[Dovecot] dovecot NTLM authentication

Lior Okman lior.okman at gmail.com
Mon Mar 6 23:17:47 EET 2006


I've tried stting default_pass_scheme to NTLM (first thing I did) and
I tried adding the {NTLM} prefix to the password field, both things
don't work.

I will try the plaintext logins with NTLM in LDAP next, and I'll post
my results.

I've already set auth_debug and auth_debug_password to yes. Here is
the log dump (slightly edited for privacy):

Mar  6 16:00:19 office dovecot: auth(default): client in:
AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  6 16:00:19 office dovecot: auth(default): client out: CONT^I1^I
Mar  6 16:00:19 office dovecot: auth(default): client in:
CONT^I1^ITlRMTVNTUcsqABDAB7IIogoACgArAABACwADACgAAAAFASgKABADD1NJTlRSQU5TLVNPRlQ=
Mar  6 16:00:19 office dovecot: auth(default): client out:
CONT^I1^ITlRMTVNTUtAbAskoDACMADAABBBFAooAjp5sXLYVGxMAABBDAFACABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAbcdA=
Mar  6 16:00:19 office dovecot: auth(default): client in:
CONT^I1^ITlRMTVNTUtAbascoGAAYAGoAAAAYABgAggAAABQAFABIFAKECAAIAFwABADGAAYAZAAFAKEAAACaAAAABQKIAgUBKAoAAAAPVABSAEEATgBTAC0AUwBPAEYAVABsAGkAbwByAFMASQBOAOlVqxuylfFZAAAAAFAKEAABADAAAAAAABCutypTqizx1LjI6+083WW8CXUIlREMLw==
Mar  6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar  6 16:00:20 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar  6 16:00:20 office dovecot: auth(default): client in:
AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  6 16:00:20 office dovecot: auth(default): client out: CONT^I2^I
Mar  6 16:00:20 office dovecot: auth(default): client in:
CONT^I2^ITlRMTVNGUAABFAKEB4IIogFAKEAAAAAAAAAreAlAAAAFASgKAdAADw==
Mar  6 16:00:20 office dovecot: auth(default): client out:
CONT^I2^ITlRMTVNTUA6CAATRDAAMADAAATRFAooAMg4lC++DGnwAAAAAAAAAABQAFAA8AAAAbwBmAGYAaQBjaGUAAwAMdG8AZgBmAGkAYwBlAAtreAA=
Mar  6 16:00:20 office dovecot: auth(default): client in:
CONT^I2^ITlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAABaDAAABIFAKECAAIAEgAAAAGAAYAUAAAAAAAAACGAAAABQKIAgUBKAoAAAAPbABpAG8AcgBTAEkATgBPVUNLOMzcAQHACKAAAPuZZleAAAWrongck2qbufsTT4VBZ0DYYGmt4dx2Scd6c1A=
Mar  6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar  6 16:00:22 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar  6 16:00:22 office dovecot: auth(default): client in:
AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  6 16:00:22 office dovecot: auth(default): client out: CONT^I3^I
Mar  6 16:01:19 office dovecot: imap-login: Disconnected: Inactivity:
rip=x.x.x.x, lip=x.x.x.x, TLS
Mar  6 16:01:22 office dovecot: imap-login: Disconnected: Inactivity:
user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar  6 16:01:22 office dovecot: child 30826 (auth) killed with signal 11

It seems that the server is failing the authentication attempt,
causing Outlook to retry the authentication. After two times, outlook
just hangs and I need to kill it.

Any ideas?

Thanks,
Lior

On 3/6/06, Timo Sirainen <tss at iki.fi> wrote:
> On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
> > When I compare the NTLM hash provided by the dovecotpw utility to the
> > one I have in my SAMBA ldap, it appears to be exactly the same.
> >
> > When I use the LDAP passdb backend, I can see in the log file that
> > dovecot has received the correct NTLM hash value, but outlook fails to
> > authenticate successfully.
> >
> > I'm using the debianized dovecot version v1.0.beta2.
>
> It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it
> reads the scheme wrong. The passwords in LDAP probably aren't prefixed
> with {NTLM}? Have you set default_pass_scheme = NTLM in
> dovecot-ldap.conf?
>
> Have you tried if plaintext logins work with NTLM hashes in LDAP? If
> they don't, try setting auth_debug=yes and auth_debug_passwords=yes and
> check if the logs help.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQBEDKAAyUhSUUBViskRAoeAAJ47VqTGwd8Us95uzGOTqjqdccRhiwCeN7fC
> hKJfz4B/WcJNvWwow/wqmgo=
> =NRN5
> -----END PGP SIGNATURE-----
>
>
>


More information about the dovecot mailing list