Your message dated Mon, 28 Dec 2009 13:26:07 +0200
with message-id <[email protected]>
and subject line Re: PATH: NTLM AUTH against Outlook 2007
has caused the Debian Bug report #479690,
regarding PATCH: NTLM AUTH against Outlook 2007
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
479690: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479690
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cyrus-sasl2
Version: 2.1.22.dfsg1-19
Severity: wishlist
Short description: Patch fixes an NTLM authentication bug introduced with
Outlook 2007 (where digest-md5 also fails) when connecting to any SASL
enabled system with realm support, where the username is matched against
[email protected] in any SASL backend (%...@%r via postfix,
cyrus-imapd, courier, etc.).
Bug description:
Outlook Express, Outlook 2000, 2003 and XP use the following method
(which is covered by cyrus-sasl2 2.1.22): the first NTLM request carries
the username and the client domain (where the client domain is the
workgroup/domain of the Windows workstation), and if that fails, the
second NTLM request is sent without a client domain but with a fully
qualified email address [email protected].
Outlook 2007 uses a different approach: in the first NTLM request it
directly sends client user: username and client domain: maildomain.tld.
There is no fallback mechanism, and therefore this fails in sasl2 with
"username not found".
Solution:
This patch adds the logic to distinguish between the old method and the
new method and supports both. The new logic is: if a client domain is
available, build a fully qualified username and send it to the SASL
backend for verification (this works for Outlook 2007; the older versions
fail here). If there is no client domain, send the handed-over username
for verification (which is then the fully qualified username handed over
by the older Outlook versions).
--
kind regards
Christoph Christ
Head of Development/Research
MCP-Softworks s.r.o.,
Freiungsstrasse 8/1, A-2410 Hainburg an der Donau
Tel: +43-664-9307044, Fax: +43-664-779307044
http://www.mcpsoftworks.com
diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
cyrus-sasl-2.1.22-patch/plugins/ntlm.c
--- cyrus-sasl-2.1.22/plugins/ntlm.c 2005-07-07 18:10:14.000000000 +0200
+++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c 2008-05-04 14:56:54.000000000
+0200
@@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
struct propval auxprop_values[2];
unsigned char hash[NTLM_HASH_LENGTH];
unsigned char resp[NTLM_RESP_LENGTH];
+
+ unsigned char *combined_username = NULL;
/* fetch user's password */
result = sparams->utils->prop_request(sparams->propctx,
password_request);
if (result != SASL_OK) goto cleanup;
- /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
+ ///////////////////////////////////////////////////////////////////
+ // patch by [email protected]
+ // rights: GPL
+ // older pop3, imap, smtp ntlm clients are sending first
+ // client-user: usernamex
+ // client-domain: NTDOMAIN/WORKGROUP
+ // and if thats denied by us, they retry with
+ // client-user: [email protected]
+ // without a client domain
+ // outlook 2007 changed that behaviour to support properly
+ // also other mail servers. They are thus sending already (hurray!)
+ // as the first try: client-user: username
+ // and as client domain: the users emaildomain
+ ///////////////////////////////////////////////////////////////////
+ if (domain) {
+ // to match the outlook 2007 method
+ combined_username = sparams->utils->malloc(authid_len + domain_len
+ 1);
+ if (combined_username == NULL) {
+ MEMERROR(sparams->utils);
+ return SASL_NOMEM;
+ }
+ sprintf(combined_username, "%...@%s", authid, domain);
+ result = sparams->canon_user(sparams->utils->conn,
combined_username, strlen(combined_username),
SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+ sparams->utils->free(combined_username);
+ }
+ else {
+ // use old method (ignore the first try and match the second
+ result = sparams->canon_user(sparams->utils->conn, authid,
authid_len,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+ }
+
+ /* this will trigger the getting of the aux properties */
if (result != SASL_OK) goto cleanup;
result = sparams->utils->prop_getnames(sparams->propctx,
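Review bot: the buffer allocated for combined_username in this hunk is one byte too small. As the wrapped line reads, it is sized `authid_len + domain_len + 1`, but the sprintf that follows writes authid, the '@' separator (visible in the format even though the format is mangled in this copy), domain and a terminating NUL, which is `authid_len + domain_len + 2` bytes, so the NUL is written one byte past the end of the heap allocation. Size it with + 2, or better, drop sprintf/strlen entirely and assemble the string with memcpy from the lengths already in hand: the NTLM type-3 fields are length-delimited and nothing in the hunk guarantees that authid and domain are NUL-terminated. Two smaller points: on allocation failure the hunk does `return SASL_NOMEM;` while the surrounding failures (`if (result != SASL_OK) goto cleanup;`) take the cleanup path, so whatever cleanup releases is skipped; and combined_username is declared `unsigned char *` but passed to sprintf and strlen, which expect `char *`. The `//` comment block (with the unclosed parenthesis in "ignore the first try and match the second") also does not match the `/* */` style used elsewhere in the file.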
--- End Message ---
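The decision described in the report (combine user and client domain when the client sent one, otherwise pass the user field through unchanged) can be written with explicit lengths and correctly sized allocations. The following is an added example written for this page; it is not cyrus-sasl code and `build_backend_username` and `selftest` are names chosen here. It assumes the caller hands it the raw, length-delimited NTLM type-3 fields (not NUL-terminated), treats an empty domain the same as an absent one, and returns a malloc'd NUL-terminated string for the SASL backend lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not cyrus-sasl code. Build the identity handed to the
 * SASL backend from the NTLM type-3 user and domain fields:
 *   - domain present  -> "user@domain"  (Outlook 2007 style request)
 *   - domain absent   -> user as sent   (older clients' second attempt,
 *                                        which already carries user@domain)
 * Lengths are explicit because the NTLM fields are length-delimited and
 * need not be NUL-terminated. Returns a malloc'd, NUL-terminated string
 * or NULL on allocation failure; the caller frees it. */
char *build_backend_username(const char *authid, size_t authid_len,
                             const char *domain, size_t domain_len)
{
    char *out;

    if (authid == NULL) return NULL;

    if (domain != NULL && domain_len > 0) {
        /* user + '@' + domain + NUL: the separator and the terminator
         * each need a byte, so the size is +2, not +1 */
        size_t needed = authid_len + 1 + domain_len + 1;
        out = malloc(needed);
        if (out == NULL) return NULL;
        memcpy(out, authid, authid_len);
        out[authid_len] = '@';
        memcpy(out + authid_len + 1, domain, domain_len);
        out[authid_len + 1 + domain_len] = '\0';
        return out;
    }

    /* no client domain: copy the user field verbatim and terminate it */
    out = malloc(authid_len + 1);
    if (out == NULL) return NULL;
    memcpy(out, authid, authid_len);
    out[authid_len] = '\0';
    return out;
}

/* Self-check: both paths must produce the same backend identity for the
 * two client behaviours described in the report. Returns 1 on success. */
int selftest(void)
{
    int ok = 1;
    /* constructed sample fields, deliberately without NUL terminators */
    const char user[] = {'a', 'l', 'i', 'c', 'e'};
    const char dom[]  = {'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g'};
    const char fq[]   = {'a', 'l', 'i', 'c', 'e', '@',
                         'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g'};

    char *a = build_backend_username(user, sizeof user, dom, sizeof dom);
    char *b = build_backend_username(fq, sizeof fq, NULL, 0);
    if (a == NULL || b == NULL) { free(a); free(b); return 0; }

    if (strcmp(a, "alice@example.org") != 0) ok = 0;
    if (strcmp(b, "alice@example.org") != 0) ok = 0;
    if (strlen(a) != sizeof fq) ok = 0;   /* 17 bytes, NUL not counted */

    free(a);
    free(b);
    return ok;
}

int main(void)
{
    char *id = build_backend_username("alice", 5, "example.org", 11);
    if (id == NULL) return 1;
    printf("backend lookup for: %s (selftest %s)\n", id,
           selftest() ? "ok" : "FAILED");
    free(id);
    return 0;
}
```

The only behavioural difference from the patch's intent is that an empty domain field is treated like a missing one; everything else is the same decision, carried out without sprintf or strlen so that the allocation size is computed once from the lengths and cannot be one byte short.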
--- Begin Message ---
tag 479690 +wontfix
thanks
Since this bug concerns a patch we cannot apply, I'm closing this bug.
--
Fabian Fagerholm <[email protected]>
--- End Message ---