On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> On Mon, 18 Feb 2019 10:17:16 -0000 Stuart Henderson wrote:
>> On 2019-02-13, Mark Foley via dovecot <dovecot@dovecot.org> wrote:
>>> Is it possible that no one on this list is authenticating Outlook with
>>> Dovecot and NTLM?
>> Yes, it's possible, the outdated instructions you found on the wiki
>> suggest it's an uncommon configuration.
> Hmmm, really? And yet Windows/Outlook is still the predominant email client
> out there (unfortunately). Maybe everyone is going to outlook.com?
>
>> No actual answers from me, but it might give you some clues:
>>
>>> More on this ...
>>>
>>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting
>>> as arg1:
>>>
>>> --helper-protocol=squid-2.5-ntlmssp
>>>
>>> I tried running ntlm_auth at the command line as:
>>>
>>> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>>>
>>> It did nothing, just hung there. The ntlm_auth man page says:
>>>
>>> --helper-protocol=PROTO
>>> Operate as a stdio-based helper. Valid helper protocols are:
>> The squid auth helpers are stdio-based, they run in a loop, reading from
>> stdin, checking authentication, and return results on stdout. This avoids
>> both passing sensitive data on the command line (visible to ps, at least
>> briefly) and the need to keep forking and initialising a new process.
>>
>> So it's normal that it would just sit waiting for input.
>>
>> Dovecot is just reusing the same protocol that squid uses.
> If --username and --password are passed on the command line, what is it
> waiting for on stdin?
> Normally, ntlm_auth, with id and pw passed on the command line prints,
> "NT_STATUS_OK: The operation completed successfully. (0x0)" to stdout.
> There is no further stdin input needed.
>
> Is there a way to disable the --helper-protocol in Dovecot?
>
>>> After more searching I came across this post,
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>>> which, in summary, said that ntlm_auth had to run as root. So, I added the
>>> following to my dovecot config per that post's suggestion:
>>>
>>> service auth {
>>>   user = root
>>> }
>>>
>>> After restarting and trying again to connect from Outlook I got the message:
>>>
>>> auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not
>>> authenticated: NT_STATUS_NO_MEMORY
>> I don't know the full details of how samba/ntlm works, but this seems like
>> an error coming from the server you're attempting to authenticate against.
>> I think you should start debugging on the samba side - make sure tools
>> like wbinfo are working, if not then debug those with samba, then move
>> on to Dovecot after you have that working.
> Samba has been running for years (with updates) and everything like wbinfo
> works. Dovecot can authenticate with kerberos/GSSAPI, and other applications
> can authenticate with ntlm_auth. My suspicion here is that the "user not
> authenticated" problem is perhaps because dovecot cannot run the auth service
> as root? The dovecot user is dovenull, so why would it be permitted to run
> as root in any case?
>
> I think the problem is in invoking ntlm_auth. I tried simply returning zero
> from my "fake" ntlm_auth, but that didn't work. Not sure what Dovecot is
> expecting from ntlm_auth_helper.
>
> --Mark
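The stdio helper loop Stuart describes above, as an added example that is neither Samba's ntlm_auth nor Dovecot code: a minimal Python helper speaking the line-oriented squid-2.5-ntlmssp exchange (the YR/KK request tags and TT/AF/NA/BH reply tags are assumed from the squid NTLM helper protocol), reading one request per line from stdin, so with nothing written to it the process just waits, exactly as ntlm_auth did at the shell. NTLMSSP parsing is limited to the 12-byte header and the type-3 user-name field; the TT reply is a placeholder header rather than a valid challenge, and no credential check against a domain controller is performed.

```python
import base64
import binascii
import struct

# Constructed helper, not Samba's ntlm_auth: the stdio loop Dovecot drives when it
# starts the helper with --helper-protocol=squid-2.5-ntlmssp (line tags assumed from squid).
NTLMSSP_SIG = b"NTLMSSP\x00"

def ntlm_type(blob: bytes) -> int:
    """NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate), 0 if not NTLMSSP."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIG:
        return 0
    return struct.unpack_from("<I", blob, 8)[0]

def type3_username(blob: bytes) -> str:
    """User name from an AUTHENTICATE message; UserNameFields (len, maxlen, offset) sit at byte 36."""
    if len(blob) < 44:
        raise ValueError("type 3 message too short")
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, 36)
    if offset + length > len(blob):
        raise ValueError("user name field outside message")
    return blob[offset:offset + length].decode("utf-16-le")

def handle_line(state: dict, line: str) -> str:
    """Answer one request line ('YR <b64>' or 'KK <b64>') with one reply line."""
    try:
        cmd, b64 = line.strip().split(" ", 1)
        blob = base64.b64decode(b64, validate=True)
        if cmd == "YR" and ntlm_type(blob) == 1:
            state["challenged"] = True
            # Placeholder: a real helper returns a full CHALLENGE (type 2) built by winbind.
            return "TT " + base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 2)).decode()
        if cmd == "KK" and ntlm_type(blob) == 3:
            if not state.pop("challenged", False):
                return "NA authenticate received before negotiate"
            # Placeholder: a real helper verifies the NT response against the DC here.
            return "AF " + type3_username(blob)
    except (ValueError, binascii.Error):
        return "BH malformed request"
    return "BH unexpected command or message type"

def run_helper(stdin, stdout) -> int:
    """Read requests until stdin closes; with nothing on stdin this simply blocks."""
    state, handled = {}, 0
    for line in stdin:
        stdout.write(handle_line(state, line) + "\n")
        stdout.flush()
        handled += 1
    return handled
```

Running it as `python3 helper.py` with no input reproduces the "hang": the loop is blocked in the read on stdin, and the credentials never appear on the command line where ps could see them.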
Hi,

try

service auth {
  user = root
}

Aki