Re: Need to authenticate Outlook and NTLM

2019-02-19 Thread Mark Foley via dovecot
On Tue, 19 Feb 2019 08:53:13 +0200 Aki Tuomi wrote:
>
> On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> > On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
> >> On 2019-02-13, Mark Foley via dovecot  wrote:
> >>> Is it possible that no one on this list is authenticating Outlook with 
> >>> Dovecot and NTLM?
> >> Yes, it's possible, the outdated instructions you found on the wiki
> >> suggest it's an uncommon configuration.
> > Hmmm, really? And yet Windows/Outlook is still the predominant email client 
> > out there
> > (unfortunately). Maybe everyone is going to outlook.com?
> >
> >> No actual answers from me, but it might give you some clues:
> >>
> >>> More on this ...
> >>>
> >>> I short-sheeted ntlm_auth to see what was being passed to it. It is 
> >>> getting as arg1:
> >>>
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> I tried running ntlm_auth at the command line as:
> >>>
> >>> ntlm_auth --username=user --password=password 
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> It did nothing, just hung there. The ntlm_auth man page says:
> >>>
> >>> --helper-protocol=PROTO
> >>>   Operate as a stdio-based helper. Valid helper protocols are:
> >> The squid auth helpers are stdio-based, they run in a loop, reading from
> >> stdin, checking authentication, and return results on stdout. This avoids 
> >> both
> >> passing sensitive data on the command line (visible to ps, at least 
> >> briefly)
> >> and the need to keep forking and initialising a new process.
> >>
> >> So it's normal that it would just sit waiting for input.
> >>
> >> Dovecot is just reusing the same protocol that squid uses.
> > If --username and --password are passed on the command line, what is it 
> > waiting for on stdin?
> > Normally, ntlm_auth, with id and pw passed on the command line prints, 
> > "NT_STATUS_OK: The
> > operation completed successfully. (0x0)" to stdout. There is no further 
> > stdin input needed.
> >
> > Is there a way to disable the --helper-protocol in Dovecot? 
> >
> >>> After more searching I came across this post, 
> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> >>> which, in summary, said that ntlm_auth had to run as root. So, I added 
> >>> the following to my
> >>> dovecot config per that post's suggestion:
> >>>
> >>> service auth {
> >>>   user = root
> >>> }
> >>>
> >>> After restarting and trying again to connect from Outlook I got the 
> >>> message:
> >>>
> >>> auth: Info: ntlm(?,192.168.0.58,): user not 
> >>> authenticated: NT_STATUS_NO_MEMORY
> >> I don't know the full details of how samba/ntlm works, but this seems like
> >> an error coming from the server you're attempting to authenticate against.
> >> I think you should start debugging on the samba side - make sure tools
> >> like wbinfo are working, if not then debug those with samba, then move
> >> on to Dovecot after you have that working.
> > Samba has been running for years (with updates) and everything like wbinfo 
> > works.  Dovecot can
> > authenticate with kerberos/GSSAPI, and other applications can authenticate 
> > with ntlm_auth.  My
> > suspicion here is that the "user not authenticated" problem is perhaps 
> > because dovecot cannot
> > run the auth service as root? The dovecot user is dovenull, so why would it 
> > be permitted to run
> > as root in any case?
> >
> > I think the problem is in invoking ntlm_auth. I tried simply returning zero 
> > from my "fake"
> > ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from 
> > ntlm_auth_helper.
> >
> > --Mark
>
> Hi,
>
> try
>
>
> service auth {
>   user = root
> }

Aki - yes, I did try that. It was in my original post but has been edited out 
of the email
chain since.

Things I've tried since:

I installed squid -- it wasn't installed before.

Now, with the NTLM mechanism and:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

I get:

ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL

This link: https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html, 
suggests that I
need to make /var/lib/samba/winbindd_privileged writable by, I assume, dovecot. 
 Which I did. 
The link says this is a directory, but in fact it is a pipe:

> ls -l /var/lib/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root dovecot 0 2019-02-20 00:05 pipe=

That could be an issue? That failed with:

auth: Info: ntlm(?,192.168.0.58,<6Iit7EyCysbAqAA6>): user not authenticated: 
NT_STATUS_NO_MEMORY

I again tried adding the following both with root and dovecot group ownership:

service auth {
user = root
}

That gave the same NT_STATUS_NO_MEMORY error. Per your (Aki) suggestion, I 
tried adding:

default_vsz_limit = 1G

but that made no difference, same NT_STATUS_NO_MEMORY error.

Conclusion thus far: With root.root ownership of 
/var/lib/samba/winbindd_privileged and no
'service auth' directive, I get the "broken helper" error. With either dovecot 
ownership of
that file (pipe) or using the 'service auth' direc
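A permissions check to go with the `ls -l` output above, as an added example that is neither Samba's nor Dovecot's code. `ls -l` on a directory lists its contents, so `total 0` followed by `srwxrwxrwx ... pipe` shows that winbindd_privileged is a directory (as the ntlm_auth man page says) holding one unix socket named `pipe`. The helper that Dovecot's auth process spawns runs as the auth service's user, so that user, not root, needs execute permission on the directory and write permission on the socket (what connect() on a unix socket requires on Linux); the minimal grant is membership of the directory's group rather than `service auth { user = root }`, which passes every permission check and therefore hides the real problem. The default path, the user name `dovecot`, the group name `winbindd_priv` and the uids/gids used in the constructed test data are assumptions.

```python
"""Least-privilege check for the winbindd privileged socket that ntlm_auth
--helper-protocol=... must open (added example; not Samba or Dovecot code).
The helper runs as the Dovecot auth service's user, so that user needs
execute (traverse) on $LOCKDIR/winbindd_privileged and write on the unix
socket inside it, which is what connect() requires on Linux.  Root passes
every such check, which is why 'service auth { user = root }' masks the
problem instead of fixing it."""
import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gids: frozenset  # primary + supplementary group ids

@dataclass(frozen=True)
class FsObject:
    mode: int   # full st_mode: type bits + permission bits
    uid: int
    gid: int
    group: str  # group name, used in the remediation hint

@dataclass
class Audit:
    ok: bool
    findings: list
    fix: str = ""

def principal_from_system(user):
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return Principal(user, pw.pw_uid, frozenset(gids))

def fs_object_from_path(path):
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return FsObject(st.st_mode, st.st_uid, st.st_gid, group)

def permits(obj, who, need):
    """Plain DAC check (owner, then group, then other); root bypasses it."""
    if who.uid == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[need]
    shift = 6 if who.uid == obj.uid else 3 if obj.gid in who.gids else 0
    return bool((stat.S_IMODE(obj.mode) >> shift) & bit)

def audit_privileged_socket(dirobj, sock, who):
    """Can `who` reach the socket without root?  Returns Audit(ok, findings, fix)."""
    problems, notes, fix = [], [], ""
    if not stat.S_ISDIR(dirobj.mode):
        problems.append("winbindd_privileged is not a directory")
    if not stat.S_ISSOCK(sock.mode):
        problems.append("'pipe' inside it is not a unix socket")
    if who.uid == 0:
        notes.append(f"{who.name} is root: DAC is bypassed, so this says nothing "
                     "about whether an unprivileged auth process could connect")
    dmode = stat.S_IMODE(dirobj.mode)
    if not permits(dirobj, who, "x"):
        problems.append(f"{who.name} cannot traverse the directory "
                        f"(mode {dmode:04o}, owner uid {dirobj.uid}, group {dirobj.group})")
        if dmode & 0o010:  # group may traverse: membership is the minimal grant
            fix = f"usermod -aG {dirobj.group} {who.name}  # then restart dovecot"
        else:
            fix = f"chgrp <group of {who.name}> and chmod g+x on the directory"
    if not permits(sock, who, "w"):  # connect() on a unix socket needs write
        problems.append(f"{who.name} lacks write on the socket "
                        f"(mode {stat.S_IMODE(sock.mode):04o})")
    return Audit(not problems, problems + notes, fix)

def audit_path(path="/var/lib/samba/winbindd_privileged", user="dovecot"):
    """Live check; path and user are assumptions, override them for your system."""
    return audit_privileged_socket(fs_object_from_path(path),
                                   fs_object_from_path(os.path.join(path, "pipe")),
                                   principal_from_system(user))

if __name__ == "__main__":
    result = audit_path(*sys.argv[1:3])
    print("OK" if result.ok else "BLOCKED")
    for line in result.findings:
        print(" -", line)
    if result.fix:
        print("fix:", result.fix)
```

Run it as root (so it can stat the socket) with the path and the auth service's user as arguments; a BLOCKED verdict with a `usermod -aG` hint is the case where adding the user to the directory's group, rather than running the auth service as root, is the fix.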

Re: Need to authenticate Outlook and NTLM

2019-02-18 Thread Aki Tuomi via dovecot


On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
>> On 2019-02-13, Mark Foley via dovecot  wrote:
>>> Is it possible that no one on this list is authenticating Outlook with 
>>> Dovecot and NTLM?
>> Yes, it's possible, the outdated instructions you found on the wiki
>> suggest it's an uncommon configuration.
> Hmmm, really? And yet Windows/Outlook is still the predominant email client 
> out there
> (unfortunately). Maybe everyone is going to outlook.com?
>
>> No actual answers from me, but it might give you some clues:
>>
>>> More on this ...
>>>
>>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting 
>>> as arg1:
>>>
>>> --helper-protocol=squid-2.5-ntlmssp
>>>
>>> I tried running ntlm_auth at the command line as:
>>>
>>> ntlm_auth --username=user --password=password 
>>> --helper-protocol=squid-2.5-ntlmssp
>>>
>>> It did nothing, just hung there. The ntlm_auth man page says:
>>>
>>> --helper-protocol=PROTO
>>>   Operate as a stdio-based helper. Valid helper protocols are:
>> The squid auth helpers are stdio-based, they run in a loop, reading from
>> stdin, checking authentication, and return results on stdout. This avoids 
>> both
>> passing sensitive data on the command line (visible to ps, at least briefly)
>> and the need to keep forking and initialising a new process.
>>
>> So it's normal that it would just sit waiting for input.
>>
>> Dovecot is just reusing the same protocol that squid uses.
> If --username and --password are passed on the command line, what is it 
> waiting for on stdin?
> Normally, ntlm_auth, with id and pw passed on the command line prints, 
> "NT_STATUS_OK: The
> operation completed successfully. (0x0)" to stdout. There is no further stdin 
> input needed.
>
> Is there a way to disable the --helper-protocol in Dovecot? 
>
>>> After more searching I came across this post, 
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>>> which, in summary, said that ntlm_auth had to run as root. So, I added the 
>>> following to my
>>> dovecot config per that post's suggestion:
>>>
>>> service auth {
>>>   user = root
>>> }
>>>
>>> After restarting and trying again to connect from Outlook I got the message:
>>>
>>> auth: Info: ntlm(?,192.168.0.58,): user not 
>>> authenticated: NT_STATUS_NO_MEMORY
>> I don't know the full details of how samba/ntlm works, but this seems like
>> an error coming from the server you're attempting to authenticate against.
>> I think you should start debugging on the samba side - make sure tools
>> like wbinfo are working, if not then debug those with samba, then move
>> on to Dovecot after you have that working.
> Samba has been running for years (with updates) and everything like wbinfo 
> works.  Dovecot can
> authenticate with kerberos/GSSAPI, and other applications can authenticate 
> with ntlm_auth.  My
> suspicion here is that the "user not authenticated" problem is perhaps 
> because dovecot cannot
> run the auth service as root? The dovecot user is dovenull, so why would it 
> be permitted to run
> as root in any case?
>
> I think the problem is in invoking ntlm_auth. I tried simply returning zero 
> from my "fake"
> ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from 
> ntlm_auth_helper.
>
> --Mark

Hi,

try


service auth {
  user = root
}


Aki



Re: Need to authenticate Outlook and NTLM

2019-02-18 Thread Mark Foley via dovecot
On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
>
> On 2019-02-13, Mark Foley via dovecot  wrote:
> > Is it possible that no one on this list is authenticating Outlook with 
> > Dovecot and NTLM?
>
> Yes, it's possible, the outdated instructions you found on the wiki
> suggest it's an uncommon configuration.

Hmmm, really? And yet Windows/Outlook is still the predominant email client out 
there
(unfortunately). Maybe everyone is going to outlook.com?

> No actual answers from me, but it might give you some clues:
>
> > More on this ...
> >
> > I short-sheeted ntlm_auth to see what was being passed to it. It is getting 
> > as arg1:
> >
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > I tried running ntlm_auth at the command line as:
> >
> > ntlm_auth --username=user --password=password 
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > It did nothing, just hung there. The ntlm_auth man page says:
> >
> > --helper-protocol=PROTO
> >   Operate as a stdio-based helper. Valid helper protocols are:
>
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.

If --username and --password are passed on the command line, what is it waiting 
for on stdin?
Normally, ntlm_auth, with id and pw passed on the command line prints, 
"NT_STATUS_OK: The
operation completed successfully. (0x0)" to stdout. There is no further stdin 
input needed.

Is there a way to disable the --helper-protocol in Dovecot? 

>
> > After more searching I came across this post, 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> > which, in summary, said that ntlm_auth had to run as root. So, I added the 
> > following to my
> > dovecot config per that post's suggestion:
> >
> > service auth {
> >   user = root
> > }
> >
> > After restarting and trying again to connect from Outlook I got the message:
> >
> > auth: Info: ntlm(?,192.168.0.58,): user not 
> > authenticated: NT_STATUS_NO_MEMORY
>
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.

Samba has been running for years (with updates) and everything like wbinfo 
works.  Dovecot can
authenticate with kerberos/GSSAPI, and other applications can authenticate with 
ntlm_auth.  My
suspicion here is that the "user not authenticated" problem is perhaps because 
dovecot cannot
run the auth service as root? The dovecot user is dovenull, so why would it be 
permitted to run
as root in any case?

I think the problem is in invoking ntlm_auth. I tried simply returning zero 
from my "fake"
ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from 
ntlm_auth_helper.

--Mark


Re: Need to authenticate Outlook and NTLM

2019-02-18 Thread Aki Tuomi via dovecot


On 18.2.2019 12.17, Stuart Henderson via dovecot wrote:
> On 2019-02-13, Mark Foley via dovecot  wrote:
>> Is it possible that no one on this list is authenticating Outlook with 
>> Dovecot and NTLM?
> Yes, it's possible, the outdated instructions you found on the wiki
> suggest it's an uncommon configuration.
>
> No actual answers from me, but it might give you some clues:
>
>> More on this ...
>>
>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting 
>> as arg1:
>>
>> --helper-protocol=squid-2.5-ntlmssp
>>
>> I tried running ntlm_auth at the command line as:
>>
>> ntlm_auth --username=user --password=password 
>> --helper-protocol=squid-2.5-ntlmssp
>>
>> It did nothing, just hung there. The ntlm_auth man page says:
>>
>> --helper-protocol=PROTO
>>   Operate as a stdio-based helper. Valid helper protocols are:
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.
>
>> After more searching I came across this post, 
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>> which, in summary, said that ntlm_auth had to run as root. So, I added the 
>> following to my
>> dovecot config per that post's suggestion:
>>
>> service auth {
>>   user = root
>> }
>>
>> After restarting and trying again to connect from Outlook I got the message:
>>
>> auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
>> NT_STATUS_NO_MEMORY
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.
>
>
You might need to configure auth and auth-worker processes with larger
vsz_limit, or configure default_vsz_limit = 1G

Aki



Re: Need to authenticate Outlook and NTLM

2019-02-18 Thread Stuart Henderson via dovecot
On 2019-02-13, Mark Foley via dovecot  wrote:
> Is it possible that no one on this list is authenticating Outlook with 
> Dovecot and NTLM?

Yes, it's possible, the outdated instructions you found on the wiki
suggest it's an uncommon configuration.

No actual answers from me, but it might give you some clues:

> More on this ...
>
> I short-sheeted ntlm_auth to see what was being passed to it. It is getting 
> as arg1:
>
> --helper-protocol=squid-2.5-ntlmssp
>
> I tried running ntlm_auth at the command line as:
>
> ntlm_auth --username=user --password=password 
> --helper-protocol=squid-2.5-ntlmssp
>
> It did nothing, just hung there. The ntlm_auth man page says:
>
> --helper-protocol=PROTO
>   Operate as a stdio-based helper. Valid helper protocols are:

The squid auth helpers are stdio-based, they run in a loop, reading from
stdin, checking authentication, and return results on stdout. This avoids both
passing sensitive data on the command line (visible to ps, at least briefly)
and the need to keep forking and initialising a new process.

So it's normal that it would just sit waiting for input.

Dovecot is just reusing the same protocol that squid uses.

> After more searching I came across this post, 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> which, in summary, said that ntlm_auth had to run as root. So, I added the 
> following to my
> dovecot config per that post's suggestion:
>
> service auth {
>   user = root
> }
>
> After restarting and trying again to connect from Outlook I got the message:
>
> auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
> NT_STATUS_NO_MEMORY

I don't know the full details of how samba/ntlm works, but this seems like
an error coming from the server you're attempting to authenticate against.
I think you should start debugging on the samba side - make sure tools
like wbinfo are working, if not then debug those with samba, then move
on to Dovecot after you have that working.
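The helper loop Stuart describes, as an added example that is not part of this thread nor of Dovecot's or Samba's code: a small Python driver that speaks the squid-2.5-ntlmssp line protocol to a helper process. The command and reply words (YR, TT, KK, AF, NA, BH) are the ones ntlm_auth and Squid document for this protocol; the sample Negotiate blob, the stand-in Authenticate blob, the mock helper and the single user name ('mark') it accepts are constructed so the code runs without winbindd. Started with `--helper-protocol=squid-2.5-ntlmssp`, ntlm_auth reads requests of exactly this form from stdin instead of taking them from the command line, which is why it appears to hang when run by hand. Dovecot's winbind mechanism reports an NA reply as "user not authenticated: <reason>" and a BH reply as "ntlm_auth reports broken helper: <reason>", so the two log lines in this thread are the helper's own verdicts passed through.

```python
"""Driver for the squid-2.5-ntlmssp helper protocol (added example; not Dovecot
or Samba code).  One line per step on the helper's stdin, one reply line back:
  YR <b64 Negotiate>     -> TT <b64 Challenge>           (relay TT to the client)
  KK <b64 Authenticate>  -> AF <user> | NA <reason> | BH <reason>
Dovecot logs NA as "user not authenticated: <reason>" and BH as "ntlm_auth reports broken helper: <reason>"."""
import base64
import subprocess
import sys
from collections import namedtuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
HelperReply = namedtuple("HelperReply", "code payload")  # TT/AF/NA/BH and its argument

def parse_helper_reply(line):
    """Validate one reply line; anything off-protocol is an error, never a pass."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in ("TT", "AF", "NA", "BH"):
        raise ValueError(f"unexpected helper reply: {line!r}")
    if code == "TT" and not base64.b64decode(payload, validate=True).startswith(NTLMSSP_SIGNATURE):
        raise ValueError("TT payload is not an NTLMSSP message")
    return HelperReply(code, payload)

class SquidNtlmHelper:
    """One helper process, e.g. ['ntlm_auth', '--helper-protocol=squid-2.5-ntlmssp']."""
    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        self.challenged = False  # a KK is only valid after a YR/TT round

    def _roundtrip(self, cmd, blob_b64):
        base64.b64decode(blob_b64, validate=True)  # never forward a malformed client blob
        self.proc.stdin.write(f"{cmd} {blob_b64}\n")
        self.proc.stdin.flush()
        line = self.proc.stdout.readline()
        if not line:
            raise RuntimeError("helper exited without replying")
        return parse_helper_reply(line)

    def negotiate(self, type1_b64):
        """YR step: forward the client's Negotiate; the helper must answer TT."""
        reply = self._roundtrip("YR", type1_b64)
        if reply.code != "TT":
            raise RuntimeError(f"helper rejected YR: {reply.code} {reply.payload}")
        self.challenged = True
        return reply

    def authenticate(self, type3_b64):
        """KK step: forward the client's Authenticate; get AF, NA or BH."""
        if not self.challenged:
            raise RuntimeError("KK sent before a YR/TT round")
        self.challenged = False
        return self._roundtrip("KK", type3_b64)

    def close(self):
        self.proc.stdin.close()
        self.proc.wait(timeout=5)

def run_ntlm_exchange(argv, type1_b64, type3_b64):
    """Full YR/TT/KK exchange against a fresh helper; returns the final reply."""
    helper = SquidNtlmHelper(argv)
    try:
        helper.negotiate(type1_b64)
        return helper.authenticate(type3_b64)
    finally:
        helper.close()

# Constructed test data, not captured traffic: a structurally minimal Negotiate
# (signature, type 1, zero flags, empty domain and workstation fields) ...
SAMPLE_TYPE1 = base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 20).decode()

def sample_type3(user):
    """... and a stand-in Authenticate blob that only the mock helper understands."""
    return base64.b64encode(NTLMSSP_SIGNATURE + user.encode()).decode()

# Mock helper so the driver runs without winbindd (assumption: 'mark' is the only
# valid user).  Pass the real ntlm_auth argv instead to talk to Samba.
MOCK_HELPER_SOURCE = r'''
import base64, sys
CHALLENGE = base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00" + b"\x00" * 28).decode()
for line in sys.stdin:
    cmd, _, blob = line.rstrip("\n").partition(" ")
    if cmd == "YR":
        out = "TT " + CHALLENGE
    elif cmd == "KK":
        user = base64.b64decode(blob)[8:].decode("utf-8", "replace")
        out = "AF " + user if user == "mark" else "NA NT_STATUS_LOGON_FAILURE"
    else:
        out = "BH unknown command"
    sys.stdout.write(out + "\n")
    sys.stdout.flush()
'''

def mock_helper_argv():
    return [sys.executable, "-c", MOCK_HELPER_SOURCE]

if __name__ == "__main__":
    for user in ("mark", "intruder"):
        reply = run_ntlm_exchange(sys.argv[1:] or mock_helper_argv(), SAMPLE_TYPE1, sample_type3(user))
        print(f"{user}: {reply.code} {reply.payload}")
```

With no arguments the script drives the mock; with `ntlm_auth --helper-protocol=squid-2.5-ntlmssp` as arguments it drives the real helper, which will only return AF for a genuine Negotiate/Authenticate pair from a client and only when the invoking user can reach the winbindd privileged socket (a BH with an NT_STATUS reason is the helper saying it could not). The driver treats any reply outside the four codes as a hard error rather than a pass, which is the safe default for anything that sits in an authentication path.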




Re: Need to authenticate Outlook and NTLM

2019-02-13 Thread Mark Foley via dovecot
Is it possible that no one on this list is authenticating Outlook with Dovecot 
and NTLM?

--Mark

-Original Message-
Date: Fri, 08 Feb 2019 00:51:01 -0500
To: dovecot@dovecot.org
Subject: Re: Need to authenticate Outlook and NTLM
From: Mark Foley via dovecot 

More on this ...

I short-sheeted ntlm_auth to see what was being passed to it. It is getting as 
arg1:

--helper-protocol=squid-2.5-ntlmssp

I tried running ntlm_auth at the command line as:

ntlm_auth --username=user --password=password 
--helper-protocol=squid-2.5-ntlmssp

It did nothing, just hung there. The ntlm_auth man page says:

--helper-protocol=PROTO
  Operate as a stdio-based helper. Valid helper protocols are:

  squid-2.5-ntlmssp
Server-side helper for use with Squid 2.5's NTLMSSP authentication.

Requires access to the directory winbindd_privileged in $LOCKDIR. The 
protocol used is described here:
http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. This protocol 
has been extended to allow the
NTLMSSP Negotiate packet to be included as an argument to the YR command. 
(Thus avoiding loss of information in
the protocol exchange).

Squid NTLM authentication? As far as I know, I don't have Squid. If I leave off 
the
--helper-protocol bit on the ntlm_auth command line, it returns an OK status.

Is there a way to NOT pass "--helper-protocol=squid-2.5-ntlmssp"? Would this 
help?

--Mark

-Original Message-
Date: Fri, 08 Feb 2019 00:19:19 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Need to authenticate Outlook and NTLM

I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which 
is also the
Active Directory / Domain Controller.  We have both Thunderbird and Outlook 
clients.  The
Thunderbird clients authenticate w/o problem with AD credentials using 
Kerberos/GSSAPI. 

I've never been able to get the Outlook clients to authenticate using domain 
credentials, so
I've also hard-coded user and password into /etc/passwd and let the Dovecot 
authenticate via
PLAIN LOGIN.  Now, however, I am mandated to switch all users to Outlook, so I 
need an AD
credential solution. 

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those 
instructions.
The first problem I ran into was in Step 3 where it said to put the following 
line in the
config: 

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecotdoveconf: Fatal: Error in configuration file 
/usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: 
auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x 
used only
auth_use_winbind.  I removed the auth_ntlm_use_winbind and Dovecot restarted.  If 
this is true,
the wiki should be updated since it purports to be a version 2.x wiki.  I 
followed the rest of
the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken 
helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
which, in summary, said that ntlm_auth had to run as root. So, I added the 
following to my
dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed 
the entire dovecot
log output for this last attempt to connect from Outlook below.

Has anyone in the Universe successfully connected from Outlook using active 
domain credentials?
If so, what's the secret? What am I not doing correctly?

Thanks for any and all help! --Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH1   NTLMservice=imap
session=SCINjFqBKcXAqAA6lip=192.168.0.

Re: Need to authenticate Outlook and NTLM

2019-02-07 Thread Mark Foley via dovecot
More on this ...

I short-sheeted ntlm_auth to see what was being passed to it. It is getting as 
arg1:

--helper-protocol=squid-2.5-ntlmssp

I tried running ntlm_auth at the command line as:

ntlm_auth --username=user --password=password 
--helper-protocol=squid-2.5-ntlmssp

It did nothing, just hung there. The ntlm_auth man page says:

--helper-protocol=PROTO
  Operate as a stdio-based helper. Valid helper protocols are:

  squid-2.5-ntlmssp
Server-side helper for use with Squid 2.5's NTLMSSP authentication.

Requires access to the directory winbindd_privileged in $LOCKDIR. The 
protocol used is described here:
http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. This protocol 
has been extended to allow the
NTLMSSP Negotiate packet to be included as an argument to the YR command. 
(Thus avoiding loss of information in
the protocol exchange).

Squid NTLM authentication? As far as I know, I don't have Squid. If I leave off 
the
--helper-protocol bit on the ntlm_auth command line, it returns an OK status.

Is there a way to NOT pass "--helper-protocol=squid-2.5-ntlmssp"? Would this 
help?

--Mark

-Original Message-
Date: Fri, 08 Feb 2019 00:19:19 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Need to authenticate Outlook and NTLM

I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which 
is also the
Active Directory / Domain Controller.  We have both Thunderbird and Outlook 
clients.  The
Thunderbird clients authenticate w/o problem with AD credentials using 
Kerberos/GSSAPI. 

I've never been able to get the Outlook clients to authenticate using domain 
credentials, so
I've also hard-coded user and password into /etc/passwd and let the Dovecot 
authenticate via
PLAIN LOGIN.  Now, however, I am mandated to switch all users to Outlook, so I 
need an AD
credential solution. 

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those 
instructions.
The first problem I ran into was in Step 3 where it said to put the following 
line in the
config: 

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecotdoveconf: Fatal: Error in configuration file 
/usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: 
auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x 
used only
auth_use_winbind.  I removed the auth_ntlm_use_winbind and Dovecot restarted.  If 
this is true,
the wiki should be updated since it purports to be a version 2.x wiki.  I 
followed the rest of
the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken 
helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
which, in summary, said that ntlm_auth had to run as root. So, I added the 
following to my
dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed 
the entire dovecot
log output for this last attempt to connect from Outlook below.

Has anyone in the Universe successfully connected from Outlook using active 
domain credentials?
If so, what's the secret? What am I not doing correctly?

Thanks for any and all help! --Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH1   NTLMservice=imap
session=SCINjFqBKcXAqAA6lip=192.168.0.2 rip=192.168.0.58   
lport=143   rport=50473
Feb 07 23:39:40 auth: Debug: client passdb out: CONT1
Feb 07 23:39:40 auth: Debug: client in: CONT1   
TlRMTVNTUAABB4IIogAGAbEdDw== (previous base64 data 
may contain sensitiv

Need to authenticate Outlook and NTLM

2019-02-07 Thread Mark Foley via dovecot
I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which 
is also the
Active Directory / Domain Controller.  We have both Thunderbird and Outlook 
clients.  The
Thunderbird clients authenticate w/o problem with AD credentials using 
Kerberos/GSSAPI. 

I've never been able to get the Outlook clients to authenticate using domain 
credentials, so
I've also hard-coded user and password into /etc/passwd and let the Dovecot 
authenticate via
PLAIN LOGIN.  Now, however, I am mandated to switch all users to Outlook, so I 
need an AD
credential solution. 

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those 
instructions.
The first problem I ran into was in Step 3 where it said to put the following 
line in the
config: 

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecotdoveconf: Fatal: Error in configuration file 
/usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: 
auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x 
used only
auth_use_winbind.  I removed the auth_ntlm_use_winbind and Dovecot restarted.  If 
this is true,
the wiki should be updated since it purports to be a version 2.x wiki.  I 
followed the rest of
the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken 
helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
which, in summary, said that ntlm_auth had to run as root. So, I added the 
following to my
dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed 
the entire dovecot
log output for this last attempt to connect from Outlook below.

Has anyone in the Universe successfully connected from Outlook using active 
domain credentials?
If so, what's the secret? What am I not doing correctly?

Thanks for any and all help! --Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH1   NTLMservice=imap
session=SCINjFqBKcXAqAA6lip=192.168.0.2 rip=192.168.0.58   
lport=143   rport=50473
Feb 07 23:39:40 auth: Debug: client passdb out: CONT1
Feb 07 23:39:40 auth: Debug: client in: CONT1   
TlRMTVNTUAABB4IIogAGAbEdDw== (previous base64 data 
may contain sensitive data)
Feb 07 23:39:40 auth: Debug: client passdb out: CONT1   
TlRMTVNTUAACCAAIADgFgomifTyOI3AwfogAAGIAYgBABgEAAA9IAFAAUgBTAAIACABIAFAAUgBTAAEACABNAEEASQBMAAQAFABoAHAAcgBzAC4AbABvAGMAYQBsAAMAHgBtAGEAaQBsAC4AaABwAHIAcwAuAGwAbwBjAGEAbAAHAAgAVIrLTWi/1AEA
Feb 07 23:39:40 auth: Debug: client in: CONT1   
TlRMTVNTUAADGAAYAGwAAAD8APwAhABYCAAIAFgMAAwAYACAAQAABYKIogYBsR0PEulY2h+wL/nnNAXbmMSVx20AYQByAGsAQwBPAE0ATQBPAE4A5+rNhVU1odt5650z/pNVpQEBVIrLTWi/1AFg5+W08PtmxQACAAgASABQAFIAUwABAAgATQBBAEkATAAEABQAaABwAHIAcwAuAGwAbwBjAGEAbAADAB4AbQBhAGkAbAAuAGgAcAByAHMALgBsAG8AYwBhAGwABwAIAFSKy01ov9QBBgAEAAIIADAAMAABACAAAOity40ZG1J9BpqGn4TwBjP02UByQ6D/OUD6DrRDhg+3CgAQAAAJABIAaQBtAGEAcAAvAG0AYQBpAGwA
 (previous base64 data may contain sensitive data)
Feb 07 23:39:40 auth: Info: ntlm(?,192.168.0.58,): user not 
authenticated: NT_STATUS_NO_MEMORY
Feb 07 23:39:42 auth: Debug: client passdb out: FAIL1