Package: dovecot-core
Version: 1:2.2.13-11

If the directions on the wiki are followed and dovecot is configured with:

  auth_use_winbind = yes
  auth_mechanisms = plain gssapi gss-spnego login ntlm

Then the 'ntlm' method does not work. (For reference, this mechanism calls the samba ntlm_auth helper program.)

This works fine in squeeze, so I investigated the source of the problem. With a high enough log level this obscure message will come out:

  Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: Login for user []\[jgg]@[wakko] failed due to [Reading winbind reply failed!]
  Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for \jgg failed: NT_STATUS_UNSUCCESSFUL
  Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: GENSEC login failed: NT_STATUS_UNSUCCESSFUL
  Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: winbind: ntlm_auth exited with exit code 0

Noting the failure code is 'Reading winbind reply failed!'

After investigating some more I figured out that dovecot is now calling ntlm_auth as user dovecot (1.2 used user root), and for some reason ntlm_auth in jessie requires access to the privileged pipe (i.e. /var/lib/samba/winbindd_privileged/pipe). Typically this is root-only. So it doesn't work, and fails obtusely.

I am surprised/dismayed that samba requires privilege to validate NTLM, but at least in jessie (2:4.1.13+dfsg-2) it does; perhaps that is another bug.

But, knowing what to look for, it is easy to see:

As root:

  $ ntlm_auth --diagnostics --username=jgg
  Password:
  Wrong Password (0xc000006a)
  Wrong Password (0xc000006a)

As a user:

  $ ntlm_auth --diagnostics --username=jgg
  Password:
  Reading winbind reply failed! (0xc0000001)
  Test LM failed!
  Reading winbind reply failed! (0xc0000001)
  Test LM and NTLM failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLM failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLM in LM failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLM in both failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLMv2 failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLMv2 and LMv2 failed!
  Reading winbind reply failed! (0xc0000001)
  Test LMv2 failed!
  Reading winbind reply failed! (0xc0000001)
  Test NTLMv2 and LMv2, LMv2 broken failed!
  Reading winbind reply failed! (0xc0000001)
  Reading winbind reply failed! (0xc0000001)
  Test NTLM and LM, LM broken failed!
  Reading winbind reply failed! (0xc0000001)
  Reading winbind reply failed! (0xc0000001)
  Test Plaintext failed!
  Reading winbind reply failed! (0xc0000001)
  Test Plaintext LM broken failed!
  Reading winbind reply failed! (0xc0000001)
  Reading winbind reply failed! (0xc0000001)
  Test Plaintext NT only failed!
  Reading winbind reply failed! (0xc0000001)
  Test Plaintext LM only failed!

So, the fix on the dovecot side is to revert to the dovecot 1.2 behavior and invoke ntlm_auth as root, simply done as a config change:

  service auth {
    user = root
  }

At a minimum this should be documented in the config comments around 'auth_use_winbind', probably should be on the wiki, and ideally dovecot would default to root if winbind is enabled, since it doesn't work at all otherwise.

Jason
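The root cause above is a plain POSIX permission denial that ntlm_auth reports only as "Reading winbind reply failed!". The following preflight check is an added example (not code from the bug report, Dovecot or Samba): given the user the Dovecot auth service runs as, it walks to the privileged pipe path named in the report and names the first path component that permissions would deny, so an operator can see whether `service auth { user = root }` (or another grant) is actually needed before enabling `auth_use_winbind`. The permission core takes the stat values as parameters, so it can also be exercised against constructed permission sets.

```python
import os
import pwd
import grp
import stat

# Privileged winbindd pipe path as reported for jessie (from the bug report).
PRIV_PIPE = "/var/lib/samba/winbindd_privileged/pipe"


def posix_allows(mode, st_uid, st_gid, want, uid, gid, groups):
    """Pure POSIX mode check. 'want' is a subset of 'rwx'. Root always
    passes; otherwise owner, then group, then other bits apply, in that
    order, as the kernel decides for a non-root caller."""
    if uid == 0:
        return True
    if uid == st_uid:
        shift = 6
    elif gid == st_gid or st_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def pipe_reachable(path, uid, gid, groups, stat_fn=os.stat):
    """Every directory on the way needs search (x); connecting to the Unix
    socket at the end needs write (w). Returns the first component that
    blocks the caller, or None when the pipe is reachable."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        component = "/" + "/".join(parts[:i])
        st = stat_fn(component)
        want = "w" if i == len(parts) else "x"
        if not posix_allows(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            want, uid, gid, groups):
            return component
    return None


def check_user(username, path=PRIV_PIPE):
    """Resolve a local account (e.g. 'dovecot') and test the real filesystem."""
    pw = pwd.getpwnam(username)
    groups = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    groups.add(pw.pw_gid)
    return pipe_reachable(path, pw.pw_uid, pw.pw_gid, groups)


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "dovecot"
    blocker = check_user(user)
    print(f"{user}: {'ok' if blocker is None else 'blocked at ' + blocker}")
```

Run it on the mail host as `python3 check_winbind_pipe.py dovecot`; "blocked at /var/lib/samba/winbindd_privileged" is the condition that produces the obscure failure in the report.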