I'm pleased to see another project increasing compatibility with windows clients, by the addition of NTLM login support, but I'm a bit worried about a few implementation details, and hope to offer an alternate approach.

I mean no disrespect to those who have implemented the code so far, but I feel that the idea of 'everybody re-implement NTLM' is prone to failure.

Firstly, the bugs I've noticed by casual inspection of your implementation:

- Unicode support is by 'null padding' - there is no real support for non-ascii characters.
- NTLM2 (a negotiated scheme to avoid sending the LM response) is unsupported.
- NTLMSSP is NDR, not 'C struct pushed to the wire'; it needs to be correctly marshaled and unmarshaled.

There are other missing features, some of which are rumoured to become mandatory flags in future, but more importantly, because the implementation is standalone, it has no ability to integrate into an NT/Win2k/Samba domain.

As part of the Samba team, I have worked with other projects - Squid in particular - to deliver server-side (and client-side) NTLMSSP authentication, without the need to re-implement the NTLMSSP protocol.

This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed for this purpose, which in turn can contact domain controllers, allowing for seamless single sign on.

http://samba.org/samba/docs/man/ntlm_auth.1.html

I have recently completed reworking mod_ntlm_winbind for a similar purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion repository. These should serve as good examples for the simple fork()/exec() model that is used, and also show the support for GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.

http://download.samba.org/ftp/unpacked/lorikeet/trunk/

My hope is that I can tempt a Dovecot developer to take on the challenge of modifying Dovecot to use ntlm_auth, and am most willing to answer any questions (here, by private mail or on the samba-technical list) that you may have on the issue.
Thanks,

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
--On Sunday, September 26, 2004 9:14 AM +1000 Andrew Bartlett <abartlet at samba.org> wrote:

> My hope is that I can tempt a Dovecot developer to take on the challenge
> of modifying the dovecot to use ntlm_auth, and am most willing to answer
> any questions (here, by private mail or on the samba-technical list)
> that you may have on the issue.

Thanks, Andrew. As the saying goes, "Good programmers write code, Great programmers steal it." It also helps to "stand on the shoulders of giants". (Nice article on the origin of that phrase at <http://www.aerospaceweb.org/question/history/q0162b.shtml>.)
> I'm pleased to see another project increasing compatibility with windows
> clients, by the addition of NTLM login support, but I'm a bit worried
> about a few implementation details, and hope to offer an alternate
> approach.
>
> I mean no disrespect to those who have implemented to the code so far,
> but I feel that the idea of 'everybody re-implement NTLM' is prone to
> failure.
>
> Firstly, to bugs I've noticed by casual inspection of your
> implementation:
>
> - Unicode support is by 'null padding' - there is no real support for
> non-ascii characters.

Does it really matter? Do you know many people who use non-ascii characters in their email addresses and passwords? :)

> - NTLM2 (a negotiated scheme to avoid sending the LM response) is
> unsupported

Did you RTFS? Or maybe I missed something?

> - NTLMSSP is NDR, not 'C struct pushed to the wire', it needs to be
> correctly marshaled and unmarshaled.

Yes, it's not a C struct, so what? Where is the actual bug?

> There are other missing features, some of which are rumoured to become
> mandatory flags in future, but more importantly, because the
> implementation is standalone, it has no ability to integrate into an
> NT/Win2k/Samba domain.

It can be directly integrated with password backends using the NTLM password scheme.

> As part of the Samba team, I have worked with other projects - Squid in
> particular, to deliver server-side (and client-side) NTLMSSP
> authentication, without the need to re-implement the NTLMSSP protocol.
>
> This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed
> for this purpose, which in turn can contact domain controllers, allowing
> for seamless single sign on.
>
> http://samba.org/samba/docs/man/ntlm_auth.1.html

So you'll need Samba to run a POP3/IMAP server. Doesn't look convenient to me.

Many people have no windows domain infrastructure, but want to provide secure authentication for poor MS Outlook users.

> I have recently completed reworking mod_ntlm_winbind for a similar
> purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion
> repository. These should serve as good examples for the simple
> fork()/exec() modal that is used, and also show the support for
> GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.
>
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/
>
> My hope is that I can tempt a Dovecot developer to take on the challenge
> of modifying the dovecot to use ntlm_auth, and am most willing to answer
> any questions (here, by private mail or on the samba-technical list)
> that you may have on the issue.
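An added example (written for this page; not Dovecot, Samba or either poster's code) of what "correctly marshaled and unmarshaled" means for the NTLMSSP Type 2 (challenge) message, and of the kind of bug the "where is the actual bug?" question is asking about. Neither message shows the Dovecot source, so this makes no claim about it. The variable-length fields of an NTLMSSP message (target name, target info) are not at fixed positions: each is described by a security buffer of length, maximum length and offset, and the payload may be laid out in any order. A reader that treats the message as a C struct, taking the target name from the byte right after the header, works only for the layout it was tested against; a reader that follows the offsets must also bounds-check them, because an offset pointing past the message is reachable from the network. The target and host names and the swapped payload order are constructed for the example; the field layout, flag values and AV_PAIR ids are those of the NTLMSSP Type 2 message.

```python
"""NTLMSSP Type 2 marshalling/unmarshalling that follows security buffers.
Added example, not code from Dovecot or Samba."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_NTLM2 = 0x00080000        # extended session security, "NTLM2"
NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids carried in TargetInfo
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN = 0, 1, 2, 3, 4
HEADER_LEN = 48  # through the TargetInfo security buffer; no Version field here


class NtlmError(ValueError):
    """Raised for any message the parser refuses to trust."""


def _read_secbuf(msg: bytes, pos: int) -> bytes:
    """Security buffer = (len u16, maxlen u16, offset u32).  The offset is
    attacker-controlled, so check it before slicing."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise NtlmError(f"security buffer at {pos} points outside the message")
    return msg[offset:offset + length]


def build_av_pairs(pairs) -> bytes:
    """pairs: iterable of (av_id, str); values are UTF-16LE, terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16le")))
                    + v.encode("utf-16le") for av_id, v in pairs)
    return body + struct.pack("<HH", AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    pairs, pos = {}, 0
    while True:
        if pos + 4 > len(blob):
            raise NtlmError("TargetInfo truncated before MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == AV_EOL:
            return pairs
        if pos + av_len > len(blob):
            raise NtlmError("AV_PAIR length exceeds TargetInfo")
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16le")
        pos += av_len


def build_type2(target: str, challenge: bytes, flags: int, av_pairs: bytes,
                target_info_first: bool = False) -> bytes:
    """Marshal a challenge.  With target_info_first=True the payload order is
    swapped; that is legal, since the offsets say where each field lives."""
    tname = target.encode("utf-16le")
    if target_info_first:
        ti_off, tn_off = HEADER_LEN, HEADER_LEN + len(av_pairs)
        payload = av_pairs + tname
    else:
        tn_off, ti_off = HEADER_LEN, HEADER_LEN + len(tname)
        payload = tname + av_pairs
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tname), len(tname), tn_off)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + struct.pack("<HHI", len(av_pairs), len(av_pairs), ti_off)
            + payload)


def parse_type2(msg: bytes) -> dict:
    """Unmarshal a challenge by following the security buffers."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        raise NtlmError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise NtlmError(f"expected Type 2, got {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, 20)
    if not flags & NEGOTIATE_UNICODE:
        raise NtlmError("OEM (non-Unicode) target names not handled in this example")
    result = {"flags": flags, "challenge": msg[24:32],
              "ntlm2": bool(flags & NEGOTIATE_NTLM2),
              "target": _read_secbuf(msg, 12).decode("utf-16le"),
              "target_info": {}}
    if flags & NEGOTIATE_TARGET_INFO:
        if len(msg) < HEADER_LEN:
            raise NtlmError("TARGET_INFO flag set but no room for its security buffer")
        result["target_info"] = parse_av_pairs(_read_secbuf(msg, 40))
    return result


def is_rejected(msg: bytes) -> bool:
    """True when parse_type2 refuses the message instead of reading past it."""
    try:
        parse_type2(msg)
        return False
    except NtlmError:
        return True


def naive_target_name(msg: bytes) -> str:
    """The 'C struct pushed to the wire' reading: assume the target name sits
    right after the header and honour only its length, never its offset."""
    (length,) = struct.unpack_from("<H", msg, 12)
    return msg[HEADER_LEN:HEADER_LEN + length].decode("utf-16le", "replace")
```

Both readers agree on the common layout; swap the payload order and only the offset-following parser still returns the target name, and a target-name offset of 0xFFFF is refused rather than sliced off the end of the buffer (in C the same read would be an out-of-bounds access). Interoperability is the reason to get this right: a peer is free to place its fields, or to add ones this code does not know about, anywhere the offsets point.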