Dmitry Butskoy
2007-Jul-02 12:19 UTC
[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
The Samba team recommends using their "ntlm_auth" command line helper for "NTLM" and "GSS-SPNEGO" authentication. This helper interacts with Samba's winbind daemon, and this way can authenticate users against an NT or Active Directory Windows domain. Currently Dovecot can do "NTLM" authentication too, but just "locally" (against a local or sql database etc.).

I've made a patch (attached), which adds "ntlm_auth" (or "winbind") support for Dovecot. The idea is to add two new authentication mechanisms: "mech_winbind_ntlm" and "mech_winbind_spnego". Both are coded in one additional file, "mech-winbind.c". An option "auth_ntlm_use_winbind" specifies whether to use the current implementation of ntlm, or do it by the "ntlm_auth" helper. "GSS-SPNEGO" is always performed by the helper. Normally, "ntlm_auth" is invoked once, for all further requests.

Such a way, "ntlm_auth helper from the Samba package, interacting with Samba's winbind daemon", is used now by Squid, Apache and AFAIK some other applications. It is "strongly recommended" by the Samba team, and was already proposed even in this maillist 3 years ago (see f.e. http://www.dovecot.org/list/dovecot/2004-September/004775.html ). I hope there are no serious performance issues for such a "complex way" -- f.e. with our web proxy, using this way, ~200 users do not feel any actual delays etc. I've successfully tested this patch with NTLM against an AD domain.

This patch can considerably improve the situation of "Email client on Windows desktop under Windows domain, but imap/pop at UNIX server". Currently, Windows users have to specify their "login/password" for email accounts manually. There is an "SPA" (Secure Password Authentication) alternative for them, where just the desktop's login is used transparently, but it cannot be used now, because Dovecot cannot perform NTLM against, say, an Active Directory domain.

Since the "dovecot-auth" daemon can be utilized by an MTA as well (Postfix and others), the support of "ntlm_auth" in Dovecot can satisfy both SMTP and IMAP servers at the UNIX side, and solve the issue completely.

Questions and requests:

- I tried to code things as close as possible to the used style, i.e. using Dovecot's memory-management and io-pipe routines etc., but could someone look at it and check whether I've missed something or not?
- Perhaps some names (of routines, modules) could be chosen better?
- Maybe some other options should be implemented, i.e. "auth_winbind_helper_ntlm" and "auth_winbind_helper_spnego" to specify the helper's cmdline exactly?
- Currently I strip the domain part of the username returned, i.e. from "DOMAIN\user" just to "user". Maybe better to add some option "auth_winbind_strip_domain" for this?

Certainly, it will be fine if someone else checks it more, especially for "GSS-SPNEGO", which I cannot test for a while.

Regards,
Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-1.0.1-winbind.patch
Type: text/x-diff
Size: 11717 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20070702/66b3253c/attachment-0002.bin>
Timo Sirainen
2007-Jul-02 15:23 UTC
[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
On Mon, 2007-07-02 at 16:19 +0400, Dmitry Butskoy wrote:

> - I tried to code things as close as possible to the used style, i.e. using Dovecot's
> memory-management and io-pipe routines etc., but could someone look at
> it and check whether I've missed something or not?

close() and dup2() errors should be reported, although they're unlikely. ostream is a bit pointless there since you're doing only a single write. You could just use write_full().

> - Maybe some other options should be implemented, i.e.
> "auth_winbind_helper_ntlm" and "auth_winbind_helper_spnego" to specify
> the helper's cmdline exactly?

Yes.

> - Currently I strip the domain part of the username returned, i.e. from
> "DOMAIN\user" just to "user". Maybe better to add some option
> "auth_winbind_strip_domain" for this?

What if you changed it to user@domain? Then you could use Dovecot's standard %n or %u variables.

There's one thing I'd want changed: make it non-blocking. Both input and output are currently blocking, so dovecot-auth is stuck while waiting for ntlm_auth to reply. I want to avoid this whenever possible (I don't ever want to see "authentication just gets stuck, why??" mails. An "ntlm_auth timed out" message in the log is much nicer).

I guess ntlm_auth can handle only a single session at a time? So this would pretty much require that you either implement some kind of a queue or execute multiple ntlm_auths. Or maybe both. Using auth worker processes would probably be best. Unfortunately that currently works only for passdbs and userdbs, not for mechanisms. I guess I could try changing this for v1.1, unless you want to try? :)
Dmitry Butskoy
2007-Jul-02 16:19 UTC
[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
Timo Sirainen wrote:

>> - Currently I strip the domain part of the username returned, i.e. from
>> "DOMAIN\user" just to "user". Maybe better to add some option
>> "auth_winbind_strip_domain" for this?
>
> What if you changed it to user@domain? Then you could use Dovecot's
> standard %n or %u variables.

AFAIK "user@domain" should have an actual form of "user@example.com", but "ntlm_auth" returns "EXAMPLE\user" in such a case, not "EXAMPLE.COM\user". At least for NTLM (against AD). OTOH the spnego could return the actual "user@example.com", but it is still unknown to me :)

> There's one thing I'd want changed: make it non-blocking. Both input and
> output are currently blocking, so dovecot-auth is stuck while waiting
> for ntlm_auth to reply. I want to avoid this whenever possible (I don't
> ever want to see "authentication just gets stuck, why??" mails. An
> "ntlm_auth timed out" message in the log is much nicer).
>
> I guess ntlm_auth can handle only a single session at a time?

No. Normally ntlm_auth is invoked at once for ALL authentication sessions. It is a child process which lives all the time while the dovecot-auth is alive.

> There's one thing I'd want changed: make it non-blocking

Still actual after the clarification above?..

> So this
> would pretty much require that you either implement some kind of a queue

Currently I prefer to use blocking io, which provides such "a queue" de-facto. At least for the initial implementation. (I hope "ntlm_auth" is fast enough). But some timeout surely could be useful. How can it be implemented?

> or execute multiple ntlm_auths.

Does the use of a worker for, say, PAM userdb affect us here too?

> Or maybe both. Using auth worker
> processes would probably be best. Unfortunately that currently works
> only for passdbs and userdbs, not for mechanisms. I guess I could try
> changing this for v1.1, unless you want to try? :)

It seems that I prefer you try it... :)

Does "blocking io" + "worker" look like the best way?

Regards
Dmitry Butskoy
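The two points raised in the thread (report close()/dup2() failures and use a write_full()-style write, and have a timeout so dovecot-auth logs "ntlm_auth timed out" instead of hanging) are shown together in the added example below; it is not code from the patch or from Dovecot. It assumes a generic line-oriented helper child (the test stands in `cat` and `sleep` for ntlm_auth) and a hypothetical `helper_request()` wrapper that talks to it over pipes with poll() instead of a blocking read.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Write the whole buffer, retrying on short writes and EINTR (what write_full() does). */
static int write_all(int fd, const char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);
		if (n < 0 && errno == EINTR) continue;
		if (n < 0) return -1;
		buf += n; len -= (size_t)n;
	}
	return 0;
}

/* Spawn helper argv (stand-in for the ntlm_auth child), send one request line and wait
   at most timeout_ms for a reply. Returns 0 (reply copied), 1 on timeout, -1 on error. */
int helper_request(char *const argv[], const char *request,
		   char *reply, size_t replylen, int timeout_ms)
{
	int in[2], out[2];
	if (pipe(in) < 0 || pipe(out) < 0) return -1;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {				/* child: wire stdin/stdout to the pipes, exec */
		if (dup2(in[0], STDIN_FILENO) < 0 || dup2(out[1], STDOUT_FILENO) < 0) _exit(127);
		close(in[0]); close(in[1]); close(out[0]); close(out[1]);
		execvp(argv[0], argv);
		_exit(127);
	}
	if (close(in[0]) < 0 || close(out[1]) < 0) return -1;	/* parent keeps in[1], out[0] */
	int rc = -1;
	if (write_all(in[1], request, strlen(request)) == 0) {
		struct pollfd pfd = { .fd = out[0], .events = POLLIN };
		int r = poll(&pfd, 1, timeout_ms);
		if (r == 0) rc = 1;		/* log "ntlm_auth timed out" instead of hanging */
		else if (r > 0) {
			ssize_t n = read(out[0], reply, replylen - 1);
			if (n > 0) { reply[n] = '\0'; rc = 0; }
		}
	}
	close(in[1]); close(out[0]);
	if (rc != 0) kill(pid, SIGKILL);	/* stuck or broken helper: don't leave a zombie */
	waitpid(pid, NULL, 0);
	return rc;
}
```

For a long-lived helper the parent would keep the pipes open across requests and put the poll() on the auth event loop; the one-shot spawn here keeps the timeout path self-contained.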