Re: NTLM: incorrect bytecount for NEGPROT response data

[Alexey Lobanov <A.Lobanov@gctrials.com>]

Self-reply.

The essence of problem seems to be the stalled Cyrus SASL version in 
Debian. Both 2.1.22 in Stable and 2.1.23 in Testing have 
"plugins/ntlm.c" code unchanged since 2005.

This piece of code had been patched by CMU team intensively in 2009 
only, in version 2.1.24.

So, I still do not know what to do with production servers. Either to 
freeze Samba at 3.0.X or compile Cyrus SASL 2.1.24 from source.

Alexey

On 26/07/10 12:13, Alexey Lobanov wrote:


> Hello all.
>
> I use several Debian servers running since 2005. All them use 
> Samba->NTLM->Cyrus SASL authentication chain for Cyrus IMAP and Postfix 
> SMTP services, in very trivial form:
>
> pwcheck_method: saslauthd
> mech_list: plain ntlm
> ntlm_server: 127.0.0.1
>
> The problem: upon upgrade from Samba 3.0 to Samba 3.2, the NTLM 
> athentication dies both for SMTP and IMAP clients, with the following 
> log records:
>
> Jul 22 17:40:22 obolon postfix/smtpd[26140]: NTLM server step 1
> Jul 22 17:40:22 obolon postfix/smtpd[26140]: client flags: ffff8207
> Jul 22 17:40:22 obolon postfix/smtpd[26140]: NTLM: incorrect bytecount
> for NEGPROT response data
>
> Same happens both with Debian-provided Samba (3.2.5 in Lenny) and with 
> self-built Samba 3.2.4; no difference. Old self-built Samba 3.0.25 
> authenticates SASL clents fine, without any problems.
>
> Can anyone offer any explanations, configuration changes or diagnostic 
> tests?
>
> Alexey