Warning ntlm_auth
-
Hello Forum,
We still have old clients which connect via Outlook 2010 and the old Zarafa plugin.
This weekend I updated to version "kopano-server-8.7.22.0-el7php56.57.1" and all Outlook 2010 clients stopped working (they hang on connect).
I found log entries like:
Waiting for ntlm_auth with pid 4575 to exit has timed out. Your ntlm_auth program might be hanging on shutdown. Killing process...
They appear multiple times.
In netstat I see that the relevant clients are connected to port 236/237 (HTTP/HTTPS).
I tried ntlm_auth manually:
ntlm_auth --username=testuser
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
So everything should be fine.
I looked for differences between the example config and my production config (for new/old switches) but didn't find any relevant options.
SSO is enabled.
koicd_issuing works from meet-server. Any ideas?
Best regards,
coffee_is_life
-
@coffee_is_life Did you add the parameter
in smb.conf (needed on all members where it is needed and on all AD DCs it is using)?
ntlm auth = mschapv2-and-ntlmv2-only
Now it is using NTLMv1, which you can see if you make the output verbose.
Try this:
ntlm_auth --allow-mschapv2 --username=testuser
-
ntlm_auth --allow-mschapv2 --username=testuser
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
Note that there is no Samba server (for SMB file access) installed. The server was integrated into AD and winbind is in use.
I added the line
ntlm auth = mschapv2-and-ntlmv2-only
to smb.conf but don't know if this will be used by winbind.
Manual auth is working as shown above.
coffee_is_life
-
@coffee_is_life said in Warning ntlm_auth:
smb.conf but don't know if this will be used by winbind.
Well, even if you only install winbind you should set up smb.conf; at least, it is highly recommended.
This is my smb.conf for an "auth-only" (winbind only) setup, and it is domain joined:
[global]
workgroup = ADDOM
security = ads
realm = YOUR.REALM.TLD
netbios name = HOSTNAME_WITH_MAX15_CHARS_AND_NO_UNDERSCORES
preferred master = no
domain master = no
host msdfs = no
interfaces = IP4_adress_here 127.0.0.1
bind interfaces only = yes
dns proxy = yes
server signing = required
# Add and update TLS key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/something-here.key.pem
tls certfile = /etc/ssl/local/certs/something-here.cert.pem
tls cafile = /etc/ssl/certs/internalRoot-ca.pem
## map ids outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## PICK ONE, backend AD or backend RID, and configure accordingly.
## https://wiki.samba.org/index.php/Idmap_config_ad
## https://wiki.samba.org/index.php/Idmap_config_rid
## map ids from the domain; the ranges may not overlap!
idmap config ADDOM : backend = ad
idmap config ADDOM : schema_mode = rfc2307
idmap config ADDOM : range = 10000-3999999
idmap config ADDOM : unix_nss_info = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# Use home directory and shell information from AD
# winbind nss info = rfc2307   (overruled by the per-domain unix_nss_info option)
# show domain prefix
# set to no: don't use the default domain, output shows DOMAIN\user
# set to yes: use the default domain, output shows user
winbind use default domain = yes
# show users with getent passwd
winbind enum users = no
winbind enum groups = no
# enable offline logins
winbind offline logon = yes
# depth of nested group expansion; slows down samba if the group depth is too large
winbind expand groups = 4
# Added for freeradius/Squid proxy to use NTLMv2.
# The line below must be set on all Samba AD DCs and the members involved.
ntlm auth = mschapv2-and-ntlmv2-only
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation; when set empty there are no error log messages
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on a member file server, enabled globally, OBLIGATORY
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share settings, globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
-
The basic smb config is set and has been used since the server was installed (joining AD into the realm etc. via the Kerberos file).
The basic config looks like this:
[global]
# DOMAIN / DOMAIN.DE: domain masked manually for this post
workgroup = DOMAIN
realm = DOMAIN.DE
security = ads
idmap backend = tdb
idmap uid = 100000-200000
idmap gid = 100000-200000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 500-999999
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : unix_nss_info = yes
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind expand groups = 2
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
ntlm auth = mschapv2-and-ntlmv2-only
Only the last line was added.
Still getting errors:
Waiting for ntlm_auth with pid 26885 to exit has timed out. Your ntlm_auth program might be hanging on shutdown. Killing process...
coffee_is_life
-
@coffee_is_life So, now that is set, where are you using the command "ntlm_auth"?
In that code you need to call it with: ntlm_auth --allow-mschapv2
-
ntlm_auth --allow-mschapv2 --username=testuser
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
The manual auth is working with and without "--allow-mschapv2".
When called from kopano-server and the error is thrown, I get a process: [ntlm_auth] <defunct>
I think it's caused by the latest "samba-winbind-client" package update.
I am now on CentOS 7 with package version:
samba-winbind-4.10.16-15.el7_9.x86_64
I will try to downgrade to "samba-winbind-4.10.16-13.el7_9.x86_64"; this was in use before Saturday.
This will only be a workaround, because the manual way is working; called from kopano-server it is defunct. I will downgrade the package and report back.
coffee_is_life
-
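A `[ntlm_auth] <defunct>` entry whose parent PID is kopano-server is the classic sign of a parent that kills a hung child but never calls wait() on it: the kernel keeps the process-table entry (the zombie) until the parent reaps it. The following is an added example written for this thread, not code from kopano-server or Samba. It assumes only that the helper reads one request line on stdin and answers on stdout, as ntlm_auth's helper protocol does; because the real binary is not available offline, it runs two constructed stand-in helpers (one that answers, one that hangs) through the same spawn, timeout, kill and reap path. The request text "YR" and the "OK" reply are placeholders, not the real protocol.

```python
"""Spawning an external auth helper without leaving a <defunct> child.

Added example for this thread, not code from kopano-server or Samba.  It
assumes only that the helper reads one request line on stdin and answers on
stdout, as `ntlm_auth --helper-protocol=...` does.  Because the real binary
is not available here, two constructed stand-in helpers (one that answers,
one that hangs like the one in the thread) go through the same code path.
"""
import os
import subprocess
import sys

# Constructed stand-ins for ntlm_auth, run with the current interpreter.
HELPER_OK = "import sys; sys.stdin.readline(); print('OK'); sys.stdout.flush()"
HELPER_HANGS = "import sys, time; sys.stdin.readline(); time.sleep(60)"


def pid_exists(pid):
    """True while the kernel still holds a process-table entry for pid.

    A killed child keeps its entry (shown as <defunct> by ps) until its parent
    waits for it: kill(pid, 0) succeeds for such a zombie and fails with
    ESRCH only once the child has been reaped.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def run_helper(helper_source, request, timeout=2.0, reap=True):
    """Send one request line to a helper and collect its reply.

    If the helper does not answer within `timeout` seconds it is killed, which
    is the action the kopano-server log line in the thread describes.  With
    reap=True the dead child is then waited for, so no zombie remains; with
    reap=False that wait is skipped to show the leak (the Popen object is
    returned in the result so the caller can still reap it later).
    """
    proc = subprocess.Popen(
        [sys.executable, "-c", helper_source],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL, text=True,
    )
    result = {"pid": proc.pid, "proc": proc, "status": None, "reply": None}
    try:
        out, _ = proc.communicate(request + "\n", timeout=timeout)
        result["status"] = "ok" if proc.returncode == 0 else "error"
        result["reply"] = out.strip()
        return result
    except subprocess.TimeoutExpired:
        proc.kill()                      # SIGKILL the hung helper
        result["status"] = "timeout"
        # The pid is still in the process table: the child is now a zombie
        # (<defunct>) until somebody waits for it.
        result["visible_after_kill"] = pid_exists(proc.pid)
        if reap:
            proc.communicate()           # reaps the child, closes the pipes
            result["visible_after_reap"] = pid_exists(proc.pid)
        return result


if __name__ == "__main__":
    print(run_helper(HELPER_OK, "YR"))
    good = run_helper(HELPER_HANGS, "YR", timeout=1.0)
    print("reaped:", good["status"], good["visible_after_kill"],
          good["visible_after_reap"])
    leak = run_helper(HELPER_HANGS, "YR", timeout=1.0, reap=False)
    print("leaked zombie still visible:", pid_exists(leak["pid"]))
    leak["proc"].communicate()           # clean up the demonstration zombie
```

Run it and compare `ps -o pid,ppid,stat,comm` during the leak case: the killed stand-in shows state `Z` under this script's PID exactly as the thread's `[ntlm_auth] <defunct>` does under kopano-server, and disappears only after the final communicate(). The timeout-and-kill half matches the log message; the missing half is the reap.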
@coffee_is_life ah…
CentOS… well, that's not really my cookie, I only do Debian/Ubuntu.
The phase-out of NTLMv1 is your problem (Windows and Samba). So your Samba is outdated and might cause more problems than you think.
Sure, downgrading "might" give you some short-term slack, but better to fix it correctly.
It's key to find out where it's used. But let me know; you might need to report it to CentOS as a bug, or use a higher Samba version.
There are repos you can use; I'll have to look in the Samba list. Let's wait and see what you come up with first. ;-)
-
I've downgraded all Samba packages to the last working version.
Even with these versions (4.10.16-13.el7_9 and 4.10.16-9.el7_9, checked both) I get the error from kopano-server. The parent PID of the defunct ntlm_auth process belongs to kopano-server.
Manual authentication is still working.
Seems to be a problem with kopano-server and how it calls the process.
coffee_is_life
-
I came across this discussion yesterday. In version 8.7.21 changes were made in the Kerberos code; these changes corrupt the Kerberos authentication in Kopano. They can be found in the git repository: https://github.com/Kopano-dev/kopano-core/commit/6f5412a63b750ff45206b085a3a195835322f98c . Unfortunately Kopano did not detect this during testing, or Kopano does not care.