On Tue, 2018-02-06 at 22:06 +0100, j2ev centrum cz wrote:
> Hello, I spent a little more time investigating the issue. I took a look into the source code of libsoup and I think it calls winbind's ntlm_auth binary without a password, with the --use-cached-creds option only. And if that does not work, it does some computations of its own. I am no programmer, so I might be wrong. Nevertheless, I tried to join the domain and log in with pam_winbind to be able to use the cached credentials. I tried to call ntlm_auth manually and it worked, and so did the login in Evolution. I think that libsoup itself might not actually support NTLMv2, maybe just NTLM2, or the implementation is broken. Anyway, I am posting it for information. If anyone were willing to take a look at this, I would appreciate it. Using Thunderbird with the EWS plugin for calendars is rather difficult.
Can you clarify please? If you use ntlm_auth for single-sign-on, it works? If you use Kerberos (which you should), it works? The only case that doesn't work is when you *don't* use ntlm_auth (because you've moved it out of the way or because winbindd does have creds), and libsoup attempts to do the authentication for itself using a password that you provide manually? I'd like to see the NTLM exchanges in both working and failing cases, please.
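For comparing the working and failing NTLM exchanges requested above, the following added example (not code from either poster or from libsoup) decodes the `NTLM <base64>` value of an HTTP `Authorization` or `WWW-Authenticate` header and reports the message type, the extended-session-security flag and, for Type 3, whether the response is NTLMv1, NTLM2 session or NTLMv2, without printing the response bytes. The function names are hypothetical, the sample message is constructed from dummy bytes, and it assumes a Type 3 message that carries the flags field (64-byte fixed header).

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAG_ESS = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Read a (len, maxlen, offset) security buffer header and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def describe_ntlm(header_value):
    """Summarise one 'NTLM <base64>' header value (hypothetical helper)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    flags_pos = {1: 12, 2: 20, 3: 60}.get(mtype)  # offset of NegotiateFlags per type
    if flags_pos is None or len(msg) < flags_pos + 4:
        raise ValueError("unknown or truncated NTLM message")
    flags = struct.unpack_from("<I", msg, flags_pos)[0]
    info = {"type": mtype, "flags": flags, "ess": bool(flags & FLAG_ESS)}
    if mtype == 3:
        lm, nt = _field(msg, 12), _field(msg, 20)  # LM and NT response buffers
        if len(nt) > 24:  # 16-byte proof plus variable-length blob
            info["response"] = "NTLMv2"
        elif len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
            info["response"] = "NTLM2 session"  # LM field = client nonce + zero padding
        elif len(nt) == 24:
            info["response"] = "NTLMv1"
        else:
            info["response"] = "none/other"
    return info

def _sample_type3(lm, nt):
    """Constructed Type 3 message built from dummy bytes (no real credentials)."""
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, 64 + len(lm) + len(nt)) * 4  # empty name/key fields
    hdr += struct.pack("<I", FLAG_ESS)
    return "NTLM " + base64.b64encode(hdr + lm + nt).decode()
```

Running `describe_ntlm` on the Type 3 header from the ntlm_auth case and from the manual-password case shows which response type each path produced.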