curl can't connect thought NTLM proxy with --proxy-any option

[NTMan]

curl can't connect thought NTLM proxy with --proxy-any option

$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl --version
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.50.0-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink 

$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs curl -v --proxy-any http://google.com
* Rebuilt URL to: http://google.com/
*   Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374  
< 
* Closing connection 0
* Issue another request to this URL: 'http://google.com/'
* Hostname 172.18.4.7 was found in DNS cache
*   Trying 172.18.4.7...
* Connected to 172.18.4.7 (172.18.4.7) port 8080 (#1)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  )
< Via:1.1 ISAEG
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Kerberos
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate. 
< Proxy-Authenticate: Negotiate
< Connection: close
* HTTP/1.1 proxy connection set close!
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 2374  
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>The page cannot be displayed</TITLE>
<STYLE>A:link {
    FONT: 8pt/11pt verdana; COLOR: #ff0000
}
A:visited {
    FONT: 8pt/11pt verdana; COLOR: #4e4e4e
}
</STYLE>

<META content=NOINDEX name=ROBOTS>
<META http-equiv=Content-Type content="text-html; charset=Windows-1252">

<META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<TABLE cellSpacing=5 cellPadding=3 width=410>
  <TBODY>
  <TR>
    <TD vAlign=center align=left width=360>
      <H1 style="FONT: 13pt/15pt verdana; COLOR: #000000"><!--Problem-->The page 
      cannot be displayed</H1></TD></TR>
  <TR>
    <TD width=400 colSpan=2><FONT 
      style="FONT: 8pt/11pt verdana; COLOR: #000000">There is a problem with the 
      page you are trying to reach and it cannot be displayed.</FONT></TD></TR>
  <TR>
    <TD width=400 colSpan=2><FONT 
      style="FONT: 8pt/11pt verdana; COLOR: #000000">
      <HR color=#c0c0c0 noShade>

      <P>Please try the following:</P>
      <UL>
        <LI>Click the Refresh button, 
        or try again later.<BR>
        <LI>Open the Web site
         home page, and then look for links to the information you want. 
        <LI>If you typed the page address in the Address bar, make sure that it
        is spelled correctly.<BR>
        <LI>Verify that the Internet access policy on your network allows you
        to view this this page.</LI>
        <LI>If you believe you should be able to view this directory or page, 
        please contact the Web site administrator by using the e-mail address or 
        phone number listed on the Web site
         home page. </LI></UL>
      <H2 style="FONT: 8pt/11pt verdana; COLOR: #000000">HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)<BR>Internet Security and Acceleration Server</H2>
      <HR color=#c0c0c0 noShade>

      <P>Technical Information (for support personnel)</P>
      <UL>
        <LI>Background:<BR>The gateway could not retrieve the requested page.<P></P></LI>
        <LI>ISA Server: isaeg.east.kronospan.int<BR>
        Via: <BR><BR>Time: 14.06.2016 14:09:49 GMT
        </LI></UL></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
* Closing connection 1

$ LD_LIBRARY_PATH=/home/synergy/curl/curl/lib/.libs /home/synergy/curl/curl/src/curl -V
curl 7.50.0-DEV (x86_64-unknown-linux-gnu) libcurl/7.50.0-DEV NSS/3.24 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink �

Operating system Fedora 23 and RHEL 7.
This problem occurred if curl compiled with --with-gssapi option.

[iboukris]

• gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.

The proxy supports Negotiate which is prefered over NTLM so curl tries using GSSAPI and it fails.
You may use '--proxy-ntlm --proxy-basic' instead of any, to support both NTLM and Basic auth.

[NTMan]

Ok, why needed this mode. Some companies have corporate politics use Microsoft Forefront TMG.

And when we begin install Linux the problems begin. Many programs use the curl, but to tell them that they must use --proxy-ntlm option is impossible.
Maximum that I can tell to them is proxy address, user name and password. I like do it system-wide.

# cat /etc/profile.d/proxy.sh 
http_proxy=http://east-kronospan\\edvglu:niva4x4\$\$\$@172.18.4.7:8080
https_proxy=$http_proxy
export http_proxy
export https_proxy
no_proxy=127.0.0.1,10.18.1.57
export no_proxy

What we want?

We want that Linux workstation can work in Windows network. Able update via package manager (yum, dnf, aptitude, etc) download files via wget, send bug reports via gnome-abrt, and of course expected if it was a server all server software php, python etc able work via curl (SOAP) with external services of course without rewriting this software.

Here needed yet another option in environment which would be ignore GSSAPI faiure or ignore GSSAPI faiure by default.

Thanks.

[kdudka]

On Tuesday, June 14, 2016 10:19:05 Mikhail wrote:

Ok, why needed this mode. Some companies have corporate politics use
Microsoft Forefront TMG.

And when we begin install Linux the problems begin. Many programs use the
curl, but to tell them that they must use --proxy-ntlm option is
impossible. Maximum that I can tell to them is proxy address, user name and
password. I like do it system-wide.

cat /etc/profile.d/proxy.sh

http_proxy=http://east-kronospan\edvglu:niva4x4\$\$\$@172.18.4.7:8080
https_proxy=$http_proxy
export http_proxy
export https_proxy
no_proxy=127.0.0.1,10.18.1.57
export no_proxy

What we want?

We want that Linux workstation can work in Windows network. Able update via
package manager (yum, dnf, aptitude, etc) download files via wget, send bug
reports via gnome-abrt, and of course expected if it was a server all
server software php, python atc able work via curl (SOAP) with external
services of course without rewriting this software.

Thank you for providing the background info. Could this be resolved
by configuring the proxy such that it does not advertise Kerberos?

Kamil

Here needed yet another option in environment which would be ignore GSSAPI
faiure or ignore GSSAPI faiure by default.

Thanks.

---

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#876 (comment)

[NTMan]

Unfortunately we can not affect admins which tuning the proxy server. If we could we already agreed about opening required ports to the Internet. We have already found a workaround this is cntlm proxy which installed on our side and pass all queries to NTLM proxy. But I would like that curl can do it directly. Linux should to be more friendlier and more comfortable this only way breaks through the way to desktop.

What is wrong with cntlm?

Main problem is installation this package, because package managers couldn't work (they use of course curl, but curl by default not work with NTLM), also not work wget. Only one way to install cntlm is manually download it with command curl --proxy-ntlm -O https://kojipkgs.fedoraproject.org/packages/cntlm/0.92.3/9.fc24/x86_64/cntlm-0.92.3-9.fc24.x86_64.rpm

Second problem for downloading cntlm package we must know full url to it.

For compare with Windows, for starting work enough enter proxy address and credentials.

[bagder]

gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate

That should of course be enough clues for libcurl to decide that it should rather try another allowed authentication mechanism...

[iboukris]

Please see a possible fix for HTTP (works for me):
iboukris@148b911

It is a bit ugly because we clear 'data->state.authhost.avail' once we pick one auth from all the available ones (supported by the server), however we still have this info in 'data->info.httpauthavail'.

[iboukris]

Hmm, I think this patch assumes Negotiate header is the first header.
Perhaps we need another approach.

[captain-caveman2k]

I've pushed a fix that I think addresses #718 for the most part which was built off some work I was doing back in March that I have recently pushed - However in this fix I have assumed we should let GSS-API based empty user names through as the user will be coming from the credientals cache.

I understand that even then it could fail so we could modify either this function or the new Curl_auth_is_spnego_supported() function to try and attempt to generate a token.

[captain-caveman2k]

we clear 'data->state.authhost.avail' once we pick one auth from all the available ones

Does anyone know why we clear this here? It's been baffling me for a few days now!

[bagder]

Does anyone know why we clear this here

I don't recall exactly, but I think it may just be a precaution for the next request using the same easy handle?

[iboukris]

I understand that even then it could fail so we could modify either this function or the new Curl_auth_is_spnego_supported() function to try and attempt to generate a token.

Yea, maybe we can call gss_inquire_cred() in the new Curl_auth_is_spnego_supported() check.

[iboukris]

Actually, maybe it's better to attempt to generate a token instead of calling gss_inquire_cred() because it would help to detect possible failure due to improper target name, e.g. when IP is used instead of hostname (and no reverse dns available).