cntlm: does not work properly compared to Ubuntu

[carlosdagos]

Describe the bug

Copied from from an email that I received:

 Dear maintainers,
i am trying cntlm on nixos as the company i work for is using one of those corporate proxy..
after configuring cntlm on a nixos vm, i noticed it was not working.  
i started comparing an ubuntu vm with cntlm with the nixos vm with cntlm. i am using same configuration in both machines the authorization on the nixos machine looks wrong:

i masked some sensitive information:

NIXOS

******* Round 1 C: 5 *******
Reading headers (5)...
HEAD: CONNECT www.google.com:443 HTTP/1.1
NO: www.google.com (localhost)
NO: www.google.com (127.0.0.*)
NO: www.google.com (10.*)
NO: www.google.com (192.168.*)
NO: www.google.com (*.europe.intranet)
NO: www.google.com (*.intranet)
NO: www.google.com (*.ing.net)
NO: www.google.com (*.local)
Thread processing...
cntlm[3090]: Using proxy giba-proxy.xxxxxxx.net:8080
cntlm[3090]: Resolving proxy giba-proxy.xxxxxxx.ing.net...
Resolve giba-proxy.xxxxxxxx.net:
-> 10.196.63.225
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => Keep-Alive
cntlm[3090]: 127.0.0.1 CONNECT www.google.com:443
NTLM Request:
Domain: AD
Hostname: nixos
Flags: 0xA208B205
Sending PROXY auth request...
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => keep-alive
Proxy-Authorization => NTLM OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO0OO

Content-Length => 0

Reading PROXY auth response...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:09:37 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 12637
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => Negotiate
Proxy-Authenticate => NTLM
Discarding 12637 bytes.
cntlm[3090]: Proxy returning invalid challenge!
Sending headers (6)...
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => keep-alive
No body.
******* Round 2 C: 5, S: 6 (authok=0, noauth=0) *******
Reading headers (6)...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:09:37 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 12637
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => Negotiate
Proxy-Authenticate => NTLM
Sending headers (5)...
Body included. Length: 12637
data_send: read 2048 of 2048 / 2048 of 12637 (errno = ok)
data_send: wrote 2048 of 2048


UBUNTU:
Resolve <redacted>:
-> <redacted>
Host => www.google.com:443
User-Agent => curl/7.74.0
Proxy-Connection => Keep-Alive
cntlm[1371]: 127.0.0.1 CONNECT www.google.com:443
NTLM Request:
Domain: AD
Hostname: <redacted>
Flags: 0xA208B205
Sending PROXY auth request...
Host => www.google.com:443
User-Agent => curl/7.74.0
Proxy-Connection => keep-alive
Proxy-Authorization => NTLM TOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO1VLVZJUlRVQUxCT1hBRA==
Content-Length => 0
Reading PROXY auth response...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:01:22 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 0
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => NTLM TlRMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=
NTLM Challenge:
Challenge: 7984431D8955214B0 (len: 92)
Flags: 0xA0898205
Server: <redacted>
NT domain: ad
TBofs: 52
TBlen: 40
ttype: 0


so in case of ubuntu a proper negotiation is done, (i see the proxy authenticate sending some kind of base64 auth ? ) while on nixos that is not the case.
now, this is the moment where everything gets weird as i tried to compile the source  (sourceforge tgz on both cases) on both vms and the behaviour is always the same: good on ubuntu fail on nixos.

ldd ./cntlm
linux-vdso.so.1 (0x00007ffdee1ba000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9a7566d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a75481000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9a756bc000)

ldd ./cntlm
linux-vdso.so.1 (0x00007ffc93a4b000)
libpthread.so.0 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/libpthread.so.0 (0x00007fc62ddbe000)
libc.so.6 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/libc.so.6 (0x00007fc62dbfd000)
/nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/ld-linux-x86-64.so.2 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib64/ld-linux-x86-64.so.2 (0x00007fc62dde1000) 

Steps To Reproduce

Steps to reproduce the behavior: TBD

Expected behavior

TBD

Screenshots

None.

Additional context

Ubuntu seems to be working differently to nix package.

Notify maintainers

@carlosdagos
@qknight

Metadata

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:

[henriqueqc]

Had the same problem @carlosdagos . For some reason, if the hostname is nixos it does not work. Changing it to something different worked.

I recompiled the same version from source in both Ubuntu and NixOs and used the -M together with the -v argument to test the configuration. I noticed that the only difference was the hostname. Changing the hostname to something other than nixos worked. Seems like a very strange behavior, but I did not investigated further to know exactly why this is.

I know that you report was years ago, so I'm just commenting here in case anyone else hits the same problem.

[henriqueqc]

I changed the hostname on the Ubuntu machine to nixos and it also fails. So both NixOS and Ubuntu have the same behavior. It appears to be an upstream bug or a bug with the NTLM server.

[F-Joachim]

Great @henriqueqc. I experienced exactly the same problem. Changing the hostname worked for me. Thanks 👍

[carlosdagos]

Closing this as I don't think it's an issue with the package, as @henriqueqc points out it may be the hostname setting affecting the NTLM server. And this would make sense, as some servers may verify the hostname against the username (assuming corporate environments). We can reopen if necessary, but I don't think on the package side there's much to do here :)

[F-Joachim]

Hi @carlosdagos - Yes, you're absolutely right. The issue has nothing to do with the package. It seems that our company NTLM server blocks requests if too many of them come from the same hostname. And that exactly the case if you install NixOS from scratch with the hostname nixos 😊 Setting the Workstation property (to your real hostname for example) in the cntlm config solves the problem.