cntlm: does not work properly compared to Ubuntu #146097

Closed
carlosdagos opened this issue Nov 15, 2021 · 4 comments

@carlosdagos
Member

Describe the bug

Copied from an email that I received:

Dear maintainers,
I am trying cntlm on NixOS as the company I work for is using one of those corporate proxies.
After configuring cntlm on a NixOS VM, I noticed it was not working.
I started comparing an Ubuntu VM with cntlm with the NixOS VM with cntlm. I am using the same configuration on both machines. The authorization on the NixOS machine looks wrong:

I masked some sensitive information:

NIXOS

******* Round 1 C: 5 *******
Reading headers (5)...
HEAD: CONNECT www.google.com:443 HTTP/1.1
NO: www.google.com (localhost)
NO: www.google.com (127.0.0.*)
NO: www.google.com (10.*)
NO: www.google.com (192.168.*)
NO: www.google.com (*.europe.intranet)
NO: www.google.com (*.intranet)
NO: www.google.com (*.ing.net)
NO: www.google.com (*.local)
Thread processing...
cntlm[3090]: Using proxy giba-proxy.xxxxxxx.net:8080
cntlm[3090]: Resolving proxy giba-proxy.xxxxxxx.ing.net...
Resolve giba-proxy.xxxxxxxx.net:
-> 10.196.63.225
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => Keep-Alive
cntlm[3090]: 127.0.0.1 CONNECT www.google.com:443
NTLM Request:
Domain: AD
Hostname: nixos
Flags: 0xA208B205
Sending PROXY auth request...
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => keep-alive
Proxy-Authorization => NTLM OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO0OO

Content-Length => 0

Reading PROXY auth response...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:09:37 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 12637
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => Negotiate
Proxy-Authenticate => NTLM
Discarding 12637 bytes.
cntlm[3090]: Proxy returning invalid challenge!
Sending headers (6)...
Host => www.google.com:443
User-Agent => curl/7.76.1
Proxy-Connection => keep-alive
No body.
******* Round 2 C: 5, S: 6 (authok=0, noauth=0) *******
Reading headers (6)...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:09:37 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 12637
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => Negotiate
Proxy-Authenticate => NTLM
Sending headers (5)...
Body included. Length: 12637
data_send: read 2048 of 2048 / 2048 of 12637 (errno = ok)
data_send: wrote 2048 of 2048


UBUNTU:
Resolve <redacted>:
-> <redacted>
Host => www.google.com:443
User-Agent => curl/7.74.0
Proxy-Connection => Keep-Alive
cntlm[1371]: 127.0.0.1 CONNECT www.google.com:443
NTLM Request:
Domain: AD
Hostname: <redacted>
Flags: 0xA208B205
Sending PROXY auth request...
Host => www.google.com:443
User-Agent => curl/7.74.0
Proxy-Connection => keep-alive
Proxy-Authorization => NTLM TOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO1VLVZJUlRVQUxCT1hBRA==
Content-Length => 0
Reading PROXY auth response...
HEAD: HTTP/1.1 407 authenticationrequired
Date => Thu, 28 Oct 2021 07:01:22 GMT
Content-Type => text/html
Cache-Control => no-cache
Content-Length => 0
X-Frame-Options => deny
Proxy-Connection => Keep-Alive
Proxy-Authenticate => NTLM TlRMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=
NTLM Challenge:
Challenge: 7984431D8955214B0 (len: 92)
Flags: 0xA0898205
Server: <redacted>
NT domain: ad
TBofs: 52
TBlen: 40
ttype: 0


So in the case of Ubuntu a proper negotiation is done (I see the proxy authenticate sending some kind of base64 auth?), while on NixOS that is not the case.
Now, this is the moment where everything gets weird, as I tried to compile the source (SourceForge tgz in both cases) on both VMs and the behaviour is always the same: good on Ubuntu, fail on NixOS.

ldd ./cntlm
linux-vdso.so.1 (0x00007ffdee1ba000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9a7566d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a75481000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9a756bc000)

ldd ./cntlm
linux-vdso.so.1 (0x00007ffc93a4b000)
libpthread.so.0 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/libpthread.so.0 (0x00007fc62ddbe000)
libc.so.6 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/libc.so.6 (0x00007fc62dbfd000)
/nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib/ld-linux-x86-64.so.2 => /nix/store/jsp3h3wpzc842j0rz61m5ly71ak6qgdn-glibc-2.32-54/lib64/ld-linux-x86-64.so.2 (0x00007fc62dde1000) 

Steps To Reproduce

Steps to reproduce the behavior: TBD

Expected behavior

TBD

Screenshots

None.

Additional context

Ubuntu seems to be working differently to nix package.

Notify maintainers

@carlosdagos
@qknight

Metadata

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
@carlosdagos carlosdagos added the 0.kind: bug Something is broken label Nov 15, 2021
@carlosdagos carlosdagos self-assigned this Nov 15, 2021
@carlosdagos carlosdagos changed the title cntlm cntlm: does not work properly compared to Ubuntu Nov 15, 2021
@henriqueqc

Had the same problem, @carlosdagos. For some reason, if the hostname is nixos it does not work. Changing it to something different worked.

I recompiled the same version from source in both Ubuntu and NixOS and used the -M together with the -v argument to test the configuration. I noticed that the only difference was the hostname. Changing the hostname to something other than nixos worked. Seems like a very strange behavior, but I did not investigate further to know exactly why this is.

I know that your report was years ago, so I'm just commenting here in case anyone else hits the same problem.

@henriqueqc

I changed the hostname on the Ubuntu machine to nixos and it also fails. So both NixOS and Ubuntu have the same behavior. It appears to be an upstream bug or a bug with the NTLM server.

@F-Joachim

Great @henriqueqc. I experienced exactly the same problem. Changing the hostname worked for me. Thanks 👍

@carlosdagos
Member Author

carlosdagos commented Mar 24, 2025

Closing this as I don't think it's an issue with the package, as @henriqueqc points out it may be the hostname setting affecting the NTLM server. And this would make sense, as some servers may verify the hostname against the username (assuming corporate environments). We can reopen if necessary, but I don't think on the package side there's much to do here :)
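
The hostname observation in this thread can be checked directly by decoding the NTLM Type 1 (negotiate) token from a `Proxy-Authorization => NTLM ...` line and comparing it between two machines. This is an added example, not part of the issue or of cntlm: the tokens are constructed (domain `AD`, flags `0xA208B205` and hostname `nixos` come from the log above, `workstation01` is hypothetical), and `build_type1`, `parse_type1` and `diff_type1` are hypothetical helper names.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
HEADER_LEN = 32  # signature(8) + type(4) + flags(4) + two 8-byte security buffers


def build_type1(domain, workstation, flags):
    """Constructed sample token (not cntlm's code). Upper-casing is an assumption."""
    dom = domain.upper().encode("ascii")
    ws = workstation.upper().encode("ascii")
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(dom), len(dom), HEADER_LEN + len(ws))
    msg += struct.pack("<HHI", len(ws), len(ws), HEADER_LEN)
    return "NTLM " + base64.b64encode(msg + ws + dom).decode("ascii")


def _read_buffer(raw, pos):
    """Follow one security buffer (length, max length, offset) into the payload."""
    length, _max_len, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length].decode("ascii", "replace")


def parse_type1(header_value):
    """Decode the value of a Proxy-Authorization header carrying an NTLM Type 1."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization value")
    raw = base64.b64decode(token, validate=True)
    if len(raw) < HEADER_LEN or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message with domain/workstation buffers")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected Type 1, got Type {msg_type}")
    return {"flags": flags, "domain": _read_buffer(raw, 16),
            "workstation": _read_buffer(raw, 24)}


def diff_type1(header_a, header_b):
    """Return only the fields that differ between two Type 1 tokens."""
    a, b = parse_type1(header_a), parse_type1(header_b)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}


if __name__ == "__main__":
    failing = build_type1("AD", "nixos", 0xA208B205)          # values from the log
    working = build_type1("AD", "workstation01", 0xA208B205)  # hypothetical hostname
    print(diff_type1(failing, working))
```

Given the unmasked header values from two `-v` runs, `diff_type1` shows whether anything other than the workstation field differs; a masked or truncated token is rejected with `ValueError` rather than decoded into misleading fields.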
