First, let me express my gratitude for such a great software. It's incredibly useful and very well implemented.
I was able to set it up very easily, but my proxy denied (400) me requests to OpenDNS-banned sites, while my browser (using IE proxy settings) allowed me to access them.
I ran Wireshark to understand why that difference of behavior, and what I found was that in the NTLMSSP_NEGOTIATE phase, IE sends a Proxy-Authorization header with "Calling workstation domain" at NULL and "Calling workstation name" at NULL. Therefore, the NTLMSSP_CHALLENGE response is issued from a different Domain, and I guess that it's that Domain that let me bypass OpenDNS.
During the NTLMSSP_AUTH phase, IE send the right "Domain name" and "Host name". It's only during the NTLMSSP_NEGOTIATE phase that IE send NULL in "Calling workstation domain" and "Calling workstation name".
So my question is : is it possible to configure cntlm in such a way that it will send NULL in these places?
Actually, after further investigation, I noticed that the NEGOTIATE flags were different. IE sends :
Negotiate OEM Workstation Supplied: Not set
Negotiate OEM Domain Supplied: Not set
Negotiate OEM: Set
While cntlm sends:
Negotiate OEM Workstation Supplied: Set
Negotiate OEM Domain Supplied: Set
Negotiate OEM: Not set
Is there a switch for cntlm that would enable "OEM Negotiation" ?
Well, you can configure the flags that are sent, see the Flags option. But, Cntlm doesn't look at these particular bits so it will include the host name and domain name anyway. However, the other side is probably Microsoft code that should honor these bits and ignore the supplied fields when they're not signalled in the bit mask.
Try it and let me know. If that doesn't help, I could implement an extension for you that would make this behavior optional.