In attachment a first try (working) to integrate GSS in cntlm.
If you have a default cached credential or if you specify GSS as auth in conf, then GSS integration will be activated.
Here the attachment.
I've prepared a patch based on your work and sent it via e-mail; unfortunately, your SourceForge address is unreachable.
For your reference the patch is at https://sourceforge.net/tracker/?func=detail&aid=3074770&group_id=197861&atid=963164 (sorry, I've no idea how to attach a patch right here).
Hi, thanks for the patch!
I added a little description to the man page and made some changes to the code.
Feature request will be accepted.
If this works, I'll integrate it into the next major stable, 0.93. Does it work at the same time as NTLM or is that some hard-coded overwrite/replacement? If so, can you make a run-time auto selection for it? And add "--with-kerberos" to the custom ./configure script?
For example:
- use NTLM if NTLM creds are available (Auth = nt|lm*)
- use Negotiate if no NTLM creds available (Auth = gss)
- bail gracefully/transparently by passing the full 407 reply from the proxy to the client if the proxy doesn't support the Auth we are configured for
yes it works :-)
I see there are some changes in svn since I wrote the patch. I need to review the patch.
It is not an overwrite/replacement.
You can configure it in the conf file using GSS as the auth type, or (if no auth type is specified) it will be used automatically if a Kerberos token is present.
> - bail gracefully/transparently by passing the full 407 reply from the proxy to the client if the proxy doesn't support the Auth we are configured for
I must check if this last point is already implemented.
I'll let you know in the next days!
Luca,
Your last patch has the copyright of the nice MIT folks removed again :(. And it doesn't apply to trunk. Also I believe you should do CFLAGS+=-DENABLE_KERBEROS if the support is enabled by doing make ENABLE_KERBEROS=1. Regardless of that, I still have the segfault when trying to connect to a w2k8 ISA:
cntlm: Available cached credential p.fertser@WORK.LOCAL
cntlm: Forcing GSS auth.
cntlm: Using cached credential for GSS auth.
cntlm: SOCKS5 proxy will NOT require any authentication
cntlm: Using following NTLM hashes: NTLMv2(0) NT(0) LM(0)
cntlm[5419]: Cntlm ready, staying in the foreground
[New Thread 0xb7cffb70 (LWP 5423)]
******* Round 1 C: 8 *******
Reading headers (8)...
HEAD: GET http://ya.ru/ HTTP/1.0
Thread processing...
cntlm[5419]: Using proxy 192.168.101.5:8080
User-Agent => Wget/1.12 (linux-gnu)
Accept => */*
Host => ya.ru
cntlm[5419]: 127.0.0.1 GET http://ya.ru/
cntlm[5419]: SPN name HTTP@192.168.101.5
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cffb70 (LWP 5423)]
0xb7dcf254 in ?? () from /usr/lib/i386-linux-gnu/libkrb5.so.3
(gdb) bt
#0 0xb7dcf254 in ?? () from /usr/lib/i386-linux-gnu/libkrb5.so.3
#1 0xb7dd1ce4 in profile_init () from /usr/lib/i386-linux-gnu/libkrb5.so.3
#2 0xb7dc70cd in ?? () from /usr/lib/i386-linux-gnu/libkrb5.so.3
#3 0xb7dc71a8 in krb5_os_init_context () from /usr/lib/i386-linux-gnu/libkrb5.so.3
#4 0xb7da3886 in ?? () from /usr/lib/i386-linux-gnu/libkrb5.so.3
#5 0xb7f9825b in ?? () from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2
#6 0xb7f96e21 in ?? () from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2
#7 0xb7f8833b in ?? () from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2
#8 0xb7f8964f in gss_init_sec_context () from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2
#9 0x0805a9ca in client_establish_context (proxy=0x8063380, credentials=0x8063160,
buf=0x8069d40 "") at kerberos.c:212
#10 acquire_kerberos_token (proxy=0x8063380, credentials=0x8063160, buf=0x8069d40 "")
at kerberos.c:264
#11 0x08055134 in proxy_authenticate (sd=0xb7cff318, request=0x8067278, response=0x80673c8,
credentials=0x8063160) at forward.c:141
#12 0x08055cf1 in forward_request (thread_data=0x8068fd0, request=0x0) at forward.c:537
#13 0x08059d0d in proxy_thread (thread_data=0x8068fd0) at main.c:351
#14 0xb7fbbc39 in start_thread (arg=0xb7cffb70) at pthread_create.c:304
#15 0xb7ee996e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
(gdb)
ii libkrb5-3 1.9.1+dfsg-3 MIT Kerberos runtime libraries
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: p.fertser@WORK.LOCAL
Valid starting Expires Service principal
12/02/11 10:03:18 12/02/11 20:03:16 krbtgt/WORK.LOCAL@WORK.LOCAL
renew until 12/03/11 10:03:18
Please also check it does indeed work without specifying -a gss, because for me it seems to ignore the cached credentials (even though it finds them on start). I can probably try to understand and fix the segfault, but at the moment I have other stuff to do at work, and of course this bloody proxy is needed only at work. Testing the changes is not a problem though, but I'd appreciate cleaner patches against trunk.
Yes, I must modify the patch for trunk and test it again.
Are you sure there is an HTTP@192.168.101.5 in your Active Directory? Usually hostnames are used for SPNs.
Of course I will take care to solve the segfault.
Actually the patch needs the krb ticket to be available at service startup if no auth is specified. I know this is not the best solution.
I'll let you know asap.
Sigh, is there a more comfortable way to discuss things than this lousy bugtracker?
192.168.101.5 is the proxy server; it's a different machine from the actual "domain controller" (which runs the Kerberos server). I have also tried to specify the proxy's domain name in the config, the result was the same. I can assure you that at the moment I was trying to start cntlm I had a nice valid ticket in the cache (see my klist output in another comment) and it works for e.g. smbclient -k.
Hope you'll be able to sort it out, happy hacking!
Hi,
How could I install this patch in my current cntlm installation (0.92.1) in a Windows 7 environment? I used the cntlm-0.92.1-setup.exe installer.
Or when will this patch be integrated in the installer?
Thanks for this amazing solution.
You need to check out the source, apply the patch and recompile.
To be honest I never tested it on Windows; I suspect there is no GSS library for Cygwin, so you would need to compile the Kerberos libraries too.
Anyway, when I have time I will investigate further.
I
patch to trunk (282) with config switch
Hi mavey, I have uploaded a patch with the switch in config to enable Kerberos auth (--enable-kerberos).
The behavior is the following:
1) If no auth is specified, then it tries to find a Kerberos credential and, if found, uses it for parent proxy auth.
2) If auth is specified as gss, then at each new proxy connection cntlm tries to find a GSS credential to use.
In both cases, if the acquisition of a Kerberos token fails, then the NT/LM token is sent as usual.
Your last request:
- bail gracefully/transparently by passing the full 407 reply from the
is still not implemented; I will try in the next days.
I fixed the problem with my SourceForge mail address, feel free to contact me.
Thanks, so the work is progressing?
Thing is, I don't know anything about Kerberos. Can I make it work with a regular NTLMv2-based domain controller? Is "Negotiate" = Kerberos? I'll need to understand how to work with it and set it up on my system before I integrate the patch. Only then can I see how it works and if it's up to Cntlm's source code standards (not saying it isn't, just that I have to make sure and might need to refactor things around to make it compatible with Cntlm extensions I'm planning in the future; we don't want to rewrite the whole thing with every new major feature added to Cntlm, right?).
Thanks!
hi,
If I remember well, since Windows Server 2003 Kerberos is active by default.
To check it you need a Windows PC registered in the domain; log in as a domain user,
then execute the command klist to check if you got a Kerberos token.
Instead of klist you can use the MIT Kerberos for Windows UI tool.
The next step is to activate Kerberos auth in your proxy, and this step depends on the proxy you use. I suppose the Microsoft proxy is already configured to use Kerberos.
Now you need to install krb5 and configure it on your Linux box; for this you can find several docs on the web.
Negotiate is not Kerberos; it is a protocol to negotiate the auth method between client and server. If the server or client asks for Negotiate, it is implicit that Kerberos can be used as auth. If Kerberos is not available on both sides then it falls back to NTLM and then to Basic.
For how SPNEGO works it is better to look at some Microsoft documents like http://msdn.microsoft.com/en-us/library/ms995329.aspx and many others.
The patch does the following:
1) If a Kerberos credential is available and the proxy has a valid principal name (SPN), then the client request is forwarded to the proxy with the credentials without starting the negotiation; there is no need to perform a request, wait for a 401 answer and then remake the request with the credential.
If there is no Kerberos credential or no valid SPN for the proxy, then it will continue with NTLM as usual and will no longer try Kerberos.
2) If GSS auth is specified in the cntlm configuration and no credential is available, at each request it will try to acquire a valid credential; if that fails it will fall back to NTLM.
Let me know if you need deeper details or changes to the behavior / code.
thanks
Luca
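Added example (not cntlm's code and not Luca's patch): the three points argued over in this thread modelled as plain Python, so the decisions can be read and tested without a KDC. It covers the target-name question (HTTP@192.168.101.5 versus a hostname, from the trace above), the run-time auto-selection the maintainer asked for (NTLM when NTLM creds exist, Negotiate when Auth = gss, relay the 407 when the proxy offers neither), and the patch behaviour just described (preemptive Negotiate when a ticket is cached, NTLM fallback when token acquisition fails). Function names, the Decision type, the realm and proxy values and the sample 407 are constructed here; where the patch and the maintainer's wish differ (Auth = gss, no ticket, proxy offering only NTLM) the code follows the patch and falls back to NTLM, relaying the 407 only when no usable scheme remains.

```python
"""Run-time scheme selection for the parent-proxy hop (illustrative; not cntlm)."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def gss_target_name(proxy: str, realm: Optional[str] = None):
    """Map a 'host[:port]' proxy setting to the names Kerberos works with.

    Returns (hostbased, principal, warnings):
      hostbased - GSS_C_NT_HOSTBASED_SERVICE form 'HTTP@host', the string a
                  client imports with gss_import_name before gss_init_sec_context
      principal - 'HTTP/host@REALM', the SPN a service ticket is issued for
      warnings  - reasons the KDC is unlikely to hold such an SPN
    Assumes an IPv4 address or hostname (no bracketed IPv6 literal).
    """
    host = proxy.partition(":")[0].strip().rstrip(".").lower()
    warnings = []
    try:
        ipaddress.ip_address(host)
        warnings.append("IP literal: SPNs are registered on hostnames, "
                        "use the proxy's FQDN")
    except ValueError:
        if "." not in host:
            warnings.append("short name: use the fully qualified hostname")
    principal = f"HTTP/{host}" + (f"@{realm}" if realm else "")
    return f"HTTP@{host}", principal, warnings


def parse_proxy_authenticate(headers: List[Tuple[str, str]]) -> List[str]:
    """Schemes a 407 offers, lower-cased, in order, without duplicates.

    A proxy may send one Proxy-Authenticate header per scheme or a single
    comma-separated list; 'Basic realm="..."' carries parameters after the
    scheme name.  A quoted realm containing a comma would need a real
    header parser and is not handled here.
    """
    offered: List[str] = []
    for name, value in headers:
        if name.lower() != "proxy-authenticate":
            continue
        for challenge in value.split(","):
            parts = challenge.split()
            if parts and parts[0].lower() not in offered:
                offered.append(parts[0].lower())
    return offered


@dataclass
class Decision:
    scheme: Optional[str]   # "Negotiate", "NTLM", or None = relay the 407
    reason: str


def choose_scheme(configured_auth: Optional[str], have_krb_ticket: bool,
                  have_ntlm_creds: bool,
                  offered: Optional[List[str]] = None) -> Decision:
    """Pick the scheme for one parent-proxy connection.

    configured_auth  - the 'Auth' setting: 'gss', an NTLM-family value
                       ('ntlmv2', 'ntlm', 'nt', 'lm'), or None = autoselect
    have_krb_ticket  - GSSAPI yielded a credential (klist shows a TGT)
    have_ntlm_creds  - at least one NT/LM/NTLMv2 hash is configured
    offered          - result of parse_proxy_authenticate, or None while no
                       407 has been received yet on this connection
    """
    auth = (configured_auth or "").lower()
    gss_wanted = auth == "gss" or (auth == "" and have_krb_ticket)
    no_challenge_yet = offered is None

    # Negotiate needs a usable ticket and a proxy that offers it; before any
    # 407 the token is sent preemptively, saving the challenge round trip.
    if gss_wanted and have_krb_ticket and (no_challenge_yet or "negotiate" in offered):
        return Decision("Negotiate",
                        "preemptive" if no_challenge_yet else "proxy offers Negotiate")

    # NTLM: the configured family, or the fallback when no token was acquired.
    if have_ntlm_creds and (no_challenge_yet or "ntlm" in offered):
        return Decision("NTLM", "NTLM creds configured" if not gss_wanted
                        else "no Kerberos token, falling back to NTLM")

    # Nothing we can answer with: hand the proxy's 407 to the client unchanged.
    return Decision(None, "relay 407 to client")


def negotiate_header(token: bytes) -> str:
    """Proxy-Authorization line for a GSSAPI output token (the buffer that
    gss_init_sec_context fills); the token travels base64-encoded."""
    return "Proxy-Authorization: Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed 407 header list from a proxy offering both schemes.
SAMPLE_407 = [("Proxy-Authenticate", "Negotiate"),
              ("Proxy-Authenticate", "NTLM"),
              ("Content-Length", "0")]

if __name__ == "__main__":
    print(gss_target_name("192.168.101.5:8080"))
    print(gss_target_name("proxy.work.local:8080", "WORK.LOCAL"))
    offered = parse_proxy_authenticate(SAMPLE_407)
    print(offered, choose_scheme("gss", True, False, offered))
    print(choose_scheme(None, False, True, offered))
    print(choose_scheme("gss", True, False, ["basic"]))
    print(negotiate_header(b"\x60\x82\x01\x00"))   # constructed token bytes
```

To settle the SPN side before chasing the GSSAPI call itself: `kvno HTTP/proxy.work.local` asks the KDC for a service ticket for that principal, and a following `klist` should list it next to the krbtgt entry shown earlier; if kvno fails for the name cntlm derives from its Proxy setting, gss_init_sec_context has nothing to work with for that target either.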
Great stuff. This is what I've been searching for for a couple of months. However, I'm working on Windows and don't have much experience in cross compiling. Do you have any hints for a noob? I've done some research and probably it would be possible to compile it on Linux using CMake (targeting Windows).
Thanks in advance
I've been looking at this thread for a little while now. Is there any progress on this? I'm also trying to compile the Kerberos-enabled version under Windows with Cygwin, but no success so far. I did stumble across a GitHub version, where the MIT binaries are mentioned as needed for the compile...
If you could give a little hint how to get the compiling process started with cygwin, that would be very much appreciated.
Thank you.