
#30 kerberos proxy authentication

Status: open
Owner: nobody
Priority: 5
Updated: 2019-11-22
Created: 2010-08-24
Private: No

use the cached credential to let it authenticate with the 'parent' proxy

Discussion

<< < 1 2 (Page 2 of 2)
  • Luca Di Stefano

    Luca Di Stefano - 2015-04-14

    get the source from trunk
    apply patch in attachment
    install cygwin package libkrb5-devel
    ./configure --enable-kerberos
    make

    it should compile.

    It's been a long time since I used it, and I never tried it on cygwin; anyway, I'll try to help you.

     
  • Máté István

    Máté István - 2015-04-15

    Thanks for the help, I compiled it successfully!

    I get the following 2 relevant lines on startup:
    cntlm: GSS-API error Inquire credential: Unspecified GSS failure. Minor code may provide more information
    cntlm: GSS-API error Inquire credential: No Kerberos credentials available

    Is there any special entry I need to add to the cntlm.ini or cntlm.cust.ini?

     
  • Luca Di Stefano

    Luca Di Stefano - 2015-04-19

    prerequisites are:
    a configured kerberos environment (on linux you have to edit /etc/krb5.conf)
    a kerberos ticket (on linux usually kinit is used to acquire the ticket)
    in the cntlm conf add:

    Auth gss
    Username <domain user>
    Domain <domain, e.g. COMPANY.LAN>

    then you can start cntlm

    if you still get errors, start cntlm with -v -f and post the output

    Luca

     

    Last edit: Luca Di Stefano 2015-04-19
  • Máté István

    Máté István - 2015-05-13

    I realised that my last post did not reach the forum, so I will repost.

    I have not provided all the information about how I want to make the program work; for that I apologize.

    I compiled the code successfully using cygwin. Then I took the compiled .exe along with the necessary .dlls and copied them to my corporate notebook, where I can try the kerberos proxy feature. Using the information from your last post, the output is (without sensitive information):

    C:\Programs\cntlm-0.92.3_kerberos>cntlm -f -v -c cntlm.cust.ini
    section: global, Proxy = 'proxy server'
    section: global, Auth = 'GSS'
    section: global, Username = 'username'
    section: global, Domain = 'domain'
    section: global, Listen = '5865'
    cntlm: Proxy listening on 127.0.0.1:5865
    cntlm: Workstation name used: hostname
    cntlm: Forcing GSS auth.
    cntlm: Using following NTLM hashes: NTLMv2(0) NT(0) LM(0)
    cntlm: GSS-API error Inquire credential: Unspecified GSS failure. Minor code may provide more information
    cntlm: GSS-API error Inquire credential: No Kerberos credentials available
    cntlm: PID 10568: Cntlm ready, staying in the foreground

    * Round 1 C: 4 *
    Reading headers (4)...
    HEAD: CONNECT hostname:443 HTTP/1.1
    Thread processing...
    cntlm: PID 10568: Using proxy proxy server:3128
    cntlm: PID 10568: Resolving proxy proxy server...
    Resolve proxy server:
    -> proxy ip
    Host => hostname:443
    cntlm: PID 10568: 127.0.0.1 CONNECT hostname:443
    cntlm: PID 10568: GSS-API error Inquire credential: Unspecified GSS failure. Minor code may provide more information
    cntlm: PID 10568: GSS-API error Inquire credential: No Kerberos credentials available
    cntlm: PID 10568: No valid credential available
    You're requesting with empty auth_s?!
    Credentials structure dump:
    User: username
    Domain: domain
    Wks: hostname
    HashNTLMv2: 0
    HashNT: 0
    HashLM: 0
    Flags: 0
    PassNTLMv2: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    PassNT: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    PassLM: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

    Sending PROXY auth request...
    Host => destination:443
    Proxy-Connection => keep-alive
    Proxy-Authorization => NTLM
    Content-Length => 0

    Reading PROXY auth response...
    HEAD: HTTP/1.1 407 Proxy Authentication Required
    Server => squid/3.2.13
    Mime-Version => 1.0
    Date => Wed, 13 May 2015 12:49:47 GMT
    Content-Type => text/html
    Content-Length => 3268
    X-Squid-Error => ERR_CACHE_ACCESS_DENIED 0
    Proxy-Authenticate => Negotiate
    X-Cache => MISS from proxy server
    Via => 1.1 proxy server (squid/3.2.13)
    Connection => keep-alive
    Discarding 3268 bytes.
    cntlm: PID 10568: GSS-API error Inquire credential: Unspecified GSS failure. Minor code may provide more information
    cntlm: PID 10568: GSS-API error Inquire credential: No Kerberos credentials available
    cntlm: PID 10568: No valid credential available
    cntlm: PID 10568: Proxy returning invalid challenge!
    Sending headers (5)...
    Host => destination:443
    Proxy-Connection => keep-alive
    No body.

    * Round 2 C: 4, S: 5 (authok=0, noauth=0) *
    Reading headers (5)...
    HEAD: HTTP/1.1 407 Proxy Authentication Required
    Server => squid/3.2.13
    Mime-Version => 1.0
    Date => Wed, 13 May 2015 12:49:47 GMT
    Content-Type => text/html
    Content-Length => 3206
    X-Squid-Error => ERR_CACHE_ACCESS_DENIED 0
    Proxy-Authenticate => Negotiate
    X-Cache => MISS from proxy server
    Via => 1.1 proxy server (squid/3.2.13)
    Connection => keep-alive
    Sending headers (4)...
    Body included. Length: 3206
    data_send: read 2048 of 2048 / 2048 of 3206 (errno = ok)
    data_send: wrote 2048 of 2048
    data_send: read 1158 of 1158 / 3206 of 3206 (errno = ok)
    data_send: wrote 1158 of 1158
    Body sent.
    PROXY CLOSING CONNECTION
    forward_request: palive=0, authok=0, ntlm=0, closed=0

    Thread finished.
    proxy_thread: request rc = 0xffffffff
    Joining thread 537143352; rc: 0

    After this it repeats the cycle.

    Hope it helps, and thanks.

     
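The debug output above contains the two facts that decide this case: every `Inquire credential` call fails with "No Kerberos credentials available", and cntlm then falls back to offering `Proxy-Authorization: NTLM` to a proxy whose only challenge is `Proxy-Authenticate: Negotiate`. The following script is an added example, not part of cntlm or of any post in this thread; it reads `cntlm -v` output (the sample below is a constructed, shortened copy of the log in the post) and reports those two conditions plus the 407 responses, so a log can be triaged without reading it line by line. The regular expressions assume the line formats visible in the post.

```python
import re

# Constructed sample, shortened from the cntlm -v -f output posted in this thread.
SAMPLE_LOG = """\
cntlm: Forcing GSS auth.
cntlm: GSS-API error Inquire credential: Unspecified GSS failure. Minor code may provide more information
cntlm: GSS-API error Inquire credential: No Kerberos credentials available
cntlm: PID 10568: 127.0.0.1 CONNECT hostname:443
cntlm: PID 10568: No valid credential available
Sending PROXY auth request...
Proxy-Authorization => NTLM
Reading PROXY auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate => Negotiate
cntlm: PID 10568: Proxy returning invalid challenge!
"""

# Line shapes as they appear in the posted log (assumed stable across cntlm versions).
GSS_RE = re.compile(r"GSS-API error (?P<call>[^:]+): (?P<msg>.+)$")
SENT_RE = re.compile(r"^Proxy-Authorization => (?P<scheme>\S+)")
OFFERED_RE = re.compile(r"^Proxy-Authenticate => (?P<scheme>\S+)")
STATUS_RE = re.compile(r"^HEAD: HTTP/1\.\d (?P<code>\d{3})")


def parse_cntlm_log(text):
    """Collect GSS errors, auth schemes sent and offered, and upstream status codes."""
    gss_errors = {}  # GSS call name -> messages in order of first appearance
    sent, offered, statuses = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := GSS_RE.search(line):
            msgs = gss_errors.setdefault(m["call"], [])
            if m["msg"] not in msgs:
                msgs.append(m["msg"])
        elif m := SENT_RE.match(line):
            sent.append(m["scheme"])
        elif m := OFFERED_RE.match(line):
            offered.append(m["scheme"])
        elif m := STATUS_RE.match(line):
            statuses.append(int(m["code"]))
    return {"gss_errors": gss_errors, "sent": sent, "offered": offered, "statuses": statuses}


def diagnose(parsed):
    """Turn the parsed facts into short findings a reader can act on."""
    findings = []
    for call, msgs in parsed["gss_errors"].items():
        if any("No Kerberos credentials available" in m for m in msgs):
            # The GSS library found no ticket in the credential cache cntlm uses.
            findings.append(f"no_credentials:{call}")
    sent, offered = set(parsed["sent"]), set(parsed["offered"])
    if sent and offered and not sent & offered:
        # cntlm fell back to a scheme the proxy never offered, so the 407 loop cannot end.
        findings.append("scheme_mismatch:%s->%s" % (",".join(sorted(sent)), ",".join(sorted(offered))))
    if 407 in parsed["statuses"]:
        findings.append("proxy_407")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_cntlm_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a saved `cntlm -v -f` log by replacing `SAMPLE_LOG` with the file contents; a `no_credentials` finding points at the ticket cache (kinit, KRB5CCNAME), while a `scheme_mismatch` on its own means the ticket was found but the proxy and cntlm disagree on the scheme.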
  • Luca Di Stefano

    Luca Di Stefano - 2015-05-13

    the error is:
    GSS-API error Inquire credential: No Kerberos credentials available

    to acquire the kerberos credentials you need to configure /etc/krb5.conf, then execute:
    kinit username@domain

    before running cntlm, run the following command and check that you have acquired the credentials:
    klist

    then you can run cntlm

     
  • Máté István

    Máté István - 2015-05-19

    Tried to run klist and kinit on Windows with cygwin without success. There are no executables by these names. Found kadm-client in krb5.conf though; I will try that later.

    My main concern is that, up until kerberos, the compiled cntlm.exe could be run on Windows without cygwin installed, as long as the required cygwin dlls were present. If cntlm with kerberos is to be used on Windows, native (downloaded and installed) or cygwin kerberos binaries have to be present. This is the part that I cannot figure out and cannot get to work, on Windows. You also most probably know that Windows file and directory paths are different; /etc/krb5.conf is not a valid path on Windows.

     
  • martin.s

    martin.s - 2015-06-18

    Any news on this issue yet? Is this going into trunk in some time?
    I would appreciate a windows version of it and can also do some testing.

    Regarding klist and kinit: the commands exist on Windows 7 and could maybe help in setting the credential cache, which is obviously the problem in your case.

     
  • martin.s

    martin.s - 2015-06-19

    Try following steps:

    kinit <user>@<domain>

    This should result in: New ticket is stored in cache file <file>.

    To link cntlm to this file, add this environment variable:

    set KRB5CCNAME=<file>

    It's appropriate to use backslashes in Windows.

    Cntlm reports:

    Available cached credential <user>@<domain>
    Using cached credential for GSS auth.

    I'm now stuck on evaluating requests going to the proxy. Getting a 403 for now.

     

    Last edit: martin.s 2015-06-19
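Luca's prerequisites (Auth gss, Username and Domain in the cntlm config, a ticket acquired with kinit) and martin.s's Windows steps (kinit, then KRB5CCNAME pointing at the cache file) together make a short preflight that can be run before starting cntlm. The script below is an added example, not cntlm's own code or anything posted in this thread. It parses a cntlm.ini-style config (the sample is constructed), checks the keys the posts name, and checks that KRB5CCNAME refers to an existing, non-empty file; it also catches the cmd.exe pitfall where `set KRB5CCNAME = file` (with spaces) defines a variable whose name ends in a space. Accepting a `FILE:` prefix on the cache name is an assumption taken from MIT Kerberos conventions, not from the thread.

```python
import os
import tempfile

# Constructed cntlm config fragment with the keys the posts above list for GSS auth.
SAMPLE_CONFIG = """\
# parent proxy and auth settings (constructed sample)
Proxy       proxy.example.lan:3128
Auth        gss
Username    jdoe
Domain      COMPANY.LAN
Listen      5865
"""


def parse_cntlm_config(text):
    """Parse 'Key value' lines of a cntlm.ini; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def config_problems(conf):
    """Return what is missing for 'Auth gss' to have a chance of working."""
    problems = []
    if conf.get("Auth", "").lower() != "gss":
        problems.append("Auth is not gss")
    for key in ("Username", "Domain"):
        if not conf.get(key):
            problems.append(f"{key} is missing")
    return problems


def ticket_cache_problems(env):
    """Check KRB5CCNAME in the given environment mapping, including cmd.exe mistakes."""
    problems = []
    value = env.get("KRB5CCNAME")
    if value is None:
        # 'set KRB5CCNAME = file' in cmd.exe creates a variable named 'KRB5CCNAME ' (trailing space).
        if any(k.strip() == "KRB5CCNAME" for k in env):
            problems.append("KRB5CCNAME has stray whitespace in its name (cmd 'set NAME = value')")
        else:
            problems.append("KRB5CCNAME is not set")
        return problems
    path = value.strip()
    if path.upper().startswith("FILE:"):  # assumption: MIT-style FILE:<path> form
        path = path[5:]
    if not os.path.isfile(path):
        problems.append(f"credential cache file does not exist: {path}")
    elif os.path.getsize(path) == 0:
        problems.append(f"credential cache file is empty: {path}")
    return problems


def preflight(config_text, env):
    """All problems found in config and environment; an empty list means 'try cntlm now'."""
    return config_problems(parse_cntlm_config(config_text)) + ticket_cache_problems(env)


def demo():
    """Run the preflight against the sample config and a constructed stand-in cache file."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"stand-in for a ticket cache (constructed, not a real cache)")
    try:
        return preflight(SAMPLE_CONFIG, {"KRB5CCNAME": "FILE:" + f.name})
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print("sample config + constructed cache:", demo())
    print("real environment:", preflight(SAMPLE_CONFIG, os.environ))
```

A passing preflight only proves the config keys and the cache file are in place; whether the cache holds a valid, unexpired ticket for the right principal is still something klist has to confirm.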
    • RobertB

      RobertB - 2019-03-19

      Also got a 403 (Ubuntu 18.04). It seems to me to be related to the Kerberos token size, since it worked for me with a new test user with a low count of AD group memberships (token size 2320) but did not work for my own account (token size 11500; Base64 accordingly size of 15340).
      The AD supports token sizes up to 64kB.

      Can someone give me a hint where to start further investigation?

       
      • RobertB

        RobertB - 2019-03-22

        The issue with the Kerberos token size seems to be related to the usage of BUFSIZE in "kerberos.c" and "forward.c". BUFSIZE is defined as 4096 in "util.h".

         

        Last edit: RobertB 2019-03-22
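RobertB's numbers line up with a fixed 4096-byte buffer: base64 expands a token to 4·ceil(n/3) characters, so an 11500-byte token becomes 15336 characters (in line with the ~15340 quoted above), while a 2320-byte token becomes 3096 and still leaves room for the header name. The script below is an added example, not code from cntlm; it assumes, as the post suspects, that the whole `Proxy-Authorization: Negotiate <base64>` line plus a NUL terminator must fit in one BUFSIZE-sized char buffer, and computes the largest token that would fit under that assumption. The header prefix and the CRLF accounting are assumptions, not something cntlm's source on this page confirms.

```python
import base64
import math

BUFSIZE = 4096  # value of BUFSIZE in util.h, as reported in the post above
# Assumption: the token travels in this one HTTP header line.
HEADER_PREFIX = "Proxy-Authorization: Negotiate "
CRLF = 2


def base64_length(nbytes):
    """Length of the base64 text (with '=' padding) for nbytes of raw token."""
    return 4 * math.ceil(nbytes / 3)


def header_line_length(token_bytes):
    """Characters in 'Proxy-Authorization: Negotiate <b64>\\r\\n' for a token of that size."""
    return len(HEADER_PREFIX) + base64_length(token_bytes) + CRLF


def fits_in_buffer(token_bytes, bufsize=BUFSIZE):
    """True if the header line plus a NUL terminator fits in a bufsize-char buffer."""
    return header_line_length(token_bytes) + 1 <= bufsize


def max_token_bytes(bufsize=BUFSIZE):
    """Largest raw token whose header line still fits (inverse of fits_in_buffer)."""
    available = bufsize - 1 - len(HEADER_PREFIX) - CRLF
    return (available // 4) * 3  # whole base64 groups of 4 chars carry 3 bytes each


def check_formula(nbytes):
    """Cross-check the arithmetic against the real encoder on a constructed all-zero token."""
    return len(base64.b64encode(bytes(nbytes))) == base64_length(nbytes)


if __name__ == "__main__":
    for size in (2320, 11500):  # the two token sizes reported in the post above
        print(f"token {size:>6} bytes -> base64 {base64_length(size):>6} chars, "
              f"header line {header_line_length(size):>6}, fits: {fits_in_buffer(size)}")
    print("largest token that fits in BUFSIZE", BUFSIZE, "=", max_token_bytes(), "bytes")
```

Under that assumption the cut-off sits at 3045 raw token bytes, which explains why a freshly created user with few group memberships works and a long-standing account does not. A diagnostic like this only confirms the suspicion; the actual fix belongs in cntlm, by sizing the header buffer from the token length instead of a compile-time constant.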
  • Máté István

    Máté István - 2015-06-19

    On the machine running Windows 7 I do have the klist command, but not kinit (for reasons unknown to me). Did you install kerberos?

     
  • martin.s

    martin.s - 2015-06-19

    You're right: it's obviously included in JRE 8 as a command-line tool. The question is whether that tool is suitable.

     
  • Manish

    Manish - 2019-11-22

    https://sourceforge.net/p/cntlm/feature-requests/30/#22d0

    There is no trunk 282? How do I apply the patch on 272?

    patching file debian/control
    patching file auth.h
    patching file configure
    patching file kerberos.h
    patching file auth.c
    patching file Makefile
    patching file main.c
    Hunk #2 succeeded at 886 (offset -1 lines).
    Hunk #3 succeeded at 1180 (offset -3 lines).
    Hunk #4 succeeded at 1274 (offset -3 lines).
    Hunk #5 succeeded at 1327 (offset -3 lines).
    patching file forward.c
    Hunk #3 FAILED at 98.
    Hunk #4 FAILED at 148.
    Hunk #5 FAILED at 233.
    3 out of 5 hunks FAILED -- saving rejects to file forward.c.rej
    patching file doc/cntlm.1
    patching file kerberos.c
    The command '/bin/sh -c patch -p0 -i /201211-cntlm-kerberos-authentication.patch' returned a non-zero code: 1

     

    Last edit: Manish 2019-11-22