Bug 25050 - cntlm daemon can not start correctly
Summary: cntlm daemon can not start correctly
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-05 10:17 CEST by Stefano Prina
Modified: 2019-07-22 12:23 CEST (History)
2 users (show)

See Also:
Source RPM: cntlm.x86_64
CVE:
Status comment:


Attachments
proposed cntlm.service (385 bytes, text/plain)
2019-07-05 11:17 CEST, Stefano Prina
Details

Description Stefano Prina 2019-07-05 10:17:08 CEST
Description of problem:

the cntlm daemon can not start correctly, it seems that the process can not create the pid file as specified inside the systemd unit.

the systemd unit contain :
ExecStart=/usr/sbin/cntlm -a ntlm -U cntlm -P /run/cntlm.pid -c /etc/cntlm.conf 

starting the process drop root's privileges becoming the user cntlm ( as specified by -U cntlm ) that can not have permissions to create the file /run/cntlm.pid.

this cause the failed state


Version-Release number of selected component (if applicable):

cntlm.x86_64                                      0.92.3-2.mga7                   @System 

How reproducible:


Steps to Reproduce:
1. sudo dnf install cntlm
2. edit the conf file, adding username, domain, password and setting the custom proxy
3. sudo systemctl restart cntlm

My fix proposed fix :

1 . remove the option -U, but is not secure

2 . create the folder and change its ownership before the units start


I modified the unit file 
================================================================
[f59073c@odin ~]$ more /usr/lib/systemd/system/cntlm.service
[Unit]
Description=CNTLM Authentication Proxy
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/run/cntlm/cntlm.pid
ExecStartPre=/usr/bin/mkdir /run/cntlm/ 
ExecStartPre=/usr/bin/chown cntlm. /run/cntlm/
ExecStart=/usr/sbin/cntlm -a ntlm -U cntlm -P /run/cntlm/cntlm.pid -c /etc/cntlm.conf
ExecReload=/usr/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

====================================================================
Comment 1 Stefano Prina 2019-07-05 11:17:58 CEST
Created attachment 11151 [details]
proposed cntlm.service
Comment 2 Jani Välimaa 2019-07-05 16:44:10 CEST
Updated cntlm-0.92.3-2.1.mga7 should be available on mirrors soonish in core/udpates_testing. Please test.

Instead of creating dir with .service file I modified tmpfiles.conf to create /run/cntlm and modified only PID-file location in .service file.

Assignee: bugsquad => qa-bugs
CC: (none) => jani.valimaa

Comment 3 Herman Viaene 2019-07-22 12:23:47 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Googled and found https://vijiboy.wordpress.com/2018/03/14/configure-cntlm-to-generate-hash-for-your-password-h-and-verify-m/
to get some tests
Changed the /etc/cntlm file to point to my own laptop and at CLI:
# cntlm -h
CNTLM - Accelerating NTLM Authentication Proxy version 0.92.3
Copyright (c) 2oo7-2o1o David Kubicek

This program comes with NO WARRANTY, to the extent permitted by law. You
may redistribute copies of it under the terms of the GNU GPL Version 2 or
newer. For more information about these matters, see the file LICENSE.
For copyright holders of included encryption routines see headers.

Usage: cntlm [-AaBcDdFfgHhILlMPpSsTUuvw] <proxy_host>[:]<proxy_port> ...
        -A  <address>[/<net>]
            ACL allow rule. IP or hostname, net must be a number (CIDR notation)
        -a  ntlm | nt | lm
and a lot more
further
# cntlm -H
Password: 
PassLM          142DDC49E073DA63552C4BCA4AEBFB11
PassNT          6744CA8C8FEC5500FCE7E2F016025F61
PassNTLMv2      E7502E111FBE7435B735B9B8D338A3C1    # Only for user 'testuser', domain 'corp-uk'
and followed the steps to  include this infi in the conf file
but
# cntlm -v -f -M http://google.com
section: global, Username = 'testuser'
section: global, Domain = 'corp-uk'
section: global, Password = 'password'
section: global, Username = 'testuser'
section: global, Domain = 'hviaene.thuis'
section: global, Proxy = 'localhost:8080'
section: global, Listen = '127.0.0.1:3128'
section: global, Password = ':'
section: global, PassLM = '142DDC49E073DA63552C4BCA4AEBFB11'
section: global, PassNT = '6744CA8C8FEC5500FCE7E2F016025F61'
section: global, PassNTLMv2 = 'E7502E111FBE7435B735B9B8D338A3C1'
Default config file opened successfully
Resolve 127.0.0.1:
  -> 127.0.0.1
cntlm: Proxy listening on 127.0.0.1:3128
cntlm: Ignoring config file option: Username
cntlm: Ignoring config file option: Domain
cntlm: Ignoring config file option: Password
cntlm: Workstation name used: mach5.hviaene.thuis
Password: 
cntlm: Using proxy localhost:8080
cntlm: Resolving proxy localhost...
Config profile  1/4... Resolve localhost:
  -> 127.0.0.1
     127.0.0.1
so_connect: Connection refused
cntlm: Proxy connect failed, will try localhost:8080
cntlm: No proxy on the list works. You lose.

Connection to proxy failed, bailing out
cntlm: Terminating with 0 active threads

Whatever I tried, switching off firewall, no go.
But the problem is apparantly not cntlm because

telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
And I cann't get ly head around it.

CC: (none) => herman.viaene


Note You need to log in before you can comment on or make changes to this bug.