Bug 25050 - cntlm daemon can not start correctly
Summary: cntlm daemon can not start correctly
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
Whiteboard: MGA7-32-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-07-05 10:17 CEST by Stefano Prina
Modified: 2019-08-31 15:23 CEST (History)
5 users (show)

See Also:
Source RPM: cntlm.x86_64
Status comment:

proposed cntlm.service (385 bytes, text/plain)
2019-07-05 11:17 CEST, Stefano Prina

Description Stefano Prina 2019-07-05 10:17:08 CEST
Description of problem:

the cntlm daemon can not start correctly, it seems that the process can not create the pid file as specified inside the systemd unit.

the systemd unit contain :
ExecStart=/usr/sbin/cntlm -a ntlm -U cntlm -P /run/cntlm.pid -c /etc/cntlm.conf 

starting the process drop root's privileges becoming the user cntlm ( as specified by -U cntlm ) that can not have permissions to create the file /run/cntlm.pid.

this cause the failed state

Version-Release number of selected component (if applicable):

cntlm.x86_64                                      0.92.3-2.mga7                   @System 

How reproducible:

Steps to Reproduce:
1. sudo dnf install cntlm
2. edit the conf file, adding username, domain, password and setting the custom proxy
3. sudo systemctl restart cntlm

My fix proposed fix :

1 . remove the option -U, but is not secure

2 . create the folder and change its ownership before the units start

I modified the unit file 
[f59073c@odin ~]$ more /usr/lib/systemd/system/cntlm.service
Description=CNTLM Authentication Proxy
After=syslog.target network.target

ExecStartPre=/usr/bin/mkdir /run/cntlm/ 
ExecStartPre=/usr/bin/chown cntlm. /run/cntlm/
ExecStart=/usr/sbin/cntlm -a ntlm -U cntlm -P /run/cntlm/cntlm.pid -c /etc/cntlm.conf
ExecReload=/usr/bin/kill -HUP $MAINPID


Comment 1 Stefano Prina 2019-07-05 11:17:58 CEST
Created attachment 11151 [details]
proposed cntlm.service
Comment 2 Jani Välimaa 2019-07-05 16:44:10 CEST
Updated cntlm-0.92.3-2.1.mga7 should be available on mirrors soonish in core/udpates_testing. Please test.

Instead of creating dir with .service file I modified tmpfiles.conf to create /run/cntlm and modified only PID-file location in .service file.

CC: (none) => jani.valimaa
Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2019-07-22 12:23:47 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Googled and found https://vijiboy.wordpress.com/2018/03/14/configure-cntlm-to-generate-hash-for-your-password-h-and-verify-m/
to get some tests
Changed the /etc/cntlm file to point to my own laptop and at CLI:
# cntlm -h
CNTLM - Accelerating NTLM Authentication Proxy version 0.92.3
Copyright (c) 2oo7-2o1o David Kubicek

This program comes with NO WARRANTY, to the extent permitted by law. You
may redistribute copies of it under the terms of the GNU GPL Version 2 or
newer. For more information about these matters, see the file LICENSE.
For copyright holders of included encryption routines see headers.

Usage: cntlm [-AaBcDdFfgHhILlMPpSsTUuvw] <proxy_host>[:]<proxy_port> ...
        -A  <address>[/<net>]
            ACL allow rule. IP or hostname, net must be a number (CIDR notation)
        -a  ntlm | nt | lm
and a lot more
# cntlm -H
PassLM          142DDC49E073DA63552C4BCA4AEBFB11
PassNT          6744CA8C8FEC5500FCE7E2F016025F61
PassNTLMv2      E7502E111FBE7435B735B9B8D338A3C1    # Only for user 'testuser', domain 'corp-uk'
and followed the steps to  include this infi in the conf file
# cntlm -v -f -M http://google.com
section: global, Username = 'testuser'
section: global, Domain = 'corp-uk'
section: global, Password = 'password'
section: global, Username = 'testuser'
section: global, Domain = 'hviaene.thuis'
section: global, Proxy = 'localhost:8080'
section: global, Listen = ''
section: global, Password = ':'
section: global, PassLM = '142DDC49E073DA63552C4BCA4AEBFB11'
section: global, PassNT = '6744CA8C8FEC5500FCE7E2F016025F61'
section: global, PassNTLMv2 = 'E7502E111FBE7435B735B9B8D338A3C1'
Default config file opened successfully
cntlm: Proxy listening on
cntlm: Ignoring config file option: Username
cntlm: Ignoring config file option: Domain
cntlm: Ignoring config file option: Password
cntlm: Workstation name used: mach5.hviaene.thuis
cntlm: Using proxy localhost:8080
cntlm: Resolving proxy localhost...
Config profile  1/4... Resolve localhost:
so_connect: Connection refused
cntlm: Proxy connect failed, will try localhost:8080
cntlm: No proxy on the list works. You lose.

Connection to proxy failed, bailing out
cntlm: Terminating with 0 active threads

Whatever I tried, switching off firewall, no go.
But the problem is apparantly not cntlm because

telnet: connect to address ::1: Connection refused
telnet: connect to address Connection refused
telnet: Unable to connect to remote host: Connection refused
And I cann't get ly head around it.

CC: (none) => herman.viaene

Comment 4 José Jorge 2019-08-20 08:34:57 CEST
Tested with a production server migrated from MGA6 to MGA7. Without this update, cntlm failed to start. So this update fixes the bug, please push.

Whiteboard: (none) => MGA7-32-OK MGA7-64-OK
CC: (none) => lists.jjorge

Thomas Backlund 2019-08-31 12:20:16 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2019-08-31 15:23:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.