Re: problem using NTLM authentication with default OS credentials

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Fri, 11 Jul 2014 11:44:49 +0100

On Fri, 2014-05-30 at 01:13 -0700, jasper_ro_at_yahoo.com wrote:
> curl_easy_setopt(curl_handle, CURLOPT_PROXYAUTH, CURLAUTH_NTLM | CURLAUTH_NTLM_WB | CURLAUTH_GSSNEGOTIATE);
> curl_easy_setopt(curl_handle, CURLOPT_PROXYUSERPWD, ":");
> curl_easy_perform(curl_handle);
 ...
> Is there a known problem in curl for running this way in Linux?

I've just sent patches which fix two problems that were preventing this
from working for you.

As Michael correctly pointed out, you *did* need to supply a username,
since the ntlm_auth helper tool doesn't infer it automatically. That's
because the ntlm_auth helper was really designed for *server*
authentication, and client support was added as an afterthought. So it
expects to be *told* the username.

And modern NTLM responses will also be too large for the buffer that
curl was using to receive them; I've fixed that too.

However, there's a third problem — you need to drop CURLAUTH_NTLM from
your auth options. Otherwise it'll try 'native' NTLM using that empty
username and password (doh!) before trying the automatic NTLM
authentication via winbind.

Which is a bit stupid, admittedly, but I'm not quite sure what the best
fix is. Should we patch http.c to always try ntlm_wb *before* ntlm auth?
Or patch the native NTLM auth method to bail out if the username and
password are empty? Or both?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse_at_intel.com                              Intel Corporation

Received on 2014-07-11
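
An added example, not part of the original mail or of curl's source: an application-side guard for the third problem described above, which removes CURLAUTH_NTLM from the mask when both username and password are empty so that winbind is the NTLM method tried, and flags a missing username for ntlm_auth. The helper names are hypothetical, the CURLAUTH_* bit values are repeated from curl/curl.h only so the block builds without libcurl, and "alice" in the test is a constructed username.

```c
#include <string.h>

/* Bit values as defined in curl/curl.h, repeated so this block builds
   without libcurl; skipped when the real header is already included. */
#ifndef CURLAUTH_NTLM
#define CURLAUTH_GSSNEGOTIATE (1UL << 2)
#define CURLAUTH_NTLM         (1UL << 3)
#define CURLAUTH_NTLM_WB      (1UL << 5)
#endif

/* Hypothetical helper: inspect a "user:password" string as given to
   CURLOPT_PROXYUSERPWD and report which halves are non-empty. */
static void cred_parts(const char *userpwd, int *has_user, int *has_pass)
{
    const char *colon = userpwd ? strchr(userpwd, ':') : NULL;
    size_t ulen = 0;

    if (userpwd)
        ulen = colon ? (size_t)(colon - userpwd) : strlen(userpwd);
    *has_user = ulen > 0;
    *has_pass = colon != NULL && colon[1] != '\0';
}

/* Hypothetical helper: the mask to hand to CURLOPT_PROXYAUTH. Native NTLM
   is dropped when username and password are both empty, because it would
   otherwise be attempted with those empty credentials before ntlm_wb. */
unsigned long proxy_auth_mask(unsigned long requested, const char *userpwd)
{
    int has_user, has_pass;

    cred_parts(userpwd, &has_user, &has_pass);
    if (!has_user && !has_pass)
        requested &= ~CURLAUTH_NTLM;
    return requested;
}

/* Hypothetical helper: returns 1 when ntlm_wb is requested without a
   username, the case in which the ntlm_auth helper has nothing to use. */
int winbind_username_missing(unsigned long mask, const char *userpwd)
{
    int has_user, has_pass;

    cred_parts(userpwd, &has_user, &has_pass);
    return (mask & CURLAUTH_NTLM_WB) != 0 && !has_user;
}
```

Pass the result of `proxy_auth_mask()` to `CURLOPT_PROXYAUTH` as a `long`, and treat a non-zero `winbind_username_missing()` as a configuration error to surface before `curl_easy_perform()`.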