Description of problem: YUM does not support proxies with NTLM. My Fedora 16 Workstation is joined to a Windows domain. I can't install/update any package because yum doesn't support NTLM and can't work via the ISA proxy.
Created attachment 549002 [details] authconfig-gtk
I have the same problem. I had a Fedora 16 at work which was configured to use my employer's http proxy (a squid one) to access internet, that was fine and I could install packages.. until the company decided to enforce authentication (NTLM) on the proxy, now I can't use yum to install or update software. Yum uses curl to download packages, and I can use curl to go through proxy with these flags:
    curl --proxy-ntlm --proxy-user user:pass www.somedomain.org/somefile
So it's only a matter of Yum being able to pass those flags to curl, what about a new yum.conf 'auth_type' option that will pass --proxy-ntlm if set to 'ntlm'? Also you can use --proxy-anyauth like:
    curl --proxy-anyauth --proxy-user user:pass www.somedomain.org/somefile
and so don't need the yum.conf option I mentioned before. Hope you can fix this bug as it is blocking people using Fedora from corporate networks.
Hi Nelson, thanks for the report. Nice to hear that curl in F16 actually works over NTLM proxies, because docs at http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTHTTPAUTH state that it works only with OpenSSL, but Fedora ships NSS instead. I don't have access to any NTLM proxy. Could you add this line to /usr/lib/python2.7/site-packages/urlgrabber/grabber.py and report if it works? Thanks! --- a/urlgrabber/grabber.py +++ b/urlgrabber/grabber.py @@ -1289,6 +1289,7 @@ class PyCurlFileObject(object): else: if proxy == '_none_': proxy = "" self.curl_obj.setopt(pycurl.PROXY, proxy) + self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY) if opts.username and opts.password: if self.scheme in ('http', 'https'):
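Review bot: the added setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY) directly after setopt(pycurl.PROXY, proxy) is unconditional and cannot be overridden, so every proxied request will accept whichever scheme the proxy's 407 advertises, Basic included, and a site that wants to allow only NTLM has no way to say so. Suggest reading the allowed mask from an option in opts (defaulting to the current behaviour) rather than hard-coding it, and adding a comment on the new line saying that with ANY curl sends no Proxy-Authorization header until it has seen the proxy's challenge.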
Created attachment 562486 [details] Use ANYAUTH curl option for proxy authentication
Hi Zdenek, I already did a patch that is working fine for me, I was about to post it here just when you submitted your comment.. so I'm attaching it here, the patch is the same as yours but only adds the ANYAUTH option when the proxy var contains '@' which means it has user:pass data. Use whichever approach you like. I couldn't use git to make the patch because git has the same NTLM problem.. but the patch is from current master downloaded from gitweb. Thanks! PS: Btw, yay! for script languages like python that let me fix this without having to recompile/repackage..
Btw the page you linked stated it supported NSS: "You need to build libcurl with either OpenSSL or NSS support for this option to work, or build libcurl on Windows."
Yep, I told Kamil Dudka and he fixed it 30 minutes ago :) I've proposed this upstream fix: http://lists.baseurl.org/pipermail/yum-devel/2012-February/009089.html I don't think PROXYAUTH=HTTP_ANY must be conditional. curl parses the proxy string, and if there's no user/pass, I'm quite sure it will ignore PROXYAUTH anyway.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Zdenek, I've tested Fedora 17 at work with an NTLM proxy and your patch is not working..
Yep, checked python-urlgrabber-3.9.1-11.fc17, and the patch was not there. Could you try latest rawhide build? (python-urlgrabber-3.9.1-14.fc18 atm) It should work in f17, too.
I've just tested python-urlgrabber-3.9.1-14.fc18 and it is working fine.. but it's a pity it didn't get into Fedora 17.
python-urlgrabber-3.9.1-12.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/python-urlgrabber-3.9.1-12.fc17
python-urlgrabber-3.9.1-13.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/python-urlgrabber-3.9.1-13.fc17
Still doesn't work for me:
    http://dl.google.com/linux/chrome/rpm/stable/i386/repodata/repomd.xml: [Errno 14] curl#7 - "Couldn't connect"
    Trying other mirror.
    http://nodejs.tchol.org/stable/f17/i386/repodata/repomd.xml: [Errno 14] curl#7 - "Couldn't connect"
    Trying other mirror.
    http://fedora-mirror02.rbc.ru/pub/rpmfusion/free/fedora/updates/17/i386/repodata/repomd.xml: [Errno 12] Timeout on http://fedora-mirror02.rbc.ru/pub/rpmfusion/free/fedora/updates/17/i386/repodata/repomd.xml: (28, '')
    Trying other mirror.
    http://mirror.yandex.ru/fedora/rpmfusion/free/fedora/updates/17/i386/repodata/repomd.xml: [Errno 14] curl#7 - "Couldn't connect"
    Trying other mirror.
    http://fedora-mirror01.rbc.ru/pub/rpmfusion/free/fedora/updates/17/i386/repodata/repomd.xml: [Errno 12] Timeout on http://fedora-mirror01.rbc.ru/pub/rpmfusion/free/fedora/updates/17/i386/repodata/repomd.xml: (28, '')
    Trying other mirror.
Fedora 17
    $ rpm -q python-urlgrabber
    python-urlgrabber-3.9.1-13.fc17.noarch
python-urlgrabber-3.9.1-13.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
I've got a similar problem and the recent update of python-urlgrabber to version 13 in Fedora 17 has broken my yum update. I have it in a VirtualBox behind a corporate proxy. Basically I get
    Error: Cannot retrieve metalink for repository: fedora. Please verify its path and try again
I've then downgraded python-urlgrabber to version 11 and it works again. Just to be clear, with version 11 I had NO problems, ver 13 caused my issue. With a similar setup wget works and reaches behind the firewall. Trying to look at the network traffic, it seems that yum sends the first request without including the authentication token. While wget sends something. I will add the log tomorrow. In yum.conf I have
    proxy=http://xxx.xxx.xxx:0000
    proxy_username=xxxxxx
    proxy_password=xxxxxx
I've tried with 2 Windows accounts, one with domain FM\xxxxxx and one without xxxxxx which both used to work.
> yum sends the first request without including the authentication token.
Yes, that's expected. When PROXYAUTH=BASIC (default in r11), curl sends "Proxy-Authorization: Basic dXNlcjpwd2Q=". With PROXYAUTH=NTLM, curl sends "Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=" instead. In r13 we set PROXYAUTH=ANY (to enable both basic and ntlm), and curl sends no such headers. The proxy should return 407 Proxy Authentication Required, and set the Proxy-Authenticate header. Curl then retries the request with correct Proxy-Authorization header. It would be great if you could check the proxy's response. Maybe the proxy is broken, or there's a bug in curl. If necessary, I'd add proxy_auth=basic/ntlm/any option to yum.conf to work this around.
yum request sent in version 11
    CONNECT mirrors.fedoraproject.org:443 HTTP/1.1
    Host: mirrors.fedoraproject.org:443
    Proxy-Authorization: Basic xnxmnbzxvmbxcvmbxcmbvxmcbvxmcbvxmcvn
    User-Agent: urlgrabber/3.9.1 yum/3.4.3
    Proxy-Connection: Keep-Alive
in version 13
    CONNECT mirrors.fedoraproject.org:443 HTTP/1.1
    Host: mirrors.fedoraproject.org:443
    User-Agent: urlgrabber/3.9.1 yum/3.4.3
    Proxy-Connection: Keep-Alive
and proxy answers
    HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
    Via: 1.1 GBAS-00328
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM
    Proxy-Authenticate: Basic realm="gbas-00328.EMEA.ABNAMRO-NET.COM"
    Connection: close
    Proxy-Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 724
then yum sends again the same thing and the proxy answers the same.
curl works for both --proxy-basic and --proxy-ntlm (I've checked, the traffic is different, ntlm is a 2 way conversation). and for --proxy-basic is as expected. but --proxy-any does not. Again it sends twice the same header like above. I guess the option proxy_auth in yum.conf would be greatly appreciated.
Created attachment 594731 [details] Log of curl failing to use --proxy-basic
This is the output of
    curl -v -o index.html --proxy-any www.bbc.co.uk 2> /tmp/curl.txt
with the variable http_proxy set properly. It seems that curl tries something with kerberos
    * gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1000' not found
Still it would be good to be able to overwrite curl's proxy decision.
Ok, confirmed this is a bug in curl, incorrectly handling kerberos failures. You can probably work this around in 3 ways: a) initialize your Kerberos account locally (obtain and cache Kerberos tickets) b) patch urlgrabber.py - self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY) + self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE) This disables Kerberos, but NTLM and Basic should still be used, if necessary. c) remove that line completely (revert to urlgrabber r11 behavior), so only the (default) Basic auth is used.
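Review bot: in the replacement line for option b), pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE clears the flag by arithmetic subtraction, which yields the intended mask only because that bit is already set in HTTPAUTH_ANY. Write it as pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_GSSNEGOTIATE so the bit-clear is explicit, and add a comment saying the exclusion works around curl's handling of Kerberos failures so it can be dropped once curl is fixed.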
Thanks. I'd rather not initialise kerberos, all other applications (wget, firefox, ubuntu) are happy with the basic proxy. Just to understand, are you or anybody else:
1) going to report / fix curl?
2) Releasing a new patched python-urlgrabber?
3) Adding the flag you mentioned to yum?
Regards
1) Yes, filed Bug 835869.
2) I'm going to disable GSSNEGOTIATE in next release (solution b).
3) Not sure. Don't think it's necessary ATM.
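As an added illustration (not code from urlgrabber, curl or any participant in this report), this Python sketch models the scheme choice discussed above: which method a client settles on for the captured 407 under the PROXYAUTH masks mentioned in the thread. The bit values are libcurl's CURLAUTH_* constants; the preference order, the helper names and the sample response (constructed after the capture, with placeholder host names) are assumptions of the sketch.

```python
# Added illustration: models how a client picks a proxy auth scheme from a 407.
# Bit values match libcurl's CURLAUTH_* constants; the preference order
# (Negotiate > Digest > NTLM > Basic) is an assumption modelled on libcurl.
BASIC, DIGEST, GSSNEGOTIATE, NTLM, DIGEST_IE = 1, 2, 4, 8, 16
ANY = ~DIGEST_IE                      # every scheme except Digest-IE
SCHEME_BITS = {"basic": BASIC, "digest": DIGEST,
               "negotiate": GSSNEGOTIATE, "ntlm": NTLM}
PREFERENCE = [("Negotiate", GSSNEGOTIATE), ("Digest", DIGEST),
              ("NTLM", NTLM), ("Basic", BASIC)]

# Constructed sample: same Proxy-Authenticate set as the capture, placeholder names.
SAMPLE_407 = """HTTP/1.1 407 Proxy Authentication Required
Via: 1.1 PROXY
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy.example.invalid"
Connection: close
"""

def offered_schemes(response_head):
    """Bitmask of schemes the proxy advertises; unknown names (Kerberos) are ignored."""
    mask = 0
    for line in response_head.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            mask |= SCHEME_BITS.get(value.split()[0].lower(), 0)
    return mask

def pick_scheme(allowed, response_head):
    """Most preferred scheme that is both allowed by the client and offered, else None."""
    usable = allowed & offered_schemes(response_head)
    for label, bit in PREFERENCE:
        if usable & bit:
            return label
    return None

def summarize(response_head=SAMPLE_407):
    """Outcome for the r13 mask, the option b) mask, and the r11 Basic-only mask."""
    return {
        "ANY": pick_scheme(ANY, response_head),
        "ANY & ~GSSNEGOTIATE": pick_scheme(ANY & ~GSSNEGOTIATE, response_head),
        "BASIC": pick_scheme(BASIC, response_head),
    }

if __name__ == "__main__":
    for mask, scheme in summarize().items():
        print(f"{mask:22} -> {scheme}")
```

With ANY the model lands on Negotiate, the path that fails without a Kerberos credentials cache; clearing that bit moves the choice to NTLM.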
Solution 2) is good enough for me. Tried and it works.
python-urlgrabber-3.9.1-14.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/python-urlgrabber-3.9.1-14.fc17
Package python-urlgrabber-3.9.1-14.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing python-urlgrabber-3.9.1-14.fc17'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10943/python-urlgrabber-3.9.1-14.fc17 then log in and leave karma (feedback).
Good, works for me. Thanks
Now it also works for me, but I prefer to configure the proxy in one place via "System Settings/Network/Network proxy", please see the attached screenshot. Of course, if the password is not set, prompt for the password in the yum console.
Created attachment 599714 [details] proxy config automatic
Created attachment 599716 [details] proxy config manual
python-urlgrabber-3.9.1-14.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.