Created attachment 744224
yum.conf

Description of problem:
NTLM auth with yum does not work again.

[root@telecon_16 ~]# rpm -q yum
yum-3.4.3-81.fc19.noarch
[root@telecon_16 ~]# rpm -q curl
curl-7.29.0-4.fc19.i686
[root@telecon_16 ~]# yum install mc -v
Not loading "blacklist" plugin, as it is disabled
Loading "langpacks" plugin
Loading "refresh-packagekit" plugin
Not loading "whiteout" plugin, as it is disabled
Adding en_US to language list
Config time: 0.035
Yum version: 3.4.3
rpmdb time: 0.000
Setting up Package Sacks
Error: Cannot retrieve metalink for repository: fedora/19/i386. Please verify its path and try again

The only change in NTLM code was:

commit 9b9a1db530511197d98df076dc97a13252d69711
    Enable GSSNEGOTIATE when curl >= 7.28.0 BZ 892070.
    The underlying curl bug "auth status not being cleared when handles are reset" was fixed in 7.28.0
    https://sourceforge.net/p/curl/bugs/1127/

Since your curl is newer (7.29.0), this is active and may be causing the problem. Could you run e.g. "strace 2>yum.log -f -s 512 -e trace=socket,connect,send,recv yum .." and attach the log?

Created attachment 747058
yum.log

Thanks for the report and for the trace. Curl sends two requests, both without the "Proxy-Authorization: NTLM xxx" header. I've set up a dummy proxy and reproduced the problem with curl 7.24.0 (when gssnegotiate is enabled), but curl 7.29.0 always worked fine. Could you use curl directly, and post the output? Thanks!

$ curl --version
curl 7.29.0 (i686-pc-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.0 zlib/1.2.5 libidn/1.24 libssh2/1.4.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

$ curl -v https://foo.com --proxy http://10.10.9.62:8080 --proxy-user login:pwd --proxy-anyauth
...
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
...
< HTTP/1.1 407 Proxy Authentication Required
...
< Via: 1.1 PROXY-NEW
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Basic realm="proxy-new.afbank.ru"
< Proxy-connection: close
...
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive

$ curl --version
curl 7.29.0 (i686-redhat-linux-gnu) libcurl/7.29.0 NSS/3.14.3.0 zlib/1.2.7 libidn/1.26 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

$ curl -v https://foo.com --proxy http://10.10.9.62:8080 --proxy-user m_gavrilov:p@ss**9 --proxy-anyauth
* About to connect() to proxy 10.10.9.62 port 8080 (#0)
* Trying 10.10.9.62...
* Connected to 10.10.9.62 (10.10.9.62) port 8080 (#0)
* Establish HTTP proxy tunnel to foo.com:443
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
< Via: 1.1 PROXY-NEW
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Basic realm="proxy-new.afbank.ru"
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 737
<
* Ignore 737 bytes of response-body
* Received HTTP code 407 from proxy after CONNECT
* Found bundle for host foo.com: 0x9538b50
* About to connect() to proxy 10.10.9.62 port 8080 (#1)
* Trying 10.10.9.62...
* Connected to 10.10.9.62 (10.10.9.62) port 8080 (#1)
* Establish HTTP proxy tunnel to foo.com:443
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
< Via: 1.1 PROXY-NEW
< Proxy-Authenticate: Negotiate
* gss_init_sec_context() failed: : Cannot determine realm for numeric host address
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Basic realm="proxy-new.afbank.ru"
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 737
<
* Received HTTP code 407 from proxy after CONNECT
* Connection #1 to host 10.10.9.62 left intact
curl: (56) Received HTTP code 407 from proxy after CONNECT

$ curl -v https://foo.com --proxy http://10.10.9.62:8080 --proxy-user m_gavrilov:p@ss**9 --proxy-ntlm
* About to connect() to proxy 10.10.9.62 port 8080 (#0)
* Trying 10.10.9.62...
* Connected to 10.10.9.62 (10.10.9.62) port 8080 (#0)
* Establish HTTP proxy tunnel to foo.com:443
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Proxy auth using NTLM with user 'm_gavrilov'
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
< Via: 1.1 PROXY-NEW
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAGgokCZ6denPMxVAsAAAAAAAAAAIAAgAA+AAAABQLODgAAAA9BRkJBTksCAAwAQQBGAEIAQQBOAEsAAQASAFAAUgBPAFgAWQAtAE4ARQBXAAQAEgBhAGYAYgBhAG4AawAuAHIAdQADACYAcAByAG8AeAB5AC0AbgBlAHcALgBhAGYAYgBhAG4AawAuAHIAdQAFABIAYQBmAGIAYQBuAGsALgByAHUAAAAAAA==
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 0
<
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to foo.com:443
* Proxy auth using NTLM with user 'm_gavrilov'
> CONNECT foo.com:443 HTTP/1.1
> Host: foo.com:443
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACgAKAHAAAAAFAAUAegAAAAAAAAAAAAAABoKJAtegIv0dQ/iHAAAAAAAAAAAAAAAAAAAAALlYjmDRi1QeIgxmCVWhSje3eyw1zA8RO21fZ2F2cmlsb3Z3czE2Ng==
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 502 Proxy Error ( Connection refused )
< Via: 1.1 PROXY-NEW
< Connection: close
< Proxy-Connection: close
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 636
<
* Received HTTP code 502 from proxy after CONNECT
* Connection #0 to host 10.10.9.62 left intact
curl: (56) Received HTTP code 502 from proxy after CONNECT

It seems the "--proxy-anyauth" option does not work properly. :(
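
Added example (not part of the report, and not urlgrabber or curl code): a Python check over a `curl -v` trace that lists the schemes the proxy offered in its 407 replies, what the client actually sent in `Proxy-Authorization`, and flags the case seen with `--proxy-anyauth` above, where the client retries without ever sending credentials. The function names and the shortened sample traces are constructed for illustration.

```python
import base64
import re
import struct

# Constructed samples, shortened from the two `curl -v` runs quoted in this report.
TRACE_ANYAUTH = """\
> CONNECT foo.com:443 HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Basic realm="proxy-new.afbank.ru"
> CONNECT foo.com:443 HTTP/1.1
< HTTP/1.1 407 Proxy Authentication Required
"""
TRACE_NTLM = """\
> CONNECT foo.com:443 HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: NTLM
"""

def ntlm_message_type(token):
    """Return the NTLMSSP message type (1, 2 or 3), or None if the token is not NTLMSSP."""
    try:
        raw = base64.b64decode(token)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field after the signature

def audit_proxy_auth(trace):
    """Compare the schemes a proxy offered in 407 replies with what the client sent."""
    requests, offered, sent = 0, set(), []
    for line in trace.splitlines():
        if line.startswith("> CONNECT "):
            requests += 1
        m = re.match(r"< Proxy-Authenticate:\s*(\S+)", line, re.I)
        if m:
            offered.add(m.group(1).upper())
        m = re.match(r"> Proxy-Authorization:\s*(\S+)\s+(\S+)", line, re.I)
        if m:
            scheme = m.group(1).upper()
            sent.append((scheme, ntlm_message_type(m.group(2)) if scheme == "NTLM" else None))
    # The failure in this report: the client retried after a 407 yet never sent credentials.
    stalled = requests > 1 and bool(offered) and not sent
    return {"requests": requests, "offered": offered, "sent": sent, "stalled": stalled}

if __name__ == "__main__":
    for name, trace in (("--proxy-anyauth", TRACE_ANYAUTH), ("--proxy-ntlm", TRACE_NTLM)):
        print(name, audit_proxy_auth(trace))
```
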
Yes, the curl bug #1127 is still there. I'll disable GSSNEGOTIATE in python-urlgrabber until this gets fixed.
python-urlgrabber-3.9.1-27.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/python-urlgrabber-3.9.1-27.fc19
Package python-urlgrabber-3.9.1-27.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-urlgrabber-3.9.1-27.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8469/python-urlgrabber-3.9.1-27.fc19
then log in and leave karma (feedback).

python-urlgrabber-3.9.1-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.