MacOS – launchctl doesn’t start cntlm daemon

homebrew launchd macos plist services

I've installed cntlm on osx using the homebrew formula.

Then I've copied the .plist file and started the daemon:

sudo cp -fv /usr/local/opt/cntlm/*.plist /Library/LaunchDaemons
sudo chown root /Library/LaunchDaemons/homebrew.mxcl.cntlm.plist

But after the reboot the daemon isn't running. I've tried to run it manually with

sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.cntlm.plist

but its output is

/Library/LaunchDaemons/homebrew.mxcl.cntlm.plist: Operation already in progress

I've also checked the plist file with plutil -lint and it is ok.

This is the source of /Library/LaunchDaemons/homebrew.mxcl.cntlm.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>homebrew.mxcl.cntlm</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/opt/cntlm/bin/cntlm</string>
    </array>
    <key>KeepAlive</key>
    <false/>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardOutPath</key>
    <string>/var/null</string>
    <key>StandardErrorPath</key>
    <string>/var/null</string>
  </dict>
</plist>

Do you know why this happens and how to run it correctly as a daemon?

Best Answer

I'm posting this as a separate answer since I did not have to fiddle with any plist files to make this work. Here's how I installed and started CNTLM today:

Install CNTLM with Homebrew

brew install cntlm

Edit CNTLM configuration

Edit the /usr/local/etc/cntlm.conf file, update the following items:

  • Username: The user name for authenticating with your NTLM proxy
  • Domain: Set the domain (if required)
  • Password: Your password in plain text - only required for testing, remove this later...
  • Proxy: Your proxy host name/IP and port (can use multiple lines)
  • NoProxy: Add any hosts that don't need to be proxied

Update Authentication

Run the following to let CNTLM figure out which authentication means work with your proxy:

cntlm -M https://www.google.com

This will spit out info like this, copy this into your cntlm.conf file:

Auth            NTLM
PassNT          ...
PassLM          ...

Next, have your password encrypted:

cntlm -H

Enter your account password when asked. This command will then print something like the following (some lines are the same as from the above command) - copy this into your cntlm.conf file:

PassLM          ...
PassNT          ...
PassNTLMv2      ...    # Only for user 'xxx', domain 'yyy'

Remove your plain text password from the file now and comment out the Password line.

You will need to run cntlm -H again if you change your password.

Run CNTLM as a macOS Service

Multiple options exist for this, pick the one you like best:

# Start CNTLM at boot time - requires `sudo`
sudo brew services start cntlm

# Start CNTLM at login time
brew services start cntlm

# Run CNTLM on demand, don't start at boot or login
brew services run cntlm

# Stop CNTLM (prefix with `sudo` if you started it with `sudo`)
brew services stop cntlm

# List all services managed by Homebrew
brew services list

More info on brew services can be found in the official documentation.
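
An added example, not part of the answer above or of cntlm or Homebrew: a small shell check that cntlm.conf no longer carries an active plaintext Password line once the hashes from cntlm -H are in place. The function name, the case-insensitive keyword match and the file-mode check are assumptions of this example (the stored hashes are still credentials for the proxy account, so the file is treated as private), and the sample config is constructed.

```sh
#!/bin/sh
# Added example: audit a cntlm.conf after switching from Password to hashes.
# Returns 0 = clean, 1 = findings, 2 = file unreadable.
audit_cntlm_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }
    rc=0

    # A non-comment line whose first field is Password and that carries a
    # value means the plaintext password is still on disk. Keyword matching
    # is case-insensitive here as a conservative assumption.
    if awk 'tolower($1) == "password" && NF >= 2 { hit = 1 }
            END { exit !hit }' "$conf"; then
        echo "FAIL: active plaintext Password line"
        rc=1
    fi

    # Once Password is removed, the hash lines are the only stored
    # credential; warn if none is present.
    if ! awk '$1 ~ /^Pass(NTLMv2|NT|LM)$/ && NF >= 2 { hit = 1 }
              END { exit !hit }' "$conf"; then
        echo "WARN: no PassNTLMv2/PassNT/PassLM line; run cntlm -H"
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: group/other can access the file ($perms); chmod 600"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (not a real config): Password left active.
sample=$(mktemp /tmp/cntlm-audit.XXXXXX)
cat > "$sample" <<'EOF'
Username    testuser
Domain      corp
Password    example-plaintext
Proxy       proxy.example.internal:8080
# PassNTLMv2  <hash from cntlm -H>
EOF
chmod 644 "$sample"
audit_cntlm_conf "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

To check the file edited in the answer, call `audit_cntlm_conf /usr/local/etc/cntlm.conf`.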