[squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

Alex Rousskov rousskov at measurement-factory.com
Thu Jul 13 15:02:17 UTC 2023 

On 7/13/23 10:29, Francesco Chemolli wrote:
> Hi Rafael,
>    that code was moved to a RegisteredRunner in commit 
> 09490bb867d0b3f00a29911a65c715108e95b782 .
> I'm not sure why it is not working for you

That commit broke NTLM support in some environments because the linker 
in those environments does not add src/auth/ntlm/Scheme.cc code to squid 
executable. Linkers are allowed to drop modules that they think are 
unused. We will need to find a solution to that problem.

Alex.


> On Thu, Jul 13, 2023 at 1:38 PM Rafael Akchurin 
> <rafael.akchurin at diladele.com <mailto:rafael.akchurin at diladele.com>> wrote:
> 
>     Good day everyone,
> 
>     We are now trying to move the configuration with was valid and
>     working in Squid 5.7 to Squid 6.1 and hitting the following error:
>     Unknown authentication scheme 'ntlm'
> 
>     The problem seem to be with the following configuration we use
>     (output from squid -k parse).
> 
>     023/07/13 13:34:04| Processing: auth_param ntlm program
>     /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
>     2023/07/13 13:34:04| ERROR: Failure while parsing Config File:
>     Unknown authentication scheme 'ntlm'.
>     2023/07/13 13:34:04| FATAL: Bungled
>     /opt/websafety/etc/squid/authentication.conf line 231: auth_param
>     ntlm program /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan
>     --dc1port=389
>     2023/07/13 13:34:04| Squid Cache (Version 6.1): Terminated abnormally.
> 
>     Comparing the contents of squid-5.9/src/AuthReg.cc and
>     squid-6.1/src/AuthReg.cc it seems the support for NTLM
>     authentication was indeed removed from the codebase (see below).
> 
>     May I ask if the NTLM scheme is not needed at all now and we should
>     continue using only Negotiate scheme (letting it handle the NTLM as
>     usual)?
> 
>     Best regards,
>     Rafael Akchurin
>     Diladele B.V.
> 
> 
>     In 5.0 the AuthReg.cc was
> 
>     /**
>     * Initialize the authentication modules (if any)
>     * This is required once, before any configuration actions are taken.
>     */
>     void
>     Auth::Init()
>     {
>          debugs(29,DBG_IMPORTANT,"Startup: Initializing Authentication
>     Schemes ...");
>     #if HAVE_AUTH_MODULE_BASIC
>          static const char *basic_type =
>     Auth::Basic::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << basic_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_DIGEST
>          static const char *digest_type =
>     Auth::Digest::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << digest_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NEGOTIATE
>          static const char *negotiate_type =
>     Auth::Negotiate::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << negotiate_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NTLM
>          static const char *ntlm_type =
>     Auth::Ntlm::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << ntlm_type << "'");
>     #endif
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication.");
>     }
> 
> 
>     In 6.1 it is now
> 
> 
> 
>     /**
>     * Initialize the authentication modules (if any)
>     * This is required once, before any configuration actions are taken.
>     */
>     void
>     Auth::Init()
>     {
>          debugs(29, 2, "Initializing Authentication Schemes ...");
>     #if HAVE_AUTH_MODULE_BASIC
>          static const char *basic_type =
>     Auth::Basic::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     basic_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_DIGEST
>          static const char *digest_type =
>     Auth::Digest::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     digest_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NEGOTIATE
>          static const char *negotiate_type =
>     Auth::Negotiate::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     negotiate_type << "'");
>     #endif
>     }
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     http://lists.squid-cache.org/listinfo/squid-users
>     <http://lists.squid-cache.org/listinfo/squid-users>
> 
> 
> 
> -- 
>      Francesco
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list