[squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

Rafael Akchurin rafael.akchurin at diladele.com
Thu Jul 13 16:53:54 UTC 2023 

And the configure options are just those from Debian Unstable (I just added the --disable-optimizations to be able to debug in vscode):


./configure \
	--with-build-environment=default \
	--disable-optimizations \
	--enable-build-info="ubuntu 22" \
	--datadir=/usr/share/squid \
	--sysconfdir=/etc/squid \
	--libexecdir=/usr/lib/squid \
	--mandir=/usr/share/man \
	--enable-inline \
	--disable-arch-native \
	--enable-async-io=8 \
	--enable-storeio="ufs,aufs,diskd,rock" \
	--enable-removal-policies="lru,heap" \
	--enable-delay-pools \
	--enable-cache-digests \
	--enable-icap-client \
	--enable-follow-x-forwarded-for \
	--enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
	--enable-auth-digest="file,LDAP" \
	--enable-auth-negotiate="kerberos,wrapper" \
	--enable-auth-ntlm="fake,SMB_LM" \
	--enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group" \
	--enable-security-cert-validators="fake" \
	--enable-storeid-rewrite-helpers="file" \
	--enable-url-rewrite-helpers="fake" \
	--enable-eui \
	--enable-esi \
	--enable-icmp \
	--enable-zph-qos \
	--enable-ecap \
	--disable-translation \
	--with-swapdir=/var/spool/squid \
	--with-logdir=/var/log/squid \
	--with-pidfile=/run/squid.pid \
	--with-filedescriptors=65536 \
	--with-large-files \
	--with-default-user=proxy \
	--enable-linux-netfilter \
	--with-systemd



-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
Sent: Thursday, July 13, 2023 5:02 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized

On 7/13/23 10:29, Francesco Chemolli wrote:
> Hi Rafael,
>    that code was moved to a RegisteredRunner in commit
> 09490bb867d0b3f00a29911a65c715108e95b782 .
> I'm not sure why it is not working for you

That commit broke NTLM support in some environments because the linker in those environments does not add src/auth/ntlm/Scheme.cc code to squid executable. Linkers are allowed to drop modules that they think are unused. We will need to find a solution to that problem.

Alex.


> On Thu, Jul 13, 2023 at 1:38 PM Rafael Akchurin 
> <rafael.akchurin at diladele.com <mailto:rafael.akchurin at diladele.com>> wrote:
> 
>     Good day everyone,
> 
>     We are now trying to move the configuration with was valid and
>     working in Squid 5.7 to Squid 6.1 and hitting the following error:
>     Unknown authentication scheme 'ntlm'
> 
>     The problem seem to be with the following configuration we use
>     (output from squid -k parse).
> 
>     023/07/13 13:34:04| Processing: auth_param ntlm program
>     /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
>     2023/07/13 13:34:04| ERROR: Failure while parsing Config File:
>     Unknown authentication scheme 'ntlm'.
>     2023/07/13 13:34:04| FATAL: Bungled
>     /opt/websafety/etc/squid/authentication.conf line 231: auth_param
>     ntlm program /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan
>     --dc1port=389
>     2023/07/13 13:34:04| Squid Cache (Version 6.1): Terminated abnormally.
> 
>     Comparing the contents of squid-5.9/src/AuthReg.cc and
>     squid-6.1/src/AuthReg.cc it seems the support for NTLM
>     authentication was indeed removed from the codebase (see below).
> 
>     May I ask if the NTLM scheme is not needed at all now and we should
>     continue using only Negotiate scheme (letting it handle the NTLM as
>     usual)?
> 
>     Best regards,
>     Rafael Akchurin
>     Diladele B.V.
> 
> 
>     In 5.0 the AuthReg.cc was
> 
>     /**
>     * Initialize the authentication modules (if any)
>     * This is required once, before any configuration actions are taken.
>     */
>     void
>     Auth::Init()
>     {
>          debugs(29,DBG_IMPORTANT,"Startup: Initializing Authentication
>     Schemes ...");
>     #if HAVE_AUTH_MODULE_BASIC
>          static const char *basic_type =
>     Auth::Basic::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << basic_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_DIGEST
>          static const char *digest_type =
>     Auth::Digest::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << digest_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NEGOTIATE
>          static const char *negotiate_type =
>     Auth::Negotiate::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << negotiate_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NTLM
>          static const char *ntlm_type =
>     Auth::Ntlm::Scheme::GetInstance()->type();
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication
>     Scheme '" << ntlm_type << "'");
>     #endif
>          debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication.");
>     }
> 
> 
>     In 6.1 it is now
> 
> 
> 
>     /**
>     * Initialize the authentication modules (if any)
>     * This is required once, before any configuration actions are taken.
>     */
>     void
>     Auth::Init()
>     {
>          debugs(29, 2, "Initializing Authentication Schemes ...");
>     #if HAVE_AUTH_MODULE_BASIC
>          static const char *basic_type =
>     Auth::Basic::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     basic_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_DIGEST
>          static const char *digest_type =
>     Auth::Digest::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     digest_type << "'");
>     #endif
>     #if HAVE_AUTH_MODULE_NEGOTIATE
>          static const char *negotiate_type =
>     Auth::Negotiate::Scheme::GetInstance()->type();
>          debugs(29, 2, "Initialized Authentication Scheme '" <<
>     negotiate_type << "'");
>     #endif
>     }
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     http://lists.squid-cache.org/listinfo/squid-users
>     <http://lists.squid-cache.org/listinfo/squid-users>
> 
> 
> 
> --
>      Francesco
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list