[squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized
Alex Rousskov
rousskov at measurement-factory.com
Thu Jul 13 18:20:16 UTC 2023
Please see if the following partial fix helps in your environment:
https://github.com/squid-cache/squid/commit/5596a2f4894f80864b660b035d05f5aec74f8312.patch
The fix has been posted for preliminary review as draft PR 1422:
https://github.com/squid-cache/squid/pull/1422
Thank you,
Alex.
On 7/13/23 12:53, Rafael Akchurin wrote:
> And the configure options are just those from Debian Unstable (I just added the --disable-optimizations to be able to debug in vscode):
>
>
> ./configure \
> --with-build-environment=default \
> --disable-optimizations \
> --enable-build-info="ubuntu 22" \
> --datadir=/usr/share/squid \
> --sysconfdir=/etc/squid \
> --libexecdir=/usr/lib/squid \
> --mandir=/usr/share/man \
> --enable-inline \
> --disable-arch-native \
> --enable-async-io=8 \
> --enable-storeio="ufs,aufs,diskd,rock" \
> --enable-removal-policies="lru,heap" \
> --enable-delay-pools \
> --enable-cache-digests \
> --enable-icap-client \
> --enable-follow-x-forwarded-for \
> --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
> --enable-auth-digest="file,LDAP" \
> --enable-auth-negotiate="kerberos,wrapper" \
> --enable-auth-ntlm="fake,SMB_LM" \
> --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group" \
> --enable-security-cert-validators="fake" \
> --enable-storeid-rewrite-helpers="file" \
> --enable-url-rewrite-helpers="fake" \
> --enable-eui \
> --enable-esi \
> --enable-icmp \
> --enable-zph-qos \
> --enable-ecap \
> --disable-translation \
> --with-swapdir=/var/spool/squid \
> --with-logdir=/var/log/squid \
> --with-pidfile=/run/squid.pid \
> --with-filedescriptors=65536 \
> --with-large-files \
> --with-default-user=proxy \
> --enable-linux-netfilter \
> --with-systemd
>
>
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
> Sent: Thursday, July 13, 2023 5:02 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid 6.1 - auth scheme 'ntlm' is not recognized
>
> On 7/13/23 10:29, Francesco Chemolli wrote:
>> Hi Rafael,
>> that code was moved to a RegisteredRunner in commit
>> 09490bb867d0b3f00a29911a65c715108e95b782 .
>> I'm not sure why it is not working for you
>
> That commit broke NTLM support in some environments because the linker in those environments does not add src/auth/ntlm/Scheme.cc code to the squid executable. Linkers are allowed to drop modules that they think are unused. We will need to find a solution to that problem.
>
> Alex.
>
>
>> On Thu, Jul 13, 2023 at 1:38 PM Rafael Akchurin
>> <rafael.akchurin at diladele.com> wrote:
>>
>> Good day everyone,
>>
>> We are now trying to move the configuration which was valid and
>> working in Squid 5.7 to Squid 6.1 and hitting the following error:
>> Unknown authentication scheme 'ntlm'
>>
>> The problem seems to be with the following configuration we use
>> (output from squid -k parse).
>>
>> 023/07/13 13:34:04| Processing: auth_param ntlm program
>> /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan --dc1port=389
>> 2023/07/13 13:34:04| ERROR: Failure while parsing Config File:
>> Unknown authentication scheme 'ntlm'.
>> 2023/07/13 13:34:04| FATAL: Bungled
>> /opt/websafety/etc/squid/authentication.conf line 231: auth_param
>> ntlm program /opt/websafety/bin/wsauth --dc1addr=dc1.diladele.lan
>> --dc1port=389
>> 2023/07/13 13:34:04| Squid Cache (Version 6.1): Terminated abnormally.
>>
>> Comparing the contents of squid-5.9/src/AuthReg.cc and
>> squid-6.1/src/AuthReg.cc it seems the support for NTLM
>> authentication was indeed removed from the codebase (see below).
>>
>> May I ask if the NTLM scheme is not needed at all now and we should
>> continue using only Negotiate scheme (letting it handle the NTLM as
>> usual)?
>>
>> Best regards,
>> Rafael Akchurin
>> Diladele B.V.
>>
>>
>> In 5.0 the AuthReg.cc was
>>
>> /**
>>  * Initialize the authentication modules (if any)
>>  * This is required once, before any configuration actions are taken.
>>  */
>> void
>> Auth::Init()
>> {
>>     debugs(29,DBG_IMPORTANT,"Startup: Initializing Authentication Schemes ...");
>> #if HAVE_AUTH_MODULE_BASIC
>>     static const char *basic_type = Auth::Basic::Scheme::GetInstance()->type();
>>     debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << basic_type << "'");
>> #endif
>> #if HAVE_AUTH_MODULE_DIGEST
>>     static const char *digest_type = Auth::Digest::Scheme::GetInstance()->type();
>>     debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << digest_type << "'");
>> #endif
>> #if HAVE_AUTH_MODULE_NEGOTIATE
>>     static const char *negotiate_type = Auth::Negotiate::Scheme::GetInstance()->type();
>>     debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << negotiate_type << "'");
>> #endif
>> #if HAVE_AUTH_MODULE_NTLM
>>     static const char *ntlm_type = Auth::Ntlm::Scheme::GetInstance()->type();
>>     debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication Scheme '" << ntlm_type << "'");
>> #endif
>>     debugs(29,DBG_IMPORTANT,"Startup: Initialized Authentication.");
>> }
>>
>>
>> In 6.1 it is now
>>
>>
>>
>> /**
>>  * Initialize the authentication modules (if any)
>>  * This is required once, before any configuration actions are taken.
>>  */
>> void
>> Auth::Init()
>> {
>>     debugs(29, 2, "Initializing Authentication Schemes ...");
>> #if HAVE_AUTH_MODULE_BASIC
>>     static const char *basic_type = Auth::Basic::Scheme::GetInstance()->type();
>>     debugs(29, 2, "Initialized Authentication Scheme '" << basic_type << "'");
>> #endif
>> #if HAVE_AUTH_MODULE_DIGEST
>>     static const char *digest_type = Auth::Digest::Scheme::GetInstance()->type();
>>     debugs(29, 2, "Initialized Authentication Scheme '" << digest_type << "'");
>> #endif
>> #if HAVE_AUTH_MODULE_NEGOTIATE
>>     static const char *negotiate_type = Auth::Negotiate::Scheme::GetInstance()->type();
>>     debugs(29, 2, "Initialized Authentication Scheme '" << negotiate_type << "'");
>> #endif
>> }
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> <mailto:squid-users at lists.squid-cache.org>
>> http://lists.squid-cache.org/listinfo/squid-users
>> <http://lists.squid-cache.org/listinfo/squid-users>
>>
>>
>>
>> --
>> Francesco