Squid NTLM auth

juraj · 24 November 2021 12:01

Hi
I have error
Unrecognised ntlm auth scheme parameter ‘credentialsttl’

because parameter is possible only in auth_param basic but not with NTLM as is set in conf.
http://www.squid-cache.org/Doc/config/auth_param/
Squid cache version 4.15 and Core Update 160
How to remove this parameterfrom squid.conf even after save from web interface ?

bonnietwin · 24 November 2021 15:01

Hallo @juraj,

Welcome to the IPFire community.

I just tried out setting the authentications with the web proxy on my vm testbed.

I presume that you have samba installed as ntlm-auth only seems to be used when that is installed. Then Windows Active Directory becomes one of the Authentication options on the web proxy page.

So I installed samba and then selected Windows Active Directory for the authentication and then pressed the “Save and Restart” button.

I did not get any error message at this stage. Looking in the squid.conf file there was both a

auth_param basic credentialsttl xx minutes

and a

auth_param ntlm credentialsttl xx minutes

line in the file.

Looking in the proxy.cgi file this is what the code is written to actually do.

At what point do you get the error message?

Looking back through the commits to proxy.cgi the inclusion of

auth_param ntlm credentialsttl xx minutes

into the ntlm auth section occurred around the beginning of 2019, although I cannot find the actual commit making the change.

For many of the other options squid ignores them if they are used in a context that is not correct. If the credentialsttl does not fall into that category and creates an error then this may be a bug in the cgi code that has been there since the start of 2019. Maybe there are not many people using the Windows Active Directory authentication option with Samba so it has not been found till now.

It would be good to know at which stage of the authentication setup or operation that you got the error message and was it on the Web Proxy cgi page or somewhere else.

If it is a bug then it would be good for you to raise this in the IPFire Bugzilla. Your IPFire People email address and password credentials will work to authenticate you in the IPFire Bugzilla.

https://wiki.ipfire.org/devel/bugzilla
https://bugzilla.ipfire.org/

juraj · 29 November 2021 12:52

Thanks for fast response.
You are right about configuration.
This error is shown only if I restart squid manually from shell.
So if this error is ignored by Squid, I’ll ignore it too.

I done manual restart to find out why is my Block category in URL filter not functional.