Squid stops working with Authentication for ‘ntlm’

falconbase · 23 September 2023 09:07

Hi all,

i updated my ipfire to 1.78 after the update the Squid didn’t start, Authentification with Active Directory. In the logs i see this:

2023/09/23 11:02:53| ERROR: Failure while parsing Config File: Unknown authentication scheme ‘ntlm’.
2023/09/23 11:02:53| Not currently OK to rewrite swap log.
2023/09/23 11:02:53| storeDirWriteCleanLogs: Operation aborted.
2023/09/23 11:02:53| FATAL: Bungled /etc/squid/squid.conf line 80: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
2023/09/23 11:02:53| Squid Cache (Version 6.1): Terminated abnormally.

when i disable the Authentification than works the Proxy fine.

bonnietwin · 23 September 2023 10:44

You appear to have an authentication config that is specifying ntlm authentication. This was dropped back in January 2019 in Core Update 129.

ntlm authentication was dropped by squid in the 4.5 release and IPFire is currently using version 6.1 of squid.

What version of IPFire were you using before uograding to Core Update 178?

The currently available authentication methods can be found in the following wiki page.
https://wiki.ipfire.org/configuration/network/proxy/wui_conf/auth

falconbase · 23 September 2023 11:21

Hi,

i upgrade from 174 to 178.

i had 6 authentication methods

bonnietwin · 23 September 2023 13:15

Searching through the git commits on proxy.cgi the change was actually made in the Core Update from 126 to 127.

The commit to remove it was
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=ea72700a3b5f53680b218e9261593806bdc5f7d4

and I checked proxy.cgi in Core Update 127 and 174 and the commit changes were present in those versions and hence in between.

You can also see the change of authentication mentioned in the Core Update Release announcement
https://blog.ipfire.org/post/ipfire-2-21-core-update-127-released

If you were running Core Update 174 with 6 authentication options then it means that you still had the old version of proxy.cgi on your system.

There have been 12 updates of proxy.cgi since Core Update 127, so I would have expected you to have got the updated version of proxy.cgi somewhere in that period.

proxy.cgi was shipped with all of the following Core Updates:-
127 when the ntlm option was removed.
129
142
147
152
158
160
162
171
173
174
176

Even if you don’t update every Core Update it would seem difficult to have missed every one of those updates where proxy.cgi was shipped and hence a new version installed.

You mentioned that you upgraded from 174 to 178 and Core Update 174 shipped proxy.cgi so I would have expected you to already have run into this problem when that upgrade happened.

If you now only have the 5 authentication options then it sounds like you have the correct version now, without the ntlm authentication option.