[squid-users] Re: Re: Reverse proxy to Sharepoint

2008-07-10 Thread afstcklnd

Finally resolved that issue by applying the latest fedora core 9 updates and
resetting a few things - unfortunately, not sure exactly what fixed the
problem.

A query on squid.conf...

If the http_access settings allow a connection through without ntlm
authentication, it seems as though the authentication is not used.
Reasonable I assume but in trying to get this working, we tried to set up
reverse proxy to a different site - successfully. Then we added the ntlm
bits for access to the secure area. What became apparent is although the
login was requested on the browser, nothing actually got through to winbind!

Anyway, we still have a problem...

Having removed all http_access except the ntlm users bit, authorisation
process goes through OK, however, the security token is not getting through
to sharepoint. Squid debug shows the GET followed by a reply with
Unauthorised from the sharepoint server.

What else am I missing?

-- 
View this message in context: 
http://www.nabble.com/Reverse-proxy-to-Sharepoint-tp17909397p18385593.html
Sent from the Squid - Users mailing list archive at Nabble.com.



[squid-users] Re: Re: Re: Reverse proxy to Sharepoint

2008-07-10 Thread afstcklnd

Not having a dig at you but I'm going round in circles here - has no one ever
done this successfully before?

Microsoft IAS is heavy, unwieldy and unfriendly so we chose to use Squid to
act as reverse proxy for limited remote access to various MS Sharepoint
sites (applications as they like to call them).

After a lot of reading, it seemed sensible to run on latest linux and squid
and use ntlm for authentication - it all points that way out there on the
net. 

I then find that ntlm is not supported in 3.0 so built an earlier version
and now today, get the info that we shouldn't authenticate on squid anyway
as we should hand-off through to sharepoint servers.

Set this up and find that squid 2.7 does not support http 1.1 -
aggghh.

login=PASS does hand off to sharepoint OK - however, sharepoint returns
everything under http 1.1 with objectmoved - new target does not get
replaced with external url for the site so external access suddenly finds
itself pointing somewhere strange.

If I ever get this working, I might write a book and make a fortune :) or
maybe not because if people wanted it, someone would have written it
already.

Henrik, you seem to be the guru - what do you advise???






Henrik Nordstrom-5 wrote:
> On Thu, 2008-07-10 at 09:18 -0700, afstcklnd wrote:
>> Having removed all http_access except the ntlm users bit, authorisation
>> process goes through OK, however, the security token is not getting through
>> to sharepoint. Squid debug shows the GET followed by a reply with
>> Unauthorised from the sharepoint server.
>
> Maybe this:
>
> Access to password protected content fails via the reverse proxy
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd
>
> Regarding authentication, it's generally a bad idea to use
> authentication both at the reverse proxy and the web server. There is
> only one slot for web server authentication in HTTP and things can
> get a bit confusing if you have two servers using that same slot at the
> same time...
>
> Regards
> Henrik
 




[squid-users] Re: Re: Reverse proxy to Sharepoint

2008-06-30 Thread afstcklnd

OK, does this mean I've misunderstood? I thought Samba had to be both
configured and running for the squid helpers to work. Your email suggests
that the helpers themselves do it all???

Thanks
Andrew




Henrik Nordstrom-5 wrote:
> On Fri, 2008-06-27 at 02:38 -0700, afstcklnd wrote:
>> OK, really at a loss now. Got rid of this problem by refining a few things
>> but now still not working but no real evidence of why not? Although
>> maybe
>>
>> == log.smbd ==
>> [2008/06/26 21:28:35,  3] printing/printing.c:start_background_queue(1397)
>>   start_background_queue: Starting background LPQ thread
>> [2008/06/26 21:28:35,  2] lib/util_sock.c:open_socket_in(1268)
>>   bind failed on port 445 socket_addr = 0.0.0.0.
>>   Error = Address already in use
>
> Sounds like you already have Samba running...
>
> Regards
> Henrik
 




[squid-users] Re: Reverse proxy to Sharepoint

2008-06-27 Thread afstcklnd

OK, really at a loss now. Got rid of this problem by refining a few things
but now still not working but no real evidence of why not? Although
maybe

== log.smbd ==
[2008/06/26 21:28:35,  3] printing/printing.c:start_background_queue(1397)
  start_background_queue: Starting background LPQ thread
[2008/06/26 21:28:35,  2] lib/util_sock.c:open_socket_in(1268)
  bind failed on port 445 socket_addr = 0.0.0.0.
  Error = Address already in use
[2008/06/26 21:28:35,  2] lib/util_sock.c:open_socket_in(1268)
  bind failed on port 139 socket_addr = 0.0.0.0.
  Error = Address already in use
[2008/06/26 21:28:35,  2] smbd/server.c:open_sockets_smbd(580)
  waiting for a connection




afstcklnd wrote:
> Hi,
>
> OK, have built a new Squid 2.7 Stable 2 version and it's up and running.
> wbinfo reports authentication OK, but I get the following when the users
> try and authenticate
>
> authenticateNTLMHandleReply: Error validating user via NTLM. Error
> returned 'BH NT_STATUS_ACCESS_DENIED'
>
> This would suggest a Samba problem but in isolation, Samba seems fine. Any
> ideas???
>
> All the best
> Andrew
>
> Chris Robertson-2 wrote:
>> afstcklnd wrote:
>>> We have a working infrastructure using Windows 2003, AD  Sharepoint for
>>> Project Web Access. In order to allow branch office access, we wanted to put
>>> in place a reverse proxy solution and looked at Squid. After a lot of
>>> reading, it became clear the Squid 2.6 or above was the best option in order
>>> to get working NTLM authentication. So
>>>
>>> We've installed a Fedora Core 9 box with Squid 3.0, attached it to the
>>> domain and set up all the kerberos, ldap authentication etc. However, it's
>>> not quite behaving correctly.
>>
>> Last I saw,
>> (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html)
>> you'll need to use 2.6 or 2.7 to proxy NTLM authentication.  The
>> connection pinning required to support it has not been added to the
>> released Squid 3 code base.
>>
>>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running
>>> OK. Connect to the proxy with IE or Firefox and the request for a password
>>> is presented but regardless of what is entered authentication.
>>>
>>> Obviously I need to provide more information but can you guide me as to
>>> where and what I need to provide?
>>>
>>> Thanks
>>
>> Chris




[squid-users] Re: Re: Reverse proxy to Sharepoint

2008-06-27 Thread afstcklnd

Yes, but only winbindd_privileged


Henrik Nordstrom-5 wrote:
> On Mon, 2008-06-23 at 15:31 -0700, afstcklnd wrote:
>> Hi,
>>
>> OK, have built a new Squid 2.7 Stable 2 version and it's up and running.
>> wbinfo reports authentication OK, but I get the following when the users try
>> and authenticate
>>
>> authenticateNTLMHandleReply: Error validating user via NTLM. Error returned
>> 'BH NT_STATUS_ACCESS_DENIED'
>>
>> This would suggest a Samba problem but in isolation, Samba seems fine. Any
>> ideas???
>
> Have you given the user Squid runs as access to the samba winbind pipe?
>
> Regards
> Henrik
 

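The access Henrik asks about in the message above can be checked from the shell. This is an added example, not part of the thread: the pipe directory path, the `squid` account name and the function names `can_search`, `mode_too_wide` and `audit_pipe` are assumptions for illustration, and the check looks only at the directory's mode bits.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults: the pipe directory
# path and the "squid" account name both vary by distribution and build.
PIPE_DIR="${PIPE_DIR:-/var/lib/samba/winbindd_privileged}"

# can_search DIR [USER]: 0 if the mode bits let USER (default: the current
# process) traverse DIR, 1 if not, 2 if DIR or USER cannot be resolved.
# Only mode bits are evaluated; ACLs, SELinux and root override are ignored.
can_search() {
    dir=$1; user=$2
    set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null)   # GNU stat
    [ $# -eq 3 ] || return 2
    d_uid=$1; d_gid=$2; mode=$((0$3))                 # %a prints octal
    u_uid=$(id -u ${user:+"$user"} 2>/dev/null) || return 2
    u_gids=$(id -G ${user:+"$user"} 2>/dev/null) || return 2
    if [ "$u_uid" -eq "$d_uid" ]; then
        bit=$((mode & 0100))                          # owner class only
    else
        bit=$((mode & 0001))                          # "other" unless in group
        for g in $u_gids; do
            if [ "$g" -eq "$d_gid" ]; then bit=$((mode & 0010)); break; fi
        done
    fi
    [ "$bit" -ne 0 ]
}

# mode_too_wide DIR: 0 if "other" holds any permission bit on DIR.
mode_too_wide() {
    perm=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $((0$perm & 0007)) -ne 0 ]
}

# audit_pipe USER: print a verdict for USER against PIPE_DIR.
audit_pipe() {
    can_search "$PIPE_DIR" "$1"
    case $? in
        0) echo "OK: $1 can reach $PIPE_DIR" ;;
        1) echo "DENIED: $1 cannot traverse $PIPE_DIR" ;;
        *) echo "UNKNOWN: cannot stat $PIPE_DIR or resolve $1"; return 2 ;;
    esac
    if mode_too_wide "$PIPE_DIR"; then
        echo "WARNING: $PIPE_DIR is accessible beyond owner and group"
    fi
}

# Run the audit only when an account name is given, e.g. "squid".
if [ $# -gt 0 ]; then audit_pipe "$1"; fi
```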



[squid-users] Re: Reverse proxy to Sharepoint

2008-06-23 Thread afstcklnd

Chris,

Thanks for the information!

Everything I read says use 2.6 or ANY build above that.

ATB
Andrew




Chris Robertson-2 wrote:
> afstcklnd wrote:
>> We have a working infrastructure using Windows 2003, AD  Sharepoint for
>> Project Web Access. In order to allow branch office access, we wanted to put
>> in place a reverse proxy solution and looked at Squid. After a lot of
>> reading, it became clear the Squid 2.6 or above was the best option in order
>> to get working NTLM authentication. So
>>
>> We've installed a Fedora Core 9 box with Squid 3.0, attached it to the
>> domain and set up all the kerberos, ldap authentication etc. However, it's
>> not quite behaving correctly.
>
> Last I saw,
> (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html)
> you'll need to use 2.6 or 2.7 to proxy NTLM authentication.  The
> connection pinning required to support it has not been added to the
> released Squid 3 code base.
>
>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running
>> OK. Connect to the proxy with IE or Firefox and the request for a password
>> is presented but regardless of what is entered authentication.
>>
>> Obviously I need to provide more information but can you guide me as to
>> where and what I need to provide?
>>
>> Thanks
>
> Chris
 




[squid-users] Re: Reverse proxy to Sharepoint

2008-06-23 Thread afstcklnd

Hi,

OK, have built a new Squid 2.7 Stable 2 version and it's up and running.
wbinfo reports authentication OK, but I get the following when the users try
and authenticate

authenticateNTLMHandleReply: Error validating user via NTLM. Error returned
'BH NT_STATUS_ACCESS_DENIED'

This would suggest a Samba problem but in isolation, Samba seems fine. Any
ideas???

All the best
Andrew



Chris Robertson-2 wrote:
> afstcklnd wrote:
>> We have a working infrastructure using Windows 2003, AD  Sharepoint for
>> Project Web Access. In order to allow branch office access, we wanted to put
>> in place a reverse proxy solution and looked at Squid. After a lot of
>> reading, it became clear the Squid 2.6 or above was the best option in order
>> to get working NTLM authentication. So
>>
>> We've installed a Fedora Core 9 box with Squid 3.0, attached it to the
>> domain and set up all the kerberos, ldap authentication etc. However, it's
>> not quite behaving correctly.
>
> Last I saw,
> (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html)
> you'll need to use 2.6 or 2.7 to proxy NTLM authentication.  The
> connection pinning required to support it has not been added to the
> released Squid 3 code base.
>
>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running
>> OK. Connect to the proxy with IE or Firefox and the request for a password
>> is presented but regardless of what is entered authentication.
>>
>> Obviously I need to provide more information but can you guide me as to
>> where and what I need to provide?
>>
>> Thanks
>
> Chris
 




[squid-users] Reverse proxy to Sharepoint

2008-06-17 Thread afstcklnd

We have a working infrastructure using Windows 2003, AD  Sharepoint for
Project Web Access. In order to allow branch office access, we wanted to put
in place a reverse proxy solution and looked at Squid. After a lot of
reading, it became clear the Squid 2.6 or above was the best option in order
to get working NTLM authentication. So

We've installed a Fedora Core 9 box with Squid 3.0, attached it to the
domain and set up all the kerberos, ldap authentication etc. However, it's
not quite behaving correctly.

Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running
OK. Connect to the proxy with IE or Firefox and the request for a password
is presented but regardless of what is entered authentication. 

Obviously I need to provide more information but can you guide me as to
where and what I need to provide?

Thanks
