[squid-users] Re: Re: Reverse proxy to Sharepoint

Finally resolved that issue by applying the latest fedora core 9 updates and resetting a few things - unfortunately, not sure exactly what fixed the problem.

A query on squid.conf... If the http_access settings allow a connection through without ntlm authentication, it seems as though the authentication is not used. Reasonable I assume but in trying to get this working, we tried to set up reverse proxy to a different site - successfully. Then we added the ntlm bits for access to the secure area. What became apparent is although the login was requested on the browser, nothing actually got through to winbind!

Anyway, we still have a problem... Having removed all http_access except the ntlm users bit, authorisation process goes through OK, however, the security token is not getting through to sharepoint. Squid debug shows the GET followed by a reply with Unauthorised from the sharepoint server.

What else am I missing?

--
View this message in context: http://www.nabble.com/Reverse-proxy-to-Sharepoint-tp17909397p18385593.html
Sent from the Squid - Users mailing list archive at Nabble.com.

[squid-users] Re: Re: Re: Reverse proxy to Sharepoint

Not having a dig at you but I'm going round in circles here - has no one ever done this successfully before?

Microsoft IAS is heavy, unwieldy and unfriendly so we chose to use Squid to act as reverse proxy for limited remote access to various MS Sharepoint sites (applications as they like to call them). After a lot of reading, it seemed sensible to run on latest linux and squid and use ntlm for authentication - it all points that way out there on the net.

I then find that ntlm is not supported in 3.0 so built an earlier version and now today, get the info that we shouldn't authenticate on squid anyway as we should hand-off through to sharepoint servers. Set this up and find that squid 2.7 does not support http 1.1 - aggghh.

login=PASS does hand off to sharepoint OK - however, sharepoint returns everything under http 1.1 with objectmoved - new target does not get replaced with external url for the site so external access suddenly finds itself pointing somewhere strange.

If I ever get this working, I might write a book and make a fortune :) or maybe not because if people wanted it, someone would have written it already.

Henrik, you seem to be the guru - what do you advise???

Henrik Nordstrom-5 wrote:
> On tor, 2008-07-10 at 09:18 -0700, afstcklnd wrote:
>> Having removed all http_access except the ntlm users bit, authorisation process goes through OK, however, the security token is not getting through to sharepoint. Squid debug shows the GET followed by a reply with Unauthorised from the sharepoint server.
>
> Maybe this:
>
> Access to password protected content fails via the reverse proxy
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd
>
> Regarding authentication, it's generally a bad idea to use authentication both at the reverse proxy and the web server. There is only one slot for web server authentication in HTTP and things can get a bit confusing if you have two servers using that same slot at the same time...
>
> Regards
> Henrik

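An added example, not part of the thread or of Squid: a small Python check for the two symptoms described in the message above, a 401 from the origin that offers a connection-bound scheme and a redirect whose Location names a host other than the published one. The sample responses and the host names `pwa.example.com` and `sp-internal.example.local` are constructed placeholders.

```python
from urllib.parse import urlsplit

# NTLM and Negotiate authenticate a TCP connection, not a single request, so a
# proxy has to keep the client and origin connections paired ("pinned").
CONNECTION_BOUND = {"ntlm", "negotiate"}

# Constructed sample responses; host names are placeholders.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_302 = ("HTTP/1.1 302 Object moved\r\n"
              "Location: http://sp-internal.example.local/pwa/default.aspx\r\n"
              "Content-Length: 0\r\n\r\n")


def parse_head(raw):
    """Split a raw response head into (status_code, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def diagnose(raw, external_host):
    """Return findings for one origin response relayed by the reverse proxy."""
    status, headers = parse_head(raw)
    findings = []
    if status == 401:
        schemes = {v.split()[0].lower() for n, v in headers
                   if n == "www-authenticate" and v}
        if schemes & CONNECTION_BOUND:
            findings.append("connection-bound-auth")
    if status in (301, 302, 303, 307, 308):
        for name, value in headers:
            host = urlsplit(value).hostname if name == "location" else None
            if host and host.lower() != external_host.lower():
                findings.append("internal-redirect:" + host)
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_401, SAMPLE_302):
        print(diagnose(sample, "pwa.example.com"))
```
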
[squid-users] Re: Re: Reverse proxy to Sharepoint

OK, does this mean I've misunderstood? I thought Samba had to be both configured and running for the squid helpers to work. Your email suggests that the helpers themselves do it all???

Thanks
Andrew

Henrik Nordstrom-5 wrote:
> On fre, 2008-06-27 at 02:38 -0700, afstcklnd wrote:
>> OK, really at a loss now. Got rid of this problem by refining a few things but now still not working but no real evidence of why not? Although maybe
>>
>> == log.smbd ==
>> [2008/06/26 21:28:35, 3] printing/printing.c:start_background_queue(1397)
>>   start_background_queue: Starting background LPQ thread
>> [2008/06/26 21:28:35, 2] lib/util_sock.c:open_socket_in(1268)
>>   bind failed on port 445 socket_addr = 0.0.0.0. Error = Address already in use
>
> Sounds like you already have Samba running...
>
> Regards
> Henrik

[squid-users] Re: Reverse proxy to Sharepoint

OK, really at a loss now. Got rid of this problem by refining a few things but now still not working but no real evidence of why not? Although maybe

== log.smbd ==
[2008/06/26 21:28:35, 3] printing/printing.c:start_background_queue(1397)
  start_background_queue: Starting background LPQ thread
[2008/06/26 21:28:35, 2] lib/util_sock.c:open_socket_in(1268)
  bind failed on port 445 socket_addr = 0.0.0.0. Error = Address already in use
[2008/06/26 21:28:35, 2] lib/util_sock.c:open_socket_in(1268)
  bind failed on port 139 socket_addr = 0.0.0.0. Error = Address already in use
[2008/06/26 21:28:35, 2] smbd/server.c:open_sockets_smbd(580)
  waiting for a connection

afstcklnd wrote:
> Hi,
>
> OK, have built a new Squid 2.7 Stable 2 version and it's up and running. wbinfo reports authentication OK, but I get the following when the users try and authenticate
>
> authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
> This would suggest a Samba problem but in isolation, Samba seems fine.
>
> Any ideas???
>
> All the best
> Andrew
>
> Chris Robertson-2 wrote:
>> afstcklnd wrote:
>>> We have a working infrastructure using Windows 2003, AD Sharepoint for Project Web Access. In order to allow branch office access, we wanted to put in place a reverse proxy solution and looked at Squid.
>>>
>>> After a lot of reading, it became clear the Squid 2.6 or above was the best option in order to get working NTLM authentication. So we've installed a Fedora Core 9 box with Squid 3.0, attached it to the domain and set up all the kerberos, ldap authentication etc. However, it's not quite behaving correctly.
>>
>> Last I saw, (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html) you'll need to use 2.6 or 2.7 to proxy NTLM authentication. The connection pinning required to support it has not been added to the released Squid 3 code base.
>>
>>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running OK.
>>>
>>> Connect to the proxy with IE or Firefox and the request for a password is presented but regardless of what is entered authentication.
>>>
>>> Obviously I need to provide more information but can you guide me as to where and what I need to provide?
>>>
>>> Thanks
>>
>> Chris

[squid-users] Re: Re: Reverse proxy to Sharepoint

Yes, but only winbindd_privileged

Henrik Nordstrom-5 wrote:
> On mån, 2008-06-23 at 15:31 -0700, afstcklnd wrote:
>> Hi,
>>
>> OK, have built a new Squid 2.7 Stable 2 version and it's up and running. wbinfo reports authentication OK, but I get the following when the users try and authenticate
>>
>> authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>>
>> This would suggest a Samba problem but in isolation, Samba seems fine.
>>
>> Any ideas???
>
> Have you given the user Squid runs as access to the samba winbind pipe?
>
> Regards
> Henrik

[squid-users] Re: Reverse proxy to Sharepoint

Chris,

Thanks for the information! Everything I read says use 2.6 or ANY build above that.

ATB
Andrew

Chris Robertson-2 wrote:
> afstcklnd wrote:
>> We have a working infrastructure using Windows 2003, AD Sharepoint for Project Web Access. In order to allow branch office access, we wanted to put in place a reverse proxy solution and looked at Squid.
>>
>> After a lot of reading, it became clear the Squid 2.6 or above was the best option in order to get working NTLM authentication. So we've installed a Fedora Core 9 box with Squid 3.0, attached it to the domain and set up all the kerberos, ldap authentication etc. However, it's not quite behaving correctly.
>
> Last I saw, (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html) you'll need to use 2.6 or 2.7 to proxy NTLM authentication. The connection pinning required to support it has not been added to the released Squid 3 code base.
>
>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running OK.
>>
>> Connect to the proxy with IE or Firefox and the request for a password is presented but regardless of what is entered authentication.
>>
>> Obviously I need to provide more information but can you guide me as to where and what I need to provide?
>>
>> Thanks
>
> Chris

[squid-users] Re: Reverse proxy to Sharepoint

Hi,

OK, have built a new Squid 2.7 Stable 2 version and it's up and running. wbinfo reports authentication OK, but I get the following when the users try and authenticate

authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

This would suggest a Samba problem but in isolation, Samba seems fine.

Any ideas???

All the best
Andrew

Chris Robertson-2 wrote:
> afstcklnd wrote:
>> We have a working infrastructure using Windows 2003, AD Sharepoint for Project Web Access. In order to allow branch office access, we wanted to put in place a reverse proxy solution and looked at Squid.
>>
>> After a lot of reading, it became clear the Squid 2.6 or above was the best option in order to get working NTLM authentication. So we've installed a Fedora Core 9 box with Squid 3.0, attached it to the domain and set up all the kerberos, ldap authentication etc. However, it's not quite behaving correctly.
>
> Last I saw, (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html) you'll need to use 2.6 or 2.7 to proxy NTLM authentication. The connection pinning required to support it has not been added to the released Squid 3 code base.
>
>> Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running OK.
>>
>> Connect to the proxy with IE or Firefox and the request for a password is presented but regardless of what is entered authentication.
>>
>> Obviously I need to provide more information but can you guide me as to where and what I need to provide?
>>
>> Thanks
>
> Chris

[squid-users] Reverse proxy to Sharepoint

We have a working infrastructure using Windows 2003, AD Sharepoint for Project Web Access. In order to allow branch office access, we wanted to put in place a reverse proxy solution and looked at Squid.

After a lot of reading, it became clear the Squid 2.6 or above was the best option in order to get working NTLM authentication. So we've installed a Fedora Core 9 box with Squid 3.0, attached it to the domain and set up all the kerberos, ldap authentication etc. However, it's not quite behaving correctly.

Testing kerberos, ldap etc. seems all OK and the ntlm helpers are running OK.

Connect to the proxy with IE or Firefox and the request for a password is presented but regardless of what is entered authentication.

Obviously I need to provide more information but can you guide me as to where and what I need to provide?

Thanks