[squid-users] Can Winbind 3.x authenticators be stopped from asking for credentials?

Hi everyone,

I have Squid configured with Winbind 3.x to do NTLM authentication to
only allow a limited subset of sites to people who are not in an
"Internet access" group.

Everything works OK - users in the group can access everything, users in
the group can access only the sites in the allowedsites list, except in
the case where a limited user tries to access a site they don't have access
to: both IE and Firefox pop up a dialog asking for credentials, instead
of failing them with an "Access denied" message.

On another machine using Winbind 2.x I have a similar configuration with
the old helpers, and it does fail the way I want.  It was using
'external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -c'
however, instead of 'proxy_auth'.  Can I make the browsers work how I
want with the new method?

Relevant config sections:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOMAIN\\Internet"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

acl allowedsites        dstdomain       "/etc/squid/allowedsites"
acl fullusers           proxy_auth      REQUIRED

http_access allow localhost
http_access allow allowedsites
http_access allow fullusers
http_access deny all

Thanks,
Craig

