> On another machine using Winbind 2.x I have a similar configuration > with the old helpers, and it does fail the way I want. It was using > 'external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -c' > however, instead of 'proxy_auth'. Can I make the browsers work how I > want with the new method? To answer my own question, in case anyone is concerned: What I wanted to do was similar to what I had last time: external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl acl FullUsers external NT_global_group "/etc/squid/fullusers" Changing the order of the http_access lines to: http_access allow localhost http_access allow fullusers http_access allow localnet allowedsites http_access deny all means all usernames are logged as appropriate. This setup lets you do NTLM authentication without bothering users with passwords dialogs (and obviously only works on browsers that support NTLM) and therefore 'silently' deny users without the correct access. Craig
