> -----Original Message----- > From: Matte Nilsson [mailto:condmaster@xxxxxxxxxxx] > Sent: Thursday, July 07, 2005 5:30 AM > To: squid-users@xxxxxxxxxxxxxxx > Cc: matte@xxxxxxxxxxxxxxx > Subject: I want NO login dialog when a user is > unauthenticated (if its possible..) > > > Hello! > > I run a squid/2.5.STABLE10 in a 1000 user enviroment on a SUSE SLES9 server > with Samba 3.0.9 configured for MS AD. > > Everything works just fine with the group authenication against MS AD. But > my problem is that when users without Internet Access Try to access the > internet the login dialog appears, and its like a closed door to a cat - > they are trying other peoples accounts, and lock them out. > > So my question is.. Are there any way to disable the login dialog for users > with no internet access?? > Here is my squid.conf: > > > http_port 10.52.5.201:8080 > hierarchy_stoplist cgi-bin ? > acl QUERY urlpath_regex cgi-bin \? > no_cache deny QUERY > log_fqdn on > client_netmask 255.255.255.255 > dns_nameservers 10.52.17.201 10.52.17.202 > > auth_param ntlm program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-ntlmssp > --require-membership-of=S-1-5-21-1187005629-1892371507-1230779191-4288 > auth_param ntlm children 5 > auth_param ntlm max_challenge_reuses 0 > auth_param ntlm max_challenge_lifetime 2 minutes > > auth_param basic program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-basic > --require-membership-of=S-1-5-21-1187005629-1892371507-1230779191-4288 > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours > > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern . 0 20% 4320 > > #********************************************************************* > acl InternetAccess proxy_auth REQUIRED > #********************************************************************* > acl special_url url_regex -i "/usr/local/squid/etc/open_sites.txt" > #********************************************************************* > http_access allow special_url > http_access allow InternetAccess > #********************************************************************* > > acl all src 0.0.0.0/0.0.0.0 > acl manager proto cache_object HTTP > acl localhost src 127.0.0.1/255.255.255.255 > acl to_localhost dst 127.0.0.0/8 > acl SSL_ports port 443 563 > acl Safe_ports port 80 > acl Safe_ports port 2001 > acl Safe_ports port 3001 > acl Safe_ports port 21 > acl Safe_ports port 443 563 > acl Safe_ports port 70 > acl Safe_ports port 210 > acl Safe_ports port 1025-65535 > acl Safe_ports port 280 > acl Safe_ports port 488 > acl Safe_ports port 591 > acl Safe_ports port 777 > acl CONNECT method CONNECT Remove the "auth_param basic" lines. No more authentication pop-up. Otherwise, prevent the workstations that people without internet access use from accessing the proxy at all. Third option, use wbinfo_group.pl to separate those that have internet access from those that don't. A setup guide of unknown accuracy is available at http://www.flatmtn.com/computer/Linux-SquidNT.html#Squid-4 Chris
