What exactly do you mean? Should I set it up like this? external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl acl NoInternet external ntgroup NoInternet http_access deny NoInternet ALL So by default the last thing on the line is AUTH? What exactly does the ALL do to make it not pop up (it appears to work btw). Also, when changing group membership in AD, for the changes to take effect would you have to reload squid, samba, and winbind? Is there anyway (other than editing the default squid error page, to redirect them if they are blocked? I do this with squidguard, not sure if its possible with this script/squid. Thanks -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Wednesday, November 28, 2007 3:15 AM To: Terry Dobbs Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: Anyone Use wbinfo_group.pl? Terry Dobbs wrote: > Hey > > I have a transparent proxy setup using squid, winbind, samba, etc... I > got sick of manually blocking IP addresses from accessing the internet > and stumbled across an article (thank god for google!) that allows > access based on AD Group. > > It pretty much looks like... > > external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl > acl NoInternet external ntgroup NoInternet > > Then there is the http_access deny line that denies the NoInternet > group. > > This seems to work fine, if a user belongs to the NoInternet group they > are prompted for Username/Password and even if they put in the correct > credentials they aren't allowed to go anywhere. > > My question is, instead of prompting for username/password if a user > belongs to the group, how do I just redirect them to a page? No other > time is my users prompted for authentication as it uses the NT "pass > through" credentials, so not sure why it wants to prompt now. > > Hoping someone out there is doing something similar? The credientials are asked again because auth is the last option to complete the http_access rule. There is a hack/workaround of adding 'all' as the last item on the line which apparently prevents the credentials being sought if they fail the first time. I suspect your other rules go something like http_access !noauth localnet which has the same effect of not requesting again on failure. Amos