We have a rather disjointed network, primarily due to the way the company works. As a result, not every one of our users is currently logged in to the Windows domain. However, we have squid acting as a proxy for everyone's web browsing (wpad, etc.), and our users don't know the difference.

We would like to increase the functionality of squid by preventing certain users from accessing the web (via the proxy) while allowing everyone else to get through. Again, not everyone is logged in to the domain. My goal is to add NTLM authentication to make it transparent to the end user and, essentially, avoid the Windows pop-up. The less the users are aware of the proxy, the better. :)

I added NTLM authentication (via winbind back to AD), and that works great. I can see the user names populated in the output. However, I cannot seem to get it to allow traffic through for those users that the NTLM authentication fails on. In other words, I have:

---squid.conf snippet---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours
...
acl all src 0.0.0.0/0.0.0.0
...
# This to never cache
no_cache deny QUERY
# We don't want to proxy FTP.
acl FTP proto FTP
always_direct allow FTP
##
# Allow WindowsUpdate to work.
##
acl update-micro-dom dstdomain .microsoft.com
acl update-micro-dom dstdomain .windowsupdate.com
#
http_access allow update-micro-dom
acl NoAccess proxy_auth baduser
#
acl AD_Users proxy_auth REQUIRED
http_access deny NoAccess
http_access allow AD_Users
http_access allow localhost
http_access allow all
# And finally deny all other access to this proxy (catch all)
http_access deny all
---squid.conf snippet---

Once I put the above in place (specifically the proxy_auth lines), the logs show hits for those users logged in to the domain (good), but then show a whole mess of denied messages for users not part of the domain (bad). It is as if it is ignoring the allow "all" line, and I have the feeling I am missing something simple. But of course, I cannot help but ask: is this even possible?

-Rich