> >Rich West wrote:
>>
>> I added NTLM authentication (via winbind back to AD), and that works
>> great. I can see the user names populated in the output. However, I
>> cannot seem to get it to allow traffic through for those users that the
>> NTLM authentication fails on.
>>
>> In other words, I have:
>> ---squid.conf snippet---
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 5
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Web Proxy Server
>> auth_param basic credentialsttl 24 hours
>> ...
>
>The simplest way around this is to set up basic authentication as a
>backup to NTLM (configured after NTLM auth config). And give those
>people a special type of user/pass for internet access.
>

But this means that there must be a special user in the AD domain to work. So everyone can use that "surfer" account.

You use auth ntlm and auth basic. That means that you will first try to do ntlm auth against AD, and if this fails you do basic auth, also against AD.

You could change the basic auth to do auth against a local passwd-file; then you could add accounts with id/password who are allowed to access the squid.

If a person is not a member of AD nor in the passwd-list, then he is not allowed to access - at least if he doesn't know one id/pass from passwd...

markus
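
The arrangement described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. The helper name and path, the password file location, and the ACL name are assumptions to adjust for the local install.

```conf
# --- NTLM first: domain members authenticate against AD through winbind ---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# --- Basic second: fallback checked against a LOCAL password file, not AD ---
# Assumption: the NCSA helper is installed as /usr/lib/squid/ncsa_auth
# (it is named basic_ncsa_auth on Squid 3.2 and later; the path varies by distro).
# Assumption: /etc/squid/passwd is an htpasswd-format file, e.g. created with
#   htpasswd -c /etc/squid/passwd <account>
# Keep that file readable only by the account Squid's helpers run as.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours

# Basic credentials travel base64-encoded, not encrypted, between browser
# and proxy, so give each non-AD user an individual account in the file
# rather than one shared login; access.log then shows who used the proxy.

# --- Access control: any successfully authenticated user, nobody else ---
# "authenticated" is a hypothetical ACL name chosen for this example.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```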