Hi all, could anyone give any suggestion for solve next problem: I have been configured squid with Single Sign-On (kerberos+samba+ntlm) So,commands wbinfo -t,wbinfo -p, wbinfo -u, wbinfo -g is working well (domain is KNG, realm kng.local), examples: $wbinfo -u KNG\ldapreader KNG\testproxyad1 KNG\testproxyad2 $wbinfo -a kng\\ldapreader%12345678 plaintext password authentication succeeded challenge/response password authentication succeeded squid.conf .... auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Proxy_AD auth_param basic credentialsttl 2 hours auth_param basic casesensitive off authenticate_cache_garbage_interval 10 seconds authenticate_ttl 0 seconds ... So, when acl & http_access is next, it works: acl users proxy_auth REQUIRED ... http_access allow users But, i need to give access in the internet by lists of users, so i re-edit squid config & create list: file /etc/squid/users.acl, it contain user names: ldapreader testproxyad1 testproxyad2 squid.conf ... acl users proxy_auth "/etc/squid/users.acl" ... http_access allow users After that, in browser squid says that "access denied", access.log: bla-bla-bla <IP-user> TCP_DENIED/407 1874 GET <bla-bla-bla> KNG\ldapreader NONE/- text/html Changing file with names users.acl as this: KNG\ldapreader KNG\testproxyad1 KNG\testproxyad2 No result, "access denied". Add options in smb.conf [global] winbind separator = \ No result, "access denied". Checking ntlm_auth (basic), well done: $/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic kng\ldapreader 12345678 OK Checking ntlm_auth (ntlmssp), well done: $/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp YR TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA What's wrong? Why squid don't want to work with list of users? Maybe I do not correct edit squid.conf in acl tag (acl users proxy_auth "/etc/squid/users.acl")? Or maybe get ntlm_auth from samba source, not from squid? Will waiting for respone.
