Hi Alex,

I've got it working fine on domain members. I should have explained better - I'm setting up a guest wireless network in a school, so all devices that attach will be personal, non-domain, and as a rule I won't get the chance to configure them before they connect. The devices that I want to connect will be mostly student laptops, smartphones and visitors' devices.

The plan is to set up proxy DHCP autoconfig and/or a transparent port forwarding trick to point people towards the proxy (https is likely not to like this, I know), but I want a way of getting people to say who they are and give them internet access accordingly. I'm using squid/squidguard to great effect for the domain machines, and I'd like to use the same set of rules for folks connecting their own devices.

How has anyone else done this? The options I've found are basic, digest or NTLM, all of which have major issues in terms of security, configuration or usability respectively.

Jim

> Jim,
>
> If you are getting login prompts like this (especially 3 times) it's likely
> your NTLM auth is not working.
>
> In normal use with NTLM on domain member hosts, you should never see them,
> not even when opening the browser for the first time. The browser should
> pass through authentication from the logged on Windows session.
>
> I would check the permissions on the winbindd_privileged folder (usually in
> /var/run/samba or /var/cache/samba) and make sure your squid user can write
> to it. Some distros actually change the permissions on that folder after
> winbind has started in the init script.
>
> You might also want to check winbind is working by issuing "wbinfo -u" and
> "wbinfo -g" - you should get a list of domain users and groups.
>
> Alex