RE: [squid-users] NT with 2 groups defined for squid

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Thu, 6 Dec 2001 10:48:59 +0100

> Hi,
> I have a question regarding authentication.
> We have 2 groups of users on NT: InternetUsersL (limited access -> some
> sites) and InternetUsersF (full access).
> Therefore I have 2 squid configurations installed on a box, one configured
> with port 8081 (= limited access) and the other using port 8080 (= full
> access), checking the correct groups on NT using smb_auth.
> However, I would prefer every client using the same script in their browser
> for automatic configuration.
>
> So my question:
> - is there a possibility to do this?

Yes.

> - does somebody use a better method for those 2 NT groups to authenticate?

Yes. Enumerate the groups and use squid ACLs.
Where I am we're using a database to do this, but it should be the same
with "net {local,global}group".
Create an .asp on your DC and IP- and password-protect it.
Have it dump a list of domain\user formatted lines.
Set up a cron job on the squid hosts that wgets that page and, if needed,
properly formats it and puts it in a file which is referenced
by the squid configuration, and finally squid -k reconfigure's.


> Another question:
> Since all of our clients are pointed to our proxy to run a script, won't the
> request to the Intranet servers still appear as if it's originating from the
> proxy?

Yes.

> Is it so that if a proxy exclusion exists for a client request, the proxy
> will forward the request on to the destination, still replacing the
> originating source address with its own? The difference is that it just
> doesn't force the request to pass through the proxy engine.

Use the .pac file for this.

> If so, even with the exclusion list, the proxy would still have to allow
> NTLM pass-through (NTLM authentication being used on webserver).

No can do. Internet Explorer will not even attempt authentication
if it sees it's going through a proxy. ANY proxy, not just squid (tested
with MSproxy, NetCache, CacheFlow, Squid).

-- 
	/kinkie 
Received on Thu Dec 06 2001 - 02:37:36 MST
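
The cron job described in the reply above, sketched as an added example (not code from the original post or from the Squid project). It keeps the existing file whenever the download is empty or contains anything other than domain\user lines, so an error or login page from the DC never becomes the ACL. LIST_URL, ACL_FILE, the default path and the accepted character set are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. LIST_URL, ACL_FILE, the default
# path and the accepted character set below are assumptions.

# normalize_list RAW OUT: write a sorted, de-duplicated DOMAIN\user list to OUT.
# Fails (and writes nothing) if RAW is empty or holds any other kind of line,
# e.g. an HTML login/error page or a truncated download.
normalize_list() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # CRLF and padding
        $0 == "" { next }
        $0 !~ /^[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+$/ { bad = 1; exit }
        { print; n++ }
        END { if (bad || n == 0) exit 1 }
    ' "$1" > "$2.unsorted" || { rm -f "$2.unsorted"; return 1; }
    sort -u "$2.unsorted" > "$2" && rm -f "$2.unsorted"
}

# install_list NEW ACL: replace ACL with NEW by rename, so Squid never reads a
# half-written file. Returns 0 only when the content actually changed.
install_list() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$1"
        return 1
    fi
    mv -f "$1" "$2"
}

# sync_group URL ACL: fetch, validate, install, and reconfigure only on change.
# wget reads the credentials for the page from the cron user's ~/.netrc.
sync_group() {
    raw=$(mktemp) || return 1
    if wget -q --timeout=30 -O "$raw" "$1" && normalize_list "$raw" "$2.new"; then
        rm -f "$raw"
        install_list "$2.new" "$2" || return 0   # unchanged: nothing to reload
        squid -k reconfigure
        return
    fi
    rm -f "$raw" "$2.new"
    echo "group sync failed, keeping existing $2" >&2
    return 1
}

# Runs only when LIST_URL is set, e.g. from the crontab entry's environment.
if [ -n "${LIST_URL:-}" ]; then
    sync_group "$LIST_URL" "${ACL_FILE:-/etc/squid/InternetUsersF.txt}"
fi
```

One such job per NT group gives one file per group, and a single Squid instance can then reference both files from its ACLs instead of running two configurations on two ports.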
