Доброго времени суток. Я нуб.
Требуется squid с прозрачной авторизацией (браузеры хромиумы и файрфокс поддерживают, шаблоны для назначения прокси для этих бразуеров работают нормально) в AD (win 2008r2) и собственно раздавать интернет по группам. Решил использовать Debian6+Squid3.1+krb+smb+winbind. В итоге kinit выдал билет, машина вошла в домен (net ads join -U USER%PASSWD) успешно, wbinfo листит группы и юзеров (wbinfo -t checking the trust secret for domain MFK-22 via RPC calls succeeded), wbinfo --authenticate отрабатывает нормально, НО ntlm_auth --username=user --domain=domain --diagnostics=password не отрабатывает (использую в squid ntlm и если не отработает - basic, не отрабатывает прозрачно ни 1 а при вводе вручную логина-пароля - не узнаются учетные данные) - по неверному паролю, с указанием хелпера вообще висит (--helper-protocol=squid-2.5-ntlmssp).
Конфиги

kerberos
[spoiler]
[libdefaults]
default_realm = MFK-22.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
MFK-22.LOCAL = {
kdc = dc.mfk-22.local
admin_server = dc.mfk-22.local
default_domain = mfk-22.local
}

[domain_realm]
.mfk-22.local = MFK-22.LOCAL
mfk-22.local = MFK-22.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5dc.log
admin_server = FILE:/var/log/ksadmind.log
[/spoiler]

samba
[spoiler]

[global]
workgroup = MFK-22
server string = SQUID-PROXY

security = ads
password server = dc.mfk-22.local
realm = MFK-22.LOCAL
preferred master = no
encrypt passwords = true
obey pam restrictions = yes

winbind enum groups = yes
winbind enum users = yes
winbind use default domain = True
winbind uid = 10000-20000
winbind gid = 10000-20000

template homedir = /home/%template homedir = /home/%

#logs#
log file = /ver/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
[/spoiler]

nsswitch
[spoiler]
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
[/spoiler]
Буду благодарен за любые идеи.
p.s. извиняюсь за стену текста, спойлеров нет.