first the basics: we use squid 2.6stable16, samba/winbind 3.0.24. squid is configured to use ntlm_auth via winbind. ntlm/winbind is use for authentication, to restrict internet access (autorization) we use a static export of nt/ad-groups via text file. i am thinking in changing this to use wbinfo_group to skip the static export. one reason is: we provide squid services for many subsidiaries. each use local groups, eg 001_surfer, 002_surfer, 003_surfer eg. in the AD there is a nested group www_surfer, which contains 001_surfer and so on. so a user member of 001_surfer should is also member of surfer. our static export for each subsidiary only exports the 00x... groups. wbinfo_group only check against the 00x... groups. i don't get any OK if checking against the group "surfer". tried wbinfo, when doing wbinfo -r USERNAME i only the the 00x_surfer groups but not the surfer group??? so the question is: how can i use ntlm_auth, winbind and wbinfo_group to authorize against nested groups in an windows AD? any hints? thanxs markus
