ntlm_auth seems to be sending ERR to squid when it shouldn't. I have
two users below that should both work but one doesn't. Any help
understanding where I've gone wrong is appreciated.
Let's look at this...
THIS WORKED:
###########################################################
Got SMBIZ+workinguser "SMBIZ+Internet Full" from squid
User: -SMBIZ+workinguser-
Group: -SMBIZ+Internet Full-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1688 Domain Group (2)-
GID: -16777253-
Sending OK to squid
THIS FAILED:
###########################################################
Got SMBIZ+failinguser "SMBIZ+Internet Full" from squid
User: -SMBIZ+failinguser-
Group: -SMBIZ+Internet Full-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1688 Domain Group (2)-
GID: -16777253-
Sending ERR to squid
Let's look at the first case...
The auth script got "SMBIZ+Internet Full" as the group. Let's see
what the SID is for that:
[root@inferno squid]# wbinfo -n "SMBIZ+Internet Full"
S-1-5-21-2732840889-2280141153-3048588358-1688 Domain Group (2)
O.K. Now let's see what the GID for that SID is:
[root@inferno squid]# wbinfo -Y S-1-5-21-2732840889-2280141153-3048588358-1688
16777253
That looks right. Now let's get the list of groups that workinguser is in:
[root@inferno squid]# wbinfo -r SMBIZ+workinguser
16777216
16777222
16777223
16777252
16777253 <<<<<<
16777255
16777256
So, workinguser is showing in the group that we are interested in.
Let's look at the test user:
[root@inferno squid]# wbinfo -r SMBIZ+failinguser
16777216
16777251
16777253 <<<<<<
He is also in that group so this should have worked also. Right?
NTLM SETTINGS
###########################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm use_ntlm_negotiate on
Thanks!
-- Gabriel Gunderson http://gundy.org
Received on Tue Nov 01 2005 - 11:06:35 MST
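The manual checks walked through in the post (wbinfo -n, wbinfo -Y, wbinfo -r), combined into one script so the same comparison can be repeated for any user and group. This is an added example, not part of the original message and not Samba or Squid code; the function names group_gid and user_in_group are hypothetical, and only the three wbinfo options shown in the post are used.

```shell
#!/bin/sh
# Added example: repeats the post's manual winbind lookups in one pass.
# Function names are hypothetical; wbinfo must be on PATH when run for real.

# group_gid GROUP: print the Unix GID that winbind maps GROUP to.
group_gid() {
    # wbinfo -n prints "<SID> <type text>"; keep only the SID field.
    sid=$(wbinfo -n "$1" | awk '{print $1; exit}')
    case $sid in
        S-1-*) ;;
        *) echo "no SID returned for group: $1" >&2; return 2 ;;
    esac
    gid=$(wbinfo -Y "$sid") || return 2
    case $gid in
        ''|*[!0-9]*) echo "no GID returned for SID: $sid" >&2; return 2 ;;
    esac
    printf '%s\n' "$gid"
}

# user_in_group USER GROUP: 0 = member, 1 = not a member, 2 = lookup failed.
user_in_group() {
    want=$(group_gid "$2") || return 2
    gids=$(wbinfo -r "$1") || return 2
    # Exact string match per GID, so a shorter GID never matches as a prefix.
    for g in $gids; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Usage: sh check_member.sh 'SMBIZ+failinguser' 'SMBIZ+Internet Full'
if [ "$#" -eq 2 ]; then
    rc=0
    user_in_group "$1" "$2" || rc=$?
    case $rc in
        0) echo "winbind: $1 is a member of $2" ;;
        1) echo "winbind: $1 is NOT a member of $2" ;;
        *) echo "winbind: lookup failed for $1 / $2" ;;
    esac
    exit "$rc"
fi
```

An exit status of 0 here for a user that the helper still answers ERR for means the winbind group mapping itself is consistent, which is the situation the post describes.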