Well, I ran some tests for this scenario.
I configured NS as a domain member (server AD is Win8R2) and I activated the authenticated proxy mode.
AD Users open web pages without popup authentication.
Some settings to note: the DNS proxy must be the domain’s DNS server (normally the server AD), the proxy in the browser must be the proxy full name (FQN) (not the IP)
I had problems with client windows installed on hyper-v
For your problem look files /var/log/squid/cache.log and access.log for errors.
tail -f /var/log/squid/cache.log
After using the external acl named ext_wbinfo_group_acl I set the navigation for a single AD group.
I added these lines after the section
Additional NTLM auth for Windows XP clients in ADS mode
external_acl_type nt_group% LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl WebYesACL external nt_group WebYes
http_access allow WebYesACL
and commented (#)
http_access allow localnet authenticated
(Where WebYes is the domain group)
It works.
You can create multiple acl for most groups and combine them to set permissions
The only problem occurs when you reconfigure the proxy from Web Consolle that deletes lines added by hand.
Any opinion for this configuration?