[squid-users] Having trouble with win32_check_group (SquidNT)

From: Euan Holton <Squid@dont-contact.us>
Date: Thu, 23 Dec 2004 21:51:36 +0000

I am testing SquidNT 2.5STABLE7 on a Win2K machine, using NTLM
authentication and group checking via win32_check_group.exe; the
relevant items in squid.conf are:

auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Authenticated proxy_auth REQUIRED
acl bwt_network src 192.168.0.0/24

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -d -c

acl GProxyUsers external NT_global_group Internet

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow GProxyUsers Authenticated
http_access deny all

I'm just testing NTLM authentication at the moment; basic is not
implemented at this stage.

From an account logged in as the domain administrator, all is well - as
taken from these entries in cache.log:

/win32_check_group.exe[2804]: Got '**domain**\\administrator Internet'
from Squid (length: 31).
/win32_check_group.exe[2804]: Valid_Global_Groups: checking group
membership of '**domain*\administrator'.
/win32_check_group.exe[2804]: Using '\\**domain controller**' as DC for
'**domain**' local domain.
/win32_check_group.exe[2804]: Using '\\**domain controller**' as DC for
'**domain**' user's domain.
/win32_check_group.exe[2804]: Windows group: Domain Admins, Squid group:
Internet
/win32_check_group.exe[2804]: Windows group: Exchange Domain Servers,
Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Schema Admins, Squid group:
Internet
/win32_check_group.exe[2804]: Windows group: Citrix Access XP, Squid
group: Internet
/win32_check_group.exe[2804]: Windows group: Internet Access, Squid
group: Internet
/win32_check_group.exe[2804]: Windows group: MSWord, Squid group:
Internet
/win32_check_group.exe[2804]: Windows group: MSPowerpoint, Squid group:
Internet
/win32_check_group.exe[2804]: Windows group: Internet, Squid group:
Internet

However, when going in as myself the following happens:

/win32_check_group.exe[2804]: Got '**domain**\\eholton Internet' from
Squid (length: 25).
/win32_check_group.exe[2804]: Valid_Global_Groups: checking group
membership of '**domain**\eholton'.
/win32_check_group.exe[2804]: Using '**domain controller**' as DC for
'**domain**' local domain.
/win32_check_group.exe[2804]: Using '**domain controller' as DC for
'**domain**' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'

When I use win32_check_group.exe from the command line, used as directed
in the documentation and with the same arguments as in the squid.conf
extract above, I get the following as output:

**domain**\\eholton Internet
win32_check_group.exe[4052]: Got '**domain**\\eholton Internet' from
Squid (length: 25).
win32_check_group.exe[4052]: Valid_Global_Groups: checking group
membership of '**domain**\eholton'.
win32_check_group.exe[4052]: Using '**domain controller**' as DC for
'**domain**' local domain.
win32_check_group.exe[4052]: Using '**domain controller**' as DC for
'**domain**' user's domain.
win32_check_group.exe[4052]: Windows group: Data Warehouse
Administrator, Squid group: Internet
win32_check_group.exe[4052]: Windows group: MSoutlookxp, Squid group:
Internet
win32_check_group.exe[4052]: Windows group: Data Warehouse User, Squid
group: Internet
win32_check_group.exe[4052]: Windows group: Citrix Access XP, Squid
group: Internet
win32_check_group.exe[4052]: Windows group: IT Support, Squid group:
Internet
win32_check_group.exe[4052]: Windows group: MSWord, Squid group:
Internet
win32_check_group.exe[4052]: Windows group: MSPowerpoint, Squid group:
Internet
win32_check_group.exe[4052]: Windows group: Internet, Squid group:
Internet
OK

Where **domain** and **domain controller** refer to the actual values
for the site.

Is there something I'm missing? I find it puzzling that the helper is
failing given theoretically the same input as provided to it on a
command line.

Thanks in advance for any help!

-- 
Euan                                            mailto: Euan@erjholton.org
'Why?'
Received on Thu Dec 23 2004 - 14:51:49 MST
