Squid NT - как отфильтровать группу?

[newermind]

ставлю squid 2.6

домен на win2003

 

в конфиге добавлено:

 

auth_param ntlm program c:/squid/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp --require-membership-of="VBG_TN@InetUsers"

auth_param ntlm children 10

auth_param ntlm keep_alive on

 

тоесть по логике на прокси авторизуются ТОЛЬКО доменные пользователи и ТОЛЬКО из локальной группы InetUsers

 

Но пускает всех.

хотя записи в логах есть :

 

1180358810.096 31 192.168.11.199 TCP_DENIED/407 2059 GET http://polo.imageg.net/include/frontdoor.css - NONE/- text/html

1180358810.627 765 192.168.11.199 TCP_MISS/200 9141 GET http://www.polo.com/frontdoor/index.jsp vbg_tn%5cstudent DIRECT/63.240.110.250 text/html

1180358811.221 1125 192.168.11.199 TCP_MISS/200 941 GET http://polo.imageg.net/include/frontdoor.css vbg_tn%5cstudent DIRECT/84.53.139.27 text/css

1180358811.596 375 192.168.11.199 TCP_MISS/200 19237 GET http://polo.imageg.net/include/mbox.js vbg_tn%5cstudent DIRECT/84.53.139.27 application/x-javascript

1180358812.643 1047 192.168.11.199 TCP_MISS/200 364 GET http://geo.offermatica.com/geocity? vbg_tn%5cstudent DIRECT/69.20.17.27 application/x-javascript

1180358813.252 609 192.168.11.199 TCP_MISS/200 391 GET http://mbox5.offermatica.com/m2/polocom/mbox/standard? vbg_tn%5cstudent DIRECT/66.150.139.10 text/JavaScript

1180358814.815 1563 192.168.11.199 TCP_MISS/200 728 GET http://switch.atdmt.com/action/nycpol_frontgatepage_1 vbg_tn%5cstudent DIRECT/12.130.60.5 image/gif

1180358815.049 1797 192.168.11.199 TCP_MISS/200 137044 GET http://polo.imageg.net/frontdoor/FrontDoor3staticbackup.jpg? vbg_tn%5cstudent DIRECT/84.53.139.27 image/jpeg

1180358815.627 172 192.168.11.199 TCP_MISS/200 8736 GET http://polo.imageg.net/include/flashobject.js vbg_tn%5cstudent DIRECT/84.53.139.27 application/x-javascript

1180358815.830 781 192.168.11.199 TCP_MISS/200 6227 GET http://www.polo.com/frontdoor/index.jsp? vbg_tn%5cstudent DIRECT/63.240.110.250 text/html

1180358815.955 296 192.168.11.199 TCP_MISS/200 364 GET http://geo.offermatica.com/geocity? vbg_tn%5cstudent DIRECT/69.20.17.27 application/x-javascript

1180358816.190 219 192.168.11.199 TCP_MISS/200 391 GET http://mbox5.offermatica.com/m2/polocom/mbox/standard? vbg_tn%5cstudent DIRECT/66.150.139.10 text/JavaScript

1180358816.237 0 192.168.11.199 TCP_DENIED/407 1859 GET http://mbox5.offermatica.com/m2/polocom/mbox/standard? - NONE/- text/html

1180358816.268 31 192.168.11.199 TCP_DENIED/407 2089 GET http://mbox5.offermatica.com/m2/polocom/mbox/standard? - NONE/- text/html

1180358816.580 390 192.168.11.199 TCP_MISS/304 649 GET http://switch.atdmt.com/action/nycpol_frontgatepage_1 vbg_tn%5cstudent DIRECT/12.130.60.5 -

1180358816.862 594 192.168.11.199 TCP_MISS/200 383 GET http://mbox5.offermatica.com/m2/polocom/mbox/standard? vbg_tn%5cstudent DIRECT/66.150.139.10 text/JavaScript

1180358817.346 1141 192.168.11.199 TCP_MISS/200 80056 GET http://polo.imageg.net/frontdoor/FrontDoor1flash.swf vbg_tn%5cstudent DIRECT/84.53.139.27 application/x-shockwave-flash

1180358817.377 515 192.168.11.199 TCP_MISS/200 17756 GET http://polo.imageg.net/include/omniture.js vbg_tn%5cstudent DIRECT/84.53.139.34 application/x-javascript

1180358817.627 140 192.168.11.199 TCP_MISS/200 698 GET http://polo.imageg.net/include/minicartOmni.js vbg_tn%5cstudent DIRECT/84.53.139.34 application/x-javascript

1180358818.440 1063 192.168.11.199 TCP_MISS/302 1203 GET http://datag.polo.com/b/ss/polocom/1/G.9-P...s21366986747075? vbg_tn%5cstudent DIRECT/128.242.125.9 text/plain

1180358818.971 531 192.168.11.199 TCP_MISS/200 638 GET http://datag.polo.com/b/ss/polocom/1/G.9-P...s21366986747075? vbg_tn%5cstudent DIRECT/128.242.125.13 image/gif

 

 

Где student - пользователь не из группы InetUsers но он проходит..

что сделано не верно?