Configurei meu servidor firewall com squid+ldap e ingressou no dominio. Listou usuarios e grupos com wbinfo -u e wbinfo -g. Ao arrumar a autenticação no squid.conf para sempre pedir autenticação o navegador não para de pedir autenticação, ou seja, pedia senha toda hora.
#
# mkdir /var/spool/squid
# chmod 777 /var/spool/squid
#
# Criar e liberar o arquivo de log:
#
# chmod 777 /var/log/squid
# touch /var/log/squid/access.log
# chmod 777 /var/log/squid/access.log
#
# Iniciar Squid somente pra este boot:
# service squid start
#
# configurar pra iniciar Squid automaticamente em todo boot.
# chkconfig --level 35 squid on
#
#Mensagens de erro do Squid em Português
error_directory /usr/share/squid/errors/pt-br/ERR_ACCES_DENIED
# Definir nome do host firewall
visible_hostname sqefirewall.localdomain
# Definir em que porta vai rodar o squid
http_port 192.168.0.253:3128
# Definir tamanho de memoria cache
cache_mem 350 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# Tamanho maximo do objeto na memoria.
maximum_object_size_in_memory 64 KB
# Definir tamanho maximo de objeto
maximum_object_size 1024 MB
# Definir tamanho minimo de objeto
minimum_object_size 0 KB
# Quando comecar a descartar arquivos do cache
cache_swap_low 90
cache_swap_high 95
# Definir o local, tamanho, pasta e sub-pasta do cache
cache_dir ufs /var/spool/squid 2048 16 256
# Definir o local para gravar os logs de acesso
cache_access_log /var/log/squid/access.log squid
# Definir o local para gravar os logs do cache
cache_log /var/log/squid/cache.log
# Definir o local para gravar os logs do store
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
# Definir o usuario e grupo do squid
cache_effective_user squid
cache_effective_group squid
# Definir a mask dos usuarios que vao logar nos arquivos de saida
client_netmask 255.255.255.255
# Definir a linguagem dos resultados do squid
error_directory /usr/share/squid/errors/pt-br/
# Tempo para manter o Cache.
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# Definir ACLs
# acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 1863 2096 443 563 465 873 995 2083 2087 10000
acl Safe_ports port 21 80 81 82 85 88 443 1863 8080 8085 8880 37777 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 21 3389
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 10000 # webmin
acl Safe_ports port 8080 # Geovision
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
#####################
# Inicio das regras #
#####################
# Controle de banda
#acl sites_1000k url_regex -i "/etc/squid/mod_bandwidth/sites_1000k"
#acl sites_50k url_regex -i "/etc/squid/mod_bandwidth/sites_50k"
#acl ips_1000k src "/etc/squid/mod_bandwidth/ips_1000k"
#acl ips_50k src "/etc/squid/mod_bandwidth/ips_50k"
############## Delay Pools ##############################
delay_pools 2
# Libera 1kb/s para os sites cadastrados no arquivo "sites_1000k"
#delay_class 1 2
#delay_parameters 1 -1/-1 10000/10000 10000/10000
#delay_access 1 allow sites_1000k ips_1000k
# Libera 50kb/s para os sites cadastrados no arquivo "sites_50k"
#delay_class 2 2
#delay_parameters 2 -1/-1 50000/50000 50000/50000
#delay_access 2 allow sites_50k
#delay_access 1 allow sites_50k ips_50k
# Team Viewer Servidor
acl teamviewer-ssl url_regex ^(master|ping)[0-9]+\.teamviewer\.com
http_access deny teamviewer-ssl
# Sites que nao devem solicitar autenticacao.
acl sites_libera_sem_auth url_regex "/etc/squid/acessos/sites/sites_sem_autenticacao"
http_access allow sites_libera_sem_auth
# Autenticacao AD
auth_param basic realm Use a internet somente para fins corporativos.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=sqe,dc=enerconsult,dc=com" -D "cn=usuario,ou=internet,cn=Users,dc=sqe,dc=enerconsult,dc=com" -w "senha" -f sAMAccountName=%s -h 192.168.0.101
acl autentica proxy_auth REQUIRED
http_access allow autentica
auth_param ntlm children 30
auth_param basic children 5
auth_param basic credentialsttl 2 hours
# Libera Youtube
#acl youtube url_regex .youtube
#acl u_youtube proxy_auth nome.sobrenome
#http_access allow youtube u_youtube
# Windows Update
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern
www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
range_offset_limit -1
maximum_object_size 1000 MB
quick_abort_min -1
acl localnet src 192.168.0.0/24
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain
www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain
www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
# Bloqueio Skype
#acl skype_80 url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:80
#acl skype_443 url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
#http_access deny skype_80
#http_access deny skype_443
#acl skype_ua browser ^skype^
#http_access deny skype_ua
# Politicas Gerais
acl acesso_irrestrito proxy_auth "/etc/squid/acessos/usuarios/acesso_irrestrito"
acl bloquear_extensoes urlpath_regex -i "/etc/squid/acessos/extensoes/extensoes"
acl acesso_moderado proxy_auth "/etc/squid/acessos/usuarios/acesso_moderado"
acl acesso_restrito proxy_auth "/etc/squid/acessos/usuarios/acesso_restrito"
acl sites_negados url_regex "/etc/squid/acessos/sites/sites_bloqueados"
acl sites_liberados url_regex "/etc/squid/acessos/sites/sites_liberados"
acl ips_liberados url_regex "/etc/squid/acessos/ips_liberados"
http_access allow ips_liberados
http_access allow acesso_irrestrito
http_access deny bloquear_extensoes !acesso_irrestrito
http_access allow acesso_restrito sites_liberados
http_access allow acesso_moderado !sites_negados
# Fim
#http_access deny all
http_access allow all
icp_access deny all