We had an issue where with two NT domains that trusted one another, the
users would not get authenticated to the cache unless they were members of
the same domain that held the squid server. What we found was that a
trusted domain would return DOMAIN+USERNAME rather than DOMAIN/USERNAME so
that the domain would not get stripped before being presented. Here's an
enhancement that seems to work. This is in squid_ldap_group.c

if (user && strip_nt_domain) {
char *u = strchr(user, '\\');
if (!u)
u = strchr(user, '/');
/*Addition to allow trusted domains*/
if (!u)
u = strchr(user, '+');
/*end of addition*/
if (u && u[1])
user = u + 1;