I have Samba 3.0.10 instaled on a CentOS 4.1 machine which authenticates users
against a Windows domain via pam_winbind. When require_membership_of is used
with the PAM module and is set to a SID from the domain everything works fine.
If I set the SID to a one for a local group, members of the local group cannot
login. The logs show an "incorrect password or invalid membership" error. When
I check what should be a valid user's group SIDS via wbinfo I see all domain and
local sids for the user listed. It appears that pam_wbinfo is not expanding
local SID memberships. I have also noticed that ntlm_auth when using
--required-membership-of also has this same problem.
The rationale for requiring a local SID is I can created a local nested group on
the box, say Valid Uers, which has for instance the Domain Admins group,
Developers group, johnblow, and janeblow as members.
After some a little push from from Andrew Bartlett on #samba-technical, I took a
look through the svn info for wbinfo.c with my non-existant C knowledge.
Possibly commits 7786 and 7823 might explain why wbinfo can list the SID of the
local nested groups? Thanks.
Any chance you test with a more recent release than 3.0.10 ?
We possibly won't have the ressources to debug / fix that issue for 3.0.10
(quite a bit changed since that).
Closing, as this works in more recent releases and there was no feedbacks for months. Please reopen, if you still see any problems with it.