I have Samba 3.0.10 installed on a CentOS 4.1 machine which authenticates users against a Windows domain via pam_winbind. When require_membership_of is used with the PAM module and is set to a SID from the domain, everything works fine. If I set the SID to one for a local group, members of the local group cannot log in. The logs show an "incorrect password or invalid membership" error. When I check what should be a valid user's group SIDs via wbinfo, I see all domain and local SIDs for the user listed. It appears that pam_wbinfo is not expanding local SID memberships. I have also noticed that ntlm_auth, when using --required-membership-of, also has this same problem. The rationale for requiring a local SID is that I can create a local nested group on the box, say Valid Users, which has, for instance, the Domain Admins group, Developers group, johnblow, and janeblow as members. After a little push from Andrew Bartlett on #samba-technical, I took a look through the svn info for wbinfo.c with my non-existent C knowledge. Possibly commits 7786 and 7823 might explain why wbinfo can list the SID of the local nested groups? Thanks. Tom
Any chance you can test with a more recent release than 3.0.10? We possibly won't have the resources to debug / fix that issue for 3.0.10 (quite a bit has changed since then).
Closing, as this works in more recent releases and there was no feedback for months. Please reopen if you still see any problems with it.