I've got domain authentication working successfully against a Windows 2000 Active Directory domain with winbind and kerberos on 2 linux boxes. Everything works, logins, samba shares, ssh.
I've added something to the pam rules global/shared auth sections to stop any domain account that is not a member of the "domain admins" group from logging in. The line is:
auth required pam_winbind.so use_first_pass require_membership_of=S-1-5-21-xxxxxxxxx-551417010-xxxxxxxxxx-512
This is supposed to make sure that only user accounts that are members of the group that matches the SID (in this case the "domain admins" group) can log on. The test should return negative for domain user not a member of that domain group.
In samba 3.0.14a which is the current stable version on gentoo this works as expected, members of the group can log on and other domain users can't.
However, the exact same line on another box (suse) which is using samba 3.0.20b-3.1 does not work as expected and every domain user can still log on whether or not they are a member of the domain admins group.
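An added example, not code from this bug report or from Samba: it reproduces the decision pam_winbind makes for require_membership_of (the login is allowed when any SID in the user's token matches any SID listed in the option; later pam_winbind versions also accept a comma-separated list and group names, but this example handles SIDs only) and runs it against constructed `wbinfo --user-sids` output. The domain SID, the user RIDs and the wbinfo output are all placeholders, and the assumption that `wbinfo --user-sids=SID` prints one SID per line is stated in the code.

```python
"""Offline check of a pam_winbind require_membership_of rule.

Added example, not from the bug report or from the Samba project.
Assumptions (all labelled): the domain SID and RIDs below are placeholders,
the wbinfo output is constructed, and `wbinfo --user-sids=<SID>` is assumed
to print one SID per line.
"""
import re
import subprocess
from typing import List

# Placeholder domain SID; the real one is elided in the report as well.
DOMAIN = "S-1-5-21-1111111111-551417010-2222222222"

# Constructed `wbinfo --user-sids=<user SID>` output for two users:
# one who is in Domain Admins (RID 512) and one who is only in Domain Users (RID 513).
WBINFO_ADMIN = f"""{DOMAIN}-1104
{DOMAIN}-513
{DOMAIN}-512
S-1-1-0
S-1-5-32-545
"""
WBINFO_USER = f"""{DOMAIN}-1105
{DOMAIN}-513
S-1-1-0
S-1-5-32-545
"""

# The PAM line under discussion, with the placeholder domain SID filled in.
PAM_LINE = ("auth required pam_winbind.so use_first_pass "
            f"require_membership_of={DOMAIN}-512")

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def required_sids(pam_line: str) -> List[str]:
    """Return the SIDs named by require_membership_of= on a PAM line.

    An empty list means the option is absent, i.e. pam_winbind enforces no
    group membership and any domain user the module can authenticate gets in.
    """
    for token in pam_line.split():
        if token.startswith("require_membership_of="):
            value = token.split("=", 1)[1]
            sids = [s.strip() for s in value.split(",") if s.strip()]
            bad = [s for s in sids if not SID_RE.match(s)]
            if bad:
                raise ValueError(f"not a SID (group names are not handled here): {bad}")
            return sids
    return []


def parse_wbinfo_sids(output: str) -> List[str]:
    """Parse wbinfo --user-sids output; assumed to be one SID per line."""
    return [ln.strip() for ln in output.splitlines() if SID_RE.match(ln.strip())]


def login_allowed(pam_line: str, user_sids: List[str]) -> bool:
    """The membership decision: allowed iff no requirement, or any token SID matches."""
    required = required_sids(pam_line)
    if not required:
        return True
    return any(sid in required for sid in user_sids)


def live_user_sids(user_sid: str) -> List[str]:
    """Same check against a real box: needs wbinfo in PATH and winbindd running.

    Not exercised by the offline sample above; provided so the rule can be
    audited for real accounts before the PAM change is made.
    """
    result = subprocess.run(["wbinfo", f"--user-sids={user_sid}"],
                            capture_output=True, text=True, check=True)
    return parse_wbinfo_sids(result.stdout)


if __name__ == "__main__":
    for label, out in (("admin", WBINFO_ADMIN), ("plain user", WBINFO_USER)):
        verdict = "allowed" if login_allowed(PAM_LINE, parse_wbinfo_sids(out)) else "denied"
        print(f"{label}: {verdict}")
```

Running it prints `admin: allowed` and `plain user: denied`, which is the behaviour the report expects; on a real box, `live_user_sids` plus `wbinfo -n 'DOMAIN\Domain Admins'` (which resolves the group name to its SID) lets you audit which accounts the rule would lock out before touching the PAM stack.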
This works fine for me. Can you provide some more information?
ok, the box it was happening on has been wiped and I'm trying this on a new gentoo box with samba-3.0.21b which works as expected. I have no explanation for this so I should close this bug as invalid unless I can reproduce it which at present I cannot, but I was positive this didn't work with the samba on the suse box of the same version. perhaps suse patched something distro specific?
I permanently checked this in our package and it worked fine; so if it is still an issue for you, please reopen and send us some log level 10 debugging logs.