Whe using pam_winbind with BOTH global:require_membership_of AND global:krb5_auth the group-membership check does not work. Reason (as I believe): In nsswitch/pam_winbind.c, function winbind_auth_request(): line 412: ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_AUTH, &request, &response, user); sets the ret-value to PAM_AUTH_ERR correctly when group-membership fails, but line 429: ret = pam_putenv(pamh, var); overwrites the ret-value with PAM_SUCCESS Solution: As in the following code, use a temporary return variable for the pam_putenv()-call... Regards, Thomas Bünnemann
Has been fixed with revision 21158, will be part of samba 3.0.25.