The Samba-Bugzilla – Bug 9648
pam_winbind does not support use_uid option and PAM_IGNORE return value
Last modified: 2013-02-20 00:17:07 UTC
I've tried to use pam_winbind.so module in pam.d/so-l configuration file with require_membership_of option but was surprised that pam_winbind cannot use original user credentials (like pam_wheel does with option use_uid) and cannot be configured to reply PAM_IGNORE instead of PAM_SUCCESS or FAIL - it always checked for root account and not my AD user.
It will be nice if you can add support for these options.