# [Solved...] pam_winbind.so require_membership_of is ignored?

## scratch

Hi, I'm setting up a Gentoo samba server for our campus 2003 ADS network home directories. Near as I can tell everything is working the way it needs to so I've decided it might be time to lock it down.

To simplify new user creation we've decided that using pam_mkhomedir.so would be a great feature to have the fileserver automagically create their home when they first log in. But we don't want everyone to log in, just the members of filesurfer-users (yes, my naming schemes are all that imaginative). 

The obvious first choice was /etc/pam.d/samba:

```
#%PAM-1.0
# Require membership of filesurfer-users group
account required        pam_winbind.so require_membership_of=(SID)
session required        pam_winbind.so require_membership_of=(SID)
session optional        pam_mkhomedir.so skel=/etc/mside-skel umask=0077
```

The (SID) I'm using is the full output of wbinfo -n filesurfer-users sans "Domain Group(2)". The two members of this group are Faculty and Staff, each of which has all the named user accounts.

I've also tried (in place of SID) "REALM\filesurfer-users" and "REALM+filesurfer-users" as well as several other silly combinations of gibberish to try and make the flag fail I won't list here.

smb.conf is set to obey pam restrictions and to encrypt passwords.

This same setup on a RedHat imap server (require_membership_of) is working just swimmingly.

I've compiled samba with the following use flags:

```
net-fs/samba-3.0.28  USE="acl ads automount cups doc ldap pam python quotas readline swat syslog winbind -async -caps -examples -fam -ipv6 (-selinux)"
```

Any ideas as to why the require_membership_of flag is being ignored? This same setup on our RedHat imap server (require_membership_of) is working just swimmingly, which gives me some faith in my configuration.

Thanks!

Shaun

----------

## scratch

As far as I can tell this is actually a documented limitation of PAM:

```
obey pam restrictions (G)

             When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not
             Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear
             text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for
             authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the
             challenge/response authentication mechanism needed in the presence of SMB password encryption.
```

So, while man pam_winbind more or less implies that it will do what I expect, I think this might just be an oversight in the documentation. But this flag will work for things such as ssh logins...

```
require_membership_of=[SID or NAME]

          If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be
          either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the SID. That name
          must have the form: MYDOMAIN\mygroup or MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally.
          Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs
          a user is a member of with wbinfo --user-sids=SID.
```

Cheers!
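The check that the quoted pam_winbind man page describes (accept a user only if the required SID, or the SID a `MYDOMAIN\name` resolves to, appears in the user's SID list) is easy to reproduce outside PAM, which is handy for verifying that the SID pasted into `require_membership_of=` is the one the user's token actually carries. The Python below is an added example written for this thread, not code from Samba or from the poster. It works on constructed text in the shape of `wbinfo -n` and `wbinfo --user-sids` output with a placeholder domain SID; on a real member server you would feed it the output of those two commands instead.

```python
import re

# Placeholder domain SID (constructed for this example, not a real domain).
DOMAIN = "S-1-5-21-1000000000-2000000000-3000000000"
SID_USER = DOMAIN + "-1105"          # the user's own SID (first line of --user-sids)
SID_DOMAIN_USERS = DOMAIN + "-513"   # Domain Users, present in every domain token
SID_FACULTY = DOMAIN + "-1201"       # the user's direct group
SID_STAFF = DOMAIN + "-1202"         # a group the user is NOT in
SID_FILESURFER = DOMAIN + "-1300"    # filesurfer-users, reached via Faculty nesting

# Constructed stand-in for `wbinfo --user-sids=<user SID>`: one SID per line.
# Nested groups show up here too, which is why filesurfer-users is listed
# even though the user is only a direct member of Faculty.
SAMPLE_USER_SIDS = "\n".join([SID_USER, SID_DOMAIN_USERS, SID_FACULTY, SID_FILESURFER]) + "\n"

# Constructed stand-in for `wbinfo -n NAME` lookups (NAME -> SID string).
SAMPLE_NAME_LOOKUP = {
    "REALM\\filesurfer-users": SID_FILESURFER,
    "REALM\\faculty": SID_FACULTY,
    "REALM\\staff": SID_STAFF,
}

# A SID is "S-1-<authority>-<rid>[-<rid>...]".
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_from_wbinfo_n(output):
    """Extract the SID from a `wbinfo -n NAME` line such as
    'S-1-5-21-...-1300 Domain Group (2)': the SID is the first token."""
    parts = output.split()
    if not parts or not SID_RE.match(parts[0]):
        raise ValueError(f"no SID at start of wbinfo -n output: {output!r}")
    return parts[0]


def parse_user_sids(wbinfo_output):
    """Turn `wbinfo --user-sids` output into a list of SID strings."""
    return [line.strip() for line in wbinfo_output.splitlines() if line.strip()]


def resolve_required(value, name_lookup):
    """Return the SID for a require_membership_of value.

    A literal SID is used as-is; a MYDOMAIN\\name is resolved through
    name_lookup (standing in for winbind's internal lookup). Names with
    spaces are rejected, as the man page says they cannot be used."""
    if SID_RE.match(value):
        return value
    if " " in value:
        raise ValueError("NAME may not contain spaces; use the group's SID instead")
    if "\\" not in value:
        raise ValueError("NAME must have the form MYDOMAIN\\mygroup or MYDOMAIN\\myuser")
    try:
        return name_lookup[value]
    except KeyError:
        raise ValueError(f"cannot resolve {value!r} to a SID")


def require_membership_of(required, user_sids_output, name_lookup):
    """Mirror of the pam_winbind check: succeed only if the required SID
    (group, alias or user SID) is in the user's SID list."""
    required_sid = resolve_required(required, name_lookup)
    return required_sid in parse_user_sids(user_sids_output)


if __name__ == "__main__":
    sid = sid_from_wbinfo_n(SID_FILESURFER + " Domain Group (2)")
    print("filesurfer-users SID:", sid)
    for value in (sid, "REALM\\filesurfer-users", "REALM\\staff"):
        ok = require_membership_of(value, SAMPLE_USER_SIDS, SAMPLE_NAME_LOOKUP)
        print(f"{value:32s} -> {'allow' if ok else 'deny'}")
```

Because the sample token includes the nested filesurfer-users SID, both the SID form and the `REALM\filesurfer-users` name form allow the user, while `REALM\staff` is denied; a value with a space, or a name winbind cannot resolve, raises instead of silently passing.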

----------

