[Samba] Not Obeying "require_membership_of" winbind.so when "User must change password at next logon"

steve steve at steve-ss.com
Sun Sep 1 01:56:45 MDT 2013

On Thu, 2013-08-22 at 11:49 +0000, Jason Caylor wrote:
> Okay, so I have an Active Directory server running on Windows Server 2012 Standard
> I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly.
> I am able to login with my Active Directory users credentials.
> When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.

Say the group with that SID is mygroup.
 getent group mygroup
return a gidNumber? If so, then:

Put only the users you want. Then common-account:
account required        pam_succeed_if.so user ingroup mygroup

man pam_succeed_if

BTW, I'd strongly advise changing to the ad backend.

More information about the samba mailing list