I'm taking the samba / winbind / PAM route to authenticate users on our linux servers from our Active Directory domain.

Everything works, but I want to limit what AD groups are allowed to authenticate. Winbind / PAM currently allows any enabled user account in the active directory, and pam_winbind.so doesn't seem to heed the require_membership_of=MYDOMAIN\\mygroup parameter. Doesn't matter if I set it in the /etc/pam.d/system-auth or /etc/security/pam_winbind.conf files.

How can I force winbind to honor the require_membership_of setting? Using CentOS 5.5 with up-to-date packages.

Update: turns out that PAM always allows root to pass through auth, by virtue of the fact that it's root. So as long as the account exists, root will pass auth. Any other account is subjected to the auth constraints.

Update 2: require_membership_of seems to be working, except for when the requesting user has the root uid. In that case, the login succeeds regardless of the require_membership_of setting. This is not an issue for any other account. How can I configure PAM to force the require_membership_of check even when the current user is root?

Current PAM config is below:

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_winbind.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow

password ..... (excluded for brevity)

session required pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so

require_memebership_of is currently set in the /etc/security/pam_winbind.conf file, and is working (except for the root case outlined above).