Problem With Using pam_listfile and Secondary Group-memberships in Active Directory
 

Right now, I'm trying to push a large enterprise (several tens of thousands of users) into using centralized authentication for their growing population of RHEL 5.x servers. This enterprise is primarily Windows based. I've got people interested in using the winbind authentication. However, given the size of the operation, we can't just have anyone authenticatable through AD allowed to log into a system.

For some systems, use of the pam_winbind.conf would be sufficient. However, there are some systems that are shared by people in different AD groupings. So, I've been looking to leverage pam_listfile for that task. It looks like a good start, but seems to be falling down when I try to have it make its allow/deny decisions based on anything other than a user's primary AD group.

Given the complexity of the organizational structure in this enterprise, secondary group functionality is critical. I'm trying to determine if there's something I'm missing in my config or if my pam_listfile version is missing something.

RPM info for my pam subsystem is: