samba - Apr 2007 - Winbind: limiting groups that can log-in

Hi,

I am currently trying to configure AD (Windows 2003) + Linux (CentOS
4.4) to allow user logins for certain users, namely, developers.

The winbind authentication part of it is working correctly, but every
user in AD can login to the servers via ssh.

I have tried to limit users by adding 

valid_users = @"domain+developers" (+ is the separator) 

on /etc/samba/smb.conf, but this does not seem to work for
authentication.

As a workaround, I can limit access to groups by adding 

account required pam_listfile.so file=/etc/samba/allowed_groups
item=group sense=allow onerr=fail

to pam.d/sshd (/etc/samba/allowed_groups contains "developers"), but
it
does not seem to get the group from AD, so no remote users can login.

Is there any way to map windows groups to unix groups without
installing SFU? I only want to map one group, so getting the data
directly from AD shouldn't be a problem.

Thanks

Gabriel

________________________________________________________________________
This e-mail and its attachments are confidential. If you are not the intended
recipient of this e-mail message, please telephone or e-mail us immediately,
delete this message from your system and do not read, copy, distribute, disclose
or otherwise use this e-mail message and any attachments.

Although RI3K believes this e-mail and any attachments to be free of any virus
or other defect which may affect your computer, it is the responsibility of the
recipient to ensure that it is virus free and RI3K does not accept any
responsibility for any loss or damage in any way from its use.

RI3K Limited is a company registered in England no: 3909745.  Registered office
10, Ely Place, London, EC1N 6RY.   VAT registration no: 769 0192 07

RI3K Asia Pte Ltd is a company registered in Singapore no. 200100326R.   
Registered address 50, Raffles Place, #24-05 Singapore Land Tower, Singapore
048623

For offline file support, I check "csc policy" parameter.
It has 4 parameters. but,I can not find how  each parameter work
(except disable).

I read source program. Each parameter has 0-3 value in param/loadparm.c .
And it use rpc_rpcserver/srv_srvsvc_nt.c (may be only).But I can't found
each parameter value means.

Does nyone know each parameter mean(work)?

--
--- Oota Toshiya ---  oota at mail.linux.bs1.fc.nec.co.jp
NEC Computers Software Operations Unit              Shiba,Minato,Tokyo
Open Source Software Platform Development Division  Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j admin,analog-jp/samba-jp postmaster)