samba - Jan 2008 - require_membership_of being ignored?

Hi, I'm setting up a Gentoo samba server for home directories on a 2003 ADS
network.

I've decided to use pam_mkhomedir.to have the fileserver automagically
create
their home when they first log in. But we don't want everyone to log in,
just
the members of the AD group filesurfer-users.

The problem: Regardless of what I put as a require_membership_of= in the samba
pam file, any domain user can log in and a home directory is created.

I've attached a copy of /etc/pam.d/samba and /etc/samba/smb.conf.

Any help would be greatly appreciated.

/etc/pam.d/samba:
----------------------------------------------------------------------
#%PAM-1.0

# Require membership of filesurfer-users group
account required        pam_winbind.so require_membership_of=(SID)

session required        pam_winbind.so require_membership_of=(SID)
session optional        pam_mkhomedir.so skel=/etc/mside-skel umask=0077
------------------------------------------------------------------------

Smb.conf:
[global]
workgroup = DOMAIN
netbios aliases = FILESURFER
server string = FileSurfer
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
realm = DOMAIN.SCHOOL.EDU
encrypt passwords = yes
server signing = auto
smb passwd file = /etc/samba/smbpasswd
admin users = @"DOMAIN+Domain Admins"
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password*
%n\n*passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
allow trusted domains = no
idmap backend = rid
idmap uid = 10000-1000000
idmap gid = 10000-1000000
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
local master = no
inherit permissions = yes
dos filemode = yes
       recycle:exclude = *.tmp *.temp *.o *.obj ~$*
       recycle:keeptree = True
       recycle:touch = True
       recycle:versions = True
       recycle:noversions = .doc|.xls|.ppt
       recycle:repository = /home/trash/%U
       recycle:maxsize = 10000000
vfs objects = recycle

[homes]
   comment = Home Directories
   create mask = 0700
   browseable = no
   writable = yes
   valid users = %U
   nt acl support = yes
------------------------------------------------------------

Thanks in advance,

Mike

I'm running into the same issue that Mike posted about.
 
I've got authentication working as well as the auto creation of home
directories. The problem is anybody that has a valid domain account can
come in regardless of group. 
 
I'm running SuSE
The require_membership_of parameter supposed to be in the auth section
right? 
 
The common-auth file I have is:
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    required        pam_winbind.so use_first_pass
require_membership_of=DOMAINNAME\groupname
 
I've tried with an account that is explicitly outside of the group and
that users account is allowed in.