"account sufficient pam_winbind.so" not working, auth line works fine

["D G Teed" <donald teed gmail com>]

Hello,

We've been running a cyrus server with pam authentication for some time
with no problems.  However, I've had to run it with:

account     required      pam_permit.so
auth        sufficient    pam_winbind.so try_first_pass

The above allows logins to work.

I'd prefer to run it with:

account     sufficient    pam_winbind.so
auth        sufficient    pam_winbind.so try_first_pass

However, this does not work.

I also have an option for ldap (non-AD) in my pam, and if I test
one of those accounts (commenting out winbind entries),
I can use the account line OK in that case:

account     sufficient    pam_ldap.so
auth        sufficient    pam_ldap.so try_first_pass

This works for ldap based accounts.

Why is winbind causing failure when account is being used with the module?

The reason I want to use the account line for each of ldap and winbind
is that we have a pam_groupdn I want to enforce, and that isn't going to happen
while we are using:

account     required      pam_permit.so

I need to switch it to:

account     sufficient   pam_ldap.so
account     sufficient    pam_winbind.so

once account and winbind can be figured out.

I'm having problems locating reference material/docs pertaining
to this problem.

--Donald