pam_winbind: Do not honour require_membership_of in the acct module parameters

This needs a password to work, and it confuses users for it to appear to be valid here.

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

2 files changed, 11 insertions, 2 deletions

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index 41921309f6..08a8637031 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -87,7 +87,14 @@
 		<parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
 		NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
 		user is a member of with <command>wbinfo --user-sids=SID</command>.
-		</para></listitem>
+		</para>
+
+		<para>
+		This option must only be specified on a auth
+		module declaration, as it only operates in conjunction
+		with password authentication.
+		</para>
+		</listitem>
 		</varlistentry>
 
 		<varlistentry>
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index b318a3b58d..bef942142a 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -72,7 +72,9 @@
 		<parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
 		NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
 		user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
-		</para></listitem>
+		</para>
+		<para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
+		</listitem>
 		</varlistentry>
 
 		<varlistentry>