I've been reading *a lot* lately on authenticating Unix/Linux users to
Active Directory. But I'm still a little unclear on a few things....

1st, if using winbind, and all I want to do is not have to manually
create users on the *nix box, do I need to configure LDAP in "client"
mode on the *nix box? Or does winbind take care of looking up the
user/password info without needing LDAP info?

2nd, is it possible to have *only* users in a specified AD group be
granted shell access, and therefore be authenticated? I.e., I don't want
*all* valid users in our domain to be granted access, I want to be able
to say that only users in AD group X can log in via the shell...

Finally, does using winbind require that the application/daemon
support, or be compiled to support PAM? Some of our machines are AIX,
and PAM support isn't standard until 5.2, and has only recently been
back-ported to 5.1... We have 5.1, but also 4.3.3.
Or is there a good source of information on AIX's LAM?

I've read, and re-read all the information I've been able to find on
winbind, and am still a bit unclear on these things.

Thanks for any info or pointers...

--
- Matt -