To enable single sign-on with an existing Windows network, I’ve been using winbind and Kerberos to log in users.

Unfortunately, winbind doesn’t have functionality to automatically add users to certain groups, e.g. audio, video, plugdev.

But I want to allow local users to access audio and USB drives on these machines.

I just found an easy way to do that:

  1. Add auth optional pam_group.so to your /etc/pam.d/gdm file
  2. Add *; :0 ;*;Al0000-2400;audio, video, plugdev to your /etc/security/group.conf file

This will give the first user logged in via the GDM login screen access to both USB sticks and audio playback. Using :* this should apply to all local users; a similar line with tty* should work for local ttys.

Note that this applies to any local user, not only to winbind users.
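To check which sessions a group.conf rule actually covers before relying on it, the following added example (not part of the original post, and not pam_group's own parser) evaluates the services;ttys;users fields of each rule against a given login. It assumes a simplified matcher: "*" wildcards, "|" and "&" lists, "!" negation, no line continuations, and the time field is not evaluated; the second sample rule, the function names, and the user "alice" are constructed for illustration.

```python
import fnmatch

# Constructed sample: the rule from the post plus a tty variant,
# in the /etc/security/group.conf layout services;ttys;users;times;groups.
SAMPLE_CONF = """\
# services;ttys;users;times;groups
*; :0 ;*;Al0000-2400;audio, video, plugdev
*; tty* ;*;Al0000-2400;audio
"""

def parse_rules(text):
    """Return a list of (services, ttys, users, times, groups) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 ';'-separated fields: {raw!r}")
        groups = fields[4].replace(",", " ").split()
        rules.append((*fields[:4], groups))
    return rules

def _matches(pattern, value):
    """Simplified logic list: '|' alternatives, '&' conjunction, '!' negation."""
    def term(tok):
        tok = tok.strip()
        negated = tok.startswith("!")
        hit = fnmatch.fnmatchcase(value, tok.lstrip("!").strip())
        return hit != negated
    return any(all(term(t) for t in alt.split("&")) for alt in pattern.split("|"))

def granted_groups(rules, service, tty, user):
    """Union of groups from every rule whose service, tty and user fields match."""
    out = []
    for services, ttys, users, _times, groups in rules:  # time field ignored
        if _matches(services, service) and _matches(ttys, tty) and _matches(users, user):
            out.extend(g for g in groups if g not in out)
    return out

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    # Constructed (service, tty) pairs for a hypothetical user "alice".
    for svc, tty in [("gdm", ":0"), ("gdm", ":1"), ("login", "tty1"), ("sshd", "ssh")]:
        print(svc, tty, "->", granted_groups(rules, svc, tty, "alice") or "no extra groups")
```

Because the users field is "*", every account that authenticates on a matching tty receives the groups, which is the behaviour the note above describes.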

Other groups you might want to add: cdrom, scanner, dip, netdev