I want to allow only one group member from my domain to log in to my Gentoo box. Having got the group ID (15020), with my understanding of PAM, I've done:

auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_winbind.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_succeed_if.so gid=15020
account    required     pam_winbind.so
account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel/ umask=0077
Domain authentication works fine, as before, but it doesn't stop domain users who are not in the group mapped to GID 15020 from logging in. I've done various permutations of these PAM rules but haven't hit the spot yet. Can anyone recommend anything?
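The account stack in the question lets everyone through for two independent reasons, and the fragment below is an added example (not the poster's configuration) that puts the weak stack beside a corrected one. The group name domain_admins_box and the UID cut-off of 1000 for local accounts are assumptions; substitute whatever name `getent group` resolves for GID 15020 on the box.

```conf
# Added example, not the original poster's configuration.
# "domain_admins_box" and the uid < 1000 cut-off are assumed values.

# --- Weak: the stack from the question ---
# "sufficient" returns success as soon as the test passes, but a FAILED test
# is ignored and evaluation falls through to the next modules, so a user who
# is not in the group still passes pam_winbind/pam_unix. On top of that,
# "gid" compares the user's PRIMARY group ID, which for winbind users is
# normally the mapped Domain Users GID, not a supplementary group.
account    sufficient   pam_succeed_if.so gid=15020
account    required     pam_winbind.so
account    required     pam_unix.so

# --- Corrected ---
# 1. Local accounts (uid below 1000, e.g. root) skip the group test:
#    success jumps over the next 1 module, failure is ignored and we continue.
# 2. Everyone else must be a member (primary or supplementary) of the group.
#    "required" records the failure, so the account phase fails even though
#    the remaining modules are still evaluated.
# Conditions are written as three tokens (field, operator, value), the form
# shown in pam_succeed_if(8).
account    [success=1 default=ignore]  pam_succeed_if.so quiet uid < 1000
account    required     pam_succeed_if.so quiet_fail user ingroup domain_admins_box
account    required     pam_winbind.so
account    required     pam_unix.so
```

Before relying on `ingroup`, confirm that the group and the user's membership resolve through NSS on the box (`getent group domain_admins_box` and `id` for a domain user should both list it); pam_succeed_if can only see what NSS returns, so if winbind does not expose the supplementary group the test fails for everyone. An alternative that keeps the restriction inside winbind itself is pam_winbind's `require_membership_of=` option, which takes a group name or SID and rejects users outside it during authentication.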