I recently ran into the same issue while setting up a client in an Active Directory realm. Granting local groups (typically the dialout group, which is needed to access the serial port) from a set of Active Directory groups is the most convenient way I found to give specific users such access (mapping the local groups in the AD is not possible, due to GID issues which may not be consistent across clients).
Is there any reason the /usr/share/pam-configs/group file is not part of the distribution? My understanding is that it does no harm (disabled by default), and would allow easier activation via pam-auth-update. Last thing to note: when using gdm you also have to enable pam_group in systemd-user (see #851243). Regards,