Using SUSE 11 sp3 for VMWARE -

Samba/winbind I have followed several examples about how to setup a SAMBA share using AD authentication but not allowing AD users the ability to log in by any means. I have setup the samba share with the ad users explicitly set in the samba.conf. Then I would go into /etc/pam.d/common-auth and add after "auth required pam_winbind.so use_first_pass" require_membership_of=[sid of domain admins] and this works except!!
At the top of the common-auth states: # This file is autogenerated by pam-config. All changes will be overwritten and they do.

So where would I set the require_membership_of= to restrict log in capabilities. Or is there a way to prevent pam-conf from overriding any changes, or is there a way to set them in pam-conf.

Thanks