Active Directory 2016 PAM feature time-bound group membership
Hi there,
I think it would be a good PAM improvement to leverage Active Directory's time-bound group membership mechanism. Here's an example: https://richardjgreen.net/active-directory-2016-time-based-group-membership/
The current PAM solution would lead to a Kerberos TGT potentially being valid longer than the actual PAM checkout time. With the time-bound group membership, the Kerberos TGT will actually only be valid for the time that you specify.
Cheers
Sebastian
Hello,
It sounds interesting. We will read about this and check what we can do.
Regards
David Hervieux
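
The time-bound membership mechanism the request refers to, shown as an added example that is not part of the thread and not the vendor's code. It uses the ActiveDirectory RSAT module; the function name, group name and user name are hypothetical, and it assumes a forest at the Windows Server 2016 functional level.

```powershell
# Added example: function name, group and user are hypothetical placeholders.
Import-Module ActiveDirectory

function Grant-TimeBoundMembership {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $User,
        [ValidateRange(1, 1440)] [int] $Minutes = 60
    )

    # TTL memberships need the PAM optional feature; once enabled it cannot be disabled.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $feature -or $feature.EnabledScopes.Count -eq 0) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    $userDn = (Get-ADUser -Identity $User).DistinguishedName

    # The directory removes the member link on its own when the TTL runs out,
    # so no cleanup job has to succeed for the checkout to end.
    Add-ADGroupMember -Identity $Group -Members $userDn `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)

    # Read the link back: with -ShowMemberTimeToLive each value is "<TTL=seconds>,<DN>".
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($value in $members) {
        if ($value -match '^<TTL=(\d+)>,(.+)$' -and $Matches[2] -eq $userDn) {
            return [pscustomobject]@{
                Group       = $Group
                User        = $userDn
                SecondsLeft = [int]$Matches[1]
                ExpiresAt   = (Get-Date).AddSeconds([int]$Matches[1])
            }
        }
    }
    throw "No time-bound link found for $userDn in $Group."
}

# Constructed sample values: a 30-minute checkout of a hypothetical admin group.
Grant-TimeBoundMembership -Group 'PAM-ServerAdmins' -User 'jdoe' -Minutes 30
```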