semodule

Daniel J Walsh dwalsh at redhat.com
Thu Jun 4 18:34:10 UTC 2009


On 05/31/2009 05:12 PM, Vadym Chepkov wrote:
>
>> also check /etc/pam.d/system-auth
>
> Unexpected, but yes, you were right: when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as a first and last session rule should be sufficient. What's wrong with my config then?
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    include      system-auth
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
>
> $ cat /etc/pam.d/system-auth
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so try_first_pass nullok
> auth        sufficient    pam_winbind.so
> auth        required      pam_deny.so
>
> account     sufficient    pam_unix.so
> account     required      pam_winbind.so
>
> password    required      pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     sufficient    pam_unix.so
> session     required      pam_winbind.so
>
>
> Sincerely yours,
>    Vadym Chepkov
>
No idea how winbind would change this.



