semodule

Vadym Chepkov chepkov at yahoo.com
Sun May 31 21:12:54 UTC 2009


> also check /etc/pam.d/system-auth

Unexpected, but yes, you were right, when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as a first and last session rule should be sufficient. what's wrong with my config then?

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke

$ cat /etc/pam.d/system-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_winbind.so
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     required      pam_winbind.so

password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_winbind.so


Sincerely yours,
  Vadym Chepkov




More information about the fedora-selinux-list mailing list