Hi

We have a client where only students in group year11 should be able to log in. I keep getting locked out with this:

account required pam_succeed_if.so user ingroup year11

getent group year11 lists members correctly.

I've tried this: http://serverfault.com/questions/483643/linux-pam-pam-succeed-if-so

But it fails. I think because we're using sssd and I don't know the correct order. The position in the stack seems to matter. Here is ours:

account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass

session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so

If I try to authenticate, I do not even get a password prompt:

2013-09-01T11:22:14.438159+02:00 hh16 su: pam_xauth(su:session): error creating temporary file `/home/users/lynn2/.xauthXPkISk': No such file or directory

This leads me to believe that it must come after the pam_sss.so line, since I can see that sssd has (correctly) identified me as it knows my home directory.

I have to remove the line I'm testing in a second root shell, whereupon I can log in normally:

2013-09-01T11:43:34.642148+02:00 hh16 su: pam_unix(su:auth): authentication failure; logname=lynn uid=1000 euid=0 tty=pts/2 ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.371140+02:00 hh16 su: pam_sss(su:auth): authentication success; logname=lynn uid=1000 euid=0 tty=pts/2 ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.373290+02:00 hh16 su: (to lynn2) lynn on /dev/pts/2
2013-09-01T11:43:35.431413+02:00 hh16 su: pam_unix(su:session): session opened for user lynn2 by lynn(uid=1000)

It's the same if I try logging in on another tty rather than su.

Is there a pam-config way of adding this?

Anyone?

Thanks
L x
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
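As an added example (not from the post above, and not an openSUSE-supplied configuration), here is one way to lay out the account section of the posted stack so that the year11 group check is evaluated for local and sssd users alike and cannot lock out administrative accounts. The three `pam_unix`/`pam_localuser`/`pam_sss` lines are the poster's; the two `pam_succeed_if` lines, the `[success=1 default=ignore]` skip, the `quiet` option and the assumption that every administrator (root included) has a UID below 1000 are mine.

```text
# /etc/pam.d/common-account  (added example, see lead-in)
#
# 1. Accounts with uid < 1000 (root, local admins) skip the next line.
#    "success=1" jumps over exactly one module when the condition holds;
#    "default=ignore" means a non-match contributes nothing to the result.
#    ASSUMPTION: all administrative accounts have uid < 1000.
account [success=1 default=ignore] pam_succeed_if.so quiet uid < 1000

# 2. Everyone else must be a member of year11.  "required" records the
#    failure but lets the stack run to the end, so a later "sufficient"
#    success cannot override it.  Add the "debug" option to pam_succeed_if
#    to see each decision in the log while testing.
account required                    pam_succeed_if.so user ingroup year11

# 3. The original stack, unchanged.  The group check sits before
#    "sufficient pam_localuser.so" on purpose: when a sufficient module
#    succeeds (and nothing required has failed before it), PAM stops
#    evaluating the rest of the account stack, so a pam_succeed_if placed
#    after that line would never be consulted for local users.
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
```

Test it the way the post describes, with a second root shell already open: `su - lynn2` for a user in year11 should succeed, `su -` to a user who is not in the group should be refused at the account phase, and `su -` to root should still work because of the skip line. The group must resolve through NSS for `ingroup` to match, which `getent group year11` already confirms here.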