> also check /etc/pam.d/system-auth Unexpected, but yes, you were right, when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as a first and last session rule should be sufficient. what's wrong with my config then? $ cat /etc/pam.d/sshd #%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke $ cat /etc/pam.d/system-auth #%PAM-1.0 auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth sufficient pam_winbind.so auth required pam_deny.so account sufficient pam_unix.so account required pam_winbind.so password required pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_unix.so session required pam_winbind.so Sincerely yours, Vadym Chepkov -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
