Hi,

>updated to the current rawhide 0.9.7 audit with a vanilla 2.6.12-rc6
>kernel. is there some kernel config switch to make it play nice?

The kernel switch we are using is CONFIG_AUDITSYSCALL. However, you should be able to login without it. It does depend on which version of audit-libs and pam that you are using. If you are using the current versions of each (rawhide), you shouldn't be having a problem.

The way this should be working is that login calls pam, which in turn notifies the audit system as pam performs certain actions. This is a call to audit_send_user_message in libaudit.c. This sends the message via sendto into the kernel. It checks for ECONNREFUSED which means the audit netlink subsystem is not compiled into the kernel. It also looks for EPERM & uid!=0, which is what you have when xscreensaver needs to let you back in. If either of those are found, it tells pam that it was successful and pam continues with login.

Some pam configurations have also been updated to call pam_loginuid.so. What this does is set a new process attribute, loginuid, that is inherited by all processes after login forks to start your shell. This way, if you su to root, we can see that you originally logged in under another account.

There was a bug spotted a week ago that pam_loginuid.so was not checking for ENOENT when it tried to open /proc/self/loginuid to set that process attribute. This could also prevent you from logging in, too. To check this, comment out pam_loginuid.so in /etc/pam.d/login,sshd,gdm. Or you can change it from required to optional.

Today should have audit-libs-0.9.8 in rawhide, which cleans up a couple more user space audit message functions that are not called by pam. If you could check to see if loginuid is causing the problem that would help. Any other debug info would help too.

Thanks,
-Steve Grubb
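The error handling described in the message above, as an added example that is not part of the original message and is not code from libaudit or pam_loginuid. The function names `audit_send_result` and `set_loginuid` are hypothetical, and treating EPERM with uid 0 as a failure is this example's reading of "EPERM & uid!=0".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not libaudit's code): map the outcome of the sendto()
 * on the audit netlink socket to what pam is told. 0 = carry on, -1 = fail. */
int audit_send_result(int rc, int err, uid_t uid)
{
    if (rc >= 0)
        return 0;                    /* message reached the kernel */
    if (err == ECONNREFUSED)
        return 0;                    /* audit netlink not compiled in */
    if (err == EPERM && uid != 0)
        return 0;                    /* unprivileged caller, e.g. xscreensaver */
    return -1;                       /* any other error is a real failure */
}

/* Hypothetical helper (not pam_loginuid's code): write uid to the loginuid
 * file at path. ENOENT means the kernel offers no loginuid attribute, so it
 * must not block the login. */
int set_loginuid(const char *path, uid_t uid)
{
    char buf[24];
    int fd, len;
    ssize_t n;

    fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    len = snprintf(buf, sizeof(buf), "%lu", (unsigned long)uid);
    n = write(fd, buf, (size_t)len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: uid 1000 and a path that does not exist. */
    printf("EPERM, uid 1000: %d\n", audit_send_result(-1, EPERM, 1000));
    printf("EPERM, uid 0:    %d\n", audit_send_result(-1, EPERM, 0));
    printf("missing file:    %d\n", set_loginuid("/proc/self/no-such-loginuid", 1000));
    return 0;
}
```

A module that returns failure on ENOENT here, while marked required in the pam stack, is the case that would block login on a kernel without loginuid support.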