Hello, We've been running a cyrus server with pam authentication for some time with no problems. However, I've had to run it with: account required pam_permit.so auth sufficient pam_winbind.so try_first_pass The above allows logins to work. I'd prefer to run it with: account sufficient pam_winbind.so auth sufficient pam_winbind.so try_first_pass However, this does not work. I also have an option for ldap (non-AD) in my pam, and if I test one of those accounts (commenting out winbind entries), I can use the account line OK in that case: account sufficient pam_ldap.so auth sufficient pam_ldap.so try_first_pass This works for ldap based accounts. Why is winbind causing failure when account is being used with the module? The reason I want to use the account line for each of ldap and winbind is that we have a pam_groupdn I want to enforce, and that isn't going to happen while we are using: account required pam_permit.so I need to switch it to: account sufficient pam_ldap.so account sufficient pam_winbind.so once account and winbind can be figured out. I'm having problems locating reference material/docs pertaining to this problem. --Donald _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
