I'm running Debian 9. I'm no PAM expert. What I want to do is restrict user logins to uids that are members of the "goodgroup" group. I forget where I got this solution originally, but this is what I have in my /etc/pam.d/common-account: ##### . . . # here are the per-package modules (the "Primary" block) account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) account required pam_krb5.so minimum_uid=1000 account sufficient pam_localuser.so # >>> This is where I'm trying to do it <<< account requisite pam_succeed_if.so user ingroup goodgroup account [default=bad success=ok user_unknown=ignore] pam_sss.so account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore auth info_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 # end of pam-auth-update config ##### Let's say I have a uid "baduid" that's not in the required group. What I'd like to happen is that trying "su baduid" as root should fail completely.. What actually happens is that the su is successful but baduid has no associated home directory. Here's what I see in the log file when I do "su baduid": May 3 16:08:03 myhost su[3014]: pam_succeed_if(su:account): requirement "user ingroup goodgroup" not met by user "baduid" May 3 16:08:03 myhost su[3014]: Successful su for baduid by root May 3 16:08:03 myhost su[3014]: + /dev/pts/0 root:baduid May 3 16:08:03 myhost su[3014]: pam_unix(su:session): session opened for user baduid by root(uid=0) May 3 16:08:03 myhost su[3014]: pam_systemd(su:session): Cannot create session: Already running in a session Any help in trying to achieve my goal would be greatly appreciated. Matthew Wyneken _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list