I am confused. I was under the impression that by "DEFAULT" root was not permitted to login to GDM/GNOME. And yet I am able to do so on a "vanilla" build. My /etc/pam.d/gdm: <SNIP> #%PAM-1.0 auth required pam_env.so auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth required pam_succeed_if.so user != root quiet auth substack system-auth auth optional pam_gnome_keyring.so account required pam_nologin.so account include system-auth password include system-auth session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session optional pam_gnome_keyring.so auto_start session include system-auth </SNIP> My /etc/pam.d/gdm-password: <SNIP> auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth include password-auth auth optional pam_gnome_keyring.so account required pam_nologin.so account include password-auth password substack password-auth password optional pam_gnome_keyring.so session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session optional pam_gnome_keyring.so auto_start session include password-auth </SNIP> Is there something overriding these settings? My /etc/pam.d/system-auth-ac: <SNIP> #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_tally2.so deny=3 onerr=fail unlock_time=600 auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_tally2.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password required pam_passwdqc.so enforce=users password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so </SNIP> My /etc/pam.d/password-auth-ac: <SNIP> #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=3 onerr=fail unlock_time=600 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account required pam_tally2.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password required pam_passwdqc.so enforce=users password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so </SNIP> I have looked all around and am not getting anything "solid" on Internet. SNAC guide provides little detail on configuring PAM. Red Hat and CENT OS even less. Thanks in advance for your time, Paul W. -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
