I've configured PAM on our new RHEL5 box and found that everything works as expected, except for the gnome-screensaver. I then configured /etc/pam.d/gnome-screensaver separately to find out why.
Here's the file:
# Fedora Core
#auth include system-auth
# auth stack spelled out instead of including system-auth, so that the
# pam_tally options can be changed for this one service
auth required pam_env.so
# onerr=succeed: if pam_tally cannot open or update its tally file it returns
# PAM_SUCCESS; with onerr=fail (the default) the error denies access
auth required pam_tally.so onerr=succeed
auth sufficient pam_unix.so nullok try_first_pass likeauth
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# account, password and session are still taken from system-auth
account include system-auth
password include system-auth
session include system-auth
# SUSE-style common-* includes, left disabled
#auth include common-auth
#account include common-account
#password include common-password
#session include common-session
I've found that if I use "onerr=fail", as it is in system-auth, it doesn't work; with onerr=succeed it works. So where does it fail?
/var/log/secure gives the answer:
gnome-screensaver-dialog: pam_tally(gnome-screensaver:account): Error opening /var/log/faillog for update
-rw------- 1 root root 3196800 Jun 28 16:42 /var/log/faillog
I don't see anything wrong here; the login programs must have the corresponding suid bit so that they can write to this file. At least SSH logins with a regular user work on the machine.
So does the login program of gnome-screensaver-dialog not have the suid bit? Or am I looking in the wrong place?
Any help is welcome.
I did another test which confirmed that it tries to write as my regular user:
chmod 777 /var/log
(login through screensaver)
-rw------- 1 myuser myuser 25632 Jun 29 08:52 /var/log/faillog
Doing the same but logging in as a regular user through ssh creates the file with root:root as the owner.
Setting the file's permissions to 666 doesn't help either, because it triggers another error message, namely "/var/log/faillog is either world writable or not a normal file".
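As an added illustration of the two failure modes quoted above (not part of the original post, and not pam_tally's own code), the script below models the checks pam_tally applies to its tally file before updating it, run as whatever uid the calling program has. A PAM client that is not setuid root, like the screensaver dialog in the post, runs these checks as the logged-in user. The function names faillog_error, tally_verdict and demo are my own; the onerr= semantics follow the documented option (onerr=succeed returns PAM_SUCCESS when the file cannot be used, the default onerr=fail returns an error), and the two messages mirror the ones in /var/log/secure. It uses only portable find(1), ls(1) and test(1), and works on a scratch copy rather than the real /var/log/faillog.

```shell
#!/bin/sh
# Added example, not from the original post: models what pam_tally does with
# its fail-log file so the "Error opening ... for update" and "world writable
# or not a normal file" outcomes can be reproduced on any file, as any uid.
# Assumption (mine): the caller's identity is this shell's effective uid, as
# for a PAM client that is not setuid root.

# faillog_error FILE
#   Prints the message pam_tally would log when it cannot use FILE, or
#   nothing when FILE is usable by the current uid. Always returns 0.
faillog_error() {
    file=$1
    if [ ! -e "$file" ]; then
        # a missing tally file is created, which needs a writable directory
        [ -w "$(dirname "$file")" ] ||
            echo "Error opening $file for update (cannot create as uid $(id -u))"
        return 0
    fi
    # refuse a non-regular file or one with the world-write bit (-perm -002)
    if [ ! -f "$file" ] || [ -n "$(find "$file" -prune -perm -002 -print)" ]; then
        echo "$file is either world writable or not a normal file"
        return 0
    fi
    # pam_tally opens the file read-write; as a non-root uid that fails on a
    # root-owned 0600 file, as it did for gnome-screensaver-dialog in the post
    if [ ! -w "$file" ]; then
        echo "Error opening $file for update (uid $(id -u); $(ls -ld "$file"))"
    fi
    return 0
}

# tally_verdict FILE ONERR
#   Prints "allow" or "deny". A usable file allows; an error is decided by
#   ONERR: "succeed" allows, anything else (the default "fail") denies.
tally_verdict() {
    err=$(faillog_error "$1")
    if [ -z "$err" ]; then
        echo allow
    elif [ "$2" = succeed ]; then
        echo "pam_tally: $err (onerr=succeed, ignored)" >&2
        echo allow
    else
        echo "pam_tally: $err (onerr=fail)" >&2
        echo deny
    fi
}

# Walk through the cases from the post on a constructed scratch file.
demo() {
    d=$(mktemp -d)
    : > "$d/faillog"
    chmod 600 "$d/faillog"
    echo "0600 owned by me, onerr=fail:  $(tally_verdict "$d/faillog" fail)"
    chmod 666 "$d/faillog"
    echo "0666, onerr=fail:              $(tally_verdict "$d/faillog" fail)"
    echo "0666, onerr=succeed:           $(tally_verdict "$d/faillog" succeed)"
    mkdir "$d/dir"
    echo "directory instead of a file:   $(tally_verdict "$d/dir" fail)"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh faillog-check.sh demo` as the user the screensaver runs as, or call `tally_verdict /var/log/faillog fail` directly to see what that uid gets on the real file (the script never modifies it). The point the walk-through makes is that loosening the file mode cannot help: 0666 is rejected outright, and only a root-owned 0600 file opened by a root-privileged helper, or onerr=succeed in the stack used by the non-setuid client, gets past the module.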