I have PAM configured to allow Novell logins using ncpfs and the pam_ncp_auth.so module. However, I recently discovered that, for local users (I have a local account for administration), I can enter any password, or no password at all, and it allows the login. Sudo still behaves normally, and /var/log/auth.log shows nothing other than gdm having trouble unlocking a keyring (because I'm not entering the correct password, no doubt). The only thing I added/changed to the PAM config is in common_auth, I changed pam_unix.so to sufficient (instead of required).

I know I haven't provided a huge amount of info about the system, but I went through the same procedure on a test system beforehand and never ran into these problems. Any ideas?

Ok, well, I feel like an idiot: I don't know why this didn't show up on my test machine, but the reason local passwords were ignored was that the "sufficient" control-flag will ignore failed modules. The reason I configured it this way was because I was under the impression that just changing common-auth would make it simpler for any other services to use Novell to authenticate.

So to fix it, I changed common-auth to "auth required pam_unix.so nullok secure", and added a custom sufficient line to the gdm service. After the pam_ncp_auth.so module, I then included an "auth required pam_deny.so".

So much for an elegant solution >_<