Hi
I have Fedora Core 4 installation which is joined to Windows 2003 domain using samba with net ads join. Logins for Windows domain users work perfectly, but they can't start X server for some reason. Typing startx just gives the following error:

$ startx


Fatal server error:
PAM authentication failed, cannot start X server.
Perhaps you do not have console ownership?


Please consult the The X.Org Foundation support
at
for help.

giving up.
xinit: Connection refused (errno 111): unable to connect to X server
xinit: No such process (errno 3): Server error.

Local users can start X normally and I can't seem to find any problems with the associated pam files.

xserver:
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
auth required pam_permit.so
account required pam_permit.so

login:
#%PAM-1.0
auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel/
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Any help would be appreciated.

Regards
Matti Savolainen

I assume you didn't add the usernames to the /etc/passwd file, so I think you should also add a line like this to the xserver file :
account sufficient /lib/security/$ISA/pam_winbind.so
or use the pam_stack module to load the system-auth config

Hope this helps...

Have to try that tomorrow when I'm back to work. Thanks in advance, I'll post a reply when I have tested this..

Adding line account sufficient /lib/security/$ISA/pam_winbind.so to xserver file didn't help. But I tried commenting out the auth required pam_console.so line from xserver file and now X server starts properly for domain users. I'm just wondering if this will compromise system security..

New xserver file:
#%PAM-1.0
auth sufficient pam_rootok.so
#auth required pam_console.so
auth required pam_permit.so
account required pam_permit.so