have you seen https://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog ? Once you’ve configured syslog to also show debug-level messages, creating /etc/pam_debug (i.e. via “touch /etc/pam_debug”) will turn on debug for all pam modules at once. Of course, there’s a debug option for most (if not all) modules all by itself, so you could try to debug only those modules suspicious of adding to the problems you’re after…
I’ve not tested /etc/pam_debug myself, though, so YMMV.
I saw this possible solution but it does not work. It seems to be an old solution which has been deprecated. The log was not talkative at all.
My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature.
[QUOTE=bfay;54240]
My actual problem is pam_tally2 not resetting the failure counter after a successful login. On a plain installation of SLES12 it is working but not on systems modified by my client. The man page of pam_tally2 does not mention a debug option but I am going to give it a try in case it is an undocumented feature. [/QUOTE]
I just checked a SLES12SP2 server, using pam 1.1.8, comparing to a newer version of pam (1.3.0) on a Leap installation: It seems that the 1.1.8 version does indeed not have the debug option.
Based on your description, you might want to focus on the configuration for the “account” phase. The following two quotes are from the pam_tally2 man page:
have you considered to open a service request? SUSE support might spot the problem directly, and/or engineering might be able to provide some means to debug the PAM function calls.