system-login auth part order is:

    auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
    auth required pam_shells.so
    auth required pam_nologin.so
    auth include system-auth

This works fine only with local accounts. If the auth is done in system-auth, e.g.:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth optional pam_afs_session.so always_aklog debug program=/usr/bin/aklog
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

then all the non-local logins fail, since pam_unix does not succeed. To me it looks like the pam_faillock authfail should be moved after system-auth, e.g.:

    auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
    auth sufficient pam_unix.so nullok try_first_pass
    auth required pam_shells.so
    auth required pam_nologin.so
    auth include system-auth
    auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600

I have checked that it works OK with the changed order.
https://gitweb.gentoo.org/proj/pambase.git/commit/?id=75cd44e94032b13bba41539737d6ac63623217e1
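To make the ordering problem visible, here is an added Python model (not libpam and not part of Gentoo's pambase) that walks both orderings of the stacks quoted in the report with the control semantics of pam.conf(5); the per-login module return values are constructed, and the two pam_faillock lines are given the model-only names pam_faillock_preauth and pam_faillock_authfail.

```python
# Added model (not libpam or Gentoo pambase) of how libpam walks the auth stacks
# in the report, using pam.conf(5) control semantics; 'substack' is not modelled.
KEYWORDS = {  # keyword controls in their explicit [value=action ...] form
    "required": "success=ok ignore=ignore default=bad",
    "requisite": "success=ok ignore=ignore default=die",
    "sufficient": "success=done default=ignore",
    "optional": "success=ok default=ignore",
}

def control_table(control):  # control field -> {return_value: action}
    spec = KEYWORDS.get(control, control.strip("[]"))
    return dict(item.split("=") for item in spec.split())

def evaluate(stack, stacks, results):
    """Walk (control, module) lines; `stacks` resolves 'include', `results` gives module return values."""
    lines = []  # 'include' splices in place, so a 'done' inside it ends the whole stack
    for control, module in stack:
        lines.extend(stacks[module] if control == "include" else [(control, module)])
    state, i = "success", 0
    while i < len(lines):
        control, module = lines[i]
        table = control_table(control)
        action = table.get(results.get(module, "success"), table["default"])  # unlisted modules succeed
        i += 1
        if action == "bad":     # required failed: remember it, keep walking
            state = "fail"
        elif action == "die":   # [default=die] or requisite: stop with failure now
            return "fail"
        elif action == "done" and state == "success":
            return "success"    # sufficient module succeeded with no earlier failure
        elif action.isdigit():  # [default=N]: jump over the next N lines
            i += int(action)
    return state

SYSTEM_AUTH = [("required", "pam_env"), ("required", "pam_faildelay"),
               ("[default=1 ignore=ignore success=ok]", "pam_succeed_if"),
               ("[default=1 ignore=ignore success=ok]", "pam_localuser"),
               ("sufficient", "pam_unix"), ("requisite", "pam_succeed_if"),
               ("optional", "pam_afs_session"), ("sufficient", "pam_sss"), ("required", "pam_deny")]
AUTHFAIL = ("[default=die]", "pam_faillock_authfail")
HEAD = [("required", "pam_faillock_preauth"), ("sufficient", "pam_unix")]
TAIL = [("required", "pam_shells"), ("required", "pam_nologin"), ("include", "system-auth")]
ORIGINAL = HEAD + [AUTHFAIL] + TAIL   # authfail before the include, as shipped
REORDERED = HEAD + TAIL + [AUTHFAIL]  # authfail after the include, as proposed
LOGINS = {  # constructed module return values; pam_deny always fails
    "local-ok": {"pam_deny": "fail", "pam_sss": "user_unknown"},
    "sss-ok": {"pam_deny": "fail", "pam_unix": "user_unknown", "pam_localuser": "fail"},
    "local-wrong-pw": {"pam_deny": "fail", "pam_unix": "auth_err", "pam_sss": "user_unknown"},
}

def outcomes(stack):  # overall auth result of `stack` for each constructed login
    return {who: evaluate(stack, {"system-auth": SYSTEM_AUTH}, rv) for who, rv in LOGINS.items()}
```

With the shipped order the sssd user hits `[default=die]` before `include system-auth` is ever reached; with the proposed order pam_sss succeeds first and a wrong local password still ends in the faillock line.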