To trigger, you need to have some additional modules installed and enabled.
Authentification fails completly if you us some additional modules in an auth clause. But the error can be seen with session, too: $ dpkg -l libpam* | grep ^i ii libpam-cgfs 2.0.5-0ubuntu1~ubuntu16.04.1 amd64 PAM module for managing cgroups for LXC ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2 amd64 PAM module to unlock the GNOME keyring upon login ii libpam-modules:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM ii libpam-modules-bin 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM - helper binaries ii libpam-runtime 1.1.8-3.2ubuntu2 all Runtime support for the PAM library ii libpam-systemd:amd64 229-4ubuntu16 amd64 system and service manager - PAM module ii libpam0g:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules library >From the log (as an example): Feb 6 09:20:20 intern auth: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory Feb 6 09:20:20 intern auth: PAM adding faulty module: pam_cgfs.so Feb 6 09:20:20 intern auth: pam_unix(dovecot:auth): check pass; user unknown Feb 6 09:20:20 intern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxx rhost=192.168.0.172 $ find /lib -name *pam_cgfs.so /lib/x86_64-linux-gnu/security/pam_cgfs.so Attached: common-session using cgfs.so
# # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # The pam_umask module will set the umask according to the system default in # /etc/login.defs and user settings, solving the problem of different # umask settings with different shells, display managers, remote sessions etc. # See "man pam_umask". session optional pam_umask.so # and here are more per-package modules (the "Additional" block) session required pam_unix.so session optional pam_systemd.so session optional pam_cgfs.so -c freezer,memory,name=systemd # end of pam-auth-update config
