After sucessfully configuring Kerberos, this is what I've found in /etc/pam.d/common-auth
file:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Does the success=2
control value mean that if the pam_unix.so
fails, the authentication skips to the auth requisite pam_deny.so
line or to the last line?