Regression in pam_listfile module in RHEL5.9, users cannot login
Issue
- This was on a RHEL 5.9 system that authenticates via Active Directory. The system uses the latest pam, pam-0.99.6.2.12, and now users cannot ssh into the system. Prior to the update, the system had pam-0.99.6.2-6.el5_5.2.
- The problem does not seem to involve the number of users in the group, as a test was done with only 2 users.
- To reproduce:
1) Configure the system with AD or LDAP and enable pam_listfile in /etc/pam.d/sshd to control login
2) Attempt to log in to the server
3) From /var/log/secure:
Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd
Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration
- Representative /etc/pam.d/sshd file:
#%PAM-1.0
auth include system-auth
account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allow
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
- Representative groups.allow file:
[xyz@host1 pam.d]$ cat ../security/groups.allow
users
Environment
- Red Hat Enterprise Linux 5.9
- pam-0.99.6.2.12
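A triage sketch for the refusals described in the Issue section, added here as an example and not taken from the Red Hat article: it pulls pam_listfile refusals out of a secure log and checks whether the refused user's groups appear in the allow file. The function names, the result labels and the group membership given for abc are assumptions; the log line and groups.allow content are the constructed sample from above.

```shell
#!/bin/sh
# Added triage example; not part of the Red Hat article.

# Print "user service" for every pam_listfile refusal in a secure log ($1).
listfile_refusals() {
    sed -n 's/.*pam_listfile(\([^:)]*\):[^)]*): Refused user \([^ ]*\) for service .*/\2 \1/p' "$1"
}

# Succeed if any group in the space-separated list $2 is a whole line of allow file $1.
# Limitation: group names that contain spaces need a different separator.
groups_allowed() {
    for g in $2; do
        if grep -qxF -- "$g" "$1"; then return 0; fi
    done
    return 1
}

# Classify a refusal of user $1 against allow file $2.
# $3 (optional) overrides the group list that NSS returns through `id -Gn`.
classify_refusal() {
    grps=${3-$(id -Gn "$1" 2>/dev/null || true)}
    if [ -z "$grps" ]; then
        echo "unresolved"            # NSS (AD/LDAP) returned no groups for the user
    elif groups_allowed "$2" "$grps"; then
        echo "unexpected-refusal"    # user is in a listed group yet was refused
    else
        echo "expected-refusal"      # user is not in any listed group
    fi
}

# Constructed sample data: the log lines and groups.allow content shown above.
make_sample() {
    printf '%s\n' \
      'Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd' \
      'Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration' \
      > "$1/secure"
    printf 'users\n' > "$1/groups.allow"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
listfile_refusals "$demo_dir/secure" | while read -r user svc; do
    # Assumed membership for the constructed user "abc".
    echo "$user ($svc): $(classify_refusal "$user" "$demo_dir/groups.allow" "abc users")"
done
rm -rf "$demo_dir"
```

On a live host, call classify_refusal without the third argument so the group list comes from NSS, and point the functions at /var/log/secure and /etc/security/groups.allow.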
