Description of problem: There are hard-coded uid constants in /etc.login.defs and /etc/pam.d/system-auth-ac which should not be allowed to get out of sync. Version-Release number of selected component (if applicable): authconfig-6.1.13-1 How reproducible: Always 1. UID_MIN 500 2. auth requisite pam_succeed_if.so uid >= 500 quiet Expected results: 1. UID_MIN 500 2. auth requisite pam_succeed_if.so uid >= $UID_MIN quiet Additional info: It is all very nice having an authconfig to try and tie everything together but it would be better, and more robust, for individual config files that actually depend on each other to properly share whatever they have in common. You cannot have it both ways - want to retain simple flat config files yet have a higher-level configuration utility - if the simple config files are inherently broken in their implementation. If the simple config files are going to be inherently broken then you might as well totally remove accessible simple config files and only have the authconfig configuration utility. If these two config files get out of sync - which is quite easy - then useradd etc are going to create users whose uid's don't properly match what pam is configured for. Very bad. Very sloppy. Instead, both /etc/login.defs and /etc/pam.d/system-auth-ac need to somehow share the same value (eg 500). They might source or include a common file. Or somehow /etc/security/pam_env.conf can contain the definition and /etc/login.defs can share that definition. Hard-coded constants in independent config files is about the worst possible sin that can possibly be committed. Very bad. Very sloppy.