I followed the instructions for enabling login, ssh, gdm login for eDirectory users. I created a Group for these designated administrators and enabled that group.

The server on which I am testing this recognizes these users and allows them to log in. However, when the user runs sudo commands in the bash shell, authentication fails like this:

tkindig : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tokind ; USER=root ; COMMAND=rcnamcd

Users may also login to GDM, but when they attempt to unlock the screen after idle timeout, the failure looks like this:

unix2_chkpwd[19831]: pam_authenticate(gnome-screensaver, root): Authentication failure

sudoers is pretty much default (SLES 10 SP2/OES 2 SP1) but I modified the following:

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%AdminGroup ALL=(ALL)ALL

I commented out the Defaults targetpw and ALL ALL=(ALL) ALL, and added the %AdminGroup declaration.

AdminGroup is the eDirectory group enabled in LUM for login to the server.

I am pretty sure my issue is in the pam-nam area, but I have not found any concrete instructions that apply to my installation. There are some on SLES 9/OES 1 and earlier versions, but these refer to files that I do not have.

admin:/etc/pam.d # ls
atd             common-auth               cups               gnomesu-pam   other      samba   sudo      xdm
chage           common-password           gdm                httpstkd      passwd     shadow  sudo_old  xlock
chfn            common-session            gdm-autologin      httpstkd.old  ppp        smtp    tsafs     xscreensaver
chsh            common-session.YaST2save  gnome-passwd       login         pure-ftpd  sshd    useradd
common-account  crond                     gnome-screensaver  openwbem      rpasswd    su      vlock
admin:/etc/pam.d # cat sudo
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
admin:/etc/pam.d # cat sshd
auth    required        pam_env.so
auth     required       pam_nologin.so
auth    sufficient      pam_nam.so      use_first_pass
auth    required        pam_unix2.so
account  include        common-account
account sufficient      pam_nam.so
password include        common-password
password        sufficient      pam_nam.so
session  include        common-session
session optional        pam_nam.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname
admin:/etc/pam.d # cat gnome-screensaver

# Fedora Core
#auth       include     system-auth
#account    include     system-auth
#password   include     system-auth
#session    include     system-auth

# SuSE/Novell
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session

Refs: Setting Up Linux Computers to Use eDirectory Authentication.
Using sudo with LUM-enabled eDirectory Users
eDirectory/PAM Authentication to Linux Services
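
A diagnostic sketch for the configuration shown in this post, added here as an example and not part of the original post: it parses the posted /etc/pam.d files, follows `include` lines, and reports whether each service's auth stack names pam_nam.so. The function names are hypothetical, and common-auth is left out because its contents are not shown in the post.

```python
import re

# The auth lines of three /etc/pam.d files, copied from the post.
# common-auth is not shown in the post, so it is deliberately absent.
PAM_D = {
    "sudo": "auth     include        common-auth\n",
    "sshd": (
        "auth    required        pam_env.so\n"
        "auth     required       pam_nologin.so\n"
        "auth    sufficient      pam_nam.so      use_first_pass\n"
        "auth    required        pam_unix2.so\n"
    ),
    "gnome-screensaver": "# SuSE/Novell\nauth       include      common-auth\n",
}

# type, control (plain word or [bracketed] form), module or included file
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(name, files, seen=()):
    """Return (modules, unresolved_files) for the auth stack, following includes."""
    if name not in files or name in seen:   # file not available, or include loop
        return [], [name]
    modules, unresolved = [], []
    for raw in files[name].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        if m.group(2) == "include":
            sub_m, sub_u = auth_stack(m.group(3), files, seen + (name,))
            modules += sub_m
            unresolved += sub_u
        else:
            modules.append(m.group(3))
    return modules, unresolved

def report(files, services, module="pam_nam.so"):
    """Classify each service: present, missing, or undecidable without a file."""
    result = {}
    for svc in services:
        modules, unresolved = auth_stack(svc, files)
        if module in modules:
            result[svc] = "present"
        elif unresolved:
            result[svc] = "depends on " + ", ".join(unresolved)
        else:
            result[svc] = "missing"
    return result

if __name__ == "__main__":
    for svc, status in report(PAM_D, ["sshd", "sudo", "gnome-screensaver"]).items():
        print(f"{svc:18} {status}")
```

On the server itself, fill the dictionary from the real files in /etc/pam.d so that common-auth resolves and the sudo and gnome-screensaver stacks can be classified.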