"success=n" control syntax in pam.conf / pam.d/* files

Solution 1:

From my understanding, success=$num will specify how many rules to skip when successful. So if either pam_unix.so or pam_winbind.so succeed, PAM will skip to the final line. Of course, the final line permits access in all cases.

Solution 2:

pam.d(5) - Linux man page

For the more complicated syntax valid control values have the following form:
[value1=action1 value2=action2 ...]
The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack'

What the common-auth says:

  1. If local UNIX authentication returns success, jump two modules over to 4th module (module 1 + 2 modules to jump -> module 4). Otherwise ignore the result of the local auth and move to the next module.
  2. If winbind (replaced with sssd these days) with kerberos authentication returns success, jump one module over to module 4. Otherwise ignore the result of the local auth and move to the next module.
  3. Deny the authentication request. The result is finalized as DENIED and PAM stops there (the action defined for requisite control).
  4. Permit all. The result is finalized as PERMITTED, but PAM moves on to the next module (the action defined for required control). However, there is no module left to execute, so it ends there.
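The walk-through above as an added simulator (this is not code from either answer nor from Linux-PAM itself): it parses a constructed stand-in for the common-auth stack and applies the pam.d(5) actions, so you can see which modules actually run for each outcome and what happens when a success=N count is not updated after a line is inserted. Module return codes are constructed, and the keyword expansions are simplified (the new_authtok_reqd and ignore cases from the man page are omitted).

```python
import re
# Keyword controls as pam.d(5) expands them (new_authtok_reqd/ignore cases omitted).
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

# Constructed stand-in for the Debian common-auth layout walked through above.
COMMON_AUTH = """
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_winbind.so krb5_auth
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""

def parse_control(text):
    """'required' etc. or '[value=action ...]' -> {value: action}; an int means jump N."""
    if text in KEYWORDS:
        return dict(KEYWORDS[text])
    return {k: int(v) if v.isdigit() else v for k, v in re.findall(r"(\w+)=(\w+)", text)}

def parse_stack(text):
    """Return [(control, module), ...] for the auth lines of a config."""
    hits = (re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line) for line in text.splitlines())
    return [(parse_control(m.group(1)), m.group(2)) for m in hits if m]

def run_auth_stack(stack, results):
    """Walk the stack as libpam does; return (final result, modules actually consulted)."""
    status, idx, trace = None, 0, []          # status stays None until a module binds it
    while idx < len(stack):
        control, module = stack[idx]
        rc = results.get(module, "auth_err")  # constructed per-module return codes
        action = control.get(rc, control.get("default", "bad"))
        trace.append(module)
        skip = action if isinstance(action, int) else 0   # success=N acts as 'ok' + jump N
        action = "ok" if skip else action
        if action in ("ok", "done") and status != "fail":  # an earlier failure is sticky
            status = "success" if rc == "success" else "fail"
            if action == "done" and status == "success":
                break                          # sufficient: return to the application now
        elif action in ("bad", "die"):
            status = "fail"
        if action == "die":
            break                              # requisite: stop the stack immediately
        idx += 1 + skip                        # jumped-over modules never run at all
    return ("success" if status == "success" else "fail"), trace

def authenticate(results, config=COMMON_AUTH):
    """pam_deny always fails and pam_permit always succeeds; 'results' supplies the rest."""
    return run_auth_stack(parse_stack(config), {"pam_deny.so": "auth_err", "pam_permit.so": "success", **results})
```

Passing a modified config to `authenticate` shows the usual editing mistake: add a third auth module without bumping pam_unix from success=2 to success=3 and a successful local login lands on pam_deny.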

Tags:

Linux

Pam