su failing, same password works fine at console

Mistoffeles · 03-02-2009, 04:18 PM

Never had this happen before, I have a new server (RHEL 5.3) that I can log into at the console keyboard but I can't su from my account using the exact same password.

I have gone through the /etc/pam.d/su file, /etc/ssh/sshd_config and just about every other thing that I can think of, comparing it to my other servers, and nothing seems to be any different.

Anyone able to point me in the right direction towards solving this?

FragInHell · 03-02-2009, 05:16 PM

Try resseting the password as root, or even editing shadow and removing the password, then can u login?

Mistoffeles · 03-02-2009, 05:42 PM

I've done that, and then just to see I tried something else, I logged in using my account at the console and I could not su to root.

So, nothing wrong with ssh/sshd, it's just su. Going to research this, but if anyone has any ideas please post as I generally take forever to find what I need just by book/Google research.

FragInHell · 03-02-2009, 07:03 PM

can u post your pam su and pam login configuration files, are you using directory server/ldap?

Mistoffeles · 03-02-2009, 07:36 PM

As far as I know, I am using local shadow password authentication. I set up the wheel group to allow only certain users to be able to use su.

The only thing I changed in /etc/pam.d/su was to uncomment the line:

auth required pam.wheel.so use_uid

This gives me this result:

su: incorrect password

I then recommented the other line and uncommented this:

auth sufficient pam_wheel.so trust use_uid

Which gave me this result:

su: cannot set groups: operation not permitted

So I changed back to the first one.

Here are the pam files:

[root@beastie ~]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

[root@beastie ~]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke

SELinux is disabled.

Mistoffeles · 03-02-2009, 07:55 PM

Note: According to env, kerberos is in my path. I don't know if that means I am actually using it to authenticate.

The more I learn about Linux, the more I realise how little I know.