Let's start with the setup:
box1: Red Hat 5.2
box2: Windows 2003 SP2 (NOT Windows 2003 R2)

root: local linux account
testuser: Windows AD Account
testuser2: Windows AD Account

I have setup authentication using ldap/kerberos so that I can authenticate users against my Windows Domain Server.

I can ssh and login to the box by either testuser, testuser2 or root.
If I login to root first I can su - testuser and that works too.

If I ssh to the box and login as testuser and then try to "su - " I get the following error:
su: pam_krb5[19014]: authentication fails for 'root' (root@DOMAIN.COM): User not known to the underlying authentication module (Client not found in Kerberos database)

If I try to su to another AD account (ex. testuser2), I get a password failed (su: incorrect password). I do not see any errors in the secure log file. In the messages log file I see the following:
Apr 2 17:25:09 hugorhel5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 2 17:25:09 hugorhel5 last message repeated 3 times
Apr 2 17:25:09 hugorhel5 su: pam_krb5[19538]: authentication succeeds for 'testuser2' (testuser2@DOMAIN.COM)

in /var/log/audit/audit.log I see the following error too:
type=USER_AUTH msg=audit(1238714712.015:296): user pid=19538 uid=10000 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testuser2" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 res=failed)'

I have not touched my PAM configuration. I used the GUI to enable ldap and kerberos authentication and thus my nsswitch.conf file looks like:
passwd: files ldap
shadow: files ldap
group: files ldap

So at the end of the day I can only login directly as a user but I cannot su to any other user if I am a user in AD. Any suggestions or ideas?

Hmm, so essentially you aren't able to authenticate to local accounts via su? have you possibly tried a noddy local account as another combination of factors? I think that this has to be PAM related, and initially I'd think it shoudl be something in the /etc/pam.d/su file, as it also seems su specific so far, and su appears to be directly hitting krb5, bypassing pam_unix. Having said that though I can't see why that should be able to be incorrect, as it should be going via system-auth for generic authentication. what does the pam su file say?

If you think PAM is hitting the krb authentication module and not hitting the pam_unix, why is it possible to su from a local account to a local account? Also, why is it NOT possible to su from an AD account to an AD account?

Thanks

well pam uses a central system-auth file in conjunction with specific configuration for each service via an include or the stack module. so the config is partially common, partially specific. so what does /etc/pam.d/su say?

If I login as a local user, I can su to any other local account fine and su to an ldap user (and then the fun stops). Once I get into a ldap user I can't su anymore.

My system-auth file looks like this:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so



My su file looks like this:
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so


Any ideas? It seems like it should use system-auth.

I figured it out, it was the PAM su module that was modified without me knowing. Thanks for your help and guidance.

I presume it was the wheel line? Sorry, I didn't get a chance to think about this today.