Bug 448016

Summary: su does not work in 5.2
Product: Red Hat Enterprise Linux 5
Reporter: Stephen John Smoogen <smooge>
Component: nss_ldap
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Version: 5.2
CC: gjohnsit, jdreese, jplans, ovasik, thras, tmraz
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-30 15:18:20 UTC

Description Stephen John Smoogen 2008-05-22 21:55:47 UTC
Description of problem:

1) Users cannot su to root in 5.2 (could do so in RHL 5.1 and beta).
2) Root can su to other users.

The su process will accept a password, pause and then fail with 'incorrect user'.

I have checked /etc/pam.d/su and that is not the problem:

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

The only thing I can come up with currently is that it might have something to
do with ldap users.

Comment 1 Stephen John Smoogen 2008-05-22 22:16:37 UTC
Moving to nss_ldap as emails from others affected see the problem fixed with
changing that component.

Comment 2 Garrett 2008-05-28 18:23:29 UTC
I'm also having a similar problem, and have an ldap system too. I don't get the
error, but it simply won't allow me to be root. Modifying the /etc/pam.d/su file
to this didn't help.

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            sufficient      pam_ldap.so
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         sufficient      pam_ldap.so
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         sufficient      pam_ldap.so
session         optional        pam_xauth.so


Comment 3 Joel Eidsath 2008-05-29 21:42:11 UTC
This is an nss_ldap issue. su failed on our RHEL 5 systems, as well as pipes and
backticking in bash.

Running system-config-authentication, enabling user caching (and chkconfiging
nscd on if necessary) fixed the problem for us.

Comment 4 Nalin Dahyabhai 2010-06-30 15:18:20 UTC
This looks like a duplicate of bug #448014, which was fixed in nss_ldap-253-13.el5_2.1.  Please reopen this report if this update did not resolve the problem.  Thanks!

*** This bug has been marked as a duplicate of bug 448014 ***