Bug 170338 - su - user account pam stack fails
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
i686 Linux
medium Severity medium
Assigned To: Tomas Mraz
Jay Turner
Reported: 2005-10-10 15:46 EDT by Benn Oshrin
Modified: 2015-01-07 19:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-10-12 15:35:17 EDT

Attachments
Original /etc/pam.d/su (970 bytes, text/plain) - 2005-10-11 10:35 EDT, Benn Oshrin
Modified /etc/pam.d/su (1.00 KB, text/plain) - 2005-10-11 10:35 EDT, Benn Oshrin
/etc/pam.d/system-auth (1.14 KB, text/plain) - 2005-10-11 10:36 EDT, Benn Oshrin
Original /etc/pam.d/su (972 bytes, text/plain) - 2005-10-12 15:30 EDT, Benn Oshrin

Description Benn Oshrin 2005-10-10 15:46:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
su - user from root fails for some (but not all) values of user.  We have been unable to correlate the characteristics of the users (UID, home directory, etc) to predict success or failure, none of whom have valid shells on the box in question.  (User info is retrieved via LDAP and authenticated against Kerberos, although in this example no authentication should occur.)

This can be corrected by applying the following patch to /etc/pam.d/su:

< account    sufficient   /lib/security/$ISA/pam_permit.so
> account    sufficient   pam_krb5.so
> account    required     pam_unix.so
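Review bot: after this change the account stack of su consists of a single `account sufficient pam_permit.so`, so su performs no account validity checks at all (expiry, locked accounts) for any user, not just the failing ones; the `pam_unix.so` line should stay, and, as comment 8 below points out, take the `broken_shadow` option for Kerberos-authenticated accounts that carry an 'x' in /etc/passwd without a shadow entry. The `<`/`>` direction is also reversed relative to `diff old new` (the `<` line is the replacement), so stating which file is the original would avoid ambiguity.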

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. su --shell=/bin/sh username -c uptime
(Reproducible always for any user which fails.)  

Actual Results:  su: incorrect password

Expected Results:   14:26:09 up 41 days,  5:24,  3 users,  load average: 0.00, 0.00, 0.00

Additional info:

This might be related to or a dupe of 

Note however that we must disable both pam_krb5 and pam_unix.
Comment 1 Tomas Mraz 2005-10-11 03:05:47 EDT
Could you please attach your /etc/pam.d/su and /etc/pam.d/system-auth?

Also are there any log messages in /var/log/messages or secure when the su -
xxxx command fails?
Comment 2 Benn Oshrin 2005-10-11 10:35:21 EDT
Created attachment 119802 [details]
Original /etc/pam.d/su
Comment 3 Benn Oshrin 2005-10-11 10:35:54 EDT
Created attachment 119803 [details]
Modified /etc/pam.d/su
Comment 4 Benn Oshrin 2005-10-11 10:36:32 EDT
Created attachment 119804 [details]
Comment 5 Benn Oshrin 2005-10-11 10:42:37 EDT
The only entries were of the form

Oct 10 14:26:09 soyvlaki su(pam_unix)[28071]: session opened for user xxxx by benno(uid=0)
Oct 10 14:26:09 soyvlaki su(pam_unix)[28071]: session closed for user xxxx

(even with 'debug' flags set for the pams in the stack).
Comment 6 Benn Oshrin 2005-10-12 15:30:07 EDT
Created attachment 119849 [details]
Original /etc/pam.d/su

Attachment 119802 [details] was the wrong file.
Comment 7 Benn Oshrin 2005-10-12 15:35:17 EDT
I think this bug may be invalid, based on local configuration changes I've discovered.  I'll reopen it if I'm 
Comment 8 Tomas Mraz 2005-10-12 16:00:59 EDT
It's partly invalid (removing the pam_unix is never the right thing, instead the
broken_shadow option should be used when the accounts authenticated against
kerberos have wrong 'x' entry in /etc/passwd - *K* should be there) and partly a
duplicate of bug 164794 which is a real bug (this is when removing pam_krb5 from
account helps).
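Added here as an illustration (not code from the bug report or from Red Hat), a small audit of the two configurations compared in the description and in comment 8: a /etc/pam.d/su whose account stack is a lone `sufficient pam_permit`, versus one that keeps `pam_unix` and adds `broken_shadow`. The function `audit_pam_account`, `write_samples` and the sample files are constructed for this example and assume the RHEL 4 `/lib/security/$ISA/` layout.

```shell
#!/bin/sh
# Added example (not from the bug report or Red Hat): audit the "account" stack
# of a PAM service file. A "sufficient pam_permit" entry with no required module
# before it short-circuits the stack, so su skips every account check; the fix
# discussed in the thread keeps pam_unix and adds broken_shadow for LDAP/Kerberos
# users that have 'x' in /etc/passwd but no shadow entry.

# audit_pam_account FILE -> exit 0 ok, 1 account checks bypassed, 2 no account stack.
# Handles the classic control words only (required/requisite/sufficient/optional),
# not the [value=action] syntax, and does not follow pam_stack/include targets.
audit_pam_account() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "account" {
            n++; ctl = $2; mod = $3; sub(/^.*\//, "", mod)   # drop /lib/security/$ISA/
            if (mod == "pam_permit.so" && ctl == "sufficient" && !reqseen) bypass = 1
            if (mod == "pam_unix.so") { unix = 1; if ($0 ~ /broken_shadow/) bs = 1 }
            if (ctl == "required" || ctl == "requisite") reqseen = 1
        }
        END {
            if (n == 0) { print "no account stack"; exit 2 }
            if (bypass) { print "FAIL: sufficient pam_permit short-circuits the account stack"; exit 1 }
            if (unix && !bs) print "NOTE: pam_unix without broken_shadow (fails users with no shadow entry)"
            print "OK"
        }' "$1"
}

# write_samples DIR: constructed /etc/pam.d/su variants, not the attached files
write_samples() {
    cat > "$1/bypass.su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_permit.so
session    required     /lib/security/$ISA/pam_unix.so
EOF
    cat > "$1/fixed.su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_krb5.so
account    required     /lib/security/$ISA/pam_unix.so broken_shadow
session    required     /lib/security/$ISA/pam_unix.so
EOF
}

d=$(mktemp -d); write_samples "$d"
for f in bypass fixed; do audit_pam_account "$d/$f.su" || echo "  -> exit $?"; done
rm -rf "$d"
```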
