Symptom
A user is not able to “su” to another account (whether local or LDAP based):
[[email protected]~]$ su - servicesoasit
Password:
Password:
su: incorrect password
/var/log/secure shows the following entries for the attempt:
Jul 21 23:53:37 oracle su[22863]: pam_vas: Authentication <succeeded> for <Active Directory> user: <servicesoasit> account: <[email protected]> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<AMERICAS\ServiceSOASIT>
Jul 21 23:53:38 oracle su[22863]: pam_unix(su-l:auth): authentication failure; logname=admazwan_ngali uid=2184379 euid=2184379 tty=pts/6 ruser= rhost= user=servicesoasit
As you can see, pam_vas already reported the authentication as successful, but “su” still refused to switch user.
Troubleshooting
Ensure the setuid bit is set on /bin/su. Not sure why it changed; probably it happened during the recent OEL upgrade. Without that bit, su runs with the calling user's privileges (note uid=2184379 euid=2184379 in the log), so the pam_unix step cannot read /etc/shadow and su cannot switch to the target uid, regardless of what pam_vas decided.
[[email protected] pam.d]# ll /bin/su
-rwxr-xr-x 1 root root 28336 Oct 16 2012 /bin/su
[[email protected] pam.d]# chmod +s /bin/su
[[email protected] pam.d]# ll /bin/su
-rwsr-xr-x 1 root root 28336 Oct 16 2012 /bin/su
Try to “su” to another account again. The issue should now be fixed.
[[email protected] ~]$ su - servicesoasit
Password:
[[email protected]~]$
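To catch this kind of silent permission change before users start reporting “incorrect password”, the check above can be turned into a small audit. The script below is an added example, not part of the original post: it reports whether the setuid bit is present on each listed binary and returns the number of files that are not in the expected state, so it can be wired into a cron job or monitoring check. The list of paths to audit, and the demo files it creates under mktemp, are assumptions; on a real host you would pass /bin/su (and any other setuid binaries your distribution expects) instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the setuid bit on binaries
# that need it, such as /bin/su. Paths and demo files are assumptions.

# setuid_state FILE
# Prints one of: ok (setuid set), missing (file exists, no setuid), absent (no file).
setuid_state() {
    if [ ! -e "$1" ]; then
        echo "absent"
    elif [ -u "$1" ]; then
        echo "ok"
    else
        echo "missing"
    fi
}

# audit_setuid FILE...
# Prints one "<state> <octal mode> <path>" line per file and returns the number
# of files that are not "ok", so a non-zero status means something needs fixing.
audit_setuid() {
    bad=0
    for f in "$@"; do
        state=$(setuid_state "$f")
        if [ -e "$f" ]; then
            # GNU stat first, BSD stat as a fallback
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        else
            mode="----"
        fi
        printf '%s %s %s\n' "$state" "$mode" "$f"
        [ "$state" = "ok" ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo files so the example runs without touching real binaries.
demo_dir=$(mktemp -d)
touch "$demo_dir/su_ok" "$demo_dir/su_broken"
chmod 4755 "$demo_dir/su_ok"      # rwsr-xr-x, a healthy /bin/su
chmod 0755 "$demo_dir/su_broken"  # rwxr-xr-x, the state seen in the post

# Run the audit; the demo deliberately contains one broken and one absent file.
if audit_setuid "$demo_dir/su_ok" "$demo_dir/su_broken" "$demo_dir/does_not_exist"; then
    echo "all audited binaries have the setuid bit"
else
    echo "files needing attention: $?"
fi
```

On an RPM-based host such as OEL the same question can also be put to the package database: `rpm -V $(rpm -qf /bin/su)` reports an `M` in its output when the installed file's mode no longer matches what the package shipped, which is a useful second opinion after an upgrade.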