Symptom
A user is not able to “su” to another account (local or LDAP-based):

[admazwan_ngali@oracle ~]$ su - servicesoasit
Password:
Password:
su: incorrect password

/var/log/secure shows the following entries:

Jul 21 23:53:37 oracle su[22863]: pam_vas: Authentication <succeeded> for <Active Directory> user: <servicesoasit> account: <ServiceSOASIT@AMER.DELL.COM> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<AMERICAS\ServiceSOASIT>
Jul 21 23:53:38 oracle su[22863]: pam_unix(su-l:auth): authentication failure; logname=admazwan_ngali uid=2184379 euid=2184379 tty=pts/6 ruser= rhost= user=servicesoasit

pam_vas reports that authentication succeeded, yet “su” still refuses to switch user. The clue is in the pam_unix line: uid=2184379 euid=2184379, i.e. su is running with the invoking user's privileges instead of as root. Without root privileges pam_unix cannot read the target account's hash in /etc/shadow (its unix_chkpwd helper will only verify the calling user's own password), so the password check for another account can never succeed.
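The pattern above is easy to pick out of /var/log/secure automatically. The following shell snippet is an added example, not part of the original post: it runs over the two log lines quoted above plus one constructed contrasting line (a normal wrong-password failure with euid=0), and flags any pam_unix su failure where the real and effective uid are equal and non-zero, which is exactly what a su binary without its setuid bit produces.

```shell
#!/bin/sh
# Added example: detect "su is not running as root" from pam_unix log lines.
# Not part of the original post.

# Constructed sample: the two lines from the post plus one contrasting line
# (euid=0, so su *was* setuid root and the password itself was wrong).
SAMPLE_LOG='Jul 21 23:53:37 oracle su[22863]: pam_vas: Authentication <succeeded> for <Active Directory> user: <servicesoasit> account: <ServiceSOASIT@AMER.DELL.COM> service: <su-l> reason: <N/A> Access Control Identifier(NT Name):<AMERICAS\ServiceSOASIT>
Jul 21 23:53:38 oracle su[22863]: pam_unix(su-l:auth): authentication failure; logname=admazwan_ngali uid=2184379 euid=2184379 tty=pts/6 ruser= rhost= user=servicesoasit
Jul 21 23:55:01 oracle su[22901]: pam_unix(su-l:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/7 ruser= rhost= user=alice'

# Print "uid euid target verdict" for every pam_unix su-l auth failure in $1.
# Verdict NOT_SETUID when uid == euid and uid != 0: su never gained root, so
# pam_unix could not read /etc/shadow for the target account.
classify_su_failures() {
    printf '%s\n' "$1" | awk '
        /su\[[0-9]+\]: pam_unix\(su-l:auth\): authentication failure/ {
            uid = ""; euid = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/)  { sub("uid=",  "", $i); uid = $i }
                if ($i ~ /^euid=/) { sub("euid=", "", $i); euid = $i }
                if ($i ~ /^user=/) { sub("user=", "", $i); target = $i }
            }
            verdict = (uid == euid && uid != 0) ? "NOT_SETUID" : "BAD_PASSWORD_OR_OTHER"
            print uid, euid, target, verdict
        }'
}

# Run against the real log when executed directly on a host:
#   classify_su_failures "$(cat /var/log/secure)"
classify_su_failures "$SAMPLE_LOG"
```

On a healthy host every su failure should show euid=0; a run of NOT_SETUID verdicts after an upgrade points straight at the permissions on /bin/su rather than at the directory or the users' passwords.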
Troubleshooting
Check that the setuid bit is set on /bin/su. Here it is missing: the mode is -rwxr-xr-x, with no “s” in the owner execute position. I am not sure why it changed; it probably happened during the recent OEL upgrade.

[root@oracle pam.d]# ll /bin/su
-rwxr-xr-x 1 root root 28336 Oct 16 2012 /bin/su
Restore the setuid bit, then confirm that ll shows an “s” in the owner execute position (-rwsr-xr-x). chmod u+s /bin/su (or chmod 4755 /bin/su) is the precise form, since a bare +s on GNU chmod also requests setgid on the file.

[root@oracle pam.d]# chmod +s /bin/su
[root@oracle pam.d]# ll /bin/su
-rwsr-xr-x 1 root root 28336 Oct 16 2012 /bin/su

Try to “su” to the other account again; it should now work.

[admazwan_ngali@oracle ~]$ su - servicesoasit
Password:
[servicesoasit@oracle ~]$
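Because a setuid root binary is also a prime target for tampering, the check worth running after an incident like this is not only “is the bit set” but “is this still the packaged file”. The following shell functions are an added example, not part of the original post: they test the setuid bit and root ownership of a path (default /bin/su), print the fix to apply, and, where rpm is available, verify the file against its package (rpm -Vf reports an M for a mode mismatch; rpm --setperms restores the packaged permissions). The chmod and rpm commands are shown but never run against the real /bin/su here.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a setuid helper such
# as /bin/su still carries the setuid bit and is owned by root.

# Return 0 if the file has the setuid bit set, 1 otherwise.
has_setuid() {
    [ -u "$1" ]
}

# Return 0 if the file is owned by uid 0.
owned_by_root() {
    [ "$(stat -c %u "$1")" = 0 ]
}

# Octal mode of the file, e.g. 4755 for a correctly set /bin/su.
mode_of() {
    stat -c %a "$1"
}

# Diagnose the given path (default /bin/su). Returns 0 only when the file is
# both root-owned and setuid; otherwise prints what is wrong and how to fix it.
check_su_binary() {
    path=${1:-/bin/su}
    ok=0
    if ! owned_by_root "$path"; then
        echo "$path: not owned by root (owner uid $(stat -c %u "$path")); fix with: chown root $path"
        ok=1
    fi
    if ! has_setuid "$path"; then
        echo "$path: setuid bit missing (mode $(mode_of "$path")); fix with: chmod u+s $path"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "$path: setuid root, mode $(mode_of "$path")"
    return "$ok"
}

# On an RPM-based system (OEL included), confirm the file still matches the
# package it was installed from before trusting it. Any line in the output is a
# mismatch; an "M" in it means the mode differs from the package.
verify_with_rpm() {
    path=${1:-/bin/su}
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -Vf "$path"
    # To put the packaged permissions back on every file of that package:
    #   rpm --setperms "$(rpm -qf "$path")"
}

# Stand-alone run: check the real binary (read-only; no changes are made).
check_su_binary /bin/su || true
```

A hash or size mismatch in the rpm output, rather than just an M, would mean the binary itself was replaced, which is a very different incident from a permissions bit lost during an upgrade.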