FC6(working 'su -') vs Centos5(failing 'su -')
Justin W
jlist at jdjlab.com
Sun Jun 3 04:23:16 UTC 2007
Tony Nelson wrote:
> At 1:39 PM -0500 6/2/07, Justin W wrote:
>
>> I tried both 'setenforce 0' and appending 'enforcing=0' to the kernel
>> arguments. Neither allowed me access.
>>
> So much for that idea.
>
Yeah, SELinux is usually my fall-back thing to blame. I don't like it
when it's not it because it's not as easy as just not enforcing policy
until either 1) a policy update is made or 2) I create a rule to allow
whatever it is I want done.
>> Would having the user accounts being held in an LDAP directory have any
>> effect (though I don't see how it'd affect one access method and not the
>> other)?
>>
> Dunno, haven't used LDAP. Can you change that for even one new account,
> and try it that way?
>
I added a tester account locally and tried logging in with that. I got
the same error messages in my logs:

Jun 2 23:07:50 zeus su: pam_unix(su-l:auth): authentication failure; logname=tester uid=550 euid=0 tty=pts/0 ruser=tester rhost= user=root
type=USER_AUTH msg=audit(1180843672.674:96): user pid=1881 uid=550 auid=550 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=failed)'

Is there a good location to place a "debug" option in the PAM
configurations? Which modules would be the most useful to get
information from (and how does it work)? I tried one already and I didn't
see any more output in any logs than normal.
Thanks,
Justin W