FC6(working 'su -') vs Centos5(failing 'su -')

Justin W jlist at jdjlab.com
Sun Jun 3 04:23:16 UTC 2007

Tony Nelson wrote:
> At 1:39 PM -0500 6/2/07, Justin W wrote:
>> I tried both 'setenforce 0' and appending 'enforcing=0' to the kernel
>> arguments. Neither allowed me access.
> So much for that idea.
Yeah, SELinux is usually my fall-back thing to blame. I don't like it 
when it's not it because it's not as easy as just not enforcing policy 
until either 1) a policy update is made or 2) I create a rule to allow 
whatever it is I want done.
>> Would having the user accounts being held in an LDAP directory have any
>> effect (though I don't see how it'd effect one access method and not the
>> other)?
> Dunno, haven't used LDAP.  Can you change that for even one new account,
> and try it that way?
I added a tester account locally and tried logging in with that. I got 
the same error messages in my logs:

    Jun  2 23:07:50 zeus su: pam_unix(su-l:auth): authentication
    failure; logname=tester uid=550 euid=0 tty=pts/0 ruser=tester
    rhost=  user=root

    type=USER_AUTH msg=audit(1180843672.674:96): user pid=1881 uid=550
    auid=550 subj=user_u:system_r:unconfined_t:s0 msg='PAM:
    authentication acct=root : exe="/bin/su" (hostname=?, addr=?,
    terminal=pts/0 res=failed)'

Is there a good location to place a "debug" option in the PAM 
configurations? Which modules would be the most useful to get 
information from (and how does it work? I tried one already and I didn't 
see any more output in any logs than normal.).

Justin W

More information about the fedora-list mailing list