| Username : Date : Action : Comments [ close all ] |
|
|
|
HJH : 23/12/02 12:54 AM : Incident created |
|
- I've got a machine (AMD XP2200, 60Gb. IBM, 512Mb.Ram, ATI9000 128Mb, SBLive!, Terractec Cinergy 400) that will not allow ANY user to use the 'su' commando correctly.
When I use the 'su' command, I can filluout the password, but it always says that the password is invalid (even though it isn't).
Does anyone know what causes thes/ what I can do about it?
Hendrik-Jan Heins
|
|
|
|
Linegod_7611 : 23/12/02 09:58 PM : Reply received |
|
- What security level did you set your system to?
Could you try lowering it and see if 'su' works?
Can you log in, from a console (CTRL-ALT-F1) as root?
------
Note: If this answer resolves your problem, please remember to close this
incident.
|
|
|
|
HJH : 24/12/02 11:08 PM : More info provided |
|
- I've tried different security levels, but that made no difference...
I can log on as root, that's no problem, only the "su"-command seems to be unusable.
|
|
|
|
Linegod_7611 : 28/12/02 05:13 PM : Reply received |
|
- Could you open another console and run 'tail -f /var/log/messages' and then
attempt to log in with 'su'. Post the errors.
--------
Note: If this answer resolves your problem, please remember to close this
incident.
|
|
|
|
HJH : 29/12/02 10:36 PM : More info provided |
|
- I've attached the output in the file on this text. Is the problem the line that starts with "rwhod"?
Hendrik-Jan Heins
|
|
Attachment
|
|
Linegod_7611 : 30/12/02 08:17 PM : Reply received |
|
- I'm not sure how but the rwho daemon may be blocking the 'su' command. Try
disabling rwhod (/etc/rc.d/init.d/rwhod stop) and try 'su' again. Post the
output of 'tail -f /var/log/messages' again.
------
Note: If this answer resolves your problem, please remember to close this
incident.
|
|
|
|
HJH : 03/01/03 08:39 PM : More info provided |
|
- Ok,
I followed your instructions, but it didn't work...
I attached a new file with output.
Hendrik-Jan Heins
|
|
Attachment
|
|
Linegod_7611 : 04/01/03 08:11 PM : Reply received |
|
- It would appear that you are attempting to use the command as 'su root'. For
root, all you need to do is type 'su' without any other arguements.
------
Note: If this answer resolves your problem, please remember to close this
incident.
|
|
|
|
HJH : 05/01/03 12:30 AM : More info provided |
|
- I'm sorry, but I don't understand this answer..
Yes, I know that to become root on a system, you only have to use "su" however you can "su" for every user, like "su user1" etc.... and you can also do "su root" that works just as well.
So I think that, if I sort of understand your comment, it does not make any difference.....
|
|
|
|
Linegod_7611 : 06/01/03 01:46 PM : Reply received |
|
- My bad, I was trying to generate the same error message as you got, but was
on a box with a higher security level, and got sidetracked.
If you could, could you try chaning the root password, and then try the 'su'
command again.
--------
Note: If this answer resolves your problem, please remember to close this
incident.
|
|
|
|
HJH : 06/01/03 11:31 PM : More info provided |
|
- I already tried that, but it didn't help...
So I am really at a loss about what generates this problem...
Hendrik-Jan Heins
|
|
|
|
perlotto : 11/01/03 03:03 AM : Reply received |
|
- Is your user a member of the wheel group? If that is not true you should not
be able to 'su'.
|
|
|
|
HJH : 19/01/03 04:36 PM : More info provided |
|
- Hmmmm,
I'm not quite sure your idea of a "wheel group" is on the right track. The whole concept of a wheel group is part of IRIX, not of Linux. And to be able to work with a "wheel group", you'll have to activate it in your login/users config. script. And by default this isn't enabled in Mandrake....
Hendrik-Jan Heins
|
|
|
|
perlotto : 22/01/03 05:06 AM : Reply received |
|
- Wheel group is enabled assuming a certain msec level. It is also found in
Solaris, and many other AT&T based OS's. If you go to:
/etc/security/msec
and do a ls -l you should see something like:
drwxr-xr-x 2 root root 4096 Dec 20 19:19 ./
drwxr-xr-x 4 root root 4096 Nov 16 21:30 ../
-rw-rw-r-- 1 root root 53 Dec 20 19:19 level.local
-rw-rw-r-x 1 root root 60 Oct 19 21:20 perm.local*
-rwxrwxr-x 1 root root 19 Dec 20 19:19 security.conf*
lrwxrwxrwx 1 root root 27 Dec 20 16:13 server -
> /etc/security/msec/server.5
-rw-r--r-- 1 root root 193 Sep 17 07:16 server.4
-rw-r--r-- 1 root root 109 Dec 7 00:19 server.5
And as you can see I am running msec 5, which is one of the levels that
activates the wheel group. You can see in my group file:
wheel:x:10:perlotto
Which without, I cannot su to root either.
|
|
|
|
HJH : 22/01/03 10:59 PM : More info provided |
|
- OK,
I'll check your suggestion. But I'm quite sure this machine is set to security level 3 or lower.
so, the only way this problem will occur if something went wrong during the install...
Hendrik-Jan Heins
|
|
|
|
decampsr : 02/02/03 04:15 PM : Reply received |
|
- I think I add this problem, but I can't remember how I solved it... It was
something very crazy, like
# pwunconv
# pwconv
Hope (but doubt) this helps.
|
|
|
|
HJH : 03/02/03 02:02 AM : More info provided |
|
- Hmmm,
your answer sounds like a really obscure problem/solution...
I hope mine is a bit simpler ;-)
Anyway, I've been toying with this machine again, and the wheel group is not activated anywhere on the system. The rwhod daemon is also off. But... in /var/log/messages I saw that, when I was performing a "su" command as root, everything works, also no problem messages. However, when I performed a "su" command as a normal user, I saw in the messages file, that the machine treated the user as a ruser (remote user)! So it looks like the machine is not accepting it's own users as local.
Anyone????
thanks for all your help so far!
Hendrik-Jan Heins
|
|
|
|
decampsr : 04/02/03 12:41 PM : More info requested |
|
- Can you please snd the reslut of
cat /etc/pam.d/su
An dmaybe try do uninstall the rwho package
|
|
|
|
d92_ulg : 04/02/03 10:09 PM : Reply received |
|
- The obscure problem solution is not so obscure. The shadow files might not be
synchronized with /etc/passwd and /etc/group. If a user exists in /etc/passwd
but not in /etc/shadow I could imagine that su thinks the user is not local.
But I'm just speculating.
This comes from man pwconv:
pwconv creates shadow from passwd and an optionally existing shadow.
pwunconv creates passwd from passwd and shadow and then removes shadow.
grpconv creates gshadow from group and an optionally existing gshadow.
grpunconv creates group from group and gshadow and then removes
gshadow.
An alternative is that the configuration in the file /etc/pam.d/su
is "strange".
mine looks like this:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_wheel.so use_uid
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
Good Luck!
|
|
|
|
HJH : 17/02/03 09:46 AM : More info provided |
|
- Hello all,
thank you all for your input so far. And I am happy that I can say that it was not in vain! So far the pwconv/onconv command has worked!!!
Unfortunately that is not the whole solution, there still seems to be a (small?!) issue with xauth left. This is an excerpt from my /var/log/messages:
Feb 16 17:12:00 home su(pam_unix)[3019]: session opened for user root by
(uid=501)
Feb 16 17:12:00 home su[3019]: pam_xauth: error creating temporary file
`/root/.xauthHCF7vN': Permission denied
Feb 16 17:12:00 home su(pam_unix)[3019]: session closed for user root
I think this is the last part, anyone?
Hendrik-Jan Heins
|
|
|
|
decampsr : 20/02/03 10:31 AM : Reply received |
|
- I have just checked that, even if the temp file already exists with no writing
permission, xauth is able to start.
I don't think to anything right now, except that /root does not belong to
root... Ah, if I remember well, redHat has released some bug corrections for
pam recently. Maybe Mandrake was concerned, too. Anyway, you should update
your Mandrake distrib from MandrakeUpdate.
-- Regis
d92_ulg, your explanation sounds very good. That's only a shame I spent a
whole tring to debug the very fair pam config files before I found the trick.
|
|
|
|
HJH : 20/02/03 11:05 PM : Reply received |
|
- Ok,
thanks so far...
So, I guess I can better close this incident for now?
However, that puts me seriously on the spot... as I think I have more than one
person that I'll have to give credits on this one!
Hendrik-Jan Heins
|
|
|
|
HJH : 20/02/03 11:18 PM : More info provided |
|
- Uhm,
see the msg above this one...
Hendrik-Jan Heins
|
|
|
|
HJH : 24/02/03 07:02 PM : Incident closed |
|
-
|
|
|
