On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Running as an ordinary user, straight from the beginning.
>
> Is the (default) suid of /usr/bin/su causing this?
>
> Anyway: the info requested:
>
> /var/log/secure will tell:
> Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
> session: Already running in a session
> Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
> for user root by testuser(uid=10005)

Interesting, there is even no account message at all...not even auth message?

>
> The pam.d files are from a clean fresh Fedora23 install and
> ipa-client-install afterwards:
>
> /etc/pam.d/su
> #%PAM-1.0
> auth sufficient pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel"
> group.
> #auth sufficient pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel"
> group.
> #auth required pam_wheel.so use_uid
> auth substack system-auth
> auth include postlogin
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet
> account include system-auth

...yet clearly here su includes system_auth unless pam_succeed_if ran (which
should only happen if you ran su as root)

Just to be sure, can you comment out the pam_succeed_if.so line?

> password include system-auth
> session include system-auth
> session include postlogin
> session optional pam_xauth.so
>
> /etc/pam.d/postlogin
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> session [success=1 default=ignore] pam_succeed_if.so service !~ gdm*
> service !~ su* quiet
> session [default=1] pam_lastlog.so nowtmp silent
> session optional pam_lastlog.so silent noupdate showfailed
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok
> try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only
> retry=3 authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> On 24-11-15 at 10:37, Jakub Hrozek wrote:
>
> Are you running su as an ordinary user or root? What does appear in
> /var/log/secure when you run su?
>
> Can you show what is the /etc/pam.d/su config and the config of the
> service that is included from /etc/pam.d/su? (typically system-auth)
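
Added example (not part of the original message, and not FreeIPA or Linux-PAM code): a simplified Python model of how the `account` lines quoted above are walked when su targets root, showing that the included system-auth lines are skipped only when the caller's uid is 0. The module results and the helper names (`flatten`, `evaluate`, `su_account_trace`) are assumptions made for illustration.

```python
# Simplified model of pam.conf(5) control handling; jumps and substacks are not modelled.
SIMPLE = {"required":   {"success": "ok",   "default": "bad"},
          "sufficient": {"success": "done", "default": "ignore"}}
# Account lines copied from the files quoted in the message.
FILES = {
    "su": ["account sufficient pam_succeed_if.so uid = 0 use_uid quiet",
           "account include system-auth"],
    "system-auth": [
        "account required pam_unix.so",
        "account sufficient pam_localuser.so",
        "account sufficient pam_succeed_if.so uid < 1000 quiet",
        "account [default=bad success=ok user_unknown=ignore] pam_sss.so",
        "account required pam_permit.so"]}

def flatten(service):
    """Return [(actions, module_line)] with `include` lines resolved."""
    out = []
    for line in FILES[service]:
        rest = line.split(None, 1)[1]            # drop the type column
        if rest.startswith("["):
            ctl, mod = rest[1:].split("]", 1)
            out.append((dict(p.split("=") for p in ctl.split()), mod.strip()))
            continue
        ctl, mod = rest.split(None, 1)
        if ctl == "include":
            out += flatten(mod)
        else:
            out.append((SIMPLE[ctl], mod))
    return out

def evaluate(stack, results):
    """Return (granted, modules_run); results maps module line -> result name."""
    state, ran = None, []          # None = undecided, True/False = outcome so far
    for actions, mod in stack:
        ran.append(mod)
        act = actions.get(results.get(mod, "failure"), actions["default"])
        if act in ("ok", "done") and state is None:
            state = True
        elif act in ("bad", "die"):
            state = False
        if (act == "done" and state) or act == "die":
            break                  # done/die end the whole stack
    return state is True, ran

def su_account_trace(caller_uid):
    """Constructed results for `su` to root: only the use_uid test depends on the caller."""
    first = "pam_succeed_if.so uid = 0 use_uid quiet"
    return evaluate(flatten("su"), {first: "success" if caller_uid == 0 else "failure",
                                    "pam_unix.so": "success", "pam_localuser.so": "success"})
```

`su_account_trace(0)` stops after the first line, while `su_account_trace(10005)` continues into the system-auth account lines, which is the behaviour the reply describes for an ordinary user.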
