From mattie_linux at yahoo.com Wed Sep 13 15:17:44 2006
From: mattie_linux at yahoo.com (mattie)
Date: Wed, 13 Sep 2006 15:17:44 PDT
Subject: [immigrants-discuss] su/ authentication stuff and sudo on opensolaris
Message-ID: <32262670.1158185894632.JavaMail.Twebapp@oss-app1>

hi there,

Please excuse my English. I am on OpenSolaris. (SunOS 5.11 snv_42
October 2007)

I just inherited 6 OpenSolaris boxes at work. I have root on all of
them, and am not "locked out." But there is a pesky authentication
inconsistency.

I have sudo running on all 6 boxes. But I want it to be optional.
On 5 of them, I *can* "su -" just fine from other users (of course
having to know root's password). On the other, I *have* to use
"sudo su -" to get to root!! It's driving me crazy.

What files control this? The /etc/default/login, and sudoers files
are identical on all the boxes. The permissions on /bin/su are also
the same on all boxes.

But I know I'm not looking in the right places.

Any Solaris advice appreciated!

thanks,
matt (new to opensolaris)
--
This message posted from opensolaris.org

From mgerdts at gmail.com Wed Sep 13 18:40:16 2006
From: mgerdts at gmail.com (Mike Gerdts)
Date: Wed, 13 Sep 2006 20:40:16 -0500
Subject: [immigrants-discuss] su/ authentication stuff and sudo on opensolaris
In-Reply-To: <32262670.1158185894632.JavaMail.Twebapp@oss-app1>
References: <32262670.1158185894632.JavaMail.Twebapp@oss-app1>
Message-ID: <65f8f3ad0609131840u7a59504ej1e3cb1efb11bfe97@mail.gmail.com>

On 9/13/06, mattie wrote:
> I have sudo running on all 6 boxes. But I want it to be optional.
> On 5 of them, I *can* "su -" just fine from other users (of course
> having to know root's password). On the other, I *have* to use
> "sudo su -" to get to root!! It's driving me crazy.
>
> What files control this? The /etc/default/login, and sudoers files
> are identical on all the boxes. The permissions on /bin/su are also
> the same on all boxes.
>
> But I know I'm not looking in the right places.
>
> Any Solaris advice appreciated!

The order that I would try is:

0) Be sure that PATH isn't messed up and using a non-standard su
   command.
1) Look at /var/adm/messages for error messages that point to
   something obvious.
2) Compare /etc/pam.conf between machines
3) Compare root's entry in /etc/passwd and /etc/shadow between
   machines
4) Enable PAM debugging: touch /etc/pam_debug, add
   "auth.debug/var/adm/authlog" to /etc/syslog.conf, touch
   /var/adm/authlog, kill -HUP syslogd. Try to su -. Do the same on
   another machine. Look for differences in /var/adm/authlog between
   the machines.

Unfortunately, PAM is not very good about telling exactly where
problems are. The debug output is so verbose that it is extremely
hard to read.

Mike

--
Mike Gerdts
http://mgerdts.blogspot.com/

From tommythekid at gmail.com Wed Sep 27 10:01:05 2006
From: tommythekid at gmail.com (Tommy McNeely)
Date: Wed, 27 Sep 2006 10:01:05 PDT
Subject: [immigrants-discuss] Re: su/ authentication stuff and sudo on opensolaris
In-Reply-To: <32262670.1158185894632.JavaMail.Twebapp@oss-app1>
Message-ID: <30135819.1159376495383.JavaMail.Twebapp@oss-app1>

The first thing I would check is the actual root password:

 - do the sudo su -, (become root)
 - passwd root (enter the password twice)

Then exit out and try regular su -

Using "sudo su -" uses your "user" password to gain root powers.
Essentially you are running "su -" with "root powers" by
authenticating with your user password. My guess is that the root
password is locked/expired or otherwise invalid.

~tommy
--
This message posted from opensolaris.org
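
Added example, not written by anyone in this thread: step 3 of Mike's list and Tommy's guess both come down to reading root's /etc/shadow line, so this sketch classifies one such line as locked, passwordless, expired or usable. It assumes the shadow(4) field layout and the Solaris "*LK*" and "NP" markers; the function name shadow_status, the sample lines and the placeholder hash text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify one /etc/shadow line.
# Assumed layout, per shadow(4):
#   name:passwd:lastchg:min:max:warn:inactive:expire:flag
# lastchg and expire are day counts since 1970-01-01.

# shadow_status LINE TODAY_DAYS -> prints one status word
shadow_status() {
    ss_line=$1
    ss_today=$2
    ss_ifs=$IFS
    set -f                      # "*LK*" must not be expanded as a glob
    IFS=:
    set -- $ss_line             # split on ":" keeping empty fields
    IFS=$ss_ifs
    set +f
    ss_pw=${2-} ss_lastchg=${3-} ss_max=${5-} ss_expire=${8-}

    case $ss_pw in
        '*LK*'*) echo locked; return 0 ;;        # locked account
        NP)      echo no-password; return 0 ;;   # no valid password
        '')      echo empty; return 0 ;;         # blank password field
    esac
    if [ -n "$ss_expire" ] && [ "$ss_expire" -le "$ss_today" ]; then
        echo account-expired; return 0           # absolute expiry reached
    fi
    if [ "$ss_lastchg" = 0 ]; then
        echo change-required; return 0           # change forced at next login
    fi
    if [ -n "$ss_lastchg" ] && [ -n "$ss_max" ] && [ "$ss_max" -ge 0 ] &&
       [ $(( $ss_lastchg + $ss_max )) -lt "$ss_today" ]; then
        echo password-aged; return 0             # older than max days
    fi
    echo ok
}

# Constructed sample lines; day 13404 is 2006-09-13.
for sample in \
    'root:PLACEHOLDERHASH:13000::::::' \
    'root:*LK*:::::::' \
    'root:PLACEHOLDERHASH:13000:0:90:7:::'
do
    printf '%s -> %s\n' "$sample" "$(shadow_status "$sample" 13404)"
done
```

Run as root on each machine against the output of grep '^root:' /etc/shadow and compare the status word; passwd -s root reports the same state as PS, LK or NP.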