HPE Community
Operating System - HP-UX
1821472 Members
3346 Online
109633 Solutions
New Discussion юеВ

Re: problems with su

 
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 08:17 AM

тАО07-27-2004 08:17 AM

problems with su

Hello all,
I am new to HP-UX. I am running 11i. I have created some local user accounts through the SAM interface. When I telnet into my system as a non-root user and try to su - as root, I enter the password and I get su: Sorry, as if I typed the wrong password. (The root password is correct, I set it, and I can telnet in directly as root). I have read the security man page, by default su should work. The file /etc/security does not even exist. There is also nothing helpful listed in /var/adm/sulog other than my failed attempts. Anyone have any ideas??

Thanks for your help,
Rich

Here is the output from /var/adm/sulog:

SU 07/27 10:36 - tc jgreen-root
SU 07/27 10:36 - tc jgreen-root
SU 07/27 10:36 - tc jgreen-root
SU 07/27 10:37 - td rich-root
SU 07/27 10:37 - td rich-root
SU 07/27 14:37 - td rich-root
SU 07/27 14:37 - td rich-root
SU 07/27 14:39 - td rich-root
SU 07/27 16:06 + td root-root
SU 07/27 16:07 + td root-rich
SU 07/27 16:07 - td root-root
0 Kudos
Reply
18 REPLIES 18
Steven E. Protter
Exalted Contributor

тАО07-27-2004 08:27 AM

тАО07-27-2004 08:27 AM

Re: problems with su

check the permissions on su

ll /usr/bin/su
-r-sr-xr-x 1 root bin 28672 Oct 4 2002 /usr/bin/su

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 08:29 AM

тАО07-27-2004 08:29 AM

Re: problems with su

got the same output, permissions look good.

# ll /usr/bin/su
-r-sr-xr-x 1 root bin 24576 Nov 14 2000 /usr/bin/su
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 08:37 AM

тАО07-27-2004 08:37 AM

Re: problems with su

Do you see any additional logging messages in the /var/adm/syslog/syslog.log file that might point to the problem?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Sundar_7
Honored Contributor

тАО07-27-2004 08:38 AM

тАО07-27-2004 08:38 AM

Re: problems with su

The file you should be looking at is /etc/default/security and not /etc/security.

Check if SU TO ROOT ALLOWED GROUPS is defined in the /etc/default/security file.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 08:42 AM

тАО07-27-2004 08:42 AM

Re: problems with su

No, there is nothing else in the syslog.log other than the duplicate info that is in sulog. For the last post, sorry, I meant to type /etc/default/security. Yes, this file does not exist. The only thing in 2 files in there are fs and useradd.

0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 08:48 AM

тАО07-27-2004 08:48 AM

Re: problems with su

Have you made any changes to the PAM configuration files? The files I'm curious about are /etc/pam.conf and /etc/pam_user.conf. If you've made changes to these files you could try putting the default versions of these files back and see if su works.

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 08:51 AM

тАО07-27-2004 08:51 AM

Re: problems with su

No this is a fresh install of 11i. I did not do the install however. But, the pam.conf file looks to be default, no ref to the su command listed. Also, there is nothing in the pam_user.conf file, all the lines are commented out.
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 08:53 AM

тАО07-27-2004 08:53 AM

Re: problems with su

Just to be sure, could you try doing a diff of /etc/pam.conf against the default file /usr/newconfig/etc/pam.conf and see if there is any difference between these files?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 08:56 AM

тАО07-27-2004 08:56 AM

Re: problems with su

No differences....
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 09:01 AM

тАО07-27-2004 09:01 AM

Re: problems with su

Is trusted systems turned on by any chance?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 09:03 AM

тАО07-27-2004 09:03 AM

Re: problems with su

I dont think so, how would I tell? Is it part of the standard install?
0 Kudos
Reply
john kingsley
Honored Contributor

тАО07-27-2004 09:08 AM

тАО07-27-2004 09:08 AM

Re: problems with su

This is a long shot, you said you were running "su - root", have you tried running "su root"?
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 09:09 AM

тАО07-27-2004 09:09 AM

Re: problems with su

Trusted systems is included with the standard HP-UX 11i, but it is disabled by default. Shadow password support is also available for 11i but it doesn't ship with the system.

One way to tell if you have either of these products installed would be to look at the /etc/passwd file to see if the encrypted passwords for your non-root users are stored in the /etc/passwd file. If they are then I doubt either of these products are configured.

Also, are you using any backend name service for your /etc/passwd data, i.e. NIS, NIS+, LDAP, etc.?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 09:21 AM

тАО07-27-2004 09:21 AM

Re: problems with su

Checking the passwd file and trusted system is not enabled. I have already tried su root. Same result.
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 09:23 AM

тАО07-27-2004 09:23 AM

Re: problems with su

Are you using any backend name service for your /etc/passwd data, i.e. NIS, NIS+, LDAP, etc.? Could you copy/paste your /etc/nsswitch.conf file contents here so we can see what the "passwd:" entry looks like?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Richard Zawaski_2
Occasional Advisor

тАО07-27-2004 09:28 AM

тАО07-27-2004 09:28 AM

Re: problems with su

nsswitch.conf

passwd: files
group: files
hosts: dns [NOTFOUND=return] files
services: files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
0 Kudos
Reply
Dave Olker
Neighborhood Moderator

тАО07-27-2004 09:32 AM

тАО07-27-2004 09:32 AM

Re: problems with su

Ok, I'm running out of ideas. :)

In looking at the sulog output, the only field I haven't seen before is the "tc" or "td" entries. I'm used to seeing the device file name of the virtual terminal that you were using when you issued the "su" command. In my systems this looks like:

# cat /var/adm/sulog
SU 07/27 13:24 - ttyp1 dolker-root
SU 07/27 13:24 + ttyp1 dolker-root
SU 07/27 13:28 + ttyp1 dolker-root
SU 07/27 13:31 + ttyp1 dolker-root
SU 07/27 13:31 + ttyp1 dolker-root
SU 07/27 13:32 + ttyp1 dolker-root
SU 07/27 14:31 + ttyp1 dolker-root

On all of my systems I get the name of the device file like "ttyp1" meaning /dev/ttyp1 was used.

I don't know if there is any significance to the fact that your system is logging "tc" and "td" when you telnet into your system and issue the command, and mine all say "ttyp#". Could be significant, or it could simply be my lack of experience with the sulog format.

Does anyone else see "tc" or "td" in their sulog file for this field?

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Ermin Borovac
Honored Contributor

тАО07-27-2004 01:42 PM

тАО07-27-2004 01:42 PM

Re: problems with su

Do you have any special characters in the root's password? If so, have you tried using just a combination of letters and numbers for the root's password?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.