Hi all,

Running as an ordinary user, straight from the beginning.

Is the (default) suid of /usr/bin/su causing this?
 
Anyway: the info requested:

/var/log/secure will tell:
Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create session: Already running in a session
Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened for user root by testuser(uid=10005)

The pam.d files are from a clean fresh Fedora23 install and ipa-client-install afterwards:

/etc/pam.d/su
#%PAM-1.0
auth        sufficient    pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth        sufficient    pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth        required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include        postlogin
account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
account        include        system-auth
password    include        system-auth
session        include        system-auth
session        include        postlogin
session        optional    pam_xauth.so

/etc/pam.d/postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp silent
session     optional      pam_lastlog.so silent noupdate showfailed

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


On 24-11-15 at 10:37, Jakub Hrozek wrote:
Are you running su as an ordinary user or root? What does appear in
/var/log/secure when you run su ?

Can you show what is the /etc/pam.d/su config and the config of the
service that is included from /etc/pam.d/su ? (typically system-auth)
