Subject: Re: su and PAM
To: None <sigsegv@rambler.ru>
From: Christos Zoulas <christos@zoulas.com>
List: current-users
Date: 03/22/2005 08:50:03
On Mar 22,  9:30am, sigsegv@rambler.ru (sigsegv@rambler.ru) wrote:
-- Subject: Re: su and PAM

| Below are the contents of /etc/pam.d/su.
| By the way, did you see my previous message where I posted the contents 
| of /var/log/auth.log file? Why does the log show things like:
| 
| Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_acct_mgmt(): Undefined symbol "pam_sm_acct_mgmt"
|
| Maybe this has something to do with it?

This is normal... PAM tries to use every module for every function,
and if a function is not defined, then it just does not use it. In
this case, it says that rootok does not handle account management.

| $ cat su
| # $NetBSD: su,v 1.5 2005/03/01 16:28:46 christos Exp $
| #
| # PAM configuration for the "su" service
| #
| 
| # auth
| auth            sufficient      pam_rootok.so           no_warn
| auth            sufficient      pam_self.so             no_warn
| auth            sufficient      pam_ksu.so              no_warn try_first_pass
| auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
| #auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
| auth            required        pam_unix.so             no_warn try_first_pass nullok
| 
| # account
| account         required        pam_login_access.so
| account         include         system
| 
| # session
| session         required        pam_permit.so

This is the same file that I have. I guess I'll have to check out the
branch and test there.

christos
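
An added example, not part of the original message or of NetBSD/OpenPAM code: a triage check that reads an openpam_dynamic "Undefined symbol" log line and tells whether the module is actually configured for the facility whose entry point is missing. The names `triage` and `configured` are hypothetical, the policy text is the quoted su file with wrapped lines rejoined, and modules pulled in through `include` are assumed out of scope.

```python
import re

# Standard PAM service-module entry points, grouped by facility.
FACILITY_OF = {
    "pam_sm_authenticate": "auth", "pam_sm_setcred": "auth",
    "pam_sm_acct_mgmt": "account",
    "pam_sm_open_session": "session", "pam_sm_close_session": "session",
    "pam_sm_chauthtok": "password",
}

# The su policy quoted in the message (mail-wrapped lines rejoined).
SU_POLICY = """\
auth     sufficient  pam_rootok.so  no_warn
auth     sufficient  pam_self.so    no_warn
auth     sufficient  pam_ksu.so     no_warn try_first_pass
auth     requisite   pam_group.so   no_warn group=wheel root_only fail_safe
auth     required    pam_unix.so    no_warn try_first_pass nullok
account  required    pam_login_access.so
account  include     system
session  required    pam_permit.so
"""

# The auth.log line from the message, rejoined onto one line.
SAMPLE = ('Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: '
          'pam_sm_acct_mgmt(): Undefined symbol "pam_sm_acct_mgmt"')

LOG_RE = re.compile(r'in openpam_dynamic\(\): (?P<module>\S+): '
                    r'(?P<func>pam_sm_\w+)\(\): Undefined symbol')

def configured(policy):
    """Return the (facility, module) pairs a policy file lists directly."""
    pairs = set()
    for line in policy.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[1] != "include":
            pairs.add((fields[0], fields[2]))
    return pairs

def triage(log_line, policy):
    """Classify one log line as 'benign', 'review' or 'unrelated'."""
    m = LOG_RE.search(log_line)
    if not m or m["func"] not in FACILITY_OF:
        return "unrelated"
    if (FACILITY_OF[m["func"]], m["module"]) in configured(policy):
        # Listed for a facility where it lacks an entry point; may still be
        # harmless if it implements the facility's other entry point.
        return "review"
    return "benign"   # module is not listed for that facility at all

if __name__ == "__main__":
    print(triage(SAMPLE, SU_POLICY))
```
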