I tried on a NetBSD 3.0 system and it didn't work for me either. (And I 
tested again on -current and it does work there.)

Have a look in your /var/log/authlog.

On my 3.0 system I have:

Aug  3 18:54:37 ca su: default: unknown class
Aug  3 18:54:37 ca su: pam_acct_mgmt: error in service module
Aug  3 18:56:07 ca su: default: unknown class
Aug  3 18:56:07 ca su: pam_acct_mgmt: error in service module

So I added the "default" to the /etc/login.conf. And then I didn't get 
that error, but it ended up using "default" and never used the -c class 
that I chose.

It looks like the usr.bin/su code is the same.

In revision 1.21 of lib/libutil/login_cap.c the need for "default" was 
removed.

Probably difference in PAM or setusercontext.

One difference is that on -current using bogus su -c class fails:

# su -c kldfhkjfhdsjksdfh dummy 
su: Unknown class kldfhkjfhdsjksdfh

# id
uid=0(root) gid=0(wheel) 
groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest)


But does not fail on 3.0:

# su -c dumsdhjkhdfsjkhdfjksmy dummy
% id
uid=1006(dummy) gid=100(users) groups=100(users)


We need to find where the -c class name is lost with su. 

Please file a PR for this.

- Jeremy C. Reed