Su command fails after installing PIM Endpoint agent

Document ID : KB000029151
Last Modified Date : 14/02/2018


The customer had QUEST Vintela Authentication Services (VAS) installed on their machine and was able to run all standard OS commands without any issues.

Once the PIM 12.8 endpoint was introduced into the environment (SunOS 5.10 Update 11), users lost the ability to execute the su command and could only run the PIM version (sesu). No errors were displayed except for:

#su 'sorry'


# su: unable to set credentials



PIM 12.8 endpoint

SunOS 5.10 Update 11



During execution of the su command there were no errors or denials from PIM or VAS, although the trace that was set around the command would display: "INFO    : 0 no such process". In the pam.conf file it only contained which only utilizes PIM to execute su. With the addition of the optional file it has the choice to go through either OR to execute the command.

To discover more precisely which file su is utilizing, the following procedure can be followed:

  1. Place the added line AFTER the CM su auth line (may cause su to stop working or may proceed to the

  2. Set the pam_vas3 line from optional to required (forces pam.conf to utilize pam_vas3 for su rather than pam_seos)

  3. Attempt a combination of the two above tests (results unpredictable as they would be based solely on the results of steps 1 & 2)

I would not, however, suggest removing the 'su auth option' line, as it may cause the same errors that were being received when was not added to the pam.conf (although it is a valid test, I wouldn't remove the line completely, as it may be needed for sanity checks).



Modified the pam.conf file with the following line:


**su auth optional create_homedir get_nonvas_pass try_first_pass**

and read as follows:

su auth optional create_homedir get_nonvas_pass try_first_pass

su auth    optional

The addition of this line allows the su command to authenticate via the which was required for this user.
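
To check which modules su will walk through, in what order and with which control flags, before and after pam.conf edits like the ones tested above, the effective auth stack can be listed directly from the file. The script below is an added example, not part of the original KB article or of the vendor's tooling; the function names (pam_stack, sample_pam_conf), the sample entries and the module file names in them are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): list the auth modules a service
# will walk through, in order, from a Solaris-style pam.conf read on stdin.
# Entry format: service  module_type  control_flag  module_path  [options]

# pam_stack SERVICE TYPE < pam.conf
# Prints "N control_flag module_path options" per entry, in file order.
# Uses the "other" entries when SERVICE has none of that TYPE, and prints
# "MALFORMED <line>" for an entry that has no module path.
pam_stack() {
    awk -v svc="$1" -v typ="$2" '
        function emit(pos, line,    f, k, i, out) {
            k = split(line, f)
            if (k < 4) { print "MALFORMED " line; return }
            out = pos " " f[3] " " f[4]
            for (i = 5; i <= k; i++) out = out " " f[i]
            print out
        }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        $2 != typ      { next }               # other module types
        $1 == svc      { own[++n] = $0 }      # entries for this service
        $1 == "other"  { dfl[++m] = $0 }      # default entries
        END {
            if (n > 0) for (i = 1; i <= n; i++) emit(i, own[i])
            else       for (i = 1; i <= m; i++) emit(i, dfl[i])
        }
    '
}

# Constructed sample; the module file names are assumptions for illustration.
sample_pam_conf() {
    cat <<'EOF'
# constructed pam.conf fragment
login  auth  required  pam_unix_auth.so.1
su     auth  optional  pam_vas3.so  create_homedir get_nonvas_pass try_first_pass
su     auth  required  pam_seos.so
su     auth  optional
other  auth  required  pam_unix_auth.so.1
EOF
}

# Demo on the constructed sample: the su auth stack, in evaluation order.
sample_pam_conf | pam_stack su auth
```

On the endpoint it would be run as `pam_stack su auth < /etc/pam.conf`. On Solaris 10, /usr/bin/awk is the old awk without user-defined functions, so substitute nawk or /usr/xpg4/bin/awk inside the function.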