Subject: Re: PAM enabled on head
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 03/01/2005 11:20:16
In article <20050301133609.626732AC97@beowulf.gw.com>,
Christos Zoulas <christos@zoulas.com> wrote:
>On Mar 1,  9:57am, tih@eunetnorge.no (Tom Ivar Helbekkmo) wrote:
>-- Subject: Re: PAM enabled on head
>
>| christos@zoulas.com (Christos Zoulas) writes:
>| 
>| > Everything should work as expected, but if it does not, there is always
>| > send-pr.
>| 
>| Before I do that, could I have a sanity check from people on
>| something?  I use Kerberos 5, and have a /root/.k5login that specifies
>| who is allowed to access each system's root account.  Using lines of
>| the form "myuser/root@MY.REALM" here, I expect su to check that the
>| user invoking su is listed in the file, and ask for the Kerberos
>| password of the myuser/root instance listed.
>| 
>| With a fresh -current, su doesn't do this check, but just asks for the
>| Kerberos password of "root@MY.REALM", which doesn't even exist.
>
>There is PR29553 for that already, and elric is looking at it.
>

Can you try this patch?

christos

Index: su
===================================================================
RCS file: /cvsroot/src/etc/pam.d/su,v
retrieving revision 1.4
diff -u -u -r1.4 su
--- su	27 Feb 2005 03:40:14 -0000	1.4
+++ su	1 Mar 2005 16:19:10 -0000
@@ -6,9 +6,10 @@
 # auth
 auth		sufficient	pam_rootok.so		no_warn
 auth		sufficient	pam_self.so		no_warn
+auth		sufficient	pam_ksu.so		no_warn try_first_pass
 auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
 #auth		sufficient	pam_group.so		no_warn group=rootauth root_only fail_safe authenticate
-auth		include		system
+auth		required	pam_unix.so		no_warn try_first_pass nullok
 
 # account
 account		required	pam_login_access.so
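Review bot: The new `sufficient` pam_ksu.so entry sits above the `requisite` pam_group.so wheel check, so a principal that authenticates via /root/.k5login gains root without having to be in group wheel; that matches the behaviour described in the quoted report, but it is a policy change and deserves a comment line in the file next to the pam_ksu.so entry saying that .k5login membership is deliberately accepted in place of the wheel check. Separately, replacing `auth include system` with an explicit `auth required pam_unix.so no_warn try_first_pass nullok` line means later edits to the shared system policy no longer apply to su, and `nullok` hard-codes acceptance of empty local passwords here; if the only reason for the explicit line is that pam_unix.so must follow pam_ksu.so, state that in the commit message, and otherwise consider keeping `include system` after the pam_ksu.so line. Note also that with `try_first_pass` on both modules, a password rejected by pam_ksu.so is re-tried against the local password database, which is fine but worth mentioning so nobody expects a Kerberos failure to be final.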