Re: Odd problem with SU command
Sorry, meant to include this output too:

cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (s390x)
VERSION = 9
PATCHLEVEL = 3

Jeremy Warren <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port
10/11/2006 08:41 AM
Please respond to Linux on 390 Port
To: LINUX-390@VM.MARIST.EDU
cc:
Subject: Re: [LINUX-390] Odd problem with SU command

Marcy,

We are connecting to Win2K3 (Not R2) AD using nss_ldap + pam_kerberos (not Vintela). Works fine for us.

** [OUTPUT OF ID COMMAND OBFUSCATED TO PROTECT THE INNOCENT]

linux249:/var/log # cat /etc/passwd | grep tstjrw
linux249:/var/log # su - tstjrw -c id;echo $?
uid=[MASKED](tstjrw) gid=[MASKED]([MASKED]) groups=[MASKED]
0
linux249:/var/log # cat /etc/passwd | grep tst000
tst000:x:[MASKED]:[MASKED]:[MASKED]:/home/tst000:/bin/bash
linux249:/var/log # su - tst000 -c id;echo $?
uid=[MASKED](tst000) gid=[MASKED]([MASKED]) groups=[MASKED]
0

Marcy Cortes <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port
10/10/2006 03:23 PM
Please respond to Linux on 390 Port
To: LINUX-390@VM.MARIST.EDU
cc:
Subject: [LINUX-390] Odd problem with SU command

Running Sles9x, SP3.

We have sw installed that authenticates users against Active Directory using pam.d stuff (Vintela VAS). Those users don't have to be in /etc/passwd at all.

In trying to install db2, we needed to create a local userid. Fine, no problem, this is supported. But the su command returns rc 1 if the user is local and rc 0 if the user is VAS. This makes the db2icrt script fail.

Was wondering if someone out there is also using an off-server authentication method could check and see if it fails for them too?

From root:
su (localuser) -c id
echo $?
su (non-localuser) -c id
echo $?

Return code 1 is supposed to mean su failed, but su doesn't fail - we do get the results of the command properly.

The RH Intel Linux servers don't have this problem and removing the VAS calls from /etc/pam.d/su didn't seem to make a difference either.

We're reporting it to support, but was hoping to narrow it down to whose support :)

Marcy Cortes

"This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation."

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: Odd problem with SU command
Marcy,

We are connecting to Win2K3 (Not R2) AD using nss_ldap + pam_kerberos (not Vintela). Works fine for us.

** [OUTPUT OF ID COMMAND OBFUSCATED TO PROTECT THE INNOCENT]

linux249:/var/log # cat /etc/passwd | grep tstjrw
linux249:/var/log # su - tstjrw -c id;echo $?
uid=[MASKED](tstjrw) gid=[MASKED]([MASKED]) groups=[MASKED]
0
linux249:/var/log # cat /etc/passwd | grep tst000
tst000:x:[MASKED]:[MASKED]:[MASKED]:/home/tst000:/bin/bash
linux249:/var/log # su - tst000 -c id;echo $?
uid=[MASKED](tst000) gid=[MASKED]([MASKED]) groups=[MASKED]
0
Re: Odd problem with SU command
Post, Mark K wrote:

Marcy,

Your syntax is suspect to me. According to the man page, -c specifies a command to be executed, not a userid.

Whatcha smokin, man? id is a command:

[EMAIL PROTECTED] ~]$ su root -c id
Password:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
[EMAIL PROTECTED] ~]$

This, of course, is how Marcy should have shown is what works, what doesn't;-)

--
Cheers
John

-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

Please do not reply off-list
Re: Odd problem with SU command
We run using LDAP for the bulk of our authentication. I tried your test and got a zero return code for both:

rockhopper:~ # su suseftp -c id
uid=1002(suseftp) gid=100(users) groups=14(uucp),16(dialout),17(audio),33(video),100(users)
rockhopper:~ # echo $?
0
rockhopper:~ # su rpn01 -c id
uid=42312(rpn01) gid=5037(rpn01) groups=4(nssunix),100(users),500(mail),2501(nssldap),5036(nssprintmgr),5037(rpn01),5146(focapp),5147(rrisapp),5148(ecapp),5149(retroapp),5150(bsc),5151(prptng)
rockhopper:~ # echo $?
0
rockhopper:~ #

--
 .~.    Robert P. Nix    Mayo Foundation
 /V\    RO-OC-1-13       200 First Street SW
/( )\   507-284-0844     Rochester, MN 55905
^^-^^
"In theory, theory and practice are the same, but in practice, theory and practice are different."
Re: Odd problem with SU command
Right, the "id" (/usr/bin/id) command for test. db2 uses -c /bin/pwd
I just tried id because then one can tell that it did really execute as someone else.

Marcy Cortes

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Post, Mark K
Sent: Tuesday, October 10, 2006 12:55 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Odd problem with SU command

Marcy,

Your syntax is suspect to me. According to the man page, -c specifies a command to be executed, not a userid.

Mark Post
Re: Odd problem with SU command
Marcy,

Your syntax is suspect to me. According to the man page, -c specifies a command to be executed, not a userid.

Mark Post
Odd problem with SU command
Running Sles9x, SP3.

We have sw installed that authenticates users against Active Directory using pam.d stuff (Vintela VAS). Those users don't have to be in /etc/passwd at all.

In trying to install db2, we needed to create a local userid. Fine, no problem, this is supported. But the su command returns rc 1 if the user is local and rc 0 if the user is VAS. This makes the db2icrt script fail.

Was wondering if someone out there is also using an off-server authentication method could check and see if it fails for them too?

From root:
su (localuser) -c id
echo $?
su (non-localuser) -c id
echo $?

Return code 1 is supposed to mean su failed, but su doesn't fail - we do get the results of the command properly.

The RH Intel Linux servers don't have this problem and removing the VAS calls from /etc/pam.d/su didn't seem to make a difference either.

We're reporting it to support, but was hoping to narrow it down to whose support :)

Marcy Cortes
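
The test described in this thread, written as a repeatable check. This is an added example, not part of any of the original posts: it records, per account, whether the user is in the local passwd file and whether the command really ran as that user, separately from the exit status su reported. The names `SU`, `PASSWD_FILE`, `account_source` and `su_check` are hypothetical, and any account missing from the passwd file is assumed to be resolved through NSS/PAM.

```shell
#!/bin/sh
# Added example: separate "did the command run as the target user" from
# "what exit status did su report", for local vs. directory accounts.
# SU and PASSWD_FILE can be overridden so the logic can be exercised
# without root (both names are assumptions of this example).
SU=${SU:-su}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# account_source USER -> "local" if USER has an entry in the passwd file,
# otherwise "directory" (assumed to come from NSS/PAM, e.g. LDAP or AD).
account_source() {
    if awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"; then
        echo local
    else
        echo directory
    fi
}

# su_check USER -> prints "USER SOURCE rc=N VERDICT", where VERDICT is
#   ok               command ran as USER and su returned 0
#   ran-but-nonzero  command ran as USER, yet su returned non-zero
#                    (the symptom reported in this thread)
#   failed           command did not run as USER
su_check() {
    user=$1
    # "&& rc=0 || rc=$?" keeps the exit status even when errexit is on.
    out=$("$SU" "$user" -c 'id -un' 2>/dev/null) && rc=0 || rc=$?
    if [ "$out" = "$user" ]; then
        if [ "$rc" -eq 0 ]; then verdict=ok; else verdict=ran-but-nonzero; fi
    else
        verdict=failed
    fi
    echo "$user $(account_source "$user") rc=$rc $verdict"
}

# Run as root, for example:  sh su_check.sh localuser non-localuser
for u in "$@"; do
    su_check "$u"
done
```

A `ran-but-nonzero` line for a local account next to an `ok` line for a directory account is the pattern to hand to support, together with the contents of /etc/pam.d/su.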