<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=607541716-30032007><FONT face=Arial
color=#0000ff size=2>I'm doing a check right now. Can anyone suggest a
good kit for this? I'm sure there's some better than the
rest...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=607541716-30032007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=607541716-30032007><FONT face=Arial
color=#0000ff size=2>Phil.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=607541716-30032007></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Daniel Pearson (Flashware Solutions)
[mailto:daniel@flashware.net] <BR><B>Sent:</B> 30 March 2007 16:58<BR><B>To:</B>
plug@plug.org.au; phillip@mve.com<BR><B>Subject:</B> Re: [plug] Help with
SU<BR></FONT><BR></DIV>
<DIV></DIV>No worries :-D<BR><BR>Is it worth doing a check for a rootkit? Have
any other files done odd things?<BR><BR>Phillip Bennett wrote:
<BLOCKQUOTE cite=mid00e801c772e3$dbeea020$27c909c0@glas.mve.com type="cite"><PRE wrap="">Sorry Daniel. I saw Mark at the top and addressed that to the wrong person.
Apologies,
Phil.
-----Original Message-----
From: <A class=moz-txt-link-abbreviated href="mailto:plug-bounces@plug.org.au">plug-bounces@plug.org.au</A> [<A class=moz-txt-link-freetext href="mailto:plug-bounces@plug.org.au">mailto:plug-bounces@plug.org.au</A>] On Behalf
Of Daniel Pearson (Flashware Solutions)
Sent: 30 March 2007 16:24
To: <A class=moz-txt-link-abbreviated href="mailto:plug@plug.org.au">plug@plug.org.au</A>
Subject: Re: [plug] Help with SU
Mark O'Shea wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">On Thu, 2007-03-29 at 14:46 +0100, Phillip Bennett wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">However, now I can't su to root. It gives me a 'wrong password' error.
Fortunately, I can still use 'sudo su -' to get root.
</PRE></BLOCKQUOTE><PRE wrap="">
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Can anyone shed any light on why this would happen? Or at least
where to look? I've checked the PAM files and the nsswitch.conf.
There's nothing in any of the logs (messages, secure etc..) I'm
completely stumped. I thought I knew how logging in worked, but I
guess I've missed something fairly important.
</PRE></BLOCKQUOTE><PRE wrap="">Curious. There's *nothing* in the logs for the auth facility (check
where it's going in the config for your syslogd, whichever one you
use) for su? Not even for the successful ones executed under sudo?
It sounds like you can authenticate okay for everything apart from su
using local password files now that your not going through kerberos to
authenticate to ad. This does suggest pam config, maybe things are
out of order. What does the pam config for su actually say?
</PRE></BLOCKQUOTE><PRE wrap=""><!---->What about sudo passwd root ?
_______________________________________________
PLUG discussion list: <A class=moz-txt-link-abbreviated href="mailto:plug@plug.org.au">plug@plug.org.au</A>
<A class=moz-txt-link-freetext href="http://www.plug.org.au/mailman/listinfo/plug">http://www.plug.org.au/mailman/listinfo/plug</A>
Committee e-mail: <A class=moz-txt-link-abbreviated href="mailto:committee@plug.linux.org.au">committee@plug.linux.org.au</A>
_______________________________________________
PLUG discussion list: <A class=moz-txt-link-abbreviated href="mailto:plug@plug.org.au">plug@plug.org.au</A>
<A class=moz-txt-link-freetext href="http://www.plug.org.au/mailman/listinfo/plug">http://www.plug.org.au/mailman/listinfo/plug</A>
Committee e-mail: <A class=moz-txt-link-abbreviated href="mailto:committee@plug.linux.org.au">committee@plug.linux.org.au</A>
</PRE></BLOCKQUOTE></BODY></HTML>