Su command fails after installing PIM Endpoint agent


Article ID: 29151


Updated On:


CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


The customer had QUEST Vintela Authentication Services (VAS) installed on their machine and was able to run all standard OS commands properly without any issues.

Once PIM 12.8 endpoint was introduced into the environment (SunOS 5.10 update 11) the users lost the ability to execute the su command and were only able to run the PIM version (sesu). There were no errors being displayed except for:

#su 'sorry'


# su: unable to set credentials


Release: ACP1M005900-12.8-Privileged Identity Manager
Component: Privileged Identity Manager

PIM 12.8 endpoint
SunOS 5.10 Update 11


During execution of the su command there were no errors or denials from PIM or VAS, although the trace that was set around the command displayed: "INFO    : 0 no such process". In the pam.conf file it only contained which only utilizes PIM to execute su. With the addition of the optional file it has the choice to go through either OR to execute the command.

To determine more precisely which file su is utilizing, the following procedure can be followed:

  1. Place the added line AFTER the CM su auth line (may cause su to stop working or may proceed to the

  2. Set the pam_vas3 line from optional to required (forces pam.conf to utilize pam_vas3 for su rather than pam_seos)

  3. Attempt a combination of the two above tests (results unpredictable as they would be based solely on the results of steps 1 & 2)

I would not, however, suggest removing the 'su auth option' line, as it may cause the same errors that were being received when was not added to the pam.conf (although it is a valid test, I wouldn't remove the line completely as it may be needed for sanity checks).
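
A read-only way to see which modules the su auth stack contains, in what order and with which control flags, before and after trying the steps above. This is an added example, not part of the original article or the vendor's tooling. The sample pam.conf is constructed, its `/path/to/` module paths are placeholders, and the function names `pam_stack` and `pam_flag` are hypothetical.

```shell
#!/bin/sh
# Added example: list the PAM stack a service uses from a Solaris-style
# pam.conf, in evaluation order.
# Fields: service_name module_type control_flag module_path [options]

# pam_stack FILE SERVICE TYPE -> lines "N control_flag module_path"
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $2 != typ            { next }          # only the requested module type
        $1 == svc            { own[++n] = $3 " " $4 }
        $1 == "other"        { oth[++m] = $3 " " $4 }
        END {
            # "other" entries apply only when the service has none of this type
            if (n > 0) for (i = 1; i <= n; i++) print i, own[i]
            else       for (i = 1; i <= m; i++) print i, oth[i]
        }' "$1"
}

# pam_flag FILE SERVICE TYPE MODULE -> control flag of each entry whose
# module path ends in MODULE
pam_flag() {
    pam_stack "$1" "$2" "$3" | awk -v mod="$4" '
        { n = split($3, p, "/"); if (p[n] == mod) print $2 }'
}

# Constructed sample file; module paths are placeholders for whatever the
# endpoint's own pam.conf contains.
SAMPLE=${TMPDIR:-/tmp}/pam.conf.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not the customer's pam.conf
su     auth    optional /path/to/pam_vas3.so create_homedir get_nonvas_pass try_first_pass
su     auth    required /path/to/pam_seos.so
other  auth    required /path/to/pam_unix_auth.so.1
other  account required /path/to/pam_unix_account.so.1
EOF

pam_stack "$SAMPLE" su auth                 # the two su auth entries, in order
pam_flag  "$SAMPLE" su auth pam_vas3.so     # control flag of the pam_vas3 entry
pam_stack "$SAMPLE" su account              # no su entry, so "other" applies
```

On Solaris 10 the default /usr/bin/awk does not accept `-v`; run the functions with nawk or /usr/xpg4/bin/awk first in PATH.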



Modified the pam.conf file with the following line:


**su auth optional create_homedir get_nonvas_pass try_first_pass**

and read as follows:

su auth optional create_homedir get_nonvas_pass try_first_pass

su auth    optional

The addition of this line allows the su command to authenticate via the which was required for this user.