The customer had QUEST Vintela Authentication Services (VAS) installed on their machine and was able to run all standard OS commands without any issues.
Once the PIM 12.8 endpoint was introduced into the environment (SunOS 5.10 Update 11), the users lost the ability to execute the su command and were only able to run the PIM version (sesu). No errors were displayed except for:
#su 'sorry'
or
# su: unable to set credentials
Release: ACP1M005900-12.8-Privileged Identity Manager
Component: Privileged Identity Manager
Environment:
PIM 12.8 endpoint
SunOS 5.10 Update 11
During execution of the su command there were no errors or denials from PIM or VAS, although the trace that was set around the command displayed: "INFO : 0 no such process". For su, the pam.conf file contained only pam_seos.so, which uses only PIM to execute su. With the addition of the optional pam_vas3.so entry, su can go through either pam_seos.so or pam_vas3.so to execute the command.
For a more precise method of discovering the pam_seos.so file that su is utilizing, the following procedure can be done:
I would not, however, suggest removing the 'su auth optional pam_seos.so' line, as it may cause the same errors that were being received when pam_vas3.so was not added to pam.conf (although it is a valid test, I wouldn't remove the line completely, as it may be needed for sanity checks).
The pam.conf file was modified with the following line:
**su auth optional pam_vas3.so create_homedir get_nonvas_pass try_first_pass**
so that the su entries read as follows:
su auth optional pam_vas3.so create_homedir get_nonvas_pass try_first_pass
su auth optional pam_seos.so
The addition of this line allows the su command to authenticate via pam_vas3.so, which was required for this user.
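
One way to confirm which auth modules pam.conf gives su before and after the change above. This is an added example, not part of the original article or of the PIM or VAS tooling; the function names, status words and sample files are constructed, and the "other" line in the sample is an assumed typical fallback entry.

```shell
#!/bin/sh
# Added example. On Solaris 10 run with AWK=nawk (the legacy /usr/bin/awk lacks -v).
AWK=${AWK:-awk}

# pam_auth_stack FILE SERVICE
# Prints "control module" for each auth entry of SERVICE, in file order.
# When SERVICE has no auth entries, the "other" entries are printed instead,
# which is how pam.conf resolves a service without its own lines.
pam_auth_stack() {
    "$AWK" -v svc="$2" '
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }   # comments, short lines, other types
        { mod = $4; sub(/.*\//, "", mod) }              # keep the module file name only
        $1 == svc     { own[++n] = $3 " " mod }
        $1 == "other" { oth[++m] = $3 " " mod }
        END {
            if (n) { for (i = 1; i <= n; i++) print own[i] } else {
                     for (i = 1; i <= m; i++) print oth[i] }
        }' "$1"
}

# check_su_stack FILE
# Prints "vas3-present" when su can authenticate through pam_vas3.so,
# "seos-only" for the state in which su failed in this article,
# "neither" when neither module is in the stack su would use.
check_su_stack() {
    stack=$(pam_auth_stack "$1" su)
    case "$stack" in
        *pam_vas3.so*) echo vas3-present ;;
        *pam_seos.so*) echo seos-only ;;
        *)             echo neither ;;
    esac
}

# Constructed sample files (not taken from the customer's system).
tmp=${TMPDIR:-/tmp}/pamconf.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample: before the change' \
    'other auth required pam_unix_auth.so.1' \
    'su auth optional pam_seos.so' > "$tmp/before"
printf '%s\n' '# constructed sample: after the change' \
    'other auth required pam_unix_auth.so.1' \
    'su auth optional pam_vas3.so create_homedir get_nonvas_pass try_first_pass' \
    'su auth optional pam_seos.so' > "$tmp/after"

for f in before after; do
    echo "$f: $(check_su_stack "$tmp/$f")"
done
```

To check a live system, call `check_su_stack /etc/pam.conf`.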