su reports: could not open session

Posted by tonykorn97 on 2006-11-15

When running su, it reports: could not open session
It does not work for newly created users either.
Users can log in directly, but a uid error is reported.

[root@XiMenFront ~]# useradd -g users -d /home/xxx -u 520 xxx
[root@XiMenFront ~]# su - xxx
could not open session


A post from someone online:
Support wrote:
> I'm using RH 9, I could not su to other users besides root. When I do "su"
>
> [root@server] # su - user1
> could not open session
>
> If I do this directly from console:
> id: user1
> passwd:
>
> id: could not find name for uesr ID 1001
> id: could not find name for uesr ID 1001
> [I have no user1]$
> Does anyone know about it? Please advise.
>

1) Study the error messages in
# cat /var/log/messages (and possibly in /var/log/secure)

2) /etc/passwd and /etc/shadow files are probably OK.
Anyway, check the lines.
# grep user1 /etc/passwd /etc/shadow

3) Check file permissions
# ls -ld /etc /etc/passwd /etc/shadow /etc/pam.d
drwxr-xr-x 103 root root 12288 Mar 15 10:04 /etc
drwxr-xr-x 2 root root 4096 Mar 15 10:05 /etc/pam.d
-rw-r--r-- 1 root root 2623 Mar 15 09:50 /etc/passwd
-rw------- 1 root root 1588 Mar 15 09:52 /etc/shadow

(just note: /etc/shadow should always be -r-r--r--)

4) Maybe there is something wrong in "/etc/pam.d/su" file ?
# cat /etc/pam.d/su (note: this machine is Fedora-2 test)

#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_selinux.so multiple
session optional /lib/security/$ISA/pam_xauth.so

Checking the failing server:
vi /var/log/messages

Nov 15 18:01:51 XiMenFront su(pam_unix)[3303]: session opened for user informix by root(uid=0)
Nov 15 18:01:51 XiMenFront su[3303]: Warning! Could not relabel /dev/pts/2 with user_u:object_r:initrc_devpts_t,
not relabeling.Operation not permitted

Running the check:
[root@XiMenFront ~]# ls -ld /etc /etc/passwd /etc/shadow /etc/pam.d
drwxr-xr-x 80 root root 12288 Nov 15 18:08 /etc
drwxr-xr-x 2 root root 4096 Nov 14 18:33 /etc/pam.d
-rw------- 1 root root 2180 Nov 15 18:08 /etc/passwd
-rw------- 1 root root 1435 Nov 15 18:08 /etc/shadow
The permissions turn out to be wrong:
[root@XiMenFront ~]# chmod go+r /etc/passwd
[root@XiMenFront ~]# ls -ld /etc /etc/passwd /etc/shadow /etc/pam.d
drwxr-xr-x 80 root root 12288 Nov 15 18:08 /etc
drwxr-xr-x 2 root root 4096 Nov 14 18:33 /etc/pam.d
-rw-r--r-- 1 root root 2180 Nov 15 18:08 /etc/passwd
-rw------- 1 root root 1435 Nov 15 18:08 /etc/shadow
After fixing the permissions, it works.
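
The manual `ls -ld` comparison above, as an added shell example (not part of the original post): it checks the "other" permission bits on the four paths against the working listings on this page, flagging a root-only /etc/passwd like the one that broke `su` here. The function names and the `--live` argument are made up for this example, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (-c).
# Function names and the --live argument are made up for this example.

# Print the "other" permission digit (last octal digit of the mode) of $1.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo "${mode#"${mode%?}"}"
}

# Succeed only if every bit in $2 (4 = read, 1 = search) is set for "other" on $1.
has_other() {
    o=$(other_bits "$1") || return 2
    [ $(( o & $2 )) -eq "$2" ]
}

# Audit the account files under root directory $1 ("" means the live system).
# Returns 0 if all checks pass, 1 otherwise.
audit() {
    root=$1
    rc=0
    # Bits taken from the working listings on this page: /etc and /etc/pam.d
    # are r-x for "other", /etc/passwd is r-- for "other".
    for spec in /etc:5 /etc/pam.d:5 /etc/passwd:4; do
        path=$root${spec%%:*}
        need=${spec##*:}
        if has_other "$path" "$need"; then
            echo "ok    $path"
        else
            echo "FAIL  $path: 'other' lacks permission bits $need"
            rc=1
        fi
    done
    # /etc/shadow holds password hashes; both listings on this page show
    # -rw-------, i.e. no access for "other". chmod go+r belongs on passwd only.
    if [ "$(other_bits "$root/etc/shadow")" = 0 ]; then
        echo "ok    $root/etc/shadow"
    else
        echo "FAIL  $root/etc/shadow: must not be accessible to 'other'"
        rc=1
    fi
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    audit ""
fi
```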

From the ITPUB blog, link: http://blog.itpub.net/312079/viewspace-245524/. If you reproduce this article, please credit the source; otherwise legal liability will be pursued.
