su not giving proper message for restricted LDAP groups
Posted by user1743881 on Server Fault
Published on 2012-10-13T20:10:57Z, indexed on 2012/10/13 21:40 UTC
I have configured PAM authentication on a Linux box to restrict login to one particular group only.
I have enabled PAM and LDAP through authconfig and modified access.conf like below:
<code>
[root@test root]# tail -1 /etc/security/access.conf
- : ALL EXCEPT root test-auth : ALL
</code>
I also modified the sudoers file to get su for this group:
<code>
[root@test ~]# tail -1 /etc/sudoers
%test-auth ALL=/bin/su
</code>
Now, only members of this LDAP group can log in to the system.
However, when I try su from any of these authorized users, it asks for a password, and even though I enter the correct password it gives a message like "Incorrect password" and the login fails.
/var/log/secure shows that the user does not have permission to get access, but then it should print a message like "Access denied", the way it prints for console login.
My functionality is working, but it's not giving proper messages. Could anyone please help with this?
My /etc/pam.d/su file:
<code>
[root@test root]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
</code>
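As an added example that is not part of the original post, the following Python script models how pam_access evaluates the single access.conf rule quoted above (`- : ALL EXCEPT root test-auth : ALL`) for a few constructed users, so you can see which users that line denies and which it lets through to the rest of the stack. It assumes the pam_access semantics of "first matching entry wins, no match means access granted" and, as in the poster's configuration, that a bare name in the users field matches either a login name or a group name; the user and group names other than root and test-auth are constructed for illustration.

```python
"""Minimal model of pam_access rule evaluation for /etc/security/access.conf.

Each line has the form  permission : users : origins
  permission  '+' grants access, '-' denies it
  users       login names, group names or ALL, optionally 'EXCEPT' a list
  origins     ttys/hosts, or ALL (only ALL and literal names are modelled here)
The first matching entry decides; if no entry matches, access is granted.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Rule:
    allow: bool                # True for '+', False for '-'
    users: List[str]           # names before EXCEPT
    except_users: List[str]    # names after EXCEPT (may be empty)
    origins: List[str]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf content into a list of Rule objects, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users, origins = fields
        names, _, excepted = users.partition(" EXCEPT ")
        rules.append(Rule(perm == "+", names.split(), excepted.split(), origins.split()))
    return rules


def _matches_user(names: List[str], user: str, groups: Set[str]) -> bool:
    # A bare name matches the login name or one of the user's groups (assumption
    # matching the poster's config); ALL matches everyone.
    return any(n == "ALL" or n == user or n in groups for n in names)


def _matches_origin(origins: List[str], origin: str) -> bool:
    return any(o == "ALL" or o == origin for o in origins)


def access_allowed(rules: List[Rule], user: str, groups: Set[str], origin: str = "tty1") -> bool:
    """Return True if pam_access would let this user in from this origin."""
    for r in rules:
        if (_matches_user(r.users, user, groups)
                and not _matches_user(r.except_users, user, groups)
                and _matches_origin(r.origins, origin)):
            return r.allow
    return True   # pam_access default when nothing matches


# Constructed sample: the poster's rule plus a comment line.
SAMPLE_CONF = """\
# deny everyone except root and the test-auth LDAP group
- : ALL EXCEPT root test-auth : ALL
"""
RULES = parse_access_conf(SAMPLE_CONF)

if __name__ == "__main__":
    # Constructed users: alice is in test-auth, bob is not.
    for user, groups in [("root", set()), ("alice", {"test-auth"}), ("bob", {"users"})]:
        verdict = "allowed" if access_allowed(RULES, user, groups) else "denied"
        print(f"{user:6} groups={sorted(groups)} -> {verdict}")
```

Because the rule uses `ALL` as its origin, it applies to every login path that runs pam_access, not just the console; a user outside test-auth is denied the same way regardless of where the account check is invoked from.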
© Server Fault or respective owner