[
    {
        "role": "user",
        "content": "I%20am%20root%20on%20a%20debian%2013%20system.%20I%20am%20trying%20to%20change%20to%20another%20user%20with%20su%20newuser%20but%20it%20says%20authentication%20failure"
    },
    {
        "role": "assistant",
        "content": "If you\u2019re getting `su: Authentication failure` on a Debian 13 system when trying to switch to another user (e.g. `su newuser`), there are a few common causes. Since you're root already, this is less straightforward than when a normal user tries `su` \u2014 root should normally be able to switch to any user without entering the target user's password. Here's how to troubleshoot and fix it.\n\n---\n\n## How `su` works for root\n\n- If you're logged in as **root** (UID 0) and run `su username`, you should *not* need the password of `username` (unless PAM is configured to block that).  \n- If root\u2019s account is locked, or PAM is configured to treat root-user requests differently, you could see authentication failures.  \n\nSo first check why `root` can't do this, because something\u2019s interfering with a normally unrestricted usage of `su`.\n\n---\n\n## Possible causes & how to check/fix\n\n| Cause | How to check | How to fix |\n|---|---|---|\n| **Root account is locked or password not set/unusable** | Check root\u2019s status: `passwd -S root`\u2014look for \"L\" indicating locked. Or `grep root /etc/shadow`\u2014if second field starts with `!` or `*`, it's locked. | Unlock root: `passwd root` to set a password, or `passwd -u root` to unlock. ([idroot.us](https://idroot.us/change-root-password-debian-13/?utm_source=openai)) |\n| **Filesystem is accidentally read-only** | Run `mount` and check `/` or wherever `/etc/shadow` lives\u2014if it's ro, you\u2019ll see `(ro,...)`. | Remount read-write: `mount -o remount,rw /` (or adjust your fstab/init system). ([idroot.us](https://idroot.us/change-root-password-debian-13/?utm_source=openai)) |\n| **PAM (\u201cPluggable Authentication Modules\u201d) is configured to restrict `su` for even root** | Inspect `/etc/pam.d/su` and see if lines like `auth requisite pam_wheel.so group=wheel` are active. Or see if `pam_listfile` or `pam_deny` etc. are in effect. | Modify `/etc/pam.d/su`, comment out restrictive lines (if safe to do so). Make sure root is in any required group, or remove group restriction. ([debian.org](https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.html?utm_source=openai)) |\n| **User `newuser` has expired/locked password or no login shell** | Check `getent passwd newuser` for shell, check `/etc/shadow` for lock or expiration. | Give newuser a valid shell in `/etc/passwd`, unlock or reset their password: `passwd newuser`. |\n\n---\n\n## Steps you should try (as root)\n\nHere\u2019s a sequence to diagnose/fix:\n\n```sh\n# 1. Check root\u2019s status\npasswd -S root\ngrep '^root:' /etc/shadow\n\n# 2. If locked or invalid password:\npasswd root\n# optionally:\npasswd -u root\n\n# 3. Check PAM configuration for su\ncat /etc/pam.d/su | grep -E 'wheel|restrict|auth required'\n\n# If you find something like pam_wheel configured:\n# ensure root (or your real user) is in the wheel group\naddgroup root wheel  # root likely already has UID 0, but just in case\n\n# or comment out the wheel check if you don't want that restriction\n\n# 4. Check newuser's account\ngetent passwd newuser\ngrep '^newuser:' /etc/shadow\n\n# If newuser locked or no login shell:\nchsh newuser --shell /bin/bash\npasswd newuser\n\n# 5. Try switching again:\nsu newuser\n```\n\n---\n\n## More context specific to Debian 13 (\u201cTrixie\u201d)\n\n- By default in Debian 13 (as of around release), if you **didn\u2019t set a root password during the install**, Debian might lock root account and rely on sudo instead. ([idroot.us](https://idroot.us/change-root-password-debian-13/?utm_source=openai))  \n- \u201csu: Authentication failure\u201d in this context is frequently because root is locked or has no usable password. Without a working root password, `su newuser` might fail under certain PAM settings. ([idroot.us](https://idroot.us/change-root-password-debian-13/?utm_source=openai))\n\n---\n\nIf you want, I can walk you through exactly what's on your system (owners of `/etc/shadow`, contents of `/etc/pam.d/su`, etc.) to figure out which case you\u2019re hitting. Do you want to try that?"
    }
]