su: Permission denied despite correct password

You have to add your user to the wheel group:

 gpasswd -a youruser wheel

Alternatively, you can disable the group membership check for su in pam by editing

 /etc/pam.d/su

and commenting out this line:

auth       required     pam_wheel.so use_uid

It requires users to be in the wheel group to be able to switch user. User switching as non-root works again when this pam module is disabled for su.

There could be many problems. Check some of these items, using the hypothetical user, erik:

1. Is erik a member of the wheel group (groups)?
2. Are you providing the root password? (And not the password for erik)
3. Does /bin/su have these privileges: rwsr-xr-x (Is it setuid root? ls -l /bin/su)
4. Can you log in as root via the console?
5. Have you looked at the logs for a clue in an error message?
6. Have you turned on grsecurity in the kernel?
7. Did it ever work? If so, when did it break?
8. What happens if erik does a sudo su -?

There could be many reasons. It's very likely that the reason appears in the system logs. Look in /var/log for files that got modified at the time of an su attempt (the file name depends on your syslog configuration). If you have trouble interpreting log entries, copy-paste them into your question.