This occurs for me as well. Mostly in my lab setting. The problem comes in with the fact that we use LDAP to authenticate users then map it to a local account. The local accounts password is different from the password that the user enters to authenticate based on LDAP. This cause the login.keychain to lock. SU access the login.keychain. At the moment there is not a way to unlock the keychain based on Directory access such as ldap. What this means is that anyone one in a lab setting using a similar authentication method will run into it. It would be nice to be able to turn off SU so it didn't need to access the login keychain. Or an even better solution that I haven't been able to find either is something that either resets or changes the keychain password to match the LDAP Authentication. Just thought it is irritating because student users that login get freaked out when they see dialog boxes that ask for passwords. If you hit cancel 3 times it still allows the program to work so I assume that what ever it is doing is not critical but it help in terms of user experience to have it not happen at all.