Hello, I am forwarding one of the problems faced by a sysad. Please help.

----------

Hi

One of our sysadmins is having trouble configuring Sunray server software 4 on a Solaris 10 box to accept NIS users. Does the box need some kind of PAM-magic gesture to make dtlogin accept NIS users?

Best,
Sidsel

>
> ---------- Forwarded message ----------
> Date: Wed, 18 Jun 2008 19:08:37 +0200
> From: Truls Asheim <truls at diku.dk>
> To: sunray-users at filibeto.org
> Cc: purps at diku.dk
> Subject: Sunray login fails with NIS users (PAM_CONV_ERR)
>
> Hi
>
> I'm working on configuring SRSS 4 on a Solaris 10 box. I want to authenticate
> users using NIS but I've run into some problems doing this.
>
> When I try to log on as a NIS user on a DTU the login screen disappears for a
> while and then comes back and dtlogin reports a PAM conversation error
> (PAM_CONV_ERR) in /var/adm/messages. Logging in as a user which is created
> locally on the server works perfectly and I am also able to log into the
> server as a NIS user through, for instance, SSH. So I am pretty sure that
> both NIS and the Sunray software are working fine by themselves.
>
> Below I shall first list what's going on in various log files when I try to
> log on as a NIS user and then I will dump some config files:
>
> From /var/adm/messages
> Jun 18 17:21:09 skinfaxe dtlogin[3492]: [ID 699796 user.error]
> sunray_get_user:pam_sm_auth: pam_get_user returned 6 (PAM_CONV_ERR)
> Jun 18 17:21:09 skinfaxe dtlogin[3492]: [ID 699796 user.error]
> sunray_get_user:pam_sm_auth: pam_get_user returned 6 (PAM_CONV_ERR)
>
> From /var/opt/SUNWut/log/messages:
>
> Jun 18 17:55:42 skinfaxe dtlogin[5549]: [ID 118685 user.info]
> pam_sunray_amgh::[DPY=2] AMGH_SUMMARY: token=pseudo.00144fad7c0b,
> username=truls, AMGH_Done?=NO(Local Session), Details=AMGH is not
> configured., AMGH_Target=*NONE*
> Jun 18 17:55:45 skinfaxe dtlogin[5549]: [ID 118685 user.info]
> pam_sunray_amgh::[DPY=2] AMGH_SUMMARY: token=pseudo.00144fad7c0b,
> username=*NONE*, AMGH_Done?=NO(Local Session), Details=AMGH is not
> configured., AMGH_Target=*NONE*
> Jun 18 17:55:46 skinfaxe dtlogin[5549]: [ID 699796 user.error]
> sunray_get_user:pam_sm_auth: pam_get_user returned 6 (PAM_CONV_ERR)
> Jun 18 17:55:46 skinfaxe utauthd: [ID 794400 user.info] SessionManager0
> NOTICE: EMPTY: ACTIVE session
> Jun 18 17:55:48 skinfaxe kiosk:utkioskconfig:refresh[5785]: [ID 702911
> user.info] Disabled Kiosk Mode for display ':2'
> Jun 18 17:55:48 skinfaxe dtlogin[5670]: [ID 118685 user.info]
> pam_sunray_amgh::[DPY=2] AMGH_SUMMARY: token=pseudo.00144fad7c0b, username=,
> AMGH_Done?=NO(Local Session), Details=AMGH is not configured.,
> AMGH_Target=*NONE*
>
> From auth.debug:
> Jun 18 17:57:21 skinfaxe dtlogin[5670]: [ID 579461 auth.debug]
> pam_unix_account: entering pam_sm_acct_mgmt()
> Jun 18 17:57:21 skinfaxe dtlogin[5670]: [ID 390149 auth.debug] Unix
> Policy:truls, pw=Unix PW, lstchg=-1, min=-1, max=-1, warn=-1, inact=-1,
> expire=-1
>
> My /etc/pam.conf (The debugs are added by me)
>
> #
> # ident "@(#)pam.conf 1.29 07/04/10 SMI"
> #
> # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> # BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth required pam_unix_auth.so.1
> # BEGIN: added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> dtlogin-SunRay password required pam_dhkeys.so.1 debug
> dtlogin-SunRay password requisite pam_authtok_get.so.1 debug
> dtlogin-SunRay password requisite pam_authtok_check.so.1 debug
> dtlogin-SunRay password required pam_authtok_store.so.1 debug
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
> property=username debug
>
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 debug
> dtlogin-SunRay auth sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user
> ignoreuser debug
> dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so log=user debug
> dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so debug
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> debug
> #prompt debug
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> debug
> dtlogin-SunRay auth requisite pam_authtok_get.so.1 debug
> dtlogin-SunRay auth required pam_dhkeys.so.1 debug
> dtlogin-SunRay auth required pam_unix_cred.so.1 debug
> dtlogin-SunRay auth required pam_unix_auth.so.1 debug
> dtlogin-SunRay account sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user debug
> dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so debug
> dtlogin-SunRay account requisite pam_roles.so.1 debug
> dtlogin-SunRay account required pam_unix_account.so.1 debug
> dtlogin-SunRay session required /opt/SUNWkio/lib/pam_kiosk.so log=user debug
> dtlogin-SunRay session required pam_unix_session.so.1 debug
> # BEGIN: added to dtsession-SunRay by SunRay Server Software --
> dtsession-SunRay
> dtsession-SunRay account requisite pam_roles.so.1
> dtsession-SunRay account required pam_unix_account.so.1
> dtsession-SunRay session required pam_unix_session.so.1
> dtsession-SunRay password required pam_dhkeys.so.1
> dtsession-SunRay password requisite pam_authtok_get.so.1
> dtsession-SunRay password requisite pam_authtok_check.so.1
> dtsession-SunRay password required pam_authtok_store.so.1
> dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> dtsession-SunRay auth requisite pam_authtok_get.so.1
> dtsession-SunRay auth required pam_dhkeys.so.1
> dtsession-SunRay auth required pam_unix_cred.so.1
> dtsession-SunRay auth required pam_unix_auth.so.1
> # BEGIN: added to utnsclogin by SunRay Server Software -- utnsclogin
> utnsclogin account requisite pam_roles.so.1
> utnsclogin account required pam_unix_account.so.1
> utnsclogin session required pam_unix_session.so.1
> utnsclogin password required pam_dhkeys.so.1
> utnsclogin password requisite pam_authtok_get.so.1
> utnsclogin password requisite pam_authtok_check.so.1
> utnsclogin password required pam_authtok_store.so.1
> utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
> property=username
> utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utnsclogin auth requisite pam_authtok_get.so.1
> utnsclogin auth required pam_dhkeys.so.1
> utnsclogin auth required pam_unix_cred.so.1
> utnsclogin auth required pam_unix_auth.so.1
> # BEGIN: added to utadmingui by SunRay Server Software -- utadmingui
> utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> # BEGIN: added to utgulogin by SunRay Server Software -- utgulogin
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
> property=username
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
> token=auth,JavaBadge
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
>
>
> My /etc/nsswitch.conf (if it's relevant?)
>
> ## --- Enable backward compatibility ---
> passwd: compat
> group: compat
> shadow: compat
>
>
> ## --- Use DNS; fall back on NIS or local file ---
> hosts: files dns nis
> networks: files dns nis
>
> ## --- Use NIS; fall back on local files ---
> ethers: nis files
> netgroup: nis files
> publickey: nis files
>
> ## --- Speed up lookups by avoiding NIS ---
> protocols: files nis
> rpc: files nis
> services: files nis
>
> ## --- Local files take precedence ---
> aliases: files nis
>
> Does anyone have a clue of what's going on here?
>
> Thanks in advance
>
> Truls Asheim

This message posted from opensolaris.org
