> On 8/6/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote: > > When using Gnome as GUI, a white screen appears on the monitor with the > > following output: > > Enter password to unlock; select icon to lock. > > This is the 'xlock' program. SRSS uses 'xlock' to lock your screen > when 'xscreensaver' is unable to lock it. > > > And nothing happens. > > > > When using CDE as GUI, after the user inserts the smartcard, the CDE > dialog > > appears to unlocking the locked screen with the users' password, but no > > password will be accept and nothing happens. > [snip] > > In the system log I find at this time the line (it is a German system): > > > > Aug 7 01:20:12 picasso xlock[15300]: [ID 112702 auth.error] > pam_smartcard: > > Unexpected error from SCF_Session_getTerminal: Unbekannter Terminalname > > (unknown terminal name) > > It looks like the PAM configuration on this machine is broken. > Please post the contents of /etc/pam.conf from this system. >
Here is the /etc/pam.conf # #ident "@(#)pam.conf 1.28 04/04/21 SMI" # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # PAM configuration # # Unless explicitly defined, all services use the modules # defined in the "other" section. # # Modules are defined with relative pathnames, i.e., they are # relative to /usr/lib/security/$ISA. Absolute path names, as # present in this file in previous releases are still acceptable. # # Authentication management # # login service (explicit because of pam_dial_auth) # login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogin auth required pam_unix_auth.so.1 # # Kerberized rlogin service # krlogin auth required pam_unix_cred.so.1 krlogin auth binding pam_krb5.so.1 krlogin auth required pam_unix_auth.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 # # Kerberized rsh service # krsh auth required pam_unix_cred.so.1 krsh auth binding pam_krb5.so.1 krsh auth required pam_unix_auth.so.1 # # Kerberized telnet service # ktelnet auth required pam_unix_cred.so.1 ktelnet auth binding pam_krb5.so.1 ktelnet auth required pam_unix_auth.so.1 # # PPP service (explicit because of pam_dial_auth) # ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_cred.so.1 ppp auth required pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth required pam_unix_auth.so.1 # # passwd command (explicit because of a different authentication module) # passwd auth required pam_passwd_auth.so.1 # # cron service (explicit because of non-usage of pam_roles.so.1) # cron account required pam_unix_account.so.1 # # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 # # Default definition for Session management # Used when service name is not explicitly mentioned for session management # other session required pam_unix_session.so.1 # # Default definition for Password management # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 # # Support for Kerberos V5 authentication and example configurations can # be found in the pam_krb5(5) man page under the "EXAMPLES" section. # # dtlogin settings added by /usr/bin/smartcard dtlogin auth requisite pam_smartcard.so.1 dtlogin auth requisite pam_authtok_get.so.1 dtlogin auth required pam_dhkeys.so.1 dtlogin auth required pam_unix_cred.so.1 dtlogin auth required pam_unix_auth.so.1 # dtsession settings added by /usr/bin/smartcard dtsession auth requisite pam_smartcard.so.1 dtsession auth requisite pam_authtok_get.so.1 dtsession auth required pam_dhkeys.so.1 dtsession auth required pam_unix_cred.so.1 dtsession auth required pam_unix_auth.so.1 # xlock settings added by /usr/bin/smartcard xlock auth requisite pam_smartcard.so.1 xlock auth requisite pam_authtok_get.so.1 xlock auth required pam_dhkeys.so.1 xlock auth required pam_unix_cred.so.1 xlock auth required pam_unix_auth.so.1 # added to xscreensaver by SunRay Server Software -- xscreensaver xscreensaver auth requisite pam_smartcard.so.1 xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay xscreensaver auth requisite pam_authtok_get.so.1 xscreensaver auth required pam_dhkeys.so.1 xscreensaver auth required pam_unix_cred.so.1 xscreensaver auth required pam_unix_auth.so.1 xscreensaver account requisite pam_roles.so.1 xscreensaver account required pam_unix_account.so.1 xscreensaver session required pam_unix_session.so.1 xscreensaver password required pam_dhkeys.so.1 xscreensaver password requisite pam_authtok_get.so.1 xscreensaver password requisite pam_authtok_check.so.1 xscreensaver password required pam_authtok_store.so.1 # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser dtlogin-SunRay auth requisite pam_authtok_get.so.1 dtlogin-SunRay auth required pam_dhkeys.so.1 dtlogin-SunRay auth required pam_unix_cred.so.1 dtlogin-SunRay auth required pam_unix_auth.so.1 dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so dtlogin-SunRay account requisite pam_roles.so.1 dtlogin-SunRay account required pam_unix_account.so.1 # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay dtsession-SunRay auth requisite pam_authtok_get.so.1 dtsession-SunRay auth required pam_dhkeys.so.1 dtsession-SunRay auth required pam_unix_cred.so.1 dtsession-SunRay auth required pam_unix_auth.so.1 # added to utnsclogin by SunRay Server Software -- utnsclogin utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 utnsclogin auth requisite pam_authtok_get.so.1 utnsclogin auth required pam_dhkeys.so.1 utnsclogin auth required pam_unix_cred.so.1 utnsclogin auth required pam_unix_auth.so.1 # added to utadmingui by SunRay Server Software -- utadmingui utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1 # added to utgulogin by SunRay Server Software -- utgulogin utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 > Are you intentionally trying to use some sort of additional > smartcard-based authentication for your Sun Ray logins? What do you mean whith additional smartcard-based authentication? I only use smartcard-based authentication with PIN on the server (ocfserv daemon), but I think this is only a local configuration with the smartcard reader in the server and the local dtlogin, or is it not? > > OttoM. > __ > ottomeister > > Disclaimer: These are my opinions. I do not speak for my employer. > _______________________________________________ > SunRay-Users mailing list > [email protected] > http://www.filibeto.org/mailman/listinfo/sunray-users _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
