This error is coming from OCF, which is associated with pam_smartcard.so.
What are you hoping to accomplish by using this PAM module with Sun Ray?
-Bob
Jan Rottkamp wrote:
On 8/6/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
When using Gnome as GUI, a white screen appears on the monitor with the
following output:
Enter password to unlock; select icon to lock.
This is the 'xlock' program. SRSS uses 'xlock' to lock your screen
when 'xscreensaver' is unable to lock it.
And nothing happens.
When using CDE as GUI, after the user inserts the smartcard, the CDE
dialog
appears to unlocking the locked screen with the users' password, but no
password will be accept and nothing happens.
[snip]
In the system log I find at this time the line (it is a German system):
Aug 7 01:20:12 picasso xlock[15300]: [ID 112702 auth.error]
pam_smartcard:
Unexpected error from SCF_Session_getTerminal: Unbekannter Terminalname
(unknown terminal name)
It looks like the PAM configuration on this machine is broken.
Please post the contents of /etc/pam.conf from this system.
Here is the /etc/pam.conf
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# dtlogin settings added by /usr/bin/smartcard
dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth required pam_unix_auth.so.1
# dtsession settings added by /usr/bin/smartcard
dtsession auth requisite pam_smartcard.so.1
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth required pam_unix_cred.so.1
dtsession auth required pam_unix_auth.so.1
# xlock settings added by /usr/bin/smartcard
xlock auth requisite pam_smartcard.so.1
xlock auth requisite pam_authtok_get.so.1
xlock auth required pam_dhkeys.so.1
xlock auth required pam_unix_cred.so.1
xlock auth required pam_unix_auth.so.1
# added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth requisite pam_smartcard.so.1
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth required pam_unix_auth.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
xscreensaver session required pam_unix_session.so.1
xscreensaver password required pam_dhkeys.so.1
xscreensaver password requisite pam_authtok_get.so.1
xscreensaver password requisite pam_authtok_check.so.1
xscreensaver password required pam_authtok_store.so.1
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account required pam_unix_account.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth required pam_unix_auth.so.1
# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utnsclogin auth requisite pam_authtok_get.so.1
utnsclogin auth required pam_dhkeys.so.1
utnsclogin auth required pam_unix_cred.so.1
utnsclogin auth required pam_unix_auth.so.1
# added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
# added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
Are you intentionally trying to use some sort of additional
smartcard-based authentication for your Sun Ray logins?
What do you mean whith additional smartcard-based authentication?
I only use smartcard-based authentication with PIN on the server (ocfserv
daemon), but I think this is only a local configuration with the smartcard
reader in the server and the local dtlogin, or is it not?
OttoM.
__
ottomeister
Disclaimer: These are my opinions. I do not speak for my employer.
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users