> Bob Doolittle wrote:
> > This error is coming from OCF, which is associated with pam_smartcard.so.
> > What are you hoping to accomplish by using this PAM module with Sun Ray?

This is not my aim. I want that you have to authenticate with a smartcard and PIN on the server with its local built-in smartcard reader independent of the authentication policies for Sun Ray login. It should protect the access to the server login. I do not want to use OCF in connection with Sun Ray authentication.

Is there a way to use the local server authentication with smartcard and PIN without affecting the Sun Ray configuration?

Thanks a lot,
Jan

> > -Bob
> >
> > Jan Rottkamp wrote:
> >> On 8/6/06, Jan Rottkamp <[EMAIL PROTECTED]> wrote:
> >>
> >>> When using Gnome as GUI, a white screen appears on the monitor with the
> >>> following output:
> >>> Enter password to unlock; select icon to lock.
> >>>
> >> This is the 'xlock' program. SRSS uses 'xlock' to lock your screen
> >> when 'xscreensaver' is unable to lock it.
> >>
> >>
> >>> And nothing happens.
> >>>
> >>> When using CDE as GUI, after the user inserts the smartcard, the CDE dialog
> >>> appears for unlocking the locked screen with the user's password, but no
> >>> password will be accepted and nothing happens.
> >>>
> >> [snip]
> >>
> >>> In the system log I find at this time the line (it is a German system):
> >>>
> >>> Aug 7 01:20:12 picasso xlock[15300]: [ID 112702 auth.error] pam_smartcard:
> >>> Unexpected error from SCF_Session_getTerminal: Unbekannter Terminalname
> >>> (unknown terminal name)
> >>>
> >> It looks like the PAM configuration on this machine is broken.
> >> Please post the contents of /etc/pam.conf from this system.
> >>
> >>
> >
> > Here is the /etc/pam.conf
> >
> > #
> > #ident "@(#)pam.conf 1.28 04/04/21 SMI"
> > #
> > # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > # PAM configuration
> > #
> > # Unless explicitly defined, all services use the modules
> > # defined in the "other" section.
> > #
> > # Modules are defined with relative pathnames, i.e., they are
> > # relative to /usr/lib/security/$ISA. Absolute path names, as
> > # present in this file in previous releases are still acceptable.
> > #
> > # Authentication management
> > #
> > # login service (explicit because of pam_dial_auth)
> > #
> > login auth requisite pam_authtok_get.so.1
> > login auth required pam_dhkeys.so.1
> > login auth required pam_unix_cred.so.1
> > login auth required pam_unix_auth.so.1
> > login auth required pam_dial_auth.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin auth sufficient pam_rhosts_auth.so.1
> > rlogin auth requisite pam_authtok_get.so.1
> > rlogin auth required pam_dhkeys.so.1
> > rlogin auth required pam_unix_cred.so.1
> > rlogin auth required pam_unix_auth.so.1
> > #
> > # Kerberized rlogin service
> > #
> > krlogin auth required pam_unix_cred.so.1
> > krlogin auth binding pam_krb5.so.1
> > krlogin auth required pam_unix_auth.so.1
> > #
> > # rsh service (explicit because of pam_rhost_auth,
> > # and pam_unix_auth for meaningful pam_setcred)
> > #
> > rsh auth sufficient pam_rhosts_auth.so.1
> > rsh auth required pam_unix_cred.so.1
> > #
> > # Kerberized rsh service
> > #
> > krsh auth required pam_unix_cred.so.1
> > krsh auth binding pam_krb5.so.1
> > krsh auth required pam_unix_auth.so.1
> > #
> > # Kerberized telnet service
> > #
> > ktelnet auth required pam_unix_cred.so.1
> > ktelnet auth binding pam_krb5.so.1
> > ktelnet auth required pam_unix_auth.so.1
> > #
> > # PPP service (explicit because of pam_dial_auth)
> > #
> > ppp auth requisite pam_authtok_get.so.1
> > ppp auth required pam_dhkeys.so.1
> > ppp auth required pam_unix_cred.so.1
> > ppp auth required pam_unix_auth.so.1
> > ppp auth required pam_dial_auth.so.1
> > #
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other auth requisite pam_authtok_get.so.1
> > other auth required pam_dhkeys.so.1
> > other auth required pam_unix_cred.so.1
> > other auth required pam_unix_auth.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd auth required pam_passwd_auth.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron account required pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other account requisite pam_roles.so.1
> > other account required pam_unix_account.so.1
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session management
> > #
> > other session required pam_unix_session.so.1
> > #
> > # Default definition for Password management
> > # Used when service name is not explicitly mentioned for password management
> > #
> > other password required pam_dhkeys.so.1
> > other password requisite pam_authtok_get.so.1
> > other password requisite pam_authtok_check.so.1
> > other password required pam_authtok_store.so.1
> > #
> > # Support for Kerberos V5 authentication and example configurations can
> > # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> > #
> >
> > # dtlogin settings added by /usr/bin/smartcard
> > dtlogin auth requisite pam_smartcard.so.1
> > dtlogin auth requisite pam_authtok_get.so.1
> > dtlogin auth required pam_dhkeys.so.1
> > dtlogin auth required pam_unix_cred.so.1
> > dtlogin auth required pam_unix_auth.so.1
> >
> > # dtsession settings added by /usr/bin/smartcard
> > dtsession auth requisite pam_smartcard.so.1
> > dtsession auth requisite pam_authtok_get.so.1
> > dtsession auth required pam_dhkeys.so.1
> > dtsession auth required pam_unix_cred.so.1
> > dtsession auth required pam_unix_auth.so.1
> >
> > # xlock settings added by /usr/bin/smartcard
> > xlock auth requisite pam_smartcard.so.1
> > xlock auth requisite pam_authtok_get.so.1
> > xlock auth required pam_dhkeys.so.1
> > xlock auth required pam_unix_cred.so.1
> > xlock auth required pam_unix_auth.so.1
> > # added to xscreensaver by SunRay Server Software -- xscreensaver
> > xscreensaver auth requisite pam_smartcard.so.1
> > xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > xscreensaver auth requisite pam_authtok_get.so.1
> > xscreensaver auth required pam_dhkeys.so.1
> > xscreensaver auth required pam_unix_cred.so.1
> > xscreensaver auth required pam_unix_auth.so.1
> > xscreensaver account requisite pam_roles.so.1
> > xscreensaver account required pam_unix_account.so.1
> > xscreensaver session required pam_unix_session.so.1
> > xscreensaver password required pam_dhkeys.so.1
> > xscreensaver password requisite pam_authtok_get.so.1
> > xscreensaver password requisite pam_authtok_check.so.1
> > xscreensaver password required pam_authtok_store.so.1
> > # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> > dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> > dtlogin-SunRay auth requisite pam_authtok_get.so.1
> > dtlogin-SunRay auth required pam_dhkeys.so.1
> > dtlogin-SunRay auth required pam_unix_cred.so.1
> > dtlogin-SunRay auth required pam_unix_auth.so.1
> > dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> > dtlogin-SunRay account requisite pam_roles.so.1
> > dtlogin-SunRay account required pam_unix_account.so.1
> > # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> > dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> > dtsession-SunRay auth requisite pam_authtok_get.so.1
> > dtsession-SunRay auth required pam_dhkeys.so.1
> > dtsession-SunRay auth required pam_unix_cred.so.1
> > dtsession-SunRay auth required pam_unix_auth.so.1
> > # added to utnsclogin by SunRay Server Software -- utnsclogin
> > utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > utnsclogin auth requisite pam_authtok_get.so.1
> > utnsclogin auth required pam_dhkeys.so.1
> > utnsclogin auth required pam_unix_cred.so.1
> > utnsclogin auth required pam_unix_auth.so.1
> > # added to utadmingui by SunRay Server Software -- utadmingui
> > utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> > # added to utgulogin by SunRay Server Software -- utgulogin
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
> > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> > utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> > utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> >
> >
> >> Are you intentionally trying to use some sort of additional
> >> smartcard-based authentication for your Sun Ray logins?
> >>
> >
> > What do you mean with additional smartcard-based authentication?
> >
> > I only use smartcard-based authentication with PIN on the server (ocfserv
> > daemon), but I think this is only a local configuration with the smartcard
> > reader in the server and the local dtlogin, or is it not?
> >
> >
> >> OttoM.
> >> __
> >> ottomeister
> >>
> >> Disclaimer: These are my opinions. I do not speak for my employer.
> >> _______________________________________________
> >> SunRay-Users mailing list
> >> [email protected]
> >> http://www.filibeto.org/mailman/listinfo/sunray-users
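
As an added example (not part of the original thread): the quoted pam.conf carries pam_smartcard.so in several service stacks, including xlock, the service named in the logged error. This shell function lists every service whose stack calls a given module, with its control flag and position; the helper names are hypothetical and the sample file is an excerpt of the entries quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. pam.conf entry layout:
#   service  module_type  control_flag  module_path  [options]
# On Solaris use nawk or /usr/xpg4/bin/awk; the old /usr/bin/awk lacks -v.

# pam_module_users FILE MODULE [TYPE]   (hypothetical helper name)
# Prints "service control_flag position" for each TYPE entry (default: auth)
# whose module file is MODULE.so*; position is the 1-based index of the
# entry within that service's stack for TYPE.
pam_module_users() {
    awk -v mod="$2" -v mtype="${3:-auth}" '
        /^[ \t]*#/ || NF < 4 { next }       # comments, blank or short lines
        $2 == mtype {
            pos[$1]++
            n = split($4, parts, "/")       # basename of the module path
            if (index(parts[n], mod ".so") == 1)
                print $1, $3, pos[$1]
        }
    ' "$1"
}

# make_sample FILE: writes an excerpt of the pam.conf quoted in the thread.
make_sample() {
    cat > "$1" <<'EOF'
# excerpt for the example
login auth requisite pam_authtok_get.so.1
dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
xlock auth requisite pam_smartcard.so.1
xlock auth requisite pam_authtok_get.so.1
xscreensaver auth requisite pam_smartcard.so.1
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver account requisite pam_roles.so.1
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
EOF
}

sample="${TMPDIR:-/tmp}/pam.conf.sample.$$"
make_sample "$sample"
echo "auth stacks calling pam_smartcard:"
pam_module_users "$sample" pam_smartcard
echo "auth stacks calling pam_sunray:"
pam_module_users "$sample" pam_sunray
rm -f "$sample"
```

A `requisite` entry at position 1 means a failure in that module ends the stack before any later module runs.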
