Thank you for that explanation. I was thinking if the card was never
used before, and so is not associated with a session, I would enter my
user ID in the mobile session login, that would be fed to the AMGH
script, and I'd be connected to my home SRS based on my user ID. From
then on, the card would be associated with my session and I'd get
connected automatically.
Since nothing happened when I put my card in, I thought it was because
SRS was calling the wrong login routines. I guess I was going in the
right direction but picking the wrong symptoms.
So PAM should be calling the AMGH routines before the login screen comes
up but that doesn't seem to be happening. My AMGH script appends the
params it is passed to a log file in /tmp so I can tell when it is being
called. It is not being called when I insert a card. When there is no
smartcard inserted, it is being called before drawing the login screen
(pseudo session) and after I enter my user ID. I just installed the SRS
software a few days ago but the OS is an upgrade from Solaris 9. Here
are the Sun Ray references in pam.conf:
/# grep -i sunray /etc/pam.conf
# added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account required pam_unix_account.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth required pam_unix_auth.so.1
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay account required pam_unix_account.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password required pam_authtok_store.so.1
# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
# added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
# added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
If anything looks out of place please let me know. Thanks.
-Tom
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ottomeister
Sent: Sunday, July 08, 2007 4:10 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] No "Mobile Session Login" for smartcards
On 7/7/07, Tom Stanley <[EMAIL PROTECTED]> wrote:
> ... But when I insert a smartcard, I am immediately taken to a
> standard all-blue Solaris login screen. It looks like an Exit session.
> The AMGH script is not called at all since this is just a local
> Solaris login screen.
> ...
> Shouldn't I get a mobile login screen for my smartcards too? Or how do
> I get my AMGH script to be called with a smartcard? Thanks.
The behaviour you're seeing is correct. A smartcard should take you
straight to a regular login greeter.
You don't get a mobile login screen for a smartcard because the
session-mobility token is obtained directly from the smartcard and
therefore does not need to be obtained (as in the NSCM case) by asking
the user to provide and authenticate a user name.
Your AMGH script should still be called for a smartcard session. The
AMGH processing should be wired in to the PAM stack for the regular
login greeter, just as it is wired in to the PAM stack for the NSCM
greeter. What does 'grep SunRay /etc/pam.conf' show on this system?
OttoM.
__
ottomeister
Disclaimer: These are my opinions. I do not speak for my employer.
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
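An added example, not part of the original thread: a small shell/awk check that reports, for each service's auth stack in pam.conf-format text, the position of the first pam_sunray_amgh entry and which `sufficient` modules come before it (a `sufficient` module that succeeds ends the stack, so later entries are not run). The function names `amgh_report` and `sample_conf` are hypothetical, and the sample input is a constructed subset of the listing quoted above, with one mail-wrapped line left in.

```shell
#!/bin/sh
# Added example: summarise where pam_sunray_amgh sits in each auth stack.
# Input on stdin is pam.conf format: service type control module [options].
amgh_report() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
    # A line whose 2nd field is not a PAM module type is the wrapped tail
    # (options) of the previous entry, as mail clients produce; ignore it.
    $2 !~ /^(auth|account|session|password)$/ { next }
    $2 == "auth" {
        svc = $1
        if (!(svc in pos)) { order[++n] = svc; pos[svc] = 0 }
        pos[svc]++
        m = $4; sub(/.*\//, "", m)              # basename of the module path
        if (m ~ /^pam_sunray_amgh\.so/ && !(svc in first)) {
            first[svc] = pos[svc]               # first AMGH entry in this stack
            before[svc] = suff[svc]             # sufficient modules seen so far
        }
        if ($3 == "sufficient") suff[svc] = suff[svc] (suff[svc] ? "," : "") m
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s in first)
                printf "%s amgh_at=%d sufficient_before=%s\n", s, first[s], (before[s] ? before[s] : "none")
            else
                printf "%s amgh_at=none\n", s
        }
    }'
}

# Constructed sample: subset of the pam.conf entries quoted in the message.
sample_conf() {
    cat <<'EOF'
# added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite pam_authtok_get.so.1
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
EOF
}

sample_conf | amgh_report
```

On a live server the same function can be fed the real file with `amgh_report < /etc/pam.conf`.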