Hi Tom,

Tom Stanley wrote:
Thank you for that explanation. I was thinking if the card was never used before, and so is not associated with a session, I would enter my user ID in the mobile session login, that would be fed to the AMGH script, and I'd be connected to my home SRS based on my user ID. From then on, the card would be associated with my session and I'd get connected automatically.
It won't work that way. AMGH is about affinity to a particular group of servers, whereas the association of a session to its token is valid within a single group.
If your AMGH script operates based on user id and does not know individual smart cards, you will have to enter your user name every time you connect to the 'wrong' server group (i.e. to a server that directs you away). Only when you reach the 'right' server group is the existing session found and you get reconnected instead of a new login.
Since nothing happened when I put my card in, I thought it was because SRS was calling the wrong login routines. I guess I was going in the right direction but picking the wrong symptoms. So PAM should be calling the AMGH routines before the login screen comes up but that doesn't seem to be happening. My AMGH script appends the params it is passed to a log file in /tmp so I can tell when it is being called. It is not being called when I insert a card. When there is no smartcard inserted, it is being called before drawing the login screen (pseudo session) and after I enter my user ID. I just installed the SRS software a few days ago but the OS is an upgrade from Solaris 9. Here are the Sun Ray references in pam.conf:
/# grep -i sunray /etc/pam.conf
# added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account required pam_unix_account.so.1
Your pam.conf looks fine. Your AMGH script should be called both before and after entering a user name on the login screen.
- Joerg

--
Joerg Barfurth
Software Engineer, Desktop Technology, Thin Client Software
Sun Microsystems GmbH
http://www.sun.com/software/sunray/
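An added example, not part of the original thread and not Sun's code: a small Python audit of the dtlogin-SunRay auth stack that uses the layout quoted above (which the reply calls fine) as its reference. Reading the two pam_sunray_amgh entries as the calls before and after the user name prompt is an assumption, and the function names are hypothetical.

```python
# Constructed sample: the dtlogin-SunRay "auth" entries quoted in the post above.
PAM_CONF = """\
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
"""

def auth_stack(conf_text, service):
    """Return [(control_flag, module_basename, options)] for the service's auth stack, in file order."""
    stack = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4 and fields[0] == service and fields[1] == "auth":
            stack.append((fields[2], fields[3].rsplit("/", 1)[-1], fields[4:]))
    return stack

def audit_amgh(stack):
    """Return findings; an empty list means the stack matches the layout shown in the post."""
    findings = []
    names = [mod for _, mod, _ in stack]
    amgh = [i for i, m in enumerate(names) if m.startswith("pam_sunray_amgh.so")]
    if len(amgh) != 2:  # assumption: one call before the prompt, one after
        findings.append(f"expected 2 pam_sunray_amgh entries, found {len(amgh)}")
    for i in amgh:
        if i == 0 or not names[i - 1].startswith("sunray_get_user.so"):
            findings.append(f"entry {i + 1}: AMGH not preceded by sunray_get_user")
    pw = [i for i, m in enumerate(names) if m.startswith("pam_authtok_get.so")]
    if pw and amgh and max(amgh) > pw[0]:
        findings.append("AMGH entry placed after pam_authtok_get")
    return findings

def sufficient_before_amgh(stack):
    """Modules flagged 'sufficient' ahead of the first AMGH entry.
    Standard PAM semantics: if such a module succeeds, the rest of the stack is not run."""
    names = [mod for _, mod, _ in stack]
    first = next((i for i, m in enumerate(names) if m.startswith("pam_sunray_amgh.so")), len(stack))
    return [mod for flag, mod, _ in stack[:first] if flag == "sufficient"]

if __name__ == "__main__":
    s = auth_stack(PAM_CONF, "dtlogin-SunRay")
    print(audit_amgh(s) or "stack matches reference layout")
    print("sufficient before AMGH:", sufficient_before_amgh(s))
```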
