Well first of all I'd very much like to thank you for that detailed explanation of the pam modules. It's helping me to understand much better what is going on in those pam scripts, especially /etc/pam.d/gdm, which is where I believe the issue is most probably taking place.
I did run across a module that you didn't mention, however: <sunlib>/pam_kiosk.so, and I've been unable to find any more detailed information than the manpage for it (in /opt/SUNWKio...). The manpage is still leaving me a little confused, as it appears that this module has many different possible behaviors. Honestly I'm not even sure what kiosk mode would be used for in our setting, as every user has to authenticate at the gdm screen and we have no unauthenticated sessions. This is probably due to the fact that I don't have much understanding of the module, however. This is the context in which it appears:

-=-=-
#%PAM-1.0
password include common-password
# BEGIN: added to gdm by SunRay Server Software -- gdm
auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
auth sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user ignoreuser
auth requisite /opt/SUNWkio/lib/pam_kiosk.so log=user
auth required /opt/SUNWut/lib/sunray_get_user.so.1 prompt
auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
auth include common-auth
session required /opt/SUNWkio/lib/pam_kiosk.so log=user
session required pam_loginuid.so
session include common-session
session required pam_resmgr.so
account sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user
account include common-account
-=-=-

Is there any chance that you could explain to me the behavior of that particular module a bit? Also, thanks to the greater poring over documentation that I did today compared to previously, I figured out where I think the PAM modules are dumping their logging information on these systems.
The only authentication error I saw from my testing the other day was the following:

-=-=-
/var/log/warn:May 26 13:22:15 srss-bismarck-gamma gdm[4175]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:22:28 srss-bismarck-gamma gdm[4175]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:29:16 srss-bismarck-gamma gdm[13323]: pam_krb5[13323]: error resolving user name 'dgetsman' to uid/gid pair
/var/log/warn:May 26 13:29:19 srss-bismarck-gamma gdm[13323]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:36:45 srss-bismarck-gamma gdm[6638]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:37:17 srss-bismarck-gamma gdm[6846]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:41:12 srss-bismarck-gamma gdm[6846]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:42:33 srss-bismarck-gamma gdm[6846]: WARNING: Couldn't authenticate user
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8323]: fatal: login_init_entry: Cannot find user "dgetsman"
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8323]: fatal: login_init_entry: Cannot find user "dgetsman"
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8328]: pam_krb5[8328]: error resolving user name 'dgetsman' to uid/gid pair
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8328]: pam_krb5[8328]: no user info for dgetsman (shouldn't happen)
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8328]: pam_krb5[8328]: error resolving user name 'dgetsman' to uid/gid pair
/var/log/warn:May 26 13:52:21 srss-bismarck-gamma sshd[8328]: pam_krb5[8328]: no user info for dgetsman (shouldn't happen)
-=-=-

Now I can't be sure, as I'm still learning about the SRSS PAM modules and admittedly still have a LONG way to go, but I'd imagine that if the problem encompassed more than just kerberos, I'd see other modules complaining in the log. This definitely makes sense.
I have a working kerberos server set up on the same box that LDAP is running from, but it's not configured specially right now at all. It's just set up to serve and verify tickets when a user types 'kinit'. I don't have a clue how I would set this up for SRSS; right now I'd really like to just bypass it completely and only implement the LDAP directory for serving centralized user information. Thank you very much for your detailed explanations so far, I really appreciate it, and what you've said is a lot more insightful and straightforward than what I've seen in any of the numerous documents that I've come across.

-Damon
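As an added illustration (not code from SRSS, from the poster, or from anyone else on the list), the following walks the quoted gdm auth stack with Linux-PAM control-flag semantics so you can see which entries are actually consulted, for instance whether the `include common-auth` line (where pam_krb5 is assumed to be pulled in) is ever reached once the sufficient pam_kiosk entry succeeds. The per-module results are constructed scenarios, not observed behaviour of pam_kiosk or the SunRay modules.

```python
# Added illustration, not code from SRSS or the mailing list: a simplified
# Linux-PAM control-flag walker for the gdm "auth" stack quoted above.
#   requisite  - failure ends the stack at once with that failure
#   required   - failure is remembered, but the remaining entries still run
#   sufficient - success with no earlier required failure ends the stack
#                with success; its own failure is ignored
#   include    - modelled here as one opaque entry whose result is supplied
# Results come from the caller: "success", "fail" or "ignore" (PAM_IGNORE).

GDM_AUTH_STACK = [
    ("requisite",  "sunray_get_user.so.1 property=username"),
    ("required",   "pam_sunray_amgh.so.1"),
    ("sufficient", "pam_kiosk.so log=user ignoreuser"),
    ("requisite",  "pam_kiosk.so log=user"),
    ("required",   "sunray_get_user.so.1 prompt"),
    ("required",   "pam_sunray_amgh.so.1 clearuser"),
    ("include",    "common-auth"),
]

def walk_stack(stack, results):
    """Return (outcome, consulted): the final "success"/"fail" and the
    entries that were actually reached before the stack ended."""
    failed = False
    consulted = []
    for control, module in stack:
        result = results.get(module, "ignore")
        consulted.append(module)
        if result == "ignore":
            continue
        ok = result == "success"
        if control == "requisite" and not ok:
            return "fail", consulted
        if control in ("required", "include") and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return "success", consulted
    return ("fail" if failed else "success"), consulted

# Constructed scenarios with hypothetical module results (not observed data).
EVERY_MODULE_SUCCEEDS = dict.fromkeys((m for _, m in GDM_AUTH_STACK), "success")
# Ordinary user: pam_kiosk returns PAM_IGNORE, common-auth (where pam_krb5 is
# assumed to be pulled in) fails because the user cannot be resolved.
ORDINARY_USER_KRB5_FAILS = {**EVERY_MODULE_SUCCEEDS,
                            "pam_kiosk.so log=user ignoreuser": "ignore",
                            "common-auth": "fail"}
# The requisite pam_kiosk entry fails: nothing after it is consulted.
REQUISITE_KIOSK_FAILS = {**ORDINARY_USER_KRB5_FAILS, "pam_kiosk.so log=user": "fail"}
# An earlier "required" failure: the sufficient entry can no longer rescue it.
EARLY_REQUIRED_FAILS = {**EVERY_MODULE_SUCCEEDS, "pam_sunray_amgh.so.1": "fail"}
```

With every module succeeding, the sufficient pam_kiosk entry ends the stack after three entries and common-auth never runs; in the ordinary-user scenario all seven entries are consulted and the include failure decides the result.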
_______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
