Dear list members,

I have a Solaris 10 box acting as a Sun Ray server, v4.0.

I used the likewise-open software to enable authentication against an Active
Directory 2003 server on this Solaris box.

I was then able to log in on my Solaris box by ssh or directly on the graphical
console, both with local accounts and the AD2003 accounts.

But on the Sun Ray client, I was able to log in only with local accounts (i.e.
the ones in /etc/passwd).

I took a look at the error messages I got when I joined the AD2003 domain.
Then I added some lines to my /etc/pam.conf: some "dtlogin-SunRay auth" and
"xscreensaver auth" lines.

I'm writing all this because:

1) It could inspire people who have problems connecting to Sun Rays with
non-local users.

2) I would like a "PAM expert" to verify and confirm the order of my new lines.
The new lines are the ones directly below the "Ajout par Stephanie" ("Added by
Stephanie") lines.


Here is my /etc/pam.conf:

#
#ident  "@(#)pam.conf   1.29    07/04/10 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_lwidentity.so               set_default_repository
login   auth requisite          pam_authtok_get.so.1
login   auth sufficient         pam_lwidentity.so               try_first_pass
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_lwidentity.so               set_default_repository
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth sufficient         pam_lwidentity.so               try_first_pass
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_lwidentity.so               set_default_repository
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth sufficient         pam_lwidentity.so               try_first_pass
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_lwidentity.so               set_default_repository
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_lwidentity.so               try_first_pass
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth requisite          pam_lwidentity.so               set_default_repository
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth sufficient         pam_lwidentity.so               try_first_pass
passwd  auth required           pam_deny.so
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_lwidentity.so       unknown_ok
cron    account sufficient      pam_lwidentity.so
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_lwidentity.so       unknown_ok
other   account sufficient      pam_lwidentity.so
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session sufficient      pam_lwidentity.so
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password sufficient     pam_lwidentity.so       try_first_pass  use_authtok
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
# Ajout par Stephanie 
xscreensaver auth sufficient pam_lwidentity.so
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1 
# Ajout par Stephanie 
xscreensaver auth sufficient pam_lwidentity.so try_first_pass
xscreensaver auth required pam_dhkeys.so.1 
xscreensaver auth required pam_unix_cred.so.1 
xscreensaver auth required pam_unix_auth.so.1 
# BEGIN: added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay password required pam_dhkeys.so.1 
dtlogin-SunRay password requisite pam_authtok_get.so.1 
dtlogin-SunRay password sufficient pam_lwidentity.so try_first_pass use_authtok 
dtlogin-SunRay password requisite pam_authtok_check.so.1 
dtlogin-SunRay password required pam_authtok_store.so.1 
# Ajout par Stephanie
dtlogin-SunRay auth sufficient pam_lwidentity.so
# Ajout par Stephanie
dtlogin-SunRay auth sufficient pam_lwidentity.so try_first_pass
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user ignoreuser
dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1 
dtlogin-SunRay auth required pam_dhkeys.so.1 
dtlogin-SunRay auth required pam_unix_cred.so.1 
dtlogin-SunRay auth required pam_unix_auth.so.1 
dtlogin-SunRay account required pam_lwidentity.so unknown_ok 
dtlogin-SunRay account sufficient pam_lwidentity.so 
dtlogin-SunRay account sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1 
dtlogin-SunRay account required pam_unix_account.so.1 
dtlogin-SunRay session required /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay session required pam_unix_session.so.1 
dtlogin-SunRay session sufficient pam_lwidentity.so 
# BEGIN: added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay account requisite pam_roles.so.1 
dtsession-SunRay account required pam_lwidentity.so unknown_ok 
dtsession-SunRay account sufficient pam_lwidentity.so 
dtsession-SunRay account required pam_unix_account.so.1 
dtsession-SunRay session required pam_unix_session.so.1 
dtsession-SunRay session sufficient pam_lwidentity.so 
dtsession-SunRay password required pam_dhkeys.so.1 
dtsession-SunRay password requisite pam_authtok_get.so.1 
dtsession-SunRay password sufficient pam_lwidentity.so try_first_pass use_authtok
dtsession-SunRay password requisite pam_authtok_check.so.1 
dtsession-SunRay password required pam_authtok_store.so.1 
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1 
dtsession-SunRay auth required pam_dhkeys.so.1 
dtsession-SunRay auth required pam_unix_cred.so.1 
dtsession-SunRay auth required pam_unix_auth.so.1 
# BEGIN: added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin account requisite pam_roles.so.1 
utnsclogin account required pam_lwidentity.so unknown_ok 
utnsclogin account sufficient pam_lwidentity.so 
utnsclogin account required pam_unix_account.so.1 
utnsclogin session required pam_unix_session.so.1 
utnsclogin session sufficient pam_lwidentity.so 
utnsclogin password required pam_dhkeys.so.1 
utnsclogin password requisite pam_authtok_get.so.1 
utnsclogin password sufficient pam_lwidentity.so try_first_pass use_authtok 
utnsclogin password requisite pam_authtok_check.so.1 
utnsclogin password required pam_authtok_store.so.1 
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utnsclogin auth requisite pam_lwidentity.so set_default_repository 
utnsclogin auth requisite pam_authtok_get.so.1 
utnsclogin auth sufficient pam_lwidentity.so try_first_pass 
utnsclogin auth required pam_dhkeys.so.1 
utnsclogin auth required pam_unix_cred.so.1 
utnsclogin auth required pam_unix_auth.so.1 
# BEGIN: added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
# BEGIN: added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1


Best regards
__________________

Stéphanie Lanthier

IT Analyst
Université du Québec à Montréal
Service de l'informatique et des télécommunications
[EMAIL PROTECTED]
Telephone: 514-987-3000 ext. 6106
Office: PK-M535

 



_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
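
The ordering question raised in the post can be explored offline by walking a stack entry by entry. The following is an added example, not part of the original post: it parses the xscreensaver auth entries copied from the posted pam.conf and applies the requisite/required/sufficient/optional/binding rules documented in pam.conf(4). The per-module outcomes passed to `evaluate` are assumptions supplied by the caller, and the `include` flag is not modelled.

```python
import os

FLAGS = {"requisite", "required", "sufficient", "optional", "binding"}

# Entries copied from the xscreensaver auth stack in the posted pam.conf.
PAM_CONF = """\
xscreensaver auth sufficient pam_lwidentity.so
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth sufficient pam_lwidentity.so try_first_pass
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth required pam_unix_auth.so.1
"""

def parse(text, service, mtype):
    """Return (stack, bad_lines): the entries for one service/type, plus the
    numbers of lines that are not 'service type flag module [options]'
    (for example an option left alone on a line by e-mail wrapping)."""
    stack, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 4 or f[2] not in FLAGS:
            bad.append(n)
        elif (f[0], f[1]) == (service, mtype):
            stack.append((f[2], os.path.basename(f[3])))
    return stack, bad

def evaluate(stack, results):
    """Walk the stack. results maps module name -> 'ok' | 'fail' | 'ignore'
    (assumed outcomes). Returns (verdict, list of modules actually run)."""
    ran, required_failed, any_ok = [], False, False
    for flag, module in stack:
        ran.append(module)
        r = results.get(module, "ignore")
        if r == "ok":
            any_ok = True
            # sufficient/binding success ends the walk unless a required failed
            if flag in ("sufficient", "binding") and not required_failed:
                return "success", ran
        elif r == "fail":
            if flag == "requisite":
                return "failure", ran          # stops immediately
            if flag in ("required", "binding"):
                required_failed = True         # recorded, walk continues
    return ("success" if any_ok and not required_failed else "failure"), ran
```

With `{"pam_lwidentity.so": "ok"}` the walk ends at the first entry, so none of the later modules in that stack are consulted; with pam_lwidentity.so failing, the decision falls through to the pam_unix_auth.so.1 line.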