Dear list members, 

I tried the pam.conf suggested by Jörg, without success: the login with the AD 
user from the Sun Ray is not possible with the proposed stack.

So, I use the pam.conf file as I first posted.

With the initial pam.conf file, the use of smart cards seems to work well. I 
can connect on a DTU-A, then take my card to a DTU-B, and my session follows.

I haven't tried the kiosk mode at this time.

Best regards
__________________

Stéphanie Lanthier

IT Analyst
Université du Québec à Montréal
Service de l'informatique et des télécommunications [EMAIL PROTECTED]
Telephone: 514-987-3000 ext. 6106
Office: PK-M535



-----Original Message-----
From: Lanthier, Stéphanie
Sent: July 16, [EMAIL PROTECTED] 10:10
To: ''
Subject: Sunray login succeeded with likewise-open/AD2003 user

Dear list members,

I have a Solaris 10 box acting as a Sun Ray server, v4.0.

I used likewise-open software to enable authentication against an Active 
Directory 2003 server on this Solaris box.

I was then able to log in on my Solaris box by ssh or directly on the graphical 
console, both with local accounts and the AD2003 accounts.

But, on the Sun Ray Client, I was able to log in only with local accounts (i.e. 
the ones in /etc/passwd).

I took a look at the error messages I got when I joined the AD2003 domain. 
Then, I added some lines in my /etc/pam.conf, some "dtlogin-SunRay auth" and 
"xscreensaver auth" lines.

I'm writing all this because:

1) It could inspire people who have problems connecting to Sun Rays with 
non-local users

2) I would like a "pam expert" to verify and confirm the order of my new lines. 
The new lines are the ones directly below the "Ajout par Stephanie" lines.


Here is my /etc/pam.conf :

#
#ident  "@(#)pam.conf   1.29    07/04/10 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_lwidentity.so               set_default_repository
login   auth requisite          pam_authtok_get.so.1
login   auth sufficient         pam_lwidentity.so               try_first_pass
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_lwidentity.so               set_default_repository
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth sufficient         pam_lwidentity.so               try_first_pass
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_lwidentity.so               set_default_repository
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth sufficient         pam_lwidentity.so               try_first_pass
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_lwidentity.so               set_default_repository
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_lwidentity.so               try_first_pass
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth requisite          pam_lwidentity.so               set_default_repository
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth sufficient         pam_lwidentity.so               try_first_pass
passwd  auth required           pam_deny.so
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_lwidentity.so       unknown_ok
cron    account sufficient      pam_lwidentity.so
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_lwidentity.so       unknown_ok
other   account sufficient      pam_lwidentity.so
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session sufficient      pam_lwidentity.so
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password sufficient     pam_lwidentity.so       try_first_pass  use_authtok
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
# Ajout par Stephanie
xscreensaver auth sufficient pam_lwidentity.so
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
# Ajout par Stephanie
xscreensaver auth sufficient pam_lwidentity.so try_first_pass
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth required pam_unix_auth.so.1
# BEGIN: added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password sufficient pam_lwidentity.so try_first_pass use_authtok
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
# Ajout par Stephanie
dtlogin-SunRay auth sufficient pam_lwidentity.so
# Ajout par Stephanie
dtlogin-SunRay auth sufficient pam_lwidentity.so try_first_pass
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user ignoreuser
dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
dtlogin-SunRay account required pam_lwidentity.so unknown_ok
dtlogin-SunRay account sufficient pam_lwidentity.so
dtlogin-SunRay account sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account required pam_unix_account.so.1
dtlogin-SunRay session required /opt/SUNWkio/lib/pam_kiosk.so log=user
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay session sufficient pam_lwidentity.so
# BEGIN: added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay account required pam_lwidentity.so unknown_ok
dtsession-SunRay account sufficient pam_lwidentity.so
dtsession-SunRay account required pam_unix_account.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay session sufficient pam_lwidentity.so
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password sufficient pam_lwidentity.so try_first_pass use_authtok
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password required pam_authtok_store.so.1
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth required pam_unix_auth.so.1
# BEGIN: added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin account requisite pam_roles.so.1
utnsclogin account required pam_lwidentity.so unknown_ok
utnsclogin account sufficient pam_lwidentity.so
utnsclogin account required pam_unix_account.so.1
utnsclogin session required pam_unix_session.so.1
utnsclogin session sufficient pam_lwidentity.so
utnsclogin password required pam_dhkeys.so.1
utnsclogin password requisite pam_authtok_get.so.1
utnsclogin password sufficient pam_lwidentity.so try_first_pass use_authtok
utnsclogin password requisite pam_authtok_check.so.1
utnsclogin password required pam_authtok_store.so.1
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utnsclogin auth requisite pam_lwidentity.so set_default_repository
utnsclogin auth requisite pam_authtok_get.so.1
utnsclogin auth sufficient pam_lwidentity.so try_first_pass
utnsclogin auth required pam_dhkeys.so.1
utnsclogin auth required pam_unix_cred.so.1
utnsclogin auth required pam_unix_auth.so.1
# BEGIN: added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
# BEGIN: added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1


Best regards
__________________

Stéphanie Lanthier

IT Analyst
Université du Québec à Montréal
Service de l'informatique et des télécommunications [EMAIL PROTECTED]
Telephone: 514-987-3000 ext. 6106
Office: PK-M535
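
Added example, not part of the original post or of the Sun Ray or likewise-open software: a small tracer for the order question raised above, which walks the posted xscreensaver auth stack under the control-flag rules of Solaris pam.conf(4) and reports which modules would be called. The names parse_stack and trace are hypothetical, and which modules succeed or fail in each run is a what-if assumption, not observed module behaviour.

```python
# Added example: trace one pam.conf stack using the control-flag rules
# documented in Solaris pam.conf(4) (simplified; binding/include omitted).
PAM_CONF = """\
xscreensaver auth sufficient pam_lwidentity.so
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth sufficient pam_lwidentity.so try_first_pass
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth required pam_unix_auth.so.1
"""

def parse_stack(text, service, mod_type):
    """Return [(control_flag, module, options)] for one service and type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 4 and fields[:2] == [service, mod_type]:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack

def trace(stack, failing=()):
    """Walk the stack. `failing` holds 0-based positions assumed to return failure
    (a what-if assumption). Returns (overall_success, modules_called)."""
    called, required_failed, any_success = [], False, False
    for pos, (flag, module, opts) in enumerate(stack):
        called.append(" ".join([module] + opts))
        ok = pos not in failing
        if flag == "sufficient":
            if ok and not required_failed:
                return True, called      # success ends the stack here
            # a sufficient failure is treated like an optional failure
        elif flag == "requisite":
            if not ok:
                return False, called     # failure ends the stack here
            any_success = True
        elif flag == "required":
            required_failed = required_failed or not ok
            any_success = any_success or ok
        elif flag == "optional":
            any_success = any_success or ok
        else:
            raise ValueError("unhandled control flag: " + flag)
    return any_success and not required_failed, called

if __name__ == "__main__":
    stack = parse_stack(PAM_CONF, "xscreensaver", "auth")
    for label, failing in [("first module succeeds", ()),
                           ("lwidentity and pam_sunray fail", {0, 1, 3})]:
        ok, called = trace(stack, failing)
        print(label, "->", "success" if ok else "failure", "| called:", called)
```

When a sufficient line succeeds, every line below it in that stack is skipped, so the position of each added pam_lwidentity.so line decides which of the later modules still run for an AD user.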

 



_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
