I am unable to login to the physical console via ldap user. I am able to "su - <username>" from command line and ssh via ldap user. Contents of the pam.conf and nsswitch.conf are below. Thanks.

pam.conf:

#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth sufficient pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth binding pam_unix_auth.so.1 server_policy
xscreensaver auth required pam_ldap.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account binding pam_unix_account.so.1 server_policy
xscreensaver account required pam_ldap.so.1
xscreensaver session required pam_unix_session.so.1
xscreensaver password required pam_dhkeys.so.1
xscreensaver password requisite pam_authtok_get.so.1
xscreensaver password requisite pam_authtok_check.so.1
xscreensaver password required pam_authtok_store.so.1
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password binding pam_authtok_store.so.1 server_policy
dtlogin-SunRay password required pam_ldap.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth binding pam_unix_auth.so.1 server_policy
dtsession-SunRay auth required pam_ldap.so.1
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay account binding pam_unix_account.so.1 server_policy
dtsession-SunRay account required pam_ldap.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password binding pam_authtok_store.so.1 server_policy
# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utnsclogin auth requisite pam_authtok_get.so.1
utnsclogin auth required pam_dhkeys.so.1
utnsclogin auth required pam_unix_cred.so.1
utnsclogin auth binding pam_unix_auth.so.1 server_policy
utnsclogin auth required pam_ldap.so.1
utnsclogin account requisite pam_roles.so.1
utnsclogin account binding pam_unix_account.so.1 server_policy
utnsclogin account required pam_ldap.so.1
utnsclogin session required pam_unix_session.so.1
utnsclogin password required pam_dhkeys.so.1
utnsclogin password requisite pam_authtok_get.so.1
utnsclogin password requisite pam_authtok_check.so.1
utnsclogin password required pam_authtok_store.so.1 server_policy
# added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
#added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

nsswitch.conf:

#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: ldap files
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: ldap files
networks: ldap files
protocols: ldap files
rpc: ldap files
ethers: ldap files
netmasks: ldap files
bootparams: ldap files
publickey: ldap files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joerg Barfurth
Sent: Friday, September 19, 2008 5:13 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
> I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient
> init ...".
> SSH and su work fine using ldap for authentication, but Sun
> Ray users are unable to login. Receive "Login incorrect". Below is the
> pam.conf and ldap log. We are using Sun Java Directory Server 6.3.
>

Does the system have console (physical or LOM)? Can you log into a graphical session there? If not, does it work for a command line login? Can you provide the entire pam.conf, or at least full entries for a service that does work and for 'other'? Can you also show us your nsswitch.conf file?

> Another error (attached below) that is related to ldap occurs during
> reboot. The Sun Ray services cannot bind to the Sun Ray Data Store.
> Can I configure the Sun Ray server as an ldap client or will it mess up
> the Sun Ray Data Store connection?
>

These should not interfere at all.

- Jörg

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
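
Added example, not part of the original messages or of Sun's software: a small shell function that prints the module stack a service actually gets from a Solaris-style pam.conf, applying the rule in the file's header comment that services without their own entries use the "other" section. pam_stack is a hypothetical helper name and the sample file is a constructed excerpt of the login and "other" lines posted above; it lets the explicit login stack be compared with the one su falls back to.

```shell
#!/bin/sh
# Added example: pam_stack is a hypothetical helper, not a Solaris command.
# Usage: pam_stack FILE SERVICE TYPE
# Prints "control_flag module [options]" for each entry that applies to
# SERVICE for module TYPE (auth, account, session, password). A service with
# no entries of its own for TYPE gets the "other" entries for that TYPE.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank and short lines
        $2 != typ            { next }      # different module type
        {
            line = $3                      # control flag
            for (i = 4; i <= NF; i++) line = line " " $i
        }
        $1 == svc     { own[++n] = line }
        $1 == "other" { dflt[++m] = line }
        END {
            if (n == 0) { n = m; for (i = 1; i <= m; i++) own[i] = dflt[i] }
            for (i = 1; i <= n; i++) print own[i]
        }' "$1"
}

# Constructed sample: the login and "other" entries from the posted pam.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
EOF

echo "== login auth (own entries) ==";            pam_stack "$sample" login auth
echo "== su auth (falls back to other) ==";       pam_stack "$sample" su auth
echo "== login account (falls back to other) =="; pam_stack "$sample" login account
```

Piping the login and su results through diff shows the one entry that differs between the two auth stacks in this excerpt, pam_dial_auth.so.1.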
