Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Fri, 19 Sep 2008 10:47:17 -0700

You have no PAM stack for dtlogin, only for dtlogin-Sunray. Therefore, your console is using the "other" stack, which isn't instrumented for LDAP.
I recommend that you copy the "other" stacks to "dtlogin" stacks, and then instrument it for LDAP in a way similar to what you did for dtlogin-Sunray. 

-Bob

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:

I am unable to login to the physical console via ldap user.  I am able to "su - <username>" from command line and ssh via ldap user.  Contents of the pam.conf and nsswitch.conf are below.  Thanks.  


pam.conf:

#
#ident  "@(#)pam.conf   1.31    07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_dial_auth.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)

# 
rlogin  auth sufficient         pam_rhosts_auth.so.1

rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth sufficient         pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required                pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

xscreensaver auth requisite pam_authtok_get.so.1 
xscreensaver auth required pam_dhkeys.so.1 
xscreensaver auth required pam_unix_cred.so.1 
xscreensaver auth binding pam_unix_auth.so.1 server_policy
xscreensaver auth required pam_ldap.so.1 
xscreensaver account requisite pam_roles.so.1 
xscreensaver account binding pam_unix_account.so.1 server_policy

xscreensaver account required pam_ldap.so.1

xscreensaver session required pam_unix_session.so.1 
xscreensaver password required pam_dhkeys.so.1 
xscreensaver password requisite pam_authtok_get.so.1 
xscreensaver password requisite pam_authtok_check.so.1 
xscreensaver password required pam_authtok_store.so.1 
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay

dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 
property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser

dtlogin-SunRay auth requisite pam_authtok_get.so.1 
dtlogin-SunRay auth required pam_dhkeys.so.1 
dtlogin-SunRay auth required pam_unix_cred.so.1 
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1 
 
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1 
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1 
 
dtlogin-SunRay session required pam_unix_session.so.1 
dtlogin-SunRay password required pam_dhkeys.so.1 
dtlogin-SunRay password requisite pam_authtok_get.so.1 
dtlogin-SunRay password requisite pam_authtok_check.so.1 
dtlogin-SunRay password binding pam_authtok_store.so.1 server_policy

dtlogin-SunRay password required pam_ldap.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

dtsession-SunRay auth requisite pam_authtok_get.so.1 
dtsession-SunRay auth required pam_dhkeys.so.1 
dtsession-SunRay auth required pam_unix_cred.so.1 
dtsession-SunRay auth binding pam_unix_auth.so.1 server_policy
dtsession-SunRay auth required pam_ldap.so.1 
 
dtsession-SunRay account requisite pam_roles.so.1 
dtsession-SunRay account binding pam_unix_account.so.1 server_policy
dtsession-SunRay account required pam_ldap.so.1 
 
dtsession-SunRay session required pam_unix_session.so.1 
dtsession-SunRay password required pam_dhkeys.so.1 
dtsession-SunRay password requisite pam_authtok_get.so.1 
dtsession-SunRay password requisite pam_authtok_check.so.1 
dtsession-SunRay password binding pam_authtok_store.so.1 server_policy

# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

utnsclogin auth requisite pam_authtok_get.so.1 
utnsclogin auth required pam_dhkeys.so.1 
utnsclogin auth required pam_unix_cred.so.1 
utnsclogin auth binding pam_unix_auth.so.1 server_policy
utnsclogin auth required pam_ldap.so.1 
 
utnsclogin account requisite pam_roles.so.1 
utnsclogin account binding pam_unix_account.so.1 server_policy
utnsclogin account required pam_ldap.so.1 
 
utnsclogin session required pam_unix_session.so.1 
utnsclogin password required pam_dhkeys.so.1 
utnsclogin password requisite pam_authtok_get.so.1 
utnsclogin password requisite pam_authtok_check.so.1 
utnsclogin password required pam_authtok_store.so.1 server_policy

# added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
#added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 
token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1








nsswitch.conf:



#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap      1.10    06/05/03 SMI"

 
#

# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

 
# LDAP service requires that svc:/network/ldap/client:default be enabled

# and online.

 
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd:     files ldap
group:      files ldap

 
# consult /etc "files" only if ldap is down. 
hosts:      ldap files
 
# Note that IPv4 addresses are searched for in all of the ipnodes databases

# before searching the hosts databases.
ipnodes:    ldap files

 
networks:   ldap files

protocols:  ldap files
rpc:        ldap files
ethers:     ldap files
netmasks:   ldap files
bootparams: ldap files
publickey:  ldap files

 
netgroup:   ldap
 
automount:  files ldap

aliases:    files ldap

 
# for efficient getservbyname() avoid ldap

services:   files ldap

 
printers:   user files ldap
 
auth_attr:  files ldap

prof_attr:  files ldap

 
project:    files ldap
 
tnrhtp:     files ldap

tnrhdb:     files ldap



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joerg Barfurth
Sent: Friday, September 19, 2008 5:13 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO schrieb:


  

I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient
init ...".  SSH and su work fine using ldap for authentication, but Sun
Ray users are unable to login.  Receive "Login incorrect".  Below is the

pam.conf and ldap log.  We are using Sun Java Directory Server 6.3.  

    



Does the system have console (physical or LOM)? Can you log into a 
graphical session there? If not, does it work for a command line login?



Can you provide the entire pam.conf, or at least full entries for a 
service that does work and for 'other'?


Can you also show us your nsswitch.conf file?


  

Another error (attached below) that is related to ldap occurs during
reboot.  The Sun Ray services cannot bind to the Sun Ray Data Store.
Can I configure the Sun Ray server as an ldap client or will it mess up

the Sun Ray Data Store connection?  

    


These should not interfere at all.

- Jörg

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

  


_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users






















					Reply via email to