All,

Thanks for the help. Stefan, that worked. Thanks! The big key to the solution was restarting dtlogin. Very strange that "sufficient" rather than "binding" is the key after reading the pam_ldap man page; the pam_ldap man page makes it sound like it should be the other way around.
Thanks for all the input.

Clinton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Varga
Sent: Sunday, September 21, 2008 10:48 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
> I am unable to login to the physical console via ldap user. I am able to "su
> - <username>" from command line and ssh via ldap user. Contents of the
> pam.conf and nsswitch.conf are below. Thanks.
>

Hi,

1. remove server_policy keyword
2. replace "binding pam_unix_auth.so.1" with "sufficient pam_unix_auth.so.1" - example:

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1

3. use files ldap combination within your nsswitch.conf file
4. restart dtlogin while modifying pam.conf

These recommendations presume that you are using an SSHA-crypted userpassword attribute without Trusted Solaris enhancements.

Stefan

> pam.conf:
>
> #
> #ident "@(#)pam.conf 1.31 07/12/07 SMI"
> #
> # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_dial_auth.so.1
> login auth binding pam_unix_auth.so.1 server_policy
> login auth required pam_ldap.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth binding pam_unix_auth.so.1 server_policy
> rlogin auth required pam_ldap.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth sufficient pam_dial_auth.so.1
> ppp auth required pam_ldap.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth binding pam_unix_auth.so.1 server_policy
> other auth required pam_ldap.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth binding pam_passwd_auth.so.1 server_policy
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account binding pam_unix_account.so.1 server_policy
> other account required pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1 server_policy
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> # BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth binding pam_unix_auth.so.1 server_policy
> xscreensaver auth required pam_ldap.so.1
> xscreensaver account requisite pam_roles.so.1
> xscreensaver account binding pam_unix_account.so.1 server_policy
> xscreensaver account required pam_ldap.so.1
> xscreensaver session required pam_unix_session.so.1
> xscreensaver password required pam_dhkeys.so.1
> xscreensaver password requisite pam_authtok_get.so.1
> xscreensaver password requisite pam_authtok_check.so.1
> xscreensaver password required pam_authtok_store.so.1
> # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> dtlogin-SunRay auth requisite pam_authtok_get.so.1
> dtlogin-SunRay auth required pam_dhkeys.so.1
> dtlogin-SunRay auth required pam_unix_cred.so.1
> dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
> dtlogin-SunRay auth required pam_ldap.so.1
>
> dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay account requisite pam_roles.so.1
> dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
> dtlogin-SunRay account required pam_ldap.so.1
>
> dtlogin-SunRay session required pam_unix_session.so.1
> dtlogin-SunRay password required pam_dhkeys.so.1
> dtlogin-SunRay password requisite pam_authtok_get.so.1
> dtlogin-SunRay password requisite pam_authtok_check.so.1
> dtlogin-SunRay password binding pam_authtok_store.so.1 server_policy
> dtlogin-SunRay password required pam_ldap.so.1
> # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> dtsession-SunRay auth requisite pam_authtok_get.so.1
> dtsession-SunRay auth required pam_dhkeys.so.1
> dtsession-SunRay auth required pam_unix_cred.so.1
> dtsession-SunRay auth binding pam_unix_auth.so.1 server_policy
> dtsession-SunRay auth required pam_ldap.so.1
>
> dtsession-SunRay account requisite pam_roles.so.1
> dtsession-SunRay account binding pam_unix_account.so.1 server_policy
> dtsession-SunRay account required pam_ldap.so.1
>
> dtsession-SunRay session required pam_unix_session.so.1
> dtsession-SunRay password required pam_dhkeys.so.1
> dtsession-SunRay password requisite pam_authtok_get.so.1
> dtsession-SunRay password requisite pam_authtok_check.so.1
> dtsession-SunRay password binding pam_authtok_store.so.1 server_policy
> # added to utnsclogin by SunRay Server Software -- utnsclogin
> utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utnsclogin auth requisite pam_authtok_get.so.1
> utnsclogin auth required pam_dhkeys.so.1
> utnsclogin auth required pam_unix_cred.so.1
> utnsclogin auth binding pam_unix_auth.so.1 server_policy
> utnsclogin auth required pam_ldap.so.1
>
> utnsclogin account requisite pam_roles.so.1
> utnsclogin account binding pam_unix_account.so.1 server_policy
> utnsclogin account required pam_ldap.so.1
>
> utnsclogin session required pam_unix_session.so.1
> utnsclogin password required pam_dhkeys.so.1
> utnsclogin password requisite pam_authtok_get.so.1
> utnsclogin password requisite pam_authtok_check.so.1
> utnsclogin password required pam_authtok_store.so.1 server_policy
> # added to utadmingui by SunRay Server Software -- utadmingui
> utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> #added to utgulogin by SunRay Server Software -- utgulogin
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
>
>
> nsswitch.conf:
>
> #
> # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
>
> #
> # /etc/nsswitch.ldap:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses LDAP in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # LDAP service requires that svc:/network/ldap/client:default be enabled
> # and online.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files ldap
> group: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: ldap files
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: ldap files
>
> networks: ldap files
> protocols: ldap files
> rpc: ldap files
> ethers: ldap files
> netmasks: ldap files
> bootparams: ldap files
> publickey: ldap files
>
> netgroup: ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joerg Barfurth
> Sent: Friday, September 19, 2008 5:13 AM
> To: SunRay-Users mailing list
> Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing
>
> Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
>
>> I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient
>> init ...". SSH and su work fine using ldap for authentication, but Sun
>> Ray users are unable to login. Receive "Login incorrect". Below is the
>> pam.conf and ldap log. We are using Sun Java Directory Server 6.3.
>>
>
> Does the system have console (physical or LOM)? Can you log into a
> graphical session there? If not, does it work for a command line login?
>
> Can you provide the entire pam.conf, or at least full entries for a
> service that does work and for 'other'?
>
> Can you also show us your nsswitch.conf file?
>
>> Another error (attached below) that is related to ldap occurs during
>> reboot. The Sun Ray services cannot bind to the Sun Ray Data Store.
>> Can I configure the Sun Ray server as an ldap client or will it mess up
>> the Sun Ray Data Store connection?
>>
>
> These should not interfere at all.
>
> - Jörg
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users

--
+----------------------------------------------+
| Stefan Varga              TEMPEST a.s.       |
| Senior Systems Engineer   Services Division  |
| +421908 760617            Plynarenska 7/B    |
| [EMAIL PROTECTED]         Bratislava         |
| Sun Microsystems Executive Partner           |
| Symantec(Veritas) Platinum Partner           |
+----------------------------------------------+
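The control-flag semantics behind Stefan's step 2 (binding versus sufficient on pam_unix_auth.so.1, followed by required pam_ldap.so.1) are easy to get backwards, so here is an added example that is not part of the thread and not Sun's code: a small Python simulation of how a Solaris pam.conf(4) auth stack is evaluated (requisite, required, binding, sufficient, optional), run over the "other auth" stack from the thread in both variants. The PAM modules are simulated stand-ins: pam_unix_auth is modeled as the module without server_policy, so it fails for any user with no local password entry (the server_policy behaviour is not modeled); pam_dhkeys and pam_unix_cred are modeled as abstaining (PAM_IGNORE) in the authenticate phase; the user names and passwords are constructed test data.

```python
"""Simulated Solaris pam.conf(4) auth-stack evaluation (added example).

Shows why "sufficient pam_unix_auth.so.1" followed by "required pam_ldap.so.1"
lets an LDAP-only user in, while "binding pam_unix_auth.so.1" (with the
server_policy keyword removed) does not, and that a wrong password is still
rejected by both stacks.
"""
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"

# Constructed (hypothetical) account data: one account with a local
# /etc/shadow entry, one that exists only in the directory.
LOCAL_PASSWORDS: Dict[str, str] = {"localadm": "local-pw"}
LDAP_PASSWORDS: Dict[str, str] = {"clinton": "ldap-pw"}

Module = Callable[[str, str], str]


def pam_authtok_get(user: str, password: str) -> str:
    # Simulated password prompt: succeeds once a non-empty token is supplied.
    return PAM_SUCCESS if password else PAM_AUTH_ERR


def pam_dhkeys(user: str, password: str) -> str:
    # Simulated: nobody has Secure RPC keys, so the module abstains.
    return PAM_IGNORE


def pam_unix_cred(user: str, password: str) -> str:
    # Simulated: credential setup happens in setcred, not authenticate.
    return PAM_IGNORE


def pam_unix_auth(user: str, password: str) -> str:
    # Simulated pam_unix_auth without server_policy: only the local hash
    # counts, so a user with no local entry cannot authenticate here.
    return PAM_SUCCESS if LOCAL_PASSWORDS.get(user) == password else PAM_AUTH_ERR


def pam_ldap(user: str, password: str) -> str:
    # Simulated pam_ldap: an LDAP bind as the user with the supplied password.
    return PAM_SUCCESS if LDAP_PASSWORDS.get(user) == password else PAM_AUTH_ERR


MODULES: Dict[str, Module] = {
    "pam_authtok_get.so.1": pam_authtok_get,
    "pam_dhkeys.so.1": pam_dhkeys,
    "pam_unix_cred.so.1": pam_unix_cred,
    "pam_unix_auth.so.1": pam_unix_auth,
    "pam_ldap.so.1": pam_ldap,
}

Stack = List[Tuple[str, str]]  # (control flag, module) per pam.conf line


def run_auth_stack(stack: Stack, user: str, password: str) -> str:
    """Evaluate an auth stack with pam.conf(4) control-flag semantics."""
    required_failure: Optional[str] = None  # first required/binding failure
    optional_failure: Optional[str] = None  # first sufficient/optional failure
    any_success = False
    for flag, module in stack:
        rc = MODULES[module](user, password)
        if rc == PAM_IGNORE:
            continue  # module abstains; it neither passes nor fails the user
        if rc == PAM_SUCCESS:
            any_success = True
            # binding and sufficient short-circuit on success, but only if no
            # earlier required/binding module has already failed.
            if flag in ("binding", "sufficient") and required_failure is None:
                return PAM_SUCCESS
            continue
        # The module failed.
        if flag == "requisite":
            return required_failure or rc  # stop immediately, first failure wins
        if flag in ("required", "binding"):
            required_failure = required_failure or rc  # fatal, but keep going
        else:  # sufficient, optional: a non-fatal failure
            optional_failure = optional_failure or rc
    if required_failure is not None:
        return required_failure
    if any_success:
        return PAM_SUCCESS
    return optional_failure or PAM_AUTH_ERR  # no module vouched for the user


# "other auth" as posted, with only the server_policy keyword removed (step 1).
BINDING_STACK: Stack = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("binding", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
]

# Step 2 applied: binding -> sufficient on pam_unix_auth.
SUFFICIENT_STACK: Stack = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("sufficient", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
]


def compare(user: str, password: str) -> Tuple[str, str]:
    """Result of the binding stack and of the sufficient stack for one login."""
    return (run_auth_stack(BINDING_STACK, user, password),
            run_auth_stack(SUFFICIENT_STACK, user, password))


if __name__ == "__main__":
    for user, pw in [("localadm", "local-pw"), ("clinton", "ldap-pw"),
                     ("clinton", "wrong"), ("nobody", "x")]:
        binding, sufficient = compare(user, pw)
        print(f"{user:10s} binding={binding:13s} sufficient={sufficient}")
```

For the LDAP-only user the binding stack records pam_unix_auth's failure as a required failure, so pam_ldap's later success cannot rescue the login; with sufficient the same failure is only optional and pam_ldap decides. Two things to keep in mind when adopting the sufficient form: a local account whose files password matches short-circuits before pam_ldap ever runs, so the local entry wins for any user present in both places, and a wrong password still fails both stacks because pam_ldap remains required.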
