Martin Allert wrote:
Sorry for getting so late back to you, but I am currently on a night shift.
Here are the files that you requested:
[r...@vm-tesla-1-lan pam.d]# cat gnome-screensaver
#%PAM-1.0
# Fedora Core
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
# SuSE/Novell
#auth include common-auth
#account include common-account
#password include common-password
#session include common-session
OK. So this is the one that is used by the "gnome themed locking
window", which you reported working.
[r...@vm-tesla-1-lan pam.d]# cat uthotdesk
#%PAM-1.0
# BEGIN: added to uthotdesk by SunRay Server Software -- uthotdesk
# Fedora Core
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
# SuSE/Novell
#auth include common-auth
#account include common-account
#password include common-password
#session include common-session
And this is the one used by Sun Ray loginGUI - the "grayish OpenWindows
like Xlock unlock window". (This was really originally modeled after an
old version of CDE dtlogin.)
Both look correct - in fact they are identical except for a comment. If
one works and the other doesn't, something else must be going on.
Is there anything in applicable logs that could be related?
- /var/opt/SUNWut/log/messages
- /var/log/messages
- /var/log/secure
The difference indicates that there might be a bug in Sun Ray loginGUI
wrt proper handling of Active Directory credentials upon unlock. It
would be useful if you could provide log messages that substantiate
this guess.
- Jörg
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, 15 February 2010 11:46
To: SunRay-Users mailing list
Cc: Martin Allert
Subject: Re: [SunRay-Users] Problems with pam, screenlock and uthotdesking
Martin Allert wrote:
Hello,
Maybe an interesting observation:
- When the session idle timeout comes and the user session is locked,
there comes a gnome themed locking window asking for the password,
displaying my real name. And after entering it works, I am in!
- When I pull the card, there comes a grayish OpenWindows like Xlock
unlock window I used to see on old SPARC SRSS installations with a
picture of some DTU models on the right. I am asked for my password
displaying my username.
Can you show us your /etc/pam.d/gnome-screensaver and
/etc/pam.d/uthotdesk files?
- Jörg
-----Original Message-----
From: Martin Allert [mailto:[email protected]]
Sent: Monday, 15 February 2010 03:32
To: SunRay User Mailing List
Subject: Problems with pam, screenlock and uthotdesking
Hello everybody,
I have the following problem with SRSS 4.2 and RHEL 5.4:
My utpolicy allows only login for registered cards. Self registration is
enabled. Users can login and work.
The server authenticates users against an Active Directory Server Win2k03
R2 with "Identity Management for Unix" installed. Logging in works
perfectly.
When you pull the card or hit <SHIFT-break>, some greyish screenlock
window appears which asks me for my password to login. It looks like an
ancient Openwin Motif window.
Now entering my password says "Login incorrect.". I think this has
s.th. to do with my pam stacks, 'cause when I disable the current policy
by "/opt/SUNWut/sbin/utpolicy -D -a -M -r card -s card -g" and doing a
"utrestart -c", this screensaver password does not appear any more and I
am directly logged in to my session.
I also tried regenerating the SunRay pam settings by
"/opt/SUNWut/lib/utgenpam disable && /opt/SUNWut/lib/utgenpam enable" -
to no avail.
This is what my /etc/pam.d/system-auth looks like:
[r...@vm-tesla-1-lan pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_winbind.so use_first_pass
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account sufficient pam_krb5.so minimum_uid=1000
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_winbind.so use_authtok
password sufficient pam_krb5.so minimum_uid=1000
password required pam_unix.so nullok obscure min=4 max=8 md5
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_krb5.so minimum_uid=1000
And this is what my /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver
look like:
[r...@vm-tesla-1-lan pam.d]# cat gdm
#%PAM-1.0
# BEGIN: added to gdm by SunRay Server Software -- gdm
auth requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_hotdesk.so.1
auth requisite /etc/opt/SUNWut/lib/$PLATFORM/sunray_get_user.so.1 property=username
auth required /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_amgh.so.1
auth sufficient /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user ignoreuser
auth requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
auth required /etc/opt/SUNWut/lib/$PLATFORM/sunray_get_user.so.1 prompt
auth required /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_amgh.so.1 clearuser
# END: added to gdm by SunRay Server Software -- gdm
auth required pam_env.so
auth include system-auth
# BEGIN: added to gdm by SunRay Server Software -- gdm
account sufficient /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
# END: added to gdm by SunRay Server Software -- gdm
account required pam_nologin.so
account include system-auth
password include system-auth
# BEGIN: added to gdm by SunRay Server Software -- gdm
session requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_hotdesk.so.1
session required /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
# END: added to gdm by SunRay Server Software -- gdm
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
I can see no error - Do you have a hint for this?
Yours sincerely,
Martin Allert
--
Joerg Barfurth Phone: +49 40 23646662
Software Engineer mailto:[email protected]
Desktop Technology
Thin Client Software http://www.sun.com/software/sunray/
Sun Microsystems GmbH http://www.sun.com/software/javadesktopsystem/
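
Two checks on the files quoted in this thread, as an added example (not written by any poster and not part of SRSS): the first confirms that the gnome-screensaver and uthotdesk service files are the same stack once comments are dropped, the second lists modules placed after an unconditional pam_deny.so, where a later `sufficient` success can no longer make the stack succeed. The function names are hypothetical; the sample strings are copied from the files shown above, with comment lines shortened.

```python
import re

# Samples copied from the files quoted in the thread (comment lines shortened).
GNOME_SCREENSAVER = """#%PAM-1.0
# Fedora Core
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
"""
UTHOTDESK = "# BEGIN: added to uthotdesk by SunRay Server Software\n" + GNOME_SCREENSAVER
SYSTEM_AUTH = """auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_winbind.so use_first_pass
"""

# type, control (plain word or [bracketed actions]), module, remaining arguments
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, args) tuples; comments and blanks dropped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append(m.groups())
    return rules

def same_stack(a, b):
    """True when two service files differ only in comments and spacing."""
    return parse(a) == parse(b)

def dead_after_deny(text, mtype="auth"):
    """Modules of one type listed after an unconditional pam_deny.so."""
    denied, dead = False, []
    for kind, control, module, _args in parse(text):
        if kind != mtype:
            continue
        if denied:
            dead.append(module)
        elif control.startswith("[") and re.search(r"=\d+", control):
            return []  # a numeric jump could skip pam_deny.so; not analysed here
        elif module.endswith("pam_deny.so") and control in ("required", "requisite"):
            denied = True
    return dead

if __name__ == "__main__":
    print(same_stack(GNOME_SCREENSAVER, UTHOTDESK), dead_after_deny(SYSTEM_AUTH))
```

The thread does not establish whether the module ordering reported by the second check is related to the unlock failure; the logs Jörg asks for would be the evidence for that.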