Hi Bob,

 

Thanks for the reply.  That was very informative, along with your other
clarification e-mail.  I think you misread part of my initial question
though.  While all of the 4 PAM sections for dtlogin-SunRay are used, what about
for dtSESSION-SunRay (which was my original question)?  Also, does that mean
the other 3 PAM sections for utnsclogin are unnecessarily copied when the
Sun Ray install script runs?  If only auth is used, shouldn't that be the
only section copied by the script?

 

Thanks,

William Yang

 

From: Bob Doolittle [mailto:[email protected]] 
Sent: Wednesday, January 05, 2011 5:17 PM
To: SunRay-Users mailing list
Cc: William Yang
Subject: Re: [SunRay-Users] PAM configuration on Solaris

 

Yes, dtlogin is just for CDE.

However, it's incorrect to say that only the auth stack is used (thanks
IBM).

The other stacks are all important:

account is for accounting, if you want user logins/logouts to be logged
(which is sort of the main point IMO).
password is to implement password aging, so that people are forced to
specify a new password after some period of time.
session is to manage the user session context. Sun Ray uses this stack for
example to implement parts of RHA, because it's the earliest hook available
after the user has successfully authenticated within the session.

Any Display Manager (e.g. dtlogin and gdm) will need all these stacks.

utnsclogin doesn't need these, because it's not actually a Display Manager -
it doesn't manage displays/sessions. It only does authentication and
potentially redirection to the server hosting the token's session (if a
session already exists). If a session doesn't yet exist, it uses the
underlying Display Manager to create the actual session, so the stacks for
the underlying DM will get utilized. The underlying DM's auth stack is
effectively "bypassed" after NSCM authentication (to avoid duplicate
authentication) via the pam_sunray "sufficient" module near the top of the
DM's auth stack so the DM doesn't expose its greeter and is therefore
relatively transparent to users, but it's being used.

-Bob

On 01/05/11 16:57, William Yang wrote: 

I was working on overhauling our PAM configuration today and wondered, as
before, what the dtsession-SunRay entries are for.  As far as I can tell,
dtsession is only for unlocking a locked CDE session, and this IBM link
(http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/dtsession.htm)
implies that only the auth stack is
used.  If that's the case, why are account, session, and password all
duplicated as well?  I don't see any modifications to those parts of the
stack; perhaps that's an oversight?  Similarly, I was wondering if the
account, session, and password stacks are called by utnsclogin.
 
 
 
Thanks,
 
William Yang
 
 
 
 
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
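
An added example, not part of the original thread and not Sun Ray's own code: a small Python audit that parses a Solaris-style pam.conf and reports, for each service discussed above, which of the four stacks it defines itself (versus falling back to "other") and where a pam_sunray "sufficient" entry sits in its auth stack. The sample configuration is constructed; its module file names and ordering are assumptions.

```python
"""Audit which PAM stacks each service defines in a Solaris-style pam.conf."""

MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample, NOT a real Sun Ray install's pam.conf. Module file names
# and ordering are assumptions made for illustration.
SAMPLE_PAM_CONF = """\
# service          type      control     module
dtlogin-SunRay     auth      sufficient  pam_sunray.so
dtlogin-SunRay     auth      requisite   pam_authtok_get.so.1
dtlogin-SunRay     auth      required    pam_unix_auth.so.1
dtlogin-SunRay     account   required    pam_unix_account.so.1
dtlogin-SunRay     session   required    pam_unix_session.so.1
dtlogin-SunRay     password  required    pam_authtok_store.so.1
utnsclogin         auth      requisite   pam_authtok_get.so.1
utnsclogin         auth      required    pam_unix_auth.so.1
other              account   required    pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module), ...]}} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue
        service, mtype, control, module = fields[:4]
        stacks.setdefault(service, {}).setdefault(mtype, []).append((control, module))
    return stacks

def audit_service(stacks, service, bypass_module="pam_sunray"):
    """Report, per module type, where the stack comes from, plus the bypass position."""
    own = stacks.get(service, {})
    fallback = stacks.get("other", {})
    report = {}
    for mtype in MODULE_TYPES:
        # PAM falls back to the "other" service when a service has no entries for a type.
        report[mtype] = "own" if mtype in own else ("other" if mtype in fallback else "missing")
    # Index of the first "sufficient" bypass module in the auth stack, or None.
    report["bypass_index"] = next(
        (i for i, (ctl, mod) in enumerate(own.get("auth", []))
         if ctl == "sufficient" and bypass_module in mod), None)
    return report

if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("dtlogin-SunRay", "dtsession-SunRay", "utnsclogin"):
        print(svc, audit_service(parsed, svc))
```

A `bypass_index` other than 0 on a Display Manager service means other auth modules run before the pam_sunray entry, so it is no longer at the top of that stack.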

 
