On 04/21/11 04:17 PM, Arthurpeck wrote:
This sounds like RHA, Bob. What do you think? I see the same behavior without cards. I have to enter my passwd twice.
Do you mean when NSCM policy is configured? Then your pam.conf is messed up somehow. pam_sunray.so should be near the top of your dtlogin/gdm stack, and also your xscreensaver stack. It will ensure you don't have to authenticate a second time when logging in or unlocking your screen. On Linux, where gnome-screensaver is now used instead of xscreensaver, a different technique had to be used because gnome-screensaver doesn't play by the PAM rules properly. For that case, a utaction should be running in the background of every logged-in session, which will run "utxunlock" upon hotdesking (which happens after an RHA authentication for out-of-session screen unlocks). utxunlock will use a gnome-screensaver-cmd remote operation to unlock the desktop. You should never be entering passwords twice on a properly configured system.
Fred: The first login looks like a normal Solaris/JDS login screen? Then the user gets his/her JDS desktop? Then the smartcard is pulled and later reinserted, what happens then? Unless you have direct session access enabled (not good) I would expect a JDS-looking password solicitation followed by an Xscreensaver-looking passwd solicitation. The RHA feature keeps you in jail until you enter the correct passwd, then you get connected to the original desktop where Xscreensaver is waiting. For me, when I enter my passwd the second time, I go right to my JDS desktop.
You should only need to do this if PAM is misconfigured. To correct your PAM configurations, you can run '/opt/SUNWut/lib/utctl enable', which should rewrite your PAM stacks properly to avoid this duplicate authentication. Unless you manually edited your PAM stacks and somehow broke the configuration, the other possible root cause for duplicate authentication is forgetting to reboot after product installation (where utctl enable should be run from an RC script).

-Bob

_______________________________________________
SunRay-Users mailing list
http://www.filibeto.org/mailman/listinfo/sunray-users
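An added example, not part of the original thread or of the Sun Ray software: a small Python check that reports where pam_sunray.so sits in the auth stack of the dtlogin, gdm and xscreensaver services in a Solaris-style pam.conf. The sample file contents, its control flags, the placeholder module path and the `max_position` threshold standing in for "near the top" are constructed assumptions.

```python
import os

MODULE = "pam_sunray.so"
SERVICES = ("dtlogin", "gdm", "xscreensaver")  # stacks named in the thread

# Constructed sample in pam.conf layout (not from a real system):
#   service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# control flags and paths below are placeholders for illustration
dtlogin       auth  sufficient  /path/to/pam_sunray.so
dtlogin       auth  required    pam_unix_auth.so.1
xscreensaver  auth  required    pam_unix_auth.so.1
xscreensaver  auth  sufficient  pam_sunray.so    # present, but not first
gdm           auth  required    pam_unix_auth.so.1
other         auth  required    pam_unix_auth.so.1
"""

def auth_stacks(text):
    """Return {service: [module basename, ...]} for auth entries, in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4 or fields[1].lower() != "auth":
            continue
        name = os.path.basename(fields[3])
        stacks.setdefault(fields[0].lower(), []).append(name)
    return stacks

def check(text, services=SERVICES, max_position=1):
    """Map each service to (status, position); position is 1-based or None."""
    stacks = auth_stacks(text)
    report = {}
    for svc in services:
        stack = stacks.get(svc, [])
        hits = [i for i, m in enumerate(stack, 1) if m.startswith(MODULE)]
        if not stack:
            report[svc] = ("no-auth-stack", None)  # service has no auth lines
        elif not hits:
            report[svc] = ("absent", None)
        else:
            status = "ok" if hits[0] <= max_position else "late"
            report[svc] = (status, hits[0])
    return report

if __name__ == "__main__":
    for svc, (status, pos) in check(SAMPLE_PAM_CONF).items():
        print(f"{svc:13} {status:14} position={pos}")
```

This reads only the single-file pam.conf layout; per-service files under /etc/pam.d on Linux omit the service column and would need a different parser.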
