What my users have experienced is they are presented with a screensaver and they enter their password. It looks as if it's logging them in and then it kicks them back to the screensaver asking for a password. What they've told me is they put the wrong password in it immediately balks. So I would think it's authenticating correctly. What I've found as a quick fix is to go into the Sun Ray GUI and terminate any session with that users name and they can login once again, just from the initial login screen. Hope this helps clarify a little. Certainly appreciate the help, that's for sure.
Fred R. Lucas III -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Bob Doolittle Sent: Thursday, April 21, 2011 3:31 PM To: SunRay-Users mailing list Cc: Arthurpeck Subject: Re: [SunRay-Users] login loop On 04/21/11 04:17 PM, Arthurpeck wrote: > This sounds like RHA, Bob. What do you think? I see the same behavior without > cards. I have to enter my passwd twice. Do you mean when NSCM policy is configured? Then your pam.conf is messed up somehow. pam_sunray.so should be near the top of your dtlogin/gdm stack, and also your xscreensaver stack. It will ensure you don't have to authenticate a second time when logging in or unlocking your screen. On Linux, where gnome-screensaver is now used instead of xscreensaver, a different technique had to be used because gnome-screensaver doesn't play by the PAM rules properly. For that case, a utaction should be running in the background of every logged-in session, which will run "utxunlock" upon hotdesking (which happens after an RHA authentication for out-of-session screen unlocks). utxunlock will use a gnome-screensaver-cmd remote operation to unlock the desktop. You should never be entering passwords twice on a properly configured system. > Fred: The first login looks like a normal Solaris/JDS login screen? Then the > user gets his/her JDS desktop? Then the smartcard is pulled and later > reinserted, what happens then? > > Unless you have direct session access enabled ( not good ) I would expect a > JDS looking password solicitation followed by an Xscreensaver looking passwd > solicitation. The RHA feature keeps you in jail until you enter the correct > passwd, the you get connected to the original desktop where Xscreensaver is > waiting. For me, when I enter my passwd the second time, I go right to my JDS > desktop. You should only need to do this if PAM is misconfigured. To correct your PAM configurations, you can run '/opt/SUNWut/lib/utctl enable', which should rewrite your PAM stacks properly to avoid this duplicate authentication. Unless you manually edited your PAM stacks and somehow broke the configuration, the other possible root cause for duplicate authentication is forgetting to reboot after product installation (where utctl enable should be run from an RC script). -Bob _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
