[SunRay-Users] Problems with pam, screenlock and uthotdesking

Martin Allert allert at arago.de
Wed Feb 17 05:35:20 EET 2010


Hello Joerg,

Thank you for your help. As you asked I just tried it again and had a look into the mentioned log files. Because they are too long for inline display (it would destroy the whole thread), I attached them as .txt files to this email.

As far as I understand it, pulling the card and pushing it in again has also something to do with utaction, right? And what if I could configure utaction for all users to use the gnome screensaver unlock (if there is such a feature of gnome-screensaver)?

Yours sincerely,

Martin

-----Original Message-----
From: Joerg.Barfurth at Sun.COM [mailto:Joerg.Barfurth at Sun.COM]
Sent: Tuesday, 16 February 2010 10:11
To: SunRay-Users mailing list
Cc: Martin Allert
Subject: Re: [SunRay-Users] Problems with pam, screenlock and uthotdesking

Martin Allert wrote:
> Sorry for getting so late back to you, but I am currently on a night shift.
> Here are the files that you requested:
> 
> [root@vm-tesla-1-lan pam.d]# cat gnome-screensaver
> #%PAM-1.0
> 
> # Fedora Core
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> 
> # SuSE/Novell
> #auth       include      common-auth
> #account    include      common-account
> #password   include      common-password
> #session    include      common-session
> 

OK. So this is the one that is used by the "gnome themed locking 
window", which you reported working.

> [root@vm-tesla-1-lan pam.d]# cat uthotdesk
> #%PAM-1.0
> # BEGIN: added to uthotdesk by SunRay Server Software -- uthotdesk
> 
> # Fedora Core
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> 
> # SuSE/Novell
> #auth       include      common-auth
> #account    include      common-account
> #password   include      common-password
> #session    include      common-session
> 

And this is the one used by Sun Ray loginGUI - the "grayish OpenWindows 
like Xlock unlock window". (This was really originally modeled after an 
old version of CDE dtlogin.)

Both look correct - in fact they are identical except for a comment. If 
one works and the other doesn't, something else must be going on.

Is there anything in applicable logs that could be related?

- /var/opt/SUNWut/log/messages
- /var/log/messages
- /var/log/secure

The difference indicates that there might be a bug in Sun Ray loginGUI 
wrt proper handling of Active Directory credentials upon unlock. It 
would be useful, if you could provide log messages that substantiate 
this guess.

- Jörg


> -----Original Message-----
> From: Joerg.Barfurth at Sun.COM [mailto:Joerg.Barfurth at Sun.COM]
> Sent: Monday, 15 February 2010 11:46
> To: SunRay-Users mailing list
> Cc: Martin Allert
> Subject: Re: [SunRay-Users] Problems with pam, screenlock and uthotdesking
> 
> Martin Allert wrote:
>> Hello,
>>
>> Maybe an interesting observation: 
>>
>> - When the session idle timeout comes and the user session is locked,
>> there comes a gnome themed locking window asking for the password,
>> displaying my real name. And after entering it works, I am in!
>>
>> - When I pull the card, there comes a grayish OpenWindows like Xlock
>> unlock window I used to see on old SPARC SRSS installations with a
>> picture of some DTU models on the right. I am asked for my password
>> displaying my username.
>>
> 
> Can you show us your /etc/pam.d/gnome-screensaver and 
> /etc/pam.d/uthotdesk files?
> 
> - Jörg
> 
>> -----Original Message-----
>> From: Martin Allert [mailto:allert at arago.de]
>> Sent: Monday, 15 February 2010 03:32
>> To: SunRay User Mailing List
>> Subject: Problems with pam, screenlock and uthotdesking
>>
>>
>> Hello everybody,
>>
>>
>> I have the following problem with SRSS 4.2 and RHEL 5.4:
>> My utpolicy allows only login for registered cards. Self registration is
>> enabled. Users can login and work.
>>
>> The server authenticates users against an Active Directory Server Win2k03
>> R2 with "Identity Management for Unix" installed. Logging in works
>> perfect.
>>
>> When you pull the card or hit <SHIFT-break>, some greyish screenlock
>> window appears which asks me for my password to login. It looks like an
>> ancient Openwin Motif window.
>>
>> Now entering my password says "Login incorrect.". I think this has
>> s.th. to do with my pam stacks, 'cause when I disable the current policy
>> by "/opt/SUNWut/sbin/utpolicy -D -a -M -r card -s card -g" and doing a
>> "utrestart -c", this screensaver password does not appear any more and I
>> am directly logged in to my session.
>>
>> I also tried regenerating the SunRay pam settings by
>> "/opt/SUNWut/lib/utgenpam disable && /opt/SUNWut/lib/utgenpam enable" -
>> no avail.
>>
>> This is what my /etc/pam.d/system-auth looks like:
>>
>> [root@vm-tesla-1-lan pam.d]# cat system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      pam_env.so
>> auth        sufficient    pam_krb5.so forwardable
>> auth        sufficient    pam_unix.so nullok_secure use_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        required      pam_deny.so
>> auth        sufficient    pam_winbind.so use_first_pass
>>
>> account     required      pam_unix.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     required      pam_permit.so
>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> account     sufficient    pam_krb5.so minimum_uid=1000
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    required      pam_deny.so
>> password    sufficient    pam_winbind.so use_authtok
>> password    sufficient    pam_krb5.so minimum_uid=1000
>> password    required      pam_unix.so nullok obscure min=4 max=8 md5
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
>> session     optional      pam_krb5.so minimum_uid=1000
>>
>> And this is what my /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver
>> look like:
>> [root@vm-tesla-1-lan pam.d]# cat gdm
>> #%PAM-1.0
>> # BEGIN: added to gdm by SunRay Server Software -- gdm
>> auth requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_hotdesk.so.1
>> auth requisite /etc/opt/SUNWut/lib/$PLATFORM/sunray_get_user.so.1 property=username
>> auth required /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_amgh.so.1
>> auth sufficient /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user ignoreuser
>> auth requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
>> auth required /etc/opt/SUNWut/lib/$PLATFORM/sunray_get_user.so.1 prompt
>> auth required /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_amgh.so.1 clearuser
>> # END: added to gdm by SunRay Server Software -- gdm
>> auth       required    pam_env.so
>> auth       include     system-auth
>> # BEGIN: added to gdm by SunRay Server Software -- gdm
>> account sufficient /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
>> # END: added to gdm by SunRay Server Software -- gdm
>> account    required    pam_nologin.so
>> account    include     system-auth
>> password   include     system-auth
>> # BEGIN: added to gdm by SunRay Server Software -- gdm
>> session requisite /etc/opt/SUNWut/lib/$PLATFORM/pam_sunray_hotdesk.so.1
>> session required /etc/opt/SUNWut/lib/$PLATFORM/pam_kiosk.so.1 log=user
>> # END: added to gdm by SunRay Server Software -- gdm
>> session    optional    pam_keyinit.so force revoke
>> session    include     system-auth
>> session    required    pam_loginuid.so
>> session    optional    pam_console.so
>>
>> I can see no error - Do you have a hint for this?
>>
>>
>> Yours sincerely,
>>
>> Martin Allert
>>
> 

-- 
Joerg Barfurth           Phone: +49 40 23646662
Software Engineer        mailto:joerg.barfurth at sun.com
Desktop Technology
Thin Client Software     http://www.sun.com/software/sunray/
Sun Microsystems GmbH    http://www.sun.com/software/javadesktopsystem/

Registered office:
Sun Microsystems GmbH, Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Munich District Court: HRB 161028
Managing Directors: Thomas Schroeder, Wolfgang Engels
Chairman of the Supervisory Board: Martin Haering

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: var_opt_SUNWut_log_messages.txt
URL: <http://www.filibeto.org/pipermail/sunray-users/attachments/20100217/d72f1dd8/attachment-0003.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: var_log_messages.txt
URL: <http://www.filibeto.org/pipermail/sunray-users/attachments/20100217/d72f1dd8/attachment-0004.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: var_log_secure.txt
URL: <http://www.filibeto.org/pipermail/sunray-users/attachments/20100217/d72f1dd8/attachment-0005.txt>
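
The comparison made in the reply above (the `gnome-screensaver` and `uthotdesk` service files are identical except for a comment) can be checked mechanically. The following is an added example, not part of the original thread or of the Sun Ray software: it drops comments, expands `include` lines, and compares the effective stacks of two services. The names `effective_stack` and `stack_diff` and the shortened `system-auth` sample are assumptions made for illustration.

```python
import re
from itertools import zip_longest

# Constructed sample: service files keyed by name, contents taken from the
# listings quoted in this thread (system-auth shortened to four rules).
SAMPLE = {
    "gnome-screensaver": """#%PAM-1.0
auth       include      system-auth
account    include      system-auth
""",
    "uthotdesk": """#%PAM-1.0
# BEGIN: added to uthotdesk by SunRay Server Software -- uthotdesk
auth       include      system-auth
account    include      system-auth
""",
    "system-auth": """auth        required      pam_env.so
auth        sufficient    pam_krb5.so forwardable
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
""",
}

# type, control (plain word or [bracketed list]), module, optional arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def effective_stack(service, files, seen=()):
    """Return [(type, control, module, args)] with comments dropped and includes expanded."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    rules = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"{service}: cannot parse {raw!r}")
        mtype, control, module, args = m.groups()
        if control == "include":
            # 'include' pulls in only the rules of the same type from the named file
            sub = effective_stack(module, files, seen + (service,))
            rules += [r for r in sub if r[0] == mtype]
        else:
            rules.append((mtype, control, module, tuple(args.split())))
    return rules

def stack_diff(a, b, files):
    """Positions where the two effective stacks differ (order-sensitive); [] if identical."""
    sa, sb = effective_stack(a, files), effective_stack(b, files)
    return [(i, x, y) for i, (x, y) in enumerate(zip_longest(sa, sb)) if x != y]
```

On a live system the `files` mapping would be filled by reading the files under `/etc/pam.d/`; an empty result for two services means any difference in behaviour comes from the calling application rather than from the PAM configuration.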

