Solaris 10 w/ Trusted Extensions & SRSS4u2 @ B48
Detailed Build Instructions for Sun Ray Deep Dive 
Last Update: 20 Aug 2007
Send errata, suggestions to: matt.hatley@sun.com

Setup Background:
    Network topo:
        vni0:    all-zones interface
        ce0:     129.154.16.86, Plus Sun Rays @ 129.154.16.201 - 210
        qfe1:1:  plumbed in global zone, 192.168.1.86, sbu zone
        qfe2:1:  plumbed in global zone, 192.168.2.86, secret zone
        qfe3:1:  plumbed in global zone, 192.168.3.86, topsecret zone
        
    Using Gov't Based Label Encodings File (see attached file: label_encodings)
    Finalized tnrhtp, tnrhdb, tnzonecfg, sbu.cfg, secret.cfg, topsecret.cfg
    
    SRSS Port Usage:
        7012: Sun Ray Data Store (not required in tnzonecfg as an MLP)
        7007: SRSS, set as an MLP for global zone
        7010: SRSS, set as an MLP for global zone
        7015: SRSS, set as an MLP for global zone        
        7014: SRWC, set as MLP in global zone


Base install of Solaris 10 via jumpstart.

Run netservices limited & 
    svcadm enable ftp
    svcadm disable sendmail snmpdx auditd webconsole wbem
    
    
Install Other Applications:
    Why?  
    B/c we find out early in the system build process if the label zones
    will have problems with any of our CORE applications!!!
    
    Firefox: 
        Download from mozilla.org
        mkdir -p /usr/local/pkgs
        mkdir -p /usr/local/bin
        cd /usr/local/pkgs
        bzcat /export/download/firefox-2.0.0.6.en-US.solaris10-sparc.tar.bz2 | tar xf -
        ln -s /usr/local/pkgs/firefox/firefox /usr/local/bin
        
    
    RDesktop 1.5.0:
        Download from sunfreeware.com
        pkgadd -d libiconv-1.11-sol10-sparc-local
        pkgadd -d rdesktop-1.5.0-sol10-sparc-local
        (cd /usr/sfw/lib; ln -s libcrypto.so.0.9.7 libcrypto.so.0.9.8)
        
    Top:
        wget ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/top-3.6.1-sol10-sparc-local.gz
        gunzip top-3.6.1-sol10-sparc-local.gz
        pkgadd -d top-3.6.1-sol10-sparc-local
    
    Staroffice 8 & patch:
        Uninstall Star7:
            /usr/staroffice7/setup -deinstall -d /usr/staroffice7 -n
            pkgrm SUNWsogm SUNWsom
        so8_u2_sol.sh
        rm -R /var/tmp/unpack_staroffice
        patchadd 120185-11
        

Apply dtlogin Patch:
    patchadd 119278-15
    This corrects for bug #: 6524040 (caused 14D-26D Sun Ray loop).  
    This patch is NOT in the reco'd cluster.
    
    SPARC: 119278
    x86:   119279


~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Trusted Extensions Installation/Configuration
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Install TX Pkgs:
    cd /<MEDIA LOCATION>/Solaris_10_1106/Solaris_10/ExtraValue/CoBundled/Trusted_Extensions
    MEDIA LOCATION = Jumpstart Server, CD or DvD

    Run: java wizard 
        Take defaults
    
    
Save off default TX files:
    cp -p /etc/pam.conf /etc/pam.conf.txdef
    cp -p /etc/security/tsol/label_encodings /etc/security/tsol/label_encodings.txdef
    cp -p /etc/security/tsol/tnrhdb /etc/security/tsol/tnrhdb.txdef
    cp -p /etc/security/tsol/tnrhtp /etc/security/tsol/tnrhtp.txdef
    cp -p /etc/security/tsol/tnzonecfg /etc/security/tsol/tnzonecfg.txdef
  

Set up all-zones for NICs:
    /etc/hostname.vni0 = "tx-srss all-zones"
    /etc/nodename = tx-srss

    echo "0.0.0.0" > /etc/hostname.qfe1
    echo "0.0.0.0" > /etc/hostname.qfe2
    echo "0.0.0.0" > /etc/hostname.qfe3
       

Edit /etc/hosts:
    127.0.0.1       localhost       loghost
    10.254.254.254  tx-srss         # Primary Hostname/Nodename (vni0/all-zones)
    129.154.16.86   sf6800b-d       # ce0 SWAN IP/global zone (simulates TX net)

    192.168.1.86    sbu             # qfe1:1 for TX SBU Zone
    192.168.2.86    secret          # qfe2:1 for TX SECRET Zone
    192.168.3.86    topsecret       # qfe3:1 for TX TOP SECRET Zone
    
    rm /etc/inet/ipnodes
    ln -s /etc/inet/hosts /etc/inet/ipnodes


vi /etc/security/tsol/tnrhdb:
    10.254.254.254:cipso
    129.154.16.86:cipso
    192.168.1.86:cipso
    192.168.2.86:cipso
    192.168.3.86:cipso
    

vi /etc/netmasks:
    192.168.1.0     255.255.255.0
    192.168.2.0     255.255.255.0
    192.168.3.0     255.255.255.0


Drop in NCTC SBU, Secret & Top Secret label_encodings:
    cp /export/tx-config-files/label_encodings.nctc /etc/security/tsol/label_encodings
    rehash
    # chk_encodings
    No errors found in /etc/security/tsol/label_encodings.     
       

Edit pam.conf & tnzonecfg to enable remote & unlabeled access:
    vi /etc/pam.conf
        Before:  other  account requisite pam_roles.so.1
        After:   other  account requisite pam_roles.so.1 allow_remote 
                
        Before:  other  account required  pam_tsol_account.so.1
        After:   other  account required  pam_tsol_account.so.1 allow_unlabeled
                
    vi /etc/security/tsol/tnzonecfg
        Before: global:ADMIN_LOW:1:111/tcp;111/udp;        515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
        After:  global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
           

Check TX DB files, make sure there are zero errors before rebooting:
    tnchkdb
    

REBOOT/REBOOT/REBOOT -- init 6
 


Establish Security Classifications For Each Zone:
    Retrieve hex labels for our security classifications:
        atohexlabel SBU
        0x0002-08-
        atohexlabel SECRET
        0x0005-08-
        atohexlabel "TOP SECRET"
        0x0006-08-


    vi /etc/security/tsol/tnzonecfg   
        sbu:0x0002-08-:0::
        secret:0x0005-08-:0::
        topsecret:0x0006-08-:0::

    vi /etc/security/tsol/tnrhtp
        # Unlabeled host definitions for our security labels
        sbu_tmpl:host_type=unlabeled;doi=1;def_label=0x0002-08-;min_sl=0x0002-08-;max_sl=0x0002-08-;
        secret_tmpl:host_type=unlabeled;doi=1;def_label=0x0005-08-;min_sl=0x0005-08-;max_sl=0x0005-08-;
        topsecret_tmpl:host_type=unlabeled;doi=1;def_label=0x0006-08-;min_sl=0x0006-08-;max_sl=0x0006-08-;
        
    vi /etc/security/tsol/tnrhdb
        # Unlabeled host definitions
        192.168.1.0/24:sbu_tmpl
        192.168.2.0/24:secret_tmpl
        192.168.3.0/24:topsecret_tmpl
    
    Check the TX db's, then make them hot...
    tnchkdb
    tnctl -fz /etc/security/tsol/tnzonecfg
    tnctl -fT /etc/security/tsol/tnrhtp
    tnctl -fH /etc/security/tsol/tnrhdb
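
Added example (not part of the original build notes): tnchkdb checks syntax, but not that each zone's address lands on the template carrying that zone's label. This sketch cross-checks the three files using sample data copied from the entries above; the helper names (zone_label, template_for_ip, tmpl_field, check_zone) are hypothetical, and a tnrhdb entry without a prefix length is assumed to be a single host.

```shell
#!/bin/sh
# Constructed sample data, copied from the entries shown in this guide.
TNZONECFG='sbu:0x0002-08-:0::
secret:0x0005-08-:0::
topsecret:0x0006-08-:0::'
TNRHTP='sbu_tmpl:host_type=unlabeled;doi=1;def_label=0x0002-08-;min_sl=0x0002-08-;max_sl=0x0002-08-;
secret_tmpl:host_type=unlabeled;doi=1;def_label=0x0005-08-;min_sl=0x0005-08-;max_sl=0x0005-08-;
topsecret_tmpl:host_type=unlabeled;doi=1;def_label=0x0006-08-;min_sl=0x0006-08-;max_sl=0x0006-08-;'
TNRHDB='10.254.254.254:cipso
192.168.1.0/24:sbu_tmpl
192.168.2.0/24:secret_tmpl
192.168.3.0/24:topsecret_tmpl'

# zone_label ZONE -> label (2nd field) of the zone's tnzonecfg entry
zone_label() {
    printf '%s\n' "$TNZONECFG" | awk -F: -v z="$1" '$1 == z { print $2 }'
}

# template_for_ip IP -> template of the longest matching tnrhdb prefix.
# Assumption: an entry without /len is treated as a single host (/32).
template_for_ip() {
    printf '%s\n' "$TNRHDB" | awk -F: -v ip="$1" '
        function n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        /^#/ || NF < 2 { next }
        {
            len = 32; net = $1
            if (split($1, p, "/") == 2) { net = p[1]; len = p[2] + 0 }
            blk = 2 ^ (32 - len)
            if (int(n(ip) / blk) == int(n(net) / blk) && len >= best) { best = len; t = $2 }
        }
        END { if (t != "") print t }'
}

# tmpl_field TEMPLATE KEY -> value of KEY in the template's attribute list
tmpl_field() {
    printf '%s\n' "$TNRHTP" | awk -F: -v t="$1" -v k="$2" '
        $1 == t {
            m = split($2, kv, ";")
            for (i = 1; i <= m; i++)
                if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
        }'
}

# check_zone ZONE IP: succeed only if the template covering IP is unlabeled
# and pins def_label, min_sl and max_sl to the zone's own label.
check_zone() {
    label=$(zone_label "$1"); tmpl=$(template_for_ip "$2")
    [ -n "$label" ] && [ -n "$tmpl" ] || { echo "$1: no label or no template for $2"; return 1; }
    [ "$(tmpl_field "$tmpl" host_type)" = unlabeled ] || { echo "$1: $tmpl is not unlabeled"; return 1; }
    for key in def_label min_sl max_sl; do
        val=$(tmpl_field "$tmpl" "$key")
        [ "$val" = "$label" ] || { echo "$1: $tmpl $key=$val, zone label is $label"; return 1; }
    done
    echo "$1: $2 -> $tmpl ($label) ok"
}

check_zone sbu 192.168.1.86
check_zone secret 192.168.2.86
check_zone topsecret 192.168.3.86
```

On the real system, load the three variables from the files under /etc/security/tsol instead of the inline samples.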


Setup ZFS Pool for Zones:
    We didn't allocate a slice for the zonepool
        mkfile 2048m /export/zonepool
        zpool create -f zone /export/zonepool    
    
    You could also create the zpool from a disk slice, like this:
        zpool create -f zone c1t1d0s6


Create ZFS for lowest classification zone:
    zfs create zone/sbu
    chmod 0700 /zone/sbu

    
Create Zones:
    zonecfg -z sbu       -f /export/tx-config-files/sbu.cfg
    zonecfg -z secret    -f /export/tx-config-files/secret.cfg
    zonecfg -z topsecret -f /export/tx-config-files/topsecret.cfg
        
    sbu.cfg (others are same, but different IP's & NIC's):    
        create -t SUNWtsoldef
        set zonepath=/zone/sbu
        add net
        set address=192.168.1.86/24
        set physical=qfe1
        end
        commit
        
        
Install sbu zone (takes about 20 mins):
    zoneadm -z sbu install
        Preparing to install zone <sbu>.
        Creating list of files to copy from the global zone.
        Copying <2382> files to the zone.
        Initializing zone product registry.
        Determining zone package initialization order.
        Preparing to initialize <1151> packages on the zone.
        Initialized <1151> packages on zone.                                 
        Zone <sbu> is initialized.
        Installation of these packages generated warnings: <SUNWjdtts SUNWkdtts>
        The file </zone/sbu/root/var/sadm/system/logs/install_log> contains a log of the zone installation.

   
Est zone console, do some customization/setup & boot 1st zone:
    zlogin -C sbu
    zoneadm -z sbu boot
        Answer questions, sbu uses qfe1:1
        
    Customize & setup for cloning:
        cp /.cshrc /zone/sbu/root
        netservices limited
        svcadm disable auditd sendmail snmpdx cde-login wbem webconsole
        rm /etc/auto_home_sbu 
        
    Prep zone for cloning...        
        sys-unconfig
    
    
Cloning sbu (1st, lowest class) Zone:
    zfs snapshot zone/sbu@snapshot
    zfs clone zone/sbu@snapshot zone/secret
    zfs clone zone/sbu@snapshot zone/topsecret
        
    zoneadm -z secret attach -F
    zoneadm -z topsecret attach -F
    

Boot up all the zones & answer 1st time bootup questions:
    Connect to Console: zlogin -C secret
    Boot Zone: zoneadm -z secret boot
        Reboot zone & id as secret zone, answer 1st time boot questions
            zoneadm -z secret boot
            secret         qfe2:1

            netservices limited
            svcadm disable auditd sendmail snmpdx cde-login wbem webconsole

    Connect to Console: zlogin -C topsecret
    Boot Zone: zoneadm -z topsecret boot       
        Reboot zone & id as topsecret zone, answer 1st time boot questions
            zoneadm -z topsecret boot
            topsecret      qfe3:1

            netservices limited
            svcadm disable auditd sendmail snmpdx cde-login wbem webconsole

    Boot sbu zone back up: zoneadm -z sbu boot
        sbu        qfe1:1

        netservices limited
        svcadm disable auditd sendmail snmpdx cde-login wbem webconsole


Example loopback mount of /export/logs to each zone...
    zoneadm -z sbu halt
    We'll loopback mount /export/logs, by adding these lines to each zone cfg file 
    (sbu.xml, secret.xml, topsecret.xml) in /etc/zones (after <network address line):
        <filesystem special="/export/logs" directory="/export/logs" type="lofs">
          <fsoption name="ro"/>
        </filesystem>
        
    
    Or by running these cmds (for each zone):
        zonecfg -z sbu
            add fs
                set special=/export/logs
                set dir=/export/logs
                set type=lofs
                set options=ro
            end
            exit
            
    zoneadm -z sbu boot
            
  

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Sun Ray Server Software Installation/Configuration
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

SRSS v4 u2 (B48), prerequisites, preparation, p. 9 of install guide:
    tar xf TXfixes_Beta-01.tar
        Contains 126365-01, but the 02 rev is available.  Pull it.
        Contains 126366-01, but the 02 rev is available.  Pull it.
        
    Install SPARC patches:
        patchadd 125533-01
        patchadd 126450-01
        patchadd 126363-01 
        patchadd 126365-02
        
    Install TX Fixes:
        cd TXfixes_Beta-01
        ./install-txfixes
            Installing TX bin...
            copying /usr/openwin/server/etc/TrustedExtensionsPolicy
            copying /usr/sbin/allocate
            copying /lib/libbsm.so.1
            Done!

    Install Apache Tomcat:
        cd /opt
        gtar xfz /export/download/srss_4.0/Supplemental/Apache_Tomcat/apache-tomcat-5.5.20.tar.gz
        mv apache-tomcat-5.5.20 apache-tomcat


SRSS v4 u2 Install (Chap 3 Installation, p. 13):
    cd /export/download/srss_4.0
    utinstall
        Java 1.5 loc is: /usr/java
        
    Sun Ray installation guide calls for a reboot here, but we're gonna hold off
    & do a few other configs that also require a reboot.  That way we avoid 2
    nearly successive reboots.

    
Setup tnrhdb for DTUs (Chap 7, p. 40):
    DTU's @ SWAN.  Add following entries to tnrhdb:
        129.154.0.0/24:admin_low
        
        NORMALLY, you'd setup for DTU's on a local net
            Shared Sun Ray Topo: 129.154.16.0
        or behind a NIC (Private Sun Ray topo):
            ce1: 192.168.128
        
    
    tnchkdb
    tnctl -fH /etc/security/tsol/tnrhdb
    
    Verify:
        tninfo -h 129.154.16.1
        IP address= 129.154.16.1
        Template = admin_low

   
Add & modify to support SRSS MLP requirements (changes to tnzonecfg):
    SRSS services: 7007, 7010, 7015
    Increase # of ports for X (change port range from 6000-6003 to 6000-6050)
    
    Check MLP's in global zone before: tninfo -m global
        private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp;32779/tcp;32780/ip
        shared: 6000-6003/tcp

    vi tnzonecfg (we're using zone specific IP's, field 5 is for private NICs, field 4 is shared)...
    Before: global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp

    After:  global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp; \
            6000-6050/tcp;7007/tcp;7010/tcp;7015/tcp:6000-6050/tcp

    After line is 1 contiguous line, it's only continued for viewing simplicity.
    This mod covers zone specific NICs
    
    Syntax check: tnchkdb
    Make it hot:  tnctl -fz tnzonecfg
    Check MLP's in global zone after: tninfo -m global
        private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7010/tcp;7015/tcp
        shared: 6000-6050/tcp
    
        
For convenience, add Sun Ray to path & manpath (this is a C-Shell/.cshrc example):
    # If SunRay is installed, then config environment
    if (-d /opt/SUNWut) then
            setenv PATH       ${PATH}:/opt/SUNWut/bin:/opt/SUNWut/sbin:/opt/SUNWuttsc/bin
            setenv MANPATH ${MANPATH}:/opt/SUNWut/man:/opt/SUNWuttsc/man
    endif
    

Apply this correction as work-around for bug #6550104:
    This corrects a TX bug in the Trusted JDS workspace switcher.
    Per Glenn Faden.
    
    At EOF add this line:
        extension MIT-SHM
    to this file:
        /usr/openwin/server/etc/TrustedExtensionsPolicy
    & this file, if the file exists:
        /usr/X11/lib/X11/xserver/TrustedExtensionsPolicy


Lock Screen Work-Around (requires root):
    TX Xscreensaver fix (bug id 5106790), make this mod to both files:
        /usr/dt/config/Xinitrc.jds
        /usr/dt/config/Xinitrc.tjds
        Add this line directly after the initial comments:
            # Added the line below for workaround of bug id 5106790
            export PATH=$PATH:/usr/openwin/bin:/usr/dt/bin 

SRSS Release Notes & other called for Work-Arounds...
    Audio Bug (# 6540145): chmod u-s /opt/SUNWut/bin/utaudio
    
            
REBOOT/REBOOT/REBOOT -- init 6
    

Configure SRSS Shared Interconnect (we're gonna use that) & restart SRSS Services:
    Normally, you'd configure shared or private subnet
        Shared:  /opt/SUNWut/sbin/utadm -A 192.168.1.0
        Private: /opt/SUNWut/sbin/utadm -a ce1 (192.168.128.1, DHCP here as well)
        
    But we want to make sure we don't interfere w/ existing SWAN SRSS's.  So, 
    we'll just run:
        utadm -L on
    
    Example run turning on DHCP...
        # /opt/SUNWut/sbin/utadm -A 129.154.16.0
        ### Configuring /etc/nsswitch.conf
        ### Configuring Service information for Sun Ray
        ### Disabling Routing
          Selected values for subnetwork "129.154.16.0" 
            net mask:           255.255.255.0
            no IP addresses offered
            auth server list:   129.154.16.86
            firmware server:    129.154.16.86
          Accept as is? ([Y]/N): n
          netmask: 255.255.255.0 (cannot be changed - system defined netmask)
          Do you want to offer IP addresses for this subnet? (Y/[N]): y
          new first Sun Ray address: [129.154.16.245] 129.154.16.201
          number of Sun Ray addresses to allocate: [54] 10
          auth server list:     129.154.16.86
        To read auth server list from file, enter file name: 
        Auth server IP address (enter <CR> to end list): 
        If no server in the auth server list responds, 
        should an auth server be located by broadcasting on the network? ([Y]/N): 
          new firmware server: [129.154.16.86] 
          new router: [129.154.16.1] 
          Selected values for subnetwork "129.154.16.0" 
            net mask:           255.255.255.0
            first unit address: 129.154.16.201
            last unit address:  129.154.16.210
            auth server list:   129.154.16.86
            firmware server:    129.154.16.86
            router:             129.154.16.1
          Accept as is? ([Y]/N): Y
        ### Configuring firmware version for Sun Ray
        ### Successfully enabled tftp for firmware downloads
                All the units served by "hobart-tx" on the 129.154.16.0
                network interface, running firmware other than version
                "4.0_26_2007.05.01.18.32" will be upgraded at their next power-on.

        ### Configuring Sun Ray Logging Functions
        ### Turning on Sun Ray LAN connection

        NOTE: utrestart must be run before LAN connections will be allowed

        DHCP is not currently running, should I start it? ([Y]/N): Y
        
        # utrestart -c
        A cold restart has been initiated... messages will be logged to /var/opt/SUNWut/log/messages.



SRSS Configuration, Cont'd:
    utconfig
        Web GUI Login: admin
        Password: cangetin
    
    If utconfig'd for a FOG, follow directions in install/config guide chap 7.
    


REBOOT/REBOOT/REBOOT -- init 6
    
   
    
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Sun Ray Windows Connector Installation/Configuration
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Pre-Config:
    groupadd srwcgrp

Installation/Base Config:
    cd /export/download/srwc_2.0/
    ./installer
    
    /opt/SUNWuttsc/sbin/uttscadm -c
    /opt/SUNWut/sbin/utrestart
    

Be sure Windows TS servers are configured in tnrhdb
    They are picked up by these entries:
        192.168.1.0/24:sbu_tmpl
        192.168.2.0/24:secret_tmpl
        192.168.3.0/24:topsecret_tmpl

Set up Shared MLP for uttscpd daemon (7014) in global zone:
    Add 7014/tcp to last field
    Before: global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7015/tcp:\
            6000-6050/tcp
    After:  global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp:\
            6000-6050/tcp
    
    tnchkdb
    tnctl -fz /etc/security/tsol/tnzonecfg
    tninfo -m global
        private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp
        shared: 6000-6050/tcp
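
Added example (not part of the original build notes): a check that a global-zone tnzonecfg entry covers the ports this guide opens as MLPs, SRSS 7007/7010/7015 and SRWC 7014 plus the widened X range, including ports that sit inside a lo-hi range. The helper names are hypothetical; the two MLP lists are called private and shared in the order tninfo -m prints them above.

```shell
#!/bin/sh
# Constructed sample: the final global-zone entry from this guide, as one line.
GLOBAL_LINE='global:ADMIN_LOW:1:111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp:6000-6050/tcp'

# mlp_covers LIST PORT PROTO: succeed if the semicolon-separated MLP list
# contains PORT/PROTO as a single port or inside a lo-hi range.
mlp_covers() {
    list=$1 port=$2 proto=$3 found=1
    old_ifs=$IFS; IFS=';'
    for entry in $list; do
        [ "${entry#*/}" = "$proto" ] || continue
        range=${entry%/*}; lo=${range%-*}; hi=${range#*-}
        case "$lo$hi" in ''|*[!0-9]*) continue ;; esac   # skip malformed entries
        if [ "$lo" -le "$port" ] && [ "$port" -le "$hi" ]; then found=0; break; fi
    done
    IFS=$old_ifs
    return $found
}

# mlp_field LINE N: print colon-separated field N of a tnzonecfg entry
# (4 = first MLP list, 5 = second MLP list).
mlp_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# missing_mlps LINE: print every required port the entry does not cover.
# The X range is checked at its endpoints, 6000 and 6050.
missing_mlps() {
    priv=$(mlp_field "$1" 4); shared=$(mlp_field "$1" 5)
    for p in 7007 7010 7014 7015 6000 6050; do
        mlp_covers "$priv" "$p" tcp || echo "private:$p/tcp"
    done
    for p in 6000 6050; do
        mlp_covers "$shared" "$p" tcp || echo "shared:$p/tcp"
    done
}

out=$(missing_mlps "$GLOBAL_LINE")
if [ -z "$out" ]; then
    echo "all required MLPs present"
else
    printf 'missing:\n%s\n' "$out"
fi
```

To check the live file, pass the output of grep '^global:' /etc/security/tsol/tnzonecfg to missing_mlps before running tnctl.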
        

Create /etc/services entries for uttscpd daemon 
    This 7014 port is added to global zone /etc/services, but not for each zone.
    You can add it by hand or loopback mount /etc/services to each zone.
    
    We'll loopback mount /etc/services, by adding these lines to each zone cfg file 
    (sbu.xml, secret.xml) in /etc/zones (after <network address line):
        <filesystem special="/etc/inet/services" directory="/etc/inet/services" type="lofs">
          <fsoption name="ro"/>
        </filesystem>
    Or by running these cmds (for each zone):
        zoneadm -z sbu halt
        zonecfg -z sbu
            add fs
                set special=/etc/inet/services
                set dir=/etc/inet/services
                set type=lofs
                set options=ro
            end
            exit

    Then reboot each zone: zoneadm -z <zone> reboot
    
    
REBOOT/REBOOT/REBOOT -- init 6

   
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
User Customization
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

Build Logon:
    Start SMC
    Bring up the User Manager. Add yourself as a user.

    After account is created, click on it to modify settings:

    Regular users get:
        Basic Solaris 
        Device Management

    Modify TX settings
        Set Timeout to Forever
        Set Lock account to No
        Set Clearance

    Instead of making root a role, just edit the file /etc/user_attr
    add ";roles=root" to end of the entry for yourself.

