On Friday 30 July 2010 15:28:00 [email protected] wrote:
> Today's Topics:
>
> 1. Re: Sun Ray authentication with LDAP (Alex Brulo)
> 2. Re: Sun Ray authentication with LDAP (Michel Dubois)
> 3. Re: Sun Ray authentication with LDAP (William Yang)
> 4. Intel or AMD for Linux Sunray Server? (Ken Mandelberg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 30 Jul 2010 10:45:53 +0100
> From: Alex Brulo <[email protected]>
> To: <[email protected]>
> Subject: Re: [SunRay-Users] Sun Ray authentication with LDAP
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Sorry Michel
>
> I'd must have missed a post or two and thought you were using VDI
> and not native sessions.
>
> I attach my pam.conf for Solaris 10
> which works with JDS, Sun Ray clients against OpenLDAP
>
> A
>
>
>
> =======================================
> Alex Brulo
> Senior Server Engineer (HPC)
> Information Systems Aston (ISA)
> Aston University, Aston Triangle,
> Birmingham, B4 7ET
> Tel: 0121 204 3673
> ISA "Aiming for Excellence in ICT Services"
> =======================================
> Please consider the environment before printing this e-mail
> =======================================
> -------------- next part --------------
> #
> #ident "@(#)pam.conf 1.31 07/12/07 SMI"
> #
> # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> #login auth required pam_dhkeys.so.1
> login auth sufficient pam_ldap.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_ldap.so.1
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> #krlogin auth required pam_unix_cred.so.1
> #krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> ssh auth sufficient pam_ldap.so.1
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> #krsh auth required pam_unix_cred.so.1
> #krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> #ktelnet auth required pam_unix_cred.so.1
> #ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> #ppp auth requisite pam_authtok_get.so.1
> #ppp auth required pam_dhkeys.so.1
> #ppp auth required pam_unix_cred.so.1
> #ppp auth required pam_unix_auth.so.1
> #ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth sufficient pam_ldap.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth sufficient pam_ldap.so.1
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account sufficient pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> # BEGIN: added to xscreensaver by SunRay Server Software -- xscreensaver
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth sufficient pam_ldap.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth required pam_unix_auth.so.1
> xscreensaver account sufficient /opt/SUNWut/lib/pam_sunray.so
> xscreensaver account requisite pam_roles.so.1
> xscreensaver account required pam_unix_account.so.1
> xscreensaver account sufficient pam_ldap.so.1
> # BEGIN: added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> dtlogin-SunRay password required pam_dhkeys.so.1
> dtlogin-SunRay password requisite pam_authtok_get.so.1
> dtlogin-SunRay password requisite pam_authtok_check.so.1
> dtlogin-SunRay password required pam_authtok_store.so.1
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/pam_sunray_hotdesk.so.1
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> dtlogin-SunRay auth sufficient /opt/SUNWkio/lib/pam_kiosk.so.1 log=user ignoreuser
> dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
> dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> dtlogin-SunRay auth requisite pam_authtok_get.so.1
> dtlogin-SunRay auth sufficient pam_ldap.so.1
> dtlogin-SunRay auth required pam_dhkeys.so.1
> dtlogin-SunRay auth required pam_unix_cred.so.1
> dtlogin-SunRay auth required pam_unix_auth.so.1
> dtlogin-SunRay account sufficient /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
> dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay account requisite pam_roles.so.1
> dtlogin-SunRay account required pam_unix_account.so.1
> dtlogin-SunRay account sufficient pam_ldap.so.1
> dtlogin-SunRay session requisite /opt/SUNWut/lib/pam_sunray_hotdesk.so.1
> dtlogin-SunRay session required /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
> dtlogin-SunRay session required pam_unix_session.so.1
> # BEGIN: added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> dtsession-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> dtsession-SunRay account requisite pam_roles.so.1
> dtsession-SunRay account required pam_unix_account.so.1
> dtsession-SunRay account sufficient pam_ldap.so.1
> dtsession-SunRay session required pam_unix_session.so.1
> dtsession-SunRay password required pam_dhkeys.so.1
> dtsession-SunRay password requisite pam_authtok_get.so.1
> dtsession-SunRay password requisite pam_authtok_check.so.1
> dtsession-SunRay password required pam_authtok_store.so.1
> dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> dtsession-SunRay auth requisite pam_authtok_get.so.1
> dtsession-SunRay auth sufficient pam_ldap.so.1
> dtsession-SunRay auth required pam_dhkeys.so.1
> dtsession-SunRay auth required pam_unix_cred.so.1
> dtsession-SunRay auth required pam_unix_auth.so.1
> # BEGIN: added to utnsclogin by SunRay Server Software -- utnsclogin
> utnsclogin account requisite pam_roles.so.1
> utnsclogin account required pam_unix_account.so.1
> utnsclogin account sufficient pam_ldap.so.1
> utnsclogin session required pam_unix_session.so.1
> utnsclogin password required pam_dhkeys.so.1
> utnsclogin password requisite pam_authtok_get.so.1
> utnsclogin password requisite pam_authtok_check.so.1
> utnsclogin password required pam_authtok_store.so.1
> utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utnsclogin auth requisite pam_authtok_get.so.1
> utnsclogin auth sufficient pam_ldap.so.1
> utnsclogin auth required pam_dhkeys.so.1
> utnsclogin auth required pam_unix_cred.so.1
> utnsclogin auth required pam_unix_auth.so.1
> # BEGIN: added to utadmingui by SunRay Server Software -- utadmingui
> # utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
> # BEGIN: added to utgulogin by SunRay Server Software -- utgulogin
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> # BEGIN: added to uthotdesk by SunRay Server Software -- uthotdesk
> uthotdesk account requisite pam_roles.so.1
> uthotdesk account required pam_unix_account.so.1
> uthotdesk account sufficient pam_ldap.so.1
>
> ------------------------------
>
> Message: 2
> Date: Fri, 30 Jul 2010 13:49:33 +0200
> From: Michel Dubois <[email protected]>
> To: SunRay-Users mailing list <[email protected]>
> Subject: Re: [SunRay-Users] Sun Ray authentication with LDAP
> Message-ID:
> <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Alex
> Thanks very much for your pam.conf, but this does not solve my problem.
> To summarize, I believe I can connect with an LDAP user on my DTU, but
> I get a black screen followed by the login screen of the Sun Ray server. If
> I type a wrong password the login screen of my DTU told me the wrong type.
Michel,
it looks like an LDAP problem. On my server
all the files under /var/dt are owned by root
-rw------- 1 root root 44 Mar 15 10:15 A:0-rOaikc
-rw------- 1 root root 44 Jul 30 16:00 A:0-VfbWpc
-rw------- 1 utku32 utkiosk 44 Mar 15 08:33 A:11-sOaikc
-rw------- 1 utku34 utkiosk 44 Mar 15 09:01 A:12-vOaikc
-rw------- 1 utku35 utkiosk 44 Mar 15 09:09 A:13-wOaikc
-rw------- 1 utku21 utkiosk 44 Mar 10 10:48 A:14-2Laikc
-rw------- 1 utku41 utkiosk 44 Jul 29 18:29 A:15-jfbWpc
-rw------- 1 root root 44 Jul 30 16:00 A:16-WfbWpc
-rw------- 1 utku36 utkiosk 44 Jul 29 11:59 A:17-kfbWpc
-rw------- 1 utku42 utkiosk 44 Jul 30 09:56 A:18-KfbWpc
-rw------- 1 utku43 utkiosk 44 Jul 30 09:56 A:19-LfbWpc
-rw------- 1 utku1 utkiosk 44 May 28 10:26 A:2-pKaWpc
-rw------- 1 utku47 utkiosk 44 Jul 30 15:27 A:20-TfbWpc
-rw------- 1 root root 44 Jul 30 16:00 A:24-ccbWpc
-rw------- 1 utku33 utkiosk 44 Mar 15 08:49 A:3-tOaikc
-rw------- 1 utku36 utkiosk 44 Mar 15 09:36 A:9-xOaikc
drwxr-xr-x 3 root root 512 Dec 10 2009 appconfig
-rw-r--r-- 1 root root 0 Jul 30 16:00 bw.10
-rw-r--r-- 1 root root 0 Jul 30 16:00 bw.11
-rw-r--r-- 1 root root 0 Jul 30 16:00 bw.12
only the files of kiosk (VDI) users are different
My Xerror file is nearly identical to yours, including errors
but that does not stop the operation of JDS sessions and Kiosk sessions.
> I created a local login, it works without PB.
again looks like LDAP / Solaris errors.
I would also check that name services can actually get information from LDAP.
As William suggested, running: getent passwd, getent passwd username, getent group
It also might be worth checking that the user's $HOME exists in the right place.
For example on my server:
getent passwd bruloay
bruloay:x:46021:2099:AY BRULO:/home/bruloay:/bin/bash
all user directories are under /home,
whereas on Solaris it would traditionally be under /export/home
The other place to check is /var/ldap
ldap_client_cred for example
and compare the cipher type with what your LDAP server is using and
expecting for the proxy account (if you are using one for NS_LDAP_AUTH=simple).
ldapclient on Solaris 10 puts in the {} type used by Sun Directory Server.
It also might be worth checking the mapping in ldap_client_file and comparing it to
what is used by your LDAP server.
For example, on Solaris 10 I had to have this entry:
NS_LDAP_OBJECTCLASSMAP= passwd:unixAccount=posixAccount
Alex
> I noticed a magic cookie with the GID and the UID of root in the /var/dt/
> directory when I try an LDAP user login
>
> :/var/dt# ll
>
> total 140
> -rw------- 1 root root 44 juil 30 13:13 A:2-j8aiPc
> If I'm connected with the local user this file has the GID and UID of the
> local user.
>
> I've got errors in the /var/dt/Xerror file like:
> Fri Jul 30 09:34:32 2010
> error (pid 2893): Session start failed
> utdmevent: unable to delete file
> FreeFontPath: FPE "/usr/X11/lib/X11/fonts/misc/" refcount is 2, should be
> 1; fixing.
>
> The XKEYBOARD keymap compiler (xkbcomp) reports:
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
> > Warning: Symbol map for key <KPEQ> redefined
> > Using last definition for conflicting fields
>
> Errors from xkbcomp are not fatal to the X server
>
> The XKEYBOARD keymap compiler (xkbcomp) reports:
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod3, ignoring Mod2.
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
>
> Errors from xkbcomp are not fatal to the X server
>
> Fri Jul 30 13:13:47 2010
> error (pid 3293): Session start failed
> Error in getting user name: Bad file number
> Fri Jul 30 13:13:47 2010
> error (pid 1353): Server for display :2 terminated unexpectedly 0
> id: invalid user name: "mdubois"
> id: invalid user name: "mdubois"
> utdmevent: unable to delete file
> /tmp/SUNWut/mnt/mdubois: No such file or directory
>
> The XKEYBOARD keymap compiler (xkbcomp) reports:
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
> > Warning: Symbol map for key <KPEQ> redefined
> > Using last definition for conflicting fields
>
> Errors from xkbcomp are not fatal to the X server
>
> The XKEYBOARD keymap compiler (xkbcomp) reports:
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod3, ignoring Mod2.
> > Error: Mode_switch added to symbol map for multiple modifiers
> > Using Mod2, ignoring Mod3.
>
> Errors from xkbcomp are not fatal to the X server
>
> Regards,
>
> ------------------------------
>
> Message: 4
> Date: Fri, 30 Jul 2010 10:27:51 -0400
> From: Ken Mandelberg <[email protected]>
> To: [email protected]
> Subject: [SunRay-Users] Intel or AMD for Linux Sunray Server?
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> We are looking at upgrading our Linux Sunray server. We run a single
> Linux image (no virtualization). The choices in 2 socket servers seem to
> be dual Intel 6 core chips (eg X5670 2.93 ghz) or dual AMD Opteron 12
> core chips (eg 6168 1.9ghz).
>
> The Intels support 2 threads per core, the AMD's just 1, so either way
> 24 threads.
>
> The Spec benchmarks for servers do not really relate well to Sunray
> desktop performance. The two dimensions of interest to us are:
>
> * Single user perceived performance of desktop applications assuming
> no lack of resources due to other users.
>
> * Number of Sunray sessions it can handle before performance degrades.
>
> We have always been critical of single user performance even when
> graphics haven't been the bottleneck. I'm suspicious of the low
> clockrate AMD cores for applications that are dominated by a single thread.
>
> Any thoughts?
>
>
>
> ------------------------------
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
>
> End of SunRay-Users Digest, Vol 78, Issue 58
> ********************************************
>
--
=======================================
Alex Brulo
Senior Server Engineer (HPC)
Information Systems Aston (ISA)
Aston University, Aston Triangle,
Birmingham, B4 7ET
Tel: 0121 204 3673
ISA "Aiming for Excellence in ICT Services"
=======================================
Please consider the environment before printing this e-mail
=======================================
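
The name-service, home-directory and ldap_client_file checks suggested in the reply above, collected into a shell sketch. This is an added example, not part of the original message; the function names are hypothetical, and it assumes a POSIX shell with `getent` and `id` on the Sun Ray server.

```shell
#!/bin/sh
# Added example (not from the thread). The quoted Xerror log shows
# `id: invalid user name`, so check the name-service lookups directly.

# check_passwd_line USER LINE
#   LINE is one passwd-format record, as printed by `getent passwd USER`.
#   Prints findings; returns 0 only if the record is usable for a session.
check_passwd_line() {
    want=$1
    line=$2
    rc=0
    if [ -z "$line" ]; then
        echo "FAIL: name service returned no passwd entry for $want"
        return 1
    fi
    # Split name:passwd:uid:gid:gecos:home:shell on ':' only (gecos may hold spaces).
    IFS=: read -r name _pw uid gid _gecos home _shell <<EOF
$line
EOF
    [ "$name" = "$want" ] || { echo "FAIL: entry is for '$name', not '$want'"; rc=1; }
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "FAIL: non-numeric uid/gid '$n'"; rc=1 ;;
        esac
    done
    if [ -z "$home" ]; then
        echo "FAIL: empty home directory field"; rc=1
    elif [ ! -d "$home" ]; then
        echo "FAIL: home directory $home does not exist on this server"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $want uid=$uid gid=$gid home=$home"
    fi
    return "$rc"
}

# client_setting FILE KEY
#   Print the value of KEY from an ldapclient-style "KEY= value" file such as
#   /var/ldap/ldap_client_file; returns 1 if the key is absent or empty.
client_setting() {
    sed -n "s/^$2=[[:space:]]*//p" "$1" | grep .
}

# check_user USER: run the live lookups against the configured name services.
check_user() {
    check_passwd_line "$1" "$(getent passwd "$1")" || return 1
    id "$1" >/dev/null 2>&1 || { echo "FAIL: id cannot resolve $1"; return 1; }
}

# Run only when a user name is given, e.g.: sh check.sh mdubois
if [ $# -gt 0 ]; then
    check_user "$1"
    if [ -r /var/ldap/ldap_client_file ]; then
        client_setting /var/ldap/ldap_client_file NS_LDAP_OBJECTCLASSMAP
    fi
fi
```

A failure from `check_passwd_line` while the password prompt still rejects wrong passwords points at the `passwd` lookup path rather than at the PAM stack.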