GDM is not yet the default login program on Solaris. If you wish to switch to using GDM, then you need to turn off CDE login and start the GDM service. Note that turning off or disabling CDE login will cause any running sessions to exit immediately, and any unsaved data will be lost. Only run these commands if you are sure there is no unsaved data in your running sessions. It would be best to run these commands from console login, or a Failsafe Terminal, rather than from a running GUI session. The first step is to run the following command to see if CDE login is running as an SMF service.
svcs cde-login
If the svcs command responds that this service is enabled, then run this command to disable CDE login:
svcadm disable cde-login
If the svcs command responds that this pattern doesn't match any instances, then run these commands to stop CDE login:
/usr/dt/config/dtconfig -d
Either reboot, or kill any running dtlogin processes.
At this point you will be presented with a console login. Log in as root and run the following command, where servicename is "gdm2-login" on Solaris 10 and "gdm" on Solaris Nevada.
svcadm enable servicename
On Solaris, the following configuration is recommended. This turns on IPv6 and also turns on PreFetch for performance benefit.
./autogen.sh --prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var --libexecdir=/usr/lib --enable-ipv6=yes --with-at-bindir=/usr/sfw/bin --with-prefetch --with-post-path=/usr/openwin/bin --with-pam-prefix=/etc --with-lang-file=/etc/default/init
Configuring GDM with the "--with-post-path=/usr/openwin/bin" option is recommended on Solaris for accessing X server programs.
GDM supports /etc/logindevperm, but only on Solaris 10 and higher. Refer to the logindevperm.4 man page for more information.
To make /etc/logindevperm functionality work on Solaris 9 or earlier you would have to hack the GDM PreSession and PostSession scripts to chmod the device permissions directly. In other words, if /etc/logindevperm had a listing like this:
/dev/console 0600 /dev/sound/* # audio devices
Then the PreSession script would need to be modified to chown /dev/console to the user:group who is logging into the console and ensure whatever permissions are specified in /etc/logindevperm (0600 for the line above). Then, in the PostSession script, chmod the device back to root:root and ensure 0600 this time (do not use the value in the /etc/logindevperm file). Linux uses a different mechanism for managing device permissions, so this extra scripting is not needed.
Automatic login does not work on Solaris 10 and earlier because PAM is not configured to support this feature by default. Automatic login is a GDM feature that is not enabled by default, so you would only notice this problem if you try to make use of it. Turning this feature on causes your computer to log in to a specified username on startup without asking for a username and password. This is an insecure way to set up your computer.
If using Solaris 10 or lower, then you need to compile the pam_allow.c code provided with the GDM release and install it to /usr/lib/security (or provide the full path in /etc/pam.conf) and ensure it is owned by uid 0 and not group or world writable.
The following are reasonable pam.conf values for turning on automatic login in GDM. Make sure to read the PAM documentation (e.g. pam.d/pam.conf man page) and be comfortable with the security implications of any changes you intend to make to your configuration.
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
gdm-autologin account sufficient pam_allow.so.1
gdm-autologin session sufficient pam_allow.so.1
gdm-autologin password sufficient pam_allow.so.1
The above setup will cause no lastlog entry to be generated. If a lastlog entry is desired, then use the following for session:
gdm-autologin session required pam_unix_session.so.1
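Because pam_allow accepts any login without credentials, it is worth confirming that it is referenced only by the gdm-autologin service and that the module file meets the ownership rule given above. The following shell checks are an added example, not part of GDM; the function names and the sample pam.conf content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GDM code): audit checks for the pam.conf setup above.

# Print every service in a pam.conf-style file on stdin that references
# pam_allow, one name per line. Comments and blank lines are ignored.
pam_allow_services() {
    awk '{ sub(/#.*/, "") }
         NF >= 4 && $4 ~ /pam_allow\.so/ { print $1 }' | sort -u
}

# Print services other than gdm-autologin that use pam_allow.
# Empty output is the expected state.
unexpected_pam_allow() {
    pam_allow_services | awk '$0 != "gdm-autologin"'
}

# Succeed only if UID ($1) is 0 and an ls-style mode string ($2, such as
# "-rwxr-xr-x") has neither the group-write nor the world-write bit set.
perms_ok() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Apply perms_ok to a module file, following symlinks (ls -L).
module_secure() {
    line=$(ls -lnL "$1" 2>/dev/null) || return 1
    set -- $line                 # fields: mode, links, uid, gid, ...
    perms_ok "$3" "$1"
}

# Constructed sample: the page's entries, a commented-out line, and one
# stray "other" entry that the audit should flag.
sample_pam_conf() {
    cat <<'EOF'
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
gdm-autologin account sufficient pam_allow.so.1
gdm-autologin session required pam_unix_session.so.1
gdm-autologin password sufficient pam_allow.so.1
# login auth sufficient pam_allow.so.1
other auth sufficient /usr/lib/security/pam_allow.so.1
EOF
}

sample_pam_conf | unexpected_pam_allow    # prints: other
```

On a real system, feed /etc/pam.conf to unexpected_pam_allow on stdin and pass the installed module path (for example /usr/lib/security/pam_allow.so.1) to module_secure.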
Starting with GDM 2.19, GDM supports RBAC (Role Based Access Control) for enabling the system commands (Shutdown, Reboot, Suspend, etc.) that appear in the greeter system menu and via the gdmflexiserver QUERY_LOGOUT_ACTION, SET_LOGOUT_ACTION, and SET_SAFE_LOGOUT_ACTION commands.
On Solaris GDM has the following value specified for the RBACSystemCommandKeys configuration option.
HALT:solaris.system.shutdown;REBOOT:solaris.system.shutdown
This will cause the SHUTDOWN and REBOOT features to only be enabled for users who have RBAC authority, that is, for users who have the "solaris.system.shutdown" authorization name specified. The GDM greeter will only display these options if the gdm user (specified in the User configuration option, "gdm" by default) has such RBAC permissions.
Therefore, add the "solaris.system.shutdown" authorization name to /etc/user_attr for all users who should have authority to shut down and reboot the system. If you want these options to appear in the greeter program, also add this authorization name to the gdm user. If you don't want to use RBAC, then you may unset the RBACSystemCommandKeys GDM configuration key, and this will make the system commands available for all users. Refer to the user_attr man page for more information about setting RBAC privileges.
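To review who currently holds the shutdown authorization, and whether the gdm user has it (which decides whether the greeter shows the system commands), the user_attr entries can be scanned directly. This is an added example, not part of GDM; the function names and sample entries are constructed, and it only reads auths= attributes, not authorizations inherited through profiles or system defaults.

```shell
#!/bin/sh
# Added example (not GDM code): who is granted an authorization directly
# in a user_attr-style file read from stdin.

# Print each user whose auths= attribute grants AUTH ($1), either by exact
# name or through a trailing wildcard such as solaris.system.* or solaris.*.
users_with_auth() {
    awk -v want="$1" '
        function grants(have,   pre) {
            if (have == want) return 1
            if (have !~ /\.\*$/) return 0
            pre = substr(have, 1, length(have) - 1)   # "solaris.*" -> "solaris."
            return substr(want, 1, length(pre)) == pre
        }
        BEGIN { FS = ":" }
        /^[ \t]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^auths=/) continue
                m = split(substr(kv[i], 7), a, ",")
                for (j = 1; j <= m; j++)
                    if (grants(a[j])) { print $1; next }
            }
        }'
}

# Succeed if USER ($1) is granted AUTH ($2) in the file on stdin.
has_auth() {
    users_with_auth "$2" | grep -qxF "$1"
}

# Constructed sample entries (user:qualifier:res1:res2:attr).
sample_user_attr() {
    cat <<'EOF'
# carol::::auths=solaris.system.shutdown
root::::auths=solaris.*,solaris.grant;profiles=All
gdm::::type=normal;auths=solaris.system.shutdown
alice::::type=normal;auths=solaris.system.*
bob::::type=normal;profiles=Basic Solaris User
EOF
}

sample_user_attr | users_with_auth solaris.system.shutdown   # root, gdm, alice
```

On a live system, the auths command reports a user's effective authorizations, including those granted through profiles.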
Note that on Solaris there are two programs that can be used to shut down the system. These are GDM and gnome-sys-suspend. gnome-sys-suspend is a GUI front-end for the sys-suspend command.
If GDM is being used as the login program and the user has RBAC permissions to shut down the machine (or RBAC support is disabled in GDM), then the GNOME panel "Shut Down..." option will use GDM to shut down, reboot, and suspend the machine. This is a bit nicer than using gnome-sys-suspend since GDM will wait until the user session has finished (including running the PostSession script, etc.) before running the shutdown/reboot/suspend command. Also, the gnome-sys-suspend command is less functional since it does not support a reboot option, only shutdown and suspend.
If GDM is not being used to manage shutdown, reboot, and suspend, then the GNOME panel uses gnome-sys-suspend when you select the "Shut Down..." option from the application menu. If the pop-up that appears when you select this only shows the suspend and shutdown options, then you are likely using gnome-sys-suspend. If you are using this, then refer to the sys-suspend man page for information about how to configure it. Or consider using GDM and configuring it to provide these options.
GDM supports a few features specific to Solaris, as follows:
GDM supports Solaris Auditing if running on Solaris 10 or higher. GDM should not be used if auditing is needed and running Solaris 9 or older.
GDM supports a security feature which causes the X server to run as the user instead of as the root user. GDM must be using PAM for this feature to be enabled, which is the normal case for Solaris. This second feature has the side-effect of causing the X server to always restart between sessions, which disables the AlwaysRestartServer configuration option.
Solaris supports the /etc/default/login interface, which affects the DefaultPath, RootPath, PasswordRequired, and AllowRemoteRoot options as described in the "Configuration" section.