If you unlock a locked CDE session, all your cached Kerberos version 5 (krb5) credentials might be removed. The result is you might not be able to access various system utilities. This problem occurs under the following conditions.
In the /etc/pam.conf file, the dtsession services for your system are configured to use the krb5 module by default.
You lock your CDE session, and then try to unlock the session.
If this problem occurs, the following error message is displayed.
lock screen: PAM-KRB5 (auth): Error verifying TGT with host/host-name: Permission denied in replay cache code |
Workaround: Add the following non-pam_krb5 dtsession entries to the /etc/pam.conf file.
dtsession auth requisite pam_authtok_get.so.1 dtsession auth required pam_unix_auth.so.1 |
With these entries in the /etc/pam.conf file, the pam_krb5 module does not run by default.
The Removable Media auto run capability in the CDE desktop environment has been temporarily removed from the Solaris 9 9/02 operating environment. This capability has been removed to mitigate potential security issues.
To use the auto run function for a CD-ROM or another removable media volume, you must do one of the following:
Run the volstart program from the top level of the removable media file system.
Follow the instructions that are included with the CD for access from outside of CDE.
For the latest information on security issues and patches, check the SunSolve web site at http://sunsolve.sun.com. All security patches are available from the SunSolve site without a support contract.
In the Solaris 9 9/02 operating environment, locked accounts are treated in the same way as expired or nonexistent accounts. As a result, the cron, at, and batch utilities cannot schedule jobs on locked accounts.
Workaround: To enable locked accounts to accept cron, at, or batch jobs, replace the password field of a locked account (*LK*) with the string NP, for no password.