This content has been marked as final. Show 1 reply
There is only a single switch to determine whether all labeled zones share their name services with the global zone. Normally, when per-zone name services are enabled, authentication is required when changing workspace labels. However, it is still possible to configure PAM to bypass this authentication. The procedure described in Solaris 11 Express needs to be updated now that we manage PAM configuration in /etc/pam.d.
In each labeled zone in which you don't want authentication to occur do the following:
1. cd /etc/pam.d
2. cp other tsoljds-userlogin
3. comment out all the lines starting with "auth "
4. Add this line:
auth sufficient pam_allow.so.1
In this way, you can customize the authentication policy for each labeled zone. It is also possible to further customize the PAM authentication policy so that only specific users require authentication. For more information, see my blog posting:
[What's New in User Rights Management|https://blogs.oracle.com/gfaden/entry/what_s_new_in_user]
Edited by: Glenn Faden on Apr 22, 2013 9:31 AM