Fingerprint sudo and su authentication on Thinkpad E430

Similar Messages

• Using two fingerprint readers and a docking station

  I'm having a problem with the fingerprint reader when used with an Advanced mini dock station.
  I recently aquired an Advanced mini dock and a Lenovo fingerprint keyboard to be used with my T61p and Windows 7 Ultimate.
  The problem is that each time the T61p is docked I need to open Windows Device Manager and disable the internal fingerprint reader - and when undocked - the internal fingerprint reader needs to be enabled again.
  This is a bit tedious - to say the least.
  I've heard from someone that Windows should 'remember' when you enable/disable like this when the machine is docked and undocked, but this doesn't happen here.
  Any ideas on how to make Windows automatically switch between the internal fingerprint reader when undocked - and the external fingerprint reader on the Lenovo keyboard - when docked? I know there is no longer machine hardware profiles - like in Win XP. But shouldn't there be some other feature to take care of stuff like this?
  Any hints are welcome.
  TIA.
  Nils G. Svedmyr
  Thinkpad W510 4318-CTO 15,6" 1920x1080 nVidia Quadro FX 880M Intel i7 CPU X920XM, 256GB SDD + 500 GB HD 16GB
  RAM Gobi Broadband Device Windows 7 Ultimate 64-bits In our company you can name your own salary. I named mine "Fred"

  Tinkerguy,
  Thank you for the tip.
  However, although very informative - it doesn't help in my case. On the Lenovo fingerprint keyboard I'm using the fingerprint reader is an UPEK as well - and for both FPR's the same driver version is loaded.
  I forgot to mention that I've already checked that the external FPR has been set to have precedence in BIOS.
  I'm now in contact with tech support at UPEK - Let's see if that gives anything.
  Question: Is there _anyone_ out there that is successfully using Lenovo's Fingerprint Reader keyboard with a Thinkpad and a docking station under Windows 7?
  By successful, I mean without having the necessity to switch the internal fingerprint reader off and on when docking/undocking?
  TIA.
  Nils G. Svedmyr
  Thinkpad W510 4318-CTO 15,6" 1920x1080 nVidia Quadro FX 880M Intel i7 CPU X920XM, 256GB SDD + 500 GB HD 16GB
  RAM Gobi Broadband Device Windows 7 Ultimate 64-bits In our company you can name your own salary. I named mine "Fred"

• Thinkpad E430: Is this some kind of a practical joke?

  I purchased a Thinkpad E430 in May this year, personally. Generally I don't post
  reviews, but this product deserves it.
  First of all, as a developer, my reasons for purchase of the machine were to get
  a computer with a decent keyboard and build quality better than the general
  consumer products. I don't have many complaints with the keyboard. The media
  keys should not be activated by `fn` key instead of the function keys. But
  considering the hardware and build quality, E430 fails miserably.
  I expected my E430 to hold up for a year at least, but it isn't designed for
  that apparently. This is the case when it was not my primary computer, I spend
  about 80% of my time on the office computer. The laptop just degrades while
  sitting there it seems.
  It has been about 200 days and so far, there have been 3 hardware service
  requests processed on the machine: Dead pixels on screen, dysfunctional
  microphone and then a broken case (probably because of the previous 2
  services). Plus there is the faulty BIOS, which issue
  (http://forums.lenovo.com/t5/ThinkPad-Edge-S-series/Fn-key-legacy-mode-is-unreliable/td-p/865927)
  has been ever pending.
  All this was fine until a few days back, when I realized the screen has
  developed a permanent spot in the middle - because of the way the screen and
  keyboard are placed. I haven't been able to find time to place another service
  request. Plus the behaviour of the people at the lenovo center is just so
  terrible that I am reluctant to visit them.
  I have owned 4 laptops from other brands - 3 consumer (2 HP, 1 Sony) and 1
  business (HP). None of these computers ever failed or required any hardware
  maintenance. A couple of were served upto 5 years, after which the hardware was
  just obsolete. Infact I have used Lenovo's ThinkPad X230 for a couple of months
  which was a decent experience.
  It is clear that Lenovo's plan is to make as much as they can from the ThinkPad
  brand name while they slowly kill it off.
  After the purchase, I actually recommended this machine to a couple of my
  friends. Mow my opinions regarding computers are valued much less thanks to the
  E430. What I wish now, is for someone to just take this machine away from me. It
  reminds me of a mistaken purchase (which actually seldom happens). I was never
  in my 3-4 calls with the sales people told about E430's quality even when I
  specifically enquired. It were the Lenovo's service guys that told me that the
  case is the same with all the other unit's which exist of this "ThinkPad" Edge.

  Im described as a thinkpad evangalist but I too agree with this disregard for the brand.
  Having owned multiple thinkpads over the years its very obvious that there is no longer care for build quality and / or knowledge on the phone.
  My X230T was plaqued with simple issues and phone support was laughable - the bottom line is to never let lenovo service your machine but to keep trying to get them to send you a unit that isnt broken.  Ive had lenovo say things are warrentable one day and not the next.
  My brand new TPY arrived with the screen bezel popped off in the right hand corner - this isnt a warrentable issue!? and the laptop itselve is plagued with driver / sleep errors rending the trackpad frozen / disconnected for large periods of time.
  All these issues would be resolved if someone in the factory took 5 seconds to look at the machine, or support to atually note down the failures that we are telling them about over the phone rather than mockingly being told that the "head engineer" doesnt regard xxxxx as a failure. 

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Graphics builder and os authentication

  I'm running on NT 4 sp6. I'm trying to get OS authentication working with graphics. It works great for forms and reports, but I cannot get graphics builder or the graphics runtime to work with os authentication. I've tried it with developer 2000 r2 and 6i release 2. Thanks is advance.
  null

  Is the state of OCCI and OS Authentication still the same? Or has it changed in the 2.5 years since this question was first asked and answered?
  I've yet to find any indication that it is now supported, but could I confirmation of that fact?
  If it is not, what is the Oracle recommended method for accomplishing this?

• Remote users sending email - RBL and SMTP authentication

  I've read about the problem of using RBL's with remote Outlook IMAP/SMTP users who may be using dynamically assigned IP addresses. There is a good chance that they will be appear on the RBL and so not be able to send email via the GWIA.
  One work around is to have them send their email via their ISP's SMTP server, but this is a pain, because when they are back in the office, then need to switch their SMTP server back to the inhouse one.
  So on the GW 7.0.3 server running on SLES 10, I wondered if the one host could handle multiple GWIA's??
  1st existing GWIA:
  To handle the regular in/out email with RBL's protection on it.
  2nd new GWIA on a separate port but same IP address to handle just inbound email. This would be used by remote users and require authentication so no need for an RBL on it.
  Is this a sound approach?
  Any gotchas for setting up two gwia's on the one server and IP address besides separate ports?
  I am aware there is the option of using the Groupiwse client or webmail, but firstly these users don't want to change from 'LookOut" due to their address book synch with their mobile phones and secondly sometimes they like to use their smart phones for remote email synchronisation.

  Maybe I should simplify this a little...
  Can the one host handle multiple GWIA's??
  1st existing GWIA:
  To handle the regular in/out email with RBL's protection on it.
  2nd new GWIA on the same host and IP address, but on a separate port to handle just inbound email. This would be used by remote users and require authentication.

• [SOLVED] How to get sudo and kdesu to honor my user password?

  Hi folks,
  Well, I must be missing something. I think I've tried everything listed here https://bbs.archlinux.org/viewtopic.php?id=143487 and in the referenced links, but I still have the problem of my system rejecting my password for some uses of sudo and kdesu but not others.  I've included my /etc/sudoers file below.
  My problem may be due to screwing around with users:  I started out using bruce (1000), then switched to bbraley (1001), then deleted bruce in kusers, then changed bbraley to 1000. When that created more problems without solving the original one, I switched back to 1001.  I've played with adding and removing my user from groups, including creating a sudo group, making sure I am a member of wheel group, etc. 
  What seemed to be everyone's magic fix,
  pacman -S pambase
  didn't work when I tried it successfully with my bbraley password, then later, when that began failing, using the root password. pambase reinstalls, but there is no resulting change in the behavior of sudo.
  Side question: Most of my experience is with kubuntu in which I never created a root user and never had any trouble having my user password work with sudo or kdesu. Is there a reason Archwiki beginners guide suggests assigning a separate root account and password?
  Can anyone help?
  Here's the output of
  groups
  root adm disk wheel log locate network video audio optical storage scanner power users nm-openconnect systemd-network bbraley sudo sddm
  Here's the output of
  cat /etc/group |grep `id -un`
  root:x:0:bbraley
  adm:x:4:root,daemon,bbraley
  disk:x:6:root,bbraley
  wheel:x:10:root,bbraley
  log:x:19:root,bbraley
  locate:x:21:bbraley
  network:x:90:bbraley
  video:x:91:bbraley
  audio:x:92:bbraley
  optical:x:93:bbraley
  storage:x:95:bbraley
  scanner:x:96:bbraley
  power:x:98:bbraley
  users:x:100:bbraley
  systemd-network:x:193:bbraley
  nm-openconnect:x:104:bbraley
  sddm:x:619:bbraley
  bbraley:x:500:
  sudo:*:501:bbraley
  Here's what
  ls -l /etc/sudoer
  yields:
  -r--r----- 1 root root 2948 Mar 22 07:25 /etc/sudoers
  And here's my sudoers file:
  ## Defaults specification
  ## You may wish to keep some of the following environment variables
  ## when running commands via sudo.
  ## Locale settings
  # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
  ## Run X applications through sudo; HOME is used to find the
  ## .Xauthority file. Note that other programs use HOME to find
  ## configuration files and this may lead to privilege escalation!
  # Defaults env_keep += "HOME"
  ## X11 resource path settings
  # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
  ## Desktop path settings
  # Defaults env_keep += "QTDIR KDEDIR"
  ## Allow sudo-run commands to inherit the callers' ConsoleKit session
  # Defaults env_keep += "XDG_SESSION_COOKIE"
  ## Uncomment to enable special input methods. Care should be taken as
  ## this may allow users to subvert the command being run via sudo.
  # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
  ## Uncomment to enable logging of a command's output, except for
  ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
  # Defaults log_output
  # Defaults!/usr/bin/sudoreplay !log_output
  # Defaults!/usr/local/bin/sudoreplay !log_output
  # Defaults!REBOOT !log_output
  ## Runas alias specification
  ## User privilege specification
  root ALL=(ALL) ALL
  ## Uncomment to allow members of group wheel to execute any command
  ##%wheel ALL=(ALL) ALL
  ## Same thing without a password
  %wheel ALL=(ALL) NOPASSWD: ALL
  ## Uncomment to allow members of group sudo to execute any command
  %sudo ALL=(ALL) ALL
  bbraley ALL=(ALL) ALL
  ## Uncomment to allow any user to run sudo if they know the password
  ## of the user they are running the command as (root by default).
  Defaults targetpw # Ask for the password of the target user
  ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
  ## Read drop-in files from /etc/sudoers.d
  ## (the '#' here does not indicate a comment)
  #includedir /etc/sudoers.d
  Last edited by Bruce1956 (2015-03-28 05:16:03)

  Trilby wrote:I've never used the targetpw setting, but I wouldn't be surprised if that was the problem.  With that setting, if you want to run something as root (the default use of sudo) then you'd need the root password, not the user password.  Comment out that setting, and the next line.
  I had never used it, either, but I misread some reference and thought it might help. Since you say it causes the behaviour I'm trying to eliminate, I will get rid of it, as suggested. However, the behavior preceded my addition of this line in the file, so I don't think this will correct the problem. Edit: Removing it kept the root password from being universally required (I can now edit /etc/sudoers using my user password) and returned it to requiring it sometimes (I still need the root password to use kdesu).
  As for some other distro not having a root account, that is simply impossible.  There was a root account.  If you didn't have the password for it, then that installation was severely crippled.
  Sorry, you're right. I should have said that kubuntu does not expect users to assign a password to the root account and instead expects primary users to access that account's privileges via su, sudo, or kdesu only.
  https://help.ubuntu.com/community/RootSudo
  By default, the root account password is locked in Ubuntu. This means that you cannot login as root directly or use the su command to become the root user. However, since the root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in - it allows authorized users (normally "Administrative" users; for further information please refer to AddUsersHowto) to run certain programs as root without having to know the root password.
  Thanks for responding to my request for help. Any other ideas?
  Edit:  Here's what I keep getting that only accepts the root password, not my user password
  http://s15.postimg.org/4z0o86oln/Runasroot_KDEsu.png
  -- mod edit: read the Forum Etiquette and only post thumbnails http://wiki.archlinux.org/index.php/For … s_and_Code [jwr] --
  Last edited by Bruce1956 (2015-03-23 04:41:06)

• Can we provide UN and pwd Authentication 4r SMTP Mail Configuration

  Dear All,
  Previously we are able to send the mails from SAP to Outside World. After chaning the Mail Server to MS Exchange 2003
  We enabled the Port the 25.
  We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
  Throws an Error Message:
  Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
  As per network Team :
  Unless we provide a Username and password, the Send/Receive process does not happen.
  Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
  I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
  Regards
  SNB.

  Hi we are configuring Google SMTP getting below error..
  No delivery to xxx.com, authentication required
  Message no. XS856
  Diagnosis
  The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
  Information from external system (if available)
  smtp.gmail.com:587
  530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
  Procedure
  Enter the logon data in the SAPconnect node.
  Using Gmail SMTP server using "smtp.gmail.com" with port 587
  Please advise.
  Regards,
  Sudarshan

• XI 3.1 Client Tools and LDAP Authentication

  I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
  [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
  Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

  Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
  Take a look at note 1272536 (http://service.sap.com/notes)
  Regards,
  Stratos

• Username and Password authentication

  Hi,
  I am new to both JDBC and MSSQL. I've been connecting to msSQL server without providing username and password (DriverManager.getConnection(String url)). I am wondering how to enforce the username and password authentication so that username and password have to be verified before a connection is made. Thanks in advance.

  but where can I get the username & password? I can get
  the connection even with any username & password, why?Hi WeiHang,
  This is regarding the options you have set in the SQL Server. You have to choose from Windows NT authentication and SQL Server Authentication. If you give SQL Server authentication you have mentioned the username and password and you can connect to database simple using DSN(if you are using JDBC-ODBC). However if you choose WindowsNT authentication you donot specify the user name and password there and you have to enter the same at runtime.
  Hope this can help you

• Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

  I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2 . But during the installation, I could not choose the both SQL and windows authentication mode and an error accrued so I did that just with windows authentication mode. 
  Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
  Following steps are the steps that I went but I got an error:
  Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
  and the error that I got is attached(access is denied)  
  Can you please help me?

  You can change the setting after you gain admin rights to your SQL Server. You don't admin rights automatically, you have to explicitly add yourself during the install
  Here's a guide on how to (re)gain those rights:
  http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

• Cisco ISE (1.3) Posture and re-authentication

  Hello,
  With posture and re-authentication, during the re-authentication the posture status swithes to pending. This results in a redirect to client provisioning and a temperorly but unwanted state with no access to network resources.
  Is there a way to work around this?
  Regards,
  Dennis

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

  Hi Experts,
  We have the following requirements:
  1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
  2. ECC6 user-id's differ from Active Directory user.
  3. User logs in to Active Directory.
  4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
  5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.
  The following suggested solution was the closest to the requirement (without to much technical detail):
  1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
  This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
  2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
  This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.
  Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
  Regards.

  AJP,
  The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
  If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
  Thankyou,
  Tim