[SunRay-Users] use_firstserver AMGH question

Bob Doolittle Robert.Doolittle at Sun.COM
Thu Mar 5 20:49:11 EET 2009


David Markey wrote:
> This is what it's telling me in log/messages
>   

What does your AMGH script look like? Under what conditions does it emit 
"use_firstserver=true"? If it's only for pseudo tokens, then you'll have 
to pull your smartcard before the redirect occurs, because you won't 
have a pseudo token while the smartcard is inserted. I presume that, 
after logging out, people will typically remove their smartcard? In this 
case, whether you log out or not, removing your smartcard should send 
your Sun Ray "home", which I believe was your goal, correct?

If you really need to detect a condition described as "User logged out, 
but smartcard inserted", then you could perhaps detect:

case "$insert_token" in pseudo.*) false ;; *) [ -z "$username" ] ;; esac

to emit "use_firstserver=true". You'll be protected when your front-end 
chooser server redirects you to this back-end FOG initially because AMGH 
will be disarmed to avoid overriding a manual placement. But upon logout 
it should take effect. OTOH this may mess up if people botch their 
username and select "Start Over" from dtlogin - it may send them back at 
that time but I'm not positive about that. Hopefully that's a minor 
inconvenience in an unusual situation in any case.

-Bob

> When dtlogin starts up:
>
> Mar  5 18:12:35 sunray-test.cs.dit.ie
> kiosk:utkioskconfig:refresh[13413]: [ID 702911 user.info] Disabled Kiosk
> Mode for display ':2'
> Mar  5 18:12:35 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
> user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
> token=Payflex.xxxxxxxxxxxxx, username=, AMGH_Done?=NO(Local Session),
> Details=AMGH is not required., AMGH_Target=*NONE*
>
> When I enter my username:
>
> Mar  5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 558384 user.info]
> Worker1 NOTICE: AuthRecord:redirect:: Redirecting terminal
> IEEE802.0018ed000629 to a non-trusted host xxxxx
> Mar  5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 279884 user.info]
> Worker1 NOTICE: Redirecting with params: {forceInsert=true,
> redirectProps=null username=dmarkey subcause=amgh doamgh=false,
> authport=7009, authipa=xxxxx, roamInitiated=true}
> Mar  5 18:12:58 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
> user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
> token=Payflex.xxxxxxxxxxxxxxxxx, username=dmarkey, AMGH_Done?=YES,
> Details=AMGH Completed successfully, AMGH_Target=147.x.x.x
>
>
> At this stage DTU gets redirected.
>
>
> For this I'm using a smartcard, NSCM works flawlessly.
>
> Looks like AMGH gets called but doesn't think it should do anything.
> "Details=AMGH is not required"
>
>
> hmm..
>
>
> Any ideas?
>
>
>
>
> Bob Doolittle wrote:
>   
>> David Markey wrote:
>>     
>>> I'm using use_firstserver=true to make my DTUs go back to their first
>>> Sun Ray server after the user has logged out of any other Sun Ray server.
>>>
>>> I've noticed that AMGH seems to only be fired off when the user enters
>>> their username into dtlogin, i.e. if a user logs in to dtlogin and then
>>> logs out, AMGH won't redirect the DTU back to their first server until
>>> the user has entered their username into dtlogin.
>>>
>>> Is there any way to change this behavior so that as soon as the user
>>> logs out of their session, AMGH is fired off, instead of the user having
>>> to enter their username before being redirected?
>>>   
>>>       
>> Actually this should work without having to enter a username.
>> Is this in an NSCM or smartcard environment?
>>
>> For smartcards, look at the dtlogin/gdm PAM stacks, for NSCM, look at
>> the utgulogin PAM stack.
>> You'll see that pam_sunray_amgh comes both before *and* after
>> sunray_get_user prompt, which is where the username is acquired.
>>
>> You should find an AMGH_SUMMARY line in /var/opt/SUNWut/log/messages for
>> every pass through pam_sunray_amgh. Do you see it for the pre-prompt
>> pass? (log out of a session, then from a different rlogin/ssh/SRSS
>> session look at the last AMGH_SUMMARY line in the log for that MAC
>> address). What does it report?
>>
>> -Bob
>>
>> _______________________________________________
>> SunRay-Users mailing list
>> SunRay-Users at filibeto.org
>> http://www.filibeto.org/mailman/listinfo/sunray-users
>>     
>
>   
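
The "User logged out, but smartcard inserted" check from the reply above, written out as a small AMGH-style script (an added example, not code from this thread or from Sun Ray Server Software). It assumes the script is handed insert_token and username as key=value lines on standard input; the function name amgh_decide and the sample token values are constructed.

```shell
#!/bin/sh
# Added example. Assumption: properties arrive as key=value lines on stdin.

amgh_decide() {
    insert_token=""
    username=""
    # Keep only the two keys the check needs; ignore anything else.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            insert_token=*) insert_token=${line#insert_token=} ;;
            username=*)     username=${line#username=} ;;
        esac
    done

    # Both values originate outside this host (card reader, login prompt).
    # Accept a conservative character set only and never eval them;
    # on anything unexpected, emit no directive at all.
    case "$insert_token$username" in
        *[!A-Za-z0-9._-]*) return 0 ;;
    esac

    case "$insert_token" in
        "")       return 0 ;;   # no token reported: make no decision
        pseudo.*) return 0 ;;   # no card inserted: nothing to do here
    esac

    # Real (non-pseudo) token and no username yet: the user has logged
    # out but left the smartcard in, so send the DTU to its first server.
    if [ -z "$username" ]; then
        echo "use_firstserver=true"
    fi
    return 0
}

# Constructed sample input (not a real token): card inserted, pre-prompt pass.
printf 'insert_token=Payflex.000000000000\nusername=\n' | amgh_decide
```

Quoting every expansion matters here: with an empty username, the unquoted form of the test fails with a syntax error instead of evaluating to true.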


