[SunRay-Users] SRSS-4.2 - Error starting Kiosk session: Cannot Allocate Kiosk Account

Mohamed Ali Abdullah alisampras at esuria.com.bn
Sat Dec 18 06:22:58 EET 2010


Hi Joerg

Thank you for your reply and suggestions.

You hit the right target with regards to our site Kiosk problem.

Yes, to my surprise, i saw some 3 normal users account ID with the range 
of 150000.
Basically, i just change the normal user id to 1001 above.
To be safe, i did utconfig -u and utconfig to recreate the kiosk account 
automatically.

So far both SunRay servers were providing kiosk session to all the DTU270.

Before signing off, again, i really appreciate your discussion and 
suggestions to my problem.

Have A Nice Weekend.

Regards,
Alisampras

On 12/17/2010 6:00 PM, sunray-users-request at filibeto.org wrote:
> Message: 1
> Date: Thu, 16 Dec 2010 11:32:04 +0100
> From: J?rg Barfurth<joerg.barfurth at oracle.com>
> To: SunRay-Users mailing list<sunray-users at filibeto.org>
> Subject: Re: [SunRay-Users] SRSS-4.2 - Error starting Kiosk session:
> 	Cannot Allocate Kiosk Account
> Message-ID:<4D09EAA4.9040503 at oracle.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Mohamed Ali Abdullah schrieb:
>>> This morning we observed a strange behavior on our SunRay DTU270
>> clients. Almost all of the DTU screen shows the following error message:
>> "Error starting Kiosk session: Cannot Allocate Kiosk Account"
>>
> The more interesting message is "Account should be Kiosk account, but is
> improperly configured" in the logs.
>
> This means that there is a user account in the user id range that was
> allocated for kiosk use, which is not a valid kiosk user account.
> Possible ways an account could be invalid:
> - The username does not start with the configured prefix
>     (default 'utku')
> - The group is not the configured kiosk group (usually 'utkiosk')
>
> This could happen:
> - If someone manually changed properties of a kiosk user account or the
> utkiosk group.
> - If someone allocated another user account that reuses a uid reserved
> for kiosk or a group that reuses the utkiosk gid.
> - If you also use a networked repository (NIS or LDAP) for UNIX user
> accounts or groups and an account/group for the network collides with
> the local 'files' entries for kiosk user accounts or group.
>
> Another way this could happen is, if the internal configuration file of
> the kiosk system was damaged, but only slightly so that it hasn't become
> completely invalid, but doesn't match reality.
>
>
>> Q1) Why&  what had happen to our SunRay servers which produce the error
>> messages on the DTU screens ?
>>
> See above: Something has altered or interferes with the passwd entries
> for kiosk users. Or the kiosk-internal configuration file was altered.
>
>
>> Q2) We had created 200 kiosk users (utku). Is that allowed? or Is there
>> any kiosk users limitation?
>>
> Yes. No.
>
> IIRC there is a limit of 9999 kiosk accounts. Certainly no less than 999.
>
> IOW: there is no limitation that would apply here.
>
>> Q3) How could we prevent such issues repeating in the future?
>>
> You need to find the actual cause among the listed alternatives. Then
> change processes to make sure uncontrolled alteration of configuration
> files or uncontrolled use of reserved user id ranges don't ahppen.
>
>> Kindly, let me know if you need any other information.
>>
>> Looking forward to hear troubleshooting&  resolution action.
>>
> Some information that should help to get you started is the output of
> the following commands:
>
>     # /opt/SUNWkio/bin/kioskuseradm show
>
>     # /opt/SUNWkio/bin/kioskuseradm status -v
>
>     # /opt/SUNWkio/bin/kioskuseradm leakcheck
>
> You could also look for irregularities (or holes) in the output of
>     $ grep '^utku' /etc/passwd
>
> Note: 200 entries is probably too long to paste into an email. And
> validity checks can be scripted, but I leave that to you.
>
> And finally, if you are using a networked user database/name service:
>
>     $ grep '^utku' /etc/passwd | cut -d: -f1 | \
>         xargs -n 20 getent passwd | grep -v '^utku'
>
> HTH
>
> - J?rg
>
>> So far, these are some of the error messages we saw on SunRay servers:
>> ------------------------------------------------------------------------------------------------------
>>
>> Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4326]: [ID
>> 702911 user.info] Disabled Kiosk Mode for display ':3'
>> Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4403]: [ID
>> 702911 user.info] Disabled Kiosk Mode for display ':4'
>> Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4419]: [ID
>> 702911 user.info] Disabled Kiosk Mode for display ':5'
>> Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4458]: [ID
>> 702911 user.info] Disabled Kiosk Mode for display ':6'
>>
>> Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 948806 user.debug]
>> sunray_get_user:pam_sm_auth: local display = 61. MODE=2
>> Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 662782 user.debug]
>> sunray_get_user:pam_sm_auth: get user from prop username
>> Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 363298 user.debug]
>> utinfo:_getSidAndCookie : dpFile = /var/opt/SUNWut/displays/61
>> Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 368275 user.debug]
>> Entering waitForConnected
>> Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 497227 user.debug]
>> waitForConnected: Not connected, waiting
>>
>> Dec 16 09:03:07 athqsvr07 dtlogin[6810]: [ID 989859 user.debug]
>> pam_kiosk: pam_sm_authenticate: Kiosk enabled for display ':7'.
>> Dec 16 09:03:07 athqsvr07 dtlogin[6810]: [ID 476860 user.debug]
>> pam_kiosk: pam_sm_authenticate: Allocating a Kiosk user failed: Account
>> should be Kiosk account, but is improperly configured
>> Dec 16 09:03:08 athqsvr07 dtlogin[6810]: [ID 567917 user.debug]
>> pam_kiosk: pam_sm_authenticate: Sleeping now for 59 sec to defer retry.
>> Dec 16 09:03:13 athqsvr07 utdtsession: [ID 702911 user.info] Delete
>> (62,user.1292093794-1615)
>> Dec 16 09:03:13 athqsvr07 dtlogin[1827]: [ID 691260 user.notice]
>> pam_sunray_hotdesk:pam_sm_auth: ut_getTokenByDisplay failed -1 for
>> display :62
>> Dec 16 09:03:23 athqsvr07 dtlogin[26960]: [ID 424893 user.debug]
>> pam_kiosk: pam_sm_authenticate: Module FAILED for service dtlogin-SunRay
>> [Error in underlying service module]
>>
>
>


More information about the SunRay-Users mailing list