[SunRay-Users] Smartcard cycles continuously for "regular" sessions

Joerg Barfurth jub at sun.com
Tue Mar 9 12:22:56 EET 2010

Damien R Plunkett schrieb:
> Hi all,
> I've got an interesting problem occurring on our systems. This is probably a winbind question, but I thought it wouldn't hurt to run it by the Sun Ray user list first to see if any of you have encountered this. 
> We have Solaris 10 on X86 machines that we have joined with our 2008 Active Directory domain. All authentication through ssh and sun ray logins work great. All of our units sit in a kiosk mode to terminal servers and a handful of users (about 75) get Payflex smart cards so they can access a Unix Desktop. Occasionally, a card will be inserted and it will continuously cycle the DTU. The logs below repeat every 5 seconds, or so: 
> Mar  8 11:34:56 haven utauthd: [ID 817972 user.info] Worker1 NOTICE: CLAIMED by StartxlationSession.m3 NAME: hotdesk.IEEE802-0021283a0a32 PARAMETERS: {savedType=Payflex, altuid=42795, stealProtected=true, terminalIPA=, type=hotdesk, fw=GUI4.2_77_2009.,Boot:MfgPkg_4.15_2006.; 2006.07.20-17:04:56-PDT, state=disconnected, cause=insert, doamgh=true, barrierLevel=420, altlocale=en_US.UTF-8, rawId=500974b200130100, terminalCID=IEEE802.0021283a0a32, MTU=1500, tokenSeq=30, firstServer=8672500f, atr.hist_len=09, namespace=IEEE802, keyTypes=dsa-sha1-x1,dsa-sha1, ddcconfig=1:0, clientRand=7ykES4vyKDbweKhgEvyw0zLOcsWjFVQzUWK/L/tZnGi, id=IEEE802-0021283a0a32, realIP=0a05a568, startRes=1920x1200:1920x1200, useReal=true, atr=3b6900002494010201000101a9, event=insert, atr.hs=04, sn=0021283a0a32, savedId=500974b200130100, rawType=Payflex, hw=SunRayP8-FS, initState=0, usersession=true, _=1}
> Mar  8 11:34:56 haven utauthd: [ID 706759 user.info] Worker1 NOTICE: CONNECT IEEE802.0021283a0a32, hotdesk.IEEE802-0021283a0a32, all connections allowed
> Mar  8 11:34:56 haven utauthd: [ID 118787 user.info] Worker0 NOTICE: MTU = 1500
> Mar  8 11:34:56 haven utdtsession: [ID 702911 user.info] Add (134,hotdesk.IEEE802-0021283a0a32,special)
> Mar  8 11:34:56 haven kiosk:utkioskconfig:configure[1430]: [ID 702911 user.info] Disabled Kiosk Mode for display ':134'
> Mar  8 11:34:56 haven utauthd: [ID 446208 user.info] Worker0 NOTICE: SESSION_OK hotdesk.IEEE802-0021283a0a32
> Mar  8 11:34:58 haven hdloginGUI: [ID 183284 user.error] Error: Cannot resolve altuid (42795) to user (error: Error 0).

This message means that the screen lock program can't get information on 
the session user. Here getpwuid(3C) reports that the user is not found 
(return NULL, errno=0).

Combined with the remedies you list below, there seems to be a problem 
with the name service cache (ncsd) or with the name service plugin 
behind it.

If there is a specific winbind nsswitch module, that could be an 
explanation. Afaik the name service switch module interface in Solaris 
is not 'public', so third party plugins are not really supported.

- Does
     $ svcs name-service-cache
   report any problem (that nscd is not 'online')?

- What is the 'passwd' line in your /etc/nsswitch.conf?

- Is there any error message from ncsd at the same time as the hdlogin
   error, for example in /var/adm/messages?

> *Note: This only occurs if the user is hotdesking. If the session is new, this doesn't occur.
> I've found three ways of fixing this: 
> 1. Kill the user's session (not ideal)
> 2. From any user's terminal, run "getent passwd <user id>"
> 3. ssh from anywhere (windows or unix) to the sunray server as the user in question. In this case I don't even have to have the user login...just the act of starting an ssh session stops this process and their login screen appears.

It sounds as if these prime the name service cache with the user record. 
I have no idea how they differ from a plain invocation of getpwuid(1M).

> I've set a cron job to execute every 15 minutes that runs "getent passwd" for every card user in the system, but we still see some users with this problem. I could run it every minute, but I'd like to find the cause of this. 
> Anybody have any experience with this? I'm fairly new to Solaris and this is my first set of systems with a working winbind, so any guidance would be greatly appreciated. 

I haven't seen this before, but would be interested in the outcome.

- Jörg

More information about the SunRay-Users mailing list