[SunRay-Users] Smartcard cycles continuously for "regular" sessions

Damien R Plunkett Damien.Plunkett at nau.edu
Mon Mar 15 23:14:43 EET 2010


Thanks for the response. 

"- Does
     $ svcs name-service-cache
   report any problem (that nscd is not 'online')?"
- No, name-service-cache is online. 

The passwd line in the /etc/nsswitch.conf file reads: 
passwd:	files winbind 

"- Is there any error message from ncsd at the same time as the hdlogin
   error, for example in /var/adm/messages?"

There are no error messages from ncsd at the same time. I only see the same error message "...Cannot resolve altuid (42795)..." in /var/adm/messages. I had been told from the previous admin that ncsd should be turned off when using winbind, but I have seen no difference in behavior when the service is on or off. 

Thanks again,

-----Original Message-----
From: sunray-users-bounces at filibeto.org [mailto:sunray-users-bounces at filibeto.org] On Behalf Of Joerg Barfurth
Sent: Tuesday, March 09, 2010 3:23 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] Smartcard cycles continuously for "regular" sessions

Damien R Plunkett schrieb:
> Hi all,
> I've got an interesting problem occurring on our systems. This is probably a winbind question, but I thought it wouldn't hurt to run it by the Sun Ray user list first to see if any of you have encountered this. 
> We have Solaris 10 on X86 machines that we have joined with our 2008 Active Directory domain. All authentication through ssh and sun ray logins work great. All of our units sit in a kiosk mode to terminal servers and a handful of users (about 75) get Payflex smart cards so they can access a Unix Desktop. Occasionally, a card will be inserted and it will continuously cycle the DTU. The logs below repeat every 5 seconds, or so: 
> Mar  8 11:34:56 haven utauthd: [ID 817972 user.info] Worker1 NOTICE: 
> CLAIMED by StartxlationSession.m3 NAME: hotdesk.IEEE802-0021283a0a32 
> PARAMETERS: {savedType=Payflex, altuid=42795, stealProtected=true, 
> terminalIPA=, type=hotdesk, 
> fw=GUI4.2_77_2009.,Boot:MfgPkg_4.15_2006.; 
> 2006.07.20-17:04:56-PDT, state=disconnected, cause=insert, 
> doamgh=true, barrierLevel=420, altlocale=en_US.UTF-8, 
> rawId=500974b200130100, terminalCID=IEEE802.0021283a0a32, MTU=1500, 
> tokenSeq=30, firstServer=8672500f, atr.hist_len=09, namespace=IEEE802, 
> keyTypes=dsa-sha1-x1,dsa-sha1, ddcconfig=1:0, 
> clientRand=7ykES4vyKDbweKhgEvyw0zLOcsWjFVQzUWK/L/tZnGi, 
> id=IEEE802-0021283a0a32, realIP=0a05a568, 
> startRes=1920x1200:1920x1200, useReal=true, 
> atr=3b6900002494010201000101a9, event=insert, atr.hs=04, 
> sn=0021283a0a32, savedId=500974b200130100, rawType=Payflex, 
> hw=SunRayP8-FS, initState=0, usersession=true, _=1} Mar  8 11:34:56 
> haven utauthd: [ID 706759 user.info] Worker1 NOTICE: CONNECT 
> IEEE802.0021283a0a32, hotdesk.IEEE802-0021283a0a32, all connections 
> allowed Mar  8 11:34:56 haven utauthd: [ID 118787 user.info] Worker0 
> NOTICE: MTU = 1500 Mar  8 11:34:56 haven utdtsession: [ID 702911 
> user.info] Add (134,hotdesk.IEEE802-0021283a0a32,special)
> Mar  8 11:34:56 haven kiosk:utkioskconfig:configure[1430]: [ID 702911 user.info] Disabled Kiosk Mode for display ':134'
> Mar  8 11:34:56 haven utauthd: [ID 446208 user.info] Worker0 NOTICE: 
> SESSION_OK hotdesk.IEEE802-0021283a0a32 Mar  8 11:34:58 haven hdloginGUI: [ID 183284 user.error] Error: Cannot resolve altuid (42795) to user (error: Error 0).

This message means that the screen lock program can't get information on the session user. Here getpwuid(3C) reports that the user is not found (return NULL, errno=0).

Combined with the remedies you list below, there seems to be a problem with the name service cache (ncsd) or with the name service plugin behind it.

If there is a specific winbind nsswitch module, that could be an explanation. Afaik the name service switch module interface in Solaris is not 'public', so third party plugins are not really supported.

- Does
     $ svcs name-service-cache
   report any problem (that nscd is not 'online')?

- What is the 'passwd' line in your /etc/nsswitch.conf?

- Is there any error message from ncsd at the same time as the hdlogin
   error, for example in /var/adm/messages?

> *Note: This only occurs if the user is hotdesking. If the session is new, this doesn't occur.
> I've found three ways of fixing this: 
> 1. Kill the user's session (not ideal) 2. From any user's terminal, 
> run "getent passwd <user id>"
> 3. ssh from anywhere (windows or unix) to the sunray server as the user in question. In this case I don't even have to have the user login...just the act of starting an ssh session stops this process and their login screen appears.

It sounds as if these prime the name service cache with the user record. 
I have no idea how they differ from a plain invocation of getpwuid(1M).
> I've set a cron job to execute every 15 minutes that runs "getent passwd" for every card user in the system, but we still see some users with this problem. I could run it every minute, but I'd like to find the cause of this. 
> Anybody have any experience with this? I'm fairly new to Solaris and this is my first set of systems with a working winbind, so any guidance would be greatly appreciated. 

I haven't seen this before, but would be interested in the outcome.

- Jörg

SunRay-Users mailing list
SunRay-Users at filibeto.org

More information about the SunRay-Users mailing list