Hi Joerg
Thank you for your reply and suggestions.
You hit the right target with regards to our site Kiosk problem.
Yes, to my surprise, i saw some 3 normal users account ID with the range
of 150000.
Basically, i just change the normal user id to 1001 above.
To be safe, i did utconfig -u and utconfig to recreate the kiosk account
automatically.
So far both SunRay servers were providing kiosk session to all the DTU270.
Before signing off, again, i really appreciate your discussion and
suggestions to my problem.
Have A Nice Weekend.
Regards,
Alisampras
On 12/17/2010 6:00 PM, sunray-users-requ...@filibeto.org wrote:
Message: 1
Date: Thu, 16 Dec 2010 11:32:04 +0100
From: J?rg Barfurth<joerg.barfu...@oracle.com>
To: SunRay-Users mailing list<sunray-users@filibeto.org>
Subject: Re: [SunRay-Users] SRSS-4.2 - Error starting Kiosk session:
Cannot Allocate Kiosk Account
Message-ID:<4d09eaa4.9040...@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Mohamed Ali Abdullah schrieb:
This morning we observed a strange behavior on our SunRay DTU270
clients. Almost all of the DTU screen shows the following error message:
"Error starting Kiosk session: Cannot Allocate Kiosk Account"
The more interesting message is "Account should be Kiosk account, but is
improperly configured" in the logs.
This means that there is a user account in the user id range that was
allocated for kiosk use, which is not a valid kiosk user account.
Possible ways an account could be invalid:
- The username does not start with the configured prefix
(default 'utku')
- The group is not the configured kiosk group (usually 'utkiosk')
This could happen:
- If someone manually changed properties of a kiosk user account or the
utkiosk group.
- If someone allocated another user account that reuses a uid reserved
for kiosk or a group that reuses the utkiosk gid.
- If you also use a networked repository (NIS or LDAP) for UNIX user
accounts or groups and an account/group for the network collides with
the local 'files' entries for kiosk user accounts or group.
Another way this could happen is, if the internal configuration file of
the kiosk system was damaged, but only slightly so that it hasn't become
completely invalid, but doesn't match reality.
Q1) Why& what had happen to our SunRay servers which produce the error
messages on the DTU screens ?
See above: Something has altered or interferes with the passwd entries
for kiosk users. Or the kiosk-internal configuration file was altered.
Q2) We had created 200 kiosk users (utku). Is that allowed? or Is there
any kiosk users limitation?
Yes. No.
IIRC there is a limit of 9999 kiosk accounts. Certainly no less than 999.
IOW: there is no limitation that would apply here.
Q3) How could we prevent such issues repeating in the future?
You need to find the actual cause among the listed alternatives. Then
change processes to make sure uncontrolled alteration of configuration
files or uncontrolled use of reserved user id ranges don't ahppen.
Kindly, let me know if you need any other information.
Looking forward to hear troubleshooting& resolution action.
Some information that should help to get you started is the output of
the following commands:
# /opt/SUNWkio/bin/kioskuseradm show
# /opt/SUNWkio/bin/kioskuseradm status -v
# /opt/SUNWkio/bin/kioskuseradm leakcheck
You could also look for irregularities (or holes) in the output of
$ grep '^utku' /etc/passwd
Note: 200 entries is probably too long to paste into an email. And
validity checks can be scripted, but I leave that to you.
And finally, if you are using a networked user database/name service:
$ grep '^utku' /etc/passwd | cut -d: -f1 | \
xargs -n 20 getent passwd | grep -v '^utku'
HTH
- J?rg
So far, these are some of the error messages we saw on SunRay servers:
------------------------------------------------------------------------------------------------------
Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4326]: [ID
702911 user.info] Disabled Kiosk Mode for display ':3'
Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4403]: [ID
702911 user.info] Disabled Kiosk Mode for display ':4'
Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4419]: [ID
702911 user.info] Disabled Kiosk Mode for display ':5'
Dec 16 00:53:48 athqsvr07 kiosk:utkioskconfig:configure[4458]: [ID
702911 user.info] Disabled Kiosk Mode for display ':6'
Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 948806 user.debug]
sunray_get_user:pam_sm_auth: local display = 61. MODE=2
Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 662782 user.debug]
sunray_get_user:pam_sm_auth: get user from prop username
Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 363298 user.debug]
utinfo:_getSidAndCookie : dpFile = /var/opt/SUNWut/displays/61
Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 368275 user.debug]
Entering waitForConnected
Dec 16 08:38:39 athqsvr07 dtlogin[17787]: [ID 497227 user.debug]
waitForConnected: Not connected, waiting
Dec 16 09:03:07 athqsvr07 dtlogin[6810]: [ID 989859 user.debug]
pam_kiosk: pam_sm_authenticate: Kiosk enabled for display ':7'.
Dec 16 09:03:07 athqsvr07 dtlogin[6810]: [ID 476860 user.debug]
pam_kiosk: pam_sm_authenticate: Allocating a Kiosk user failed: Account
should be Kiosk account, but is improperly configured
Dec 16 09:03:08 athqsvr07 dtlogin[6810]: [ID 567917 user.debug]
pam_kiosk: pam_sm_authenticate: Sleeping now for 59 sec to defer retry.
Dec 16 09:03:13 athqsvr07 utdtsession: [ID 702911 user.info] Delete
(62,user.1292093794-1615)
Dec 16 09:03:13 athqsvr07 dtlogin[1827]: [ID 691260 user.notice]
pam_sunray_hotdesk:pam_sm_auth: ut_getTokenByDisplay failed -1 for
display :62
Dec 16 09:03:23 athqsvr07 dtlogin[26960]: [ID 424893 user.debug]
pam_kiosk: pam_sm_authenticate: Module FAILED for service dtlogin-SunRay
[Error in underlying service module]
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users
