I currently have a small network that is comprised of Solaris 10 08/07 machines 
with Trusted Extensions enabled on all machines.  The network does have a 
Trusted Extensions LDAP server that serves the network. The LDAP server is 
Directory Server 5.2 P4.  I have not loaded any patch clusters on any of the 
systems.

When I create a user I have to perform a lengthy process to ensure the user can 
log in at multiple levels simultaneously.   After the user is created, the 
process is as follows:
    On the LDAP/Home Directory Server (My LDAP Server also serves the Home 
Directories)
1.      Log into the system as the newly created user.
2.      Ensure the session is Trusted JDS. 
3.      Ensure "Restrict to Single Level" is selected.  
4.      Select the lowest level label available to the user. For example, if 
your label encodings file contains the labels FU and BAR, with FU being 
dominated by BAR, you would select FU.
5.      Continue the login process.  A single level desktop would be displayed 
and the user can open terminal windows, etc.
6.      Log out of the system. Do not log out until a desktop is displayed.
7.      Repeat steps 1-6 for all possible labels for the user, selecting one at a 
time.
8.      Once the user has a desktop at all levels, log in to the system.
9.      Make sure "Restrict to Single Label" is NOT checked.
10.     Select the highest possible label for the user.  This will enable the 
user to select workspaces at all levels.
11.     The desktop is loaded for the highest label available.  
12.     In the workspace selector, select each workspace and change the label 
on the workspace to another security label.
13.     Repeat step 12 until all labels are represented. (The only desktop that 
will be available is the highest level desktop; the other desktops WILL NOT be 
loaded.)
14.     Log out and log back in again, ensuring that "Restrict to Single 
Label" is NOT checked, and select the highest possible label for the user. At 
this point all desktops will appear.
15.     Repeat the entire process for every client machine that the user will 
need access to.

This process only needs to be executed once for each user on each system for 
all labels. Currently this is a small network, and although time consuming, this 
process is OK. However, as the network and the number of users increase, the 
process will become too cumbersome.

I have read the TX install guide, which explains this process for the Home 
Directory server.  But I have to do this on the clients as well.  Once the 
process is complete I can log in as the user and verify that autofs is mounting 
the home directory properly.  I have not tried the script that is in the 
install guide either.  I will need to modify the script to ensure only new 
users are given home dirs.

Has anyone else experienced this behavior or found a fix?  Again I am running 
DS 5.2 P4 and no additional patch clusters.
 
 
This message posted from opensolaris.org