Lars Tunkrans wrote:
> Hi,
> We are starting to play with placing Sun-Rays in the network on
> to a default Kiosk-FoG
> If no-one is using a Sun Ray with a card.
> It's kind of chancy if AMGH acts on the Pseudo.xxxxxxxxxxxxxx
> token and moves the DTU
> to the Kiosk-FOG.

By "chancy" do you mean it doesn't always work?

> Can you explain or give guidelines on what the underlying code
> pre-supposes about pseudo-tokens
> in respect to AMGH? When is AMGH invoked? When isn't it?

This is pretty well described in my AMGH How-To at
http://blogs.sun.com/bobd, but here are some details:
- AMGH is invoked from the PAM stack when the greeter calls
pam_authenticate().
- pseudo-tokens are handled no differently than any other tokens.
- pam_sunray_amgh.so::pam_sm_authenticate() invokes the AMGH API and
calls the customer-configured script. If any hosts are returned which
respond to SR service queries the DTU will be redirected to that host
and the left-behind greeter session will be terminated (also if any
username is returned it is carried along with the redirect and preset in
the target server's PAM context).
There are some other subtleties:
- AMGH is suppressed when utselect/utswitch is explicitly invoked to
redirect a DTU manually.
- AMGH is suppressed if a redirect has just occurred due to AMGH, unless
the initial API call returned "chain_amgh=true"
The suppression of AMGH is handled by redirect properties called
"doamgh" and "cause".
You can learn a lot by looking at the /var/opt/SUNWut/log/messages
AMGH_SUMMARY messages to see why AMGH did or did not occur.
Try to identify the steps you're taking when AMGH does and does not do
what you expected, and take especial note of Control-Moon/resets. Are
you playing with your AMGH configuration and just inserting/removing a
smartcard to test it? That likely won't work, since the underlying
pseudo session remains on the server and it's already passed its AMGH
processing step when you insert your card a 2nd time. This shouldn't
affect a real-world scenario since detached greeter sessions are
terminated after 15 minutes. You can play with reducing the
idle-session reaper's interval by copying
/etc/opt/SUNWut/reaper.conf.template to /etc/opt/SUNWut/reaper.conf and
changing the REAPER_TIMEOUT value. You can even set it to 0, although I
wouldn't do that in production since it will cause additional overhead
and might introduce some race cases.
-Bob