Lars Tunkrans wrote:
> Hi,
> We are starting to play with placing Sun-Rays in the network on to a default Kiosk-FoG
> if no-one is using a Sun Ray with a card.
> It's kind of chancy if AMGH acts on the Pseudo.xxxxxxxxxxxxxx token and moves the DTU
> to the Kiosk-FOG.
By "chancy" do you mean it doesn't always work?
> Can you explain or give guidelines on what the underlying code pre-supposes about pseudo-tokens
> with respect to AMGH? When is AMGH invoked? When isn't it?
This is pretty well described in my AMGH How-To at
http://blogs.sun.com/bobd, but here are some details:
- AMGH is invoked from the PAM stack when the greeter calls pam_authenticate().
- pseudo-tokens are handled no differently than any other tokens.
- pam_sunray_amgh.so::pam_sm_authenticate() invokes the AMGH API and calls the customer-configured script. If any hosts are returned which respond to SR service queries the DTU will be redirected to that host and the left-behind greeter session will be terminated (also if any username is returned it is carried along with the redirect and preset in the target server's PAM context).
There are some other subtleties:
- AMGH is suppressed when utselect/utswitch is explicitly invoked to redirect a DTU manually.
- AMGH is suppressed if a redirect has just occurred due to AMGH, unless the initial API call returned "chain_amgh=true".
The suppression of AMGH is handled by redirect properties called "doamgh" and "cause".
You can learn a lot by looking at the /var/opt/SUNWut/log/messages AMGH_SUMMARY messages to see why AMGH did or did not occur.
Try to identify the steps you're taking when AMGH does and does not do what you expected, and take especial note of Control-Moon/resets. Are you playing with your AMGH configuration and just inserting/removing a smartcard to test it? That likely won't work, since the underlying pseudo session remains on the server and it's already passed its AMGH processing step when you insert your card a 2nd time. This shouldn't affect a real-world scenario since detached greeter sessions are terminated after 15 minutes. You can play with reducing the idle-session reaper's interval by copying /etc/opt/SUNWut/reaper.conf.template to /etc/opt/SUNWut/reaper.conf and changing the REAPER_TIMEOUT value. You can even set it to 0, although I wouldn't do that in production since it will cause additional overhead and might introduce some race cases.
-Bob
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users