Thanks for the details. Comments inline:

David Markey wrote:
OK, to explain why it's inconvenient I'll try to explain my setup. Please
note I may have designed this ass about face, so if anyone can see any
improvements let me know.

The SunRays are configured to connect to a single T1000 "Broker" Machine
called antrim.

This has a custom kiosk mode with NSCM. Students log into NSCM login
with their LDAP/Kerberos ID. The kiosk script then generates a list of
machines (based on LDAP group membership), puts the list of machines in
a nice GUI and presents it to the user.
If the user picks a Windows machine this is trivial, we just use the
Windows connector. If they pick a Linux/Solaris machine then utswitch is
used to switch to the desired machine. It is designed so that these other
SunRay servers have standard Solaris and Linux sessions (also with NSCM);
the only kiosk mode is on the broker "antrim". For this example I'll
call one other Solaris SunRay server mayo (the one students get a JDS
session on).

The problems with this design

1. I want to utswitch back to the "Broker" machine mayo when the session
on the other Solaris/Linux session has ended (I have achieved this with a
hack).

One word - AMGH. Write an AMGH script that always returns "use_firstserver=true". If you're using utswitch to direct the user to their server, that will override AMGH when they are connecting. However, when they log out (or disconnect their session or remove their smartcard) AMGH will take effect and send the DTU back.

2. When I utswitch back to the broker I want to clear all usernames (Bob, you
have covered this, I think).

AMGH wouldn't have this issue.

3. On the Solaris desktop server, mayo, when the student locks his/her
JDS session I want it to either not show the NSCM login (just
gnome-screensaver) or utswitch back to the broker. The reason for this
is if the next student sits down and logs in they will get a Solaris
session and not the GUI selector because he/she will be logging into
mayo and not antrim (the broker).

Not with AMGH :)

But I still don't see how gnome-screensaver helps here, vs NSCM login. In either case (without AMGH) you'll be on mayo, when you want to be on antrim. So why is gnome-screensaver better? Have you applied some hack to gnome-screensaver to send you back to antrim?

My case is probably a very isolated one.


Also I don't want to enable direct session access because it's a good
security feature on the cards. I could live without it on NSCM sessions.

Wow - that's a pretty odd requirement (sorry), and one we've never considered. First off, the security implications regarding token spoofing for card and non-card use are identical. So really the requirements should be the same. I take this as implying that you're willing to live with less security in the NSCM case.

Let me know what you think of the AMGH idea - that would seem to greatly simplify your situation, as well as meet your requirements without compromising security for NSCM users.

-Bob
