Sorry, there was another typo there. Also I don't want to DISABLE direct session access because it's a good security feature on the cards. I could live without it on NSCM sessions.

Anyhoo, AMGH seems to be solving all my problems here. How easy would it be to implement? Could I mold my kiosk script to work with AMGH? Would you have any sample AMGH setups that I could view? For some reason I thought AMGH was for big multinationals that had campuses all around the world :).

Your help is really appreciated.

Cheers.

Bob Doolittle wrote:
> Thanks for the details. Comments inline:
>
> David Markey wrote:
>> Ok, to explain why it's inconvenient I'll try to explain my setup. Please
>> note I may have designed this ass about face, so if anyone can see any
>> improvements let me know.
>>
>> The SunRays are configured to connect to a single T1000 "Broker" machine
>> called antrim.
>>
>> This has a custom kiosk mode with NSCM. Students log into the NSCM login
>> with their LDAP/Kerberos ID. The kiosk script then generates a list of
>> machines (based on LDAP group membership), puts the list of machines in
>> a nice GUI and presents it to the user.
>> If the user picks a Windows machine this is trivial, we just use the
>> Windows connector. If they pick a Linux/Solaris machine then utswitch is
>> used to switch to the desired machine. It is designed so that these other
>> SunRay servers have standard Solaris and Linux sessions (also with NSCM);
>> the only kiosk mode is on the broker "antrim". For this example I'll
>> call one other Solaris SunRay server mayo (the one students get a JDS
>> session on).
>>
>> The problems with this design:
>>
>> 1. I want to utswitch back to the "Broker" machine mayo when the session
>> on the other Solaris/Linux session has ended (I have achieved this with a
>> hack).
>>
>
> One word - AMGH. Write an AMGH script that always returns
> "use_firstserver=true".
> If you're using utswitch to direct the user to their server, that will
> override AMGH when they are connecting. However, when they log out (or
> disconnect their session or remove their smartcard) AMGH will take
> effect and send the DTU back.
>
>> 2. When I utswitch back to the broker I want to clear all usernames (Bob, you
>> have covered this I think).
>>
>
> AMGH wouldn't have this issue.
>
>> 3. On the Solaris desktop server, mayo, when the student locks his/her
>> JDS session I want it to either not show the NSCM login (just
>> gnome-screensaver) or utswitch back to the broker. The reason for this
>> is that if the next student sits down and logs in they will get a Solaris
>> session and not the GUI selector, because he/she will be logging into
>> mayo and not antrim (the broker).
>>
>
> Not with AMGH :)
>
> But I still don't see how gnome-screensaver helps here, vs NSCM login.
> In either case (without AMGH) you'll be on mayo, when you want to be
> on antrim. So why is gnome-screensaver better? Have you applied some
> hack to gnome-screensaver to send you back to antrim?
>
>> My case is probably a very isolated one.
>>
>>
>> Also I don't want to enable direct session access because it's a good
>> security feature on the cards. I could live without it on NSCM sessions.
>>
>
> Wow - that's a pretty odd requirement (sorry), and one we've never
> considered.
> First off, the security implications regarding token spoofing for card
> and non-card use are identical. So really the requirements should be
> the same.
> I take this as implying that you're willing to live with less security
> in the NSCM case.
>
> Let me know what you think of the AMGH idea - that would seem to
> greatly simplify your situation, as well as meet your requirements
> without compromising security for NSCM users.
>
> -Bob
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
