4.1 on S10U6. I don't know if this is possible because of the way AFS does PAGs.
William Yang > -----Original Message----- > From: [email protected] [mailto:sunray-users- > [email protected]] On Behalf Of Bob Doolittle > Sent: Monday, February 02, 2009 11:12 AM > To: SunRay-Users mailing list > Subject: Re: [SunRay-Users] How to make JDS lock screen lock the screen > and not utdetach with NSCM > > William Yang wrote: > > Regarding RHA security... > > > > Does anyone else on the list deploy Sun Rays in a Kerberos 5 and AFS > setup? > > We seem to be stuck with forcing users to unlock twice since > unfortunately > > we need the screensaver to refresh a user's tickets and tokens. Since > the > > RHA dialog creates a temporary session, the tickets and tokens for the > > user's session aren't refreshed when it is used, so for the time being > we > > use RHA and screensaver lock to achieve better security and still > maintain > > the ability to refresh session creds. Any ideas? > > > > What version of SRSS? > > What OS platform are you using? If it's Linux, then we may have an issue > here since gnome-screensaver doesn't handle PAM properly so we can't > utilize pam_sunray (which refreshes creds on the screensaver stack) and > use utxunlock instead. utxunlock has no way of directly refreshing creds. > > -Bob > > > William Yang > > > > > >> -----Original Message----- > >> From: [email protected] [mailto:sunray-users- > >> [email protected]] On Behalf Of Joerg Barfurth > >> Sent: Monday, February 02, 2009 6:39 AM > >> To: SunRay-Users mailing list > >> Subject: Re: [SunRay-Users] How to make JDS lock screen lock the screen > >> and not utdetach with NSCM > >> > >> You can do much of what you desire by editing /etc/pam.conf. But the > >> result is an unsupported configuration. > >> > >> David Markey schrieb: > >> > >>> They could manually detach the session using shift+pause, its just > >>> complicated for our users and id like to disable it. i see its hard > >>> coded into xscreensaver. Any way to disable it even unsupported? > >>> > >>> > >> You could remove or turn into a comment the > >> xscreensaver auth sufficient pam_sunray.so syncondisplay > >> line in /etc/pam.conf. > >> > >> The price you have to pay for that is that when hotdesking to a > >> different DTU with your NSCM session or after the session has been > >> detached in whatever other way (e.g. by rebooting the DTU), you'll have > >> to enter your password twice - first for NSCM, then for the screensaver. > >> > >> You also lower security for your session, as explained by Bob. > >> > >> > >>> Also, when i do a utswitch -h <hostname> the previous user name gets > >>> entered into the new sunray servers login, any way to disable that > also? > >>> > >>> > >> For NSCM users: To get rid of the name you can use the startover button. > >> To never get that name in the first place, you could try to remove the > >> utgulogin auth requisite sunray_get_user.so property=username > >> line in /etc/pam.conf. > >> > >> To achieve the same effect for smartcard users, you'd need to also > >> remove the > >> dtlogin-SunRay auth requisite sunray_get_user.so property=username > >> line. Beware: This might be incompatible with NSCM (though I haven't > >> tried). In any case you enter unsupported territory here. > >> > >> Do not remove the analogous line for utsclogin! > >> > >> HTH > >> > >> - Jörg > >> > >> _______________________________________________ > >> SunRay-Users mailing list > >> [email protected] > >> http://www.filibeto.org/mailman/listinfo/sunray-users > >> > > > > _______________________________________________ > > SunRay-Users mailing list > > [email protected] > > http://www.filibeto.org/mailman/listinfo/sunray-users > > > > _______________________________________________ > SunRay-Users mailing list > [email protected] > http://www.filibeto.org/mailman/listinfo/sunray-users _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
