David Markey wrote:
This is what it's telling me in log/messages
What does your AMGH script look like? Under what conditions does it emit
"use_firstserver=true"? If it's only for pseudo tokens, then you'll have
to pull your smartcard before the redirect occurs, because you won't
have a pseudo token while the smartcard is inserted. I presume that,
after logging out, people will typically remove their smartcard? In this
case, whether you log out or not, removing your smartcard should send
your Sun Ray "home", which I believe was your goal, correct?
If you really need to detect a condition described as "User logged out,
but smartcard inserted", then you could perhaps detect:
[ $insert_token != "pseudo.*" -a $username = "" ]
to emit "use_firstserver=true". You'll be protected when your front-end
chooser server redirects you to this back-end FOG initially because AMGH
will be disarmed to avoid overriding a manual placement. But upon logout
it should take effect. OTOH this may mess up if people botch their
username and select "Start Over" from dtlogin - it may send them back at
that time but I'm not positive about that. Hopefully that's a minor
inconvenience in an unusual situation in any case.
-Bob
When dtlogin starts up:
Mar 5 18:12:35 sunray-test.cs.dit.ie
kiosk:utkioskconfig:refresh[13413]: [ID 702911 user.info] Disabled Kiosk
Mode for display ':2'
Mar 5 18:12:35 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
token=Payflex.xxxxxxxxxxxxx, username=, AMGH_Done?=NO(Local Session),
Details=AMGH is not required., AMGH_Target=*NONE*
When i enter my username:
Mar 5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 558384 user.info]
Worker1 NOTICE: AuthRecord:redirect:: Redirecting terminal
IEEE802.0018ed000629 to a non-trusted host xxxxx
Mar 5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 279884 user.info]
Worker1 NOTICE: Redirecting with params: {forceInsert=true,
redirectProps=null username=dmarkey subcause=amgh doamgh=false,
authport=7009, authipa=xxxxx, roamInitiated=true}
Mar 5 18:12:58 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
token=Payflex.xxxxxxxxxxxxxxxxx, username=dmarkey, AMGH_Done?=YES,
Details=AMGH Completed successfully, AMGH_Target=147.x.x.x
At this stage DTU gets redirected.
For this im using a smartcard, NSCM works flawlessly.
Looks like amgh gets called but doesnt think it should do anything.
"Details=AMGH is not required"
hmm..
Any ideas?
Bob Doolittle wrote:
David Markey wrote:
I'm using use_firstserver=true to make my DTU's go back to their first
Sunray server after the user has logged out of any other sunray server.
I've noticed that AMGH seems to only be fired off when the user enters
their username into dtlogin, i.e. if a user logs in to dtlogin and then
logs out, AMGH wont redirect the DTU back to their first server until
the user has entered their username into dtlogin.
Is there any way to change this behavior so that as soon as the user
logs out of their session, AMGH is fired off, instead of the user having
to enter their username before being redirected?
Actually this should work without having to enter a username.
Is this in an NSCM or smartcard environment?
For smartcards, look at the dtlogin/gdm PAM stacks, for NSCM, look at
the utgulogin PAM stack.
You'll see that pam_sunray_amgh comes both before *and* after
sunray_get_user prompt, which is where the username is acquired.
You should find an AMGH_SUMMARY line in /var/opt/SUNWut/log/messages for
every pass through pam_sunray_amgh. Do you see it for the pre-prompt
pass? (log out of a session, then from a different rlogin/ssh/SRSS
session look at the last AMGH_SUMMARY line in the log for that MAC
address). What does it report?
-Bob
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
