It has no logic in it at all it only has
#!/bin/bash
echo "use_firstserver=true"
exit 0
So this should redirect them regardless of their token type or username.
I'm not sure when they log out if they will typically remove their card,
they might want the chance to log onto some other system and this would
disorientate them.
>OTOH this may mess up if people botch their
> username and select "Start Over" from dtlogin - it may send them back at
> that time but I'm not positive about that. Hopefully that's a minor
> inconvenience in an unusual situation in any case.
This would be fine by me. It would give them a route back to the
"Broker" if they choose the wrong machine to logon to.
Bob Doolittle wrote:
> David Markey wrote:
>> This is what it's telling me in log/messages
>>
>
> What does your AMGH script look like? Under what conditions does it emit
> "use_firstserver=true"? If it's only for pseudo tokens, then you'll have
> to pull your smartcard before the redirect occurs, because you won't
> have a pseudo token while the smartcard is inserted. I presume that,
> after logging out, people will typically remove their smartcard? In this
> case, whether you log out or not, removing your smartcard should send
> your Sun Ray "home", which I believe was your goal, correct?
>
> If you really need to detect a condition described as "User logged out,
> but smartcard inserted", then you could perhaps detect:
>
> [ $insert_token != "pseudo.*" -a $username = "" ]
>
> to emit "use_firstserver=true". You'll be protected when your front-end
> chooser server redirects you to this back-end FOG initially because AMGH
> will be disarmed to avoid overriding a manual placement. But upon logout
> it should take effect. OTOH this may mess up if people botch their
> username and select "Start Over" from dtlogin - it may send them back at
> that time but I'm not positive about that. Hopefully that's a minor
> inconvenience in an unusual situation in any case.
>
> -Bob
>
>> When dtlogin starts up:
>>
>> Mar 5 18:12:35 sunray-test.cs.dit.ie
>> kiosk:utkioskconfig:refresh[13413]: [ID 702911 user.info] Disabled Kiosk
>> Mode for display ':2'
>> Mar 5 18:12:35 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
>> user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
>> token=Payflex.xxxxxxxxxxxxx, username=, AMGH_Done?=NO(Local Session),
>> Details=AMGH is not required., AMGH_Target=*NONE*
>>
>> When i enter my username:
>>
>> Mar 5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 558384 user.info]
>> Worker1 NOTICE: AuthRecord:redirect:: Redirecting terminal
>> IEEE802.0018ed000629 to a non-trusted host xxxxx
>> Mar 5 18:12:58 sunray-test.cs.dit.ie utauthd: [ID 279884 user.info]
>> Worker1 NOTICE: Redirecting with params: {forceInsert=true,
>> redirectProps=null username=dmarkey subcause=amgh doamgh=false,
>> authport=7009, authipa=xxxxx, roamInitiated=true}
>> Mar 5 18:12:58 sunray-test.cs.dit.ie dtlogin[13310]: [ID 118685
>> user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY:
>> token=Payflex.xxxxxxxxxxxxxxxxx, username=dmarkey, AMGH_Done?=YES,
>> Details=AMGH Completed successfully, AMGH_Target=147.x.x.x
>>
>>
>> At this stage DTU gets redirected.
>>
>>
>> For this im using a smartcard, NSCM works flawlessly.
>>
>> Looks like amgh gets called but doesnt think it should do anything.
>> "Details=AMGH is not required"
>>
>>
>> hmm..
>>
>>
>> Any ideas?
>>
>>
>>
>>
>> Bob Doolittle wrote:
>>
>>> David Markey wrote:
>>>
>>>> I'm using use_firstserver=true to make my DTU's go back to their first
>>>> Sunray server after the user has logged out of any other sunray server.
>>>>
>>>> I've noticed that AMGH seems to only be fired off when the user enters
>>>> their username into dtlogin, i.e. if a user logs in to dtlogin and then
>>>> logs out, AMGH wont redirect the DTU back to their first server until
>>>> the user has entered their username into dtlogin.
>>>>
>>>> Is there any way to change this behavior so that as soon as the user
>>>> logs out of their session, AMGH is fired off, instead of the user
>>>> having
>>>> to enter their username before being redirected?
>>>>
>>> Actually this should work without having to enter a username.
>>> Is this in an NSCM or smartcard environment?
>>>
>>> For smartcards, look at the dtlogin/gdm PAM stacks, for NSCM, look at
>>> the utgulogin PAM stack.
>>> You'll see that pam_sunray_amgh comes both before *and* after
>>> sunray_get_user prompt, which is where the username is acquired.
>>>
>>> You should find an AMGH_SUMMARY line in /var/opt/SUNWut/log/messages for
>>> every pass through pam_sunray_amgh. Do you see it for the pre-prompt
>>> pass? (log out of a session, then from a different rlogin/ssh/SRSS
>>> session look at the last AMGH_SUMMARY line in the log for that MAC
>>> address). What does it report?
>>>
>>> -Bob
>>>
>>> _______________________________________________
>>> SunRay-Users mailing list
>>> [email protected]
>>> http://www.filibeto.org/mailman/listinfo/sunray-users
>>>
>>
>> _______________________________________________
>> SunRay-Users mailing list
>> [email protected]
>> http://www.filibeto.org/mailman/listinfo/sunray-users
>>
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
