Damien R Plunkett wrote:
Hi all,

I've got an interesting problem occurring on our systems. This is probably a winbind question, but I thought it wouldn't hurt to run it by the Sun Ray user list first to see if any of you have encountered this. We have Solaris 10 on X86 machines that we have joined with our 2008 Active Directory domain. All authentication through ssh and sun ray logins work great. All of our units sit in a kiosk mode to terminal servers and a handful of users (about 75) get Payflex smart cards so they can access a Unix Desktop. Occasionally, a card will be inserted and it will continuously cycle the DTU. The logs below repeat every 5 seconds, or so:
Mar  8 11:34:56 haven utauthd: [ID 817972 user.info] Worker1 NOTICE: CLAIMED by 
StartxlationSession.m3 NAME: hotdesk.IEEE802-0021283a0a32 PARAMETERS: 
{savedType=Payflex, altuid=42795, stealProtected=true, 
terminalIPA=10.5.165.104, type=hotdesk, 
fw=GUI4.2_77_2009.10.19.17.01,Boot:MfgPkg_4.15_2006.07.20.16.57; 
2006.07.20-17:04:56-PDT, state=disconnected, cause=insert, doamgh=true, 
barrierLevel=420, altlocale=en_US.UTF-8, rawId=500974b200130100, 
terminalCID=IEEE802.0021283a0a32, MTU=1500, tokenSeq=30, firstServer=8672500f, 
atr.hist_len=09, namespace=IEEE802, keyTypes=dsa-sha1-x1,dsa-sha1, 
ddcconfig=1:0, clientRand=7ykES4vyKDbweKhgEvyw0zLOcsWjFVQzUWK/L/tZnGi, 
id=IEEE802-0021283a0a32, realIP=0a05a568, startRes=1920x1200:1920x1200, 
useReal=true, atr=3b6900002494010201000101a9, event=insert, atr.hs=04, 
sn=0021283a0a32, savedId=500974b200130100, rawType=Payflex, hw=SunRayP8-FS, 
initState=0, usersession=true, _=1}
Mar  8 11:34:56 haven utauthd: [ID 706759 user.info] Worker1 NOTICE: CONNECT 
IEEE802.0021283a0a32, hotdesk.IEEE802-0021283a0a32, all connections allowed
Mar  8 11:34:56 haven utauthd: [ID 118787 user.info] Worker0 NOTICE: MTU = 1500
Mar  8 11:34:56 haven utdtsession: [ID 702911 user.info] Add 
(134,hotdesk.IEEE802-0021283a0a32,special)
Mar  8 11:34:56 haven kiosk:utkioskconfig:configure[1430]: [ID 702911 
user.info] Disabled Kiosk Mode for display ':134'
Mar  8 11:34:56 haven utauthd: [ID 446208 user.info] Worker0 NOTICE: SESSION_OK 
hotdesk.IEEE802-0021283a0a32
Mar  8 11:34:58 haven hdloginGUI: [ID 183284 user.error] Error: Cannot resolve 
altuid (42795) to user (error: Error 0).

This message means that the screen lock program can't get information on the session user. Here getpwuid(3C) reports that the user is not found (return NULL, errno=0).

Combined with the remedies you list below, there seems to be a problem with the name service cache (nscd) or with the name service plugin behind it.

If there is a specific winbind nsswitch module, that could be an explanation. Afaik the name service switch module interface in Solaris is not 'public', so third party plugins are not really supported.

- Does
    $ svcs name-service-cache
  report any problem (that nscd is not 'online')?

- What is the 'passwd' line in your /etc/nsswitch.conf?

- Is there any error message from nscd at the same time as the hdlogin
  error, for example in /var/adm/messages?



*Note: This only occurs if the user is hotdesking. If the session is new, this 
doesn't occur.

I've found three ways of fixing this:
1. Kill the user's session (not ideal)
2. From any user's terminal, run "getent passwd <user id>"
3. ssh from anywhere (windows or unix) to the sunray server as the user in 
question. In this case I don't even have to have the user login...just the act 
of starting an ssh session stops this process and their login screen appears.


It sounds as if these prime the name service cache with the user record. I have no idea how they differ from a plain invocation of getpwuid(1M).

I've set a cron job to execute every 15 minutes that runs "getent passwd" for every card user in the system, but we still see some users with this problem. I could run it every minute, but I'd like to find the cause of this. Anybody have any experience with this? I'm fairly new to Solaris and this is my first set of systems with a working winbind, so any guidance would be greatly appreciated.

I haven't seen this before, but would be interested in the outcome.

- Jörg

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
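
Added example (not part of the original thread, and not Sun Ray or hdloginGUI code): a small C diagnostic that separates the "NULL, errno=0" result described above from a real name service failure when resolving a uid such as the altuid in the log. The function and enum names are made up for this illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum lookup_result { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* NULL with errno 0 means "no such entry" (what hdloginGUI logged as
 * "Error 0"); NULL with errno set means the lookup itself failed. */
enum lookup_result classify(const struct passwd *pw, int err)
{
    if (pw != NULL)
        return LOOKUP_FOUND;
    return err == 0 ? LOOKUP_NOT_FOUND : LOOKUP_ERROR;
}

/* errno is cleared first because getpwuid() only sets it on failure. */
enum lookup_result lookup_uid(uid_t uid, int *err_out)
{
    struct passwd *pw;

    errno = 0;
    pw = getpwuid(uid);
    *err_out = errno;
    return classify(pw, *err_out);
}

/* Usage: ./pwcheck <uid> [<uid> ...]; exits 1 if any uid did not resolve. */
int main(int argc, char **argv)
{
    int i, err, failures = 0;

    for (i = 1; i < argc; i++) {
        uid_t uid = (uid_t)strtoul(argv[i], NULL, 10);
        enum lookup_result r = lookup_uid(uid, &err);

        if (r == LOOKUP_FOUND) {
            printf("uid %lu: resolved\n", (unsigned long)uid);
            continue;
        }
        failures++;
        if (r == LOOKUP_NOT_FOUND)
            printf("uid %lu: not found (NULL, errno=0)\n", (unsigned long)uid);
        else
            printf("uid %lu: lookup error: %s\n", (unsigned long)uid, strerror(err));
    }
    return failures ? 1 : 0;
}
```

Running it for the affected altuid while the DTU is cycling, and again after one of the three workarounds, shows whether the lookup goes from "not found" to "resolved".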