Jorg,
Thanks for the response.
"- Does
$ svcs name-service-cache
report any problem (that nscd is not 'online')?"
- No, name-service-cache is online.
The passwd line in the /etc/nsswitch.conf file reads:
passwd: files winbind
"- Is there any error message from nscd at the same time as the hdlogin
error, for example in /var/adm/messages?"
There are no error messages from nscd at the same time. I only see the same
error message "...Cannot resolve altuid (42795)..." in /var/adm/messages. I had
been told by the previous admin that nscd should be turned off when using
winbind, but I have seen no difference in behavior when the service is on or
off.
Thanks again,
Damien
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Joerg Barfurth
Sent: Tuesday, March 09, 2010 3:23 AM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] Smartcard cycles continuously for "regular" sessions
Damien R Plunkett wrote:
> Hi all,
>
> I've got an interesting problem occurring on our systems. This is probably a
> winbind question, but I thought it wouldn't hurt to run it by the Sun Ray
> user list first to see if any of you have encountered this.
>
> We have Solaris 10 on X86 machines that we have joined with our 2008 Active
> Directory domain. All authentication through ssh and sun ray logins work
> great. All of our units sit in a kiosk mode to terminal servers and a handful
> of users (about 75) get Payflex smart cards so they can access a Unix
> Desktop. Occasionally, a card will be inserted and it will continuously cycle
> the DTU. The logs below repeat every 5 seconds, or so:
>
> Mar 8 11:34:56 haven utauthd: [ID 817972 user.info] Worker1 NOTICE:
> CLAIMED by StartxlationSession.m3 NAME: hotdesk.IEEE802-0021283a0a32
> PARAMETERS: {savedType=Payflex, altuid=42795, stealProtected=true,
> terminalIPA=10.5.165.104, type=hotdesk,
> fw=GUI4.2_77_2009.10.19.17.01,Boot:MfgPkg_4.15_2006.07.20.16.57;
> 2006.07.20-17:04:56-PDT, state=disconnected, cause=insert,
> doamgh=true, barrierLevel=420, altlocale=en_US.UTF-8,
> rawId=500974b200130100, terminalCID=IEEE802.0021283a0a32, MTU=1500,
> tokenSeq=30, firstServer=8672500f, atr.hist_len=09, namespace=IEEE802,
> keyTypes=dsa-sha1-x1,dsa-sha1, ddcconfig=1:0,
> clientRand=7ykES4vyKDbweKhgEvyw0zLOcsWjFVQzUWK/L/tZnGi,
> id=IEEE802-0021283a0a32, realIP=0a05a568,
> startRes=1920x1200:1920x1200, useReal=true,
> atr=3b6900002494010201000101a9, event=insert, atr.hs=04,
> sn=0021283a0a32, savedId=500974b200130100, rawType=Payflex,
> hw=SunRayP8-FS, initState=0, usersession=true, _=1}
> Mar 8 11:34:56 haven utauthd: [ID 706759 user.info] Worker1 NOTICE: CONNECT
> IEEE802.0021283a0a32, hotdesk.IEEE802-0021283a0a32, all connections
> allowed
> Mar 8 11:34:56 haven utauthd: [ID 118787 user.info] Worker0 NOTICE: MTU = 1500
> Mar 8 11:34:56 haven utdtsession: [ID 702911 user.info] Add (134,hotdesk.IEEE802-0021283a0a32,special)
> Mar 8 11:34:56 haven kiosk:utkioskconfig:configure[1430]: [ID 702911
> user.info] Disabled Kiosk Mode for display ':134'
> Mar 8 11:34:56 haven utauthd: [ID 446208 user.info] Worker0 NOTICE:
> SESSION_OK hotdesk.IEEE802-0021283a0a32
> Mar 8 11:34:58 haven hdloginGUI: [ID 183284 user.error] Error: Cannot resolve altuid (42795) to user (error: Error 0).
This message means that the screen lock program can't get information on the
session user. Here getpwuid(3C) reports that the user is not found (return
NULL, errno=0).
Combined with the remedies you list below, there seems to be a problem with the
name service cache (nscd) or with the name service plugin behind it.
If there is a specific winbind nsswitch module, that could be an explanation.
Afaik the name service switch module interface in Solaris is not 'public', so
third party plugins are not really supported.
- Does
$ svcs name-service-cache
report any problem (that nscd is not 'online')?
- What is the 'passwd' line in your /etc/nsswitch.conf?
- Is there any error message from nscd at the same time as the hdlogin
error, for example in /var/adm/messages?
>
> *Note: This only occurs if the user is hotdesking. If the session is new,
> this doesn't occur.
>
> I've found three ways of fixing this:
> 1. Kill the user's session (not ideal)
> 2. From any user's terminal, run "getent passwd <user id>"
> 3. ssh from anywhere (windows or unix) to the sunray server as the user in
> question. In this case I don't even have to have the user login...just the
> act of starting an ssh session stops this process and their login screen
> appears.
>
It sounds as if these prime the name service cache with the user record.
I have no idea how they differ from a plain invocation of getpwuid(1M).
> I've set a cron job to execute every 15 minutes that runs "getent passwd" for
> every card user in the system, but we still see some users with this problem.
> I could run it every minute, but I'd like to find the cause of this.
>
> Anybody have any experience with this? I'm fairly new to Solaris and this is
> my first set of systems with a working winbind, so any guidance would be
> greatly appreciated.
>
I haven't seen this before, but would be interested in the outcome.
- Jörg
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users