On 03.01.13 16:48, John Shott wrote:
[...] using 'utconfig' to reset my policy and start again cleared whatever problem I had created.
Note: Jim Klimov also asked whether I really wanted zero-admin cards to be our kiosk sessions and then use NSCM for regular logins. In our case, we need to provide SunRay-to-SunRay mobility for both our regular login users as well as for our kiosk users. While I may be wrong, my assumption was that NSCM doesn't work for kiosk users because there's no easy way to detect and move their session. It seemed that for NSCM to work with a kiosk user, they would have to know that they were utku43 (for example) and then know a password ... and, as far as I know, the utku* users don't have passwords.
No utku users are assigned when NSCM does its work (and they would not have passwords). When you use kiosk policy for NSCM users, your users must provide name and password of a valid UNIX user, but don't get a session as that user. Instead they get a kiosk session as 'utku' user.
You can retrieve the NSCM user name from the environment ("KIOSK_IGNORED_USER" or "SUN_SUNRAY_TOKEN"), but the authentication credentials (and really also the authentication status) are lost. You might be able to map that name to a username for your kiosk application, but users would have to log in again with their application (or for example Windows) password.
Your approach for combining regular, mobile Sun Ray sessions (using NSCM) and mobile kiosk sessions (using cards) looks reasonable to me.
One caveat is that with mobile kiosk sessions it may be difficult to require re-authentication upon hotdesking. That may be a security problem, because a lost smart-card provides unprotected access to the running kiosk session. To fix that you'd need a lock mechanism that you can trigger remotely from a utaction script.
If this doesn't work well, I realize that I can register some of our smartcards as kiosk smart cards and then the remaining cards would default to zero-admin regular cards.
HTH
- Jörg Barfurth

--
Jörg Barfurth
http://blogs.oracle.com/joergb
Disclaimer: I am employed by Oracle. The statements and opinions expressed here are my own and do not necessarily represent those of Oracle Corporation.

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
