"Markolf Gudjons" <[EMAIL PROTECTED]> wrote:
> On Wed, 19 Oct 2005, Lebar, Russell J wrote:
>
> > Anyway, I suspect that the SRSS listens on every interface so all a Sun
> > Ray needs to do is be able to hit a Sun Ray server.
>
> Well, at least with 3.0 that didn't work. I could see the Ray sending
> utauthd packets to the server, with no response until I added the subnet.

authd listens on all interfaces but by default it will serve sessions only to Sun Rays on subnets that have been configured as "Sun Ray interconnects" by 'utadm -a'.

authd's concept of the network world is very simple. There are interconnects, and there's the rest of the world. A single authd configuration switch controls whether it will serve sessions to Sun Rays in "the rest of the world", i.e. to Sun Rays on subnets that are not interconnects. That switch gets turned on if you run 'utadm -L on' or 'utadm -A'. Once it's turned on, authd will serve sessions to Sun Rays on any subnet anywhere.

The purpose of 'utadm -A' is to automate the creation of DHCP entries for the specified non-interconnect subnet. If you don't need to provide DHCP service to that subnet then you don't need 'utadm -A', you can just run 'utadm -L on' instead.

> > I've definitely seen a Sun Ray come up on a network not configured in
> > utadm before. I think with SRSS 1.3 (or maybe 2.0).
>
> If a network is not specified in /etc/netmasks, Solaris uses classful
> addressing by default. So if your Ray subnet is at e.g. 172.20.0.0/24,
> configuring this means that in fact every Ray in 172.16/16 is allowed to
> connect. Maybe that's what happened.

As soon as you run 'utadm -A' for *any* subnet, authd is permitted to serve sessions to any Sun Ray.

Personally I'm amazed that no customer has ever asked for authd to be able to serve sessions only to Sun Rays on specific subnets. I've been expecting to see that RFE for years.

Of course you can use a firewall to control this; disallowing TCP connections to the Sun Ray server's port 7009 will do it.

OttoM.
__
ottomeister

Disclaimer: These are my opinions. I do not speak for my employer.

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
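The firewall approach mentioned at the end of the message, as an added example that is not part of the original post: a shell function that generates Solaris IP Filter (ipf.conf) rules admitting only listed subnets to TCP port 7009. The use of IP Filter, the function names and the sample subnets are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes the Sun Ray server
# runs Solaris IP Filter; the subnets at the bottom are constructed samples.

AUTHD_PORT=7009   # authd port named in the message above

# Return 0 if $1 looks like a.b.c.d/len with octets 0-255 and len 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in *[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print ipf.conf rules for the subnets given as arguments. Nothing is
# printed if any argument is malformed, so a typo cannot produce a
# half-built rule set.
gen_authd_rules() {
    [ $# -gt 0 ] || { echo "no subnets given" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    done
    # "quick" stops at the first matching rule, so the pass rules must
    # come before the final block rule.
    for net in "$@"; do
        echo "pass in quick proto tcp from $net to any port = $AUTHD_PORT flags S keep state"
    done
    # Every other source is refused before authd sees the connection,
    # whatever 'utadm -L on' or 'utadm -A' has enabled.
    echo "block in quick proto tcp from any to any port = $AUTHD_PORT"
}

# Constructed sample: one interconnect and one LAN subnet.
gen_authd_rules 192.168.128.0/24 10.20.30.0/24
```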
