William Yang wrote:
I split the scripts for the reason I mentioned on the documentation wiki... at least when I was initially playing with it, I found that any changes to the script registered with AMGH required a utrestart to work, as if AMGH were reading in the script at software startup time instead of on-demand.

Not true. I suspect subtle artifacts were misconstrued (easy to do). All utamghadm does is to store the location of the script and activate the mechanism. The script is run - in place, every time the PAM stack is invoked.

One common issue when people are initially experimenting with AMGH is this:
AMGH works in PAM. That means a new greeter session has to be created for AMGH to take effect. When you remove a token from a greeter session (i.e. disconnect it), it doesn't die for 15 minutes by default.

Therefore, if you're inserting and removing your card and actively experimenting with AMGH parameters in your script or the DB it relies upon, you might not see what you expect, because when you re-insert your token you get the existing greeter session, which has already run the PAM stack and is waiting for user input, so AMGH doesn't get another swing with the changed parameters.

People don't typically run into this in production because it's usually more than 15 minutes after an AMGH parameter change before a token is inserted. If this is really an issue for you, you can change the idle-session reap timeout by:
# cp /etc/opt/SUNWut/reaper.conf.template /etc/opt/SUNWut/reaper.conf
- edit reaper.conf to set REAPER_TIMEOUT to a smaller value. You might try 0 if you are experimenting but this might cause race cases in production so I recommend at least 30 seconds for busy systems. We don't test with reduced values so there can be issues if you use too small a value.

Note that by reducing this value you may increase the overhead of session startup when a token is inserted. The reason for this hysteresis is that people sometimes leave and then return within a short interval, and this prevents the overhead of session teardown/startup.

Of course the other alternative while experimenting is to use "utsession -k" to actively kill the session after you change an AMGH parameter and start fresh.

-Bob

Disclaimer: Opinions expressed in this mail are my own,
and are not necessarily shared by my employer

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users