Fixed it. Thanks for the thoughts all.
Based on following down the thread pointed to below by Chuck, found that
there was a config file that was bad in our broken RHEL install. (Fine on
the others that are working happily). Specifically, the file
/etc/pam.d/uthotdesk needs to look something like:
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
The file had lines of the form "<blah> required pam_deny.so" -- that does
not work, resulting in the card-based hotdesking lock-ups. Looks like it
was sending authorizations to oblivion (ie denying access, returning an
internal error)? Perhaps others deeper in this area could explain.
Any thoughts on how our system might have gotten into this state would be
appreciated. Especially, what install process may have gone wrong.
One thing I noticed, gnome-screensaver was not installed on our busted
system. (This cam up as related in the other thread.) It generates a
file for itself in same pm.d directory, of exact form we are looking for
here. Could it be SRSS install tries to clone the screensaver file?? Just
typing out loud here...
-- Peter
"Charles Greco" <cgr...@qualys.com>
Sent by: sunray-users-boun...@filibeto.org
17/03/2009 19:04
Please respond to SunRay-Users mailing list
To: "SunRay-Users mailing list" <sunray-users@filibeto.org>
cc:
Subject: Re: [SunRay-Users] Issue with native-mode card
login on RHEL
Peter,
I just recently addressed this issue with SRSS 4.1 and RHEL 5.3. For me it
turned out to be a pam configuration issue. Check /etc/pam.d/uthotdesk. It
should look more or less exactly like /etc/pam.d/gnome-screensaver however
I found SRSS 4.1 creates a copy that denies everything, resulting in the
authentication error you experienced when trying to reconnect to the
session.
This was also discussed in the archives here:
http://www.mail-archive.com/sunray-users@filibeto.org/msg10806.html
and may be of additional help.
Cheers,
-Chuck
-----Original Message-----
From: sunray-users-boun...@filibeto.org
[mailto:sunray-users-boun...@filibeto.org] On Behalf Of scorp123
Sent: Tuesday, March 17, 2009 3:39 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] Issue with native-mode card login on RHEL
> "Login incorrect; please try again." [OK]
Funny that you mention this ... Today I had the same error on CentOS
5.2. But because this was a lab machine (not used in production) I
thought that one of my colleagues had played around with it and that
something had locked up .... so I simply rebooted the machine without
looking any deeper. After that everything worked. Duh. :-)
I am not anywhere near that CentOS machine at the moment but as soon
as I get back I will take a look, maybe I have log entries that are
similar to your's ...
Regards,
DJM.
2009/3/17 <peter_blatherw...@mitel.com>:
>
> Hi,
> We are experiencing a nasty issue with native-mode card logins on SRSS
4.1
> with RHEL 5.3.
>
> Basically, native-mode card login to RHEL desktop succeeds, session
logout
> through the OS succeeds. However, card out followed by card in results
in
> an error dialog (appears SRSS-generated):
> "Login incorrect; please try again." [OK]
>
> The Linux desktop login does not appear after card-out / card-in, nor
does
> the Sun Ray greeter login, only the error dialog. Clicking [OK] causes
> brief delay, then the same error dialog returns. (Occasionally, the
dialog
> goes blank -- no text only the [OK] -- then returns again.) This
repeats
> forever; user is completely stuck at this point. It is currently
happening
> for all card users on our system whose cards are configured to "Regular"
> user in SRSS Web Admin.
>
> Only way we have found to clear it is to terminate the user session
though
> SRSS Web Admin. (Of course, this is VERY BAD!)
>
> Further factiods:
> - We are running RHEL 5.3 pretty much fully up to date patch-wise, SRSS
4.1,
> along with SRCW 2.1 on the kiosk side.
> - Issue is not affecting kiosk users.
> - Users in this state show as disconnected User sessions in SRSS Web
Admin,
> even when card in (not greeter). Would expect this, given they are not
> getting login greeter.
> - At same time (while card still in) there is also a greeter session of
the
> form "hotdesk.IEEE802-<DTU MAC>. When card removed, IEEE greeter
session
> disappears. (I believe this is normal prior to desktop login.)
> - Linux reboots and SRSS cold or warm restarts also do not clear the
issue
> (ie. after reboots or cold restarts, the full login / logouts succeed,
but
> card out - card in immediately gets stuck again).
> - System policy is Access = Card users all, Non-card users = none.
> - Another RHEL based system we have is working just fine, nominally
> configured identically. (Go figure.)
>
> At the time, logs are coming out as pasted in below. (That last one in
> login sequence, about "Error opening catalog hdloginGUI" sure looks
mighty
> suspect! ;-)
>
> Especially since we have one system happy, and another one most
definitely
> not happy, this leads me to believe something got corrupted somehow, or
> there is a Linux or SRSS configuration issue that has crept in.
>
> Anyone else finding this? Any thoughts on where to look for issues, or
how
> to correct it?
>
> Cheers, Peter
>
> --- logs, card out after initial session (Linux desktop) login
>
> Mar 17 13:37:17 trialsunray utauthd: Worker3 NOTICE: DISCONNECT
> IEEE802.00144fa817f3, Payflex.500dd28600130200 token removed:
> Payflex.500dd28600130200
> Mar 17 13:37:17 trialsunray utauthd: Worker3 NOTICE: DESTROY
> Payflex.500dd28600130200 lifetime=298518
> Mar 17 13:37:17 trialsunray utauthd: Worker3 NOTICE: whichServer
> pseudo.00144fa817f3:
> Mar 17 13:37:17 trialsunray utauthd: Worker3 NOTICE: CLAIMED by
> StartSession.m3 NAME: pseudo.00144fa817f3 PARAMETERS:
{stealProtected=true,
> terminalIPA=10.35.5.156, type=pseudo, fw=GUI4.0_48_2007.08.01.15.48,
> state=connected, cause=insert, doamgh=true, barrierLevel=320,
> rawId=00144fa817f3, terminalCID=IEEE802.00144fa817f3, MTU=1500,
tokenSeq=25,
> firstServer=0a236503, namespace=IEEE802, ddcconfig=1, id=00144fa817f3,
> clientRand=.Btz8tl19L5SL8N1XwHyBblKCuD9ZqqnM4i35KI8Tam, realIP=0a23059c,
> startRes=1600x1200:1600x1200, useReal=true, event=insert, pn=48904,
> sn=00144fa817f3, rawType=pseudo, hw=SunRayP8, initState=0,
> usersession=false, _=1}
> Mar 17 13:37:17 trialsunray utauthd: Worker3 NOTICE: CONNECT
> IEEE802.00144fa817f3, pseudo.00144fa817f3, all connections allowed
> Mar 17 13:37:17 trialsunray utauthd: Worker1 NOTICE: MTU = 1500
> Mar 17 13:37:18 trialsunray utdtsession: Add
> (19,pseudo.00144fa817f3,special)
> Mar 17 13:37:18 trialsunray kiosk:utkioskconfig:configure[1898]:
Disabled
> Kiosk Mode for display ':19'
> Mar 17 13:37:18 trialsunray utauthd: Worker1 NOTICE: SESSION_OK
> pseudo.00144fa817f3
>
> --- logs, card in (error dialog) ---
>
> Mar 17 13:38:12 trialsunray utauthd: Worker1 NOTICE: DISCONNECT
> IEEE802.00144fa817f3, pseudo.00144fa817f3 token removed:
pseudo.00144fa817f3
> Mar 17 13:38:12 trialsunray utauthd: Worker1 NOTICE: DESTROY
> pseudo.00144fa817f3 lifetime=54191
> Mar 17 13:38:12 trialsunray utauthd: Worker1 NOTICE: whichServer
> Payflex.500dd28600130200:
> Mar 17 13:38:12 trialsunray utauthd: Worker1 NOTICE: CLAIMED by
> StartxlationSession.m2 NAME: hotdesk.IEEE802-00144fa817f3 PARAMETERS:
> {savedType=Payflex, altuid=0, stealProtected=true,
terminalIPA=10.35.5.156,
> type=hotdesk, fw=GUI4.0_48_2007.08.01.15.48, state=connected,
cause=insert,
> doamgh=true, barrierLevel=320, altlocale=en_CA.UTF-8,
> rawId=500dd28600130200, terminalCID=IEEE802.00144fa817f3, MTU=1500,
> tokenSeq=26, firstServer=0a236503, atr.hist_len=09, namespace=IEEE802,
> ddcconfig=1, id=IEEE802-00144fa817f3,
> clientRand=hsxnT32fCz.K.IPE7gdZqE//UDnrIWH1wIL4sofMqjC, realIP=0a23059c,
> startRes=1600x1200:1600x1200, useReal=true,
atr=3b6900002494010201000101a9,
> event=insert, pn=34799, atr.hs=04, sn=00144fa817f3,
> savedId=500dd28600130200, rawType=Payflex, hw=SunRayP8, initState=0,
> usersession=true, _=1}
> Mar 17 13:38:12 trialsunray utauthd: Worker1 NOTICE: CONNECT
> IEEE802.00144fa817f3, hotdesk.IEEE802-00144fa817f3, all connections
allowed
> Mar 17 13:38:12 trialsunray utauthd: Worker0 NOTICE: MTU = 1500
> Mar 17 13:38:12 trialsunray utdtsession: Add
> (26,hotdesk.IEEE802-00144fa817f3,special)
> Mar 17 13:38:12 trialsunray kiosk:utkioskconfig:configure[2584]:
Disabled
> Kiosk Mode for display ':26'
> Mar 17 13:38:12 trialsunray utauthd: Worker0 NOTICE: SESSION_OK
> hotdesk.IEEE802-00144fa817f3
> Mar 17 13:38:13 trialsunray hdloginGUI: Error opening catalog hdloginGUI
>
> --- logs card out ---
>
> Mar 17 13:38:42 trialsunray utauthd: SessionManager0 NOTICE: TERMINATE:
> inactive session
> Mar 17 13:38:42 trialsunray utdtsession: Delete (19,pseudo.00144fa817f3)
> Mar 17 13:38:46 trialsunray utauthd: Worker1 NOTICE: DISCONNECT
> IEEE802.00144fa817f3, hotdesk.IEEE802-00144fa817f3 token removed:
> hotdesk.IEEE802-00144fa817f3
> Mar 17 13:38:47 trialsunray utauthd: Worker1 NOTICE: DESTROY
> hotdesk.IEEE802-00144fa817f3 lifetime=34998
> Mar 17 13:38:47 trialsunray utauthd: Worker1 NOTICE: whichServer
> pseudo.00144fa817f3:
> Mar 17 13:38:47 trialsunray utauthd: Worker1 NOTICE: CLAIMED by
> StartSession.m3 NAME: pseudo.00144fa817f3 PARAMETERS:
{stealProtected=true,
> terminalIPA=10.35.5.156, type=pseudo, fw=GUI4.0_48_2007.08.01.15.48,
> state=connected, cause=insert, doamgh=true, barrierLevel=320,
> rawId=00144fa817f3, terminalCID=IEEE802.00144fa817f3, MTU=1500,
tokenSeq=27,
> firstServer=0a236503, namespace=IEEE802, ddcconfig=1, id=00144fa817f3,
> clientRand=mW0UaGPKwnRtvtSQjO/Ys9ZHHMx1MoAzHqQFYspKNIe, realIP=0a23059c,
> startRes=1600x1200:1600x1200, useReal=true, event=insert, pn=35139,
> sn=00144fa817f3, rawType=pseudo, hw=SunRayP8, initState=0,
> usersession=false, _=1}
> Mar 17 13:38:47 trialsunray utauthd: Worker1 NOTICE: CONNECT
> IEEE802.00144fa817f3, pseudo.00144fa817f3, all connections allowed
> Mar 17 13:38:47 trialsunray utdtsession: Delete
> (26,hotdesk.IEEE802-00144fa817f3)
> Mar 17 13:38:47 trialsunray utauthd: Worker2 NOTICE: MTU = 1500
> Mar 17 13:38:47 trialsunray utauthd: SessionManager0 NOTICE: TERMINATE:
> inactive session
> Mar 17 13:38:47 trialsunray utdtsession: Add
> (19,pseudo.00144fa817f3,special)
> Mar 17 13:38:47 trialsunray kiosk:utkioskconfig:configure[3421]:
Disabled
> Kiosk Mode for display ':19'
> Mar 17 13:38:47 trialsunray utauthd: Worker2 NOTICE: SESSION_OK
> pseudo.00144fa817f3
>
>
>
> _______________________________________________
> SunRay-Users mailing list
> SunRay-Users@filibeto.org
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
>
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users
--------------------------------------------------------------------
This e-mail message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. Unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
Thank you.
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users
