On 09/08/10 10:50, Mario Garcia Ortiz wrote:
The setup so far is that each user has their own smartcard and can't log in as
another user...
Do you have by any chance a workaround to force the session to log out using
utaction when the smartcard is removed? I have read about dtaction ExitSession
but this doesn't seem to exist in Solaris.
Right. dtaction is part of CDE, which nobody uses anymore. Unfortunately Gnome
doesn't supply a way to terminate a session (even your own) non-interactively.
I believe that's due to a bug in gnome-session-save, which claims to provide
this functionality but does not (i.e. with the --kill option, even if you don't
supply --gui it still puts up an interactive GUI, thus preventing it from being
scripted). I'm trying to get that bug fixed, but it's been open for years now
so don't hold your breath :-(
Otherwise you could use gnome-session-save with utaction to do what you
describe.
If you like, you can modify the Display Manager pre-session hook to invoke a
utaction with utsession -k to do this job. It will run as root and can
self-destruct the session when it's disconnected. This approach is a bit
heavy-handed and may disrupt accounting or auditing if they rely on graceful
session exit, but it will work. The pre-session hooks are:
- dtlogin: Add some code to /usr/dt/config/Xstartup (outside of the Sun Ray
  stanzas, so they don't get ripped out during SRSS restart)
- gdm: Add a new script to /etc/X11/gdm/PreSession
I'd write a little script something like this:
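    #!/bin/ksh -p
    # Reduce $DISPLAY (e.g. host:12.0) to the bare display number (12)
    DISP=${DISPLAY##*:}
    DISP=${DISP%%.*}
    # On disconnect, kill the session on this display
    /opt/SUNWut/bin/utaction -e -d "utsession -k -d $DISP"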
Then I'd either drop that into /etc/X11/gdm/PreSession (location of gdm
directory can vary by Linux distro - if in doubt you can run
/opt/SUNWut/lib/utgdmconfigpath to determine the correct directory), or call it
from /usr/dt/config/Xstartup.
-Bob
Is the logging out of the session part of AMGH, or is it a feature that must be
configured in the Sun Ray server?
Where should the utaction command be placed?
It's a mystery to know what exactly happens when the smartcard is removed..
Thank you.
Mario G.
On 09/08/2010 02:33 PM, Bob Doolittle wrote:
On second thought, it is possible that if you comment these lines out (losing
NSCM and RHA), smartcard-based AMGH will work in a non-intuitive,
not-as-designed fashion. Which is what you are seeing apparently. :-)
-Bob
On 09/08/10 08:29, Bob Doolittle wrote:
On 09/08/10 07:35, alessio wrote:
On 9/8/10 12:47 PM, Mario Garcia Ortiz wrote:
Also, I have removed the clearuser from pam.conf but the start over button
still clears the username... How can I override the reset session and
start over button in the login screen?
I can answer only the second question.
Removing "clearuser" from pam.conf didn't work for me.
So I've also commented out some other lines in pam.conf
...
dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
#dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
#dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
#dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite pam_authtok_get.so.1
...
This way the "start over" button no longer clears the username in AMGH.
I don't know if it is right to comment out such lines... by the way, it works.
I presume you're not a kiosk user, or you wouldn't be using username. This will
break the following functionality:
- NSCM (not important if you are a Linux user)
- RHA (are you using the -D option to utpolicy?)
In both of the above cases, the user will have to authenticate a second time
during login (NSCM only) or hotdesk due to lack of pam_sunray.so
- smartcard-based AMGH (instead of username-based)
If you don't care about any of these, it seems to me that you might be OK commenting out
those lines (we don't test such a configuration, which is why I use the word
"might").
-Bob
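
The pre-session hook from Bob's reply, as an added example that is not part of the original thread. Because the hook runs as root and places the display number into a command string, this version refuses any DISPLAY value that does not reduce to plain digits. The utaction and utsession options are copied verbatim from the message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
UTACTION=/opt/SUNWut/bin/utaction   # path as given in the message

# Print the display number from an X DISPLAY string (host:12.0 -> 12).
# Fail if the result is empty or contains anything other than digits.
display_number() {
    d=${1##*:}      # drop everything up to the last colon
    d=${d%%.*}      # drop the ".screen" suffix, if any
    case $d in
        ''|*[!0-9]*) return 1 ;;
        *) printf '%s\n' "$d" ;;
    esac
}

# Build the disconnect command exactly as written in the message.
disconnect_cmd() {
    n=$(display_number "$1") || return 1
    printf 'utsession -k -d %s\n' "$n"
}

# Act only where utaction is installed and DISPLAY validated cleanly;
# otherwise do nothing rather than hand root an unchecked string.
if [ -x "$UTACTION" ] && cmd=$(disconnect_cmd "${DISPLAY:-}"); then
    "$UTACTION" -e -d "$cmd"
fi
```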