Hello Bob,
your solution seems to be a fairly good one,
but how do I edit Xstartup outside the sunray stanzas? I have tried, and
indeed when I started the sunray, the file was overwritten, as well as
/etc/dt/config/Xconfig.
Are there files where I can do the logout that don't get overwritten
when I restart the sunray server?
@Jörg
Does your method also kill the pseudo. section... when I retire the
smartcard there's a pseudo.[mac] that gets connected? That's also a
dtlogin session. I think that if I add a script to Xsession.d it will
also kill the pseudo session and I end up with nothing.
I just need to have the payflex session (smartcard) stopped, logged out
when the smartcard is removed, without messing everything else up.
On 09/08/2010 05:07 PM, Bob Doolittle wrote:
On 09/08/10 10:50, Mario Garcia Ortiz wrote:
The setup so far is that each user has its smartcard and can't
login as another user...
Do you have by any chance a workaround to force the session to log
out using utaction when the smartcard is removed? I have read about
dtaction ExitSession but this doesn't seem to exist in Solaris.
Right. dtaction is part of CDE, which nobody uses anymore.
Unfortunately Gnome doesn't supply a way to terminate a session (even
your own) non-interactively.
I believe that's due to a bug in gnome-session-save, which claims to
provide this functionality but does not (i.e. with the --kill option,
even if you don't supply --gui it still puts up an interactive GUI,
thus preventing it from being scripted). I'm trying to get that bug
fixed, but it's been open for years now so don't hold your breath :-(
Otherwise you could use gnome-session-save with utaction to do what
you describe.
If you like, you can modify the Display Manager pre-session hook to
invoke a utaction with utsession -k to do this job. It will run as
root and can self-destruct the session when it's disconnected. This
approach is a bit heavy-handed and may disrupt accounting or auditing
if they rely on graceful session exit, but it will work. The
pre-session hooks are:
dtlogin: Add some code to /usr/dt/config/Xstartup (outside of the Sun
Ray stanzas, so they don't get ripped out during SRSS restart)
gdm: Add a new script to /etc/X11/gdm/PreSession
I'd write a little script something like this:
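#!/bin/ksh -p
# Extract the display number from $DISPLAY (e.g. "host:12.0" -> "12")
DISP=${DISPLAY##*:}
DISP=${DISP%%.*}
# On disconnect, have utaction run utsession -k against that display
/opt/SUNWut/bin/utaction -e -d "utsession -k -d $DISP"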
Then I'd either drop that into /etc/X11/gdm/PreSession (location of
gdm directory can vary by Linux distro - if in doubt you can run
/opt/SUNWut/lib/utgdmconfigpath to determine the correct directory),
or call it from /usr/dt/config/Xstartup.
-Bob
Is the logging out of the session part of AMGH, or is it a feature
that must be configured in the sunray server?
Where should the utaction command be placed?
It's a mystery to know what exactly happens when the smartcard is
removed.
Thank you.
Mario G.
On 09/08/2010 02:33 PM, Bob Doolittle wrote:
On second thought, it is possible that if you comment these lines
out (losing NSCM and RHA), smartcard-based AMGH will work in a
non-intuitive, not-as-designed fashion. Which is what you are seeing
apparently. :-)
-Bob
On 09/08/10 08:29, Bob Doolittle wrote:
On 09/08/10 07:35, alessio wrote:
On 9/8/10 12:47 PM, Mario Garcia Ortiz wrote:
Also I have removed the clearuser from pam.conf but the start over
button still clears the username... How can I override the reset
session and start over button in the login screen?
I can only answer the second question.
Removing "clearuser" from pam.conf didn't work for me.
So I've also commented out some other lines in pam.conf
...
dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
#dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
#dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
#dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite pam_authtok_get.so.1
...
This way the "start over" button no longer clears the username, in AMGH.
I don't know if it is right to comment out such lines... by the way, it
works.
I presume you're not a kiosk user, or you wouldn't be using
username. This will break the following functionality:
- NSCM (not important if you are a Linux user)
- RHA (are you using the -D option to utpolicy?)
In both of the above cases, the user will have to authenticate a
second time during login (NSCM only) or hotdesk due to lack of
pam_sunray.so
- smartcard-based AMGH (instead of username-based)
If you don't care about any of these, it seems to me that you might
be OK commenting out those lines (we don't test such a
configuration, which is why I use the word "might").
-Bob
--
Mario GARCIA ORTIZ
System Engineer
Neerstalsestwg. 42 chée. de Neerstalle
B-1190 Brussels
Tel.: +32(0)2 333 40 00
http://www.absi.be
_______________________________________________
SunRay-Users mailing list
http://www.filibeto.org/mailman/listinfo/sunray-users
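
Added example, not part of the original thread and not written by any of its participants: a shell check for the pam.conf change discussed above, showing which auth entries of a PAM service are active and which Sun Ray modules have been commented out. The function names and the embedded sample (the dtlogin-SunRay lines as quoted in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example. On Solaris use nawk or /usr/xpg4/bin/awk; the legacy
# /usr/bin/awk lacks -v and sub().

# Constructed sample: the dtlogin-SunRay auth lines quoted in the thread,
# with the mail client's line wraps undone.
sample_pam_conf() {
cat <<'EOF'
dtlogin-SunRay auth requisite /opt/SUNWkio/lib/pam_kiosk.so.1 log=user
#dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
#dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
#dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite pam_authtok_get.so.1
EOF
}

# audit_pam_stack SERVICE < pam.conf
# Prints "<state> <control> <module>" per auth entry of SERVICE, in stack
# order; state is "disabled" when the entry is commented out.
audit_pam_stack() {
    awk -v svc="$1" '
    {
        line = $0; state = "active"
        sub(/^[ \t]+/, "", line)
        if (line ~ /^#/) { state = "disabled"; sub(/^#+[ \t]*/, "", line) }
        n = split(line, f, /[ \t]+/)
        # Skip other services, other module types and wrapped fragments.
        if (n < 4 || f[1] != svc || f[2] != "auth") next
        print state, f[3], f[4]
    }'
}

# disabled_sunray_modules SERVICE < pam.conf
# Basenames of commented-out modules installed under /opt/SUNWut/.
disabled_sunray_modules() {
    audit_pam_stack "$1" |
        awk '$1 == "disabled" && $3 ~ /^\/opt\/SUNWut\// { sub(/.*\//, "", $3); print $3 }'
}

sample_pam_conf | audit_pam_stack dtlogin-SunRay
echo "Disabled Sun Ray modules:"
sample_pam_conf | disabled_sunray_modules dtlogin-SunRay
```

Against a live system, feed the functions the real file instead of the sample, for example `disabled_sunray_modules dtlogin-SunRay < /etc/pam.conf`.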