| Document ID | Synopsis | Date | ||
| ID70662 | Troubleshooting Hot Desking on Sun Ray[TM] | 2 Mar 2004 |
Keyword(s):Sun Ray, sunray, hot desking, failover, smartcard, NSCM
When a token (a smartcard, or the token assigned to the user's id at the NSCM login GUI) is presented which already has an active Sun Ray[TM] session on one of the Sun Ray[TM] servers within the same failover group, the user gets a new login screen, or a new session, or no session at all, rather than the most recently active session for that token.
Introduction to hot desking:
============================
Hot desking is a feature which works across all Sun Ray[TM] servers
within a failover group. When a token is presented, the
authentication manager checks whether there already exists
an active session for that token on any of the servers.
If yes, then the user gets the most recently active session.
If no, then a loadbalacing algorithm decides
on which server a new session will be created.
Note: only sessions where a user is logged in, the so-called "active"
sessions, will be hot desked. Sessions waiting at the dtgreet
screen might be ignored.
The Sun Ray[TM] Server Software was designed, in part, to provide hot
desking with smartcards. Configuring the Sun Ray[TM] Server Software 1.3
and higher with non-smartcard mobile (NSCM) sessions provides
the benefits of hot desking without the use of smartcards.
Both for smartcards and for NSCM, the hot desking feature requires that
all Sun Ray servers in the same failover group have the same
group signature. Hot desking is a very basic feature. If hot desking
fails, it is likely that other important functionality will fail also,
because there is a misconfiguration, or because critical files
have been accidentially deleted or corrupted.
Related Patches:
================
The Sun Ray Server Software patch:
114880 Sun Ray Server version 2.0 Patch Update
111891 Sun Ray Server version 1.3 Patch Update
110666 Sun Ray enterprise server version 1.2 Update Patch
109127 Sun Ray enterprise server version 1.1 Update Patch
108303 Sun Ray Enterprise Server version 1.0 Update Patch
The dtlogin patch:
112807 CDE 1.5: dtlogin patch (Solaris 9)
108919 CDE 1.4: dtlogin patch (Solaris 8)
107180 CDE 1.3: dtlogin patch (Solaris 7)
105703 CDE 1.2: dtlogin patch (Solaris 2.6 without SDE)
106661 SDE 1.0: Solaris Desktop Extensions patch (Solaris 2.6 with SDE)
The dtsession patch:
113240 CDE 1.5: dtsession patch (Solaris 9)
109354 CDE 1.4: dtsession patch (Solaris 8)
107702 CDE 1.3: dtsession patch (Solaris 7)
106027 CDE 1.2 / SDE 1.0: dtsession patch (Solaris 2.6)
Note: these patches typically require other patches to be installed.
Please refer to the patch READMEs before patch installation.
Possible hot desking failure scenarios:
=======================================
There exist several different failure scenarios, with different
possible root causes, and different troubleshooting steps.
1. Upon hot desking, the user gets neither a new session,
nor the existing old session. Instead, one or several icons
are displayed on the screen.
These icons serve to identify error state. Note the sequence
of icons. For the SRSS 2.0, see pages 195ff. of the SRSS 2.0
Administration Guide for a detailed explanation of the icons.
With the SRSS 1.3, the icons and the green newt are explained
in Appendix A of the SRSS 1.3 Administration Guide, pages 95ff.
2. Upon hot desking, the user gets a new session, and the
old session does not exist any more. Here, the failing hot desking
is just a symptom of the loss of the previous session.
Troubleshooting session loss is beyond the scope of this document.
3. The old session still exists. It is on the same Sun Ray server, but
the user gets a new session upon hot desking.
- Check for corruption of /tmp/SUNWut. Especially, check for
rogue scripts or cronjobs which delete files from /tmp/SUNWut.
/tmp/SUNWut contains crucial Sun Ray dynamic session data. Without
this data, both hot desking and creation of new sessions might fail.
- Check that the dtlogin master process (its pid is stored in
/var/dt/Xpid) is still running, and that the Xsun process
for the old session is a child process of the dtlogin master.
- Check that the token which has been presented is the same as
the token for which an old session exists. For example,
+ the user might have inserted his smartcard the wrong way,
thus creating a "pseudo terminal" session, rather than
creating or accessing a session for his smartcard.
+ The smartcard might not have been identified correctly,
or the token translation for the smartcard is non-unique.
This issue has been observed with JavaBadge cards, where
the cards were recognized as one of two different types.
4825808 is fixed in SRSS 2.0 patch 114880-01.
To check this, get the existing sessions' actual token id
from the corresponding file in /tmp/SUNWut/config/displays,
and crosscheck with the corresponding lines from
/var/opt/SUNWut/log/messages*.
- Check whether the locale was changed, or whether
an unusual locale was used.
4. The session still exists. It is on a different Sun Ray
server, but the user gets a new session upon hot desking.
This indicates a problem with the failover setup.
Frequently, the server on which the old session resides
simply was unreachable when hot desking was attempted.
- Use utgstatus to check that all Sun Ray interfaces are up
and reachable, and that the servers are trusted.
- On the user level, check whether utselect can be used
to access the existing session on the other server.
- The policy on all servers must be the same,
and the -g flag must be set.
- In /etc/opt/SUNWut/auth.props, for failover to work properly
useLocalPolicy must be false,
enableLoadBalancing should be true, and
enableGroupManager must be true.
- Check /var/opt/SUNWut/log/auth_log for "token query timed out"
messages. A network outage or an unusual loading situation
might be causing the authentication managers to not respond
in a timely fashion to the token queries.
- Try to identify Sun Ray appliances where hot desking works,
and Sun Ray appliances where hot desking fails. Look for
patterns to identify network component failure.
Example misconfiguration:
---------- ----------
| Server 1 |--------| Server 2 |
---------- ----------
| |
Sun Rays 1 Sun Rays 2
Sun Rays 1 are not reachable from Server 2, and
Sun Rays 2 are not reachable from Server 1.
Example outage scenario:
---------- ----------
| | ge1/VLAN 1 ge1 | |
| |------------- ok network components -----| |
| | | |
| | ge2/VLAN 2 ge2 | |
| server A |------------- ok network components -----| server B |
| | | |
| | | |
| | ge3/VLAN 3 ---------- --------- ge3 | |
| |------------|bad switch|----|ok switch|----| |
----------- | ---------- --------- ----------
| ||| |||
no appliances here Sun Rays here
Due to the bad switch, on VLAN 3 not all network traffic will get
through from server A to server B and vice versa. Thus, both
servers will think that the ge3 interface on the other server
is down, or unreachable. In SRSS 2.0 utgstatus output on server A,
you will see something like
serverA TN 10.10.10.1 U-- 10.21.0.1 UAM 10.22.0.1 UAM 10.23.0.1 UAM
serverB TN 10.10.10.2 U-- 10.21.1.1 UAM 10.22.1.1 UAM 10.23.1.1 -AM
where the "-AM" for 10.23.1.1 indicates that this interface
currently is unreachable or down. In such a scenario, hot desking
to a session which resides on the other server would still work
on all Sun Ray appliances connected to VLAN 1 and VLAN 2, but
might fail on all Sun Ray appliances in VLAN 3.
5. The old session still exists, but it is a remote login session.
Use utselect or utswitch to reaccess this session.
Steps to identify a user's token:
=================================
1. Have the user log in at the dtgreet screen.
2. Either
% echo $SUN_SUNRAY_TOKEN
user.1234567890-1234 <---- the current token
or
% echo $DISPLAY
:4.0
and, as root user on the same server:
# cat /tmp/SUNWut/config/displays/4
SESSION=labhost:7007:2328000552891973400
TOKEN=user.1234567890-1234 <----- the token
SESSION_TYPE=default
TOKEN_SET=MicroPayflex.5000f8ad00130100,user.1234567890-1234
CALLBACK_COOKIE=487228897641666981
DISPLAY=4
INSERT_TOKEN=MicroPayflex.5000f8ad00130100
will provide you with the user's token. You can then
grep through /tmp/SUNWut/config/displays on all servers
to check whether there exists another session for the same token.
Steps to find existing sessions for a user:
===========================================
1. using the user's unix id, grep the ps output
for Xsun processes owned by the user to identify the
corresponding display number:
# ps -ef | grep testuser | grep Xsun
testuser 20041 1165 0 14:41:53 ? 0:04 /usr/openwin/bin/Xsun :4
-nobanner -auth /var/dt/A:4-39aOrc -dpms
In this example, the display number is 4.
In an environment where Xsun is not used, you can grep the ps
output for dtsession or other processes owned by the user,
then use ptree to identify the corresponding dtlogin child process,
and get the display number from that process:
# ps -ef | grep testuser | grep dtsession
testuser 20343 20298 0 14:57:07 pts/15 0:00 /usr/dt/bin/dtsession
# ptree 20343
1165 /usr/dt/bin/dtlogin -daemon <--- dtlogin master process
20044 /usr/dt/bin/dtlogin -daemon <--- dtlogin child process
20220 /bin/ksh /usr/dt/bin/Xsession
20296 /usr/dt/bin/sdt_shell -c unsetenv _ PWD; unsetenv DT;
20298 -csh -c unsetenv _ PWD; unsetenv DT;setenv DISP
20343 /usr/dt/bin/dtsession
20349 dtwm
# /usr/ucb/ps -axuwww | grep dtlogin | grep 20044
root 20044 0.0 0.7 7088 3824 ? S 14:41:54 0:00 dtlogin<:4> -daemon
2. Get the corresponding displays files from
/tmp/SUNWut/config/displays, and extract the TOKEN.
3. Crosscheck whether there are other display files
with tokens tied to this user.
References:
utselect(1)
utswitch(1)
utgroupsig(1M)
Sun Ray[TM] Server Software 2.0 Administrator's Guide, chapters 5 and 11
See page 111 of the SRSS 2.0 Admin Guide for possible related network
configuration issues. Use utcapture to check for packet loss and latency.