[Thinlinc-technical] Forcing sessions for some users to certain agent hosts

[Samuel Mannehed]

Hi again Philippe,

> I don't have users defined on the Master, still I am able to login
> into the first Agent, is this as designed ?

No this is not possible, you must be misunderstanding something. If
you are running a ThinLinc cluster with multiple agent machines, the
users authenticate firstly towards the master and secondly to the
selected agent when logging in. Your master must find the user in order
for the login to a ThinLinc session to work.

Are you maybe running both the agent and the master on the same machine
and connecting to that?

And Rob:

> I understood that it's only the agent who needs to be able to
> authenticate users.

No, both the master and the agent are required to authenticate the
users.

This is the order of things happening when a user logs in:

* The ThinLinc client tries to authenticate with the user information
  through a new SSH tunnel to the master.
* Upon successful authentication the master gives information about
  potential existing sessions or starts a new session on an agent
  server and gives information about that.
* The master sends information about the agent server that was
  selected. The agent server is selected based on load balancing or
  explicit_agentselection.
* The client closes the SSH tunnel to the master and opens a SSH tunnel
  to the correct agent.
* The client tries to authenticate with the user information to the
  agent through the tunnel.
* Upon successful authentication ports are opened on for VNC and local
  devices, and the VNC viewer is started.

I hope this clears things up.

Regards,
-- 
Samuel Mannehed         ThinLinc Developer
Cendio AB               https://cendio.com
Teknikringen 8          https://twitter.com/ThinLinc
583 30 Linköping        https://facebook.com/ThinLinc
Phone: +46-13-214600    https://plus.google.com/+CendioThinLinc