The ThinLinc Administrator’s Guide

Version 4.19.0

Introduction

• Introduction
  • About the documentation
  • Finding more information
• ThinLinc architecture
  • Major components
  • System integration
  • Session overview
• Obtaining ThinLinc
  • Verifying the software packages

Server installation

• Server requirements
  • ThinLinc system and software requirements
  • A note on server sizing
• Network requirements
  • A simple ThinLinc setup
  • ThinLinc in a NAT/split-DNS environment
    • Relays
    • DNS
    • Configuring the agents
• Installing the ThinLinc server
  • ThinLinc setup
  • Sudo configuration
  • External access behind NAT
  • Next steps

Optional setup

• Authentication in ThinLinc
  • Pluggable Authentication Modules
    • Configuration files for PAM
  • Limitations
  • Using public key authentication
    • Introduction
    • Key generation
    • Server configuration
    • Client configuration
  • Using smart card public key authentication
    • Introduction
    • General requirements
    • Key generation
    • Server configuration
    • Client configuration
    • Automatic connection
    • LDAP automatic update (tl-ldap-certalias)
  • Using one-time passwords
    • Introduction
    • General requirements
    • Configuration for RSA SecurID
• License handling
  • Overview
  • License counting
  • Location and format of license files
  • Log files and e-mail messages
  • Checking the number of valid licenses
• Cluster installation
  • Prerequisites
  • New agent configuration
  • Master configuration
  • Next steps
• High availability
  • High availability overview
    • Background — reasons for a HA setup
    • Solution — elimination of single point of failure
    • Theory of operation
  • Configuration of ThinLinc for HA operations
    • Installation of a new HA cluster
    • Reconfiguring an existing ThinLinc installation into HA mode
  • Recovering from hardware failures
    • Recovering from minor failures
    • Recovering from catastrophic failure
• Printer features
  • Printer configuration overview
    • CUPS browsing
    • CUPS configuration on the master machine
    • CUPS configuration on the agent machines(s)
  • Local printer support
    • Theory of operation
    • Device-independent mode
    • Device dependent mode
    • Installation and configuration
    • Parallel port emulation
  • Nearest printer support
    • Administration of the nearest printer feature in ThinLinc
    • Nearest printer selection algorithm
    • Printer drivers
  • Printer access control
    • Theory of operation
    • Requirements
    • Activating the printer access control feature
    • Configuration
• 3D acceleration
  • Overview
  • Installation and configuration
• Automated installation
• Uninstalling the ThinLinc server

Clients

• Choosing a client
• The native client
  • Installation
    • Windows
    • macOS
    • Linux PC
    • Thin terminals
    • Running ThinLinc on a ThinStation terminal
  • Client usage
    • The started ThinLinc client
    • Logging in to a ThinLinc server
    • Language settings
    • The ThinLinc session life cycle
    • The session menu
  • Client command line usage
    • Description of available command-line arguments
  • Local device export
    • Sound device
    • Drives
    • Printer
    • Smart card readers
  • Client configuration
    • Display tab
    • Local devices tab
    • Optimization tab
    • Security tab
    • Advanced tab
    • Configuration storage
  • Client touch gestures
  • Log file placement
    • Linux log file
    • Windows log file
    • macOS log file
  • Client customizer
    • Introduction
    • Installation
    • Building a customized client
    • Adding SSH host keys
  • Launching the client from a web page
    • Requirements
    • Installation
    • Usage
    • The CGI script tlclient.cgi
  • Advanced topics
    • Hardware address reporting
    • Client update notifications
    • Adding custom branding to the login window
    • XDM mode (Linux only)
• ThinLinc Web Access
  • Server configuration
    • Certificates
  • Usage
    • Requirements
    • Logging in to a ThinLinc server
    • The toolbar
    • Extra keys
    • Clipboard
    • Touch gestures
    • Command and Alt keys on macOS and iOS

Administration

• Accessing client resources from the ThinLinc session
  • Accessing the client’s local drives
    • Introduction
    • Mounting and unmounting local drives
    • Mounting drives at login
    • Limitations and additional information
  • Using sound device redirection
    • Introduction
    • Requirements
    • PulseAudio applications
    • OSS applications
    • ALSA applications
    • Choosing sound system
  • Using smart card redirection
    • Introduction
    • Requirements
    • Enabling smart card redirection
    • Limitations and additional information
• Clustering
  • Load balancing
  • Subclusters
  • Keeping agent configuration synchronized in a cluster
    • Using the master node as a staging agent
  • Limiting number of users per agent
  • Stopping new session creation on select agents in a cluster
• Server configuration
  • Configuring logging on ThinLinc servers
    • ThinLinc server components
    • Per-session logging
  • Customizing the user’s session
    • Session startup — the big picture
    • Session startup on agent
    • xstartup.default
    • Start program from client
    • Speeding up session startup
    • Use client language
  • ThinLinc profiles
    • Configuration
    • Custom desktops
    • Single application
    • Common issues
  • Limiting lifetime of ThinLinc sessions
  • Configuring HSTS headers
    • Warnings and limitations
    • Overview
    • Enable HSTS headers
    • Include subdomains in the HSTS policy
    • Allow browser HSTS preloading
• Upgrading ThinLinc
  • Upgrading a cluster
  • New licenses
  • Upgrading the package
  • Configuration migration
• Shadowing
  • Introduction
  • Disable shadowing feature
  • Granting shadowing access to users
  • Shadowing notification
  • Shadowing a user session
• Hiveconf
  • Overview
    • Basic syntax
    • Tree structure
    • Mounting datasources
    • Host-wide configuration
    • Hiveconf tools
  • Hiveconf and ThinLinc
    • The ThinLinc configuration tool
• Command line
  • Managing sessions
  • Notifying users
  • Cluster load
  • License monitoring
• Web administration interface
  • Introduction
  • Modules
    • System health module
    • Status module
    • Cluster module
    • Services module
    • Profiles module
    • Locations module
    • Desktop customizer module
• Building custom Linux desktops with the ThinLinc desktop customizer
  • Introduction
  • Using the ThinLinc desktop customizer
    • Concepts
    • Using the ThinLinc desktop customizer
    • Handling applications
    • Defining a menu structure
    • Defining application groups
    • Distribute configuration to all agent hosts
  • Enabling the custom desktops for users
  • Tips & tricks with TLDC
    • Unwanted icons on the desktop with KDE
    • File associations in KDE for applications not in the menu
    • Home icon not working in KDE

Appendixes

• Commands on the ThinLinc server
  • tl-config
    • Synopsis
    • Description
    • Options
    • Examples
  • tl-desktop-restore
    • Synopsis
    • Description
  • tl-disconnect
    • Synopsis
    • Description
  • tl-env
    • Synopsis
    • Description
    • Options
  • tl-memberof-group
    • Synopsis
    • Description
    • Exit status
    • Examples
  • tl-mount-localdrives
    • Synopsis
    • Description
    • Options
    • Notes
    • See also
  • tl-session-param
    • Synopsis
    • Description
    • Options
    • Examples
  • tl-single-app
    • Synopsis
    • Description
    • Examples
  • tl-sso-password
    • Synopsis
    • Description
    • Options
    • See also
  • tl-sso-token-passphrase
    • Synopsis
    • Description
    • Options
    • See also
  • tl-sso-update-password
    • Synopsis
    • Description
  • tl-umount-localdrives
    • Synopsis
    • Description
    • Options
    • Notes
    • See also
  • tl-while-x11
    • Synopsis
    • Description
  • tlctl
    • Synopsis
    • Description
    • Options
    • Commands
  • tlctl license
    • Synopsis
    • Description
    • Options
    • Commands
  • tlctl load
    • Synopsis
    • Description
    • Options
    • Commands
  • tlctl session
    • Synopsis
    • Description
    • Options
    • Commands
  • tl-gen-auth
    • Synopsis
    • Description
  • tl-ldap-certalias
    • Synopsis
    • Description
    • Options
  • tl-notify
    • Synopsis
    • Description
    • Options
  • tl-rsync-all
    • Synopsis
    • Description
    • Examples
    • See also
  • tl-setup
    • Synopsis
    • Description
    • Options
  • tl-ssh-all
    • Synopsis
    • Description
    • See also
  • tl-support
    • Synopsis
    • Description
    • Options
• Server configuration parameters
  • Parameters in /profiles/
  • Parameters in /tlwebadm/
  • Parameters in /sessionstart/
  • Parameters in /shadowing/
  • Parameters in /utils/
    • Parameters in /utils/tl-desktop-customizer/
    • Parameters in /utils/tl-ldap-certalias/
    • Parameters in /utils/tl-mount-localdrives/
  • Parameters in /vsm/
  • Parameters in /vsmagent/
  • Parameters in /vsmserver/
  • Parameters in /subclusters/
  • Parameters in /agents/
  • Parameters in /HA/
  • Parameters in /webaccess/
• Client configuration parameters
• TCP ports used by ThinLinc
  • On a machine running VSM Server
  • On a machine running VSM Agent
• Troubleshooting ThinLinc
  • General troubleshooting method
  • Troubleshooting specific problems
    • Problems where the client reports an error
    • Problems that occur after session start
• Restricting access to ThinLinc servers
  • Disabling SSH access
  • Disabling shell access
    • Changing the configured shell
    • Using ForceCommand
  • Disabling port forwarding
    • Disabling remote port forwarding
  • Disabling clipboard
  • Disabling local drives
  • Restricting write access to users’ home directories
    • Configuration
    • Security considerations and limitations
• GnuTLS priority strings
  • Standard configuration
    • Cipher suites
    • Protocols
    • Ciphers
    • MACs
    • Key Exchange Algorithms
    • Groups
    • PK-signatures
  • Available algorithms
    • Cipher suites
    • Certificate types
    • Protocols
    • Ciphers
    • MACs
    • Digests
    • Key exchange algorithms
    • Compression
    • Groups
    • Public Key Systems
    • PK-signatures
• SELinux enabled distributions