The ThinLinc Administrator’s Guide

Version 4.18.0

Introduction

• Introduction
  • About the documentation
  • Finding more information
• ThinLinc architecture
  • Major components
  • System integration
  • Session overview
• Obtaining ThinLinc
  • Verifying the software packages

Server installation

• Server requirements
  • ThinLinc system and software requirements
  • A note on server sizing
• Network requirements
  • A simple ThinLinc setup
  • ThinLinc in a NAT/split-DNS environment
    • Relays
    • DNS
    • Configuring the agents
• Installing the ThinLinc server
  • ThinLinc setup
  • Sudo configuration
  • External access behind NAT
  • Next steps

Optional setup

• Authentication in ThinLinc
  • Pluggable Authentication Modules
    • Configuration files for PAM
  • Limitations
  • Using public key authentication
    • Introduction
    • Key generation
    • Server configuration
    • Client configuration
  • Using smart card public key authentication
    • Introduction
    • General requirements
    • Key generation
    • Server configuration
    • Client configuration
    • Automatic connection
    • LDAP automatic update (tl-ldap-certalias)
  • Using one-time passwords
    • Introduction
    • General requirements
    • Configuration for RSA SecurID
• License handling
  • Overview
  • License counting
  • Location and format of license files
  • Log files and e-mail messages
  • Checking the number of valid licenses
• Cluster installation
  • Prerequisites
  • New agent configuration
  • Master configuration
  • Next steps
• High availability
  • High availability overview
    • Background — reasons for a HA setup
    • Solution — elimination of single point of failure
    • Theory of operation
  • Configuration of ThinLinc for HA operations
    • Installation of a new HA cluster
    • Reconfiguring an existing ThinLinc installation into HA mode
  • Recovering from hardware failures
    • Recovering from minor failures
    • Recovering from catastrophic failure
• Printer features
  • Printer configuration overview
    • CUPS browsing
    • CUPS configuration on the master machine
    • CUPS configuration on the agent machines(s)
  • Local printer support
    • Theory of operation
    • Device-independent mode
    • Device dependent mode
    • Installation and configuration
    • Parallel port emulation
  • Nearest printer support
    • Administration of the nearest printer feature in ThinLinc
    • Nearest printer selection algorithm
    • Printer drivers
  • Printer access control
    • Theory of operation
    • Requirements
    • Activating the printer access control feature
    • Configuration
• 3D acceleration
  • Overview
  • Installation and configuration
• Automated installation
• Uninstalling the ThinLinc server

Clients

• Choosing a client
• The native client
  • Installation
    • Windows
    • macOS
    • Linux PC
    • Thin terminals
    • Running ThinLinc on a ThinStation terminal
  • Client usage
    • The started ThinLinc client
    • Logging in to a ThinLinc server
    • Language settings
    • The ThinLinc session life cycle
    • The session menu
  • Client command line usage
    • Description of available command-line arguments
  • Local device export
    • Sound device
    • Serial ports (Windows and Linux only)
    • Drives
    • Printer
    • Smart card readers
  • Client configuration
    • Display tab
    • Local devices tab
    • Optimization tab
    • Security tab
    • Advanced tab
    • Configuration storage
  • Client touch gestures
  • Log file placement
    • Linux log file
    • Windows log file
    • macOS log file
  • Client customizer
    • Introduction
    • Installation
    • Building a customized client
    • Adding SSH host keys
  • Launching the client from a web page
    • Requirements
    • Installation
    • Usage
    • The CGI script tlclient.cgi
  • Advanced topics
    • Hardware address reporting
    • Client update notifications
    • Adding custom branding to the login window
    • XDM mode (Linux only)
• ThinLinc Web Access
  • Server configuration
    • Certificates
  • Usage
    • Requirements
    • Logging in to a ThinLinc server
    • The toolbar
    • Extra keys
    • Clipboard
    • Touch gestures
    • Command and Alt keys on macOS and iOS

Administration

• Accessing client resources from the ThinLinc session
  • Accessing the client’s local drives
    • Introduction
    • Mounting and unmounting local drives
    • Mounting drives at login
    • Limitations and additional information
  • Using serial port redirection
    • Introduction
    • Requirements
    • Enabling serial port redirection
    • Accessing the redirected port from applications
    • Limitations and additional information
  • Using sound device redirection
    • Introduction
    • Requirements
    • PulseAudio applications
    • OSS applications
    • ALSA applications
    • Choosing sound system
  • Using smart card redirection
    • Introduction
    • Requirements
    • Enabling smart card redirection
    • Limitations and additional information
• Server configuration
  • Cluster configuration
    • Subclusters
    • Keeping agent configuration synchronized in a cluster
    • Limiting number of users per agent
    • Stopping new session creation on select agents in a cluster
  • Configuring logging on ThinLinc servers
    • ThinLinc server components
    • Per-session logging
  • Customizing the user’s session
    • Session startup — the big picture
    • Session startup on VSM Agent
    • Profiles and the standard xstartup.default file
    • Session startup with a client supplied start program
    • Configuring available profiles
    • Configuring different Linux desktops based on the selected profile
    • Speeding up session startup
    • Configuring the language environment on the server based on the client language
  • Limiting lifetime of ThinLinc sessions
  • Configuring HSTS headers
    • Warnings and limitations
    • Overview
    • Enable HSTS headers
    • Include subdomains in the HSTS policy
    • Allow browser HSTS preloading
• Upgrading ThinLinc
  • Upgrading a cluster
  • New licenses
  • Upgrading the package
  • Configuration migration
• Shadowing
  • Introduction
  • Disable shadowing feature
  • Granting shadowing access to users
  • Shadowing notification
  • Shadowing a user session
• Hiveconf
  • Overview
    • Basic syntax
    • Tree structure
    • Mounting datasources
    • Host-wide configuration
    • Hiveconf tools
  • Hiveconf and ThinLinc
    • The ThinLinc configuration tool
• Command line
  • Managing sessions
  • Notifying users
  • Cluster load
• Administration of ThinLinc using the web administration interface
  • Introduction
  • Modules
    • The system health module
    • The status module
    • The VSM module
    • The profiles module
    • The locations module
    • The desktop customizer module
• Building custom Linux desktops with the ThinLinc desktop customizer
  • Introduction
  • Using the ThinLinc desktop customizer
    • Concepts
    • Using the ThinLinc desktop customizer
    • Handling applications
    • Defining a menu structure
    • Defining application groups
    • Distribute configuration to all agent hosts
  • Enabling the custom desktops for users
  • Tips & tricks with TLDC
    • Unwanted icons on the desktop with KDE
    • File associations in KDE for applications not in the menu
    • Home icon not working in KDE

Appendixes

• Commands on the ThinLinc server
  • tl-config
    • Synopsis
    • Description
    • Options
    • Examples
  • tl-desktop-restore
    • Synopsis
    • Description
  • tl-disconnect
    • Synopsis
    • Description
  • tl-env
    • Synopsis
    • Description
    • Options
  • tl-memberof-group
    • Synopsis
    • Description
    • Exit status
    • Examples
  • tl-mount-localdrives
    • Synopsis
    • Description
    • Options
    • Notes
    • See also
  • tl-session-param
    • Synopsis
    • Description
    • Options
    • Examples
  • tl-single-app
    • Synopsis
    • Description
    • Examples
  • tl-sso-password
    • Synopsis
    • Description
    • Options
    • See also
  • tl-sso-token-passphrase
    • Synopsis
    • Description
    • Options
    • See also
  • tl-sso-update-password
    • Synopsis
    • Description
  • tl-umount-localdrives
    • Synopsis
    • Description
    • Options
    • Notes
    • See also
  • tl-while-x11
    • Synopsis
    • Description
  • tlctl
    • Synopsis
    • Description
    • Options
    • Commands
  • tlctl load
    • Synopsis
    • Description
    • Options
    • Commands
  • tlctl session
    • Synopsis
    • Description
    • Options
    • Commands
  • tl-gen-auth
    • Synopsis
    • Description
  • tl-ldap-certalias
    • Synopsis
    • Description
    • Options
  • tl-notify
    • Synopsis
    • Description
    • Options
  • tl-rsync-all
    • Synopsis
    • Description
    • Examples
    • See also
  • tl-setup
    • Synopsis
    • Description
    • Options
  • tl-show-licenses
    • Synopsis
    • Description
  • tl-ssh-all
    • Synopsis
    • Description
    • See also
  • tl-support
    • Synopsis
    • Description
    • Options
• Server configuration parameters
  • Parameters in /profiles/
  • Parameters in /tlwebadm/
  • Parameters in /sessionstart/
  • Parameters in /shadowing/
  • Parameters in /utils/
    • Parameters in /utils/tl-desktop-customizer/
    • Parameters in /utils/tl-ldap-certalias/
    • Parameters in /utils/tl-mount-localdrives/
  • Parameters in /vsm/
  • Parameters in /vsmagent/
  • Parameters in /vsmserver/
  • Parameters in /vsmserver/subclusters/
  • Parameters in /webaccess/
• Client configuration parameters
• TCP ports used by ThinLinc
  • On a machine running VSM Server
  • On a machine running VSM Agent
• Troubleshooting ThinLinc
  • General troubleshooting method
  • Troubleshooting specific problems
    • Problems where the client reports an error
    • Problems that occur after session start
• Restricting access to ThinLinc servers
  • Disabling SSH access
  • Disabling shell access
    • Changing the configured shell
    • Using ForceCommand
  • Disabling port forwarding
    • Disabling remote port forwarding
  • Disabling clipboard
  • Disabling local drives
  • Restricting write access to users’ home directories
    • Configuration
    • Security considerations and limitations
• GnuTLS priority strings
  • Standard configuration
    • Cipher suites
    • Protocols
    • Ciphers
    • MACs
    • Key Exchange Algorithms
    • Groups
    • PK-signatures
  • Available algorithms
    • Cipher suites
    • Certificate types
    • Protocols
    • Ciphers
    • MACs
    • Digests
    • Key exchange algorithms
    • Compression
    • Groups
    • Public Key Systems
    • PK-signatures
• SELinux enabled distributions