ThinLinc is designed to run with reference SELinux policy and users in the unconfined context. It is possible to use ThinLinc with other policies and more restricted contexts, but will most likely require modifications to your policy to accommodate ThinLinc.

The local system policy will optionally be modified by tl-setup during installation. The SELinux module and other policy changes performed can be examined in /opt/thinlinc/share/selinux. Execute the command /opt/thinlinc/share/selinux/install to reapply ThinLinc's policy changes.

The reference SELinux policy by default prevents the ThinLinc CGI script from initiating network connections to other servers. This will cause the Browser Clients to fail since it needs to contact the VSM Server. This restriction can be lifted by changing the "httpd_can_network_connect" setting. In graphics user interfaces this setting can also be labeled "Allow HTTPD scripts to the network".

On SUSE Linux Enterprise 10, the default AppArmor profiles prevents the nscd daemon to read from /etc/passwdaliases. This is a problem when you want to use the nss-passwdaliases NSS module. You may work around this by disabling caching of the passwd database in nscd or disabling AppArmor. To disable caching, find the following line in /etc/nscd.conf.

enable-cache passwd yes

Change it to the following.

enable-cache passwd no

The AppArmor profile for /usr/sbin/cupsd on Ubuntu 7.10 needs to be modified for the thinlocal and nearest printer backends to work properly. To work around this, add the following line after the other #include statements in /etc/apparmor.d/usr.sbin.cupsd, then restart the machine.

  #include <abstractions/python>

There is a known issue with ThinLinc and the AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.7, “ Debian 3.1 and Ubuntu ”.

To use local drive redirection, the util-linux package must be updated. Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154533.

See also Section 3.6.1, “ SELinux enabled distributions ”.

If LDAP/eDirectory is used as user/group database backend, be sure to correct the /etc/nsswitch.conf generated by Yast as detailed in Section 9.4.6, “ LDAP Query Performance Tuning ”.

SUSE Linux Enterprise Desktop 10 does not include a web server and can therefore not support the Java Browser Client.

The default configuration of the Gnome desktop in SUSE Linux Enterprise Desktop 10 uses an alternative menu called the "Application Browser". This menu doesn't work well with the ThinLinc Desktop Customizer (TLDC). Applications added to the root menu in TLDC will show up under "More Applications...", but applications added to submenus will not. If the TLDC is to be used with Gnome on SLED10, the recommended solution is to replace the "Application Browser" with a standard gnome menu, something that can be done on a system-wide basis using Gconf.

The CUPS configuration on SUSE Linux Enterprise 10 does special processing of print jobs from Mozilla based applications (e.g. Firefox) that results in CUPS being unable to convert it to PDF for ThinLinc's local printer redirection. To disable this special processing, uncomment the following line in /etc/cups/mime.convs:

#application/mozilla-ps        application/postscript  33      pswrite

The nfs-client package in SUSE Linux Enterprise Desktop 11 contains a bug which prevents local drive redirection to work. Until an updated package is available, it is possible to downgrade to the nfs-client-1.1.2 package from OpenSUSE 11.0, available from http://software.opensuse.org/search?baseproject=openSUSE%3A11.0&p=1&q=nfs-client.

The OpenSSH server required by ThinLinc is not installed on Ubuntu by default. This must be done manually, by installing the openssh-server package:

        # apt-get install openssh-server
        

The PATH is not automatically extended with /opt/thinlinc/bin for normal users and /opt/thinlinc/sbin/ for root on Debian systems. For easy ThinLinc usage, you need to fix this using some system-wide configuration file.

The nfs-common package is required for local drive access to work. Additionally, the nfs-common package in Ubuntu 8.04 is known to not work. See the bug report at https://bugs.launchpad.net/ubuntu/+bug/213444/. A patch is available from https://bugs.launchpad.net/ubuntu/+bug/213444/comments/23.

The local and nearest printer features of ThinLinc doesn't work with the default AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.2, “ AppArmor enabled distributions ” for a solution.

On the Mandriva Enterprise Server, the following packages are required for all components of ThinLinc to work properly:

A 64-bit ThinLinc installation includes compatibility libraries for running 32-bit applications. If you want to use 32-bit applications with full functionality on a 64-bit installation, you will also need to install the libglib2.0_0 package.

The default settings of the firewall disallows incoming SSH connections. Since ThinLinc uses SSH, having TCP port 22 open to your clients is a requirement for the ThinLinc servers. For a more detailed description on what ports are used in a ThinLinc system, see Appendix A, TCP Ports Used by ThinLinc .

The default settings of the OpenSSH server on Mandriva is to allow ChallengeResponseAuthentication (presented to the SSH client as keyboard-interactive) but disallow use of PAM. This is incompatible with the ThinLinc client which assumes that both keyboard-interactive and password shares the same underlying user database, and because of that aborts if keyboard-interactive fails. This can be fixed by changing the UsePAM setting from no to yes in /etc/ssh/sshd_config and restarting sshd.

Many of the third party packages that ThinLinc requires can be downloaded from http://www.sunfreeware.com. Some ThinLinc features are currently not available on Solaris. This includes:

If the installation fails with the error message "ERROR: attempt to process datastream failed", please make sure that the latest package tool patches have been installed.

On some Solaris versions, the sshd configuration does not permit TCP forwarding, which is required by ThinLinc. To resolve this, set "AllowTcpForwarding yes" in /etc/ssh/sshd_config.

The profile selection dialog requires PyGTK. The recommended installation path is to build PyGTK against the Python and GTK+ version shipped with Solaris.

It is possible to run ThinLinc in Solaris Zones. In this case, the package installation as well as tl-setup must be executed in the global zone. Then, either copy the ThinLinc configuration files to the zone, or adapt them manually. In particular, make sure to configure /vsmagent/fontpath correctly. Typically, this is done by:

svcadm enable xfs
svcadm restart xfs
/opt/thinlinc/bin/tl-config /vsmagent/fontpath=tcp/127.0.0.1:7100
/etc/init.d/vsmagent restart