This section describes some additional notes about installing ThinLinc on certain Linux distributions.
When running ThinLinc on a SELinux enabled distribution, you must make sure that the active policy allows unrestricted access for all of the components of ThinLinc. For Red Hat's distributions, this is true for the "targeted" policy, but not the "strict" policy.
The web server is commonly heavily locked down on a SELinux enabled system, which can prevent the Browser Clients from functioning correctly. There are several solutions to the problem:
Modify the file contexts using chcon. On a Red Hat distribution the required context is httpd_sys_script_exec_t :
# chcon -t httpd_sys_script_exec_t /opt/thinlinc/share/browser_client/tlclient.cgi
Unfortunately this is only a temporary solution that will have to be redone every time the system is relabeled, which happens when the SELinux policy is changed or updated.
Copy the CGI script to a directory that the policy has designated as a script directory. On Red Hat distributions this is /var/www/cgi-bin. Simply copy the file to that directory and restore its file contexts:
# cp /opt/thinlinc/share/browser_client/tlclient.cgi /var/www/cgi-bin # restorecon /var/www/cgi-bin/tlclient.cgi
Users will now log on using the URL to that CGI script, commonly http://www.example.com/cgi-bin/tlclient.cgi.
Modify the system policy to allow the script to execute. This is only possible if you are running your own policy, and not one that is provided with the distribution.
The required policy changes are to allow execution of /opt/thinlinc/share/browser_client/tlclient.cgi by the web server and allow reading of the remaining files in /opt/thinlinc/share/browser_client. The file is a script that will be executed by python-thinlinc through /usr/bin/env. You must also allow the CGI script to contact the local VSM Server.
Remember to set the correct file contexts for your policy once the required changes are done.
The Browser Clients normally writes its log file to /var/log/tlclient.cgi.log. If the SELinux policy prevents it from accessing this file, then you can reconfigure it to put it in a less restricted area, like /tmp:
# tl-config /tlclient.cgi/logging/logfile=/tmp/tlclient.cgi.log
Some SELinux policies prevent the CGI script from initiating network connections to other servers. This will cause the Browser Clients to fail since it needs to contact the VSM Server. Under Red Hat distributions, this restriction can be lifted without replacing the entire policy. Open the "Security Level" administration tool and enable the setting "Allow HTTPD scripts to the network".
On SUSE Linux Enterprise 10, the default AppArmor profiles prevents the nscd daemon to read from /etc/passwdaliases. This is a problem when you want to use the nss-passwdaliases NSS module. You may work around this by disabling caching of the passwd database in nscd or disabling AppArmor. To disable caching, find the following line in /etc/nscd.conf.
enable-cache passwd yes
Change it to the following.
enable-cache passwd no
This workaround will put additional load on your user database servers, since caching is disabled.
The AppArmor profile for /usr/sbin/cupsd on Ubuntu 7.10 needs to be modified for the thinlocal and nearest printer backends to work properly. To work around this, add the following line after the other #include statements in /etc/apparmor.d/usr.sbin.cupsd, then restart the machine.
#include <abstractions/python>
There is a known issue with ThinLinc and the AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.9, “ Debian 3.1 and Ubuntu ”.
A 32-bit runtime environment is required. On Red Hat and Fedora system, it can be installed with:
# yum install redhat-lsb.i386
On Debian and Ubuntu based systems, install the ia32-libs package:
# apt-get install ia32-libs
When using 32-bit applications that communicates with a smart card, such as the ThinLinc client, pcsc-lite version 1.4.99 or newer is required.
To use local drive redirection, the util-linux package must be updated. Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154533.
The net ads join command tries to use the wrong Kerberos domain when joining Windows Active Directory. Correct this by setting your Active Directory realm as default_realm under [libdefaults] in /etc/krb5.conf.
Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219300.
If LDAP/eDirectory is used as user/group database backend, be sure to correct the /etc/nsswitch.conf generated by Yast as detailed in Section 9.4.6, “ LDAP Query Performance Tuning ”.
SUSE Linux Enterprise Desktop 10 does not include a web server and can therefore not support the Java Browser Client.
The default configuration of the Gnome desktop in SUSE Linux Enterprise Desktop 10 uses an alternative menu called the "Application Browser". This menu doesn't work well with the ThinLinc Desktop Customizer (TLDC). Applications added to the root menu in TLDC will show up under "More Applications...", but applications added to submenus will not. If the TLDC is to be used with Gnome on SLED10, the recommended solution is to replace the "Application Browser" with a standard gnome menu, something that can be done on a system-wide basis using Gconf.
The CUPS configuration on SUSE Linux Enterprise 10 does special processing of print jobs from Mozilla based applications (e.g. Firefox) that results in CUPS being unable to convert it to PDF for ThinLinc's local printer redirection. To disable this special processing, uncomment the following line in /etc/cups/mime.convs:
#application/mozilla-ps application/postscript 33 pswrite
The nfs-client package in SUSE Linux Enterprise Desktop 11 contains a bug which prevents local drive redirection to work. Until an updated package is available, it is possible to downgrade to the nfs-client-1.1.2 package from OpenSUSE 11.0, available from http://software.opensuse.org/search?baseproject=openSUSE%3A11.0&p=1&q=nfs-client.
The Webmin package shipped with ThinLinc doesn't support neither Debian 3.1 nor any version of Ubuntu. Instead, download and install the Debian package of Webmin available from http://www.webmin.com/.
The PATH is not automatically extended with /opt/thinlinc/bin for normal users and /opt/thinlinc/sbin/ for root on Debian systems. For easy ThinLinc usage, you need to fix this using some system-wide configuration file.
The nfs-common package is required for local drive access to work. Additionally, the nfs-common package in Ubuntu 8.04 is known to not work. See the bug report at https://bugs.launchpad.net/ubuntu/+bug/213444/. A patch is available from https://bugs.launchpad.net/ubuntu/+bug/213444/comments/23.
The local and nearest printer features of ThinLinc doesn't work with the default AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.2, “ AppArmor enabled distributions ” for a solution.
Many of the third party packages that ThinLinc requires can be downloaded from http://www.sunfreeware.com. Some ThinLinc features are currently not available on Solaris. This includes:
High Availability
Local Drive Redirection
Automatic creation of home directories using pam_mkhomedir
If the installation fails with the error message "ERROR: attempt to process datastream failed", please make sure that the latest package tool patches have been installed.
On some Solaris versions, the sshd configuration does not permit TCP forwarding, which is required by ThinLinc. To resolve this, set "AllowTcpForwarding yes" in /etc/ssh/sshd_config.
The profile selection dialog requires PyGTK. The recommended installation path is to build PyGTK against the Python and GTK+ version shipped with Solaris.