
Chapter 13.  Commands on the ThinLinc Server

In this chapter, we will describe the commands shipped as part of the ThinLinc server that are meant for the common user.

Commands in /opt/thinlinc/bin

tl-best-winserver server [server...]

The tl-best-winserver command asks the Windows Terminal Servers listed on its command line for their respective load status. It then prints the name of the least loaded terminal server on standard output, and exits. If the file .thinlinc/last-winserver exists in the user's home directory, the server listed there will be checked for sessions owned by the user. If such a session exists, tl-best-winserver will print the name of that terminal server regardless of its load, since the user should get his/her old session when logging in again. The information that this script prints out is used by tl-run-rdesktop when it chooses which Windows Terminal Server to connect to.

tl-session-param [options] parameter

The tl-session-param command is used to access the session information managed by the VSM server. This includes information sent by the client, such as whether the client has exported any local drives, or what language is set on the client side. This command is used by, for example, tl-set-clientlang.sh, documented later in this chapter.

tl-clean-sessiondirs

The tl-clean-sessiondirs command is used to prune old data from the directories in /var/opt/thinlinc/session/. By default, it is configured to be run at session termination, by a symlink in /opt/thinlinc/etc/xlogout.d. For further information, see Section 14.3.9, “Pruning data in /var/opt/thinlinc/sessions/”.

tl-clipboard-helper

The tl-clipboard-helper should be running as a background process, to support clipboard transfer to and from the ThinLinc client.

tl-config options

The tl-config command is used to access configuration parameters used by the ThinLinc system. It is also used to set parameters from scripts, and can be used instead of an editor when some parameter needs to be changed. tl-config uses hivetool, part of the Hiveconf system. See Chapter 15, Hiveconf for more information about Hiveconf.

tl-desktop-restore

When a user's Gnome or KDE desktop needs to be reset to default, the command tl-desktop-restore can be run. This will move the settings directories for KDE and Gnome to a backup directory named .old-thinlinc-desktop in the user's home directory, which will make both Gnome and KDE revert to the default settings.

tl-idmap-tool

This tool is used to verify that an LDAP-based idmap is correctly configured in clusters authenticating to Active Directory. See Section 9.3.5, “Cluster Configuration” for more information.

tl-limit-printers

This command is run by VSM Server at session startup and reconnect if the Printer Access Control feature of ThinLinc is activated. See Section 5.5, “Printer Access Control” for details.

tl-mount-cifs

This command is used to mount CIFS/SMB network file systems at login-time. See Section 10.1, “Accessing Windows File Servers” for documentation on this subject.

tl-memberof-group groupname

This command can be used to determine if the current user is a member of the specified group. It returns true (0) if the user is a member, false (1) if the user is not a member and false (2) if the specified group does not exist.

tl-nds-memberof-container LDAP container

This command can be used to determine if a user is a member of a specific LDAP/eDirectory container, in eDirectory known as ou. It returns true (0) if the LDAP object corresponding to the current user resides under the container specified as parameter and false (1) if not.

This command connects to the LDAP/eDirectory server using the parameters specified in /etc/ldap.conf.

tl-passwd

This command is used to let the user change their password, both in the underlying authentication mechanism and in the ThinLinc Single Sign-On mechanism.

In order for this to work, any user must be able to read the file /etc/pam.d/sshd (or, more correctly, the file that the symbolic link /etc/pam.d/thinlinc points at). On, for example, Fedora Core 2, the /etc/pam.d/sshd file is readable only by root. If tl-passwd is to be used, this must be fixed.

Also, in the case where the underlying authentication mechanism is LDAP or eDirectory, make sure that the parameter pam_password in /etc/ldap.conf is set to a value that is appropriate for your environment. If you're authenticating against eDirectory servers, it must be set to nds. See the comments in ldap.conf for more information.

tl-rsync-all

This command is used to synchronize files and directories in a ThinLinc cluster. It runs the rsync command over SSH against all terminal servers in the cluster. When using this command, it's convenient if password-less SSH login between the servers in the cluster has been set up.

See also tl-ssh-all below for some tips regarding password-less running of ssh.

tl-run-rdesktop [options]

The tl-run-rdesktop program is a wrapper around the rdesktop program. It extends the functionality of rdesktop by connecting to one of the Windows Terminal Servers specified by the system administrator in /appservergroups/rdp/<group>/servers. If the user has a pre-existing session on one of the servers in the list, the session is reconnected. If not, the server with the least load is selected. The command creates the connection with the correct domain and keyboard layout. For more information, see Section 14.1.4, “Parameters in /appservergroups/”. Multiple groups of Windows Terminal Servers can be specified. This makes it possible to direct different groups of users to different Terminal Servers in an easy way. In the parameters specified above, exchange <group> for the group you have specified in Hiveconf, and tell tl-run-rdesktop which group to use by using the -G command line option. If no group is selected, the group named default is used.

tl-run-unixapp [arguments]

This command uses single sign-on to log in to a UNIX server defined in /appservergroups/x11/<group>/servers, executing either a shell or the commands specified. It also sets up X11 over SSH if defined in /appservergroups/x11/<group>/use_ssh_encryption. Just as with tl-run-rdesktop, tl-run-unixapp supports application server groups, which means multiple groups of Unix servers can be specified. The application server group to be used is chosen by using the -G command line option to tl-run-unixapp. If no group is selected, the group named default is used.

Best Practice

If the host key of the server tl-run-unixapp is configured to connect to is not known, a window will be shown where the user is asked if the host key should be trusted. If this question is confusing your users, add the host keys of the servers to /etc/ssh/ssh_known_hosts. That will make SSH recognize the host, removing the question for the users. It will also increase security, since the host key is then checked by personnel that have the ability to actually verify the key.
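
One way to apply this practice, as an added example that is not part of the ThinLinc distribution: append a host key to /etc/ssh/ssh_known_hosts only when its fingerprint matches the value an administrator has verified on the server itself. The function names, the candidate-file argument and the sample host name are assumptions.

```shell
#!/bin/sh
# Added example (not ThinLinc code): append a host key to the system-wide
# known_hosts file only if its fingerprint matches one verified out of band.
# Function and argument names are hypothetical.

# Print the SHA256 fingerprint of the first key in a known_hosts-format file.
hostkey_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# usage: add_verified_hostkey CANDIDATE_FILE VERIFIED_FINGERPRINT [KNOWN_HOSTS]
# CANDIDATE_FILE holds one line such as "appserver1.example.com ssh-ed25519 AAAA..."
add_verified_hostkey() {
    candidate=$1
    verified=$2
    known_hosts=${3:-/etc/ssh/ssh_known_hosts}

    actual=$(hostkey_fingerprint "$candidate")
    if [ -z "$actual" ] || [ "$actual" != "$verified" ]; then
        echo "refusing key: fingerprint '$actual' does not match '$verified'" >&2
        return 1
    fi
    line=$(head -n 1 "$candidate")
    # Skip keys that are already present so repeated runs stay idempotent.
    if [ -f "$known_hosts" ] && grep -qxF -- "$line" "$known_hosts"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$known_hosts"
    chmod 644 "$known_hosts"
}

if [ "$#" -ge 2 ]; then
    add_verified_hostkey "$@"
fi
```

The verified fingerprint should come from the server's console or its provisioning records, not from the same network path the candidate key was fetched over.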

tl-run-winapp [-D] [-T title] [arguments] windows-app [application arguments]

This is a wrapper around tl-run-rdesktop that executes a single command on the Windows Terminal Server with most system resources left.

tl-run-winapp takes many different arguments, but the most common ones are -D, which hides the window manager decorations, and -T title, which sets the title of the window to the string in question.

Example

tl-run-winapp -D -T Excel excel.exe

tl-run-winapp-seamless [arguments] windows-app [application arguments]

This command resembles tl-run-winapp except that the application is executed in SeamlessRDP mode. This allows for full integration with the desktop. For more information, see Section 11.2.4, “Running a WTS application in SeamlessRDP Mode”.

tl-run-winapp-seamless takes the same arguments as rdesktop, except for the -G parameter.

Example

tl-run-winapp-seamless c:\program\mozilla.org\mozilla\mozilla.exe http://www.cendio.com

tl-run-windesk

This is a wrapper for tl-run-rdesktop that starts a full screen session against the best Windows Terminal Server available.

tl-run-xstartup.d

This command is run by the session startup file (~/.thinlinc/xstartup) in its default form to execute all start scripts in the directory /opt/thinlinc/etc/xstartup.d/. Files with the suffix .sh will be sourced. All other files will be executed.

tl-select-profile

This command is run by the session setup file (/opt/thinlinc/etc/xstartup.default or ~/.thinlinc/xstartup) and provides a menu where the user can choose what kind of session to run. See Section 14.3, “Customizing the User's Session” for more information.

tl-set-clientlang.sh

By creating a symlink from /opt/thinlinc/etc/xstartup.d to this command, the user's LANG environment will be set to the language environment reported by the client.

Note

In order for this to work, the client must be of version 1.4 or newer.

tl-shadow-notify.sh

This command starts the tl-shadow-notify command for the lifetime of the session. This will enable notifications when the session is shadowed.

tl-ssh-all

This command is used to perform shell commands on all slaves in a ThinLinc cluster. It works by running the ssh command against all terminal servers in the cluster. When using this command, it's convenient if password-less SSH login between the servers in the cluster has been set up.

Best Practice

An alternative approach to using password-less login is to use the SSH agent to cache the passphrase of an SSH key pair. This increases security, since a malicious party that gains access to the server which is configured to log in to the other servers with an SSH key pair does not automatically get access to the rest of the servers; the passphrase is also needed.

First, set up the SSH key pair as described below:

#
# First time / One time procedure
#
# Generate a private and public key pair for SSH with ssh-keygen.
# When prompted, pick a secret passphrase for the key pair.
# (DSA keys are disabled by default since OpenSSH 7.0, so an Ed25519
# key is generated here.)
#
ssh-keygen -t ed25519

# Copy the public key to SSH authorized_keys
# (this replaces any existing authorized_keys file)
cp /root/.ssh/id_ed25519.pub /root/.ssh/authorized_keys

# Make sure the authorized key has the right permissions
chmod 600 /root/.ssh/authorized_keys

# Copy the authorized key to all ThinLinc agents
tl-rsync-all /root/.ssh/authorized_keys

Next, before using tl-ssh-all, do as follows:

eval `ssh-agent`
ssh-add

# Run your commands
tl-ssh-all rpm -Uvh /root/kdelibs-3.5.1-1.fc4.i386.rpm
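
The procedure above as a wrapper, added here as an example and not shipped with ThinLinc: it refuses a key that has no passphrase or is accessible to other users, loads the key into an agent with a limited lifetime, and stops the agent afterwards. KEY, LIFETIME and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not ThinLinc code): run tl-ssh-all with a passphrase-protected
# key held in a short-lived ssh-agent. KEY, LIFETIME and the function names
# are hypothetical.

KEY=${KEY:-/root/.ssh/id_ed25519}
LIFETIME=${LIFETIME:-600}   # seconds the agent keeps the decrypted key

# Succeeds only if the private key cannot be read with an empty passphrase.
key_has_passphrase() {
    [ -r "$1" ] || return 2
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeeds only if group and others have no access (mode 600, 400, ...).
owner_only() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

run_on_cluster() {
    key_has_passphrase "$KEY" || { echo "$KEY: unreadable or no passphrase" >&2; return 1; }
    owner_only "$KEY" || { echo "$KEY: accessible to other users" >&2; return 1; }

    eval "$(ssh-agent -s)" >/dev/null || return 1
    status=1
    # ssh-add prompts for the passphrase; -t expires the key after LIFETIME seconds.
    if ssh-add -t "$LIFETIME" "$KEY"; then
        status=0
        tl-ssh-all "$@" || status=$?
    fi
    # Stop the agent so no unlocked key is left behind on this server.
    eval "$(ssh-agent -k)" >/dev/null
    return "$status"
}

if [ "$#" -gt 0 ]; then
    run_on_cluster "$@"
fi
```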

tl-sso-update-password

This command requests a password from the user, to be used with the Single Sign-On mechanism of ThinLinc. It is useful when the password is not already available, for example, when using One Time Passwords. See Section 9.8.4, “Configuration for RSA SecurID” for more information.

tl-support [-p listen-port] [-u user] [host]

The tl-support command can be used to enable a support technician to log in to your ThinLinc server, even though the server is behind a firewall that doesn't allow connections to the SSH port. This is accomplished by opening an SSH connection from the server to an external server on the internet, at the same time setting up a tunnel from the remote host to the local host's SSH port. The default server to connect to is support.thinlinc.com with the default username "support". This command should only be used after contacting your ThinLinc support technician.

tl-umount-all-cifs

This command is used to unmount CIFS/SMB network file systems at logout-time. See Section 10.1, “Accessing Windows File Servers” for documentation on this subject.

tl-wfica [options] [Connection File]

This command is a front-end for the Citrix ICA client (wfica), which provides Single Sign-On for ICA sessions in a secure fashion. This command does not modify any ICA Client configuration files. The ThinLinc Single Sign-On password is only used for connections which lack a manually configured password. The arguments are the same as for wfica. For more information, consult the Citrix ICA Client documentation.

tl-wfcmgr [options] [Connection File]

This command is a front-end for the Citrix ICA client GUI (wfcmgr), which provides Single Sign-On for ICA sessions in a secure fashion. Single Sign-On is provided both for the "Connection" and "PNAgent" view, through modifications to ~/.ICAClient/appsrv.ini and ~/.ICAClient/reg.ini. Only connections which lack a manually configured password are modified. Single Sign-On for the "PNAgent" view requires that the Citrix server allows the user to save passwords.

Warning

When using tl-wfcmgr, the ThinLinc Single Sign-On password is permanently stored in ~/.ICAClient/appsrv.ini and ~/.ICAClient/reg.ini.

The arguments are the same as for wfcmgr. For more information, consult the Citrix ICA Client documentation.

tl-disconnect

This command is used to disconnect from the current session. This can be used to provide an alternative to the F8 key, such as a disconnect button on the Gnome panel.

tl-sso-password [--check]

This command can be used to hook up the Single Sign-on mechanism of ThinLinc with new applications. It can be used to test for the presence of a valid password and to feed that password out on standard output to another application.

To check for the existence of a valid password, invoke the command as tl-sso-password --check. A return code of zero indicates a valid password.

There are two basic models to connect tl-sso-password to an application. The first is to use shell pipes:

# tl-sso-password | /usr/bin/application --read-password-on-stdin

The second is to have the application invoke tl-sso-password as needed:

# /usr/bin/application --password-prog tl-sso-password

tl-sso-token-passphrase [--check]

This command is identical to tl-sso-password, except that it uses the smart card token passphrase (PIN) instead of the user's password. For usage, see

.

Commands in /opt/thinlinc/libexec

tl-crossover-drives

CodeWeavers CrossOver allows you to configure the mapping between Windows drive letters and paths in the Linux file system. This can be done globally by adding symbolic links to the directory /opt/cxoffice/support/BOTTLENAME/dosdevices. However, this does not work if drive letters should correspond to different paths for different users. In this case, a bottle hook script is required. tl-crossover-drives is such a script that automatically maps "personal" mounts to separate drive letters in CrossOver. This includes all mounts mounted on subdirectories in the user's home directory. Normally, the first character of the directory name determines the drive letter. As a special case, a mount on a directory called floppy will be mapped to drive a:. To activate this command for all bottles, execute:

# mkdir /opt/cxoffice/support/scripts.d
# ln -s /opt/thinlinc/libexec/tl-crossover-drives \
 /opt/cxoffice/support/scripts.d/02.tl-crossover-drives