3.6. Platform Specific Notes
This section describes some additional notes about installing ThinLinc on certain Linux distributions.
When running ThinLinc on an SELinux-enabled distribution, you must make sure that the active policy allows unrestricted access for all of the components of ThinLinc. For Red Hat's distributions, this is true for the "targeted" policy, but not the "strict" policy.
The web server is commonly heavily locked down on an SELinux-enabled system, which can prevent the Browser Clients from functioning correctly. There are several solutions to the problem:
Modify the file contexts using chcon. On a Red Hat distribution the required context is httpd_sys_script_exec_t:
# chcon -t httpd_sys_script_exec_t /opt/thinlinc/share/browser_client/tlclient.cgi
Unfortunately this is only a temporary solution that will have to be redone every time the system is relabeled, which happens when the SELinux policy is changed or updated.
Copy the CGI script to a directory that the policy has designated as a script directory. On Red Hat distributions this is /var/www/cgi-bin. Simply copy the file to that directory and restore its file contexts:
# cp /opt/thinlinc/share/browser_client/tlclient.cgi /var/www/cgi-bin
# restorecon /var/www/cgi-bin/tlclient.cgi
Users will now log on using the URL to that CGI script, commonly http://www.example.com/cgi-bin/tlclient.cgi.
Modify the system policy to allow the script to execute. This is only possible if you are running your own policy, and not one that is provided with the distribution.
The required policy changes are to allow execution of /opt/thinlinc/share/browser_client/tlclient.cgi by the web server and allow reading of the remaining files in /opt/thinlinc/share/browser_client. The file is a script that will be executed by python-thinlinc through /usr/bin/env. You must also allow the CGI script to contact the local VSM Server.
Remember to set the correct file contexts for your policy once the required changes are done.
The Browser Clients normally write their log file to /var/log/tlclient.cgi.log. If the SELinux policy prevents them from accessing this file, you can reconfigure them to put it in a less restricted area, like /tmp:
# tl-config /tlclient.cgi/logging/logfile=/tmp/tlclient.cgi.log
Some SELinux policies prevent the CGI script from initiating network connections to other servers. This will cause the Browser Clients to fail since they need to contact the VSM Server. Under Red Hat distributions, this restriction can be lifted without replacing the entire policy. Open the "Security Level" administration tool and enable the setting "Allow HTTPD scripts to the network".
ThinLinc has been tested with the default AppArmor profiles of SUSE Linux Enterprise Desktop 10 without trouble.
The AppArmor profile for /usr/sbin/cupsd on Ubuntu 7.10 needs to be modified for the thinlocal and nearest printer backends to work properly. To work around this, add the following line after the other #include statements in /etc/apparmor.d/usr.sbin.cupsd, then restart the machine.
#include <abstractions/python>
There is a known issue with ThinLinc and the AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.13, “Debian 3.1 and Ubuntu”.
The mount command is unable to mount NFS exports on a specific port. This makes it impossible to mount clients' local drives. A temporary workaround is to install an updated util-linux package from Fedora Core 2 or newer.
These distributions do not include the python-ldap package. You should be able to use the python-ldap in the /extras directory. Make sure you install all OpenSSL packages.
When running tl-passwd on Fedora Core, it's important that the /etc/pam.d/sshd is readable by everyone, or the tl-lsh-checkpw command will not work unless it's run by root.
On a freshly installed Fedora Core 2 system, local drives will not function. Update the installation from the Fedora Core update system, and an updated util-linux package with a working mount command will be installed.
Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140016.
On a freshly installed Fedora Core 3 system, local drives will not function. Update the installation from the Fedora Core update system, and an updated util-linux package with a working mount command will be installed.
Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140016.
The net ads join command tries to use the wrong Kerberos domain when joining Windows Active Directory. Correct this by setting your Active Directory realm as default_realm under [libdefaults] in /etc/krb5.conf.
Further details on this issue can be found at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219300.
If LDAP/eDirectory is used as user/group database backend, be sure to correct the /etc/nsswitch.conf generated by Yast as detailed in Section 9.4.6, “LDAP Query Performance Tuning”.
This distribution includes the python-ldap package. Make sure to install the package "python-xml". When using SUSE Linux 9.1 as a ThinLinc server, all clients must be 1.3.0 or newer.
The Konqueror application hangs at startup. This can be solved by setting the environment variable XMODIFIERS="". One easy way to do this is to run:
# tl-config /vsmagent/default_environment/XMODIFIERS=""
There is a problem with the keyboard-interactive authentication in the Java Browser Client. In order to enable use of the Java Browser Client against a ThinLinc server running SUSE, you need to make the server accept "password" authentication. If you want to use PAM, you must use OpenSSH 3.9 or later. Configure SSH by modifying the file /etc/ssh/sshd_config on all servers in the ThinLinc cluster. Make sure the following lines are present in the file:
PasswordAuthentication yes
UsePAM yes
You can verify that keyboard-interactive authentication works correctly by trying to log in with an OpenSSH client:
# ssh -o PreferredAuthentications=password someuser@suseserver
HA has not been tested on SUSE Linux 9.1.
SUSE Linux Enterprise Desktop 10 does not include a web server and can therefore not support the Java Browser Client.
The default configuration of the Gnome desktop in SUSE Linux Enterprise Desktop 10 uses an alternative menu called the "Application Browser". This menu doesn't work well with the ThinLinc Desktop Customizer (TLDC). Applications added to the root menu in TLDC will show up under "More Applications...", but applications added to submenus will not. If the TLDC is to be used with Gnome on SLED10, the recommended solution is to replace the "Application Browser" with a standard gnome menu, something that can be done on a system-wide basis using Gconf.
The CUPS configuration on SUSE Linux Enterprise 10 does special processing of print jobs from Mozilla based applications (e.g. Firefox) that results in CUPS being unable to convert it to PDF for ThinLinc's local printer redirection. To disable this special processing, uncomment the following line in /etc/cups/mime.convs:
#application/mozilla-ps application/postscript 33 pswrite
Webmin version 1.136 or newer is required. Also, since this is a desktop-centric distribution, several key components are missing:
python-ldap is not included. To build python-ldap the package python-devel is required, but this package is missing from the distribution. It is possible to manually download it from ftp://ftp.suse.com/pub/suse/i386/8.1/suse/i586/, though.
No web server is included. If the server should support Java Browser Clients, a web server must be installed manually.
The Webmin package shipped with ThinLinc supports neither Debian 3.1 nor any version of Ubuntu. Instead, download and install the Debian package of Webmin available from http://www.webmin.com/.
The PATH is not automatically extended with /opt/thinlinc/bin for normal users and /opt/thinlinc/sbin/ for root on Debian systems. For easy ThinLinc usage, you need to fix this using some system-wide configuration file.
The nfs-common package is required for local drive access to work. Additionally, the nfs-common package in Ubuntu 8.04 is known to not work. See the bug report at https://bugs.launchpad.net/ubuntu/+bug/213444/. A patch is available from https://bugs.launchpad.net/ubuntu/+bug/213444/comments/23.
The local and nearest printer features of ThinLinc don't work with the default AppArmor profile for CUPS on Ubuntu 7.10. See Section 3.6.2, “AppArmor enabled distributions” for a solution.
Many of the third party packages that ThinLinc requires can be downloaded from http://www.sunfreeware.com. Some ThinLinc features are currently not available on Solaris. This includes:
High Availability
Local Drive Redirection
Automatic creation of home directories using pam_mkhomedir
If the installation fails with the error message "ERROR: attempt to process datastream failed", please make sure that the latest package tool patches have been installed.
On some Solaris versions, the sshd configuration does not permit TCP forwarding, which is required by ThinLinc. To resolve this, set "AllowTcpForwarding yes" in /etc/ssh/sshd_config.
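The sshd_config requirements in these notes (PasswordAuthentication and UsePAM on SUSE, AllowTcpForwarding on Solaris) can be checked on each server in the cluster with a small script. The following is an added example, not part of ThinLinc; the function names and the sample file are constructed for illustration, and it reads only the global section of the file, where the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not ThinLinc code. Function names are hypothetical.
# sshd rules applied: keywords are case-insensitive, the first occurrence of a
# keyword wins, and lines after a "Match" line are conditional, not global.
sshd_global_value() {    # $1 = config file, $2 = keyword
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)         # separator: whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit           # end of the global section
            if (key == want) { print tolower(val); exit }
        }
    ' "$1"
}

# Print one line per keyword that is not explicitly "yes"; return 1 if any.
# An unset keyword is reported rather than assumed, since defaults vary.
thinlinc_sshd_check() {  # $1 = config file, rest = keywords
    conf=$1; shift
    rc=0
    for kw in "$@"; do
        val=$(sshd_global_value "$conf" "$kw")
        if [ "$val" != "yes" ]; then
            echo "$conf: $kw is '${val:-unset}', expected 'yes'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: PasswordAuthentication appears twice (the first line
# wins) and the forwarding line sits in a Match block, so it is not global.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sshd_config for illustration
passwordauthentication no
PasswordAuthentication yes
UsePAM=yes
Match User backup
    AllowTcpForwarding yes
EOF
thinlinc_sshd_check "$SAMPLE" PasswordAuthentication UsePAM AllowTcpForwarding || true
```

On the constructed sample this reports PasswordAuthentication as 'no' and AllowTcpForwarding as 'unset'. On a live server, point the function at /etc/ssh/sshd_config; where the installed OpenSSH supports it, `sshd -T` prints the effective configuration including defaults.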