Setting up an Ubuntu Thin Client Server
With austerity being the watchword of our times being able to get as much out of that IT hardware you have is as important as ever, more so when the industry is in shift at an OS level and maybe the hardware you have isn’t quite up to the task of Windows 8?
I have put this post together for a personal reference, it it helps someone else then that’s a good thing.
Thin Client computing is a good example of how the IT world goes round in a circle, 30 or so years ago computers were huge beasts filling rooms the size of offices. To attach to them you had a termina, that terminal had no hard disk and everything you did was done directly on the “mainframe” While examples of this style of computing never died they were quickly outpaced by the computers we know today where the processing and computing is done at your desk and the files then saved to a server. (The client server model).
However as networks have become spedier, and servers more powerful the recycling of that old Idea has gone full circle and in this article i’m going to show you how to install an Ubuntu LTSP server which will deliver a complete Ubuntu desktop to a machine with no hard disk over your network. And if you are doing this in an office with an existing AD Infrastructure make use of this so users can use their AD login credentials to access the OS.
LTSP
The Linux Terminal Server Project is not new and has been around for a very long time which has a few key things which are a positive to anyone who wants to implement it. There is a lost of support available online for the projects assisting in many areas which the project developers may not have envisaged the project going. It is well supported and still very much in development and important factor for any technology which you may be looking to integrate into a commercial or educational infrastructure. It has also been integrated into many popular distributions which again provides good backing and help when needed.
Originally, LTSP was a stand-alone package. LTSP had to be installed on top of the Linux distribution you were using, and then configured. As time progressed major Open Source Linux distributions like Ubuntu (Canonical Ltd.), Fedora (Red Hat Inc.), OpenSuSE (Novell), and more began integrating LTSP directly into their distribution releases. At present, LTSP can be installed automatically using the Linux distributions mentioned above. LTSP’s current version is: 5. LTSP 5 addresses many key issues regarding network bandwidth with the implementation of Local Applications. LTSP 5 greatly improves multimedia, and network intensive applications on LTSP Thin Clients.
Installing LTSP
Starting with the Hardy Heron (8.04) release the LTSP installer functionality was moved to the Ubuntu alternate CD. All future releases follow this format.
Using 12.04 provides you with a stable 4 year supported version of Ubuntu.
Get the Precise Pangolin alternate CD iso from http://releases.ubuntu.com/releases/12.04.
The installer will set up an out of the box working LTSP install for you if your server has two network cards built in.
If that is not the case it will tell you what to modify to run with a single network card.
Once you boot up the CD, hit F4. The “Modes” menu will pop up. Select “Install an LTSP Server”. Now just move on with the install.
Towards the end of the install the installer will start to build the client environment from the packages on the CD. When it gets to the 50% mark it might look like it has hung, it’s not it will just take a while to do the last stage.
Which then will be compressed into an image…
If the installer is done and has rebooted into your new system you will be able to boot your first Thin Client right away. However it’s useful to know what is happening under the hood and you may want to do some changes.
1. Change your available network adaptor IP to a fixed entry.
- Most local network already use the 192.168.0.xx range of IP addresses, but the default install of LTSP relies on this range being available. In this tutorial we will set up the LTSP network on the 192.168.1.xx range.
- You also need a separate network adaptor with internet access during the install process.
- The LTSP server install wants to install it’s own DHCP server, so if you have a router with it’s own DHCP server it could cause conflicts if in the same network IP range.
- So what to do is change your unused LAN port’s IP address to a fixed IP in another IP range. For example my setup has a router with a DHCP server running on 192.168.0.1, and provides the Internet access on the system. I changed my other LAN adaptor’s IP to 192.168.1.1 , this will be used for the LTSP network.
- NOTE: For some reason the DHCP server does not want to start correctly on system startup if the network adaptor’s IP is not set in the network interfaces config file. (see 1d. below)
1a. Go to Network Connections and select the LAN network adaptor you intend to use for your thin client network and click edit.
1b. Change your adaptor to use Manual IP and set a new fixed IP for the adaptor and save.
This will be your LTSP server IP.
1c. Set the fixed IP for the network adaptor the classic way to ensure the DHCP server starts correctly.
- Add the information for your network adaptor that you selected in 1c. as shown below.
- We added eth0 with a static IP of 192.168.1.1
- Open the Terminal Window and enter :
sudo gedit /etc/network/interfaces
1d. Change the Network Manager config file to allow control of your network adaptor with fixed IP.
- For some mysterious reason if you enter the IP manually in the interfaces file, Network Manager ignores them and you cannot use the Network Manager to control the adaptor any more. So we have to enable it.
- Change the “managed=false” to “managed=true” as seen below.
- Open the Terminal Window and enter :
sudo gedit /etc/NetworkManager/NetworkManager.conf
2. Install the LTSP server.
If you have followed the instructions above you can skip this and head to step 3. If you’ve got a dual nic stock Ubuntu Desktop or Server install you can install LTSP as a package.
- Open the Terminal Window and enter :
sudo apt-get install ltsp-server-standalone openssh-server
3. Edit the DHCP configuration for your LTSP server to match your chosen IP range.
- In this case 192.168.0.xx changes to 192.168.1.xx.
- Open the Terminal Window and enter :
sudo gedit /etc/ltsp/dhcpd.conf
4. Select the network interface/s for the DHCP server
- Add the network devices you would like the DHCP server to run on. In this case we changed the value of INTERFACES to include eth0
- Open the Terminal Window and enter :
sudo gedit /etc/default/isc-dhcp-server
5. Restart the DHCP server
- Open the Terminal Window and enter :
sudo /etc/init.d/isc-dhcp-server restart
Tip: previous ubuntu versions need to use : sudo /etc/init.d/dhcp3-server restart
6a. Optional step to configure a Fat Client not a Thin Client before build
- This step is only needed if you intend to use your LTSP server for Fat clients, rather than Thin clients or both. For more information between the differences between Thin and Fat clients and configuration see UbuntuLTSPFatClients
- This step edits the LTSP build client configuration file to install Ubuntu desktop and create LTSP Fat client image.
- NOTE: only software installed in the Fat client image will be available to the client, and internet access for each client needs to be configured as the clients will not share the server network connection to the internet as is the case with the thin clients.
- Open the Terminal Window and enter :
sudo gedit /etc/ltsp/ltsp-build-client.conf
- Here you can customize your installation image for Fat clients.
- We will only install the standard Ubuntu Desktop system to run on the client side for now. We can install more software to the image later, this is to get a basic Fat client image built.
- Add the following to the file and save.
# ltsp-build-client.conf - many other options available # The chroot architecture. ARCH=i386 # ubuntu-desktop and edubuntu-desktop are tested. # Ubuntu 12.04 LTS working perfectly with Unity and Unity 2D. FAT_CLIENT_DESKTOPS="ubuntu-desktop"
6b. Optional step to disable NBD compression
- NDB compression is enabled by default in Ubuntu 12.04 to speed up client disk access and boot times, but takes a much longer to generate a compressed image file. During development work is might be easier to disable this feature and re-enable it when the setup of the client image is complete.
- Open the Terminal Window and enter :
sudo gedit /etc/ltsp/ltsp-update-image.conf
- Add NO_COMP=”-noF -noD -noI -no-exports” line to disable compression. Enable the compressing by adding the # symbol, or delete the line completely
- Make sure the file now looks like this example below and save.
# Configuration file for ltsp-update-image # Do not compress the client image. Comment out the line below to enable again. NO_COMP="-noF -noD -noI -no-exports"
6c. Build the i386 (32bit) LTSP Thin/Fat Client
- This step builds the 32bit Thin Client Ubuntu 11.04 image needed to boot the thin clients on the network.
- This step downloads and installs all the 32bit Ubuntu client elements. Could take a while.
- Open the Terminal Window and enter :
sudo ltsp-build-client --arch i386
Tip: to set up 64bit thin clients leave out the ‘–arch i386′ part and enter: sudo ltsp-build-client
7. Reboot your new LTSP server to complete LTSP server install
- At this point your Ubuntu LTSP server should be up and running.
- You should be able to boot a Thin Client via the network.
- You could also set up a Virtual Machine to act as a thin client for testing your server. See: How to create a VirtualBox Ubuntu LTSP Thin Client.
Tip: After reboot make sure that the DHCP is running correctly. Open a Terminal Window and enter:
sudo /etc/init.d/isc-dhcp-server status
Tip: If after this point you change your IP address on the LTSP server you need to enter the following :
sudo ltsp-update-sshkeys
sudo ltsp-update-image --arch i386
8. Set up Thin Client Admin user
- Replace the adminname with your admin user name.
sudo -s -H chroot /opt/ltsp/i386 useradd -m adminname -G sudo passwd adminname exit exit
- Lock the admin account’s password
sudo chroot /opt/ltsp/i386 passwd -l adminname
- Update the client image
sudo ltsp-update-image --arch i386
If you are wanting to like the Thin Client login to your existing AD infrastructure then you may not want to setup these local user accounts. I have included instructions on how to do this at the end as a section 11
9. Set up a Thin Client User Account
9a. Open Users and Groups
- Make sure you have gnome system tools installed as this has been removed in Ubuntu 12.04.
sudo apt-get install gnome-system-tools
- In Ubuntu 12.04 search for Users and Groups under applications after installation.
9b. Click Add to add new user account
9c. Add new username details
9d. Add new user password
9e. Change User Advanced Settings -> User Privileges
10. Boot your Thin Client from the Ubuntu LTSP server
- Connect your Thin Client computer or Virtual Machine to your LTSP network Switch/Hub.
- Alter the Thin Client Machine BIOS Boot settings to boot from LAN / Network / Pxe.
- Boot the machine.
- If all is set up correctly you should see the following Ubuntu LDM login screen on your Thin Client.
- You will be able to login with your newly created Thin Client username and password.
11. Active Directory Login
Assumptions
It is assumed that you have a Windows 2008 Active Directory Domain setup and working properly along with a DHCP server. Your domain controller can be your DHCP server or you can setup a different box to distribute the DHCP leases. If your domain controller or DHCP server are not setup, please set these up first. It is also assumed that the reader has some basic Linux experience. You will need to know how to move around in the Linux terminal, install applications, and edit files using vi or nano.
Network Layout
For the purpose of this tutorial, this is the layout of the domain.internal network on the 10.0.0.0/24 subnet.
dc.domain.internal
Windows 2008 Server running Active Directory and DNS
server.domain.internal
Windows 2003 Server hosting user home directories and file shares
thinserver.domain.internal
Ubuntu 12.04 server with LTSPv5
dhcp.domain.internal
Add thinserver to the Windows Domain
Before we add thinserver to the domain, we’re going to have to install Samba along with some other packages.
sudo apt-get install samba smbclient winbind libpam-cracklib krb5-user
Make sure that thinserver is named correctly.
hostname
If the hostname command doesn’t return thinserver.domain.internal, rename it to thinserver.domain.internal.
hostname thinserver.domain.internal
Edit the /etc/resolv.conf to use dc.domain.internal as the primary DNS server.
search domain.internal
nameserver 10.0.0.10
On your domain controller create a host (A) record in your DNS for thinserver.
Verify that thinserver can resolve domain.internal:
nslookup domain.internal
The results should look something like this:
test@thinserver:~$ nslookup domain.internal
Server: 10.0.0.10
Address: 10.0.0.10Name: domain.internal
Address: 10.0.0.10
Make sure that Samba and Winbind are not running:
/etc/init.d/smbd stop /etc/init.d/winbind stop
Just to be safe lets backup the smb.conf, krb5.conf, and PAM common files. I like to append the date when I make a backup of a file so that I know when the changes were made.
d=`date "+%m%d%y"`
cp /etc/samba/smb.conf{,.$d}
cp /etc/krb5.conf{,.$d}
mkdir /etc/pam.d/backup
cd /etc/pam.d/
for file in `ls`;do cp $file{,.$d}; done
mv *.$d backup/
Edit the /etc/krb5.conf file to look like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.INTERNAL
default_keytab_name = FILE:/etc/krb5.keytab
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt_entypes = rc4-hmac des-cbc-md5
permitted_entypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.INTERNAL = {
kdc = DC.DOMAIN.INTERNAL:88
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
domain.internal = DOMAIN.INTERNAL
.domain.internal = DOMAIN.INTERNAL
[appdefaults]
forwardable = true
pam = {
minimum_uid = 16777216
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
krb4_convert = false
DOMAIN.INTERNAL = {
ignore_k5login = true
}
}
Edit the /etc/samba/smb.conf file to look like this:
[global] workgroup = DOMAIN password server = * realm = DOMAIN.INTERNAL local master = no security = ads idmap backend = tdb idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 16777216-33554431 idmap cache time = 60 template homedir = /home/%u template shell = /bin/bash kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind separator = + winbind use default domain = yes winbind refresh tickets = true winbind cache time = 10 winbind offline logon = true winbind enum users = Yes winbind enum groups = Yes passdb backend = tdbsam server string = Samba Server Version %v log file = /var/log/samba/%m.log max log size = 50
Moving forward it’s advisable to have a second root terminal open just in case something doesn’t work as expected. Happens to the best of us 
)
I would recommend creating a “linux_admins” group in Active Directory and adding it to the /etc/sudoers file. An alternative is to add the “domain admins” group and to login using the administrator account.
# Members of the admin group may gain root privileges %admin ALL=(ALL) ALL %linux_admins ALL=(ALL) ALL
Edit the PAM common file /etc/pam.d/common-account:
account sufficient pam_winbind.so use_first_pass cached_login account required pam_unix.so broken_shadow
Edit the PAM common file /etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so
Edit the PAM common file /etc/pam.d/common-password:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so
Edit the PAM common file /etc/pam.d/common-session:
session required pam_env.so session required pam_unix.so session required pam_winbind.so use_first_pass session required pam_limits.so session required pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
Edit the PAM common file /etc/pam.d/common-session-noninteractive:
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_winbind.so cached_login session required pam_unix.so
Make sure that /etc/nsswitch.conf has the winbind entries for login.
passwd: compat winbind group: compat winbind shadow: compat
Now we’re ready to add thinserver to the Windows Domain.
kinit administrator@DOMAIN.INTERNAL net ads join -U administrator net ads keytab create -U administrator /etc/init.d/smbd start /etc/init.d/winbind start
Verify that you are on the domain and that you can see all the users and groups in the domain.
wbinfo -u wbinfo -g getent passwd
You should now be able to log onto the server with your domain username and password. Verify that you’re getting a Kerberos ticket.
klist
Reboot the Network Workstation and you will be provided with the login prompt, this time instead of using the local Ubuntu users you should be able to login using an AD login
12. Configuring FAT Clients
1. Disable root login on fat clients.
- To disable root login from thin clients edit the ssh_config file .
- Open the Terminal Window and enter :
sudo gedit /opt/ltsp/i386/etc/ssh/ssh_config
- Change the following if set or add to the bottom of the config file :
PermitRootLogin no
2. Copy DNS and Repository information from server to fat client to sync updates.
- To update the DNS information on the fat client image simply copy your LTSP server DNS details to the client image.
- Open the Terminal Window and enter :
sudo cp /etc/resolv.conf /opt/ltsp/i386/etc/resolv.conf
- An easy way to install software sources for fat clients is to install the repositories on the LTSP server and then copy the software sources to the fat client image.
- Open the Terminal Window and enter :
sudo cp /etc/apt/sources.list /opt/ltsp/i386/etc/apt/sources.list sudo cp /etc/apt/sources.list.d/* /opt/ltsp/i386/etc/apt/sources.list.d/
3. Update & Upgrade fat client installation.
- For normal updates open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get update sudo chroot /opt/ltsp/i386 apt-get upgrade
- When done, update the client image
sudo ltsp-update-image --arch i386
- For Kernel updates do the following from the Terminal :
export LTSP_HANDLE_DAEMONS=false sudo mount --bind /dev /opt/ltsp/i386/dev sudo chroot /opt/ltsp/i386 mount -t proc proc /proc apt-get update && apt-get dist-upgrade exit sudo ltsp-update-kernels sudo umount /opt/ltsp/i386/proc sudo umount /opt/ltsp/i386/dev
- When done, update the client image
sudo ltsp-update-image --arch i386
4. Install additional fat client software.
- If you have added the Google Chrome PPA’s details to your software sources, and copied these sources in step 2. you will be able to install Google-Chrome, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get install google-chrome-stable
- To install the Flash Plugin for your thin/fat clients, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get install flashplugin-installer
- To replace Gnome-Screensaver (Black screen only) with XScreensaver, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get remove --purge gnome-screensaver sudo chroot /opt/ltsp/i386 apt-get install xscreensaver xscreensaver-gl
- When done, update the client image
sudo ltsp-update-image --arch i386
5. Autostart software on all fat clients.
- To autostart a program for all fat client users is fairly easy, simply copy the .desktop shortcut of the application to the /etc/xdg/autostart folder.
- If you want to start google-chrome and xscreensaver for all fat client users open the Terminal Window and enter :
sudo cp /opt/ltsp/i386/usr/share/applications/google-chrome.desktop /opt/ltsp/i386/etc/xdg/autostart/ sudo cp /opt/ltsp/i386/usr/share/applications/xscreensaver-properties.desktop /opt/ltsp/i386/etc/xdg/autostart/xscreensaver.desktop
- Tip: To autostart Google Chrome in full screen mode on a specific webpage, edit the new autostart google-chrome.desktop file and add –kiosk and you site URL as shown below :
[Desktop Entry] X-AppInstall-Package=google chrome X-AppInstall-Popcon=39584 X-AppInstall-Section=universe Version=1.0 Name=Google Chrome GenericName=Web Browser Comment=Access the Internet Exec=/opt/google/chrome/google-chrome --incognito --kiosk http://www.google.com Terminal=false X-MultipleArgs=false Icon=google-chrome Type=Application Categories=Network;WebBrowser; MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp; X-Ayatana-Desktop-Shortcuts=NewWindow;NewIncognito [NewWindow Shortcut Group] Name=New Window Exec=/opt/google/chrome/google-chrome TargetEnvironment=Unity [NewIncognito Shortcut Group] Name=New Incognito Window Exec=/opt/google/chrome/google-chrome --incognito TargetEnvironment=Unity
- Now edit the new autostart xscreensaver file and replace “-demo” with “-nosplash” :
sudo gedit /opt/ltsp/i386/etc/xdg/autostart/xscreensaver.desktop
6. Auto login fat clients based on IP address.
- To auto login clients you need to supply the usernames and passwords for each user based on the IP address of the client machine.
- For the Terminal Window and enter :
sudo gedit /var/lib/tftpboot/ltsp/i386/lts.conf
- Replace the usernameX and passwordX with the username and password for each user :
[Default] # Local Apps LOCAL_APPS = True LOCAL_APPS_MENU = True LOCAL_APPS_MENU_ITEMS = firefox, google-chrome # Network settings DNS_SERVER = 192.168.1.1 LDM_DIRECTX = True # Theme Settings LDM_THEME = ubuntu # Restrictions LOCALDEV_DENY_CD = True LOCALDEV_DENY_USB = True LOCALDEV_DENY_INTERNAL_DISKS = True # Auto Login LDM_AUTOLOGIN = True [192.168.1.21] LDM_USERNAME = username1 LDM_PASSWORD = password1 [192.168.1.22] LDM_USERNAME = username2 LDM_PASSWORD = password2 [192.168.1.23] LDM_USERNAME = username3 LDM_PASSWORD = password3 [192.168.1.24] LDM_USERNAME = username4 LDM_PASSWORD = password4 [192.168.1.25] LDM_USERNAME = username5 LDM_PASSWORD = password5
Post Install
Post install there may be some things you want to do some of these are covered here.
Mounting Windows Shares at Login
There are a couple of ways to do this in Linux but I finally decided on using Bash and Perl scripts in conjunction with Ubuntu’s “Startup Applications” to handle the mounting of Windows shares. I will include all scripts in this tutorial so that you can modify them to fit your environment and improve them as you see fit.
Before we continue, make sure that the NETLOGON share from dc.domain.internal is mounted on thinserver.domain.internal. I created a generic domain account that has permissions to only list the contents of the AD. For the sake of this example that account name is “public” with the password of “password”.
Create a folder to mount the share to.
sudo mkdir /mnt/logon
Mount the NETLOGON share by adding this entry into your /etc/fstab file.
//dc.domain.internal/netlogon /mnt/logon cifs username=public,password=password 0 0
Mount the share.
sudo mount -a
The scripts used depend on each user having their own login batch file in the NETLOGON share and their own share on server.domain.internal. Here is a batch file for user “John Doe” with username “jdoe”. The batch file name is jdoe.bat. You can use just one batch file and hardcode the name into the script.
@echo off NET USE S: \\server\common NET USE T: \\server\IT
Create the win_share.sh script and save it to /usr/local/bin/. The win_share.sh script checks to see if the .mount.sh and .umount.sh scripts for the user logging in exist and if they do delete them. It then creates new .mount.sh and .umount.sh scripts by running the/usr/local/bin/mount.pl Perl script. Finally it mounts the users shares by running the .mount.sh script. The user shouldn’t get prompted for a password since the script uses Kerberos to authenticate on server.domain.internal.
#!/bin/sh # Check to see if .mount.sh and .umount.sh exist, if so delete them! if [ -f /home/$USER/.mount.sh ]; then rm /home/$USER/.mount.sh fi if [ -f /home/$USER/.umount.sh ]; then rm /home/$USER/.umount.sh fi # Create the .mount.sh and .umount.sh scripts from users batch file /usr/local/bin/mount.pl $USER # Mount network shares when logging on. /home/$USER/.mount.sh
Create the mount.pl script in /usr/local/bin/.
#!/usr/bin/perl
# Build dynamic ~user/.mount.sh based on logon.bat
$user = $ARGV[0];
$file = "/mnt/logonbat/$user.bat"; # <-- Change this from $user to the name of the batch script if you only use one.
die if ! $user;
die if ! -e $file;
open (PAM_CONF, ">/home/$user/.mount.sh");
open (LOGOFF, ">/home/$user/.umount.sh");
print PAM_CONF qq{#!/bin/sh
if [ ! -d /home/$user/Home ]; then
mkdir /home/$user/Home
fi
mount.cifs //server/$user /home/$user/Home -o username=$user,sec=krb5
};
print LOGOFF qq{#!/bin/sh
if [ "`cat /proc/mounts | grep /home/$user/Home | wc -l`" -ge "1" ]; then
umount.cifs /home/$user/Home
fi \n};
my(@arr)=`cat /mnt/logonbat/$user.bat`;
$mounts = parse_batfile(\@arr);
foreach $mount (@$mounts) {
chomp($mount);
($server,$share) = $mount =~ /\\\\(.*)\\(.*)/;
$share =~ tr/\cM//d;
$mnt = $share;
# skip AUDIT. It's for PCs only
next if $mnt =~ /AUDIT/;
# skip personal shares.
next if lc("$mnt") eq lc("$user");
next if ! $mnt;
#strip dollar sign from mount point
$mnt =~ s/\$$//;
# make sure mount point is unique
$mnt .= "-$server" if $seen{$mnt}++;
# upshift first letter of mnt point
$mnt =~ s/^(.)(.*)/\u$1$2/g;
# print PAM_CONF "volume $user cifs $server $share /home/$user/$mnt - - -\n";
print PAM_CONF qq{if [ ! -d /home/$user/$mnt ]; then
mkdir /home/$user/$mnt
fi
mount.cifs //$server/$mnt /home/$user/$mnt -o username=$user,sec=krb5 \n};
print LOGOFF qq{if [ "`cat /proc/mounts | grep /home/$user/$mnt | wc -l`" -ge "1" ]; then
umount.cifs /home/$user/$mnt
fi \n};
}
close PAM_CONF;
close LOGOFF;
system ("chown $user:16777729 /home/$user/.mount.sh"); # 16777729 is my GID for "Domain Users"
system ("chown $user:16777729 /home/$user/.umount.sh"); # 16777729 is my GID for "Domain Users"
system ("chmod +x /home/$user/.mount.sh");
system ("chmod +x /home/$user/.umount.sh");
# All done
sub parse_batfile {
my($file) = @_;
my(@mounts);
foreach $line (@$file) {
(@val) = split / /,$line;
if (uc($val[0]) eq "NET" && uc($val[1]) eq "USE") {
push (@mounts,$val[3]);
}
if ($val[0] eq "CALL") {
my($match) = $val[1] =~ /\\\\.*\\NETLOGON\\(.*)/ ;
if ($match) {
chop($match);
my(@arr)=`cat /mnt/logonbat/$match`;
$mounts = parse_batfile(\@arr);
unshift @mounts, @$mounts;
}
}
}
return \@mounts;
}
This is what the .mount.sh script looks like for jdoe.
#!/bin/sh if [ ! -d /home/jdoe/Home ]; then mkdir /home/jdoe/Home fi mount.cifs //server/jdoe /home/jdoe/Home -o username=jdoe,sec=krb5 if [ ! -d /home/jdoe/common ]; then mkdir /home/jdoe/common fi mount.cifs //server/common /home/jdoe/common -o username=jdoe,sec=krb5 if [ ! -d /home/jdoe/IT ]; then mkdir /home/jdoe/IT fi mount.cifs //server/IT /home/jdoe/IT -o username=jdoe,sec=krb5
Once you have win_share.sh and mount.pl scripts in place, create the “Startup Application” to run it at login. To create the “Startup Application” go to “Preferences/Startup Applications”.
Passwordless SSH with Kerberos
One of the benefits of having a Kerberos enabled server is that you can now enable passwordless login via SSH. To make this work you need to have both your Linux workstation and server on the domain with Kerberos configured correctly.
Make these changes in the /etc/ssh/sshd_config file on thinserver:
# GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes UseDNS yes
Make these changes in the /etc/ssh/ssh_config file on your Linux workstation:
GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
Test ssh to make sure that authentication is working with Kerberos. Try to login to thinserver from your workstation.
ssh -v thinserver
If authentication with Kerberos succeeded you shouldn’t be promted for a password and you should see the “debug1: Authentication Succeeded (gssapi-with-mic) message:
debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Delegating credentials debug1: Delegating credentials debug1: Authentication succeeded (gssapi-with-mic).
Problems and Solutions
These are some of the other issues that I came accross. Hopefully they’ll help someone.
PROBLEM : LTSP client authenticates but logs out immediately
SOLUTION: gconftool-2 –direct –config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory –type string –set /desktop/gnome/session/required_components/windowmanager metacity
PROBLEM: You get a Pae error on your thin client on boot
SOLUTION:
change this file: ‘/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/020-kernel-selection’. I removed 2 times ‘-pae’ in the kernel selection. Seems to install by default the pae kernel. Removing this ended with an install of non-pae kernel for the thin clients.
PROBLEM : No VNC on thin clients
SOLUTION: http://bootpolish.net/home_ltsp_installx11vnconltsp5
PROBLEM : Change the default login screen to a custom one
SOLUTION: https://help.ubuntu.com/community/EdubuntuFAQ
PROBLEM : How to setup root password on thin client
SOLUTION: https://help.ubuntu.com/community/EdubuntuFAQ
PROBLEM : No logout icon
SOLUTION: http://ubuntuforums.org/archive/index.php/t-815188.html
Sources:
- https://help.ubuntu.com/community/UbuntuLTSP/LTSPQuickInstall
- http://www.ltsp.org/
- http://www.thefanclub.co.za/how-to/how-create-ubuntu-1104-x64-ltsp-server-32bit-thin-clients
- http://www.howtoforge.com/how-to-set-up-and-integrate-an-ubuntu-10.04-ltspv5-server-into-a-windows-2008-active-directory-domain
- http://www.thefanclub.co.za/how-to/configure-update-auto-login-ubuntu-12-04-ltsp-fat-clients
Pingback: Links 9/1/2013: Valve’s GNU/Linux Gaming PC, Android Massive at CES | Techrights
checkout x2go, it has thin client support..
Hi. I would like to thank you for the way you presented the steps. This is actually the first site that I felt, “I just might actually pull this off!”
Most of what you wrote is *almost* clear to my being “far-from-being-proficient-Linux-user.” Though I am comfortable enough in using the terminal.
Here are more than a few points with my questions.
1. I have not used an Active Directory. Do I need this to set-up thick/thin clients?
2. Before trying this out with our computers in the lab, I plan to “play” with it with our computers in the library. Going the direction of a thick client, what specs are we talking here for the server to host 8,10 thick clients?
3. I have tried the DRBL LiveCD. It worked fine. But I got lost after half-way through with the instruction from its “how-to. I was doing this my Ubuntu 12.04 and three clients.
Your instructions (before #11) are more digestible to my limited abilities and limited understanding. I really thank you for this.
Now, in “6a” above that goes – “:NOTE: only software installed in the Fat client image will be available to the client” – am I wrong to think the the image resides in the server? If not, then my fat clients will still be using their hard disk?
The reason I need your indulgence and patience is – I am exploring this path, like any one-man IT dept., to save on electricity and generated heat, not to mention, less parts to break/replace.
Though from my cursory readings around the web, it appears to me that having thin clients needs less maintenance but route requires beefier and more expensive server/s.
If all I nrrf is to have clients run LibreOffice and of course, the ability to browse the Internet, with some educational package like Tux Type for the young kids who are to use the clients which route should I take – thin or thick client?
My other prayer when I tried DRBL is that, the long nights of updating the computers under my care was to be history. But I lack the intelligence and training to understand all the listed instructions. Your presentation at least did not make feel so hopeless
Thank you and best regards.
Mon
Tell you what, if you reply to this with an exact outline of what you wish to achive, the specs of the desktops, server etc I will do a complete blog post on your behalf and we will get you working. I am a HUGE advocate of the Linux terminal server project LTSP. It has saved my bacon many times.. I am more than happy to assist a fellow understaffed it guy..
Hello David.
Understaffed would be an improvement! I am the “head” & the “staff” tightly rolled into one “department” on a very
Aiming for -
LTSP to serve 52 desktops in the high school lab.
This lab has 4-yr old desktops of mostly Intel E4600 and a dozen of Dual-core Atoms. The Atoms are now geared to be added in the library.
I have the approval to get 25 new “550″ Celerons. All will be on an Asus mobo, 4Gig DDR3, on-board gigabit Lan. Hopefully, these will be w/o hard drives after you teach me how to make that happen
My “desktop learning tool” is an E4600 w/ 4Gig DDR2, dedicated Nvidia Gforce 7300 w/ on board fast and add-on gigabit Lan card, 3
This machine has Ubuntu 12.04 64-bit.
Bandwidth is quite expensive here. So, utmost, half of these desktops in the lab are meant to have dedicated access to the internet.
Currently, our subscribed bandwidth for the lab from our ISP and the DD-WRTed Linksys only allow 12 to 15 desktops to simultaneously browse the net.
The few desktops in the library have full wi-fi access though, using a separate subscription on its own WRT54g.
Our budget will limit my choice with the relatively inexpensive D-Link and Linksys switches.
Once I have this running and I have better understanding of this project, I can go out for the suggested “server.” ” I can push for two *if needed.*
Lastly, our kids here in school mainly use LibreOffice. The younger ones like Tux Type and Tux Paint
Thank you so much.
Cheers for this, I will set about this weekend putting something together. Impossible mon to Friday I have similar issues at work.
I feel your pain…
Nice tutorial. I’m definitely going to try this one out but instead of using active directory I will try to use Openldap.
David, I know it’s getting redundant, but, thank you just the same. I am looking forward to your version of “LTSP for Dummies”
Hi, David.
We have 2 Digital labs in our Institute built around LTSP networks using Ubuntu 11.1. We now want to upgrade to Ubuntu 12.04. After a lot of research, we settled on your tutorial as the most detailed and easy to follow.
We followed your tutorial steps to the letter, up the point where we tried to connect a Thin Client. The thin client is a hp compaq t5525 with a 800MHz.
Unfortunately, it started to boot, picked up a DHCP IP from the server, but suddenly hung up and gave this 2-line error :
“This kernel requires the following features not on the CPU: pae cx8″
“Unable to boot – please use a kernel appropriate for your CPU”
Can you please advise how we can get around this.
Patrick
Being a bit lazy here as I am not googling the compaq Spec (on a train..) did you use the i386 version of the OS, first glance it looks like you might have used the 64 bit OS.. Also if you did build from the I386 version you may have downloaded the x64 LTSP files which you are pre booting from…
David ,
Actually used the alternate version cd and it is i386. It’s 2am and home but I’ll try to build the ltsp from i386 archive when I get to campus in morning and report. Thanks.
It appears you might have to use a custom non Pae kernel for that hardware, I can assist but might take a while to google how, would be useful however so I can add it as a note to the guide..
Little bit of reading up on this, it seems you may need to use the Ubuntu desktop edition as your base OS, as this will install the generic kernel, if you use the other versions of Ubuntu you are possibly installing the -generic-pae version of the kernel, what you might be able to do is on your existing server use apt-get to install the generic kernel with no Pae support then reboot using that kernel, remove using apt-get the original kernel and then rebuild the LTSP image..
Basically it seems that whatever kernel you have on your server is being used to build the LTSP image..
A command which you may want to google is
http://bootpolish.net/home_ltsp_ltsp5commands_ltspupdatekernels
Sorry you are having problems, I’m hoping we can solve them and add the resolution to the guide
This might also help
Power off Machine
Reboot into bios
Check Enable if exists PAE/NX
Click OK
The steps might be different, can you confirm is it a 386 or 64bit processor..?
Hi. I have the same problem:
“This kernel requires the following features not on the CPU: pae cx8″
“Unable to boot – please use a kernel appropriate for your CPU”
Server has 386 arch installed (machine is actually 64-bit), and client is 386 arch with non-pae processor. Seems that building the client installs automatically the pae kernels…
Strange….
Best regards
Rudy
As the last comment if you used the desktop version of Ubuntu this is to be expected as it on the desktop 12.04 and 12.10 only Pae kernels are supported.
Hi David,
I tried Rudy’s syggestion and I have posted on that. While we continue to look for a way out of the “pae” error on 12.04, we have had to had to install 10.04 to keep the labs open to students.
However, the Thin Clients on 10.04 would freeze and hang after some time and randomly. At times some of them just reboot right in the middle of browsing. We tried apt-get update as was recommended but the problem still persists.
Could you please advise.
Regards.
Patrick.
Ubuntu 12.04 (as well as Kubuntu 12.04 and newer Ubuntu versions) uses the PAE Linux kernel by default for 32bit ISOs so old computers that don’t support PAE can’t boot the latest Ubuntu version. But there is a way to install Ubuntu 12.04 LTS Precise Pangolin on computers without PAE support: using the non-PAE netboot Minimal ISO (there are also some alternatives, see below).
The non-PAE netboot mini ISO lets you install the non-PAE kernel and the desktop environment you want: you can select to install Ubuntu Desktop (with Unity), Kubuntu Desktop and so on. One note though: since the minimal CD will download packages from online archives at installation time instead of providing them on the install CD itself, you need a working Internet connection during the installation.
Have a read of this article http://www.webupd8.org/2012/05/how-to-install-ubuntu-1204-on-non-pae.html
It also suggests how to use xubuntu or lubuntu however the minimal iso seems a good way to go as it allows you to install just what you want.
If you are having the same issue on 12.10 go to http://www.webupd8.org/2012/11/how-to-install-ubuntu-1210-on-non-pae.html
Hi, I used the 12.04 desktop version (386). In mean time I found the solution: I had to change this file: ‘/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/020-kernel-selection’. I removed 2 times ‘-pae’ in the kernel selection. Seems to install by default the pae kernel. Removing this ended with an install of non-pae kernel for the thin clients.
Best regards
Rudy
Thank you so much for getting back to me, I will add this information to the post…
Sorry, I used Xubuntu 12.04 desktop version (386). Don’t know if same will solve the problem for Ubuntu…
Thanks for this info Rudy.
Hi, Rudy, just got chance to try. In my case it didn’t work but came up with an error saying “trying to load pxelinux/default” and hangs. It also pointed to kernel problem with “pae”.