HowTos for networked clients
Contents
Introduction to thin clients and diskless workstations
One generic term for both thin clients and diskless workstations is LTSP client.
Starting with Bullseye, LTSP is quite different from the previous versions. This concerns both setup and maintenance.
- As one main difference, the SquashFS image for diskless workstations is now generated from the LTSP server file system by default. This happens on a combined server at first boot, taking some time.
Thin clients are no longer part of LTSP. Debian Edu uses X2Go to still support thin client usage.
- In case of a separate or an additional LTSP server, required information for setting up the LTSP client environment isn't complete at installation time. Setup can be done once the system has been added with GOsa².
For information about LTSP in general, see the LTSP homepage. On systems with LTSP server profile, man ltsp provides more information.
Please note that the ltsp tool from LTSP has to be used carefully. For example, ltsp image / would fail to generate the SquashFS image in case of Debian machines (these have a separate /boot partition by default), ltsp ipxe would fail to generate the iPXE menu correctly (due to Debian Edu's thin client support), and ltsp initrd would mess up LTSP client boot completely.
The debian-edu-ltsp-install tool is a wrapper script for ltsp image, ltsp initrd and ltsp ipxe. It is used to setup and configure diskless workstation and thin client support (both 64-Bit and 32-Bit PC). See man debian-edu-ltsp-install or the script content to see how it works. All configuration is contained in the script itself (HERE documents) to facilitate site specific adjustments.
Examples how to use the wrapper script debian-edu-ltsp-install:
debian-edu-ltsp-install --diskless_workstation yes updates the diskless workstation SquashFS image (server filesystem).
debian-edu-ltsp-install --diskless_workstation yes --thin_type bare creates diskless workstation and 64-bit thin client support.
debian-edu-ltsp-install --arch i386 --thin_type bare creates additional 32-bit thin client support (chroot and SquashFS image).
Besides bare (smallest thin client system), also display and desktop are available options. The display type offers a shutdown button, the desktop type runs Firefox ESR in kiosk mode on the client itself (more local RAM and CPU power required, but server load reduced).
The debian-edu-ltsp-ipxe tool is a wrapper script for ltsp ipxe. It makes sure that the /srv/tftp/ltsp/ltsp.ipxe file is Debian Edu specific. The command needs to be run after iPXE menu related items (like menu timeout or default boot settings) in the /etc/ltsp/ltsp.conf [server] section have been modified.
The debian-edu-ltsp-initrd tool is a wrapper script for ltsp initrd. It makes sure that a use case specific initrd (/srv/tftp/ltsp/ltsp.img) is generated and then moved to the use case related directory. The command needs to be run after the /etc/ltsp/ltsp.conf [clients] section has been modified.
The debian-edu-ltsp-chroot tool is a replacement for the ltsp-chroot tool shipped with LTSP5. It is used to execute commands in a specified LTSP chroot (like e.g. install, upgrade and remove packages).
Diskless workstation
A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but runs on the diskless workstations. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance costs as with thin clients.
Unlike workstations diskless workstations run without any need to add them with GOsa².
Thin client
A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive and that the LTSP server needs to be a powerful machine.
Debian Edu still supports the use of thin clients to enable the use of very old hardware.
Since Thin clients use X2Go, users should disable compositing to avoid display artefacts. In the default case (Xfce desktop environment): Settings -> Window Manager Tweaks -> Compositor.
LTSP client firmware
LTSP client boot will fail if the client's network interface requires a non-free firmware. A PXE installation can be used for troubleshooting problems with netbooting a machine; if the Debian Installer complains about a missing XXX.bin file then non-free firmware has to be added to the LTSP server's initrd.
Proceed like this on the LTSP server:
- First get information about firmware packages, run:
apt update && apt search ^firmware-
- Decide which package has to be installed for the network interface(s), most probably this will be firmware-linux, run:
apt -y -q install firmware-linux
- Update the SquashFS image for diskless workstations, run:
debian-edu-ltsp-install --diskless_workstation yes
In case X2Go thin clients are used, run:
/usr/share/debian-edu-config/tools/ltsp-addfirmware -h
- and proceed according to the usage information.
Then update the SquashFS image; e.g. for the /srv/ltsp/x2go-bare-amd64 chroot, run:
ltsp image x2go-bare-amd64
LTSP client type selection
Each LTSP server has two ethernet interfaces: one configured in the main 10.0.0.0/8 subnet (which is shared with the main server), and another forming a local subnet (a separate subnet for each LTSP server).
In both cases diskless workstation or thin client can be chosen from the iPXE menu. After waiting for 5 seconds, the machine will boot as diskless workstation.
The default iPXE boot menu item and it's default timeout can both be configured in /etc/ltsp/ltsp.conf. A timeout value of -1 is used to hide the menu. Run debian-edu-ltsp-ipxe for the changes to take effect.
Use a different LTSP client network
192.168.0.0/24 is the default LTSP client network if a machine is installed using the LTSP profile. If lots of LTSP clients are used or if different LTSP servers should serve both i386 and amd64 chroot environments the second preconfigured network 192.168.1.0/24 could be used as well. Edit the file /etc/network/interfaces and adjust the eth1 settings accordingly. Use ldapvi or any other LDAP editor to inspect DNS and DHCP configuration.
Add LTSP chroot to support 32-bit-PC clients
To create chroot and SquashFS image, run:
debian-edu-ltsp-install --arch i386 --thin_type bare
See man debian-edu-ltsp-install for details about thin client types.
LTSP client configuration
Run man ltsp.conf to have a look at available configuration options. Or read it online: https://ltsp.org/man/ltsp.conf/
Add configuration items to the /etc/ltsp/ltsp.conf [clients] section. For the changes to take effect, run:
debian-edu-ltsp-initrd
Sound with LTSP clients
LTSP thin clients use networked audio to pass audio from the server to the clients.
LTSP diskless workstations handle audio locally.
Access to USB drives and CD-ROMs/DVDs
When users insert a USB drive or DVD / CD-ROM into a Diskless Workstation, a corresponding icon appears on the desktop, allowing access to the content as on a workstation.
When users insert a USB drive into an X2Go thin client of type bare (default combined server installation), the media is mounted as soon as the existing folder icon on the Xfce desktop is double-clicked. Depending on the media content it might take some time until the content shows up in the file manager.
A warning about removable media on LTSP servers
When inserted into an LTSP server, USB drives and other removable media cause the related folder icon to appear on LTSP thin client desktops. Remote users can access the files.
Use printers attached to LTSP clients
- Attach the printer to the LTSP client machine (both USB and parallel port are supported).
- Configure the LTSP client with GOsa² to use a fixed IP address.
Configure the printer using the web interface https://www.intern:631 on the main server; choose network printer type AppSocket/HP JetDirect (for all printers regardless of brand or model) and set socket://<LTSP client ip>:9100 as connection URI.
Modifying the PXE setup
PXE stands for Preboot eXecution Environment. Debian Edu now uses the iPXE implementation for easier LTSP integration.
Configuring the PXE menu
The iPXE menu item concerning system installations is generated using the script debian-edu-pxeinstall. It allows some settings to be overridden using the file /etc/debian-edu/pxeinstall.conf with replacement values.
Configuring the PXE installation
The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing the main server, and the other questions will be asked during installation (profile, popcon participation, partitioning and root password). To avoid these questions, the file /etc/debian-edu/www/debian-edu-install.dat can be modified to provide preselected answers to debconf values. Some examples of available debconf values are already commented in /etc/debian-edu/www/debian-edu-install.dat. Your changes will be lost as soon as debian-edu-pxeinstall is used to recreate the PXE-installation environment. To append debconf values to /etc/debian-edu/www/debian-edu-install.dat during recreation with debian-edu-pxeinstall, add the file /etc/debian-edu/www/debian-edu-install.dat.local with your additional debconf values.
More information about modifying PXE installations can be found in the Installation chapter.
Adding a custom repository for PXE installations
For adding a custom repository add something like this to /etc/debian-edu/www/debian-edu-install.dat.local:
d-i apt-setup/local1/repository string http://example.org/debian stable main contrib non-free d-i apt-setup/local1/comment string Example Software Repository d-i apt-setup/local1/source boolean true d-i apt-setup/local1/key string http://example.org/key.asc
and then run /usr/sbin/debian-edu-pxeinstall once.
Changing network settings
The debian-edu-config package comes with a tool which helps in changing the network from 10.0.0.0/8 to something else. Have a look at /usr/share/debian-edu-config/tools/subnet-change. It is intended for use just after installation on the main server, to update LDAP and other files that need to be edited to change the subnet.
Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. 192.168.0.0/24 and 192.168.1.0/24 are already set up as LTSP client networks. Changing to these subnets will require manual editing of configuration files to remove duplicate entries.
There is no easy way to change the DNS domain name. Changing it would require changes to both the LDAP structure and several files in the main server file system. There is also no easy way to change the host and DNS name of the main server (tjener.intern). To do so would also require changes to LDAP and files in the main server and client file system. In both cases the Kerberos setup would have to be changed, too.
Remote Desktop
Choosing the LTSP server profile or the combined server profile also installs the xrdp and x2goserver packages.
Xrdp
Xrdp uses the Remote Desktop Protocol to present a graphical login to a remote client. Microsoft Windows users can connect to the LTSP server running xrdp without installing additional software - they simply start a Remote Desktop Connection on their Windows machine and connect.
Additionally, xrdp can connect to a VNC server or another RDP server.
Xrdp comes without sound support; to compile (or re-compile) the required modules this script could be used. Please note: The caller needs to be root or a member of the sudo group. Also, /etc/apt/sources.list must contain a valid deb-src line.
#!/bin/bash set -e if [[ $UID -ne 0 ]] ; then if ! groups | egrep -q sudo ; then echo "ERROR: You need to be root or a sudo group member." exit 1 fi fi if ! egrep -q ^deb-src /etc/apt/sources.list ; then echo "ERROR: Make sure /etc/apt/sources.list contains a deb-src line." exit 1 fi TMP=$(mktemp -d) PULSE_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' pulseaudio)" XRDP_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' xrdp)" sudo apt -q update sudo apt -q install dpkg-dev cd $TMP apt -q source pulseaudio xrdp sudo apt -q build-dep pulseaudio xrdp cd pulseaudio-$PULSE_UPSTREAM_VERSION/ ./configure cd $TMP/xrdp-$XRDP_UPSTREAM_VERSION/sesman/chansrv/pulse/ sed -i 's/^PULSE/#PULSE/' Makefile sed -i "/#PULSE_DIR/a \ PULSE_DIR = $TMP/pulseaudio-$PULSE_UPSTREAM_VERSION" Makefile make sudo cp *.so /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/ sudo chmod 644 /usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/module-xrdp* sudo service xrdp restart
X2Go
X2Go enables you to access a graphical desktop on the LTSP server over both low bandwidth and high bandwidth connections from a PC running Linux, Windows or macOS. Additional software is needed on the client side, see the X2Go wiki for more information.
Please note that the killer package should best be removed on the LTSP server if X2Go is used, see 890517.
Available Remote Desktop clients
freerdp-x11 is installed by default and is capable of RDP and VNC.
RDP - the easiest way to access Windows terminal server. An alternative client package is rdesktop.
VNC client (Virtual Network Computer) gives access to Skolelinux remotely. An alternative client package is xvncviewer.
x2goclient is a graphical client for the X2Go system (not installed by default). You can use it to connect to running sessions and start new ones.
Wireless clients
The freeRADIUS server could be used to provide secure network connections. For this to work, install the freeradius and winbind packages on the main server and run /usr/share/debian-edu-config/tools/setup-freeradius-server to generate a basic, site specific configuration. This way, both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods are enabled. All configuration is contained in the script itself to facilitate site specific adjustments. See the freeRADIUS homepage for details.
Additional configuration is needed to
enable/disable access points via a shared secret (/etc/freeradius/3.0/clients.conf).
- allow/deny wireless access using LDAP groups (/etc/freeradius/3.0/users).
- combine access points into dedicated groups (/etc/freeradius/3.0/huntgroups)
End user devices need to be configured properly, these devices need to be PIN protected for the use of EAP (802.1x) methods. Users should also be educated to install the freeradius CA certificate on their devices to be sure to connect to the right server. This way their password can't be catched in case of a malicious server. The site specific certificate is available on the internal network.
https://www.intern/freeradius-ca.pem (for end user devices running Linux)
https://www.intern/freeradius-ca.crt (Linux, Android)
https://www.intern/freeradius-ca.der (macOS, iOS, iPadOS, Windows)
Please note that configuring end user devices will be a real challenge due to the variety of devices. For Windows devices an installer script could be created, for Apple devices a mobileconfig file. In both cases the freeRADIUS CA certificate can be integrated, but OS specific tools are needed to create the scripts.
Authorize Windows machine with Debian Edu credentials using pGina LDAP plugin
Adding pGina user in Debian Edu
To have an ability to use pGina (or any else 3rd party auth-service-application) you should have a special user account used in search inside of LDAP.
Add a special user, eg pguser with password pwd.777, on https://www/gosa website.
Install pGina fork
Download and install pGina 3.9.9.12 as usual software. Take an attention that LDAP plugin persists in pGina plugin folder:
C:\Program Files\pGina.fork\Plugins\pGina.Plugin.Ldap.dll
Configure pGina
Considering to Debian Edu settings the connection to LDAP uses SSL by port 636.
So necessary settings in a pGina LDAP plugin are below
(these are stored in HKEY_LOCAL_MACHINE\SOFTWARE\pGina3.fork\Plugins\0f52390b-c781-43ae-bd62-553c77fa4cf7).
LDAP Plugin main section
LDAP Host(s): 10.0.2.2 (or any else with "space" as a separator)
LDAP Port: 636 (for SSL connection)
- Timeout: 10
Use SSL: YES (tick checkbox)
Start TLS: NO (don't tick checkbox)
Validate Server Certificate: NO (don't tick checkbox)
Search DN: uid=pguser,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
- ("pguser" is a user to authenticate in LDAP to search users in a login session)
- Search Password: pwd.777 (this is the "pguser" password)
Authentication block
Bind Tab:
Allow Empty Passwords: NO
Search for DN: YES (tick checkbox)
Search Filter: (&(uid=%u)(objectClass=person))
Authorization block
Default: Allow
Deny when LDAP authentication fails: YES (tick checkbox)
Allow when server is unreachable: NO (don't tick checkbox, optional)
Plugin Selection
- LDAP: Authentication [v], Authorization [v], Gateway[v], Change Password [_]
- Local Machine: Authentication [v], Gateway [v] (tick only two checkboxes)
Plugin Order
- Authentication: LDAP, Local Machine
- Gateway: LDAP, Local Machine
Sources: