HowTos for networked clients

Introduction to Thin clients and Diskless workstations

One generic term for both thin clients and diskless workstations is LTSP client. LTSP is the Linux Terminal Server Project.

Thin client

A thin client setup enables a ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots from a diskette or directly from the server using network-PROM (or PXE) without using a local client hard drive.

Diskless workstation

A diskless workstation runs all software locally. The client machines boot direcly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but it runs on the diskless workstation. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing newer hardware with the same low maintanence cost as with thin clients.

Machine type selection based on the network

Each LTSP server has two ethernet cards, one is configured in the 10.0.2.0/23 subnet (which is shared with the main server) and another forming a local 192.168.0.0/24 subnet (this subnet is a seperate subnet for each LTSP server).

Diskless workstations get IP addresses assigned in the private subnet 10.0.2.0/23, while thin clients are connected in the seperate subnet 192.168.0.0/24.

Changing the PXE menu on an LTSP server

The PXE menu allows network booting of LTSP clients, the installer and other alternatives. The file /var/lib/tftpboot/pxelinux.cfg/default is used by default if no other file in that directory matches the client, and out of the box it is set to link to /var/lib/tftpboot/debian-edu/default-menu.cfg.

If one want all clients to boot as diskless workstations instead of getting the full PXE menu, this can be implemented by changing the symlink:

ln -s /var/lib/tftpboot/debian-edu/default-diskless.cfg /var/lib/tftpboot/pxelinux.cfg/default

If one want all clients to boot as thin clients instead, change the symlink like this:

ln -s /var/lib/tftpboot/debian-edu/default-thin.cfg /var/lib/tftpboot/pxelinux.cfg/default

See also the pxelinux documentation at http://syslinux.zytor.com/wiki/index.php/PXELINUX .

If one wants clients on the 192.168.x.x interface of a thin client server to boot as diskless workstations instead of thin clients, edit

/var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default

and add a '3' (no quotes) to the end of the line. There is no need to add these workstations in lwat, saving you some work and some "staticxx" IP addresses (see below).

Separate main- and LTSP servers

For performace and security considerations it might be desired to set up a seperate main server which doesn't act as LTSP server.

To have ltspserver00 serve diskless workstations on the main (10.0.x.x) network, when tjener is not a combined server, one needs to follow these steps:

 DEFAULT ltsp/i386/vmlinuz initrd=ltsp/i386/initrd.img nfsroot=10.0.2.10:/opt/ltsp/i386 boot=nfs ro quiet 3

How to extend the range of static IP addresses

Out of the box Debian Edu only has 50 static addresses available on the 10.0.2.0/23 network. To extend this to 90 addresses, you can do the following.

  1. Download ext_static.ldif. The LDIF makes the following changes to the LDAP catalog:

    • It changes the 10.0.2.0/23 dynamic DHCP range from 10.0.2.100-10.0.3.242 to 10.0.2.100-10.0.3.213
    • It deletes the DNS records for dhcp370 (10.0.3.214) to dhcp399 (10.0.3.243)
    • It adds DNS records for static50 (10.0.3.214) to static90 (10.0.3.244)
  2. Apply the changes described in ext_static.ldif:

ldapmodify -x -Z -W -D cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no -f ext_static.ldif

When prompted, enter the LDAP admin password. You now have 40 extra static addresses, at the cost of 29 dynamic addresses.

LTSP in detail

lts.conf

To make special adaptations and configurations for specific thinclients, you can edit the file /opt/ltsp/i386/etc/lts.conf. Have a look at /opt/ltsp/i386/usr/share/doc/ltsp-client-core/examples/lts.conf to see some examples and see /usr/share/doc/ltsp-server/lts-parameters.txt.gz for all parameters you can specify.

The default values is defined under [default], to configure one client, specify which client using the client mac adress or ipadress like this [192.168.0.10].

Example: To make the thinclient ltsp010 use 1280x1024 resolution, add something like this:

[192.168.0.10]
X_MODE_0 = 1280x1024
X_HORZSYNC = "60-70"
X_VERTREFRESH = "59-62"

somewhere below the default settings.

Depending on what changes you make, it may be necessary to restart X on the client (by pressing alt+ctrl+backspace) or restart the client.

To use ipadresses in lts.conf you should add the client mac-address to your dhcp-server. Otherwise you should use the client mac-address directly in you lts.conf file.

Load balancing LTSP servers

Part 1

It is possible to set up the clients to connect to one of several servers for load balancing. This is done by providing /opt/ltsp/i386/usr/lib/ltsp/get_hosts as a script printing one or more servers for LDM to connect to. In addition to this, each ltsp chroot need to include the ssh host key for each of the servers.

First of all, you must choose one LTSP server to be the loadbalancing server. All the clients will PXE-boot from this server and load the Skolelinux image. After the image is loaded, LDM chooses which server to connect to by using the "get_hosts" script. How this is done you decide later on.

Now you have to move your clients from the 192.168.1.0 network to the 10.0.2.0 network. This is because when you use loadbalancing, the clients should have direct access to the server LDM chooses. If you leave your clients on the 192.168.1.0 network, all of the clients traffic will go through that server before it reaches the chosen LDM server.

To get the clients working on the 10.0.2.0 network, you have to edit /etc/dhcp3/dhcpd.conf on the main-server (tjener). Where it says:

/!\ FIXME: This need to be changed as DHCP configuration is in LDAP.

subnet 10.0.2.0 netmask 255.255.254.0 {
        range 10.0.2.100 10.0.3.242;
        }

you have to add this under "range":

filename "/var/lib/tftpboot/ltsp/i386/pxelinux.0";
next-server xxx;
option root-path "/opt/ltsp/i386";
option log-servers ltspserver01;
use-host-decl-names on;

Next-server should be the IP-address or hostname of the server you chose to be the loadbalancing server. If you use hostname you must have a working DNS. Remember to restart the dhcp service.

Part 2

Now you have to make a "get_hosts" script that prints a server for LDM to connect to. The parameter LDM_SERVER overrides this script. In consequence, this parameter must not be defined if the get_hosts is going to be used. The get_hosts script writes on the standard output each server IP address or host names, in the random order.

Edit "/opt/ltsp/i386/etc/lts.conf" and add something like this:

MY_SERVER_LIST = "xxxx xxxx xxxx"

Replace xxxx with either the IP or hostname of the servers, list must be space separated. Then, put the following script in /opt/ltsp/i386/usr/lib/ltsp/get_hosts on the server you chose to be the loadbalancing server.

# Randomize the server list contained in MY_SERVER_LIST parameter
TMP_LIST=""
SHUFFLED_LIST=""
for i in $MY_SERVER_LIST; do
rank=$RANDOM
let "rank %= 100"
TMP_LIST="$TMP_LIST\n${rank}_$i"
done
TMP_LIST=$(echo -e $TMP_LIST | sort)
for i in $TMP_LIST; do
SHUFFLED_LIST="$SHUFFLED_LIST $(echo $i | cut -d_ -f2)"
done
echo $SHUFFLED_LIST

Part 3

Now that you've made the "get_hosts" script, it's time to make the ssh host key for the ltsp chroots. This can be done by making a file containing the content of /opt/ltsp/i386/etc/ssh/ssh_known_hosts from all the ltsp servers that will be loadbalanced. Save this file as /etc/ltsp/ssh_known_hosts.extra on all loadbalance servers. The last step is very important because ltsp-update-sshkeys runs every time a server is booted, and /etc/ltsp/ssh_known_hosts.extra is included if it exists.

/!\ If you save your new host file as /opt/ltsp/i386/etc/ssh/ssh_known_hosts, it will be erased when you reboot the server.

There is some obvious weaknesses with this setup. All clients get their image from the same server, this causes high loads on the server if many clients are booted at the same time. Also the clients require that server to always be available, without it they cannot boot or get a LDM server. Therefore this setup is very dependent on one server, which isn't very good.

Your clients should now be loadbalanced!

Sound with LTSP clients

LTSP thin clients supports three different audio systems for applications, ESD, PulseAudio and ALSA. ESD and PulseAudio support networked audio and are used to pass audio from the server to the clients. ALSA is configured to redirect its sound via PulseAudio. For selected applications only supporting the OSS audio system, a wrapper is created by /usr/sbin/debian-edu-ltsp-audiodivert to redirect their sound to PulseAudio. Run this script without arguments to get a list of applications with such redirection enabled.

LTSP diskless workstations handle audio locally and have none of the special setup needed for networked audio.

Upgrading the LTSP environment

It is useful to upgrade the LTSP environment with new packages fairly often, to make sure security fixes and improvements are made available. To upgrade, run these commands as user root on each LTSP server:

chroot /opt/ltsp/i386
mount -t proc proc /proc
export LTSP_HANDLE_DAEMONS=false
aptitude update
aptitude upgrade
aptitude dist-upgrade
umount /proc
exit

Installing additional software in the LTSP environment

To install additional software for LTSP client you must perform the installation inside the chroot of the LTSP server.

chroot /opt/ltsp/i386
## optionally, edit the sources.list:
#vim /etc/apt/sources.list
mount -t proc proc /proc
export LTSP_HANDLE_DAEMONS=false
aptitude update
aptitude install $new_package
umount /proc
exit

Slow login and security

Skolelinux has added several security features on the client network preventing unauthorised super user access, stopping password sniffing and other tricks which may be used on a local network. One such security measures is secure login using ssh wich is default with LDM. This can slow down some client machines which are older than 10 years, having as little as 160 MHz processor and 32 MB RAM. Even if not recomended, you can add the "True" value in ...

LDM_DIRECTX=True

should be added to the server in the /opt/ltsp/i386/etc/lts.conf file.

/!\ Warning: Above protects initial login but all activities after that use unencrypted XDMCP. Passwords (except the initial one) will travel in cleartext over the network, as well as anything else.

Note: Since such 10 year old thin clients may also get trouble with running never versions of OpenOffice.org and Firefox/Iceweasel due to pixmap caching issues, you may consider running thin clients with at least 128 MB RAM, or upgrade to hardware, which will also give you the benefit of being able to use them as diskless workstations.

Replacing LDM with KDM

Skolelinux 3.0 is running LDM as a login manager. It uses a secure ssh tunnel to log in. When using KDM a switch to XDMCP is neccesary. XDMCP uses less CPU ressources on the clients and on the server.

/!\ Warning: XDMCP does not use encryption. Passwords will travel in cleartext over the network, as well as anything else.

/!\ Note: local devices with ltspfs will stop working without LDM.

To check if XDMCP is running, run this command from a workstation:

 X -query ltspserverXX

If you are on the thin client network, please run this command:

 X -query 192.168.0.254

The goal is to let your "real" thin client to contact the xdmcp-server on the 192.168.0.254 net (given a standard Skolelinux configuration).

If by some reason xdmcp is accessible on your server which runs KDM , please add the following to /etc/kde3/kdm/Xaccess

 * # any host can get a login window

The star before the comment '#' is important, rest is a comment of course :)

Then turn on xdmcp in kdm with the command:

 sudo update-ini-file /etc/kde3/kdm/kdmrc Xdmcp Enable true

At the end please restart kdm by running:

 sudo invoke-rc.d kdm restart

(in courtesy of Finn-Arne Johansen)

Connecting Windows machines to the network / Windows integration

Joining the domain

For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main-server tjener, enables Windows clients to store profiles and userdata and also authenticates the users during the login.

In order to make Windows clients join the domain some (few) steps are required:

1. Create a user with membership in the "admins" group (if not already existing)

2. Configure the Windows client as static host

3. On the Windows client: Make sure the network and system configuration matches the data stored on tjener (hostname and ip configuration).

4. Join the domain as usual using the user added in step 1.

Windows will sync the profile of domain users on every login and logout. Depending on how much data stored in the profile this could take some time. To minimize the time needed, one should deactivate things like local cache in browsers (you could use the squid proxycache installed on tjener instead) and save file into the H: volume instead of "Own files".

User groups in Windows

Groupmaps must also be added for any other user groups you add through lwat. If you want your user groups to be available in Windows, eg for netlogon scripts or other group dependant actions, you can add them using variations of the following command. Samba will function without these groupmaps, but Windows machines won't be group aware.

/usr/bin/net groupmap add unixgroup=students \
             type=domain ntgroup="students" \
             comment="All students in the school"

FIXME: should user groups in windows better be explained with lwat first, and then with an example for the command line?

If you want to check user groups on Windows, you need to download the tool IFMEMBER.EXE from Microsoft. Then you can use this for example in the logon script which resides on tjener in /etc/samba/netlogon/LOGON.BAT.

XP home

Users bringing in their XP home laptop can still connect to Tjener using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the windows firewall before Tjener will appear in Network Neighbourhood (or whatever its called now).

Managing roaming profiles

Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are personal files, desktop icons and menus, screen colors, mouse settings, window size and position, application configurations and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.

Since the profile is copied from the server to the machine during logon, and copied back to the server during logout, a large profile can make windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problems is that users save their files on the windows desktop or in the My Documents folder instead of in their homedir. Also some badly designed programs use the profile for scratch space, and other data.

The educational approach: One way to deal with to large profiles is to explain the situation for the users. Tell them not to store huge files on the desktop and if they fail to listen it's their own fault when login is slow.

Tweaking the profile: A different way to deal with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the work load from the users to the administrator, while adding complexity to the installation. There are at least three ways to edit the parts that are removed from the roaming profile.

Example smb.conf's for roaming profiles

Already delivered while installation, you can find an example smb.conf hopefully in your prefered language. You can find the config example files on your tjener under /usr/share/debian-edu-config/examples/. The source file is in English and is called smb-roaming-profiles-en.conf. If it is translated to German for example, it is named smb-roaming-profiles-de.conf. So if you search a file translated to your prefered language, look at the country code part in the filename. Inside the config file are a lot of explanations, so you should have a look at.

Using machine policies

Machine policies can be edited and copied to all the other computers.

  1. Pick a freshly installed Windows computer, and run gpedit.msc
  2. Under the selection User Configuration -> Administrative Templates -> System -> User Profiles -> Exclude directories in roaming profile, you can enter a semicolon separated string of directories to exclude from the profile, the directories are internationalized and must be written in your own language the way they are in the profile. Example of directories to exclude are

    • log
    • Locale settings
    • Temporary Internet Files
    • My Documents
    • Application Data
    • Temporary Internet Files
  3. Save your changes, and exit the editor.
  4. Copy c:\windows\system32\GroupPolicy to all other windows machines.

    • It's a good idea to copy it to your windows os deployment system to have it included at install time.

Using global policies

By using the legacy windows policy editor (poledit.exe), you can can create a Policy file (NTConfig.pol) file and put it in your netlogon share on tjener. This has the advantage of working almost instantly on all windows machines.

Since some time the policy editor standalone download has been removed from the Microsoft website, but it's still available as part of the ORK Tools.

With poledit.exe you can create .pol files. If you put such a file on tjener as /etc/samba/netlogon/NTLOGON.POL it will be read by the windows machine automatically and temporarily overwrite the registry, thus applying the changes.

To make sensible use of poledit.exe you also need to download appriate .adm files for your operating system and applications, otherwise you cannot define many settings in poledit.exe.

Be aware that the new group policy tools, gpedit.msc and gpmc.msc cannot create .pol files, they either only work for the local machine or need an active directory server.

If you understand german, http://gruppenrichtlinien.de is a very good website on this topic.

Editing Windows registry

You can edit the registry of the local computer, and copy this registry key to other computers

  1. Start the Registry Editor.
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Use the menu Edit menu->New->String Value.

  4. Call it ExcludeProfileDirs

  5. Enter a semicolon sepatated string of paths to exclude. (same way as machine policy)

Now you can choose to export this registry key as a .reg file, Mark a selection, right click and select export. Save the file and you can double click it, or add it to a script to spread it to other machines.

Sources:

Redirecting parts of profile

Sometimes just removing the directory from the profile is not enough. You may experience that users loose files because they mistakenly save things into my documents, when this is not saved in the profiles. Also you may want to redirect the directories some badly programed applications use to normal network shares.

Using machine policies

Everything under Using machine policies above applies. You edit using gpedit.msc and copy the Policy to all machines The redirection should be available under User Configuration -> Windows Settings->Folder Redirection Things that can be nice to redirect are Desktop or My Documents.

One thing to remember is that if you enable folder redirection, those folders are automatically added to the syncroniced folders list. If you do not want this, you should also disable that in following

Using global policies

FIXME explain how to use profiles from global policies for windows machines in the skolelinux network

Avoiding roaming profiles

Using a local policy

Using local policies you can disable roaming profile on individual machines. This is often wanted on special machines, for instance on dedicated machines, or machines that have lower then usual bandwith.

You can use the machine policy method describe above, the key is in

Using global policies

FIXME: describe roaming profile key for the global policy editor here

altering samba config

By editing the samba config you can disable roaming profiles for the entire network. Perhaps everyone have their own dedicated machine? and nobody else is allowed to touch it. To disable the roaming profiles for the entire network you can alter the smb.conf file on tjener and unset the logon path and logon home variables, and restart samba.

logon path = ""
logon home = ""

Remote Desktops with RDP, VNC, NX or Citrix

Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.

HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

CategoryPermalink