projectz

Tech, Gadgets, Photography, Social Media and Poor Spelling

Setting up an Ubuntu Thin Client Server


With austerity the watchword of our times, getting as much as possible out of the IT hardware you have is as important as ever, more so when the industry is shifting at the OS level and the hardware you have may not be quite up to the task of Windows 8.

I have put this post together as a personal reference; if it helps someone else then that’s a good thing.

Thin Client computing is a good example of how the IT world goes round in a circle. 30 or so years ago computers were huge beasts filling rooms the size of offices. To attach to them you had a terminal; that terminal had no hard disk and everything you did was done directly on the “mainframe”. While examples of this style of computing never died, they were quickly outpaced by the computers we know today, where the processing and computing is done at your desk and the files are then saved to a server (the client-server model).

However, as networks have become speedier and servers more powerful, that old idea has come full circle, and in this article I’m going to show you how to install an Ubuntu LTSP server which will deliver a complete Ubuntu desktop to a machine with no hard disk over your network. And if you are doing this in an office with an existing AD infrastructure, you can make use of it so users can use their AD login credentials to access the OS.

LTSP

The Linux Terminal Server Project is not new; it has been around for a very long time, which brings a few key positives for anyone who wants to implement it. There is a lot of support available online, covering many areas the project developers may not have envisaged the project going. It is well supported and still very much in development, an important factor for any technology you may be looking to integrate into a commercial or educational infrastructure. It has also been integrated into many popular distributions, which again provides good backing and help when needed.

Originally, LTSP was a stand-alone package. LTSP had to be installed on top of the Linux distribution you were using, and then configured. As time progressed major Open Source Linux distributions like Ubuntu (Canonical Ltd.), Fedora (Red Hat Inc.), OpenSuSE (Novell), and more began integrating LTSP directly into their distribution releases. At present, LTSP can be installed automatically using the Linux distributions mentioned above. LTSP’s current version is: 5. LTSP 5 addresses many key issues regarding network bandwidth with the implementation of Local Applications. LTSP 5 greatly improves multimedia, and network intensive applications on LTSP Thin Clients.

Installing LTSP

Starting with the Hardy Heron (8.04) release the LTSP installer functionality was moved to the Ubuntu alternate CD. All future releases follow this format.

Using 12.04 provides you with a stable 4 year supported version of Ubuntu.

Get the Precise Pangolin alternate CD ISO from http://releases.ubuntu.com/releases/12.04.

The installer will set up an out of the box working LTSP install for you if your server has two network cards built in.

If that is not the case it will tell you what to modify to run with a single network card.

LTSP installer warns you about a single NIC server

Once you boot up the CD, hit F4. The “Modes” menu will pop up. Select “Install an LTSP Server”. Now just move on with the install.

Modes menu, selecting "Install an LTSP Server"

Towards the end of the install the installer will start to build the client environment from the packages on the CD. When it gets to the 50% mark it might look like it has hung; it has not, it will just take a while to do the last stage.

Installer builds the thin client environment

Which then will be compressed into an image…

Installer compresses the client's NBD image

Once the installer is done and has rebooted into your new system, you will be able to boot your first Thin Client right away. However, it’s useful to know what is happening under the hood, and you may want to make some changes.

1. Change your available network adaptor IP to a fixed entry.

  • Most local networks already use the 192.168.0.xx range of IP addresses, but the default install of LTSP relies on this range being available. In this tutorial we will set up the LTSP network on the 192.168.1.xx range.
  • You also need a separate network adaptor with internet access during the install process.
  • The LTSP server install wants to install its own DHCP server, so if you have a router with its own DHCP server it could cause conflicts if both are in the same network IP range.
  • So what to do is change your unused LAN port’s IP address to a fixed IP in another IP range. For example, my setup has a router with a DHCP server running on 192.168.0.1, which provides the Internet access on the system. I changed my other LAN adaptor’s IP to 192.168.1.1; this will be used for the LTSP network.
  • NOTE: For some reason the DHCP server does not want to start correctly on system startup if the network adaptor’s IP is not set in the network interfaces config file. (see 1c. below)

1a. Go to Network Connections and select the LAN network adaptor you intend to use for your thin client network and click edit.

1b. Change your adaptor to use Manual IP and set a new fixed IP for the adaptor and save.

This will be your LTSP server IP.

1c. Set the fixed IP for the network adaptor the classic way to ensure the DHCP server starts correctly.

  • Add the information for the network adaptor that you selected in 1a. as shown below.
  • We added eth0 with a static IP of 192.168.1.1
  • Open the Terminal Window and enter :
sudo gedit /etc/network/interfaces

1d. Change the Network Manager config file to allow control of your network adaptor with fixed IP.

  • For some mysterious reason if you enter the IP manually in the interfaces file, Network Manager ignores them and you cannot use the Network Manager to control the adaptor any more. So we have to enable it.
  • Change the “managed=false” to “managed=true” as seen below.
  • Open the Terminal Window and enter :
sudo gedit /etc/NetworkManager/NetworkManager.conf

2. Install the LTSP server.

If you have followed the instructions above you can skip this and head to step 3. If you’ve got a dual nic stock Ubuntu Desktop or Server install you can install LTSP as a package.

  • Open the Terminal Window and enter :
sudo apt-get install ltsp-server-standalone openssh-server

3. Edit the DHCP configuration for your LTSP server to match your chosen IP range.

  • In this case 192.168.0.xx changes to 192.168.1.xx.
  • Open the Terminal Window and enter :
sudo gedit /etc/ltsp/dhcpd.conf

4. Select the network interface/s for the DHCP server

  • Add the network devices you would like the DHCP server to run on. In this case we changed the value of INTERFACES to include eth0
  • Open the Terminal Window and enter :
sudo gedit /etc/default/isc-dhcp-server

5. Restart the DHCP server

  • Open the Terminal Window and enter :
sudo /etc/init.d/isc-dhcp-server restart

Tip: previous Ubuntu versions need to use: sudo /etc/init.d/dhcp3-server restart

6a. Optional step to configure a Fat Client not a Thin Client before build

  • This step is only needed if you intend to use your LTSP server for Fat clients, rather than Thin clients or both. For more information on the differences between Thin and Fat clients and their configuration see UbuntuLTSPFatClients
  • This step edits the LTSP build client configuration file to install Ubuntu desktop and create LTSP Fat client image.
  • NOTE: only software installed in the Fat client image will be available to the client, and internet access for each client needs to be configured as the clients will not share the server network connection to the internet as is the case with the thin clients.
  • Open the Terminal Window and enter :
sudo gedit /etc/ltsp/ltsp-build-client.conf
  • Here you can customize your installation image for Fat clients.
  • We will only install the standard Ubuntu Desktop system to run on the client side for now. We can install more software to the image later, this is to get a basic Fat client image built.
  • Add the following to the file and save.
# ltsp-build-client.conf - many other options available 
# The chroot architecture.
ARCH=i386

# ubuntu-desktop and edubuntu-desktop are tested.
# Ubuntu 12.04 LTS working perfectly with Unity and Unity 2D.
FAT_CLIENT_DESKTOPS="ubuntu-desktop"

6b. Optional step to disable NBD compression

  • NBD compression is enabled by default in Ubuntu 12.04 to speed up client disk access and boot times, but it takes much longer to generate a compressed image file. During development work it might be easier to disable this feature and re-enable it when the setup of the client image is complete.
  • Open the Terminal Window and enter :
sudo gedit /etc/ltsp/ltsp-update-image.conf
  • Add the NO_COMP="-noF -noD -noI -no-exports" line to disable compression. To enable compression again, comment the line out with the # symbol or delete it completely.
  • Make sure the file now looks like this example below and save.
# Configuration file for ltsp-update-image
# Do not compress the client image. Comment out the line below to enable again.
NO_COMP="-noF -noD -noI -no-exports"

6c. Build the i386 (32bit)  LTSP Thin/Fat Client

  • This step builds the 32bit Thin Client Ubuntu 11.04 image needed to boot the thin clients on the network.
  • This step downloads and installs all the 32bit Ubuntu client elements. Could take a while.
  • Open the Terminal Window and enter :
sudo ltsp-build-client --arch i386

Tip: to set up 64bit thin clients leave out the ‘--arch i386’ part and enter: sudo ltsp-build-client

7. Reboot your new LTSP server to complete LTSP server install

  • At this point your Ubuntu LTSP server should be up and running.
  • You should be able to boot a Thin Client via the network.
  • You could also set up a Virtual Machine to act as a thin client for testing your server. See: How to create a VirtualBox Ubuntu LTSP Thin Client.

Tip: After reboot make sure that the DHCP is running correctly. Open a Terminal Window and enter:

sudo /etc/init.d/isc-dhcp-server status

Tip: If after this point you change your IP address on the LTSP  server you need to enter the following :

sudo ltsp-update-sshkeys
sudo ltsp-update-image --arch i386

8. Set up Thin Client Admin user

  • Replace the adminname with your admin user name.
sudo -s -H
chroot /opt/ltsp/i386
useradd -m adminname -G sudo
passwd adminname
exit
exit
  • Lock the admin account’s password
sudo chroot /opt/ltsp/i386 passwd -l adminname
  • Update the client image
sudo ltsp-update-image --arch i386

If you want to link the Thin Client login to your existing AD infrastructure then you may not want to set up these local user accounts. I have included instructions on how to do this at the end, as section 11.

9. Set up a Thin Client User Account

9a. Open Users and Groups

  • Make sure you have gnome system tools installed as this has been removed in Ubuntu 12.04.
sudo apt-get install gnome-system-tools
  • In Ubuntu 12.04 search for Users and Groups under applications after installation.

9b. Click Add to add new user account

9c. Add new username details

9d. Add new user password

9e. Change User Advanced Settings -> User Privileges

10. Boot your Thin Client from the Ubuntu LTSP server

  • Connect your Thin Client computer or Virtual Machine to your LTSP network Switch/Hub.
  • Alter the Thin Client Machine BIOS Boot settings to boot from LAN / Network / Pxe.
  • Boot the machine.
  • If all is set up correctly you should see the following Ubuntu LDM login screen on your Thin Client.
  • You will be able to login with your newly created Thin Client username and password.

11. Active Directory Login

Assumptions

It is assumed that you have a Windows 2008 Active Directory Domain set up and working properly along with a DHCP server. Your domain controller can be your DHCP server or you can set up a different box to distribute the DHCP leases. If your domain controller or DHCP server are not set up, please set these up first. It is also assumed that the reader has some basic Linux experience. You will need to know how to move around in the Linux terminal, install applications, and edit files using vi or nano.

Network Layout

For the purpose of this tutorial, this is the layout of the domain.internal network on the 10.0.0.0/24 subnet.

dc.domain.internal

Windows 2008 Server running Active Directory and DNS

server.domain.internal

Windows 2003 Server hosting user home directories and file shares

thinserver.domain.internal

Ubuntu 12.04 server with LTSPv5

dhcp.domain.internal

Add thinserver to the Windows Domain

Before we add thinserver to the domain, we’re going to have to install Samba along with some other packages.

sudo apt-get install samba smbclient winbind libpam-cracklib krb5-user

Make sure that thinserver is named correctly.

hostname

If the hostname command doesn’t return thinserver.domain.internal, rename it to thinserver.domain.internal.

hostname thinserver.domain.internal

Edit the /etc/resolv.conf to use dc.domain.internal as the primary DNS server.

search domain.internal

nameserver 10.0.0.10

On your domain controller create a host (A) record in your DNS for thinserver.

Verify that thinserver can resolve domain.internal:

nslookup domain.internal

The results should look something like this:

test@thinserver:~$ nslookup domain.internal
Server:        10.0.0.10
Address:    10.0.0.10

Name:    domain.internal
Address: 10.0.0.10

Make sure that Samba and Winbind are not running:

/etc/init.d/smbd stop
/etc/init.d/winbind stop

Just to be safe let’s back up the smb.conf, krb5.conf, and PAM common files. I like to append the date when I make a backup of a file so that I know when the changes were made.

d=`date "+%m%d%y"`
cp /etc/samba/smb.conf{,.$d}
cp /etc/krb5.conf{,.$d}
mkdir /etc/pam.d/backup
cd /etc/pam.d/
for file in *; do [ -f "$file" ] && cp "$file" "$file.$d"; done
mv *.$d backup/

Edit the /etc/krb5.conf file to look like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.INTERNAL
 default_keytab_name = FILE:/etc/krb5.keytab
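# rc4-hmac and des-cbc-md5 are legacy enctypes; a Windows 2008 domain also
# supports aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
 default_tgs_enctypes = rc4-hmac des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5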
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]

 DOMAIN.INTERNAL = {
  kdc = DC.DOMAIN.INTERNAL:88
  default_domain = DOMAIN.INTERNAL 
 }

[domain_realm]

 domain.internal = DOMAIN.INTERNAL
 .domain.internal = DOMAIN.INTERNAL
[appdefaults]
 forwardable = true
 pam = {
   minimum_uid = 16777216
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   krb4_convert = false
   DOMAIN.INTERNAL = {
	ignore_k5login = true
	}
 }
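
An added check, not part of the original post: krb5 reads its enctype lists from the relations default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes in [libdefaults], and a relation under any other name is never looked up, so a misspelling fails silently. The function below reports enctype relations whose names krb5 would not read, plus DES, 3DES and RC4 entries in the ones it does read; the function names and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example: audit the enctype relations in [libdefaults] of a krb5.conf.

# audit_krb5_enctypes [FILE...]   (reads stdin when no file is given)
# Prints one finding per line:
#   IGNORED <relation>            name ends in "types" but is not one krb5 reads
#   WEAK <relation> <enctype>     a recognised relation lists DES, 3DES or RC4
audit_krb5_enctypes() {
  awk '
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # section header
      sec = $0
      sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      next
    }
    sec == "libdefaults" && /=/ {
      name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
      val = $0;  sub(/^[^=]*=/, "", val)
      if (name !~ /types$/) next
      if (name != "default_tgs_enctypes" &&
          name != "default_tkt_enctypes" &&
          name != "permitted_enctypes") {
        print "IGNORED " name
        next
      }
      n = split(val, e, /[ \t,]+/)
      for (i = 1; i <= n; i++)
        if (e[i] ~ /^(des|rc4|arcfour)/) print "WEAK " name " " e[i]
    }' "$@"
}

# Constructed sample: one misspelled relation, one recognised relation that
# still lists RC4, and an unrelated section that must not be inspected.
sample_krb5_conf() {
  cat <<'EOF'
[libdefaults]
 default_realm = DOMAIN.INTERNAL
 default_tgs_entypes = rc4-hmac des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
 DOMAIN.INTERNAL = {
  kdc = DC.DOMAIN.INTERNAL:88
 }
EOF
}

sample_krb5_conf | audit_krb5_enctypes
```

On the server itself, run it as audit_krb5_enctypes /etc/krb5.conf after editing the file.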

Edit the /etc/samba/smb.conf file to look like this:

[global]
   workgroup = DOMAIN
   password server = *
   realm = DOMAIN.INTERNAL
   local master = no
   security = ads
   idmap backend = tdb
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 16777216-33554431
   idmap cache time = 60	
   template homedir = /home/%u
   template shell = /bin/bash
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind separator = +
   winbind use default domain = yes
   winbind refresh tickets = true
   winbind cache time = 10
   winbind offline logon = true
   winbind enum users = Yes
   winbind enum groups = Yes
   passdb backend = tdbsam

   server string = Samba Server Version %v
   log file = /var/log/samba/%m.log
   max log size = 50

Moving forward it’s advisable to have a second root terminal open just in case something doesn’t work as expected. Happens to the best of us :o)

I would recommend creating a “linux_admins” group in Active Directory and adding it to the /etc/sudoers file. An alternative is to add the “domain admins” group and to login using the administrator account.

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%linux_admins ALL=(ALL) ALL

Edit the PAM common file /etc/pam.d/common-account:

account     sufficient	  pam_winbind.so use_first_pass cached_login 
account     required      pam_unix.so broken_shadow

Edit the PAM common file /etc/pam.d/common-auth:

auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so

Edit the PAM common file /etc/pam.d/common-password:

password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3
password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional			pam_gnome_keyring.so

Edit the PAM common file /etc/pam.d/common-session:

session	    required	  		pam_env.so
session     required      		pam_unix.so
session     required      		pam_winbind.so use_first_pass 
session     required      		pam_limits.so
session     required      		pam_mkhomedir.so
session     [success=1 default=ignore] 	pam_succeed_if.so service in crond quiet use_uid

Edit the PAM common file /etc/pam.d/common-session-noninteractive:

session		[default=1]		pam_permit.so
session		requisite		pam_deny.so
session		required		pam_permit.so
session		optional		pam_winbind.so cached_login
session		required		pam_unix.so

Make sure that /etc/nsswitch.conf has the winbind entries for login.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Now we’re ready to add thinserver to the Windows Domain.

kinit administrator@DOMAIN.INTERNAL
net ads join -U administrator
net ads keytab create -U administrator
/etc/init.d/smbd start
/etc/init.d/winbind start

Verify that you are on the domain and that you can see all the users and groups in the domain.

wbinfo -u
wbinfo -g
getent passwd

You should now be able to log onto the server with your domain username and password. Verify that you’re getting a Kerberos ticket.

klist

Reboot the Network Workstation and you will be provided with the login prompt; this time, instead of using the local Ubuntu users, you should be able to log in using an AD login.

12. Configuring FAT Clients

1. Disable root login on fat clients.

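  • To disable root login from thin clients edit the sshd_config file in the client image. PermitRootLogin is an sshd (server) option; the ssh client does not accept it in ssh_config.
  • Open the Terminal Window and enter :
sudo gedit /opt/ltsp/i386/etc/ssh/sshd_config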
  • Change the following if set or add to the bottom of the config file :
PermitRootLogin no

2. Copy DNS and Repository information from server to fat client to sync updates.

  • To update the DNS information on the fat client image simply copy your LTSP server DNS details to the client image.
  • Open the Terminal Window and enter :
sudo cp /etc/resolv.conf /opt/ltsp/i386/etc/resolv.conf
  • An easy way to install software sources for fat clients is to install the repositories on the LTSP server and then copy the software sources to the fat client image.
  • Open the Terminal Window and enter :
sudo cp /etc/apt/sources.list /opt/ltsp/i386/etc/apt/sources.list
sudo cp /etc/apt/sources.list.d/* /opt/ltsp/i386/etc/apt/sources.list.d/

3. Update & Upgrade fat client installation.

  • For normal updates open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get update 
sudo chroot /opt/ltsp/i386 apt-get upgrade
  • When done, update the client image
sudo ltsp-update-image --arch i386
  • For Kernel updates do the following from the Terminal :
export LTSP_HANDLE_DAEMONS=false
sudo mount --bind /dev /opt/ltsp/i386/dev
sudo chroot /opt/ltsp/i386
mount -t proc proc /proc
apt-get update && apt-get dist-upgrade
exit
sudo ltsp-update-kernels
sudo umount /opt/ltsp/i386/proc
sudo umount /opt/ltsp/i386/dev
  • When done, update the client image
sudo ltsp-update-image --arch i386

4. Install additional fat client software.

  • If you have added the Google Chrome PPA’s details to your software sources, and copied these sources in step 2. you will be able to install Google-Chrome, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get install google-chrome-stable
  • To install the Flash Plugin for your thin/fat clients, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get install flashplugin-installer
  • To replace Gnome-Screensaver (Black screen only) with XScreensaver, open the Terminal Window and enter :
sudo chroot /opt/ltsp/i386 apt-get remove --purge gnome-screensaver 
sudo chroot /opt/ltsp/i386 apt-get install xscreensaver xscreensaver-gl
  • When done, update the client image
sudo ltsp-update-image --arch i386

5. Autostart software on all fat clients.

  • To autostart a program for all fat client users is fairly easy, simply copy the .desktop shortcut of the application to the /etc/xdg/autostart folder.
  • If you want to start google-chrome and xscreensaver for all fat client users open the Terminal Window and enter :
sudo cp /opt/ltsp/i386/usr/share/applications/google-chrome.desktop /opt/ltsp/i386/etc/xdg/autostart/
sudo cp /opt/ltsp/i386/usr/share/applications/xscreensaver-properties.desktop /opt/ltsp/i386/etc/xdg/autostart/xscreensaver.desktop
  • Tip: To autostart Google Chrome in full screen mode on a specific webpage, edit the new autostart google-chrome.desktop file and add --kiosk and your site URL as shown below :
[Desktop Entry]
X-AppInstall-Package=google chrome
X-AppInstall-Popcon=39584
X-AppInstall-Section=universe
Version=1.0
Name=Google Chrome
GenericName=Web Browser
Comment=Access the Internet
Exec=/opt/google/chrome/google-chrome --incognito --kiosk http://www.google.com
Terminal=false
X-MultipleArgs=false
Icon=google-chrome
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
X-Ayatana-Desktop-Shortcuts=NewWindow;NewIncognito

[NewWindow Shortcut Group]
Name=New Window
Exec=/opt/google/chrome/google-chrome
TargetEnvironment=Unity

[NewIncognito Shortcut Group]
Name=New Incognito Window
Exec=/opt/google/chrome/google-chrome --incognito
TargetEnvironment=Unity
  • Now edit the new autostart xscreensaver file and replace “-demo” with “-nosplash” :
sudo gedit /opt/ltsp/i386/etc/xdg/autostart/xscreensaver.desktop

6. Auto login fat clients based on IP address.

  • To auto login clients you need to supply the usernames and passwords for each user based on the IP address of the client machine.
  • Open the Terminal Window and enter :
sudo gedit /var/lib/tftpboot/ltsp/i386/lts.conf
  • Replace the usernameX and passwordX with the username and password for each user  :
[Default] 
# Local Apps 
LOCAL_APPS = True 
LOCAL_APPS_MENU = True 
LOCAL_APPS_MENU_ITEMS = firefox, google-chrome 

# Network settings 
DNS_SERVER = 192.168.1.1 
LDM_DIRECTX = True 

# Theme Settings 
LDM_THEME = ubuntu 

# Restrictions 
LOCALDEV_DENY_CD = True 
LOCALDEV_DENY_USB = True 
LOCALDEV_DENY_INTERNAL_DISKS = True 

# Auto Login 
LDM_AUTOLOGIN = True 

[192.168.1.21] 
LDM_USERNAME = username1 
LDM_PASSWORD = password1

[192.168.1.22] 
LDM_USERNAME = username2 
LDM_PASSWORD = password2 

[192.168.1.23] 
LDM_USERNAME = username3 
LDM_PASSWORD = password3

[192.168.1.24] 
LDM_USERNAME = username4 
LDM_PASSWORD = password4 

[192.168.1.25] 
LDM_USERNAME = username5 
LDM_PASSWORD = password5

Post Install

Post install there may be some things you want to do; some of these are covered here.

Mounting Windows Shares at Login

There are a couple of ways to do this in Linux but I finally decided on using Bash and Perl scripts in conjunction with Ubuntu’s “Startup Applications” to handle the mounting of Windows shares. I will include all scripts in this tutorial so that you can modify them to fit your environment and improve them as you see fit.

Before we continue, make sure that the NETLOGON share from dc.domain.internal is mounted on thinserver.domain.internal. I created a generic domain account that has permissions to only list the contents of the AD. For the sake of this example that account name is “public” with the password of “password”.

Create a folder to mount the share to.

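sudo mkdir /mnt/logonbat

Mount the NETLOGON share by adding this entry into your /etc/fstab file. The mount point has to be /mnt/logonbat, because that is where the mount.pl script further down looks for the batch files.

//dc.domain.internal/netlogon      /mnt/logonbat        cifs   username=public,password=password 0 	0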

Mount the share.

sudo mount -a
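
Both the fstab entry above and the lts.conf in step 12.6 keep passwords in cleartext: /etc/fstab is normally world-readable, and lts.conf sits under /var/lib/tftpboot, which is served over TFTP without authentication. The script below is an added example, not part of the original post: it lists the affected entries in both files and rewrites a cifs line to use the credentials= option of mount.cifs. The function names, the credentials path /etc/samba/netlogon.cred and the sample data are assumptions made for the example.

```sh
#!/bin/sh
# Added example: find cleartext passwords in fstab and lts.conf, and move the
# fstab ones into a credentials file. All functions read stdin when no file
# argument is given. /etc/samba/netlogon.cred is a hypothetical path.

# Print the mount point of every cifs entry whose options contain password=.
fstab_inline_passwords() {
  awk '
    /^[ \t]*#/ || NF < 4 { next }
    $3 == "cifs" {
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++)
        if (opt[i] ~ /^password=/) { print $2; break }
    }' "$@"
}

# Print the username=/password= options of the cifs entry mounted at $1,
# one per line: this is the body of a mount.cifs credentials file.
cifs_credentials_body() {
  mp=$1; shift
  awk -v mp="$mp" '
    /^[ \t]*#/ { next }
    $3 == "cifs" && $2 == mp {
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++)
        if (opt[i] ~ /^(username|password)=/) print opt[i]
    }' "$@"
}

# Rewrite cifs entries that carry inline username=/password= so they use
# credentials=$1 instead; every other line passes through unchanged.
fstab_use_credentials() {
  cred=$1; shift
  awk -v cred="$cred" '
    /^[ \t]*#/ || NF < 4 || $3 != "cifs" { print; next }
    {
      n = split($4, opt, ","); out = "credentials=" cred; hit = 0
      for (i = 1; i <= n; i++)
        if (opt[i] ~ /^(username|password)=/) hit = 1
        else out = out "," opt[i]
      if (hit) $4 = out
      print
    }' "$@"
}

# Print the name of every lts.conf section that sets LDM_PASSWORD.
ltsconf_password_sections() {
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    /^[ \t]*LDM_PASSWORD[ \t]*=/ { print sec }' "$@"
}

# Constructed samples modelled on the entries in this post.
sample_fstab() {
  cat <<'EOF'
# constructed sample
UUID=0000-0000 / ext4 errors=remount-ro 0 1
//dc.domain.internal/netlogon /mnt/logonbat cifs username=public,password=password,ro 0 0
EOF
}

sample_ltsconf() {
  cat <<'EOF'
[Default]
LDM_AUTOLOGIN = True
# LDM_PASSWORD = commented-out
[192.168.1.21]
LDM_USERNAME = username1
LDM_PASSWORD = password1
[192.168.1.22]
LDM_USERNAME = username2
LDM_PASSWORD = password2
EOF
}

sample_fstab   | fstab_inline_passwords
sample_fstab   | fstab_use_credentials /etc/samba/netlogon.cred
sample_ltsconf | ltsconf_password_sections

# On the server the credentials file is created readable by root only,
# before the rewritten fstab is installed:
#   ( umask 077; cifs_credentials_body /mnt/logonbat /etc/fstab > /etc/samba/netlogon.cred )
```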

The scripts used depend on each user having their own login batch file in the NETLOGON share and their own share on server.domain.internal. Here is a batch file for user “John Doe” with username “jdoe”. The batch file name is jdoe.bat. You can use just one batch file and hardcode the name into the script.

@echo off
NET USE S: \\server\common
NET USE T: \\server\IT

Create the win_share.sh script and save it to /usr/local/bin/. The win_share.sh script checks to see if the .mount.sh and .umount.sh scripts for the user logging in exist and, if they do, deletes them. It then creates new .mount.sh and .umount.sh scripts by running the /usr/local/bin/mount.pl Perl script. Finally it mounts the user’s shares by running the .mount.sh script. The user shouldn’t get prompted for a password since the script uses Kerberos to authenticate on server.domain.internal.

#!/bin/sh
# Check to see if .mount.sh and .umount.sh exist, if so delete them!

if [ -f /home/$USER/.mount.sh ]; then
   rm /home/$USER/.mount.sh
fi

if [ -f /home/$USER/.umount.sh ]; then
   rm /home/$USER/.umount.sh
fi

# Create the .mount.sh and .umount.sh scripts from users batch file

/usr/local/bin/mount.pl $USER

# Mount network shares when logging on.
/home/$USER/.mount.sh

Create the mount.pl script in /usr/local/bin/.

#!/usr/bin/perl
# Build dynamic ~user/.mount.sh based on logon.bat

$user = $ARGV[0];
$file = "/mnt/logonbat/$user.bat";  # <-- Change this from $user to the name of the batch script if you only use one.

die if ! $user;
die if ! -e $file;

open (PAM_CONF, ">/home/$user/.mount.sh");
open (LOGOFF, ">/home/$user/.umount.sh");

print PAM_CONF qq{#!/bin/sh
if [ ! -d /home/$user/Home ]; then
mkdir /home/$user/Home
fi
mount.cifs //server/$user /home/$user/Home -o username=$user,sec=krb5
};

print LOGOFF qq{#!/bin/sh
if [ "`cat /proc/mounts | grep /home/$user/Home | wc -l`" -ge "1" ]; then 
umount.cifs /home/$user/Home 
fi \n};

my(@arr)=`cat /mnt/logonbat/$user.bat`;
$mounts = parse_batfile(\@arr);
foreach $mount (@$mounts) {
  chomp($mount);
  ($server,$share) = $mount =~ /\\\\(.*)\\(.*)/;
  $share =~ tr/\cM//d;
  $mnt = $share;

  # skip AUDIT.  It's for PCs only
  next if $mnt =~ /AUDIT/;

  # skip personal shares.  
  next if lc("$mnt") eq lc("$user");
  next if ! $mnt;

  #strip dollar sign from mount point
  $mnt =~ s/\$$//;

  # make sure mount point is unique
  $mnt .= "-$server"  if $seen{$mnt}++;

  # upshift first letter of mnt point
  $mnt =~ s/^(.)(.*)/\u$1$2/g;

#  print PAM_CONF "volume $user cifs $server $share  /home/$user/$mnt  - - -\n";
  print PAM_CONF qq{if [ ! -d /home/$user/$mnt ]; then
mkdir /home/$user/$mnt
fi
mount.cifs //$server/$mnt /home/$user/$mnt -o username=$user,sec=krb5 \n};

  print LOGOFF qq{if [ "`cat /proc/mounts | grep /home/$user/$mnt | wc -l`" -ge "1" ]; then 
umount.cifs /home/$user/$mnt 
fi \n};
}

close PAM_CONF;
close LOGOFF;
system ("chown $user:16777729 /home/$user/.mount.sh");   #  16777729 is my GID for "Domain Users"
system ("chown $user:16777729 /home/$user/.umount.sh");  #  16777729 is my GID for "Domain Users"
system ("chmod +x /home/$user/.mount.sh");
system ("chmod +x /home/$user/.umount.sh");

# All done

sub parse_batfile {
  my($file) = @_;
  my(@mounts);
  foreach $line (@$file) {
    (@val) = split / /,$line;
    if (uc($val[0]) eq "NET" && uc($val[1]) eq "USE") {
       push (@mounts,$val[3]);
    }
    if ($val[0] eq "CALL") {
      my($match) = $val[1]  =~ /\\\\.*\\NETLOGON\\(.*)/ ;
      if ($match) {
        chop($match);
        my(@arr)=`cat /mnt/logonbat/$match`;
        $mounts = parse_batfile(\@arr);
        unshift @mounts, @$mounts;
      }
    }
  }
  return \@mounts;
}

This is what the .mount.sh script looks like for jdoe.

#!/bin/sh
if [ ! -d /home/jdoe/Home ]; then
mkdir /home/jdoe/Home
fi
mount.cifs //server/jdoe /home/jdoe/Home -o username=jdoe,sec=krb5
if [ ! -d /home/jdoe/common ]; then
mkdir /home/jdoe/common
fi
mount.cifs //server/common /home/jdoe/common -o username=jdoe,sec=krb5 
if [ ! -d /home/jdoe/IT ]; then
mkdir /home/jdoe/IT
fi
mount.cifs //server/IT /home/jdoe/IT -o username=jdoe,sec=krb5
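
mount.pl copies the server and share names from the batch file straight into a shell script that win_share.sh then runs, so whoever can write to the batch files on NETLOGON decides what that script contains. The check below is an added example, not part of the original scripts: it accepts a generated .mount.sh only if every line is one of the forms mount.pl writes for the given user, with names limited to letters, digits, dot, underscore and hyphen. The function name and both sample scripts are constructed.

```sh
#!/bin/sh
# Added example: allowlist check for a generated ~/.mount.sh before it is run.

# mount_script_is_safe USER < script
# Exit status 0 only if every line is a shebang, blank, "fi", or an
# if/mkdir/mount.cifs line for a directory directly under /home/USER.
mount_script_is_safe() {
  case $1 in
    ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  awk -v u="$1" '
    function okname(s) {
      return s ~ /^[A-Za-z0-9._-]+$/ && s != "." && s != ".."
    }
    function okpath(p,   pre) {            # exactly /home/USER/<name>
      pre = "/home/" u "/"
      return substr(p, 1, length(pre)) == pre && okname(substr(p, length(pre) + 1))
    }
    function okunc(p) {                    # exactly //server/share
      return p ~ /^\/\/[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/
    }
    NF == 0 || $0 == "#!/bin/sh" { next }
    NF == 1 && $1 == "fi" { next }
    NF == 2 && $1 == "mkdir" && okpath($2) { next }
    NF == 7 && $1 == "if" && $2 == "[" && $3 == "!" && $4 == "-d" &&
      okpath($5) && $6 == "];" && $7 == "then" { next }
    NF == 5 && $1 == "mount.cifs" && okunc($2) && okpath($3) &&
      $4 == "-o" && $5 == ("username=" u ",sec=krb5") { next }
    { bad = 1 }                            # anything else fails the script
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the jdoe script shown above.
sample_good() {
  cat <<'EOF'
#!/bin/sh
if [ ! -d /home/jdoe/Home ]; then
mkdir /home/jdoe/Home
fi
mount.cifs //server/jdoe /home/jdoe/Home -o username=jdoe,sec=krb5
if [ ! -d /home/jdoe/IT ]; then
mkdir /home/jdoe/IT
fi
mount.cifs //server/IT /home/jdoe/IT -o username=jdoe,sec=krb5
EOF
}

# Constructed sample: a share name carrying shell syntax.
sample_bad() {
  cat <<'EOF'
#!/bin/sh
if [ ! -d /home/jdoe/IT ]; then
mkdir /home/jdoe/IT
fi
mount.cifs //server/IT$(id) /home/jdoe/IT -o username=jdoe,sec=krb5
EOF
}

if sample_good | mount_script_is_safe jdoe; then echo "generated script accepted"; fi
if ! sample_bad | mount_script_is_safe jdoe; then echo "unexpected line rejected"; fi

# In win_share.sh the last line would become:
#   mount_script_is_safe "$USER" < "/home/$USER/.mount.sh" && "/home/$USER/.mount.sh"
```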

Once you have win_share.sh and mount.pl scripts in place, create the “Startup Application” to run it at login. To create the “Startup Application” go to “Preferences/Startup Applications”.


Passwordless SSH with Kerberos

One of the benefits of having a Kerberos enabled server is that you can now enable passwordless login via SSH. To make this work you need to have both your Linux workstation and server on the domain with Kerberos configured correctly.

Make these changes in the /etc/ssh/sshd_config file on thinserver:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes

Make these changes in the /etc/ssh/ssh_config file on your Linux workstation:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Test ssh to make sure that authentication is working with Kerberos. Try to login to thinserver from your workstation.

ssh -v thinserver

If authentication with Kerberos succeeded you shouldn’t be prompted for a password and you should see the “debug1: Authentication succeeded (gssapi-with-mic)” message:

debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

Problems and Solutions

These are some of the other issues that I came across. Hopefully they’ll help someone.

PROBLEM : LTSP client authenticates but logs out immediately
SOLUTION: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/session/required_components/windowmanager metacity

PROBLEM: You get a PAE error on your thin client on boot

SOLUTION:

Change this file: ‘/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/020-kernel-selection’. I removed ‘-pae’ twice in the kernel selection. It seems to install the PAE kernel by default. Removing this ended with an install of a non-PAE kernel for the thin clients.

PROBLEM : No VNC on thin clients
SOLUTION: http://bootpolish.net/home_ltsp_installx11vnconltsp5

PROBLEM : Change the default login screen to a custom one
SOLUTION: https://help.ubuntu.com/community/EdubuntuFAQ

PROBLEM : How to setup root password on thin client
SOLUTION: https://help.ubuntu.com/community/EdubuntuFAQ

PROBLEM : No logout icon
SOLUTION: http://ubuntuforums.org/archive/index.php/t-815188.html

34 comments on “Setting up an Ubuntu Thin Client Server”

  2. zfs
    January 9, 2013

    checkout x2go, it has thin client support..

  3. Ramon Sagullo
    March 3, 2013

    Hi. I would like to thank you for the way you presented the steps. This is actually the first site that I felt, “I just might actually pull this off!” 🙂

    Most of what you wrote is *almost* clear to my being “far-from-being-proficient-Linux-user.” Though I am comfortable enough in using the terminal.

    Here are more than a few points with my questions.

    1. I have not used an Active Directory. Do I need this to set-up thick/thin clients?

    2. Before trying this out with our computers in the lab, I plan to “play” with it with our computers in the library. Going the direction of a thick client, what specs are we talking here for the server to host 8,10 thick clients?

    3. I have tried the DRBL LiveCD. It worked fine. But I got lost after half-way through with the instruction from its “how-to.” I was doing this my Ubuntu 12.04 and three clients.

    Your instructions (before #11) are more digestible to my limited abilities and limited understanding. I really thank you for this.

    Now, in “6a” above that goes – “:NOTE: only software installed in the Fat client image will be available to the client” – am I wrong to think the image resides in the server? If not, then my fat clients will still be using their hard disk?

    The reason I need your indulgence and patience is – I am exploring this path, like any one-man IT dept., to save on electricity and generated heat, not to mention, less parts to break/replace.

    Though from my cursory readings around the web, it appears to me that having thin clients needs less maintenance but route requires beefier and more expensive server/s.

    If all I need is to have clients run LibreOffice and of course, the ability to browse the Internet, with some educational package like Tux Type for the young kids who are to use the clients which route should I take – thin or thick client?

    My other prayer when I tried DRBL is that, the long nights of updating the computers under my care was to be history. But I lack the intelligence and training to understand all the listed instructions. Your presentation at least did not make me feel so hopeless 🙂

    Thank you and best regards.
    Mon

    • projectzme
      March 3, 2013

      Tell you what, if you reply to this with an exact outline of what you wish to achieve, the specs of the desktops, server etc I will do a complete blog post on your behalf and we will get you working. I am a HUGE advocate of the Linux terminal server project LTSP. It has saved my bacon many times.. I am more than happy to assist a fellow understaffed IT guy.. 🙂

  4. Mon Sagullo
    March 4, 2013

    Hello David.

    Understaffed would be an improvement! I am the “head” & the “staff” tightly rolled into one “department” on a very 🙂

    Aiming for –

    LTSP to serve 52 desktops in the high school lab.

    This lab has 4-yr old desktops of mostly Intel E4600 and a dozen of Dual-core Atoms. The Atoms are now geared to be added in the library.

    I have the approval to get 25 new “550” Celerons. All will be on an Asus mobo, 4Gig DDR3, on-board gigabit Lan. Hopefully, these will be w/o hard drives after you teach me how to make that happen 🙂

    My “desktop learning tool” is an E4600 w/ 4Gig DDR2, dedicated Nvidia Gforce 7300 w/ on board fast and add-on gigabit Lan card, 3

    This machine has Ubuntu 12.04 64-bit.

    Bandwidth is quite expensive here. So, utmost, half of these desktops in the lab are meant to have dedicated access to the internet.

    Currently, our subscribed bandwidth for the lab from our ISP and the DD-WRTed Linksys only allow 12 to 15 desktops to simultaneously browse the net.

    The few desktops in the library have full wi-fi access though, using a separate subscription on its own WRT54g.

    Our budget will limit my choice with the relatively inexpensive D-Link and Linksys switches.

    Once I have this running and I have better understanding of this project, I can go out for the suggested “server.” I can push for two *if needed.*

    Lastly, our kids here in school mainly use LibreOffice. The younger ones like Tux Type and Tux Paint 🙂

    Thank you so much.

    • projectzme
      March 7, 2013

      Cheers for this, I will set about this weekend putting something together. Impossible Mon to Friday I have similar issues at work. 😉 I feel your pain…

  5. Nico Vlachakis
    March 9, 2013

    Nice tutorial. I’m definitely going to try this one out but instead of using active directory I will try to use Openldap.

    • Mon Sagullo
      March 11, 2013

      David, I know it’s getting redundant, but, thank you just the same. I am looking forward to your version of “LTSP for Dummies” 🙂

  6. Hi, David.
    We have 2 Digital labs in our Institute built around LTSP networks using Ubuntu 11.1. We now want to upgrade to Ubuntu 12.04. After a lot of research, we settled on your tutorial as the most detailed and easy to follow.

    We followed your tutorial steps to the letter, up to the point where we tried to connect a Thin Client. The thin client is a hp compaq t5525 with a 800MHz.

    Unfortunately, it started to boot, picked up a DHCP IP from the server, but suddenly hung up and gave this 2-line error :

    “This kernel requires the following features not on the CPU: pae cx8”
    “Unable to boot – please use a kernel appropriate for your CPU”

    Can you please advise how we can get around this.

    Patrick

    • projectzme
      March 25, 2013

      Being a bit lazy here as I am not googling the compaq Spec (on a train..) did you use the i386 version of the OS, first glance it looks like you might have used the 64 bit OS.. Also if you did build from the I386 version you may have downloaded the x64 LTSP files which you are pre booting from…

      • Patrick Unisa Tay
        March 26, 2013

        David ,
        Actually used the alternate version cd and it is i386. It’s 2am and home but I’ll try to build the ltsp from i386 archive when I get to campus in morning and report. Thanks.

      • projectzme
        March 26, 2013

        It appears you might have to use a custom non Pae kernel for that hardware, I can assist but might take a while to google how, would be useful however so I can add it as a note to the guide..

      • projectzme
        March 26, 2013

        Little bit of reading up on this, it seems you may need to use the Ubuntu desktop edition as your base OS, as this will install the generic kernel, if you use the other versions of Ubuntu you are possibly installing the -generic-pae version of the kernel, what you might be able to do is on your existing server use apt-get to install the generic kernel with no Pae support then reboot using that kernel, remove using apt-get the original kernel and then rebuild the LTSP image..

        Basically it seems that whatever kernel you have on your server is being used to build the LTSP image..

        A command which you may want to google is

        http://bootpolish.net/home_ltsp_ltsp5commands_ltspupdatekernels

        Sorry you are having problems, I’m hoping we can solve them and add the resolution to the guide

    • projectzme
      March 25, 2013

      This might also help

      Power off Machine
      Reboot into bios
      Check Enable if exists PAE/NX
      Click OK

      The steps might be different, can you confirm is it a 386 or 64bit processor..?

      • Rudy
        April 2, 2013

        Hi. I have the same problem:
        “This kernel requires the following features not on the CPU: pae cx8”
        “Unable to boot – please use a kernel appropriate for your CPU”

        Server has 386 arch installed (machine is actually 64-bit), and client is 386 arch with non-pae processor. Seems that building the client installs automatically the pae kernels…

        Strange….

        Best regards
        Rudy

      • projectzme
        April 2, 2013

        As the last comment if you used the desktop version of Ubuntu this is to be expected as on the desktop 12.04 and 12.10 only Pae kernels are supported.

    • Patrick
      May 8, 2013

      Hi David,
      I tried Rudy’s suggestion and I have posted on that. While we continue to look for a way out of the “pae” error on 12.04, we have had to install 10.04 to keep the labs open to students.

      However, the Thin Clients on 10.04 would freeze and hang after some time and randomly. At times some of them just reboot right in the middle of browsing. We tried apt-get update as was recommended but the problem still persists.

      Could you please advise.

      Regards.

      Patrick.

      • projectzme
        May 9, 2013

        Ubuntu 12.04 (as well as Kubuntu 12.04 and newer Ubuntu versions) uses the PAE Linux kernel by default for 32bit ISOs so old computers that don’t support PAE can’t boot the latest Ubuntu version. But there is a way to install Ubuntu 12.04 LTS Precise Pangolin on computers without PAE support: using the non-PAE netboot Minimal ISO (there are also some alternatives, see below).

        The non-PAE netboot mini ISO lets you install the non-PAE kernel and the desktop environment you want: you can select to install Ubuntu Desktop (with Unity), Kubuntu Desktop and so on. One note though: since the minimal CD will download packages from online archives at installation time instead of providing them on the install CD itself, you need a working Internet connection during the installation.

        Have a read of this article http://www.webupd8.org/2012/05/how-to-install-ubuntu-1204-on-non-pae.html

        It also suggests how to use xubuntu or lubuntu however the minimal iso seems a good way to go as it allows you to install just what you want.

      • projectzme
        May 9, 2013

        If you are having the same issue on 12.10 go to http://www.webupd8.org/2012/11/how-to-install-ubuntu-1210-on-non-pae.html

  7. Rudy
    April 3, 2013

    Hi, I used the 12.04 desktop version (386). In mean time I found the solution: I had to change this file: ‘/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/020-kernel-selection’. I removed 2 times ‘-pae’ in the kernel selection. Seems to install by default the pae kernel. Removing this ended with an install of non-pae kernel for the thin clients.
    Best regards
    Rudy

    • projectzme
      April 3, 2013

      Thank you so much for getting back to me, I will add this information to the post…

    • Rudy
      April 3, 2013

      Sorry, I used Xubuntu 12.04 desktop version (386). Don’t know if same will solve the problem for Ubuntu…

    • Nico Vlachakis
      April 4, 2013

      Thanks for this info Rudy.

    • Patrick
      May 8, 2013

      Hi, Rudy, just got chance to try. In my case it didn’t work but came up with an error saying “trying to load pxelinux/default” and hangs. It also pointed to kernel problem with “pae”.

  8. Rajesh
    July 20, 2013

    Hi, Thank you for the post how to install ltsp clearly. I had installed the LTSP on my ubuntu server but my thin clients are not connecting with the ubuntu server..

    • projectzme
      July 20, 2013

      Two things,

      1 I can’t help with no information
      2 try some troubleshooting

      Error messages? Network? Pxe boot?

  9. Wiryono Lauw
    July 23, 2013

    Hi, for mounting cifs on login. Could you give more specific information ?
    Do I need to put the script inside the chroot /opt/ltsp/i386 ?

    For adding it to the application startup means I have to do it manually ( login to each user and add it to their startup settings )

    Is there a way to do it from the server ?

    My mount.cifs doesn’t work but smbfs ok, Is there any advantage from each of them ?

    • projectzme
      July 23, 2013

      The comments are moderated, that’s why it didn’t turn up immediately..

      I’m afraid you might have to resort to google for a bit more help, the ltsp project forums might have more advice. I did put the scripts inside the chroot.

      • wpsdryono
        July 23, 2013

        Ah ok, thanks. I got a problem though after adding that suddenly my client always get TFTP open timeout and cannot connect again even if I revert all the settings back ( remove everything ) strange… could be windows dhcp server …

        I got to ask in the ltsp forum, everytime I make a tiny change my client get TFTP open timeout and I can’t find a way back to restore it -_-!

  10. wpsd
    July 23, 2013

    Ah ok, thanks. I got a problem though after adding that suddenly my client always get TFTP open timeout and cannot connect again even if I revert all the settings back ( remove everything ) strange… could be windows dhcp server …

    I got to ask in the ltsp forum, everytime I make a tiny change my client get TFTP open timeout and I can’t find a way back to restore it -_-!

    • wpsd
      July 23, 2013

      found the problem, forget that I have two nic it’s connect to the other one how foolish…

      • projectzme
        July 23, 2013

        No such thing as a fool who asks questions

  11. kumar ullal
    August 19, 2013

    I have a question about auto mounting the network shares based of the AD credentials.
    First
    Mount the NETLOGON share by adding this entry into your /etc/fstab file.

    //dc.domain.internal/netlogon /mnt/logon
    You have said, you created an account called public with password of password in windows AD.
    However,in the fstab entry, there is no mention of user credentials.
    Next,
    in mount.pl
    #strip dollar sign from mount point
    $mnt =~ s/\$$//;
    What do you replace the $$ sign with?
    Thanks and Regards

    • projectzme
      August 20, 2013

      Credentials, sorry use a .credentials file and refer to it in fstab it’s documented on many an Ubuntu site 🙂
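
The credentials-file approach mentioned in the reply above keeps the AD account's password out of the world-readable /etc/fstab, which only helps if the referenced file is itself owner-only. The check below is an added example, not part of the original post or its comments: it audits the CIFS entries of an fstab for inline passwords and for missing or over-permissive credentials files. The function names, share names other than netlogon, paths and password value are constructed for illustration; `credentials=`/`cred=` and `password=`/`pass=` are the mount.cifs option names.

```shell
#!/bin/sh
# Audit CIFS entries in an fstab-format file for exposed credentials.
# Prints one finding per line as "<mount point>: <problem>".
audit_cifs_fstab() {
    # fstab fields: spec, mount point, type, options, then dump/pass
    while read -r spec mnt type opts rest; do
        case $spec in ''|'#'*) continue ;; esac
        case $type in cifs|smbfs) ;; *) continue ;; esac
        cred=''
        old_ifs=$IFS; IFS=,
        for o in $opts; do          # walk the comma-separated options
            case $o in
                password=*|pass=*) echo "$mnt: password stored inline" ;;
                credentials=*|cred=*) cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
        # ls -l mode string: characters 5-10 are the group and other bits
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            echo "$mnt: $cred accessible beyond its owner"
        fi
    done < "$1"
}

# Constructed sample data (hypothetical shares, paths and password).
make_sample() {
    dir=$1
    printf 'username=public\npassword=example-only\n' > "$dir/good.cred"
    cp "$dir/good.cred" "$dir/open.cred"
    chmod 600 "$dir/good.cred"
    chmod 644 "$dir/open.cred"
    cat > "$dir/fstab" <<EOF
# constructed fstab for the audit example
//dc.domain.internal/netlogon /mnt/logon cifs credentials=$dir/good.cred,ro 0 0
//dc.domain.internal/shared /mnt/shared cifs username=public,password=example-only 0 0
//dc.domain.internal/home /mnt/home cifs cred=$dir/open.cred,uid=1000 0 0
//dc.domain.internal/old /mnt/old cifs credentials=$dir/missing.cred 0 0
UUID=0000 / ext4 errors=remount-ro 0 1
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_cifs_fstab "$tmp/fstab"
rm -rf "$tmp"
```

On the sample data only /mnt/logon passes; on a real server, point the function at /etc/fstab and also confirm the credentials file is owned by root.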
