DebianEdu/Documentation/Etch/HowTo/

---

HowTos for networked clients

Thin Clients vs Diskless workstations

Instructions on how to enable diskless workstations / stateless workstations / lowfat clients / half-thick clients are available from http://wiki.debian.org/DebianEdu/HowTo/LtspDisklessWorkstation

LTSP in detail

lts.conf

To make special adaptations and configurations for specific thinclients, you can edit the file /opt/ltsp/i386/etc/lts.conf. Have a look at /opt/ltsp/i386/usr/share/doc/ltsp-client/examples/lts.conf to see examples and what parameters you can specify.

The default values is defined under [default], to configure one client, specify which client using the client mac adress or ipadress like this [192.168.0.10].

Example: To make the thinclient ltsp010 use 1280x1024 resolution, add something like this:

[192.168.0.10]
X_MODE_0 = 1280x1024
X_HORZSYNC = "60-70"
X_VERTREFRESH = "59-62"

somewhere below the default settings.

Depending on what changes you make, it may be necessary to restart X on the client (by pressing alt+ctrl+backspace) or restart the client.

To use ipadresses in lts.conf you should add the client mac-address to your dhcp-server. Otherwise you should use the client mac-address directly in you lts.conf file.

Load balancing LTSP servers

It is possible to set up the clients to connect to one of several servers for load balancing. One way is listing several servers using LDM_SERVER in lts.conf. Another is by providing /opt/ltsp/i386/usr/lib/ltsp/get_hosts as a script printing one or more servers to connect to. In addition to this, each ltsp chroot need to include the ssh host key for each of the servers.

This feature was new in ltsp version 0.99debian12+0.0.edu.etch.8 to be included in 3.0r1.

Sound with LTSP clients

If the client has sound hardware support and alsa is used (currently, this is the default sound system in Debian), module snd-pcm-oss should be loaded by the client hardware to assure esd can find /dev/dsp. If it's not done automatically, this line:

MODULE_01 = "snd-pcm-oss"

should be added to the server in the /opt/ltsp/i386/etc/lts.conf file.

Replacing LDM with KDM

Skolelinux 3.0 is running LDM as a login manager. It uses a secure ssh tunnel to log in. When using KDM a switch to XDMCP is neccesary. XDMCP uses less CPU ressources on the clients and on the server.

Warning: XDMCP does not use encryption. Passwords will travel in cleartext over the network, as well as anything else.

Note: local devices with ltspfs will stop working without LDM.

To check if XDMCP is running, run this command from a workstation:

 X -query ltspserverXX

If you are on the thin client network, please run this command:

 X -query 192.168.0.254

The goal is to let your "real" thin client to contact the xdmcp-server on the 192.168.0.254 net (given a standard Skolelinux configuration).

If by some reason xdmcp is accessible on your server which runs KDM , please add the following to /etc/kde3/kdm/Xaccess

 * # any host can get a login window

The star before the comment '#' is important, rest is a comment of course

Then turn on xdmcp in kdm with the command:

 sudo update-ini-file /etc/kde3/kdm/kdmrc Xdmcp Enable true

At the end please restart kdm by running:

 sudo invoke-rc.d kdm restart

(in courtasy of Finn-Arne Johansen)

Connecting Windows machines to the network / Windows integration

Joining the domain

For Windows clients the Windows domain "SKOLELINUX" is available to be joined. A special service called Samba, installed on the main-server tjener, enables Windows clients to store profiles and userdata and also authenticates the users during the login.

In order to make Windows clients join the domain some (few) steps are required:

1. Create a user with membership in the "admins" group (if not already existing)

• In order to be able to join the "SKOLELINUX" domain a member of the admins group needs to authorize the process. If not yet existing a user with that membership needs to be added (for more information see <link to lwat docu>). The user "root" will not work, because there is no password for root in Samba.

2. Configure the Windows client as static host

• When joining a samba domain some special data is stored on the domain controller (tjener). This data is needed to recognize the Windows client later as being allowed to authenticate users. In order to enable Samba to store this data, Samba requires an static host configuration to be present. This could be added by using the LWAT web interface (see also <link to lwat>). When adding the static host configuration it is important to check the "Samba host" option, otherwise will lack the required data to be able to join the domain.

3. On the Windows client: Make sure the network and system configuration matches the data stored on tjener (hostname and ip configuration)

• It's really important, that the Windows hosts has the same data, otherwise Samba will not find the host added in step 2.

4. Join the domain as usual using the user added in step 1.

• Depending on the version and language of you Windows installation, you should find the configuration about the domain or workgroup of your system somewhere in the system properties. A freshly installed Windows system should belong to a default workgroup. You can join the domain by selecting "Domain" instead of "Workgroup" and entering SKOLELINUX as new domain. Pressing enter will then open a new window, where the login data of the user created in step 1. can be entered. After some time the Windows client opens a popup window with a welcome message. After the obligatory reboot the loginscreen offers a option to login into the domain.

Windows will sync the profile of domain users on every login and logout. Depending on how much data stored in the profile this could take some time. To minimize the time needed, one should deactivate things like local cache in browsers (you could use the squid proxycache installed on tjener instead) and save file into the H: volume instead of "Own files".

User groups in Windows

Groupmaps must also be added for any other user groups you add through lwat. If you want your user groups to be available in Windows eg for netlogon scripts or other group dependant actions, you can add them using variations of the following command. Samba will function without these groupmaps, but Windows machines won't be group aware.

/usr/bin/net groupmap add unixgroup=students \
             type=domain ntgroup="students" \
             comment="All students in the school"

XP home

Users bringing in their XP home laptop can still connect to Tjener using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the windows firewall before Tjener will appear in Network Neighbourhood (or whatever its called now).

Managing roaming profiles

Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are personal files, desktop icons, screen colors, mouse settings, window size and position, application configurations and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.

Since the profile is copied from the server to the machine during logon, and copied back to the server during logout. A large profile can make windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problems is that users save their files on the windows desktop or in my documents instead of in their homedir. Also some badly designed programs use the profile for scratch space, and other data.

The educational approach One way to deal with to large profiles is to explain the situation for the users. tell them not to store huge files on the desktop and if they fail to listen it's their own fault when login is slow.

Tweaking the profile A different way to deal with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the work load from the users to the administrator, while adding the complexity of the installation. There are atlest three ways to edit the parts that are removed from the roaming profile.

Using machine policies

you can edit the machines policy and copy it to all other computers.

1. pick a freshly installed windows computer, and run gpedit.msc

2. under the selection User Configuration -> Administrative Templates -> System -> User Profiles -> Exclude directories in roaming profile, you can enter a semicolon separated string of directories to exclude from the profile, the directories are internationalize and must be written in your own language the way they are in the profile. Example of directories to exclude are

   • log
   • Locale settings
   • Temporary Internet Files
   • My Documents
   • Application Data
   • Temporary Internet Files
3. Save your changes, and exit the editor.

4. Copy c:\windows\system32\GroupPolicy to all other windows machines.

   • It's a good idea to copy it to your windows os deployment system to have it included at install time.

Using global policies

By using the windows policy editor (poledit.exe), you can can create a Policy file (NTConfig.pol) file and put it in your netlogon share on tjener. This would have the advantage of working almost instantly on all machines. But is unfortunatly not as easy as it sounds. And you can quite easily lock yourself out of your windows machines. If you have experience with this please elaborate here... FIXME

Editing Windows registry

You can edit the registry of the local computer, and copy this registry key to other computers

1. Start the Registry Editor.

2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

3. Use the menu Edit menu->New->String Value.

4. Call it ExcludeProfileDirs

5. Enter a semicolon sepatated string of paths to exclude. (same way as machine policy)

Now you can choose to export this registry key as a .reg file, Mark a selection, right click and select export. Save the file and you can double click it, or add it to a script to spread it to other machines.

Sources:

• http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx

• http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html

• http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html

• http://www.css.taylor.edu/~nehresma/samba.html

Redirecting parts of profile

Sometimes just removing the directory from the profile is not enough. You may experience that users loose files because they mistakenly save things into my documents, when this is not saved in the profiles. Also you may want to redirect the directories some badly programed applications use to normal network shares.

Using machine policies

Everything under Using machine policies above applies. You edit using gpedit.msc and copy the Policy to all machines The redirection should be available under User Configuration -> Windows Settings->Folder Redirection Things that can be nice to redirect are Desktop or My Documents.

One thing to remember is that if you enable folder redirection, those folders are automatically added to the syncroniced folders list. If you do not want this, you should also disable that in following

• User Configuration -> Administrative Templates -> Network -> Offline Files

• Computer Configuration -> Administrative Templates -> Network -> Offline Files

Using global policies

FIXME

Avoiding roaming profiles

Using a local policy

Using local policies you can disable roaming profile on individual machines. This is often wanted on special machines, for instance on dedicated machines, or machines that have lower then usual bandwith.

You can use the machine policy method describe above, the key is in

• Administrative Templates -> system -> User Profiles -> Only allow local profiles

Using global policies

FIXME: what is the roaming profile key for the global policy editor

altering samba config

By editing the samba config you can disable roaming profiles for the entire network. Perhaps everyone have their own dedicated machine? and nobody else is allowed to touch it. To disable the roaming profiles for the entire network you can alter the smb.conf file on tjener and unset the logon path and logon home variables, and restart samba.

logon path = ""
logon home = ""

Remote Desktops with RDP, VNC, NX or Citrix

Some municipalities provide a remote desktop solution so that students and teachers can access Skolelinux from their home computer running Windows, Mac or Linux.

• RDP - the easiest way to access Windows terminal server. Just install the rdesktop package.

• VNC client (Virtual Network Computer) gives access to Skolelinux remotely. Just install the xvncviewer package.

• NX graphical client gives students and teachers access to Skolelinux remotely on Windows, Mac or Linux PC. One municipality in Norway has provided NX support to all their students since 2005. They report that the solution is stable.

• Citrix ICA client HowTo to access Windows terminal server from Skolelinux.

HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)

• http://wiki.debian.org/DebianEdu/HowTo/LocalDeviceLtspfs

• http://wiki.debian.org/DebianEdu/HowTo/LtspDisklessWorkstation