Thinlinc configuration

Only for Ctrls SL6 and thinlinc 4.5
pay attentions to CL7 and thinlinc 4.8 changes

Remember to modify:

/opt/thinlinc/etc/conf.d/vsmagent.hconf

Make_homedir=0

/etc/init.d/vsmagent restart

15.4. Indicating that Shadowing is in Progress

In some cases, the user being shadowed need to be aware that their session is being monitored. By running the tl-shadow-notify program during the session lifetime, a window will pop up with information about the shadowing whenever shadowing starts or stops.

To start tl-shadow-notify automatically during session startup, a symbolic link must be created in /opt/thinlinc/etc/xstartup.d:

# ln -s /opt/thinlinc/bin/tl-shadow-notify /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify

To deactivate tl-shadow-notify, remove the symbolic link from /opt/thinlinc/etc/xstartup.d.

# rm /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify

#> ls -al /opt/thinlinc/etc/xstartup.d

lrwxrwxrwx  1 root root   25 Nov 11  2015 01-tl-kinit.sh → ../../libexec/tl-kinit.sh
lrwxrwxrwx  1 root root   31 Nov 11  2015 02-tl-dbus-launch.sh → ../../libexec/tl-dbus-launch.sh
lrwxrwxrwx  1 root root   33 Nov 11  2015 10-tl-clipboard-helper → ../../libexec/tl-clipboard-helper
lrwxrwxrwx  1 root root   26 Nov 11  2015 11-tl-set-title → ../../libexec/tl-set-title
lrwxrwxrwx  1 root root   33 Nov 11  2015 12-tl-default-keyboard → ../../libexec/tl-default-keyboard
-rwxr-xr-x  1 root root  322 Sep 20  2016 

15-tl-shadow-notify → /opt/thinlinc/bin/tl-shadow-notify

-rwxr-xr-x  1 root root 1321 Sep 20  2016 

20-tl-select-profile.sh

lrwxrwxrwx  1 root root   30 Nov 11  2015 30-tl-xdg-user-dirs → ../../libexec/tl-xdg-user-dirs
lrwxrwxrwx  1 root root   40 Dec 24  2016 35-tl-desktop-activate.sh → /opt/thinlinc/bin/tl-desktop-activate.sh
-rwxr-xr-x  1 root root  823 Dec 10  2016 

40-tl-mount-localdrives.sh

 
lrwxrwxrwx  1 root root   32 Nov 11  2015 41-tl-lp-redir-launch → ../../libexec/tl-lp-redir-launch
lrwxrwxrwx  1 root root   27 Nov 11  2015 50-tl-wait-smartcard → ../../bin/tl-wait-smartcard
-rwxr-xr-x  1 root root  320 Sep 13  2016 

60-tl-clear-sso-password.sh

I file da modificare sono:

• 15-tl-shadow-notify con il link simbolico
  
• 20-tl-select-profile.sh
  
• 40-tl-mount-localdrives.sh
  
• 60-tl-clear-sso-password.sh

20-tl-select-profile.sh

#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Copyright 2002-2014 Cendio AB.
# For more information, see http://www.cendio.com
#
# action: Choosing a profile
#

# Modificato, altrimenti chiede all'utente di scegliere un profilo anche
# in caso di single-command

# Display the profile selection menu

if [ -z "$TLCOMMAND" ] ; then
  TLPROFILE=`"${TLPREFIX}/libexec/tl-select-profile"`
  if [ $? -ne 0 ] ; then # User pressed cancel
      exit 0
  fi
  export TLPROFILE
 else
  TLPROFILE=""
  # Individuazione del pid della sessione sshd corrispondendete alla tlsession
  # rendendolo disponibile nella variabile TLSSHPID
  # Il pid puo' essere usato per chiudere la tlsession o fare altre azioni
  # quando il tlclient si disconnette (cosa non prevista da Cendio)
  # Attenzione: perche' funzioni deve essere permessa l'assenza di tty nella regola
  #             sudo corrispondente al comando netstat , con !requiretty
  if [[ "$TLCOMMAND" =~ openbox ]] ; then
     sn=`/bin/basename $TLSESSIONDATA`
     myvncport=`expr 5900 + $sn`
     TLSSHPID=`SUDO_ASKPASS="${TLPREFIX}/bin/tl-sso-password" /usr/bin/sudo -A /bin/netstat -tnp | /bin/egrep ":"${myvncport}"[[:blank:]]+ESTABLISHED [0-9]+\/sshd[[:blank:]]+$" | awk '{gsub("/sshd","",$NF) ; print $NF}'`
     export TLSSHPID
     #SHELL="/bin/sh"
  fi
fi

40-tl-mount-localdrives.sh

#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Mount dei local drives, ma non in caso di single-command

if [ -z "$TLCOMMAND" ] ; then

        # prova di isolamento dei mount points per i thinlinc drives
        # per fare in modo che vengano visti solo dai processi nella
        # sessione thinlinc dell'utente e non dagli altri processi di
        # sistema in modo che in caso di NFS stale handle per indisponibilita'
        # del thinlinc client remoto:
        # - il browsing delle directory in /var/opt/thinlinc non vada in hang
        # - il mount non funzionante venga pulito quando la sessione viene 
        #   chiusa senza necessita' di un reboot del sistema

        #SUDO_ASKPASS=/opt/thinlinc/bin/tl-sso-password /usr/bin/sudo -A /usr/bin/unshare -m

        ../../libexec/tl-mount-localdrives
fi

60-tl-clear-sso-password.sh

#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Cancellazione di default della sso password in plain text
# tranne che per alcune eccezioni in cui e' utile (per es.
# per lo shadowing da ctrlop)
#

if [ -z "$TLCOMMAND" ] ; then
        [ -c /dev/null ] && /opt/thinlinc/bin/tl-sso-password --remove >> /dev/null
fi

Allow change password

$ :

tl-passwd

This command is used to let the user change their password, both in the underlying authentication mechanism and in the ThinLinc Single Sign-On mechanism.
In order for this to work, any user must be able to read the file /etc/pam.d/sshd (or, more correct, the file that the symbolic link /etc/pam.d/thinlinc points at.
Also, in the case where the underlying authentication mechanism is LDAP or eDirectory, make sure that the parameter pam_password in /etc/ldap.conf is set to a value that is
appropriate for your environment. If you're authenticating against eDirectory servers, it must be set to nds. See the comments in ldap.conf for more information.
        

Crashing Firefox tabs

On some systems a bug in the default policy settings prevent Firefox 52 ESR from working correctly. All tabs will simply show Gah. Your tab just crashed.. Either a newer version of Firefox must be used, or the local policy must be set to be less restrictive:

$ sudo setsebool -P unconfined_mozilla_plugin_transition off