Thinlinc configuration
Only for Ctrls SL6 and thinlinc 4.5
pay attentions to CL7 and thinlinc 4.8 changes
Remember to modify:
/opt/thinlinc/etc/conf.d/vsmagent.hconf
Make_homedir=0
/etc/init.d/vsmagent restart
15.4. Indicating that Shadowing is in Progress
In some cases, the user being shadowed need to be aware that their session is being monitored. By running the
tl-shadow-notify program during the session lifetime, a window will pop up with information about the shadowing whenever shadowing starts or stops.
To start
tl-shadow-notify automatically during session startup, a symbolic link must be created in /opt/thinlinc/etc/xstartup.d:
# ln -s /opt/thinlinc/bin/tl-shadow-notify /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify
To deactivate
tl-shadow-notify, remove the symbolic link from /opt/thinlinc/etc/xstartup.d.
# rm /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify
#> ls -al /opt/thinlinc/etc/xstartup.d
lrwxrwxrwx 1 root root 25 Nov 11 2015 01-tl-kinit.sh → ../../libexec/tl-kinit.sh
lrwxrwxrwx 1 root root 31 Nov 11 2015 02-tl-dbus-launch.sh → ../../libexec/tl-dbus-launch.sh
lrwxrwxrwx 1 root root 33 Nov 11 2015 10-tl-clipboard-helper → ../../libexec/tl-clipboard-helper
lrwxrwxrwx 1 root root 26 Nov 11 2015 11-tl-set-title → ../../libexec/tl-set-title
lrwxrwxrwx 1 root root 33 Nov 11 2015 12-tl-default-keyboard → ../../libexec/tl-default-keyboard
-rwxr-xr-x 1 root root 322 Sep 20 2016
15-tl-shadow-notify → /opt/thinlinc/bin/tl-shadow-notify
-rwxr-xr-x 1 root root 1321 Sep 20 2016
20-tl-select-profile.sh
lrwxrwxrwx 1 root root 30 Nov 11 2015 30-tl-xdg-user-dirs → ../../libexec/tl-xdg-user-dirs
lrwxrwxrwx 1 root root 40 Dec 24 2016 35-tl-desktop-activate.sh → /opt/thinlinc/bin/tl-desktop-activate.sh
-rwxr-xr-x 1 root root 823 Dec 10 2016
40-tl-mount-localdrives.sh
lrwxrwxrwx 1 root root 32 Nov 11 2015 41-tl-lp-redir-launch → ../../libexec/tl-lp-redir-launch
lrwxrwxrwx 1 root root 27 Nov 11 2015 50-tl-wait-smartcard → ../../bin/tl-wait-smartcard
-rwxr-xr-x 1 root root 320 Sep 13 2016
60-tl-clear-sso-password.sh
I file da modificare sono:
- 15-tl-shadow-notify con il link simbolico
- 20-tl-select-profile.sh
- 40-tl-mount-localdrives.sh
- 60-tl-clear-sso-password.sh
20-tl-select-profile.sh
#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Copyright 2002-2014 Cendio AB.
# For more information, see http://www.cendio.com
#
# action: Choosing a profile
#
# Modificato, altrimenti chiede all'utente di scegliere un profilo anche
# in caso di single-command
# Display the profile selection menu
if [ -z "$TLCOMMAND" ] ; then
TLPROFILE=`"${TLPREFIX}/libexec/tl-select-profile"`
if [ $? -ne 0 ] ; then # User pressed cancel
exit 0
fi
export TLPROFILE
else
TLPROFILE=""
# Individuazione del pid della sessione sshd corrispondendete alla tlsession
# rendendolo disponibile nella variabile TLSSHPID
# Il pid puo' essere usato per chiudere la tlsession o fare altre azioni
# quando il tlclient si disconnette (cosa non prevista da Cendio)
# Attenzione: perche' funzioni deve essere permessa l'assenza di tty nella regola
# sudo corrispondente al comando netstat , con !requiretty
if [[ "$TLCOMMAND" =~ openbox ]] ; then
sn=`/bin/basename $TLSESSIONDATA`
myvncport=`expr 5900 + $sn`
TLSSHPID=`SUDO_ASKPASS="${TLPREFIX}/bin/tl-sso-password" /usr/bin/sudo -A /bin/netstat -tnp | /bin/egrep ":"${myvncport}"[[:blank:]]+ESTABLISHED [0-9]+\/sshd[[:blank:]]+$" | awk '{gsub("/sshd","",$NF) ; print $NF}'`
export TLSSHPID
#SHELL="/bin/sh"
fi
fi
40-tl-mount-localdrives.sh
#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Mount dei local drives, ma non in caso di single-command
if [ -z "$TLCOMMAND" ] ; then
# prova di isolamento dei mount points per i thinlinc drives
# per fare in modo che vengano visti solo dai processi nella
# sessione thinlinc dell'utente e non dagli altri processi di
# sistema in modo che in caso di NFS stale handle per indisponibilita'
# del thinlinc client remoto:
# - il browsing delle directory in /var/opt/thinlinc non vada in hang
# - il mount non funzionante venga pulito quando la sessione viene
# chiusa senza necessita' di un reboot del sistema
#SUDO_ASKPASS=/opt/thinlinc/bin/tl-sso-password /usr/bin/sudo -A /usr/bin/unshare -m
../../libexec/tl-mount-localdrives
fi
60-tl-clear-sso-password.sh
#!/bin/bash
# -*- mode: shell-script; coding: utf-8 -*-
#
# Cancellazione di default della sso password in plain text
# tranne che per alcune eccezioni in cui e' utile (per es.
# per lo shadowing da ctrlop)
#
if [ -z "$TLCOMMAND" ] ; then
[ -c /dev/null ] && /opt/thinlinc/bin/tl-sso-password --remove >> /dev/null
fi
Allow change password
$ :
tl-passwd
This command is used to let the user change their password, both in the underlying authentication mechanism and in the ThinLinc Single Sign-On mechanism.
In order for this to work, any user must be able to read the file /etc/pam.d/sshd (or, more correct, the file that the symbolic link /etc/pam.d/thinlinc points at.
Also, in the case where the underlying authentication mechanism is LDAP or eDirectory, make sure that the parameter pam_password in /etc/ldap.conf is set to a value that is
appropriate for your environment. If you're authenticating against eDirectory servers, it must be set to nds. See the comments in ldap.conf for more information.
Crashing Firefox tabs
On some systems a
bug in the default policy settings prevent Firefox 52 ESR from working correctly. All tabs will simply show Gah. Your tab just crashed.. Either a newer version of Firefox must be used, or the local policy must be set to be less restrictive:
$ sudo setsebool -P unconfined_mozilla_plugin_transition off