Thinlinc configuration

Only for Ctrls SL6 and thinlinc 4.5
pay attentions to CL7 and thinlinc 4.8 changes

Remember to modify:


/etc/init.d/vsmagent restart

15.4. Indicating that Shadowing is in Progress

In some cases, the user being shadowed need to be aware that their session is being monitored. By running the tl-shadow-notify program during the session lifetime, a window will pop up with information about the shadowing whenever shadowing starts or stops.

To start tl-shadow-notify automatically during session startup, a symbolic link must be created in /opt/thinlinc/etc/xstartup.d:
# ln -s /opt/thinlinc/bin/tl-shadow-notify /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify

To deactivate tl-shadow-notify, remove the symbolic link from /opt/thinlinc/etc/xstartup.d.
# rm /opt/thinlinc/etc/xstartup.d/15-tl-shadow-notify

#> ls -al /opt/thinlinc/etc/xstartup.d
lrwxrwxrwx  1 root root   25 Nov 11  2015 → ../../libexec/
lrwxrwxrwx 1 root root 31 Nov 11 2015 → ../../libexec/
lrwxrwxrwx 1 root root 33 Nov 11 2015 10-tl-clipboard-helper → ../../libexec/tl-clipboard-helper
lrwxrwxrwx 1 root root 26 Nov 11 2015 11-tl-set-title → ../../libexec/tl-set-title
lrwxrwxrwx 1 root root 33 Nov 11 2015 12-tl-default-keyboard → ../../libexec/tl-default-keyboard
-rwxr-xr-x 1 root root 322 Sep 20 2016

15-tl-shadow-notify → /opt/thinlinc/bin/tl-shadow-notify

-rwxr-xr-x 1 root root 1321 Sep 20 2016

lrwxrwxrwx 1 root root 30 Nov 11 2015 30-tl-xdg-user-dirs → ../../libexec/tl-xdg-user-dirs
lrwxrwxrwx 1 root root 40 Dec 24 2016 → /opt/thinlinc/bin/
-rwxr-xr-x 1 root root 823 Dec 10 2016
lrwxrwxrwx 1 root root 32 Nov 11 2015 41-tl-lp-redir-launch → ../../libexec/tl-lp-redir-launch
lrwxrwxrwx 1 root root 27 Nov 11 2015 50-tl-wait-smartcard → ../../bin/tl-wait-smartcard
-rwxr-xr-x 1 root root 320 Sep 13 2016

I file da modificare sono:
  • 15-tl-shadow-notify con il link simbolico

# -*- mode: shell-script; coding: utf-8 -*-
# Copyright 2002-2014 Cendio AB.
# For more information, see
# action: Choosing a profile

# Modificato, altrimenti chiede all'utente di scegliere un profilo anche
# in caso di single-command

# Display the profile selection menu

if [ -z "$TLCOMMAND" ] ; then
if [ $? -ne 0 ] ; then # User pressed cancel
exit 0
# Individuazione del pid della sessione sshd corrispondendete alla tlsession
# rendendolo disponibile nella variabile TLSSHPID
# Il pid puo' essere usato per chiudere la tlsession o fare altre azioni
# quando il tlclient si disconnette (cosa non prevista da Cendio)
# Attenzione: perche' funzioni deve essere permessa l'assenza di tty nella regola
# sudo corrispondente al comando netstat , con !requiretty

if [[ "$TLCOMMAND" =~ openbox ]] ; then
sn=`/bin/basename $TLSESSIONDATA`
myvncport=`expr 5900 + $sn`
TLSSHPID=`SUDO_ASKPASS="${TLPREFIX}/bin/tl-sso-password" /usr/bin/sudo -A /bin/netstat -tnp | /bin/egrep ":"${myvncport}"[[:blank:]]+ESTABLISHED [0-9]+\/sshd[[:blank:]]+$" | awk '{gsub("/sshd","",$NF) ; print $NF}'`

# -*- mode: shell-script; coding: utf-8 -*-
# Mount dei local drives, ma non in caso di single-command

if [ -z "$TLCOMMAND" ] ; then

# prova di isolamento dei mount points per i thinlinc drives
# per fare in modo che vengano visti solo dai processi nella
# sessione thinlinc dell'utente e non dagli altri processi di
# sistema in modo che in caso di NFS stale handle per indisponibilita'
# del thinlinc client remoto:
# - il browsing delle directory in /var/opt/thinlinc non vada in hang
# - il mount non funzionante venga pulito quando la sessione viene
# chiusa senza necessita' di un reboot del sistema

#SUDO_ASKPASS=/opt/thinlinc/bin/tl-sso-password /usr/bin/sudo -A /usr/bin/unshare -m


# -*- mode: shell-script; coding: utf-8 -*-
# Cancellazione di default della sso password in plain text
# tranne che per alcune eccezioni in cui e' utile (per es.
# per lo shadowing da ctrlop)

if [ -z "$TLCOMMAND" ] ; then
[ -c /dev/null ] && /opt/thinlinc/bin/tl-sso-password --remove >> /dev/null

Allow change password

$ :


This command is used to let the user change their password, both in the underlying authentication mechanism and in the ThinLinc Single Sign-On mechanism.
In order for this to work, any user must be able to read the file /etc/pam.d/sshd (or, more correct, the file that the symbolic link /etc/pam.d/thinlinc points at.
Also, in the case where the underlying authentication mechanism is LDAP or eDirectory, make sure that the parameter pam_password in /etc/ldap.conf is set to a value that is
appropriate for your environment. If you're authenticating against eDirectory servers, it must be set to nds. See the comments in ldap.conf for more information.

Crashing Firefox tabs

On some systems a bug in the default policy settings prevent Firefox 52 ESR from working correctly. All tabs will simply show Gah. Your tab just crashed.. Either a newer version of Firefox must be used, or the local policy must be set to be less restrictive:
$ sudo setsebool -P unconfined_mozilla_plugin_transition off
Topic revision: r1 - 06 Apr 2021, Dibiase
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wiki_Virgo_LSC? Send feedback