Help for network clients

One generic term for both thin clients and diskless workstations is LTSP client.

(!) Starting with Bullseye, LTSP is quite different from the previous versions. This concerns both setup and maintenance.

For information about LTSP in general, see the LTSP homepage. On systems with LTSP server profile, man ltsp provides more information.

Please note that the ltsp tool from LTSP has to be used carefully. For example, ltsp image / would fail to generate the SquashFS image in case of Debian machines (these have a separate /boot partition by default), ltsp ipxe would fail to generate the iPXE menu correctly (due to Debian Edu's thin client support), and ltsp initrd would mess up LTSP client boot completely.

The debian-edu-ltsp-install tool is a wrapper script for ltsp image, ltsp initrd and ltsp ipxe. It is used to set up and configure diskless workstation and thin client support (both 64-bit and 32-bit PC). See man debian-edu-ltsp-install or the script content to see how it works. All configuration is contained in the script itself (HERE documents) to facilitate site specific adjustments.

Examples of how to use the wrapper script debian-edu-ltsp-install:

  • debian-edu-ltsp-install --diskless_workstation yes updates the diskless workstation SquashFS image (server filesystem).

  • debian-edu-ltsp-install --diskless_workstation yes --thin_type bare creates diskless workstation and 64-bit thin client support.

  • debian-edu-ltsp-install --arch i386 --thin_type bare creates additional 32-bit thin client support (chroot and SquashFS image).

Besides bare (smallest thin client system), also display and desktop are available options. The display type offers a shutdown button, the desktop type runs Firefox ESR in kiosk mode on the client itself (more local RAM and CPU power required, but server load reduced).

The debian-edu-ltsp-ipxe tool is a wrapper script for ltsp ipxe. It makes sure that the /srv/tftp/ltsp/ltsp.ipxe file is Debian Edu specific. The command needs to be run after iPXE menu related items (like menu timeout or default boot settings) in the /etc/ltsp/ltsp.conf [server] section have been modified.

The debian-edu-ltsp-initrd tool is a wrapper script for ltsp initrd. It makes sure that a use case specific initrd (/srv/tftp/ltsp/ltsp.img) is generated and then moved to the use case related directory. The command needs to be run after the /etc/ltsp/ltsp.conf [clients] section has been modified.

The debian-edu-ltsp-chroot tool is a replacement for the ltsp-chroot tool shipped with LTSP5. It is used to execute commands in a specified LTSP chroot (like e.g. install, upgrade and remove packages).

Diskless workstation

A diskless workstation runs all software locally. The client machines boot directly from the LTSP server without a local hard drive. Software is administered and maintained on the LTSP server, but runs on the diskless workstations. Home directories and system settings are stored on the server too. Diskless workstations are an excellent way of reusing older (but powerful) hardware with the same low maintenance costs as with thin clients.

Unlike workstations, diskless workstations run without any need to add them with GOsa².

Thin client

A thin client setup enables an ordinary PC to function as an (X-)terminal, where all software runs on the LTSP server. This means that this machine boots via PXE without using a local client hard drive and that the LTSP server needs to be a powerful machine.

Debian Edu still supports the use of thin clients to enable the use of very old hardware.

LTSP client firmware

LTSP client boot will fail if the client's network interface requires non-free firmware. A PXE installation can be used for troubleshooting problems with netbooting a machine; if the Debian Installer complains about a missing XXX.bin file, then non-free firmware has to be added to the LTSP server's initrd.

Proceed like this on the LTSP server:

  • First get information about firmware packages, run:

apt update && apt search ^firmware-

  • Decide which package has to be installed for the network interface(s), most probably this will be firmware-linux, run:

apt -y -q install firmware-linux

  • Update the SquashFS image for diskless workstations, run:

debian-edu-ltsp-install --diskless_workstation yes

  • In case X2Go thin clients are used, run:

/usr/share/debian-edu-config/tools/ltsp-addfirmware -h

    and proceed according to the usage information.

    Then update the SquashFS image; e.g. for the /srv/ltsp/x2go-bare-amd64 chroot, run:

ltsp image x2go-bare-amd64

Run man ltsp.conf to have a look at the available configuration options, or read it online: https://ltsp.org/man/ltsp.conf/

Add configuration items to the /etc/ltsp/ltsp.conf [clients] section. For the changes to take effect, run:

debian-edu-ltsp-initrd

PXE stands for Preboot eXecution Environment. Debian Edu now uses the iPXE implementation for easier LTSP integration.

The debian-edu-config package contains a tool which helps to change the 10.0.0.0/8 network to something else. Have a look at /usr/share/debian-edu-config/tools/subnet-change. It is intended for use just after installation on the main server, to update LDAP and other files that need to be edited to change the subnet.

/!\ Note that changing to one of the subnets already used elsewhere in Debian Edu will not work. 192.168.0.0/24 and 192.168.1.0/24 are already set up as LTSP client networks. Changing to these subnets will require manual editing of configuration files to remove duplicate entries.
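As an added pre-check (example code, not part of debian-edu-config or the subnet-change tool), the following shell functions validate a proposed subnet and refuse it if it overlaps one of the LTSP client networks named above; the reserved list and the example addresses are assumptions, and the overlap test works for any pair of IPv4 CIDR blocks, not only these two.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config: validate a proposed subnet
# and refuse it if it overlaps a network Debian Edu already uses, before
# handing it to /usr/share/debian-edu-config/tools/subnet-change.
# The list holds the LTSP client networks named in the manual; extend it
# with any other site-specific networks (assumption: nothing else collides).
RESERVED_SUBNETS="192.168.0.0/24 192.168.1.0/24"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Syntax check: four octets in 0-255 and a prefix length in 0-32.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    [ "${1#*/}" -le 32 ] || return 1
    for o in $(printf '%s' "${1%/*}" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Two CIDR blocks overlap when they agree on the shorter of the two prefixes.
cidr_overlap() {
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Returns 0 if $1 is syntactically valid and free of collisions, 1 otherwise.
check_new_subnet() {
    valid_cidr "$1" || { echo "invalid CIDR: $1" >&2; return 1; }
    for r in $RESERVED_SUBNETS; do
        if cidr_overlap "$1" "$r"; then
            echo "$1 overlaps $r, already used as an LTSP client network" >&2
            return 1
        fi
    done
    return 0
}

# Typical use on the main server, before running subnet-change (see its own help):
check_new_subnet 172.16.0.0/16 && echo "172.16.0.0/16 is safe to pass to subnet-change"
```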

There is no easy way to change the DNS domain name. Changing the name would require changes to both the LDAP structure and several files in the main server's file system (tjener.intern). Doing this would also require changes to LDAP and to files on the main server and in the client file system. In both cases the Kerberos setup would have to be changed, too.

Choosing the LTSP server profile or the combined server profile also installs the xrdp and x2goserver packages.

Xrdp uses the Remote Desktop Protocol to present a graphical login to a remote client. Microsoft Windows users can connect to the LTSP server running xrdp without installing additional software - they simply start a Remote Desktop Connection on their Windows machine and connect.

Additionally, xrdp can connect to a VNC server or another RDP server.

Xrdp doesn't support sound; to compile the required modules this script could be used.

#!/bin/bash
# Script to compile/recompile xrdp PulseAudio modules.
# The caller needs to be root or a member of the sudo group.
# Also, /etc/apt/sources.list needs to contain a valid deb-src line.
set -e
if [[ $UID -ne 0 ]] ; then
    if ! groups | grep -qw sudo ; then
        echo "ERROR: You need to be root or a sudo group member."
        exit 1
    fi
fi
if ! grep -Eq '^deb-src' /etc/apt/sources.list ; then
    echo "ERROR: Make sure /etc/apt/sources.list contains a deb-src line."
    exit 1
fi
TMP=$(mktemp -d)
PULSE_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' pulseaudio)"
XRDP_UPSTREAM_VERSION="$(dpkg-query -W -f='${source:Upstream-Version}' xrdp)"
sudo apt -q update
# Get sources and build dependencies:
sudo apt -q install dpkg-dev
cd "$TMP"
apt -q source pulseaudio xrdp
sudo apt -q build-dep pulseaudio xrdp
# For pulseaudio 'configure' is all that is needed:
cd "pulseaudio-$PULSE_UPSTREAM_VERSION/"
./configure
# Adjust the pulseaudio modules Makefile (needs an absolute path)
# and build the pulseaudio modules.
cd "$TMP/xrdp-$XRDP_UPSTREAM_VERSION/sesman/chansrv/pulse/"
sed -i 's/^PULSE/#PULSE/' Makefile
sed -i "/#PULSE_DIR/a \
PULSE_DIR = $TMP/pulseaudio-$PULSE_UPSTREAM_VERSION" Makefile
make
# Copy the modules to the PulseAudio modules directory, adjust permissions.
sudo cp *.so "/usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/"
sudo chmod 644 "/usr/lib/pulse-$PULSE_UPSTREAM_VERSION/modules/"module-xrdp*
# Restart xrdp, now with sound enabled.
sudo service xrdp restart

The freeRADIUS server could be used to provide secure network connections. For this to work, install the freeradius and winbind packages on the main server and run /usr/share/debian-edu-config/setup-freeradius-server to generate a basic, site specific configuration. This way, both EAP-TTLS/PAP and PEAP-MSCHAPV2 methods are enabled. All configuration is contained in the script itself to facilitate site specific adjustments. See the freeRADIUS homepage for details.

Additional configuration is needed to

  • enable/disable access points via a shared secret (/etc/freeradius/3.0/clients.conf).

  • allow/deny wireless access using LDAP groups (/etc/freeradius/3.0/users).

  • combine access points into dedicated groups (/etc/freeradius/3.0/huntgroups).
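The shared secrets in clients.conf are what stop a rogue device from posing as one of the site's access points, so it is worth checking them. The following is an added example (not part of debian-edu-config or freeRADIUS) that audits a clients.conf for secrets that are too short, still the stock "testing123", reused by several clients, or bound to any source address; the sample file, client names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config or freeRADIUS: audit the
# client definitions in /etc/freeradius/3.0/clients.conf for shared secrets
# that are too short, still the stock "testing123", reused by several
# clients, or bound to any source address instead of one access point.
# One line per finding is printed; the caller counts or greps them.
audit_clients_conf() {
    awk '
    function value(line) {   # text after "=", with quotes and comments removed
        sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]*(#.*)?$/, "", line)
        gsub(/"/, "", line); return line
    }
    /^[ \t]*client[ \t]+[^ \t{]+/ { name = $2; sub(/\{.*/, "", name) }
    /^[ \t]*ipaddr[ \t]*=/ { ip[name] = value($0) }
    /^[ \t]*secret[ \t]*=/ { s = value($0); sec[name] = s; owners[s] = owners[s] " " name }
    END {
        for (c in sec) {
            if (length(sec[c]) < 16)    print "WEAK    " c ": secret shorter than 16 characters"
            if (sec[c] == "testing123") print "DEFAULT " c ": stock freeRADIUS secret still in use"
        }
        for (s in owners)
            if (split(owners[s], a, " ") > 1) print "SHARED " owners[s] ": same secret on several clients"
        for (c in ip)
            if (ip[c] == "*" || ip[c] ~ /\/0$/) print "OPEN    " c ": ipaddr accepts any source address"
    }' "$1"
}

# Constructed sample (not a real site file) showing each problem once.
sample_clients_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client ap-library {
    ipaddr = 10.0.2.10
    secret = "Qz8vN2mL4pR7sT1wX5yB"   # 20 characters, but reused below
}
client ap-gym {
    ipaddr = *
    secret = Qz8vN2mL4pR7sT1wX5yB
}
EOF
    echo "$f"
}

f=$(sample_clients_conf); audit_clients_conf "$f"; rm -f "$f"
```

Run it against the real file with audit_clients_conf /etc/freeradius/3.0/clients.conf; an empty result means none of the four checks fired.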

(!) End user devices need to be configured properly; for the use of EAP (802.1x) methods these devices need to be PIN protected. And most important: users need to be educated to install the freeradius CA certificate on their devices to be sure to connect to the right server. This way the password can't be captured by a malicious server. The site specific certificate is available on the internal network.

Please note that configuring end user devices will be a real challenge due to the variety of devices. For Windows devices an installer script could be created, for Apple devices a mobileconfig file. In both cases the freeRADIUS CA certificate can be integrated, but OS specific tools are needed to create the scripts.