[LightDM] Is lightdm suitable for my thin client project?

Veli-Matti Lintu veli-matti.lintu at opinsys.fi
Sun Jul 28 10:37:54 PDT 2013


Hi,

I have been involved in creating a setup a bit similar to what you are looking for. We have based our setup on LTSP, but we have replaced ldm with lightdm. We have also modified the LTSP bits quite a bit to get laptop support using the same image as thin clients and fat clients are using. So the image on disk is always read-only and all modifications done on the overlayfs disappear on reboot. The image is updated using an automatic background mechanism.

For laptops and netbooted fat clients we run a local session, but for thin clients we launch the session on the LTSP server through ssh with kerberos authentication. We are not using the "Remote login" feature to launch the remote LTSP sessions, but we have a custom setup that authenticates the user first locally and then connects to the server with the same credentials. You could use a similar mechanism to launch a freerdp session, but as I haven't used it, I don't know what is needed exactly.


So using a similar approach to the one we are using, a hybrid laptop / thin client setup would work something like this:

1. Start lightdm using unity-greeter to get nm-applet accessible by users
   Network-manager has plugins that can be used to open VPN tunnels before login
   Placing configurations here should be enough: /etc/NetworkManager/system-connections

2. Lightdm authenticates using a custom PAM stack. For pam_freerdp, the documentation gives an example:

   ----------------------------------------------------------------------
   #%PAM-1.0
   auth    requisite       pam_nologin.so
   auth    required        pam_env.so readenv=1
   auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
   auth    required        pam_freerdp.so
   session required        pam_limits.so
   session required        pam_freerdp.so
   ----------------------------------------------------------------------

   Here you could also check that a connection exists before trying to authenticate and show the user a proper error message.


   Here's the PAM stack we are using for thin clients: 
   https://github.com/opinsys/puavo-ltsp/blob/master/client/templates/etc/pam.d/lightdm-thinclient

   ----------------------------------------------------------------------
   auth requisite pam_nologin.so
   auth required pam_env.so readenv=1
   auth required pam_env.so readenv=1 envfile=/etc/default/locale
   auth sufficient pam_succeed_if.so user ingroup nopasswdlogin

   auth required pam_krb5.so minimum_uid=10000 use_first_pass
   auth optional pam_exec.so /usr/sbin/puavo-ltsp-login
   auth required pam_exec.so /usr/share/ltsp-lightdm/puavo-ltsp-session
   ----------------------------------------------------------------------

   In our solution the LTSP session is started from PAM stack, but it should be possible to start it as an xsession also:
   https://github.com/opinsys/puavo-ltsp/blob/master/client/templates/etc/pam.d/lightdm-thinclient#L12
   https://github.com/opinsys/ltsp-lightdm/blob/master/puavo-ltsp-session

   puavo-ltsp-session does not handle the user password at all, because it uses kerberos tickets written by pam_krb5. If you want to code your own pam_exec that does authentication, you probably need to specify the expose_authtok parameter for pam_exec.so in the PAM stack (man pam_exec).

3. When PAM authentication finishes, a custom xsession could be started that starts the FreeRDP client with required parameters. Some of the stuff could be already initialised in PAM stack - like writing configuration files etc. gnome-fallback-session or xfce might fit here better than unity.

   We forced lightdm to use our custom session and disabled the user options with a lightdm.conf similar to this:

   [LightDM]
   user-authority-in-system-dir=true
   xsessions-directory=/usr/share/ltsp-lightdm/xsessions

   [SeatDefaults]
   greeter-hide-users=true
   greeter-session=unity-greeter
   greeter-show-remote-login=false
   user-session=ltsp-session
   xserver-allow-tcp=true


   In our setup the xsession only waits for the ssh connection to close:

   https://github.com/opinsys/ltsp-lightdm/blob/master/xsessions/ltsp-session.desktop
   https://github.com/opinsys/ltsp-lightdm/blob/master/xsession-stub



In our case, the custom PAM stack authenticates users using kerberos and offline support for laptops is done using sssd. User information is fetched from LDAP using a custom script: 

https://github.com/opinsys/puavo-ltsp/blob/master/client/puavo-ltsp-login

For user management we are using Puavo which manages user/device information in LDAP/kerberos: https://github.com/opinsys/puavo-users

I hope this helps a bit.

Happy hacking!

Veli-Matti
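
Added example, not part of the original message and not puavo-ltsp code: one way to do the connectivity check suggested in step 2, as a pam_exec script placed before pam_freerdp.so. The script path, the server name and the `nc` probe are assumptions; `requisite` stops the stack on failure and pam_exec's `stdout` option relays the message to the greeter.

```sh
#!/bin/sh
# Assumed PAM line, placed before "auth required pam_freerdp.so":
#   auth requisite pam_exec.so stdout /usr/local/sbin/rdp-gate
# expose_authtok is deliberately not set, so the password is never
# handed to this script; it only needs PAM_TYPE and PAM_USER.

RDP_HOST="${RDP_HOST:-rdp.example.invalid}"   # hypothetical server name
RDP_PORT="${RDP_PORT:-3389}"
PROBE="${PROBE:-nc -z -w 3}"                  # assumed probe, needs netcat

# Accept only conservative login names, so PAM_USER can never be read
# as an option or as shell syntax by anything called later.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds only if a TCP connection to host:port can be opened.
# $PROBE is left unquoted on purpose so its options are split.
reachable() {
    $PROBE "$1" "$2" >/dev/null 2>&1
}

# Decide for one PAM call: $1 = PAM_TYPE, $2 = PAM_USER.
# Returns 0 to let the stack continue, non-zero to fail closed.
gate() {
    [ "$1" = "auth" ] || return 0     # only gate the auth phase
    if ! valid_user "$2"; then
        echo "Login name not accepted."
        return 1
    fi
    if ! reachable "$RDP_HOST" "$RDP_PORT"; then
        echo "No connection to the terminal server. Check network or VPN."
        return 1
    fi
    return 0
}

# pam_exec exports PAM_TYPE and PAM_USER; act only when called from PAM.
if [ -n "${PAM_TYPE:-}" ]; then
    gate "$PAM_TYPE" "${PAM_USER:-}"
    exit $?
fi
```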


----- Original message -----
From: "Jonathan" <dev at puppeq.com>
To: "Robert Ancell" <robert.ancell at gmail.com>
Cc: lightdm at lists.freedesktop.org
Sent: July 24, 2013 10:36:22
Subject: Re: [LightDM] Is lightdm suitable for my thin client project?

Robert,

I've subscribed to the lightdm mailing list as you suggested.

So what you're saying is that the "Remote Login" feature works without a UCCS account. I can't find anything online on how to make this work. Even though it had been developed by another team, do you have any idea or information about the configuration of this feature? If not, how can I get in touch with the developers?

If the "Remote Login" feature doesn't work, what do I need to do to get a FreeRDP session working from a "regular" login at the lightdm greeter screen? Again from hours of googling the information I'm finding is to create that xsession desktop file which I've done, but other than that I don't know what to do.

-- Jonathan

----- Original Message -----
From: "Robert Ancell" <robert.ancell at gmail.com>
To: "Jonathan" <dev at puppeq.com>
Cc: "LightDM Mailing List" <lightdm at lists.freedesktop.org>
Sent: Wednesday, July 24, 2013 12:05:53 PM
Subject: Re: Is lightdm suitable for my thin client project?





Hi Jonathan, 

The "Remote Login" entry in Unity Greeter is access to any of the remote login sessions that are installed on your machine. There are two that I know of; lightdm-remote-session-uccsconfigure which requires the UCCS account and lightdm-remote-session-freerdp which does not. Both are packaged in Ubuntu. I don't know everything about these systems as they were developed by another team in Canonical, but I think you should be able to get the FreeRDP system to do what you want. 

In terms of diagnosing what you've done - first look at /var/log/lightdm/lightdm.log and that will point you to other logs in that directory showing errors in what has happened. The difficult part to diagnose is PAM, since the modules generally don't provide easy logging. 

--Robert 




On 24 July 2013 21:54, Jonathan < dev at puppeq.com > wrote: 



Hi Robert, 


Thank you for your reply. 


Yes, I've looked at LTSP and asked questions on #ltsp, but my understanding is that it requires an Ubuntu LTSP server and I don't think that is really what I want. 


I have been working on this non-stop and this is what I have so far, 


- I start with Ubuntu Mini 13.04 and do a command line install. 


- I install the following packages, 

sudo apt-get install xserver-xorg lightdm notify-osd light-themes


This is where I am currently. 





The "Remote Login" feature, if I understand correctly, requires a UCCS account and cannot work independently of that. If that is the case then I'd rather not use this feature.


Right now I'm trying to figure out how to start a FreeRDP session when a user logs in at the lightdm greeter. I created an xsession at /usr/share/xsessions/freerdp-test.desktop with the following contents: 


[Desktop Entry]
Name=FreeRDP Test
Exec=xfreerdp /v:<IP_ADDRESS>
Type=Application

But when user "test" logs in the screen goes black for a few seconds and then the lightdm greeter reappears. I have no idea how to get this to work.


I have no problem discussing this on the LightDM mailing list and I will make my thin-client solution open-source on Github when I have it working as I think there is a need for something like this. It is just that I'm really tight on time to complete this by the end of this week, so if there's any way that you can help me directly I would be very grateful. We can discuss compensation if you like. 



I look forward to hearing from you. 


-- Jonathan 





On 24 Jul 2013, at 11:39, Robert Ancell wrote: 









Hi Jonathan, 

Interesting project! 

Have you seen LTSP [1] - it might be an off the shelf solution to your needs. 

If not, there are some options you can do with LightDM. You can log into remote sessions from LightDM, for example by using FreeRDP [2]. Depending on your requirements, it might just be enough to install this and log in using the standard Ubuntu greeter (unity-greeter). 

If this doesn't fill what you need, the other options with LightDM are: 
- Writing your own remote session module: 

- Writing PAM configuration that provides the authentication you want 

- Writing a session that provides the remote access using the protocols you want 

- Writing a greeter that has the UI you want 



Hope this helps, 
--Robert 




p.s. Are you OK continuing this discussion on the LightDM mailing list [3]? It would be useful for others interested in similar requirements, 

[1] http://www.ltsp.org/ 
[2] https://launchpad.net/lightdm-remote-session-freerdp 
[3] http://lists.freedesktop.org/mailman/listinfo/lightdm 






On 17 July 2013 23:17, Jonathan < dev at puppeq.com > wrote: 


Hi Robert, 

I'm working on a project for my father's accountancy firm which is to develop a laptop thin client solution for 5 employees. The reason I've decided to build my own solution is that there are very few commercial laptop thin clients on the market. I have even tried a commercial product to re-purpose a laptop such as IGEL Universal Desktop Converter (UDC), but the lack of essential features (e.g. usb modem support and full laptop hardware support) makes it unsuitable for our purposes. 

I am considering the HP 655 laptop as it has the most barebones features (on the Ubuntu hardware certified list) I've seen of a laptop and the employees don't need anything fancy. In terms of the requirements/ features I need of the thin client solution they are as follows: 

- Laptop hardware is fully supported, e.g. graphics, wifi, ethernet, display brightness. I know that Ubuntu has this covered out of the box. 

- UMTS USB modem support

- RDP client, e.g. FreeRDP 

- VPN client, e.g. L2TP/ IPsec 

- Printer support 

- Read-only OS that the user cannot modify 

- Remote VNC shadowing for employee support 

- Remote OS image updating 

- Remote configuration updating 


Essentially I would like the thin client solution to be as intuitive as possible for users and I envision the following user workflow. 

1. When a user powers on the laptop he/she is presented with a login prompt. 
2. The user must be connected via either LAN or a UMTS USB modem.
3. When the user logs in, a connectivity check is performed to determine whether LAN or USB modem connected. 
4. If a USB modem is detected, the 3G connection is established. 
5. Once the laptop has an internet connection (LAN or 3G), a VPN session is established. 
6. Finally an RDP session to a terminal server is established. 

All the user has had to do is power on the laptop, connect an ethernet or USB modem and supply his/ her login details. A printer connected via USB is forwarded to the Windows terminal server and local printing is possible. 

From an administration perspective I need to be able to VNC to the laptop to help the user with any potential problems relating to the laptop OS itself. I also need to be able to update the OS image if possible or at least update the OS configuration such as VPN settings via the updating of a configuration file. This could be done automatically with the thin client pulling the updated config file from say a private Github repo or similar.

I have experience with Ubuntu server although I'm far from an expert, but my Ubuntu desktop experience is limited. Nonetheless, after a lot of googling and a couple of discussions on #Ubuntu someone suggested that Ubuntu mini and lightdm might be a solution to investigate. 

Any advice and help you can offer is greatly appreciated as I'm unsure of how to actually build my proposed solution using Ubuntu mini and lightdm.

I look forward to hearing from you. 

-- Jonathan 


_______________________________________________
LightDM mailing list
LightDM at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/lightdm

