Copyright (C) 2008-2020 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
This is a Howto which describes how you can extend your Thinclient to a Thinclient-Server.
For easier administrative handling I decided to use LDAP for Services like DHCP and DNS.
After emerging the packages copy the default configurations to the Server Profile:
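# Seed the server profile with the distribution defaults of the freshly
# emerged services; the edits described in the following sections are made
# to these copies under the profile, not to the live files.
profile=/etc/thinclient/server-profile

# cp does not create missing target directories, so create them first.
mkdir -p "$profile/etc/openldap" "$profile/etc/conf.d" "$profile/etc/bind"

cp /etc/openldap/slapd.conf "$profile/etc/openldap/slapd.conf"
# phpldapadmin is installed in a versioned directory; its stock config goes
# to the profile under a flat name (start.sh installs it from /etc from there).
# If more than one version is installed the glob expands to several files and
# cp refuses to copy -- name the version explicitly in that case.
cp /usr/share/webapps/phpldapadmin/*/htdocs/config/config.php "$profile/etc/phpldapadmin.conf"
cp /etc/conf.d/nfs "$profile/etc/conf.d/nfs"
cp /etc/conf.d/in.tftpd "$profile/etc/conf.d/in.tftpd"
cp /etc/conf.d/apache2 "$profile/etc/conf.d/apache2"
cp /etc/bind/named.conf "$profile/etc/bind/named.conf"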
If you want to use this solution you need the following howto(s) finished:
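# Install the server packages inside the build chroot. Every emerge runs in a
# login-like environment (env-update, then /etc/profile). Unlike the original
# one-command-per-package list, the loop stops at the first failed emerge
# instead of silently going on with the next package; "break" rather than
# "exit" so that pasting this into an interactive shell does not close it.
chroot_root=/gtc/test
for pkg in net-fs/nfs-utils sys-boot/syslinux net-ftp/tftp-hpa net-misc/dhcp \
           net-dns/bind net-dns/bind-tools net-nds/openldap net-fs/samba \
           net-nds/phpldapadmin www-servers/apache; do
  # The package name is passed as $1 into the chroot shell, not interpolated
  # into the command string.
  chroot "$chroot_root" /bin/bash -c \
    'env-update >/dev/null 2>&1 && source /etc/profile && emerge "$1"' bash "$pkg" \
    || { echo "emerge $pkg failed in $chroot_root" >&2; break; }
done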
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
The web server configuration for the GTC server.
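# Some default settings
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443

# ServerName
ServerName localhost

# Directory Index
DirectoryIndex index.html

# Some security settings
# Seconds to wait for a client before giving up on a request
Timeout 60
# Allow a maximum of 100MB for upload.
LimitRequestBody 104857600
# Accept at most 50 header fields per request
LimitRequestFields 50
# Maximum size of a single request header field sent by the client
LimitRequestFieldsize 4094
# Maximum length of the HTTP request line
LimitRequestLine 8190
# Allow a maximum of 100MB for upload per WebDAV (XML) request
LimitXMLRequestBody 104857600
# Do not advertise version details in the Server header or on error pages
ServerTokens Prod
ServerSignature Off
# TRACE is of no use here and is the basis of Cross-Site-Tracing
TraceEnable off

# VHost logging
# The "vhost" nickname must be defined by a LogFormat directive elsewhere
# (Gentoo's default settings presumably provide it; check if apache refuses
# to start because of an unknown log format).
CustomLog /var/log/apache2/access_log vhost

# Load LDAP auth modules. They are available for protecting /phpldapadmin
# with mod_authnz_ldap; no Location/Directory on this page uses them yet.
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

# Nothing outside /var/www is served
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
# The document roots are reachable by everybody who can reach the server.
# phpldapadmin lives below /var/www/default/htdocs (see start.sh); consider
# restricting this to the LAN ("Allow from <lan-network>") or to LDAP users.
<Directory /var/www>
    Order Allow,Deny
    Allow from all
    Options None
    AllowOverride None
</Directory>

# The default vHost (plain HTTP). It serves the same tree as the HTTPS vhost,
# so a phpldapadmin login (with the rootdn, see config.php) can travel
# unencrypted -- redirect this vhost to https:// once the server has a name.
<VirtualHost *:80>
    ServerName default
    ServerAdmin gtc
    DocumentRoot /var/www/default/htdocs
</VirtualHost>

<VirtualHost *:443>
    ServerName default
    ServerAdmin gtc
    DocumentRoot /var/www/default/htdocs
    SSLEngine on
    # Refuse the broken SSLv2/SSLv3 protocols and anonymous/weak ciphers
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>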
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Listen on localhost and on the LAN, and resolve names this server is not authoritative for by recursion (Internet name resolution). Restrict `allow-recursion` and `allow-query` to the LAN: an unrestricted value makes the server an open resolver that can be abused (e.g. for DNS amplification) from anywhere that can reach port 53.
listen-on { 127.0.0.1; };After change
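// Listen on the loopback interface and on every LAN interface
// ("any" is the same as the former { 127.0.0.1/8; 0.0.0.0/0; } list).
listen-on { any; };

// The way to the Internet: recurse only for this host and for the networks
// this host is directly attached to (the built-in "localnets" ACL). The
// former 0.0.0.0/0 made the server an open resolver.
allow-recursion { localhost; localnets; };

// Local zones: answer queries from the same set of clients
allow-query { localhost; localnets; };

// No secondaries: refuse NOTIFY and zone transfers from everybody
allow-notify { none; };
allow-transfer { none; };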
Zone definitions for some domains
# This is an entry for an LDAP Zone. Use this only if you want to use Bind with LDAP
# (the "ldap" database type needs bind built with the LDAP sdb backend, on
# Gentoo presumably USE=sdb-ldap). The connection is an anonymous bind to the
# local slapd with a 172800 s default TTL, so the directory ACLs must allow
# anonymous read access below cn=Computers,dc=gtc (see slapd.conf).
zone "gtc" IN {
    type master;
    database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
    allow-update { none; };
};
# NOTE(review): this declares the server master for the whole of in-addr.arpa,
# so reverse lookups for any address that is not in the directory are answered
# (negatively) here instead of being resolved recursively. A zone for the
# reverse name of the local subnet would be the usual choice -- the zoneName
# values in start.sh's LDIF would have to match.
zone "in-addr.arpa" {
    type master;
    database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
    allow-update { none; };
};
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Apache startoptions for enabling PHP5 and SSL
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5"After change
# Enable only mod_ssl and PHP5. The DEFAULT_VHOST, SSL_DEFAULT_VHOST, INFO and
# LANGUAGE defines of the stock file are dropped: the vhosts come from the GTC
# httpd configuration, and -D INFO would (on Gentoo) load mod_info, which
# exposes the server configuration over HTTP.
APACHE2_OPTS='-D SSL -D PHP5'
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
This starts rpc.idmapd for UID/GID mapping on NFSv4. It has to be started on the client side too. If this service is not running, all UIDs/GIDs are mapped to ID 4294967294 (nobody). The configuration file /etc/idmapd.conf should be identical on client and server.
NFS_NEEDED_SERVICES=""After change
# Start rpc.idmapd together with the NFS server (NFSv4 user/group name mapping).
NFS_NEEDED_SERVICES='rpc.idmapd'
Run 20 nfsd server threads. This is the number of requests the server handles concurrently, not a limit on the number of clients; raise it if many thin clients are served at once.
#OPTS_RPC_NFSD="8"After change
# Number of nfsd kernel threads (concurrent requests), default is 8.
OPTS_RPC_NFSD='20'
The rpc mountd should listen on port 32767 (needed for some firewall settings).
#OPTS_RPC_MOUNTD=""After change
# Pin rpc.mountd to a fixed port so a packet filter can allow it.
OPTS_RPC_MOUNTD='-p 32767'
The rpc statd should listen on port 32765 and send outgoing connections over port 32766 (needed for some firewall settings).
#OPTS_RPC_STATD=""After change
# Pin rpc.statd: listen on 32765, send outgoing connections from 32766.
OPTS_RPC_STATD='-p 32765 -o 32766'
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
These are the settings that make the DHCP server read its configuration from the LDAP server.
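# LDAP connection of the DHCP server.
# Anonymous bind (empty username/password): this works only while slapd's ACLs
# grant anonymous read access to the DHCP entries ("access to * by * read" in
# slapd.conf). If those ACLs are tightened, set a bind DN and password here and
# make this file readable by root only -- the password is stored in clear text.
ldap-server "127.0.0.1";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=gtc";
ldap-dhcp-server-cn "gtc-server";
# "dynamic" looks host entries up in LDAP at run time; "static" reads the whole
# configuration once at startup.
ldap-method dynamic;
# The debug file receives the complete dhcpd configuration generated from LDAP.
# The original wrote it as root to a fixed, predictable name in the
# world-writable /tmp (symlink attacks) where it stayed readable by everyone;
# enable it only while troubleshooting and point it at a root-owned directory.
#ldap-debug-file "/tmp/dhcp-ldap-startup-config";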
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
This is the schema for using nested groups (groups in groups)
# gaboshGroup: auxiliary class that adds uniqueMember to posixGroup entries so
# a group can list other groups (or users) by DN. The directory only stores the
# nesting; whether a client resolves nested membership depends on its NSS/PAM
# LDAP modules -- confirm on the thin clients.
objectclass ( 1.3.6.1.4.1.35312.1 NAME 'gaboshGroup' DESC 'adds uniqueMember attribut for groups' SUP top AUXILIARY MAY ( uniqueMember ) )
This is for having the DHCP and DNS attributes of a computer in one object class.
# gaboshComputer: auxiliary class that makes the dnszone.schema record
# attributes (A, PTR, SOA, ... plus zoneName/relativeDomainName) attachable to
# an entry that also carries the dhcp.schema classes, so one entry per computer
# holds both its DHCP and its DNS data. dnszone.schema must be included first.
objectclass ( 1.3.6.1.4.1.35312.2 NAME 'gaboshComputer' DESC 'for Computer DHCP and DNS entries' SUP top AUXILIARY MAY ( DNSTTL $ DNSClass $ ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord $ zoneName $ relativeDomainName ) )
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r-- (note: this file contains the rootpw hash shown below, so a tighter mode such as -rw-r----- with group ldap is advisable)
Include the basic schemas.
# Schema files, one per line. The order matters where a schema references
# attribute types of another one: samba.schema needs cosine/inetorgperson/nis,
# gabosh.schema needs the dnszone record attributes. core.schema is presumably
# included by the distribution's slapd.conf above these lines.
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/dhcp.schema
include /etc/openldap/schema/gabosh.schema
Certificates for using TLS.
# Server certificate and private key for ldaps:// and StartTLS. The key must be
# readable by the ldap user only (e.g. 0640 root:ldap).
# Offering TLS does not force clients to use it: none of the slapd.conf
# fragments on this page has a "security" directive, and the local dhcpd and
# named backends bind over plain ldap://127.0.0.1. Password binds from the thin
# clients travel in clear unless their ldap client configuration enables TLS.
TLSCertificateFile /etc/openldap/ssl/ldap.crt
TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
Set the search path for LDAP modules
# modulepath /usr/lib/openldap/openldapAfter change
# Directory searched for dynamically loaded backend/overlay modules (see moduleload).
modulepath /usr/lib/openldap/openldap
Load the hdb-LDAP module for HDB storage-backend
You should create the HDB-configfile:
# Give the hdb backend its Berkeley DB environment settings. Without a
# DB_CONFIG slapd falls back to the library defaults (and warns about it).
cp -- /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG
# moduleload back_hdb.soAfter change
# Load the hdb (hierarchical Berkeley DB) storage backend from modulepath.
moduleload back_hdb.so
Set ACLs on the hashed user passwords. This prevents reading the hashes with e.g. "getent shadow" (for shadow accounts) or with ldapsearch. If you don't want to use LDAP authentication for Samba, you can leave out the samba* attributes and the line with smbadmin.
# Password and account attributes: the Samba admin DN may write them, the
# replica consumer may read them, everybody may use them to authenticate (auth,
# i.e. bind) and the owner may change their own; nobody else sees them.
# Rules are evaluated in order, first match wins.
# "by self write" also lets a user rewrite sambaAcctFlags, sambaPwdMustChange
# and sambaPasswordHistory of their own entry, e.g. clear a 'D'isabled or
# 'L'ocked flag set by an administrator -- if that matters, put those
# attributes into a separate rule without "self write".
# Neither cn=smbadmin nor cn=replicator is created by the start.sh on this page.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaAcctFlags,shadowLastChange
        by dn="cn=smbadmin,ou=People,dc=gtc" write
        by dn="cn=replicator,ou=People,dc=gtc" read
        by anonymous auth
        by self write
        by * none
# Everything else is readable by everybody, including anonymous binds. The
# dhcpd and named LDAP backends on this page (anonymous ldap://127.0.0.1) and
# presumably nss_ldap on the thin clients depend on this.
access to * by * read
LDAP Base DN
suffix "dc=my-domain,dc=com"After change
# Naming context of this database; every DN on this page ends in dc=gtc.
suffix "dc=gtc"
LDAP Root DN
rootdn "cn=Manager,dc=my-domain,dc=com"After change
# Administrative DN; it bypasses all access directives above. phpldapadmin's
# login form on this page offers exactly this DN.
rootdn "cn=Manager,dc=gtc"
Hashed LDAP root password, generated with slappasswd (replace the placeholder with its output).
rootpw secretAfter change
# Password hash of the rootdn, output of "slappasswd" (placeholder here).
# This line makes slapd.conf sensitive: the file is listed on this page as
# -rw-r--r--, which exposes the hash to every local user -- use 0640 root:ldap.
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
Define slapd indexes for LDAP tuning and to get rid of the "bdb_equality_candidates: (uid) not indexed" log entries. Don't forget to run slapindex (with slapd stopped) after changing the index directives; I put it in a weekly cron job.
#index objectClass eqAfter change
# Indexes, one directive per line. entryCSN/entryUUID are needed by the
# syncprov overlay below, uid/uidNumber/gidNumber/memberUid by nss_ldap
# lookups, uniqueMember by the nested groups, samba* by Samba's passdb and
# zoneName/relativeDomainName by the named LDAP backend.
index objectclass,entryCSN,entryUUID eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index uniqueMember eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# "index default" only affects later index directives that name no index type
index default sub
index zoneName eq
index relativeDomainName eq
This is only for LDAP replication (this server acting as the syncrepl provider). If you don't want to use replication, do not insert these lines.
# syncrepl provider: checkpoint the contextCSN every 100 operations or 10
# minutes and keep a 100-entry session log so consumers can catch up without
# a full refresh. The replicator DN in the ACL above is the consumer account.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Basedn for phpldapadmin
// $servers->setValue('server','base',array(''));After change
// Root of the directory tree shown by phpldapadmin (the slapd suffix).
$servers->setValue('server','base',array('dc=gtc'));
Login for phpldapadmin
# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');After change
// DN pre-filled on the login form. This is the directory's rootdn, which
// bypasses every slapd ACL, so protect this web application: the Apache
// configuration on this page serves it on port 80 as well as 443 and allows
// every client that can reach the server -- serve it over HTTPS only and
// restrict who can reach /phpldapadmin.
$servers->setValue('login','bind_id','cn=Manager,dc=gtc');
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/server-profile/start.sh
Changed on 23.04.10

Create the data and start the services.
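#!/bin/bash
#
# start.sh -- create the GTC server data and start the server services.
#
# Runs as root when the server profile boots. On the first boot it builds the
# initial LDAP directory (DHCP, DNS, POSIX users/groups, Samba domain); on
# later boots it re-uses /srv/ldap and /srv/config. The PXE files, the bind
# mounts, resolv.conf and the service start are redone every time.
#
# The network parameters are taken from the kernel command line this host was
# booted with, ip=<client-ip>:<server-ip>:<gateway>:<netmask>[:...] (nfsroot
# syntax): the <client-ip> of that boot becomes the address of this server.
#
# NOTE(review): /etc/exports is not written here; the thin clients mount
# $SRV_IP:/opt/gtcroot as their root (see the boot menu at the end), so that
# export must come from the profile -- export it read-only and to the LAN only.

set -u

# Print a message on stderr and abort.
die() {
  printf 'start.sh: %s\n' "$*" >&2
  exit 1
}

# Reverse the fields of a dotted address for the in-addr.arpa entry
# (192.168.1.10 -> 10.1.168.192). Works for any number of fields.
reverse_ip() {
  local -a fields rev=()
  local i
  IFS=. read -r -a fields <<<"$1"
  for (( i = ${#fields[@]} - 1; i >= 0; i-- )); do
    rev+=("${fields[i]}")
  done
  local IFS=.
  printf '%s' "${rev[*]}"
}

# Print one posixGroup LDIF entry carrying the gaboshGroup auxiliary class for
# nested membership.  $1 = cn, $2 = gidNumber, $3 = DN of the member.
ldif_group() {
  printf '\ndn: cn=%s,ou=Group,dc=gtc\n' "$1"
  printf 'cn: %s\ngidnumber: %s\n' "$1" "$2"
  printf 'objectclass: posixGroup\nobjectclass: top\nobjectclass: gaboshGroup\n'
  printf 'uniquemember: %s\n' "$3"
}

# --- Network information --------------------------------------------------
read -r cmdline < /proc/cmdline
[[ "$cmdline" == *ip=* ]] || die "no ip= parameter on the kernel command line"
ip_param=${cmdline##*ip=}      # everything after the last "ip="
ip_param=${ip_param%% *}       # up to the next blank
SRV_IP=$(cut -d: -f1 <<<"$ip_param")
SRV_GATEWAY=$(cut -d: -f3 <<<"$ip_param")
SRV_SUBNET=$(cut -d: -f4 <<<"$ip_param")
[[ -n "$SRV_IP" && -n "$SRV_SUBNET" ]] || die "cannot parse ip=$ip_param"

# ipcalc prints lines like "Network:   192.168.1.0/24" and "Broadcast: 192.168.1.255"
ipcalc_out=$(ipcalc -b -n "$SRV_IP/$SRV_SUBNET") || die "ipcalc failed"
SRV_NETWORK=$(awk '/^Network:/ { sub("/.*", "", $2); print $2 }' <<<"$ipcalc_out")
SRV_PREFIX=$(awk '/^Network:/ { sub(".*/", "", $2); print $2 }' <<<"$ipcalc_out")
SRV_BROADCAST=$(awk '/^Broadcast:/ { print $2 }' <<<"$ipcalc_out")
[[ -n "$SRV_NETWORK" && -n "$SRV_BROADCAST" ]] || die "cannot parse ipcalc output"
SRV_PREFIX=${SRV_PREFIX:-24}   # the original LDIF hard-coded a /24 netmask
KVER=$(uname -r)

# --- PXE boot files (served by tftp from /srv/pxe) --------------------------
mkdir -p /srv/pxe/pxelinux.cfg
cp /usr/share/syslinux/pxelinux.0 /usr/share/syslinux/menu.c32 /srv/pxe/
cp "/boot/kernel-genkernel-x86-$KVER" "/boot/initramfs-genkernel-x86-$KVER" /srv/pxe/

# --- LDAP -------------------------------------------------------------------
if [[ -d /srv/ldap ]]; then
  # Directory data from an earlier run exists: just point slapd at it.
  rm -rf -- /var/lib/openldap-data
  ln -sf /srv/ldap /var/lib/openldap-data
  /etc/init.d/slapd start
else
  echo "Creating initial LDAP Database"
  SRV_REVIP=$(reverse_ip "$SRV_IP")

  # The LDIF contains password hashes, so it is written into a private
  # temporary directory that is removed on every exit path (the original wrote
  # it to the predictable, world-readable /tmp/ldapinit.ldif and never
  # deleted it).
  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$workdir"' EXIT
  ldif="$workdir/ldapinit.ldif"

  users_ou="ou=Users,ou=People,dc=gtc"
  users_group="cn=users,ou=Group,dc=gtc"
  admins_group="cn=admins,ou=Group,dc=gtc"

  # NOTE(review): the sambaLMPassword/sambaNTPassword values below are
  # published with this howto, are identical for both accounts, and the second
  # half of the LM hash (AAD3B435B51404EE) shows a password of at most seven
  # characters. Anyone who has read this page can authenticate to Samba as
  # these users; replace the hashes (and the {SSHA} placeholders) before use.
  # NOTE(review): the Samba domain has no lockout (threshold 0), no password
  # history and a minimum length of 5 -- weak defaults.
  # NOTE(review): nesting cn=users into cn=disk gives every user raw block
  # device access on the client; consider dropping that membership.
  # NOTE(review): the sambaPrimaryGroupSID values end in a stray '-' and the
  # sambaDomain entry's RDN value (GTCSERVER) differs from its sambaDomainName
  # attribute (GTC); both look like typos, and slapadd may reject the domain
  # entry because of the second one -- check before running.
  {
    cat <<EOF
# The basic structure
dn: dc=gtc
dc: gtc
objectClass: top
objectClass: domain

# The DHCP object with some default settings. filename and next-server are
# only needed if you want to boot with PXE.
# The entries for your DHCP server(s)
dn: ou=DHCP-Servers,dc=gtc
objectClass: organizationalUnit
objectClass: top
ou: DHCP-Servers

dn: cn=gtc-server,ou=DHCP-Servers,dc=gtc
objectClass: top
objectClass: dhcpServer
cn: gtc-server
dhcpServiceDN: cn=Computers,dc=gtc
dhcpStatements: next-server $SRV_IP
dhcpOption: routers $SRV_GATEWAY
dhcpOption: domain-name-servers $SRV_IP
dhcpOption: ntp-servers $SRV_IP

# The global settings for all your DHCP server(s)
dn: cn=Computers,dc=gtc
cn: Computers
dhcpOption: subnet-mask $SRV_SUBNET
dhcpOption: broadcast-address $SRV_BROADCAST
dhcpOption: domain-name "gtc"
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true
dhcpStatements: filename "/pxelinux.0"
dhcpStatements: default-lease-time 7200
dhcpStatements: max-lease-time 14400
objectClass: dhcpService
objectClass: top
dhcpSecondaryDN: cn=gtc-server,ou=DHCP-Servers,dc=gtc

# The DHCP subnet entry. No dhcpRange is defined, so only hosts declared in
# the directory receive a lease.
dn: cn=$SRV_NETWORK,cn=Computers,dc=gtc
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: $SRV_PREFIX
#dhcpRange: XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
cn: $SRV_NETWORK

# The GTC/DHCP server itself: forward (zone gtc) and reverse (zone
# in-addr.arpa) DNS records in one entry
dn: pTRRecord=gtc-server.gtc.,cn=Computers,dc=gtc
aRecord: $SRV_IP
pTRRecord: gtc-server.gtc.
zoneName: gtc
zoneName: in-addr.arpa
objectClass: dNSZone
objectClass: top
sOARecord: gtc hostmaster 2010033001 8H 4H 4W 3H
nSRecord: localhost.
relativeDomainName: $SRV_REVIP
relativeDomainName: @

# Groups
dn: ou=Group,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: Group
EOF
    # Admin group
    ldif_group admins 12345 "cn=Ad min,$users_ou"
    # System groups: every user is a member via cn=users, admins via cn=admins
    ldif_group audio 18 "$users_group"
    ldif_group cdrom 19 "$users_group"
    ldif_group cdrw 80 "$users_group"
    ldif_group disk 6 "$users_group"
    ldif_group games 35 "$users_group"
    ldif_group root 0 "$admins_group"
    ldif_group usb 85 "$users_group"
    ldif_group vboxusers 1008 "$users_group"
    ldif_group video 27 "$users_group"
    ldif_group wheel 10 "$admins_group"
    cat <<EOF

# Users group
dn: $users_group
cn: users
gidnumber: 100
objectclass: gaboshGroup
objectclass: posixGroup
objectclass: top
uniquemember: cn=Ad min,$users_ou
uniquemember: cn=Te St,$users_ou

# Users section
dn: ou=People,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: People

dn: ou=SystemUsers,ou=People,dc=gtc
objectclass: organizationalUnit
objectclass: top
ou: SystemUsers

dn: $users_ou
objectclass: organizationalUnit
objectclass: top
ou: Users

# Admin user
dn: cn=Ad Min,$users_ou
cn: Ad Min
gidnumber: 100
givenname: Ad
homedirectory: /home/admin
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3004
sn: Min
uid: admin
uidnumber: 1000
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

# Test user
dn: cn=Te St,$users_ou
cn: Te St
gidnumber: 100
givenname: Te
homedirectory: /home/test
loginshell: /bin/false
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3005
sn: St
uid: test
uidnumber: 1001
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

# Samba domain
dn: sambaDomainName=GTCSERVER,dc=gtc
objectclass: sambaDomain
sambaalgorithmicridbase: 1000
sambadomainname: GTC
sambaforcelogoff: -1
sambalockoutduration: 30
sambalockoutobservationwindow: 30
sambalockoutthreshold: 0
sambalogontochgpwd: 0
sambamaxpwdage: -1
sambaminpwdage: 0
sambaminpwdlength: 5
sambanextuserrid: 1000
sambapwdhistorylength: 0
sambarefusemachinepwdchange: 0
sambasid: S-1-5-21-130334517-3066763751-205333941
EOF
  } >"$ldif"

  mv /var/lib/openldap-data /srv/ldap
  ln -sf /srv/ldap /var/lib/openldap-data
  mv /srv/ldap/DB_CONFIG.example /srv/ldap/DB_CONFIG
  # One start/stop cycle lets slapd create the database environment; the
  # entries are then loaded offline. A failed slapadd aborts instead of
  # starting the services on a half-populated directory.
  /etc/init.d/slapd start
  /etc/init.d/slapd stop
  slapadd -l "$ldif" || die "slapadd failed -- /srv/ldap is incomplete; remove it and run again"
  chown -R ldap:ldap /srv/ldap
  /etc/init.d/slapd start
fi

# --- NSS: users and groups from LDAP, local files as fallback ---------------
# The copy of the current file is kept next to it instead of under a fixed
# name in /tmp, which root should not write to (symlink attacks).
cp /etc/nsswitch.conf /etc/nsswitch.conf.tcorig
sed -e 's/^passwd:.*/passwd: ldap compat/' \
    -e 's/^shadow:.*/shadow: ldap compat/' \
    -e 's/^group:.*/group: ldap compat/' \
    /etc/nsswitch.conf.tcorig > /etc/nsswitch.conf
/etc/init.d/nscd restart

# --- Copy up-to-date default configs to the persistent /srv/config -----------
if [[ -d /srv/config ]]; then
  rsync -a --exclude=thinclient.conf.local --exclude=profiles \
        --exclude=global-profile --delete /etc/thinclient/ /srv/config/
else
  mkdir -p /srv/config
  rsync -a /etc/thinclient/ /srv/config/
fi

# --- Prepare the server gtcroot exported to the thin clients ----------------
mkdir -p /opt/gtcroot
mount -B /_gtcroot /opt/gtcroot
mount -B /srv/config /opt/gtcroot/etc/thinclient
mkdir -p /opt/gtcroot/etc/thinclient/profiles /srv/profiles
mount -B /srv/profiles /opt/gtcroot/etc/thinclient/profiles
# Bug fix: the original bound /srv/profiles here a second time, so
# /srv/global-profile was created but never exported. The mount point is also
# created, because the rsync above excludes global-profile from /srv/config.
mkdir -p /opt/gtcroot/etc/thinclient/global-profile /srv/global-profile
mount -B /srv/global-profile /opt/gtcroot/etc/thinclient/global-profile

# --- phpldapadmin ------------------------------------------------------------
mkdir -p /var/www/default/htdocs/phpldapadmin
rsync -a --delete /usr/share/webapps/phpldapadmin/*/htdocs/ /var/www/default/htdocs/phpldapadmin
cp /etc/phpldapadmin.conf /var/www/default/htdocs/phpldapadmin/config/config.php
# The web tree is readable, but not writable, by the web server so that a
# compromised PHP process cannot modify the application or its config (the
# original chowned everything to apache:apache). phpLDAPadmin should not need
# a writable directory under htdocs; if a version does, grant it there only.
chown -R root:apache /var/www/default/htdocs
chmod -R u=rwX,g=rX,o= /var/www/default/htdocs

# --- DNS client configuration: use the local named -------------------------
printf 'nameserver 127.0.0.1\nsearch gtc\n' > /etc/resolv.conf
chmod 644 /etc/resolv.conf

# --- Start the other services ----------------------------------------------
/etc/init.d/named start
/etc/init.d/dhcpd start
# A portmap instance (presumably left over from the thin-client boot this
# server started from) is restarted cleanly: TERM first, KILL only as a
# fallback, and the stale rpc_pipefs mount is dropped before NFS comes up.
killall portmap 2>/dev/null
umount -lf /var/lib/nfs/rpc_pipefs 2>/dev/null
sleep 5
killall -9 portmap 2>/dev/null
/etc/init.d/portmap start
/etc/init.d/rpc.statd start
/etc/init.d/nfs start
# NOTE(review): the package list on this page installs net-ftp/tftp-hpa and
# copies /etc/conf.d/in.tftpd, whose init script is "in.tftpd", but "atftp" is
# started here -- start the tftp daemon that is actually installed.
/etc/init.d/atftp start
/etc/init.d/apache2 start

# Home directories live on /srv/share and are bind-mounted over /home; the
# owners are LDAP users, so nss must already resolve them (nscd restarted above).
mkdir -p /srv/log /srv/share/home/test /srv/share/home/admin
chown test:users /srv/share/home/test
chown admin:admins /srv/share/home/admin
chmod 750 /srv/share/home/test /srv/share/home/admin
mount -B /srv/share/home /home
/etc/init.d/samba start

# --- Write the boot manager config ------------------------------------------
# NOESCAPE/ALLOWOPTIONS keep the client from editing the kernel command line;
# "#" in MENU AUTOBOOT is replaced by the remaining seconds by menu.c32.
cat > /srv/pxe/pxelinux.cfg/default <<EOF
default menu.c32
prompt 0
menu title GTC Boot Menu
NOESCAPE 1
ALLOWOPTIONS 0
MENU AUTOBOOT Starting Gentoo Stable Thinclient in # seconds
timeout 100

label gtc
  menu default
  menu label ^GTC
  kernel /kernel-genkernel-x86-$KVER
  append initrd=/initramfs-genkernel-x86-$KVER root=/dev/nfs nfsroot=$SRV_IP:/opt/gtcroot ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs
  ipappend 3

label bootlocal
  menu label ^Boot from local Disk
  localboot 0
EOF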
Please send a feedback to: doc<at>gabosh.net