Cool Solution - ThinLinc

From Univention Wiki

Revision as of 14:06, 8 September 2017 by Hpeter (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Produktlogo UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

This article describe the setup of a ThinLinc server Master. ThinLinc is an remote desktop server built on open source technology by Cendio. It is strongly advised to install ThinLinc server on the system that shall provide the desktop environments later on aswell. ThinLinc also allows to install two different types of servers: Master and Agent. The Master server is the actual ThinLinc server while the Agents are used to spread the load across other systems, if necessary. Both roles are installed with the same package and get their role during setup. This cool solution was created with ThinLinc version 4.5.0.


ThinLinc server needs various packages, so you have to install these first.

Add the unmaintained Univention repository:

ucr set repository/online/unmaintained=yes

Install the necessary packages

univention-install python-gtk2 python-ldap python-glade2 libgd2-xpm printer-driver-cjet libdpkg-perl rpm2cpio libgutenprint2 printer-driver-foo2zjs libcupsppdc1 libunistring0 libgphoto2-port0 debhelper libnss3 libsane-hpaio libcupscgi1 libqtdbus4 poppler-utils libcupsdriver1 printer-driver-sag-gdi python-reportlab libsane printer-driver-escpr libcupsfilters1 libqt4-network ghostscript-cups foomatic-filters cups-client printer-driver-postscript-hp hplip m4 dc librpmio3 librpm3 rpm-common libescpr1 po-debconf printer-driver-splix lsb-security printer-driver-gutenprint intltool-debian printer-driver-all libqt4-opengl libcolord1 libv4lconvert0 gcc printer-driver-pnm2ppa libc6 cups-ppdc libck-connector0 dbus gettext time cups-common libhpmud0 libqtcore4 printer-driver-ptouch python-dbus-dev python-dbus cups pax printer-driver-min12xxw libqt4-sql libsane-common libqt4-svg libnspr4 build-essential rpm librpmbuild3 libqt4-xml libgettextpo0 cups-bsd libjpeg62 printer-driver-hpcups libqtgui4 printer-driver-c2esp libsystemd-login0 libitm1 python-pexpect html2text lib32z1 librpmsign1 libqt4-sql-mysql libexif12 printer-driver-m2300w libglu1-mesa printer-driver-pxljr libcupsmime1 lsb-core libaudio2 binutils alien libsys-hostname-long-perl cups-filters libnss3 libmng1 printer-driver-c2050 make printer-driver-hpijs hplip-data consolekit


Download ThinLinc server from Cendio's homepage. You will have to register with an e-mail address and get a download link afterwards. Copy the link and download the file:

wget <download link>

Extract the archive


Switch to ThinLinc server's folder and start the install script:

cd tl-4.5.0-server

Since the setup process prompts you rather often, we will only explain those steps, where it is necessary to do something else than just "Enter".

When asked if you want to start tl-setup, answer "yes".

Answer "yes" when asked if you accept the license agreement.

Choose which server type this installation is supposed to be. You can choose between Master and Agent. As explained above, the Master is the actual ThinLinc server while the Agents can be used to spread load across different systems.

The setup will install a few missing dependencies, accept with "yes".

To continue with installing the packages, answer "yes".

Enter the admin's mail address and press enter.

Set a password for the web administration tool. This is required to login to the admin tool with the default user "admin".

Client based printer queue Local Printer support allows users to print documents on a printer that is connected to their terminal from applications running on the ThinLinc server.

'Location based printer queue Nearest Printer is a feature that simplifies the printing process for the user by automatically printing to a printer that is located at the terminal the user is currently using. Users only need to know that they should always print to the nearest printer - the system will figure out the rest based on a database of terminals, printers and locations, eliminating the need to learn the names of printers at different locations. This decreases the need for support.

Answer "yes" to activate location based printer queue, if you want the queue to be configured as described above. You need to have CUPS installed on the system in order to make printers work.

Answer "yes" to configure client-side printers queue, if you want the queue to be configured as described above. You need to have CUPS installed on the system in order to make printers work.

Now the setup asks if it should setup web access aswell. If you want users to be able to use ThinLinc via a web browser, answer "yes".

After having finished the installation and setup of ThinLinc server, a few changes to the firewall are in order, to allow access to the web access and web administration panels. If you did not install web access, don't apply the rules for port 300. The following commands will open ports 300 and 1010 for all HTTPS requests.

ucr set \
security/packetfilter/package/univention-apache/tcp/300/all/en=HTTPS \
security/packetfilter/package/univention-apache/tcp/300/all=ACCEPT \
security/packetfilter/package/univention-apache/tcp/1010/all/en=HTTPS \

Restart univention-firewall for the changes to take effect.

service univention-firewall restart

You can change the ports used by web access and web administration in /opt/thinlinc/etc/conf.d/tlwebadm.conf and /opt/thinlinc/etc/conf.d/webaccess.hconf by changing listen_port to a port of your desire (that is not already taken). You have to restart tlwebadm/tlwebaccess when having applied changes.

service tlwebadm restart
service tlwebaccess restart

ThinLinc client installation on UCC/Linux desktop

Download ThinLinc client debian package and install it on the client. "ThinLinc Client" will appear in the "Internet" category in the Kickoff application starter.


sudo dpkg -i thinlinc-client_4.5.0-4930_i386.deb

LDAP authentication

Login with accounts present in the LDAP is already setup by default. However, only users with SSH access to the machine running ThinLinc server can login to ThinLinc with LDAP credentials. To give "normal" non-admin users such access one has to give each user or a specific group rights to SSH on the machine. You could either give the group "Domain Users" those rights or create a new one just for ThinLinc and put all users requiring access in it (recommended). Creating a new group also does not give all users in the entire domain access to ThinLinc (and ssh) at once, since you might not want anyone to be able to access it and it allows you to restrict the given rights in different ways to limit the dangers of users having ssh access to your machine running ThinLinc server, without having to bear the possibility of running into other problems when restricting the default "Domain Users" group.

To create a new group go to the UMC and open the "Groups" module. Click on "Add" and give the group a name and add all users, that you want to have ThinLinc access, and save it.

Now let's give that group SSH access:

ucr set auth/sshd/group/<ThincLinc Users Group>="yes"

Web administration

ThinLinc provides users with a web administration solution, which is accessible on "https://<HOSTNAME OR IP>:1010" with the credentials set during the initial setup by default.

The official ThinLinc documentation is a good resource for anything related to administrating ThinLinc.

However, we will adress some basic topics here, to cover all steps to set up a basic environment.

Setup servers to connect to

Go to Application servers and select whether you want to add a Windows RDP or a Unix X11 server. Then click on "Add new group". This might be a bit confusing first, every server (also single ones) has to be in a group. You can specify different server separated with commas in the creation. If only one server is set, users will be automatically connect to that one. The group creation page offers various other settings like Extra arguments or keyboard layout, those are rather self-explanatory.

Change programs seen by users

Go to "Desktop Customizer". In this category you can specify which programs shall be seen by users and which commands the icons shall actually trigger. You could for example specify that Firefox shall always be started in private mode by adding the start parameter "-private" to the executed command in Desktop Customizer -> Applications (System). "Applications (Manual)" allows you to do that for non-system programs and "Application Groups" lets you change where applications are presented in the launcher/start menu. The desktop customizer is rather self-explanatory, to discover more about it consult this support article Custom desktops only apply for non-root users. And don't forget to enable the custom desktop for users!

Enable custom desktops for users

To enable desktop settings made in the desktop customizer execute the following commands:

cd /opt/thinlinc/etc/xstartup.d/
ln -s /opt/thinlinc/bin/
ln -s /opt/thinlinc/etc/xstartup.d/

Disable the introduction message

Every time a user logs in, he is prompted with an introduction message. To disable it go to Profiles -> Introductions Texts, untick the checkbox "Yes, show introduction" and Save. You can also change the basic introduction messages here.

See running sessions

To see unique users running sessions, go to Status -> Sessions. You can also see load and license statistics here.

Installing desktop environments

The Univention repository offers different desktop environments to install on your UCS system. Cendio strongly advises users to install desktop environments on the same machine as the ThinLinc server Master.


To install KDE, open the UMC, open the App Center module and install the app "Desktop environment (KDE)" on the machine.


To install XFCE execute this:

univention-install xfce4

Adding ThinLinc to UCS Web services

Copy ThinLinc icon to webserver directory

cp /opt/thinlinc/share/tlwebaccess/www/images/tlclient_72.png /var/www

Create UCR keys for ThinLinc web access

ucr set \
ucs/web/overview/entries/service/thinlinc-web-access/description="ThinLinc remote desktop web access" \
ucs/web/overview/entries/service/thinlinc-web-access/description/de="ThinLinc Remote-Desktop Web-Zugriff" \
ucs/web/overview/entries/service/thinlinc-web-access/icon="/tlclient_72.png" \
ucs/web/overview/entries/service/thinlinc-web-access/label/de="ThinLinc Web-Zugriff" \
ucs/web/overview/entries/service/thinlinc-web-access/label="ThinLinc web access" \
ucs/web/overview/entries/service/thinlinc-web-access/link="https://$(hostname -f):300"

Create UCR keys for ThinLinc web administration

ucr set \
ucs/web/overview/entries/service/thinlinc-web-administration/description="ThinLinc web administration" \
ucs/web/overview/entries/service/thinlinc-web-administration/description/de="ThinLinc Administrationsoberfläche" \
ucs/web/overview/entries/service/thinlinc-web-administration/icon="/tlclient_72.png" \
ucs/web/overview/entries/service/thinlinc-web-administration/label/de="ThinLinc Web-Administration" \
ucs/web/overview/entries/service/thinlinc-web-administration/label="ThinLinc web administration" \
ucs/web/overview/entries/service/thinlinc-web-administration/link="https://$(hostname -f):1010"

Hint: Change $(hostname -f) to the server you installed ThinLinc server Master on, if it's not the machine you are creating the web service entry on.

Personal tools