IRC chat logs for #ltsp on irc.freenode.net (webchat)


Channel log from 28 July 2013   (all times are UTC)

01:34 Parker955_Away is now known as Parker955
01:53 Parker955 is now known as Parker955_Away
02:32 yalu has left IRC (yalu!~yalu@89.73-64-87.adsl-dyn.isp.belgacom.be, Ping timeout: 268 seconds)
02:34 yalu has joined IRC (yalu!~yalu@91.180.67.99)
02:52 FrozenZia has joined IRC (FrozenZia!pbrown@evo.paivola.fi)
07:00 vmlintu has joined IRC (vmlintu!~vmlintu@nblzone-240-143.nblnetworks.fi)
07:34 Phantomas has joined IRC (Phantomas!~Phantomas@ubuntu/member/phantomas)
07:57 Phantomas1 has joined IRC (Phantomas1!~Phantomas@ubuntu/member/phantomas)
07:58 Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas, Ping timeout: 264 seconds)
10:24 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
10:27 bitcheker has joined IRC (bitcheker!~bitchecke@dynamic-adsl-62-10-100-173.clienti.tiscali.it)
10:37 Patina has left IRC (Patina!~tomas@1385158770.dhcp.dbnet.dk, Read error: Operation timed out)
10:38 Patina has joined IRC (Patina!~tomas@1385158770.dhcp.dbnet.dk)
10:54 bitcheker has left IRC (bitcheker!~bitchecke@dynamic-adsl-62-10-100-173.clienti.tiscali.it, Quit: {exiting})
12:37 monteslu has left IRC (monteslu!~monteslu@ip68-109-166-101.ph.ph.cox.net, Read error: Connection reset by peer)
15:27 bobby_C has joined IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at)
15:32 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Read error: Operation timed out)
15:47 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
15:52 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Excess Flood)
15:54 bobby_C has left IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at, Read error: Operation timed out)
15:55 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
15:59 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Excess Flood)
16:05 joshu has left IRC (joshu!~joshu@62-20-176-238-no28.tbcn.telia.com, Quit: Computer has gone to sleep.)
16:08 Phantomas1 is now known as Phantomas
16:09 joshu has joined IRC (joshu!~joshu@62-20-176-238-no28.tbcn.telia.com)
16:18 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
16:25 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Max SendQ exceeded)
16:28 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
16:39 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Ping timeout: 240 seconds)
16:43 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
16:48 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Excess Flood)
16:51 freedomrun has joined IRC (freedomrun!~freedomru@unaffiliated/freedomrun)
17:28 freedomrun has left IRC (freedomrun!~freedomru@unaffiliated/freedomrun, Quit: So long and thanks for all the fish)
17:53
<vmlintu>
joshu: are you the same person looking for lightdm help?
17:54
<joshu>
vmlintu hi yes
17:55
<vmlintu>
did you read through the mail I sent to the lightdm mailing list?
18:02
<joshu>
vmlintu yes I read your reply.
18:03
One problem I'm having is that I have not been able to figure out how to pass the username and password from lightdm greeter to the desktop file Exec= which will run xfreerdp
18:03
I can get the username and password echoed to a text file by modifying /etc/pam.d/lightdm, but that's as far as I have been able to get
18:06
<vmlintu>
I don't think you can get the password to the session without writing it somewhere in pam stack
18:07
lightdm should not keep the password anywhere after passing it to pam in auth phase
18:10
<joshu>
ok so how would you do this? I have looked at this project yesterday and tried to learn from it.
18:10
https://github.com/opinsys/ltsp-lightdm
18:10
it's the same that you linked to
18:11
<vmlintu>
freerdp doesn't support kerberos if I have understood right?
18:13
ltsp-lightdm is something I was involved in creating
18:15
<joshu>
I don't think freerdp supports kerberos but I'm not sure.
18:16
<vmlintu>
can you pass the password on command line to freerdp client?
18:16
<joshu>
yes like this xfreerdp /v:ip_address /u:username /p:password
18:17
I tried to put this in the desktop file Exec=xfreerdp /v:ip_address /u:$PAM_USER /p:$PAM_PASS and different variations, but no luck
18:38
<vmlintu>
PAM_USER and PAM_PASS are not available for the desktop file
18:38
I think you have to write them to a file in pam stack
18:39
Then create a script that reads the information from the file and launches xfreerdp
18:45
<joshu>
vmlintu that sounds good but I don't know how to "write them to a file in pam stack"
18:48
<vmlintu>
have you used pam_exec ?
18:50
<joshu>
vmlintu yesterday was the first time for me doing anything with PAM. I did try to use pam_exec to run a script; that's how I wrote the username and password to a text file in /tmp, for instance
18:50
<vmlintu>
so you were able to write them to a file under /tmp?
18:50
<joshu>
I can then read from that file, but I was hoping there was a "secure" way of passing the password without writing to a text file
18:50
yes
18:52
<vmlintu>
libpam-sshauth package has binary shm_askpass that you could use for that
18:52
<joshu>
this is what I did https://gist.github.com/anonymous/6c2833ef460efed9ea64
19:01 staffencasa has left IRC (staffencasa!~staffenca@8-220.ptpg.oregonstate.edu, Read error: Connection reset by peer)
19:02 staffencasa has joined IRC (staffencasa!~staffenca@8-220.ptpg.oregonstate.edu)
19:06
<vmlintu>
so instead of writing the password to a file you'd call shm_askpass to store the password
19:07
do all your users have a local linux account on your laptops?
19:08
<joshu>
vmlintu at the moment they have nothing. they used to use desktop thin clients Wyse, but now things have changed and as everyone is in remote locations they need laptop thin clients. So if necessary I will create a local linux account on each laptop
19:09 Kanhai has joined IRC (Kanhai!75c46975@gateway/web/freenode/ip.117.196.105.117)
19:09
<Kanhai>
HI
19:09
i want to know what kind of apps i can run on thin clients?
19:09
<vmlintu>
then you should be able to get the uid from USER env parameter when starting xfreerdp
19:12
<Kanhai>
anyone?
19:12
<vmlintu>
I don't remember what shm_askpass needs to work as I'm not using it for anything now..
19:13 Kanhai has left IRC (Kanhai!75c46975@gateway/web/freenode/ip.117.196.105.117, Client Quit)
19:30
<joshu>
vmlintu I'm googling shm_askpass and trying to work out what you've suggested
19:31
<vmlintu>
shm_askpass needs PAM_USER to be set
19:32
<joshu>
so I would keep the way I modified /etc/pam.d/lightdm adding that pam_exec authtok line? just change the script that's called?
19:32
<vmlintu>
so in your pam script you should be able to just call:
19:33
shm_askpass --write
19:33
Yes, just change the script
19:34
<joshu>
the placement of my pam_exec in the lightdm file is ok? I just guessed where to put it ;)
19:34
<vmlintu>
then in your xfreerdp script call:
19:34
PASS=$(shm_askpass)
19:35
after that you should have password in PASS variable
19:35
What's in your /etc/pam.d/common-auth?
19:50 Parker955_Away is now known as Parker955
19:57
<joshu>
vmlintu the default https://gist.github.com/anonymous/3d75c93ec2b75df6a593
19:59
<vmlintu>
joshu: are you going to use pam_freerdp or how do you authenticate the user against the server?
20:00
<joshu>
vmlintu I have reached out to the author of pam_freerdp to understand how to use it, but have not received any response, so I probably won't use it as I don't know how to
20:04
<vmlintu>
so you have to sync local and server passwords?
20:04
is it a windows server? Could you just use kerberos to authenticate against it?
20:06
<joshu>
yes windows server
20:07
<vmlintu>
then you should be able to use pam_krb5 if the server allows it, no need for pam_freerdp
20:08
<joshu>
at the moment I would be happy with just having the local account being set up by me when I set up each laptop and then don't allow password changes for the time being. I know it's not the best, but these users are in remote places and the only way they can access the windows server is once they are connected via VPN
20:10
<vmlintu>
do you use user credentials to open the vpn connections or is it device specific?
20:12
<joshu>
I have an L2TP/IPSec VPN server working, but there is no official L2TP/IPSec plugin for network manager, so I will switch to an OpenVPN server and use the gnome-network-manager-openvpn plugin. I haven't configured the server or client yet but I believe that certificates are used. never used OpenVPN
20:14
<vmlintu>
ok, the nm-openvpn plugin has been working nicely for me at least.. With certificates and certificates + google authenticator
20:16
<joshu>
it sounds to me like you do many of the things that I want to do
20:16
<vmlintu>
this is what we do: http://labs.opinsys.com/blog/2012/05/22/what-opinsys-does/
20:17
<joshu>
so when a user boots your OS they get the lightdm greeter like I have on mine? http://cl.ly/image/0l1O3I2J173l
20:17
<vmlintu>
yes
20:18
<joshu>
ok and they have to manually connect to the VPN, then login?
20:19
<vmlintu>
We've been using ltsp quite a while, but lately we've been working quite a bit on getting ltsp images to work on laptops. The laptops run all applications locally, so there's no need for a ltsp server for them.
20:20
<joshu>
I see.
20:20
<vmlintu>
The laptops get network-manager configuration from LDAP and they connect automatically to school wifi networks.
20:21
When they are connected to school wifi, they use ldap/kerberos servers in the local network and elsewhere they use ldap/kerberos through vpn. OpenVPN connects automatically when there's a network connection.
20:21
<joshu>
I'm undecided on whether the user should connect to the VPN by selecting the pre-configured VPN in the network-manager menu, then login to lightdm and then the xfreerdp session is started. Or if it should happen automatically
20:21
<vmlintu>
If there's no network, users can login using sssd's offline cache
20:22
<joshu>
so when the laptop boots up, they see the lightdm greeter and the openvpn automatically connects if they have an ethernet, wifi, usb modem connection?
20:22
<vmlintu>
yes
20:22
But we don't use network-manager to handle that vpn connection.
20:23
<joshu>
how do you handle that? lightdm desktop-setup-script?
20:23
<vmlintu>
There's a separate custom openvpn upstart job that launches openvpn to connect to correct gateway
20:24
<joshu>
hmm and user certificates are on the system locally? no password prompt for the vpn?
20:24 Parker955 is now known as Parker955_Away
20:25
<vmlintu>
We use device certificates for this: https://github.com/opinsys/puavo-vpn/blob/master/client/upstart/puavo-vpn-client.conf
20:25
We have also other vpn tunnels that use user certificates + google authenticator
20:26
Those tunnels are opened through network-manager as they need user interaction
20:27
<joshu>
and that puavo vpn client uses openvpn client not nm-openvpn plugin, correct?
20:28
<vmlintu>
yes, puavo-vpn-client launches the openvpn binary directly without network-manager
20:28
<joshu>
got it. and when the laptop is powered down, it closes the vpn session?
20:28
with a script as well?
20:31 bobby_C has joined IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at)
20:34
<vmlintu>
yes
20:34
well, the client just exits and the server then closes the connection
20:35
<joshu>
as I was thinking of doing it
20:36
and you have some users with mobile broadband connections via usb modems? a script to detect the modem and connect to mobile broadband before the upstart openvpn script? or user manual process?
20:40
<vmlintu>
users have to do that themselves.. openvpn retries the connection until it succeeds, so it comes up quite soon after the connection
20:40
but I have to call it for the night and continue tomorrow
20:42
<joshu>
ok vmlintu thank you very much for the discussion
20:42
vmlintu I hope we might be able to continue tomorrow as I try to get this sorted by the end of Friday next week
20:43
<vmlintu>
I'll be online randomly, but I can try to help
20:44
<joshu>
vmlintu thanks again vmlintu. have a good night!
20:52 vmlintu has left IRC (vmlintu!~vmlintu@nblzone-240-143.nblnetworks.fi, Ping timeout: 264 seconds)
21:47 bobby_C has left IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at, Ping timeout: 276 seconds)
21:56 Parker955_Away is now known as Parker955
22:05 Parker955 is now known as Parker955_Away
22:24 Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas, Ping timeout: 246 seconds)
22:52 Parker955_Away is now known as Parker955
22:55 Parker955 is now known as Parker955_Away