Product Documentation

Prepare the Linux machine for VDA installation

Sep 27, 2016

Launch YaST tool

The SUSE Linux Enterprise YaST tool is used for configuring all aspects of the operating system.

To launch the text-based YaST tool:


su -

yast

Alternatively, launch the UI-based YaST tool:


su -

yast2 &

Configure networking

The following sections provide information on configuring the various networking settings and services used by the Linux VDA. Configuring networking should be carried out via the YaST tool, not via other methods such as Network Manager. These instructions are based on using the UI-based YaST tool; the text-based YaST tool can be used but has a different method of navigation which is not documented here.

Configure hostname and DNS

  1. Open YaST Network Settings.
  2. SLED 12 Only: On the Global Options tab, change the Network Setup Method to Wicked Service.
  3. Open the Hostname/DNS tab.
  4. Uncheck Change hostname via DHCP.
  5. Check Assign Hostname to Loopback IP.
  6. Edit the following to reflect your networking setup:
  • Hostname – Add the DNS hostname of the machine.
  • Domain Name – Add the DNS domain name of the machine.
  • Name Server – Add the IP address of the DNS server. This is typically the IP address of the AD Domain Controller.
  • Domain Search list – Add the DNS domain name.

Note

The Linux VDA currently does not support NetBIOS name truncation, therefore the hostname must not exceed 15 characters.

Tip

Use a-z, 0-9 and hyphen (-) characters only. Avoid underscore characters (_), spaces and other symbols. Do not start a hostname with a number and do not end with a hyphen.

Disable multicast DNS

On SLED only, the default settings have multicast DNS (mDNS) enabled, which can lead to inconsistent name resolution results. mDNS is not enabled on SLES by default, so no action is required. 

To disable mDNS, edit /etc/nsswitch.conf and change the line containing:


hosts: files mdns_minimal [NOTFOUND=return] dns

To:


hosts: files dns
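The edit above is easy to get wrong by hand (the mdns entry may be mdns_minimal, mdns4_minimal or plain mdns, and an accidental second edit must not damage the file). The following shell functions are an added example, not part of the Citrix documentation: they remove any mdns service from the hosts: line of an nsswitch.conf-style file in one idempotent step and let you verify the result. The function names are this example's own; the file path argument is optional and defaults to /etc/nsswitch.conf so the logic can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not Citrix code): disable mDNS lookups in nsswitch.conf.

# disable_mdns_in_nsswitch [FILE]
# Strips every "mdns*" service name (and a following "[NOTFOUND=return]"
# action) from the "hosts:" line only. Other lines are left untouched and a
# second run is a no-op. Run as root when editing the real file.
disable_mdns_in_nsswitch() {
    file=${1:-/etc/nsswitch.conf}
    tmp=$(mktemp) || return 1
    sed -e '/^hosts:/{
        s/[[:space:]]mdns[^[:space:]]*[[:space:]]*\[NOTFOUND=return]//g
        s/[[:space:]]mdns[^[:space:]]*//g
        s/[[:space:]]\{2,\}/ /g
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo "$file: no mDNS entries on the hosts line; nothing to do"
    else
        # Write through cat so the file keeps its owner and mode.
        cat "$tmp" > "$file" && rm -f "$tmp"
        echo "$file: mDNS removed from the hosts line"
    fi
}

# hosts_line_uses_mdns [FILE] -> exit 0 if the hosts: line still lists mdns
hosts_line_uses_mdns() {
    grep -q '^hosts:.*[[:space:]]mdns' "${1:-/etc/nsswitch.conf}"
}

# Usage on the live system (as root):
#   disable_mdns_in_nsswitch && ! hosts_line_uses_mdns && echo "verified"
```

On SLES, where mDNS is not enabled by default, the function simply reports that there is nothing to do, so the same step can be kept in a preparation script for both editions.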

Check the hostname

Verify that the hostname is set correctly:


hostname

This should return only the machine's host name and not its fully qualified domain name (FQDN).

Verify that the FQDN is set correctly:


hostname -f

This should return the machine's FQDN.

Check name resolution and service reachability

Verify that you can resolve the FQDN and ping the domain controller and XenDesktop Delivery Controller:


nslookup domain-controller-fqdn

ping domain-controller-fqdn

nslookup delivery-controller-fqdn

ping delivery-controller-fqdn

If you cannot resolve the FQDN or ping either of these machines, review the steps before proceeding.

Configure NTP service

Maintaining accurate clock synchronization between the VDAs, XenDesktop Controllers and domain controllers is crucial. Hosting the Linux VDA as a virtual machine can cause clock skew problems. For this reason, maintaining time using a remote NTP service is preferred. Some changes might be required to the default NTP settings:

  1. Open YaST NTP Configuration and select the General Settings tab.
  2. In the Start NTP Daemon section, check Now and on Boot.
  3. If present, select the Undisciplined Local Clock (LOCAL) item and click Delete.
  4. Add an entry for an NTP server by clicking Add.
  5. Select the Server Type and click Next.
  6. Enter the DNS name of the NTP server in the Address field. This service is normally hosted on the Active Directory domain controller.
  7. Leave the Options field unchanged.
  8. Click Test to check that the NTP service is reachable.
  9. Click OK through the set of windows to save the changes.

Note

For SLES 12 implementations, if the NTP daemon fails to start, this might be due to a known SUSE issue with AppArmor policies. Follow the resolution here for additional information.

Install Linux VDA dependent packages

The Linux VDA software for SUSE Linux Enterprise is dependent on the following packages:

  • PostgreSQL
    • SLED/SLES 11: Version 9.1 or newer
    • SLED/SLES 12: Version 9.3 or newer
  • OpenJDK 1.7.0
  • OpenMotif Runtime Environment 2.3.1 or newer
  • Cups
    • SLED/SLES 11: Version 1.3.7 or newer
    • SLED/SLES 12: Version 1.6.0 or newer
  • Foomatic filters 
    • SLED/SLES 11: Version 3.0.0 or newer
    • SLED/SLES 12: Version 1.0.0 or newer
  • ImageMagick
    • SLED/SLES 11: Version 6.4.3.6 or newer
    • SLED/SLES 12: Version 6.8 or newer

Add repositories

Some required packages are not available in all SUSE Linux Enterprise repositories:

  • SLED 11: PostgreSQL is available for SLES 11 but not SLED 11.
  • SLES 11: OpenJDK and OpenMotif are available for SLED 11 but not SLES 11.
  • SLED 12: PostgreSQL is available for SLES 12 but not SLED 12. ImageMagick is available via the SLE 12 SDK ISO or online repository.
  • SLES 12: There are no issues; all packages are available. ImageMagick is available via the SLE 12 SDK ISO or online repository.

To resolve this, the recommended approach is to obtain missing packages from the media for the alternate edition of SLE from which you are installing. That is, on SLED install missing packages from the SLES media, and on SLES install missing packages from the SLED media. The approach described below mounts both SLED and SLES ISO media files and adds repositories.

SLED 11


sudo mkdir -p /mnt/sles

sudo mount -t iso9660 \
    path-to-iso/SLES-11-SP4-DVD-x86_64-GM-DVD1.iso /mnt/sles

sudo zypper ar -f /mnt/sles sles

SLES 11

sudo mkdir -p /mnt/sled

sudo mount -t iso9660 \
    path-to-iso/SLED-11-SP4-DVD-x86_64-GM-DVD1.iso /mnt/sled

sudo zypper ar -f /mnt/sled sled

SLED 12

sudo mkdir -p /mnt/sles

sudo mount -t iso9660 \
    path-to-iso/SLES-12-SP1-DVD-x86_64-GM-DVD1.iso /mnt/sles

sudo zypper ar -f /mnt/sles sles

SLED/SLES 12

sudo mkdir -p /mnt/sdk

sudo mount -t iso9660 \
    path-to-iso/SLE-12-SP1-SDK-DVD-x86_64-GM-DVD1.iso /mnt/sdk

sudo zypper ar -f /mnt/sdk sdk

Install Kerberos client

Install the Kerberos client for mutual authentication between the Linux VDA and the XenDesktop Controllers:


sudo zypper install krb5-client

The Kerberos client configuration is dependent on which Active Directory integration approach is used, which is described later.

Install OpenJDK

The Linux VDA depends on OpenJDK 1.7.0.

Tip

To avoid problems, make sure that only the 1.7.0 version of OpenJDK is installed. Remove all other versions of Java from your system.

SLED

On SLED, the Java runtime environment should have been installed with the operating system. Confirm this with:

sudo zypper info java-1_7_0-openjdk

Update to the latest version if status is reported as out-of-date:

sudo zypper update java-1_7_0-openjdk

Check the Java version:

java -version

SLES

On SLES, the Java runtime environment needs to be installed:

sudo zypper install java-1_7_0-openjdk

Check the Java version:

java -version

Install PostgreSQL

SLED/SLES 11

Install the packages:

sudo zypper install libecpg6

sudo zypper install postgresql-init

sudo zypper install postgresql

sudo zypper install postgresql-server

sudo zypper install postgresql-jdbc

Some post-installation steps are required to initialize the database service and ensure PostgreSQL starts on boot:

sudo /sbin/insserv postgresql

sudo /etc/init.d/postgresql restart

SLED/SLES 12

Install the packages:

sudo zypper install postgresql-init

sudo zypper install postgresql-server

sudo zypper install postgresql-jdbc

Post-installation steps are required to initialize the database service and ensure PostgreSQL starts on boot:

sudo systemctl enable postgresql

sudo systemctl restart postgresql

Database files will reside under /var/lib/pgsql/data.

Remove repositories

With the dependent packages installed, the alternative edition repositories set up earlier can now be removed and the media unmounted:

SLED 11

Remove the repository and unmount the media:

sudo zypper rr sles

sudo umount /mnt/sles

sudo rmdir /mnt/sles

SLES 11

Remove the repository and unmount the media:

sudo zypper rr sled

sudo umount /mnt/sled

sudo rmdir /mnt/sled

SLED 12

Remove the repository and unmount the media:

sudo zypper rr sles

sudo umount /mnt/sles

sudo rmdir /mnt/sles

SLED/SLES 12

Remove the repository and unmount the media:

sudo zypper rr sdk

sudo umount /mnt/sdk

sudo rmdir /mnt/sdk

Prepare Linux VM for Hypervisor

Some changes are required when running the Linux VDA as a virtual machine on a supported hypervisor. Make the following changes according to the hypervisor platform in use. No changes are required if you are running the Linux machine on bare metal hardware.

Fix time synchronization on Citrix XenServer

If the XenServer Time Sync feature is enabled, within each paravirtualized Linux VM you will experience issues with NTP and XenServer both trying to manage the system clock. To avoid the clock becoming out of sync with other servers, the system clock within each Linux guest must be synchronized with NTP. This requires disabling host time synchronization. No changes are required in HVM mode.

On some Linux distributions, if you are running a paravirtualized Linux kernel with XenServer Tools installed, you can check whether the XenServer Time Sync feature is present and enabled from within the Linux VM:


su -

cat /proc/sys/xen/independent_wallclock

This will return either:

  • 0 - The time sync feature is enabled, and needs to be disabled.
  • 1 - The time sync feature is disabled, and no further action is required.

If the /proc/sys/xen/independent_wallclock file is not present, the following steps are not required.

If enabled, disable the time sync feature by writing 1 to the file:


echo 1 | sudo tee /proc/sys/xen/independent_wallclock

To make this change permanent and persist after reboot, edit the /etc/sysctl.conf file and add the line:


xen.independent_wallclock = 1

To verify these changes, reboot the system:


reboot

After reboot, check that this has been set correctly:


su -

cat /proc/sys/xen/independent_wallclock

This should return the value 1.
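The XenServer procedure above is a check, a runtime change and a persistent change, and the persistent part is where mistakes creep in (a second run appending a duplicate line, or a commented-out line with a different value being left behind). The following functions are an added example, not Citrix code: they report the time-sync state from the /proc file and make sure /etc/sysctl.conf carries exactly one active xen.independent_wallclock = 1 line. Both accept a file path so they can be exercised on copies; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Citrix code): XenServer independent_wallclock handling.

# xen_timesync_state [PROC_FILE]
# Prints "enabled" (value 0: host time sync active, must be disabled),
# "disabled" (value 1) or "absent" (file missing: not a PV guest, nothing to do).
xen_timesync_state() {
    f=${1:-/proc/sys/xen/independent_wallclock}
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        0) echo enabled ;;
        1) echo disabled ;;
        *) echo unknown ;;
    esac
}

# persist_independent_wallclock [SYSCTL_CONF]
# Ensures "xen.independent_wallclock = 1" appears once: an existing line for
# the key (even commented out or set to 0) is rewritten in place, otherwise the
# line is appended. Run as root when editing the real /etc/sysctl.conf.
persist_independent_wallclock() {
    conf=${1:-/etc/sysctl.conf}
    key='xen.independent_wallclock'
    key_re='xen\.independent_wallclock'
    if grep -q "^[#[:space:]]*$key_re[[:space:]]*=" "$conf"; then
        sed -i "s|^[#[:space:]]*$key_re[[:space:]]*=.*|$key = 1|" "$conf"
    else
        printf '%s = 1\n' "$key" >> "$conf"
    fi
}

# Usage on a XenServer PV guest (as root):
#   [ "$(xen_timesync_state)" = enabled ] && echo 1 > /proc/sys/xen/independent_wallclock
#   persist_independent_wallclock
```

After a reboot, xen_timesync_state should print "disabled", which corresponds to the value 1 the text above expects.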

Fix time synchronization on Microsoft Hyper-V

Linux VMs with Hyper-V Linux Integration Services installed can leverage the Hyper-V time synchronization feature to use the host operating system's time. To ensure the system clock remains accurate, this feature should be enabled alongside NTP services.

From the management operating system:

  1. Open the Hyper-V Manager console.
  2. In the settings of the Linux VM, select Integration Services.
  3. Ensure Time synchronization is selected.

Note

This approach is different from VMware and XenServer, where host time synchronization is disabled to avoid conflicts with NTP. Hyper-V time synchronization can co-exist and supplement NTP time synchronization.

Fix time synchronization on ESX and ESXi

If the VMware Time Synchronization feature is enabled, within each paravirtualized Linux VM you will experience issues with NTP and the hypervisor both trying to synchronize the system clock. To avoid the clock becoming out of sync with other servers, the system clock within each Linux guest must be synchronized with NTP. This requires disabling host time synchronization.

If you are running a paravirtualized Linux kernel with VMware Tools installed:

  1. Open the vSphere Client.
  2. Edit settings for the Linux VM.
  3. In the Virtual Machine Properties dialog, open the Options tab.
  4. Select VMware Tools.
  5. In the Advanced box, uncheck Synchronize guest time with host.

Add Linux machine to Windows domain

There are a number of methods for adding Linux machines to the Active Directory domain that are supported by XenDesktop for Linux:

  • Samba Winbind
  • Quest Authentication Service
  • Centrify DirectControl

Follow the instructions below for your chosen method.

Samba Winbind

Join Windows Domain

This requires that your domain controller is reachable and you have an Active Directory user account with permissions to add machines to the domain:

1.  Open YaST Windows Domain Membership.

2.  Make the following changes:

  • Set the Domain or Workgroup to the name of your Active Directory domain or the IP address of the domain controller. Ensure the domain is entered in uppercase.
  • Check Also Use SMB information for Linux Authentication.
  • Check Create Home Directory on Login.
  • Check Single Sign-on for SSH.
  • Ensure Offline Authentication is not checked. This option is not compatible with the Linux VDA.

3.  Click OK. If prompted to install some packages, click Install.

4.  If a domain controller is found, you are asked whether you want to join the domain. Click Yes.

5.  When prompted, enter the credentials of a domain user with permission to add computers to the domain and click OK.

6.  A message indicating success is displayed.

7.  If prompted to install some Samba and krb5 packages, click Install.

YaST may have indicated that these changes will require some services to be restarted or the machine needs to be rebooted. It is advisable to reboot:


su -

reboot

SLED/SLES 12 Only: Patch Kerberos credential cache name

SLED/SLES 12 has changed the default Kerberos credential cache name specification from the usual FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc. This new DIR caching method is not compatible with the Linux VDA and must be manually changed. As root, edit /etc/krb5.conf and add the following setting under the [libdefaults] section if not set:


default_ccache_name = FILE:/tmp/krb5cc_%{uid}
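Because the setting must land inside the [libdefaults] section (a line placed after [realms] or [domain_realm] is silently ignored) and SLES 12 may already ship a DIR: value for the same key, it is safer to make the edit with a small script than by hand. The following functions are an added example and are not part of the Citrix documentation; the function names are this example's own. The file path argument defaults to /etc/krb5.conf, so the change can be tried on a copy before editing the real file as root.

```shell
#!/bin/sh
# Added example (not Citrix code): force the FILE: credential cache in krb5.conf.

# set_krb5_file_ccache [KRB5_CONF]
# Rewrites or inserts "default_ccache_name = FILE:/tmp/krb5cc_%{uid}" inside
# [libdefaults]. Existing default_ccache_name lines in that section (e.g. the
# SLES 12 DIR: value, or duplicates) are replaced by the single wanted line;
# a file with no [libdefaults] section gets one appended. Idempotent.
set_krb5_file_ccache() {
    conf=${1:-/etc/krb5.conf}
    want='default_ccache_name = FILE:/tmp/krb5cc_%{uid}'
    tmp=$(mktemp) || return 1
    awk -v want="$want" '
        /^[[:space:]]*\[/ {                       # section header
            if (in_lib && !done) { print "    " want; done = 1 }
            in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            print; next
        }
        in_lib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            if (!done) { print "    " want; done = 1 }
            next                                  # drop old/duplicate values
        }
        { print }
        END {
            if (!done) {
                if (!in_lib) print "[libdefaults]"
                print "    " want
            }
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"      # keeps the owner and mode of the original file
    rm -f "$tmp"
}

# krb5_ccache_name [KRB5_CONF] -> prints the effective default_ccache_name
# from [libdefaults] (empty if not set), for verification after the edit.
krb5_ccache_name() {
    awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_lib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "${1:-/etc/krb5.conf}"
}

# Usage (as root): set_krb5_file_ccache && krb5_ccache_name
```

After the change, a fresh domain logon should create /tmp/krb5cc_uid rather than a directory under /run/user, which is what the user authentication checks later in this document look for.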

Verify domain membership

The XenDesktop Controller requires that all VDA machines, whether Windows or Linux, have a computer object in Active Directory.

Verify that the machine is joined to a domain using Samba's net ads command:


sudo net ads testjoin

Verify additional domain and computer object information with:


sudo net ads info

Verify the Kerberos configuration 

To verify Kerberos is configured correctly for use with the Linux VDA, check that the system keytab file has been created and contains valid keys:


sudo klist -ke

This should display the list of keys available for the various combinations of principal names and cipher suites. Run the Kerberos kinit command to authenticate the machine with the domain controller using these keys:


sudo kinit -k MACHINE\$@REALM

The machine and realm names must be specified in uppercase, and the dollar sign ($) must be escaped with a backslash (\) to prevent shell substitution. In some environments, the DNS domain name is different from the Kerberos realm name; ensure the realm name is used. If this command is successful, no output is displayed.

Verify that the TGT ticket for the machine account has been cached using:


sudo klist

Examine the machine account details using:


sudo net ads status
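Reading the klist -ke listing by eye works for one machine, but when preparing several VDAs it helps to check mechanically that the machine principal used by kinit -k is actually present in the keytab, and to notice when the domain has also issued weak DES or RC4 (arcfour-hmac) keys for it. The following function is an added example, not part of the Citrix documentation; it parses the listing from standard input so it can be tried on captured text, and its name is this example's own. The sample listing in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Citrix code): check the machine principal in `klist -ke`.

# keytab_check PRINCIPAL
# Reads a `klist -ke` listing on stdin. Key lines look like
#   "   2 LINUXVDA01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
# Exit 0 if PRINCIPAL has at least one AES key, 1 if it is missing or has
# only non-AES keys. DES and RC4 keys are reported on stderr either way.
keytab_check() {
    principal=$1
    aes=0; weak=0; found=0
    while IFS= read -r line; do
        case "$line" in
            *" $principal ("*")") ;;          # a key line for our principal
            *) continue ;;
        esac
        found=$((found + 1))
        enctype=${line##* }                   # last field: "(enctype)"
        enctype=${enctype#"("}; enctype=${enctype%")"}
        case "$enctype" in
            aes*)           aes=$((aes + 1)) ;;
            des-*|arcfour*) weak=$((weak + 1))
                            echo "weak key type for $principal: $enctype" >&2 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no keys for $principal in keytab" >&2
        return 1
    fi
    echo "$principal: $found key(s), $aes AES, $weak weak"
    [ "$aes" -gt 0 ]
}

# Usage (as root), with the same uppercase names kinit -k expects:
#   sudo klist -ke | keytab_check 'LINUXVDA01$@EXAMPLE.COM' || echo "keytab not usable"
```

A missing principal means the join did not write the machine account keys and kinit -k will fail; weak key types do not stop the VDA working but are worth raising with the domain administrators, since the machine account's supported encryption types are controlled on the Active Directory side.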

Verify user authentication 

Use the wbinfo tool to verify that domain users can authenticate with the domain:


wbinfo --krb5auth=domain\\username%password

The domain specified here is the AD domain name, not the Kerberos realm name. For the bash shell, the backslash (\) character must be escaped with another backslash. This command will return a message indicating success or failure.

To verify that the Winbind PAM module is configured correctly, logon locally with a domain user account that has not logged onto the machine previously:


ssh localhost -l domain\\username

id -u

Check that a corresponding Kerberos credential cache file was created for the uid returned by the id -u command:


ls /tmp/krb5cc_uid

Check that the tickets in the user’s Kerberos credential cache are valid and not expired:


klist

Exit the session:


exit

A similar test can be performed by logging onto the Gnome or KDE console directly.

Quest authentication service

Configure Quest on Domain Controller

This assumes you have installed and configured the Quest software on the Active Directory domain controllers, and have been granted administrative privileges to create computer objects in Active Directory.

Enable Domain Users to Logon to Linux VDA Machines

For each domain user that needs to establish HDX sessions on a Linux VDA machine:

  1. In the Active Directory Users and Computers management console, open Active Directory user properties for that user account.
  2. Select Unix Account tab.
  3. Check Unix-enabled.
  4. Set the Primary GID Number to the group ID of an actual domain user group.

Note

These instructions are equivalent for setting up domain users for logon using the console, RDP, SSH or any other remoting protocol.

Configure Quest on Linux VDA 

Configure VAS daemon

Auto-renewal of Kerberos tickets needs to be enabled, and disconnected authentication (offline logon) needs to be disabled:


sudo /opt/quest/bin/vastool configure vas vasd \
    auto-ticket-renew-interval 32400

sudo /opt/quest/bin/vastool configure vas vas_auth \
    allow-disconnected-auth false

This sets the renewal interval to 9 hours (32400 seconds) which is an hour less than the default 10 hour ticket lifetime. Set this parameter to a lower value on systems with a shorter Kerberos ticket lifetime.

Configure PAM and NSS

Quest requires that PAM and NSS be manually configured to enable domain user login via HDX and other services such as su, ssh, and RDP. To configure PAM and NSS:


sudo /opt/quest/bin/vastool configure pam

sudo /opt/quest/bin/vastool configure nss

Join Windows Domain

Join the Linux machine to the Active Directory domain using the Quest vastool command:


sudo /opt/quest/bin/vastool -u user join domain-name

The user is any domain user with permissions to join computers to the Active Directory domain. The domain-name is the DNS name of the domain; for example, example.com.

Verify Domain Membership

The XenDesktop Controller requires that all VDA machines, whether Windows or Linux, have a computer object in Active Directory. To verify that a Quest-joined Linux machine is on the domain:


sudo /opt/quest/bin/vastool info domain

If the machine is joined to a domain, the domain name is returned. If not joined, you will see the following error:


ERROR: No domain could be found.

ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm

default_realm not configured in vas.conf. Computer may not be joined to domain

Verify User Authentication

To verify that Quest can authenticate domain users using PAM, logon with a domain user account that has not logged onto the machine previously:


ssh localhost -l domain\\username

id -u

Check that a corresponding Kerberos credential cache file was created for the uid returned by the id -u command:


ls /tmp/krb5cc_uid

Check that the tickets in user’s Kerberos credential cache are valid and not expired:


/opt/quest/bin/vastool klist

Exit the session:


exit

A similar test can be performed by logging onto the Gnome or KDE console directly.

Centrify DirectControl

Join Windows Domain

With the Centrify DirectControl Agent installed, join the Linux machine to the Active Directory domain using the Centrify adjoin command:


su -

adjoin -w -V -u user domain-name

The user parameter is any Active Directory domain user with permissions to join computers to the Active Directory domain. The domain-name parameter is the name of the domain to join the Linux machine to.

Verify Domain Membership

The XenDesktop Controller requires that all VDA machines, whether Windows or Linux, have a computer object in Active Directory. To verify that a Centrify-joined Linux machine is on the domain:


su -

adinfo

Check that the Joined to domain value is valid and the CentrifyDC mode returns connected. If the mode remains stuck in the starting state, then the Centrify client is experiencing server connection or authentication problems.

More comprehensive system and diagnostic information is available using:


adinfo --sysinfo all

adinfo --diag

To test connectivity to the various Active Directory and Kerberos services:


adinfo --test