Friday 22 October 2010

Remote software installation on Windows workstations

There are various articles out there about how such things may be done, but here are my collective thoughts on the matter.

Given a collection of machines that are members of an NT domain, and access to a domain user account that has administrative privileges on the workstations (such as a member of Domain Administrators).

Then you need to get hold of the PsTools suite from Sysinternals. Just install this on the machine you will be running the installations from.

On the file server, I have a folder called swupdates which contains all the installers. In particular I have Firefox, Thunderbird, Adobe Reader, Flash Player, OpenOffice, Java JRE and RealVNC.

Firefox and Thunderbird need extracting from their original installers using 7-Zip. OpenOffice also needs extracting, and this can be done by starting the installer, letting it run through the extraction of files and then cancelling the installation. I make sure that the folder names involved don't include spaces, for the sake of simplicity in the scripts.

The installer for Flash Player can be downloaded from http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe to avoid the Adobe Download Manager.

For Thunderbird, I take advantage of this to put the Thunderbird customisation that I previously discussed onto the clients.

With OpenOffice I take the opportunity to install an extension that disables the first run wizard.

Configuring RealVNC is done by setting up one machine and then exporting the HKLM\Software\RealVNC key to a .reg file, which is then imported after the software is installed on the target machine.

Then we require a script to actually do the installations - for the current software collection at the time of writing this is as follows:

swupdate.cmd:

@echo off
rem swupdate.cmd - usage: swupdate.cmd <machinename>
rem Run from the admin workstation with PsTools on the path, as a domain account
rem that is a local administrator on the target. Installers are copied to the
rem target through the C$ admin share and then executed on it with psexec.
echo "checking for installers directory on the target..."
if not exist \\%1\C$\installers mkdir \\%1\C$\installers
if not exist \\%1\C$\installers\Firefox3.6.11 mkdir \\%1\C$\installers\Firefox3.6.11
if not exist \\%1\C$\installers\Thunderbird3.1.5 mkdir \\%1\C$\installers\Thunderbird3.1.5
if not exist \\%1\C$\installers\OOo mkdir \\%1\C$\installers\OOo
echo "copying installers..."
copy \\server\software\swupdates\AdbeRdr940_en_US.exe \\%1\C$\installers\
copy \\server\software\swupdates\install_flash_player.exe \\%1\C$\installers\
xcopy "\\server\software\swupdates\Firefox3.6.11\*" "\\%1\C$\installers\Firefox3.6.11\" /e /y
xcopy "\\server\software\swupdates\Thunderbird3.1.5\*" "\\%1\C$\installers\Thunderbird3.1.5\" /e /y
xcopy "\\server\software\swupdates\OOo\*" "\\%1\C$\installers\OOo\" /e /y
copy \\server\software\swupdates\jre-6u22-windows-i586-s.exe \\%1\C$\installers\
copy \\server\software\swupdates\vnc-4_1_3-x86_win32.exe \\%1\C$\installers\
copy \\server\software\swupdates\realvnc.reg \\%1\C$\installers\
echo "Installing Firefox..."
rem -ms is the silent install switch; helper.exe then makes Firefox the default browser for all users
psexec.exe \\%1 "C:\installers\Firefox3.6.11\setup.exe" -ms
psexec.exe \\%1 "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultappGlobal
echo "Installing Thunderbird..."
psexec.exe \\%1 "C:\installers\Thunderbird3.1.5\setup.exe" -ms
rem custom.cfg and custom.js carry the site-wide Thunderbird settings described in the earlier post
copy \\exodus\software\swupdates\custom.cfg "\\%1\C$\Program Files\Mozilla Thunderbird\"
copy \\exodus\software\swupdates\custom.js "\\%1\C$\Program Files\Mozilla Thunderbird\defaults\pref\"
echo "Installing Adobe Reader...."
psexec.exe \\%1 "C:\installers\AdbeRdr940_en_US.exe" /sAll /rs
rem remove the desktop shortcut the Reader installer leaves behind
del "\\%1\C$\Documents and Settings\All Users\desktop\Adobe*.lnk"
echo "Installing Flash Player..."
psexec.exe \\%1 "C:\installers\install_flash_player.exe" -install
echo "Installing OpenOffice..."
rem unattended MSI install without the online update component, then the extension that disables the first run wizard
psexec.exe \\%1 msiexec /qn /norestart /i C:\installers\OOo\openofficeorg32.msi ADDLOCAL=ALL REMOVE=gm_o_Onlineupdate
copy \\exodus\software\swupdates\DisableFirstStartWzd_ooo321.oxt "\\%1\C$\Program Files\OpenOffice.org 3\program"
psexec.exe \\%1 "C:\Program Files\OpenOffice.org 3\program\unopkg" add --shared "C:\Program Files\OpenOffice.org 3\program\DisableFirstStartWzd_ooo321.oxt"
echo "Installing Java VM"
psexec.exe \\%1 "C:\installers\jre-6u22-windows-i586-s.exe" /s /v/qn
echo "Installing RealVNC"
rem silent Inno Setup install, then import the HKLM\Software\RealVNC settings exported from the reference machine
psexec.exe \\%1 "C:\installers\vnc-4_1_3-x86_win32.exe" /SP- /VERYSILENT /NORESTART
psexec.exe \\%1 regedit /s c:\installers\realvnc.reg
echo "All done"


Then from a second script you call this first one with the name of each machine:

updatemachine.cmd:

@echo off
call swupdate.cmd machine1
call swupdate.cmd machine2
call swupdate.cmd machine3


Provided that each machine's firewall settings allow File and Print Sharing access in, this will run the installations on each of the machines.

There are obviously many other variations that could be achieved with this - the key thing is to find the method to silent install each piece of software that you're interested in. A lot of useful info can be found on the AppDeploy site.

Monday 9 August 2010

Using Ubuntu 10.04 ltsp workstations as character terminals

I've finally got round to updating our LTSP setup to use Lucid. We have a number of LTSP terminals that work just at the character terminal level, with the screens doing a telnet into another system and with no X Window running on them at all.

Lucid's switch to the Plymouth startup system has an interesting side effect with this - namely that with the default setup, you are left just looking at the Plymouth screen and are not able to access any of the VTs to do anything else.

The solution is a custom entry in the pxelinux.cfg directory relevant to the Lucid boot set (in my case /srv/tftp/ltsp/lucidi386/pxelinux.cfg - note the change from previous versions where /var/lib/tftpboot has been replaced by /srv/tftp)

I've rearranged the IP addresses of my text-only workstations so that they are all in a block of 16 IP addresses, which means they all look for the same config file under the hexadecimal IP address naming that PXE uses. Then in that file I put

default ltsp-text

label ltsp-text
kernel vmlinuz
append ro initrd=initrd.img quiet splash nbdport=2004 vga=normal nomodeset


This has the added advantage that the console stays at 80x30 characters which is very usable for the application that we are using.
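To make the "block of 16 addresses share one file" point concrete, here is an added Python example (not part of the original post) that reproduces the name search PXELINUX performs in pxelinux.cfg/: the client IP as eight upper-case hex digits, then one digit fewer each time, then default. The terminal addresses 192.168.1.16 to 192.168.1.31 are constructed for the example, and the MAC-address based 01-... name that PXELINUX tries before the hex names is left out.

```python
import ipaddress


def pxelinux_config_names(ip):
    """Config file names pxelinux looks for in pxelinux.cfg/, most specific first.

    After the MAC-based '01-xx-xx-...' name (omitted here) pxelinux tries the
    client IP as eight upper-case hex digits, then keeps dropping the last
    digit, and finally falls back to 'default'.
    """
    hexip = "%08X" % int(ipaddress.IPv4Address(ip))
    return [hexip[:n] for n in range(8, 0, -1)] + ["default"]


def shared_config_name(cidr):
    """Hex file name that every host of an aligned block matches before 'default'.

    Each hex digit covers four address bits, so a /28 (16 addresses) shares the
    first seven digits, a /24 the first six, and so on.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 4:
        raise ValueError("block must start on a hex-digit boundary (prefix length a multiple of 4)")
    return ("%08X" % int(net.network_address))[: net.prefixlen // 4]


def hosts_share_name(cidr):
    """Sanity check: every address in the block reaches the shared name."""
    name = shared_config_name(cidr)
    net = ipaddress.IPv4Network(cidr)
    return all(name in pxelinux_config_names(str(addr)) for addr in net)


if __name__ == "__main__":
    # constructed example: text terminals on 192.168.1.16 - 192.168.1.31
    block = "192.168.1.16/28"
    print("file to create in pxelinux.cfg/:", shared_config_name(block))
    print("search order for 192.168.1.20:", pxelinux_config_names("192.168.1.20"))
```

Because the more specific names are tried first, a single terminal in the block can still be given its own file (for 192.168.1.20 that would be C0A80114) without disturbing the shared C0A8011 entry the rest of the block uses.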

Monday 26 July 2010

Using https with wget

The version of wget installed on a Debian box seems not to like doing HTTPS by default, because it does not know about the CA certificates.

Here's a solution I found:

Download cacert.pem from http://curl.haxx.se/docs/caextract.html and put it in /etc/ssl/certs

Then amend /etc/wgetrc to add the line

ca_certificate=/etc/ssl/certs/cacert.pem

Then wget knows about the CA certificates and all is well for HTTPS.

Monday 24 May 2010

Thunderbird 3 in a business setup

For a number of years we've used Thunderbird as the mail client of choice. It has a good feature set and does IMAP well. However, the advent of Thunderbird 3 adds a little issue.

To reduce the size of roaming profiles (and therefore speed up login and logout) we have Thunderbird profiles mapped to a directory within the users' login directory, and hence stored on the server. Thunderbird 3 automatically downloads copies of all the users' IMAP email, both to build an offline cache and to index the mail for the new search facility.

This would mean that the server space used by the Thunderbird profile would grow considerably.

So there are two choices: either disable the global indexing and offline store, or put the offline store somewhere else.

As the new search is a good tool, I've opted for the second - though I'll leave it up to the users as to whether they use the search tool or not.

The solution here is to add a couple of files to each machine running Thunderbird:

Firstly, in the defaults/pref/ folder (/usr/lib/thunderbird-3.0.4/defaults/pref on Linux, C:\Program Files\Thunderbird\defaults\pref on Windows) I add a little file custom.js

/* Custom local config */

pref("general.config.obscure_value", 0);
pref("general.config.filename", "custom.cfg");


The first of those settings means that you can write your config file in plain ASCII rather than a strange encoding and the second is the name of the custom config.


Next, the custom config goes in /usr/lib/thunderbird-3.0.4 for linux or C:\Program Files\Thunderbird for windows

// (this first line is always skipped by Mozilla's autoconfig loader, so it must be a comment)
/* This will disable indexation by default - can be enabled per user */
defaultPref("mailnews.database.global.indexer.enabled", false);

/* This will disable offline download by default */
defaultPref("mail.server.default.offline_download", false);

/* This will parse the prefs.js and set the directory for "offline_download" for each IMAP account */

if (getenv("USER") != "") {
  // *NIX settings
  var env_user = getenv("USER");
  var env_home = getenv("HOME");      // not used below, kept for reference
  var env_os = "linux";
} else {
  // Windows settings
  var env_user = getenv("USERNAME");
  var env_home = getenv("HOMEPATH");  // not used below, kept for reference
  var env_os = "windows";
}

if (getPref("mail.accountmanager.accounts")) {

  // comma separated list of account ids, e.g. "account1,account2"
  var listExistingAccounts = getPref("mail.accountmanager.accounts");
  var arrayExistingAccounts = listExistingAccounts.split(',');

  for (var i = 0; i < arrayExistingAccounts.length; i++) {
    // each account points at a server entry, whose type tells us if it is IMAP
    var serverFromAccount = getPref("mail.account." + arrayExistingAccounts[i] + ".server");
    var configType = getPref("mail.server." + serverFromAccount + ".type");
    if (configType == "imap") {
      defaultPref("mail.server." + serverFromAccount + ".offline_download", false);
      // INBOX. as the server sub directory gives the better folder layout against Courier IMAP
      lockPref("mail.server." + serverFromAccount + ".server_sub_directory", "INBOX.");
      var serverName = getPref("mail.server." + serverFromAccount + ".hostname");
      var userName = getPref("mail.server." + serverFromAccount + ".userName");
      // the offline store goes outside the roaming profile: Local Settings on Windows,
      // the sticky /opt/mailcache area on Linux; locked so users cannot move it back
      if (env_os == "windows") {
        lockPref("mail.server." + serverFromAccount + ".directory", "[LocalAppData]Thunderbird/" + serverName + "/" + userName);
        lockPref("mail.server." + serverFromAccount + ".directory-rel", "[LocalAppData]Thunderbird/" + serverName + "/" + userName);
      }
      if (env_os == "linux") {
        lockPref("mail.server." + serverFromAccount + ".directory", "/opt/mailcache/" + env_user + "/" + serverName + "/" + userName);
        lockPref("mail.server." + serverFromAccount + ".directory-rel", "/opt/mailcache/" + env_user + "/" + serverName + "/" + userName);
      }
    }
  }
}


I also take advantage of this to set the server directory for the IMAP folders to INBOX. as that gives the better layout of mailboxes in Thunderbird when talking to a Courier IMAP server.

On a Windows machine, I set the users' offline cache to be in the Local Settings part of their profile. This keeps it within the user's own profile but avoids it being synced to the server.

For a Linux machine, I set up an area called /opt/mailcache with the same kind of permissions as /tmp, i.e. globally writable but with the sticky bit set. This has the result that individual users can't get at each other's mail cache.

In our LTSP setup, /opt/mailcache will be excluded from the backup as there is no need to back this stuff up as it is simply a copy of what is already in the mailbox.

Tuesday 6 April 2010

Windows 7 on a Samba domain

After years of happily running Samba domains controlling Windows XP machines, I've had to investigate how Windows 7 integrates into that environment.

I usually use Debian as the server platform of choice. This has the benefit of a stable software platform at the detriment of not always being up to date. And in this instance that is a problem. Some of the bits that are required in Samba to support 7 in a domain environment don't appear until later versions of Samba than the one currently shipped with Debian "lenny" - the current stable release.

Fortunately the very nice people at SerNet provide Debian packages for the latest Samba release (http://enterprisesamba.com/index.php?id=148) - so by simply adding the relevant repository and installing sernet-samba in place of the normal samba, we can get these extra features.

There are still a couple of registry hacks needed to make 7 work:

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

And then it will join the domain. There is a warning that pops up about DNS issues, but that is fine to ignore and it will work.

Now, the next fun part is that due to the drastic changes in profile data between XP and 7, the two won't share a profile, so you end up with two for each user if you are in a mixed environment. This is not a problem as such, but you will want to consider some folder redirection, particularly of My Documents, to a location that both can see; otherwise you'll have a different copy of documents for each operating system.

If you set that to be a network location, which would be the most sensible, then on desktop PCs you'll probably also want to disable offline files. While they're great for laptop users, there is no point in syncing each user's files to the desktop in an environment where the machines never leave the network, plus the system tends to get rather confused as it keeps trying to connect to sync other users' files without the appropriate permissions to do so.

Wednesday 10 February 2010

Ubuntu machine with NFS home and LDAP authentication

A while ago I posted about joining Ubuntu machines to an NFS / NIS setup. Well, things have moved on since then; both later Ubuntu distros and our authentication is now LDAP. So, here's the up to date procedure. This does assume some knowledge of linux commands and familiarity with editing config files.

As before, the first issue is that of moving /home. And that hasn't changed. When setting up the machine create a user who is local to the machine - pick a name that won't clash with any user in the LDAP - and then after the initial setup, boot in single user mode and move /home to /localhome. Then edit /etc/passwd to change references to /home into /localhome.

To allow NFS shares to be mounted install the nfs-common package. Then you can edit /etc/fstab to include the mounting of any NFS shares (after having made the mount point)

e.g.

bigserver:/home /home nfs defaults 0 0

Then to get the authentication going you want to install libnss-ldap and libpam-ldap. The installation of these packages will ask for the details of your LDAP setup such as the base dn and the admin cn and password.

Give it a re-boot and you should be off and running.

One caveat - due to the timing of things launching - you may see warnings about certain partitions not being mounted. This can be caused by delays in getting a network address.

A quick fix for this is to add "mount -a" to the /etc/rc.local file to force a re-try at any mounts that fail at the end of the boot process.

If you want to allow any of your users to have special powers on the desktop then /etc/security/group.conf is your friend. This grants extra group membership to logged in users depending on where they come from and what time / day it is.

You will probably want a line like:
gdm;*;*;Al0000-2400;cdrom, floppy, audio, video, plugdev

to allow all users at the desktop access to the relevant hardware.

But you may also want
gdm;*;importantuser;Al0000-2400;lpadmin, admin

to allow importantuser to do administrative things. You'll then need to add
auth optional pam_group.so
to /etc/pam.d/common-auth to make this active.
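As an added illustration of how those group.conf lines are read (this is a model written for this page, not pam_group's own code), the Python below evaluates the services;ttys;users;times;groups format against a login and returns the groups it would be granted. It covers the syntax the two lines above use plus the common extras: * wildcards, ! negation, | (or) and & (and) between tokens, the Mo..Su/Wk/Wd/Al day codes with HHMM-HHMM ranges, and comma-separated groups; the sample configuration and login details are constructed.

```python
"""Model of how pam_group reads /etc/security/group.conf lines (added illustration,
not pam_group's own code): a login matching services, ttys, users and times is
granted the groups listed in the fifth field of every matching line."""
from datetime import datetime
from fnmatch import fnmatchcase

DAY_CODES = ("Mo", "Tu", "We", "Th", "Fr", "Sa", "Su")  # index matches datetime.weekday()

# Constructed sample: the two lines from the post plus a comment line.
SAMPLE_GROUP_CONF = """\
# /etc/security/group.conf (constructed sample)
gdm;*;*;Al0000-2400;cdrom, floppy, audio, video, plugdev
gdm;*;importantuser;Al0000-2400;lpadmin, admin
"""

# Constructed moments to evaluate against: a Wednesday morning and a Saturday.
A_WEEKDAY = datetime(2010, 2, 10, 9, 30)
A_WEEKEND = datetime(2010, 2, 13, 10, 0)


def match_logic_field(field, value):
    """Evaluate a token list such as 'tty*&!ttyp*' or 'us|moe' left to right."""
    field = field.strip()
    if field == "*":
        return True

    def test(token):
        negate = token.startswith("!")
        return fnmatchcase(value, token.lstrip("!")) != negate

    result, op, token = None, "|", ""
    for ch in field + "|":  # trailing '|' flushes the last token
        if ch in "&|":
            hit = test(token)
            if result is None:
                result = hit
            elif op == "&":
                result = result and hit
            else:
                result = result or hit
            op, token = ch, ""
        else:
            token += ch
    return bool(result)


def parse_days(spec):
    """Expand day codes into weekday numbers; a repeated code toggles back off
    (pam_group documents MoMo as no day and MoWk as all weekdays except Monday)."""
    days = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code == "Al":
            group = set(range(7))
        elif code == "Wk":
            group = set(range(5))
        elif code == "Wd":
            group = {5, 6}
        elif code in DAY_CODES:
            group = {DAY_CODES.index(code)}
        else:
            raise ValueError("unknown day code %r" % code)
        days ^= group
    return days


def match_time(field, when):
    """'Al0000-2400|Wk0900-1700' style field; start > end is treated as crossing midnight."""
    field = field.strip()
    if field == "*":
        return True
    minute = when.hour * 60 + when.minute
    for entry in field.split("|"):
        days, rng = entry[:-9], entry[-9:]
        start, end = (int(t[:2]) * 60 + int(t[2:]) for t in rng.split("-"))
        if when.weekday() not in parse_days(days):
            continue
        if start <= end and start <= minute < end:
            return True
        if start > end and (minute >= start or minute < end):
            return True
    return False


def extra_groups(conf_text, service, tty, user, when):
    """Groups a login gets: every matching line contributes its group list."""
    granted = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if (match_logic_field(services, service) and match_logic_field(ttys, tty)
                and match_logic_field(users, user) and match_time(times, when)):
            granted.extend(g.strip() for g in groups.split(",") if g.strip())
    return granted


if __name__ == "__main__":
    for svc, who in (("gdm", "importantuser"), ("gdm", "alice"), ("sshd", "importantuser")):
        print(svc, who, "->", extra_groups(SAMPLE_GROUP_CONF, svc, ":0", who, A_WEEKDAY))
```

Running it shows the point of the service field: importantuser picks up lpadmin and admin only when the login comes through gdm, and an SSH login to the same box gets nothing from these lines.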