Deploying Citrix XenDesktop Linux VDA using Red Hat Enterprise and vSphere – Part 2
Previously I covered pre-deployment information for the Linux VDA and demonstrated the deployment steps for a standard Red Hat Enterprise Linux VM on vSphere. If you have not already read through Part 1, I highly encourage you to do so by selecting the link below.
Part 1: Introduction to the Linux VDA and Red Hat Enterprise Linux
Part 2: Preparing the Linux VM for the VDA – Installing and Configuring Prereqs < YOU ARE HERE
Part 3: Installing the Linux VDA and Deploying Linux Specific Catalogs and Delivery Groups
Part 4: Bonus – Simple Image Management and Deployment of Linux VDAs
Install VMware Tools
VMware Tools is required as part of the Linux VM deployment. Not only does it install the correct drivers, but it is also used in a later step to customize the VMs deployed from template.
From the VM console select VM -> Guest -> Install/Upgrade VMware Tools
Click OK at the informational and warning message.
From within the OS, the VMware Tools ISO will mount and the below VMware Tools folder will appear.
Right click on VMwareTools-9.4.10-2068191.tar.gz and select Extract To.
Select a folder location to which the files will be extracted. I selected Documents and created a folder vmware tools. Click Extract.
A new folder will be created, vmware-tools-distrib. Double click on the vmware-install.pl file within this folder to launch the VMware Tools setup.
Select Run in Terminal.
All configurations can be left at default throughout the VMware Tools setup. Simply hit enter after each question.
VMware Tools install continued…
VMware Tools install is complete!
Install Prerequisite RPM Packages (Or use YUM)
Install Using RPM Command
Mount the RHEL 6.6 ISO and double click on the Packages folder. This folder contains all of the necessary packages for the Linux VDA installation (aside from the Linux VDA RPM itself). For easy installation of these packages, I would recommend copying them from the ISO to a local folder of your choice.
Launch a terminal session and navigate to the location of the copied and/or downloaded RPMs. If you are not updating packages, the following RPMs should not be included in the folder as they are already installed:
Package Name
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
krb5-libs-1.10.3-37.el6_6.x86_64.rpm
krb5-workstation-1.10.3-37.el6_6.x86_64.rpm
samba-client-3.6.23-14.el6_6.x86_64.rpm
samba-common-3.6.23-14.el6_6.x86_64.rpm
samba-winbind-3.6.23-14.el6_6.x86_64.rpm
samba-winbind-clients-3.6.23-14.el6_6.x86_64.rpm
If you are going to install all of the required RPMs without the updates listed above, this is what you will see. Since all packages are located in a single folder I can simply run the command:
rpm -Uvh *.rpm
Install With YUM
As an alternative you can use yum to install the prerequisite software as described in the Citrix Linux VDA documentation. The Citrix documentation includes the following yum entries:
yum -y install java-1.7.0-openjdk-devel (for Java update)
yum -y install postgresql-server
yum -y install postgresql
yum -y install postgresql-devel
yum -y install postgresql-jdbc
yum -y install redhat-lsb-core
yum -y install ImageMagick
yum -y update samba-winbind
yum -y update krb5-workstation
Prepare the Linux VDA
The next steps will take us through the verification and configuration process, after which we will have a domain joined Linux VM ready to have the VDA software installed.
Verify Hostname, Name Resolution, and set NTP Service Configuration
Launch a terminal window and run the following commands:
hostname -f
nslookup <domain controller fqdn>
ping <domain controller fqdn>
To configure the NTP Service, navigate to System->Administration->Date & Time
Check the box to Synchronize date and time over the network. Then select Add and type in the fully qualified domain name of your local NTP servers (usually just your Domain Controllers).
Click OK once your NTP servers have been added.
Next we’ll need to implement a fix for a known RHEL 6 issue that will ask users for the root password after logon. Since our users may not have root access, this could leave the Linux Desktop in an unusable state.
Create and open a new file by running the command:
nano /etc/polkit-1/localauthority/30-site.d/20-no-show-proxy-dialog.pkla
Type in the following text and hit CTRL+O to save the file:
[No Show Proxy Dialog]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-network-proxy-configure
ResultAny=no
ResultInactive=no
ResultActive=no
Hit CTRL+X to exit and return to the Linux Desktop.
Configure Java and PostgreSQL
Since PostgreSQL and Java have already been installed we can jump straight into their configuration, though these steps can be performed immediately following installation as well.
Open a terminal and run the following command to set the JAVA_HOME environment variable:
export JAVA_HOME=/usr/lib/jvm/java
Moving on to PostgreSQL, we will first need to initialize the PostgreSQL database.
sudo service postgresql initdb
Run the next commands to ensure the PostgreSQL service starts on boot, and also starts immediately.
sudo chkconfig postgresql on
sudo service postgresql start
Finally, the version of PostgreSQL and the location of the data directory should be verified.
Run the below commands and verify the information is as follows:
psql --version
sudo -u postgres psql -c 'show data_directory'
Add the Linux Virtual Desktop to the Windows Domain using Samba Winbind
Either Samba Winbind or Quest can be used to join the Linux OS to the Windows Domain. However, Quest requires additional software to be installed on the Domain Controllers, and I would recommend taking the Winbind route unless your enterprise already utilizes Quest for authentication. The packages installed thus far assume a Winbind implementation.
First, the Winbind and Kerberos services must be configured. Open a terminal and run the following command to configure Winbind to start on boot:
sudo chkconfig winbind on
Next we’ll want to force Winbind to create the system keytab file when joining the domain, which is required for machine account authentication. Run the following command to open the smb.conf file:
nano /etc/samba/smb.conf
Under the [global] section add the following text as shown below.
kerberos method = secrets and keytab
winbind refresh tickets = true
The Citrix Linux Virtual Desktop Installation Guide walks through the process of joining the domain using the GUI. Below I’ve shown the process for joining the domain using command line, which I find to be much faster. Refer to the Citrix Installation Guide for more details on the alternate configuration process.
Run the following commands and provide the administrative user’s password when prompted. Be sure to type in all references to the domain in ALL CAPS or authentication issues will occur during VDA access.
chkconfig oddjobd on
authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=<SHORT DOMAIN NAME> --smbrealm=<FQDN> --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=<FQDN> --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
net ads join -U <User with Computer Join Privileges>
Open the file pam_winbind.conf to enable ticket caching and home directory creation. The settings are prepopulated but may be commented out. Use the following command to quickly open the file:
nano /etc/security/pam_winbind.conf
Set the configuration for the following items as shown below:
krb5_auth = yes
krb5_ccache_type = file
mkhomedir = yes
Restart the Winbind service.
sudo service winbind restart
The system is joined to the domain and ready to have the XenDesktop VDA installed. However, since authentication issues are the most likely cause of problems, we will first run through a series of tests to verify the Linux VM is properly authenticated to the Windows Domain. Remember the authconfig and net ads join commands though, as they will be added to a script allowing us to more quickly clone off and spin up additional Linux VDAs!
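Before running the tests, the smb.conf and pam_winbind.conf values set above can be checked with a short script. This is an added example, not part of the original post or the Citrix documentation; the function names are hypothetical, and the embedded sample files are constructed, with the smb.conf key misspelled as "windbind" so that one check fails.

```shell
#!/bin/sh
# Added example (not from the original post): check the smb.conf and
# pam_winbind.conf values this walkthrough sets. Helper names are hypothetical.

# get_ini_value FILE SECTION KEY: print the lowercased value of KEY in
# [SECTION]. Comment lines (# or ;) are skipped; the last assignment wins.
get_ini_value() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) {
            gsub(/^[ \t]+|[ \t\r]+$/, "", s); gsub(/[ \t]+/, " ", s)
            return tolower(s)
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); sec = norm(sec); next }
        sec == norm(want_sec) && (eq = index($0, "=")) > 0 {
            if (norm(substr($0, 1, eq - 1)) == norm(want_key))
                val = norm(substr($0, eq + 1))
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_setting FILE SECTION KEY EXPECTED: return 0 only on an exact match.
check_setting() {
    actual=$(get_ini_value "$1" "$2" "$3")
    [ "$actual" = "$4" ] && { echo "OK   $3 = $actual"; return 0; }
    echo "FAIL $3 is '${actual:-unset}', expected '$4' ($1)"
    return 1
}

# check_vda_auth_config SMB_CONF PAM_WINBIND_CONF: exit status = failure count.
check_vda_auth_config() {
    fails=0
    check_setting "$1" global "kerberos method" "secrets and keytab" || fails=$((fails + 1))
    check_setting "$1" global "winbind refresh tickets" "true" || fails=$((fails + 1))
    check_setting "$2" global krb5_auth yes || fails=$((fails + 1))
    check_setting "$2" global krb5_ccache_type file || fails=$((fails + 1))
    check_setting "$2" global mkhomedir yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: "winbind" misspelled in smb.conf, so one check fails.
demo() {
    d=$(mktemp -d)
    printf '[global]\nkerberos method = secrets and keytab\nwindbind refresh tickets = true\n' > "$d/smb.conf"
    printf '[global]\n;krb5_auth = no\nkrb5_auth = yes\nkrb5_ccache_type = file\nmkhomedir = yes\n' > "$d/pam_winbind.conf"
    check_vda_auth_config "$d/smb.conf" "$d/pam_winbind.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "settings needing attention: $?"
```

On the VDA itself, run check_vda_auth_config /etc/samba/smb.conf /etc/security/pam_winbind.conf. The script compares against the exact values used in this post, so an equivalent value such as yes in place of true is reported as a mismatch.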
Active Directory Testing
Let’s begin the Active Directory authentication testing by verifying the system joined properly. Run the following command:
sudo net ads testjoin
If successful, you should see the output “Join is OK”
Next we will verify that a domain user is able to authenticate to the domain on the Linux OS. This can be done by passing krb authentication credentials to the winbind info command wbinfo.
wbinfo --krb5auth=domain\\username%password
Now that we know the Linux VM allows domain authentication for user logon, we will want to verify the Winbind PAM module is configured correctly. This can be done by connecting to the localhost via SSH and logging in with a user that has yet to logon to this system.
ssh localhost -l domain\\username
If the output is anything other than “Creating home directory for user.”, either the user has already logged onto this system, or the PAM module is not configured correctly.
While logged in as the domain user, check the user’s ID.
id -u
Using the user ID obtained in the previous step, run the following command to verify the Kerberos credential cache file was created:
ls /tmp/krb5cc_uid
If the file exists, you will see the path returned as output. If the file does not exist a “No such file or directory” error will be returned.
Finally, we need to verify that the Kerberos tickets in the user's credential cache are valid. The expiration dates should return a future value.
klist
Exit the terminal. Active Directory authentication configuration is now verified.
If additional troubleshooting and/or information is required, see the Citrix Linux Virtual Desktop Installation Guide. I intentionally left a few of the AD testing commands out of this blog as they are not required for setup.
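The credential cache steps above only confirm that /tmp/krb5cc_uid exists. The script below, an added example that is not part of the original post, also checks that the file is a regular file owned by the logged-in user with no group or other access, then uses klist -s to test ticket validity. The function names are hypothetical and the demo runs against a constructed stand-in file.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# check_ccache PATH UID: succeed only if PATH is a regular file (not a
# symlink), owned by numeric UID, with no group/other permission bits.
check_ccache() {
    cc_path=$1 want_uid=$2
    [ -L "$cc_path" ] && { echo "FAIL $cc_path is a symlink"; return 1; }
    [ -f "$cc_path" ] || { echo "FAIL $cc_path is missing or not a regular file"; return 1; }
    # ls -ldn prints: <mode> <links> <numeric uid> <numeric gid> ...
    set -- $(ls -ldn "$cc_path")
    mode=$1 owner=$3
    [ "$owner" = "$want_uid" ] || { echo "FAIL owner is uid $owner, expected $want_uid"; return 1; }
    case $mode in
        -???------*) ;;
        *) echo "FAIL mode $mode lets group/other access the cache"; return 1 ;;
    esac
    echo "OK   $cc_path owned by uid $owner, mode $mode"
}

# verify_user_kerberos: run as the freshly logged-in domain user on the VDA.
verify_user_kerberos() {
    uid=$(id -u)
    check_ccache "/tmp/krb5cc_$uid" "$uid" || return 1
    # klist -s prints nothing; it exits non-zero if the cache is absent or expired.
    KRB5CCNAME="FILE:/tmp/krb5cc_$uid" klist -s || { echo "FAIL no valid tickets"; return 1; }
    echo "OK   tickets in /tmp/krb5cc_$uid are valid"
}

# Constructed sample: a stand-in cache file, private first, then world-readable.
demo_ccache() {
    f=$(mktemp)
    chmod 600 "$f"; check_ccache "$f" "$(id -u)"; first=$?
    chmod 644 "$f"; check_ccache "$f" "$(id -u)"; second=$?
    rm -f "$f"
    [ "$first" -eq 0 ] && [ "$second" -eq 1 ]
}
demo_ccache && echo "demo behaved as expected"
```

Call verify_user_kerberos from the SSH session opened in the PAM test, while still logged in as the domain user.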
Next in the series, we will continue on with the actual installation and configuration of the Linux VDA software!