I recently installed a Linuxmuster server (I ran into a bug right away, so it took a while, but the bug has been fixed since then).
I want to use proxies for most of the clients, but after adding the domain, the proxy settings are not automatically received by the client, I could only test manually that it really works. As I started to look into it, there seem to be several possibilities. One that I’m not sure about, because I haven’t tried it yet, is that with Linbo cloning it happens automatically if set correctly, but for now I don’t want to reinstall every client, but simply move it from the old domain to the new one. The old server automatic proxy settings worked with a wpad pac file, I guess this could be done here, just question if this should be set on opnsense (where the proxy is) or on the lmn server (where the dhcp server is), I found a description for opnsense, but in the current version I don’t have a menu item that it refers to (maybe I need a plugin for that?)?
The other possible option seems to be to create a gpo for this purpose, but I haven’t looked into that yet, I guess you would need rsat first, then a registry, but I don’t know exactly how that would work for lmn.
I think it is relatively easy to do it with gpos.
You have to download the Firefox ESR gpos and put them into the folder windows/PolicyDefinitions and there is then a policy for the proxy configuration where you put in the information you entered manually.
To make the gpo work for the domain, you have to install gpmc on an admin windows pc and then you can configure that.
I can provide more details if needed.
However, if you want to use linbo later anyway, it might be the better option to setup linbo and put the settings in the default user profile of the linbo image. and then you should be set too… it is a little work to get the windows image working… but it might be worth it…
The manual domain join for all the pcs is also work… You still have to fill the devices.csv. So if u had a working linbo image you would save the work of the manual domain join for every pc, right?
So, if I understand correctly, are there some firefox esr gpos available for download somewhere, including one for global proxy settings? If I could find this and edit it, all I would have to do is create a gpo that copies this into the windows\policymanagement folder? The scope I assume would be domain users and computers or is just domain computers enough?
Yes, I would like to use Linbo anyway; on student machines reinstallation with cloning is not a problem, but it’s about 4 rooms of machines (and there are clients outside of those where no important data is stored). The other staff machines are the more troublesome ones, because there is often data, client programs and settings, certificates etc. that need to be saved and these are often unique, so cloning would not work here. By the way, if the above gpo could be created, and if Linbo solves auto proxy settings in a similar way, is it no problem to have 2 gpos with a similar purpose? Is the wpad.pac setup much more complicated?
well in the linbo solution the setting is stored into the image directly
with the gpo you force every machine in the domain to this setting.
the gpo way works like this: you download the policy templates from firefox
(or from google for chrome or from microsoft for edge) and store the files into the folder c:\windows\PolicyDefinitions
there are usually two files per policy: admx and adml (the language files)
you have to copy those files in the appropriate subfolders of c:\windows\PolicyDefinitions
then you can test the policy on a local machine first by using the local windows gpo. you access that with gpedit.msc.
If you copied the files to the correct place you’ll find the policies like in this picture here… since u probably use hungarian it is a little different, but the folder structure should be the same. here you find the policies for the https proxy and http proxy. the configuration is pretty much the same as the local one within firefox, just that it is then set in gpo…
but this is just the local version…
next you have to put it in the gpo in the domain so it is effective for all pcs in the domain.
so then you close gpedit and switch to the gpmc.mmc (rsat tools) and put in the same configuration into the default-school object similar to this example. https://docs.linuxmuster.net/de/latest/systemadministration/gpo/gpo.html
instead of drive letters u would configure the firefox policy…
there are probably many videos or ai to help u with the necessary clicks…
if you wanna use linbo though, you don’t need this… but i guess it doesn’t hurt…
Thanks, I’ll look into it, yes I used rsat on the previous server too, so it’s not unknown, now I put it on my win 8.1 client with only domain access (it’s a half-way out of the box laptop, perfect for testing, no one misses it) and a simple control panel global proxy setup works with any browser, now I’ll have to test if this gpo works for win 10 and win 11 client.
I would like to have a global autoproxy setting if possible (that runs on multiple versions of windows), I don’t want to create a separate one for each browser if possible.
Also, one more question, what about the domain clients that are in the no-proxy group, will gpo advertise there too (with the wpad solution this was certainly not a problem, but if i force the manual setting with gpo i am not sure at all)?
I tried putting the client in the no-proxy group and indeed, if this gpo is active, the client still goes through the proxy, so this form of gpo is not the solution. An alternative might be to make a domain computers group and put all the clients that use the proxy in it (quite a woodworking job as most of the clients will be like that) and then apply the gpo only to that domain computers group; would that work?
The wpad solution is definitely more complicated, so I’m sure I won’t digest it on first reading, especially since the screenshots are in German, so that will be time consuming to translate, but I’ll give it a try and see what I get.
sorry: i dont get the point of the Discussion.
In my eyes it is very simple:
The no proxy group is for servers only: no Client is in there. Maybe you have special Clients: the one of the Housekeeper or such …
every Client has the Proxy globaly set up.
If you like a very complicated way, then, by all means, use the gpo
If you like a simple way: set the Proxy globaly as admin in the Windows Machine, create a new Image and roll it out.
Yes, I got to the same place with the above longer wpad solution as with gpo: even though I put the client in a no-proxy group it still runs through the proxy; the previous server somehow managed to fix it. Maybe I should create an acl or something similar, I’m really not very familiar with that. On the previous server you could simply set proxy settings (accept all/deny all except types and blacklist categories) on a room of machines (ip groups), you could even set no proxy. I found the blacklist categories in opnsense, but not the acl lists, but from that I practically only needed to ban everything except one website (negative list or whitelist on a room of machines, I don’t know the official term for it).
The reason why I need some clients in the noproxy group is that there are some programs that don’t work with proxy (e.g. winscp, the library system program, the camera server monitoring client and some others I can’t think of offhand, but I’m sure there are some)
Ok, so far I’ve found that even if I put the test client in the noproxy group, it gets the automatic proxy settings anyway, but the good news is that if I don’t advertise the proxy settings either with gpo or wpad.pac via dhcp, the client works without proxy. Now I just need to figure out how not to get the autoproxy settings for the client in the noproxy group. With gpo I have an idea, although a rather lumberjack method: make a domain computer group in which I put all clients (most are) that would work through the proxy and the scope of the gpo would only apply to that. With wpad, however, I don’t know if it’s possible to put some kind of excepted ip addresses in the dhcp so that it doesn’t advertise there; that would no doubt be easier to maintain. For that I would probably have to create a rule in opnsense in the wpad.dat settings…
EDIT:
If I create a room in device management where I want to put the unfiltered clients and then create a rule in opnsense’s wpad that does not filter PCs with this hostname, will that work? Doesn’t it hit me that I’ve previously told all hosts to get a proxy? Here is the wpad file generated by this rule; can it work?
I think the philosophy of linuxmuster is:
as soon as a student can log into a certain physical machine and have access to it, the student’s internet access should only be allowed through the proxy with authentication…
as holger said, the no proxy is only for servers or machines with only admin access…
being in the noproxy group means just the client is allowed to access the internet without proxy…
being in the proxy group means the client is only allowed internet access with proxy.
instead of trying to put the wpad to work… it is probably more fruitful to get linbo to work and have a first windows image
once you understand that concept you find other possibilities to do what you are trying to do…
there is a difference using gpo vs no gpo. with gpo u enforce the setting… without gpo everybody can change the setting. this might be good or bad depending what u need.
the wpad settings are as I understand not enforced either. those are the automatic settings if the browsers are set to discover the proxy setting. if u set it to no proxy… then the browser tries to connect without proxy… which only succeeds if the firewall allows it (noproxy group)
in the linbo philosophy u put these settings into the image and deploy it to the computers… if u want different settings for different machines u can create other hardware classes or startup scripts that tweak the registry at start up so the browsers are configured the way you want.
the hardware classes are a set of rules how the harddrives of certain computers (by device.csv) are formatted, partitioned, which images are associated with the image and which startup scripts and regpatches are applied…
understanding those concepts will help u how to achieve client configurations the way you want to have it…
you might be right that some applications have trouble with proxy… but thats a different problem that can also be tackled in different ways…
someone installed an additional proxy on the lmn server I believe for services that have trouble with kerberos auth for the proxy…
in the linbo philosophy the goal is not an up-to-date system that has access to all updates all the time and downloads the newest packages every day; instead, the goal is to have a working and stable client that is reset every day to its stable origin…
so with my gpo example u see… gpo doesn’t allow the users to change the settings… but does it matter if they change it when the client is reset to its stable configuration every morning…? that’s what holger means in his post… u can do it easy or complicated, it is your choice
Finally, the above wpad solution works, not the last one I screenshotted, it’s the other way around from what I thought, but the one before: it first advertises autoproxy to all clients in the domain, then as a second rule it advertises direct access to clients in the nem-szurt room (of course, for this you have to put the ip address of the added machine in the noproxy group, but this would only affect a few staff/teacher machines; all student machines and most of the teacher machines would still go through the proxy).
Thanks for the helpful comments, I don’t insist on the above solution, everything is still in flux, it’s just a test system, I will be able to connect it to the production network only at the end of the school year. If there are better solutions, I’m open to it, really one of the next steps will have to be to test out how Linbo works, I’ll ask for help with that, I guess first step is to set up Linbo-pxe for the machine class and create a partition table, I’d put Windows at the end so that if it’s on a bigger drive in reality it can be easily expanded, but from here I’d have to read how the installation will eventually take place.
What I could still do before putting the server into production network is import clients and users, maybe create special groups for network shares, but I couldn’t find the latter in webui, would that be maybe for projects?
Alternatively, for students, it doesn’t make sense to add graduates, but is there a year-end function? I’m thinking here of deleting seniors after the school year is over, while moving everyone else up a grade? That way at the beginning of each year you only have to add the starting class not maintain the whole csv.
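To make the two-rule wpad behaviour discussed above concrete (autoproxy for everyone, direct access for the clients of one unfiltered room), here is an added proxy.pac / wpad.dat written for this thread. It is not the file OPNsense generates and not code from anyone in the thread; the proxy address, the school network and the unfiltered client addresses are constructed placeholders. Browsers provide isInNet, shExpMatch, dnsDomainIs and myIpAddress to PAC scripts, so minimal offline versions are defined here only to allow testing in Node; the extra clientIp parameter of FindProxyForURL exists for the same reason.

```javascript
// Added example of a wpad.dat with a per-client exception list.
// Assumed/constructed values: proxy host and port, school subnet, the two
// "unfiltered room" client addresses, and the internal DNS domain.

// --- Minimal PAC helper functions so the file runs outside a browser ---
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  // Real browsers resolve hostnames here; this offline version only accepts dotted quads
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$");
  return re.test(str);
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
if (typeof myIpAddress === "undefined") {
  // Stub used only when not running inside a browser
  globalThis.myIpAddress = function () { return "0.0.0.0"; };
}

// --- Constructed site values ---
const PROXY = "PROXY proxy.example.lan:3128";       // assumed proxy address
const SCHOOL_NET = "10.0.0.0";                      // assumed internal network
const SCHOOL_MASK = "255.0.0.0";
const INTERNAL_DOMAIN = ".example.lan";             // assumed internal DNS suffix
// Clients of the unfiltered room; they must ALSO be in the firewall's
// no-proxy group, otherwise DIRECT is returned but the firewall still blocks them.
const UNFILTERED_CLIENTS = ["10.0.50.11", "10.0.50.12"];

function FindProxyForURL(url, host, clientIp) {
  const me = clientIp !== undefined ? clientIp : myIpAddress();

  // Rule 2 of the thread: listed clients bypass the proxy entirely
  if (UNFILTERED_CLIENTS.indexOf(me) !== -1) return "DIRECT";

  // Local and internal destinations never go through the proxy
  if (shExpMatch(host, "localhost") || isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (dnsDomainIs(host, INTERNAL_DOMAIN) || isInNet(host, SCHOOL_NET, SCHOOL_MASK)) return "DIRECT";

  // Rule 1 of the thread: every other client is sent through the proxy
  return PROXY;
}
```

The decision is taken per client address, which is why the exception list mirrors the firewall's no-proxy group: the PAC file only tells the browser not to use the proxy, and the firewall decides whether that direct connection is actually allowed.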
LINBO: it‘s much better to take the examples for different clients in the linbo-subfolder and simply change only the size of the partitions. No recommendation of changing the order of the partitions!!!
I second that… if u deviate from the templates (order) u can run into problems and burn a lot of time trying out stuff. I think windows likes to be the first primary partition… u won’t be easily able to run windows setup if u do it differently… windows actually likes to do the partitioning itself… but this is linbo’s task if u use linbo… one of the problems is that windows can only be installed if windows detects that there is space for a rescue partition…
so stick to the templates first… it is the first hurdle u have to overcome
maybe start with a one-OS setting first. Once you have a working windows image u can try other partition setups too… that is my experience when I did this the last time…
I don’t see any examples of this in webui, or would it already show up in Linbo boot?
According to the description, the partition table created in webui has to be created with linbo, then the installation with the installation media and here you have to take care of course that the given op system is placed on the right partition. And yes in the example above the 500 mb windows rescue partition is left out (it would go after the efi), but that was not set in stone, I was just looking at the options. However, it would be nice if windows partition was the last one that could easily run out of space, but in that case it would remain easily expandable for the rest of the back drive. Mostly it can be messed up by syncing at the wrong time as I read, and you have to choose the op with the correct version of course (for Linux client e.g. Ubuntu 22.04 can only be with gdm display manager, I guess it uses the gdm configuration file to log into the domain), question if I want a multiboot system, when should the syncs be done? Already after installing Windows, or after I have already installed Ubuntu with grub and set Win as primary in grub configuration?
ssh <server>
cd /srv/linbo/examples
Here you can find many examples for nearly every situation:
ll
-rw-r--r-- 1 root root 797 Mär 3 2023 image.postsync
-rw-r--r-- 1 root root 513 Feb 19 2023 image.prestart
-rw-r--r-- 1 root root 1045 Mai 8 2023 README.txt
-rw-r--r-- 1 root root 1985 Mai 22 2019 start.conf.linux
-rw-r--r-- 1 root root 3972 Aug 5 2024 start.conf.opensuse
-rw-r--r-- 1 root root 3143 Aug 5 2024 start.conf.remote_cache
-rw-r--r-- 1 root root 3980 Aug 5 2024 start.conf.ubuntu
-rw-r--r-- 1 root root 3980 Aug 5 2024 start.conf.ubuntu2004
-rw-r--r-- 1 root root 4324 Aug 5 2024 start.conf.ubuntu2004-efi
-rw-r--r-- 1 root root 5790 Aug 5 2024 start.conf.ubuntu2004-opensuse-efi
-rw-r--r-- 1 root root 4324 Aug 5 2024 start.conf.ubuntu-efi
-rw-r--r-- 1 root root 5790 Aug 5 2024 start.conf.ubuntu-opensuse-efi
-rw-r--r-- 1 root root 3616 Aug 5 2024 start.conf.win10
-rw-r--r-- 1 root root 4310 Aug 5 2024 start.conf.win10-efi
-rw-r--r-- 1 root root 5847 Aug 5 2024 start.conf.win10-ubuntu
-rw-r--r-- 1 root root 5847 Aug 5 2024 start.conf.win10-ubuntu2004
-rw-r--r-- 1 root root 6161 Aug 5 2024 start.conf.win10-ubuntu2004-efi
-rw-r--r-- 1 root root 6161 Aug 5 2024 start.conf.win10-ubuntu-efi
-rw-r--r-- 1 root root 5849 Aug 5 2024 start.conf.win10-win10-efi
-rw-r--r-- 1 root root 1600 Mai 10 2023 win10.global.reg
-rw-r--r-- 1 root root 900 Mai 10 2023 win10.image.reg
-rw-r--r-- 1 root root 367 Mai 4 2023 win11bypass.reg
You can copy one of these examples: cp start.conf.win10-efi .. (and don’t forget to copy the *.reg-Keys, too!)
but it’s important that you use the same name for this hardware class in your devices.csv – maybe something like this:
When this client is up and running it’s no problem to increase the partition size later … just change the value, let LINBO re-format the client and re-install it via PXE and it’s done!
Ok, thanks, but where to copy these example files, and in the Win-Ubuntu multiboot example the Windows partition is not at the end (and only 50 gb, which is very little), so I could not easily increase it afterwards just by hammering Linux, and there is a linux ext4 cache partition in it, what does that cover (maybe this would be home, isn’t this the linbo cache, how big should it be set to? )?
I think I’ll try my own custom partition table first, this will be a test installation anyway to see how Linbo works, the only issue here is the time of synchronizations under multiboot, because this is not described in the documentation, only separately for Windows and Linux client.
But I might start tomorrow, because only the uplink of this test system network is gigabit, the rest is only 100 mbit.
Update:
I’d test it, but my test network is too slow: it’s a very old cisco switch that takes about 2 minutes to get an ip address with dhcp, and during the linbo boot it asks several times and maybe on the third one (when the GUI comes up and tells me there is no ip) there is not enough waiting time to get the ip address or for the link to come up (this was also a problem with the Sambaedu pxe boot, but there I could bypass the problem by pressing the pause button, but here it doesn’t work), so I only get the console boot menu, where I can only choose between restart and shutdown.
Is there no way to increase the wait time for the network to get ready? If not then I’ll have to look for a test switch with a faster response time, but there are occasional old switches like this elsewhere in the building, so there will be a problem with Linbo in those places.
I solved it with an intermediate switch, but the network latency is still short on older Cisco switches (e.g. 2960), I don’t know if there is somewhere to edit it, but what you have to pay attention to when entering the password is that the keyboard assignment will be in the language of your choice, say it only occurs on non-English/German/French keyboards.
The ext4 cache partition is the place where LINBO stores the images of your installed OSs locally, once the download from the server has finished successfully.
I suppose 100 MBit/s is no fun for big images
You can set the „DHCP retry“ command in the start.conf. Maybe increase the value
So the linbo cache partition will not be copied to the real machine? Is it just to store the installed system(s) as an image on the server? So then as I look at the examples, it should only be put after op systems, so it’s worth leaving it big enough to make sure the image fits. Otherwise, is it an option to edit an example config like this to put Win system partition at the end or is the order of partitions wired in?
And I’ll try the dhcp retry option, by the way if I put this in the global dhcpd.conf file it won’t affect Linbo?
LINBO works like this:
a client is booting via PXE → LINBO is coming up and within LINBO you can set the option „synchronized start“. If this option is set the client compares the locally stored image with the one on the server. Normally they have the same timestamp and the client can boot normally. But whenever you took your master-client and pushed a new image to the linuxmuster-server the client will notice it and download the newer image from the server first. After the download LINBO will rollout the new image locally.
So you have the „master-images“ on the v7-server and on top local copies on every client which is booting via PXE. When a client is managed by LINBO it can completely boot and synchronize itself automatically.
When you look at the partition table in the examples-folder:
[Partition] # partition section (cache)
Dev = /dev/nvme0n1p4 # device name of the partition
#Dev = /dev/sda4 # device name of the partition
Label = cache # partition label
Size = 50G # partition size 50G
Id = 83 # partition id (83 = linux)
FSType = ext4 # filesystem ext4
Bootable = no # set bootable flag no
This is the local cache for the client with 50 GB.
On this partition there’s our Win10-Image with 27 GB (in qcow2 format). So there’s still plenty of free diskspace left.
Our Linux-Image has a size of „only“ 11 GB at the moment (but of course I know that you can have much smaller Linux-images with around 4-5 GB, too!!)
But if you want to transfer these files with 100 MBit/s it will take a lot of time:
~ 37 minutes for the big Win10-Image at least!
The good point: As long as you don’t change your master-image there’s no need to transfer it again with the next PXE-boot of that client. Let’s say a user broke the system (with format c: /force). In this case the client will boot via PXE and compares the images again: as the image on the server didn’t change meanwhile it won’t download it again but take the local copy to roll it out again. So the client can repair itself within minutes (without network traffic!!). Did you understand LINBO better now?
I always set the dhcp-Options directly in the start.conf:
cd /srv/linbo/
mcedit start.conf.win10-efi
Find the line:
KernelOptions = quiet splash nomodeset dhcpretry=10 # linbo kernel options, space separated
You can increase the value to 20 and see if it’s enough for the client to get its IP-address from the server.
Last but not least: On Cisco switches there are many pitfalls to be aware of … one of them is the „STP (spanning tree protocol) / RSTP (rapid spanning tree protocol)“. Another one is the option „DHCP-Relaying/Snooping“