To share some experience of ThinLinc kerberos under MacOS

xm1234567 · 17 October 2023 13:03

Hello, I’d like to share some experience about Kerbero with ThinLinc for MacOS client.

My environment:
A stand alone server is Rocky 9 with thinlinc-server-4.15.0-3358.x86_64. This server is playing both master and agent. The vsmagent.hconf is like below:

/opt/thinlinc/etc/conf.d/vsmagent.hconf
master_hostname=localhost
agent_hostname=

When I test from a Ubuntu client, password and Kerbeos are both working fine. But for Macbook pro intel MacosX Sonoma (14.0), the client has trouble to set up the connection with the ThinLinc agent.
The error message is: Impossible to configure a securty turnnel to ThinLinc agent

So I set clealy the FQDN for the agent_hostname, restart the service, then it works for MacOS. Of course, Ubuntu client is still happy with this setting.

/opt/thinlinc/etc/conf.d/vsmagent.hconf
master_hostname=localhost
agent_hostname=server.abc.com

Xm

martin · 18 October 2023 08:34

Thank you for sharing.

Generally, fully working DNS resolution is a requirement of Kerberos. So I’m a bit surprised it worked fine with Ubuntu without specifying agent_hostname.

I also believe this could differ depending on the Kerberos implementation. If I’m not mistaking, macOS uses Heimdal (and probably tweaked) while GNU/Linux would typically use MIT.

Regards,
Martin