[SOLVED] Running System | Administration apps with VNC


andyhorton
28th February 2011, 02:44 PM
Hello,

I have an issue which is fairly common I believe. I have found lots of pages discussing the problem but I have been unable to find any which give an answer.

I am logging in to my Fedora 14 box using VNC. Mostly it is fine, but when I try to run some of the admin GUIs I get a problem. For example, running the Firewall Admin GUI displays the usual warning about overwriting your configs, and then it displays a dialog with the error "org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.config.firewall.auth:". When I try the same thing from the console (sitting in front of the box) I get a prompt to authenticate as root... which I do, and then I can administrate the firewall.

So, the difference is, when using VNC the root authentication does not work.

This is the case with the Firewall Admin, with Add/Remove Software and a few others.

However, some GUIs work fine, for example, Users and Groups does still ask for root authentication before moving on and allowing me to administrate the users and groups.

I have read that the issue is the policy kit. But there is no GUI anymore for the policy kit, so it is not easy to configure. Of course it might not be this.

Could anyone help me with how to configure things so that one can do the same work down VNC sessions as one can do at the console? This box is a headless server, which means that the remote sessions are the only way we can connect to the box.

Thanks guys.

SiliconSlick
28th February 2011, 04:55 PM
Are you using a vncserver on display :1 or the vnc module on display :0? I use the latter and it allows me to run virt-manager and other tools that I can't run via vncserver.

SS

---------- Post added at 10:55 AM ---------- Previous post was at 10:01 AM ----------

Oh... headless. So you likely boot to init level 3 and don't have X set up... the X11 vnc module won't do you any good in that case unless you are willing to boot to level 5 (with the GUI overhead that implies) and trick X into ignoring the lack of a monitor (which isn't too hard). If you are willing to do that overhead I can try to help... if you want to figure out how to authenticate when not having a "console" session (i.e. when using vncserver), I'll have to let someone else answer... I'd like to know myself for virt-manager. But until then my home server is booting level 5 with vnc (I have an old CRT hooked up to it and really don't want to have to get up from the computer I am using when I need console access).

SS

andyhorton
1st March 2011, 09:02 AM

Please don't let me mislead you when I say "headless". What that means to me is that there is no monitor attached. What it means is that I *am* running vncserver and logging in on display :3 (don't ask me why :3, had some other users on :1 and :2, they are gone now).

The first part of your answer is interesting. If running on screen :0 is the thing to do, then I would like to do that. So please do tell...

I assume from what you say that vncserver runs on screen :1 and over, is that right?

What is display :0? Is it the "console" (which to me means the thing you would see when you sit in front of the box - i.e. you can log out of it, and it is still there, and you can log back in again as someone else)

How does one setup the vnc module on display :0? Can you give instructions or point me in the right direction?

Thanks.

Andy

andyhorton
1st March 2011, 09:39 AM
Don't let me mislead you with "headless", it might mean something different in detail to me to you (if you know what I mean). A headless server, to me, is a server without a physical monitor, generally accessed using iLO (for HP servers) or other network-accessible screen. Generally one wants the network-based screen to look the same as the physical screen - one can log in and out as different users.

Anyway, to your original answer: Yes I am using vncserver on :3 (:1 and :2 were other users who are deleted now). It does not let me run some of the admin functions as described. So, by the sounds of it, I need to run :0.

What is :0? Is it fundamentally different to :1 and above?

How do I connect to the system using the vnc module on display :0? Could you point me at instructions or some other information?

andyhorton
1st March 2011, 09:39 AM
Oh oh. I think I just posted twice... did not see the "Your post will not be visible until a moderator has approved it for posting" message. Sorry guys.

SiliconSlick
1st March 2011, 02:57 PM
1) Install tigervnc-server-module.
2) create a system-wide VNC password in /root/.vnc/vncpasswd with vncpasswd
3) Add/incorporate the following bits into /etc/X11/xorg.conf... you will need to create one if you don't have one.

Section "Module"
Load "vnc"
EndSection

Section "Screen"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection

4) Restart X/reboot
5) There should be a VNC session on :0 (i.e. vncviewer hostname:0) that will give you all the powers you would have if sitting at the console

SS

andyhorton
1st March 2011, 03:31 PM
Thanks, I will try this when I get home from work - do have a VNC connection to the machine from here, but I don't want it to go down and not be able to fix it (using a monitor and keyboard!).

One question though, is I notice that you are setting root's VNC password. Does this mean that I will need to use root's VNC password to get to :0? I assume yes. But is it also the case that I will see a Fedora login screen and be able to then login as any user (e.g. me - andrew)?

You don't have to answer those really, I will get to try it soon.

SiliconSlick
1st March 2011, 05:05 PM
The VNC password can be anything (not root's). Once you log in to VNC (using that password) you can log in as a normal user (with the user's password).

Note: the tricky/dicey part in this is getting X to start when there is no monitor connected. For example, here I have to use nvidia's ConnectedMonitor Option in the Device/VideoCard0 section of xorg.conf to "CRT" to tell it not to try to detect the monitor (since the monitor is often turned off when booting). Different drivers will have different ways of dealing with it (if it even poses a problem).

SS

flyingfsck
2nd March 2011, 06:06 AM
Howdy,

Using SSH should be easier, since SSH has X features built in, so you don't need to have X running on your server:
$ ssh -X -C -c blowfish user@server "whichever GUI program you wanna run"

andyhorton
2nd March 2011, 10:06 AM
FF, I cannot use ssh like that as I am making connections to the server from a Windows machine sometimes... I don't think PuTTY has built in X server. And besides, SS's suggestion is describing the setup I am after... I want to get to the console (which in my world means "the session I would see if there were a monitor attached"). I mean, I would like to get to the console and see the whole boot (CMOS stuff and all) but that is not going to work without iLO or some such hardware based network console.

So, back to SS's method.

I have carried out the following steps:

1. Installed tigervnc-server-module.
2. Created a system-wide VNC password in /root/.vnc/vncpasswd with
$ su -
# vncpasswd
3) Created a /etc/X11/xorg.conf as follows (there was not one before):

##############START###############
Section "Module"
Load "vnc"
EndSection

Section "Screen"
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection
##############END###############

4) Rebooted the machine

Now, it does not work. There are two problems:

1. Not central, but important anyway - the reboot hung (I think it might be waiting somewhere for me to confirm). That is fine, I will deal with that later... but I would like to know how to ask the X server (or whatever) to reboot (bearing in mind I am working over an SSH session) so that any settings I make will take effect.

2. I think SS refers to this below - the X session does not seem to be starting, the log (below) seems to point to two problems:
(A) my config file appears to have an error
(B) X won't start as there is no monitor
So, what is wrong with my config file? And how do I tell it to ignore the fact there is no monitor?

Here is my /var/log/Xorg.0.log

##############START###############
[ 40.057] (==) Log file: "/var/log/Xorg.0.log", Time: Tue Mar 1 21:18:05 2011
[ 40.081] (==) Using config file: "/etc/X11/xorg.conf"
[ 40.082] (==) Using config directory: "/etc/X11/xorg.conf.d"
[ 40.082] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[ 40.188] Parse error on line 7 of section Screen in file /etc/X11/xorg.conf
This section must have an Identifier line.
[ 40.188] (EE) Problem parsing the config file
[ 40.188] (EE) Error parsing the config file
[ 40.188]
Fatal server error:
[ 40.188] no screens found
[ 40.188]
Please consult the Fedora Project support
at http://wiki.x.org
for help.
[ 40.188] Please also check the log file at "/var/log/Xorg.0.log" for additional information.
##################END###############

I am sooo going to blog the whole solution when I find it, there are sooo many people out there trying to get this to work!
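
Added example, not part of the original thread: a small Python check for the two things this xorg.conf exchange turns on, the missing Identifier that Xorg rejects in the log above and the VNC authentication settings of the vnc module. The function names are hypothetical, the sample config is a constructed copy of the one posted, and the list of sections that need an Identifier follows xorg.conf(5).

```python
import os
import re
import stat

# Section types that xorg.conf(5) requires to carry an Identifier line.
NEEDS_IDENTIFIER = {"screen", "device", "monitor", "inputdevice",
                    "inputclass", "serverlayout"}

# Constructed sample: a copy of the xorg.conf posted in the thread.
SAMPLE_CONF = '''\
Section "Module"
Load "vnc"
EndSection

Section "Screen"
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection
'''

def lint_xorg_conf(text):
    """Return (findings, options) for an xorg.conf given as a string."""
    findings, options = [], {}
    section, start, has_ident = None, 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        opened = re.match(r'(?i)Section\s+"([^"]+)"', line)
        option = re.match(r'(?i)Option\s+"([^"]+)"(?:\s+"([^"]*)")?', line)
        if opened:
            section, start, has_ident = opened.group(1), lineno, False
        elif re.match(r"(?i)EndSection\b", line):
            if section and section.lower() in NEEDS_IDENTIFIER and not has_ident:
                findings.append(f'line {start}: Section "{section}" has no Identifier')
            section = None
        elif re.match(r"(?i)Identifier\s", line):
            has_ident = True
        elif option:
            options[option.group(1).lower()] = option.group(2) or ""
    # The vnc module accepts a comma-separated SecurityTypes list; "None"
    # means anyone who can reach the port gets the :0 console.
    types = [t.strip().lower() for t in options.get("securitytypes", "").split(",")]
    if "none" in types:
        findings.append("SecurityTypes allows None: no VNC authentication")
    return findings, options

def password_file_exposed(path):
    """True if the VNC password file is accessible to group or other."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    found, opts = lint_xorg_conf(SAMPLE_CONF)
    print(found)
    print("PasswordFile:", opts.get("passwordfile"))
```

Run against the real file as root, `password_file_exposed(opts["passwordfile"])` should be False, since the VNC password file is only lightly obfuscated.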

droidhacker
2nd March 2011, 01:28 PM
The reason it doesn't like you to do that is because VNC is NOT SECURE. You can change the system policy that prevents what you want to do, but if you do, *make certain* that if you are using a potentially unsafe network, that you tunnel your VNC over a secure protocol, like SSH.

andyhorton
2nd March 2011, 01:40 PM
droidhacker,

Sure, I am all for security. I have the existing VNC connections secured with the VNC password (I know, that is no protection, but for a start...)

Internally (at home, in a secure environment - firewalled WPA secured network) I can connect on 590x.

Externally (the big bad wild internet) the firewall blocks all but port 22 and I tunnel in with SSH.

So, I am happy with my security arrangements.... but do need (ok, would like) to get the :0 screen running with VNC. Any tips would be welcome.

Andy

beaker_
2nd March 2011, 01:45 PM
+1 for over ssh. And yes can even in windows. There's also xrdp which presents its own permissions problems but it's the same theme so np in getting over it.

andyhorton
2nd March 2011, 01:47 PM
Anyway, this is digression. The point is, how to get it to work?

beaker_
2nd March 2011, 01:54 PM
su
yum install xrdp
service xrdp restart <---- That or setup xinit
exit

Set your firewall.
Jump to Windblows and fireup rdp client and presto 90% of it works. Then go back and rt-fine-m wrt to polkit and policies.

"I am sooo going to blog the whole solution when I find it, there are sooo many people out there trying to get this to work!"
Then again I'm not in the habit of writing how-to's for other people's blogs.

flyingfsck
2nd March 2011, 02:00 PM
Here you go:
http://cygwin.org

Windows is totally cripple without Cygwin.

andyhorton
2nd March 2011, 02:45 PM
Again, does not meet requirements.

I want to connect with Windows and Linux machines, so VNC is what I want to use.

Also, this is not displaying the console. The session 0.

Andy

beaker_
2nd March 2011, 03:39 PM
Hmmm... rigid requirements... starting to sound like homework or you don't have control (physically & administratively) of the machine. Other than that, I really don't see why you're having such difficulty in making it work.

Late Edit: LMV, Date and Time, SELinux, system-config-network... no problems here.

andyhorton
2nd March 2011, 04:11 PM
beaker,

Sorry, I might not be clear, which is my fault.

It is not that my requirements are tight, it is that they are simple.

I need to access the :0 session, the console (not *a* console). This means I am seeing the screen that one would see sitting in front of the machine, if it had a monitor. Now there are many ways to skin a cat, but I have found that it is best to identify one and go for that rather than jumping around and getting nowhere.

So, running X with a vnc module is a good way to go methinks. I don't want to run RDP on my Linux box, and I don't want to run an X server on my Windows machine. I did sidetrack and try xinetd, but didn't work first time, so decided to stick with fixing the first option. I own the machine, but want to administer it remotely. I am currently doing some of that on a :3 (:1 and :2 were for some other users) but have some problems with that as some admin programs don't work on Fedora down :1, :2 etc. sessions (thanks to the PolicyKit - I know I could fix it, but...).

So, siliconslick was generous enough to share with me the method whereby one uses X with a VNC module. I tried it and got stuck where he said I might get stuck (with X not starting). I know that can be fixed, so thought I would provide all the information anyone might need for further tips.

I did not mean I will blog it to add to my kudos as a great Linux master, I mean I will put it all together so someone else might find it and find it helpful. Maybe I will not blog (I mean, I don't have a blog) and instead will summarise on this here thread.

So, to summarise:

(A) my config file appears to have an error
(B) X won't start as there is no monitor
So, what is wrong with my config file? And how do I tell it to ignore the fact there is no monitor?

Of course, if this goes nowhere, maybe I am back to xinetd or some other method. But not RDP, not Windows-specific...

beaker_
2nd March 2011, 04:29 PM
Actually, on the linux side, you have two vnc/rdp clients (vinagre, krdc) which support both vnc & rdp. So no, it is not windows only and actually runs much smoother. Or at least in my experience. And xrdp actually uses Xvnc or X11rdp. Any 0 - remote desktop in no time.

Headless has one easy choice and it's run level three. You can also do the nomodeset trick to get past modesetting... or set vga=XXx... anyway that attachment is from an old headless crapbox at 1440x900 with Intel's 82865 (it doesn't support 1440x900). Or when in doubt, toss a cheap kvm on it so X senses something.

jmnielsen
2nd March 2011, 04:41 PM
Install the free (2 user) version of NX from nomachine.com. Or if you prefer try using the freeNX version. Think google has a variant as well. It's easy as pie, it's secure, it's fast, you don't need an X server client side. With the 4.0 version to be released you don't even need an NX client installed. VNC and RDP are some of the slowest(fact) and worst(opinion) protocols created for remote desktop viewing/use.

Frankly though, for administration (assuming SA job) you should learn the command line and admin primarily via ssh and a shell.

andyhorton
2nd March 2011, 08:29 PM
I may try FreeNX.

I do know the command line.

Started in 1979 with the Acorn Atom... :-)

flyingfsck
3rd March 2011, 03:44 AM
Hmm, there are many good reasons why everybody keeps suggesting SSH. You'll eventually learn why the hard way I guess.

BTW, SSH works better on Windows too. I have had many cases where a Windows box was so locked up that the GUI keyboard and mouse wouldn't work anymore, while I could still log in via SSH and reboot it remotely.

andyhorton
3rd March 2011, 09:33 AM
flyingfsck,

I was going to say "I have been using SSH to administer **nix boxes since before you were born / out of short trousers" or some such, but I can see that you have referred in another post to administering Unix boxes for "decades" so respect due. However, we are missing the point here...

My question is, "How do I get VNC running on the console :0 using the Xorg.conf method, or something very similar?" It is because I have been using SSH for years that I don't know anything about X, so what can I do?

If anyone has an answer to the question, or can help me out with pointers that would be great. Advice along the lines of "why don't you do this other unrelated thing" is welcome too, just not helpful.

I am new to Fedora, but I started years back with V/386, well before that with CP/M, but the first Unix-type thing was the Xenix V/386. So, new to Fedora and trying out the forums... so please go easy on the sorta noobie.

flyingfsck
3rd March 2011, 10:40 AM
OK, I dug up some old scripts that I used with VNC in the past:

This script will start VNC on display 2

#! /bin/bash
# HTTP connect to port 5800 + display number
# RFB connect to port 5900 + display number
# 1024x768 display size assumed
vncserver :2 -geometry 1018x706 -depth 24

For good measure, also make a script to stop vnc called vncstop

#! /bin/bash
# HTTP connect to port 5800 + display number
# RFB connect to port 5900 + display number
# 1024x768 display size assumed
vncserver -kill :2

However, you want to connect to display 0. That would require that X is not already using display zero, so you should be in runlevel 3 and then replace the 2s above with 0s and maybe, just maybe, that will work.

Sooo, do 'init 3' on the server and give it a bash.

My experience with VNC is that it is just not reliable enough. Either it messes up, or it refuses to connect to the display for some inexplicable reason (exactly your problem now) and when one is far away on the other side of the globe (currently, I'm in the UAE), one cannot just walk over and give the damned thing a kick, so I gave up and use SSH exclusively. It is slow as molasses sometimes, but it always works, which is more important to me than speed or convenience.

Cheers,

F.

andyhorton
8th December 2011, 09:56 AM
I have a tidy mind.... sooo, I thought I should conclude this thread.

In the end, the server got upgraded, which I did by reinstalling to the new box, so the issue went away with the new install.

Thanks for the help and tips though.

Andy