Fedora Linux Support Community & Resources Center

#1
28th February 2011, 02:44 PM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Running System | Administration apps with VNC

Hello,

I have an issue which is fairly common I believe. I have found lots of pages discussing the problem but I have been unable to find any which give an answer.

I am logging in to my Fedora 14 box using VNC. Mostly it is fine, but when I try to run some of the admin GUIs I get a problem. For example, running the Firewall Admin GUI displays the usual warning about overwriting your configs, and then it displays a dialog with the error "org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.config.firewall.auth:". When I try the same thing from the console (sitting in front of the box) I get a prompt to authenticate as root... which I do, and then I can administrate the firewall.

So, the difference is, when using VNC the root authentication does not work.

This is the case with the Firewall Admin, with Add/Remove Software and a few others.

However, some GUIs work fine, for example, Users and Groups does still ask for root authentication before moving on and allowing me to administrate the users and groups.

I have read that the issue is the policy kit. But there is no GUI anymore for the policy kit, so it is not easy to configure. Of course it might not be this.

Could anyone help me with how to configure things so that one can do the same work down VNC sessions as one can do at the console? This box is a headless server, which means that the remote sessions are the only way we can connect to the box.

Thanks guys.

#2
28th February 2011, 04:55 PM
SiliconSlick
Registered User
Join Date: Aug 2009
Location: College Station, TX
Posts: 501
Re: Running System | Administration apps with VNC

Are you using a vncserver on display :1 or the vnc module on display :0? I use the latter and it allows me to run virt-manager and other tools that I can't run via vncserver.

SS

---------- Post added at 10:55 AM ---------- Previous post was at 10:01 AM ----------

Oh... headless. So you likely boot to init level 3 and don't have X set up... the X11 vnc module won't do you any good in that case unless you are willing to boot to level 5 (with the GUI overhead that implies) and trick X into ignoring the lack of a monitor (which isn't too hard). If you are willing to do that overhead I can try to help... if you want to figure out how to authenticate when not having a "console" session (i.e. when using vncserver), I'll have to let someone else answer... I'd like to know myself for virt-manager. But until then my home server is booting level 5 with vnc (I have an old CRT hooked up to it and really don't want to have to get up from the computer I am using when I need console access).

SS

#3
1st March 2011, 09:02 AM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

Please don't let me mislead you when I say "headless". What that means to me is that there is no monitor attached. What it means is that I *am* running vncserver and logging in on display :3 (don't ask me why :3, had some other users on :1 and :2, they are gone now).

The first part of your answer is interesting. If running on screen :0 is the thing to do, then I would like to do that. So please do tell...

I assume from what you say that vncserver runs on screen :1 and over, is that right?

What is display :0? Is it the "console" (which to me means the thing you would see when you sit in front of the box - i.e. you can log out of it, and it is still there, and you can log back in again as someone else)

How does one setup the vnc module on display :0? Can you give instructions or point me in the right direction?

Thanks.

Andy

#4
1st March 2011, 09:39 AM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

Don't let me mislead you with "headless", it might mean something different in detail to me to you (if you know what I mean). A headless server, to me, is a server without a physical monitor, generally accessed using iLO (for HP servers) or other network-accessible screen. Generally one wants the network-based screen to look the same as the physical screen - one can log in and out as different users.

Anyway, to your original answer: Yes I am using vncserver on :3 (:1 and :2 were other users who are deleted now). It does not let me run some of the admin functions as described. So, by the sounds of it, I need to run :0.

What is :0? Is it fundamentally different to :1 and above?

How do I connect to the system using the vnc module on display :0? Could you point me at instructions or some other information?

#5
1st March 2011, 09:39 AM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

Oh oh. I think I just posted twice... did not see the "Your post will not be visible until a moderator has approved it for posting" message. Sorry guys.

#6
1st March 2011, 02:57 PM
SiliconSlick
Registered User
Join Date: Aug 2009
Location: College Station, TX
Posts: 501
Re: Running System | Administration apps with VNC

1) Install tigervnc-server-module.
2) Create a system-wide VNC password in /root/.vnc/vncpasswd with vncpasswd
3) Add/incorporate the following bits into /etc/X11/xorg.conf... you will need to create one if you don't have one.
Code:
Section "Module"
        Load        "vnc"
EndSection

Section "Screen"
        Option      "PasswordFile" "/root/.vnc/passwd"
EndSection
4) Restart X/reboot
5) There should be a VNC session on :0 (i.e. vncviewer hostname:0) that will give you all the powers you would have if sitting at the console

SS

#7
1st March 2011, 03:31 PM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

Thanks, I will try this when I get home from work - do have a VNC connection to the machine from here, but I don't want it to go down and not be able to fix it (using a monitor and keyboard!).

One question though, is I notice that you are setting root's VNC password. Does this mean that I will need to use root's VNC password to get to :0? I assume yes. But is it also the case that I will see a Fedora login screen and be able to then login as any user (e.g. me - andrew)?

You don't have to answer those really, I will get to try it soon.

#8
1st March 2011, 05:05 PM
SiliconSlick
Registered User
Join Date: Aug 2009
Location: College Station, TX
Posts: 501
Re: Running System | Administration apps with VNC

The VNC password can be anything (not root's). Once you log in to VNC (using that password) you can log in as a normal user (with the user's password).

Note: the tricky/dicey part in this is getting X to start when there is no monitor connected. For example, here I have to use nvidia's ConnectedMonitor Option in the Device/VideoCard0 section of xorg.conf to "CRT" to tell it not to try to detect the monitor (since the monitor is often turned off when booting). Different drivers will have different ways of dealing with it (if it even poses a problem).

SS

#9
2nd March 2011, 06:06 AM
flyingfsck
Registered User
Join Date: Aug 2010
Location: Al Ain, UAE
Posts: 1,046
Re: Running System | Administration apps with VNC

Howdy,

Using SSH should be easier, since SSH has X features built in, so you don't need to have X running on your server:
$ ssh -X -C -c blowfish user@server "whichever GUI program you wanna run"

#10
2nd March 2011, 10:06 AM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

FF, I cannot use ssh like that as I am making connections to the server from a Windows machine sometimes... I don't think PuTTY has built in X server. And besides, SS's suggestion is describing the setup I am after... I want to get to the console (which in my world means "the session I would see if there were a monitor attached"). I mean, I would like to get to the console and see the whole boot (CMOS stuff and all) but that is not going to work without iLO or some such hardware based network console.

So, back to SS's method.

I have carried out the following steps:

1. Installed tigervnc-server-module.
2. Created a system-wide VNC password in /root/.vnc/vncpasswd with
$ su -
# vncpasswd
3) Created a /etc/X11/xorg.conf as follows (there was not one before):

##############START###############
Section "Module"
Load "vnc"
EndSection

Section "Screen"
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection
##############END###############

4) Rebooted the machine

Now, it does not work. There are two problems:

1. Not central, but important anyway - the reboot hung (I think it might be waiting somewhere for me to confirm). That is fine, I will deal with that later... but I would like to know how to ask the X server (or whatever) to reboot (bearing in mind I am working over an SSH session) so that any settings I make will take effect.

2. I think SS refers to this below - the X session does not seem to be starting, the log (below) seems to point to two problems:
(A) my config file appears to have an error
(B) X won't start as there is no monitor
So, what is wrong with my config file? And how do I tell it to ignore the fact there is no monitor?

Here is my /var/log/Xorg.0.log

##############START###############
[ 40.057] (==) Log file: "/var/log/Xorg.0.log", Time: Tue Mar 1 21:18:05 2011
[ 40.081] (==) Using config file: "/etc/X11/xorg.conf"
[ 40.082] (==) Using config directory: "/etc/X11/xorg.conf.d"
[ 40.082] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
[ 40.188] Parse error on line 7 of section Screen in file /etc/X11/xorg.conf
This section must have an Identifier line.
[ 40.188] (EE) Problem parsing the config file
[ 40.188] (EE) Error parsing the config file
[ 40.188]
Fatal server error:
[ 40.188] no screens found
[ 40.188]
Please consult the Fedora Project support
at http://wiki.x.org
for help.
[ 40.188] Please also check the log file at "/var/log/Xorg.0.log" for additional information.
##################END###############

I am sooo going to blog the whole solution when I find it, there are sooo many people out there trying to get this to work!
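
Added example, not part of the thread: a small shell lint for the two things that can go wrong with the xorg.conf in the post above. It reports sections that lack the Identifier line Xorg complained about, and extracts the PasswordFile path so you can confirm the file exists and is readable only by its owner (the posts name both /root/.vnc/vncpasswd and /root/.vnc/passwd). The function names and the list of section types are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint an xorg.conf read on stdin.

# The xorg.conf from the post above, reproduced as sample input.
sample_conf() {
cat <<'EOF'
Section "Module"
Load "vnc"
EndSection

Section "Screen"
Option "SecurityTypes" "VncAuth"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection
EOF
}

# Print each section lacking an Identifier (assumed subset of section types).
sections_missing_identifier() {
    awk '
    function bare(s) { gsub(/"/, "", s); return tolower(s) }
    bare($1) == "section"    { name = bare($2); has_id = 0; next }
    bare($1) == "identifier" { has_id = 1 }
    bare($1) == "endsection" {
        if (name ~ /^(screen|device|monitor|inputdevice|inputclass|serverlayout)$/ && !has_id)
            print name
    }'
}

# Print the path given by Option "PasswordFile", if any.
vnc_password_file() {
    awk '
    function bare(s) { gsub(/"/, "", s); return s }
    tolower($1) == "option" && tolower(bare($2)) == "passwordfile" { print bare($3) }'
}

# Succeed only if the file exists and group/other have no access to it.
password_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh xorg_lint.sh /etc/X11/xorg.conf
if [ -n "${1:-}" ]; then
    sections_missing_identifier < "$1"
    pw=$(vnc_password_file < "$1")
    [ -z "$pw" ] || password_file_ok "$pw" || echo "check password file: $pw"
fi
```
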

#11
2nd March 2011, 01:28 PM
droidhacker
Registered User
Join Date: Oct 2009
Posts: 824
Re: Running System | Administration apps with VNC

The reason it doesn't like you to do that is because VNC is NOT SECURE. You can change the system policy that prevents what you want to do, but if you do, *make certain* that if you are using a potentially unsafe network, that you tunnel your VNC over a secure protocol, like SSH.

#12
2nd March 2011, 01:40 PM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

droidhacker,

Sure, I am all for security. I have the existing VNC connections secured with the VNC password (I know, that is no protection, but for a start...)

Internally (at home, in a secure environment - firewalled WPA secured network) I can connect on 590x.

Externally (the big bad wild internet) the firewall blocks all but port 22 and I tunnel in with SSH.

So, I am happy with my security arrangements.... but do need (ok, would like) to get the :0 screen running with VNC. Any tips would be welcome.

Andy
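
Added example, not part of the thread: a check for the arrangement described above, where VNC should be reachable from outside only through an SSH tunnel. It reads `ss -tln` output and lists VNC displays (ports 5900-5999) bound to a non-loopback address; the sample input is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find VNC displays reachable off-host.
# Tunnel instead:  ssh -L 5900:localhost:5900 user@server
#                  vncviewer localhost:0

# Constructed sample in the layout printed by `ss -tln`.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5903     0.0.0.0:*
LISTEN 0      5      [::]:5900          [::]:*
LISTEN 0      5      [::1]:5901         [::]:*
EOF
}

# Read `ss -tln` output on stdin; print "address :display" for every listener
# on 5900-5999 that is not bound to loopback. Display :N listens on 5900+N.
exposed_vnc() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (port < 5900 || port > 5999) next
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr " :" (port - 5900)
    }'
}

# Exit status 0 when nothing is exposed, 1 otherwise.
vnc_loopback_only() {
    [ -z "$(exposed_vnc)" ]
}

# Run against the live system when invoked with "live".
if [ "${1:-}" = "live" ]; then
    ss -tln | exposed_vnc
fi
```

A listener reported here may still be blocked by the firewall; the check only shows what the VNC server itself accepts.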

#13
2nd March 2011, 01:45 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,048
Re: Running System | Administration apps with VNC

+1 for over ssh. And yes can even in Windows. There's also xrdp which presents its own permissions problems but it's the same theme so np in getting over it.

#14
2nd March 2011, 01:47 PM
andyhorton
Registered User
Join Date: Feb 2011
Posts: 20
Re: Running System | Administration apps with VNC

Anyway, this is digression. The point is, how to get it to work?

#15
2nd March 2011, 01:54 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,048
Re: Running System | Administration apps with VNC

su
yum install xrdp
service xrdp restart <---- That or setup xinit
exit

Set your firewall.
Jump to Windblows and fire up rdp client and presto 90% of it works. Then go back and rt-fine-m wrt to polkit and policies.

Quote:
I am sooo going to blog the whole solution when I find it, there are sooo many people out there trying to get this to work!
Then again I'm not in the habit of writing how-to's for other people's blogs.

Last edited by beaker_; 2nd March 2011 at 01:57 PM.