xrdp in fedora 20 not working properly with active directory users
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date: Aug 2014
    Location: Vancouver, BC

    xrdp in fedora 20 not working properly with active directory users

    This bug report concerns active directory logins not working properly on xrdp 0.6.1 / tigervnc 1.3.0 on fedora 20.
    System configuration: Fedora 20 64 bit installation as a guest on vmware esxi server
    selinux : disabled
    firewall : disabled
    joined to active directory domain corp.mydomain.com (CORP) through realmd.


    Steps to isolate xrdp / tigervnc as the source of the problem: users can login properly through ssh using the username format username@corp.mydomain.com so we know that pam/sssd/realmd are all working properly.


    Basic issue : .vnc directory and vnc password file is not properly created when the user first logs in.


    Steps to reproduce :
    1)attempt to connect with remote desktop to the server and login using username format username@corp.mydomain.com or CORP\username.
    expected result : successful login
    actual result : home directory is created properly but .vnc directory is not so login fails

    2)Attempt to login as many times as you want using the same username format you chose in step 1.
    result : after about 15 attempts I got bored and gave up. Attempt # 2 is the only one I logged below because all subsequent attempts are identical in log entries and error messages.

    3)Switch username format. If you initially logged in with username@corp.mydomain.com switch to CORP\username and vice versa.
    result : .vnc directory is automatically created, vnc password file is automatically generated by the server, user is able to successfully log in!!!

    Issue that needs to be addressed
    ================================
    -Why is the .vnc directory and password file not created when the user home directory is created?
    -Why does switching the login name format after an initial failed login cause the .vnc directory and password file to now be created?

    First login using username@corp.mydomain.com as login username

    xrdp screen shows :
    ===================
    connecting to sesman ip 127.0.0.1 port 3350
    sesman connect ok
    sending login info to session manager, please wait...
    xrdp_mm_process_login_response: login successful for display
    started connecting
    connecting to 127.0.0.1 5910
    tcp connected
    security level is 2 (1 = none, 2 = standard)
    password failed
    error - problem connecting

    journalctl shows:
    =================

    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Wed Aug 27 10:56:55 2014
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: accepted: 127.0.0.1::42003
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: Client needs protocol version 3.3
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SVncAuth: opening password file
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: '/home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd'
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: failed
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: AuthFailureException: No password configured for VNC Auth
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: closed: 127.0.0.1::42003 (No password configured for VNC Auth)
    Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: touch: cannot touch '/home/corp.mydomain.com/username/.cache/imsettings/log': No such file or directory
    Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1537]: directory `/home/corp.mydomain.com/username/.gnupg' created
    Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1537]: directory `/home/corp.mydomain.com/username/.gnupg/private-keys-v1.d' created
    Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1538]: gpg-agent (GnuPG) 2.0.22 started


    2nd attempt using login name format username@corp.mydomain.com
    ======================
    Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SVncAuth: opening password file
    Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: '/home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd'
    Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: failed
    Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: AuthFailureException: No password configured for VNC Auth
    Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: closed: 127.0.0.1::42007 (No password configured for VNC Auth)

    3rd attempt using login name format CORP\username
    =============================
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=CORP\username
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=CORP\username
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Xvnc TigerVNC 1.3.0 - built Oct 2 2013 10:43:43
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Copyright (C) 1999-2011 TigerVNC Team and many others (see README.txt)
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: See http://www.tigervnc.org for information on TigerVNC.
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Underlying X server release 11402000, The X.Org Foundation
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Wed Aug 27 11:03:24 2014
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: VNC extension running!
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: Listening for VNC connections on all interface(s), port 5911
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: created VNC server for screen 0
    Aug 27 11:03:24 vm-fedora20.corp.mydomain.com systemd[1]: Starting Session c2 of user username@corp.mydomain.com.

    home directory of user username
    Notes : notice that the creation time on most of those files matches exactly the time 10:56 which is my first attempted login. First login caused home directory to get created but no vncpasswd file created.
    Notice that the creation time of the .vnc directory corresponds to the 3rd login attempt when I switched to the CORP\username login format. Somehow vnc or xrdp auto-created my .vncpasswd file for me on that login attempt.
    =============================
    [root@vm-fedora20 username]# ls -al
    total 84
    drwxr-xr-x. 16 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .
    drwx--x--x. 4 root root 4096 Aug 27 10:56 ..
    -rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 18 Aug 27 10:56 .bash_logout
    -rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 193 Aug 27 10:56 .bash_profile
    -rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 231 Aug 27 10:56 .bashrc
    drwx------. 4 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .cache
    drwxr-xr-x. 6 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .config
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 Desktop
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Documents
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Downloads
    -rw-------. 1 username@corp.mydomain.com domain users@corp.mydomain.com 16 Aug 27 10:57 .esd_auth
    drwx------. 3 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 .gnupg
    -rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 113 Mar 8 2011 .gtkrc-2.0-kde4
    drwx------. 4 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .kde
    drwxr-xr-x. 3 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .local
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Music
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Pictures
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Public
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Templates
    drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Videos
    drwx------. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .vnc

    /var/log/xrdp-sesman.log
    Notes : entire contents here. Not very useful at all
    ========================
    [20140827-10:56:54] [INFO ] scp thread on sck 9 started successfully
    [20140827-10:56:54] [INFO ] ++ created session (access granted): username username@corp.mydomain.com, ip 10.1.4.111:58366 - socket: 7
    [20140827-10:56:54] [INFO ] starting Xvnc session...
    [20140827-10:56:54] [WARN ] can't read vnc password file - /home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd
    [20140827-10:56:55] [INFO ] starting xrdp-sessvc - xpid=1363 - wmpid=1362
    [20140827-11:02:02] [INFO ] scp thread on sck 9 started successfully
    [20140827-11:02:02] [INFO ] ++ reconnected session: username username@corp.mydomain.com, display :10.0, session_pid 1361, ip 10.1.4.111:58366 - socket: 7
    [20140827-11:03:23] [INFO ] scp thread on sck 9 started successfully
    [20140827-11:03:24] [INFO ] ++ created session (access granted): username CORP\username, ip 10.1.4.111:58366 - socket: 7
    [20140827-11:03:24] [INFO ] starting Xvnc session...
    [20140827-11:03:24] [INFO ] starting xrdp-sessvc - xpid=2027 - wmpid=2026

  2. #2
    Join Date: Aug 2014
    Location: Vancouver, BC

    Re: xrdp in fedora 20 not working properly with active directory users

    I kind of solved this. In case anyone is trying to get the same setup working here is what I did.

    Edit /etc/xrdp/sesman.ini and add these 2 lines at the bottom of the file

    Code:
    param8=-SecurityTypes
    param9=None

    Because xrdp handles the authentication through PAM, there is no need to have vnc authenticate a 2nd time. This seems to be secure enough because vnc only listens on 127.0.0.1 so there is no worry about someone logging in directly through vnc and getting in without a password.

    I even tried leaving a session running by disconnecting remote desktop client and then trying to connect to the underlying vnc session and because it was bound to localhost it refused the connection.
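The safety of the `-SecurityTypes None` workaround rests entirely on the Xvnc sessions being reachable only on the loopback address; the journal excerpt in post #1 reports `vncext: Listening for VNC connections on all interface(s), port 5911`, so that binding is worth checking on the host rather than assumed. The script below is an added example written for this thread, not code from the poster or from the xrdp or TigerVNC projects. It reads `ss -ltn`-style listening-socket output and flags any VNC display port (assumed here to be the 5900-5999 range, consistent with the 5910/5911 ports in the logs above) that is bound to anything other than `127.0.0.1` or `[::1]`. The two sample outputs embedded in the script are constructed, not captured from a real machine, so the script runs offline; point it at live output with `ss -ltn | check_vnc_bindings`.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from xrdp/TigerVNC).
# check_vnc_bindings reads "ss -ltn"-style lines on stdin and prints every VNC
# display port (assumed range 5900-5999) bound to a non-loopback address.
# Exit status: 0 if every VNC port is loopback-only, 1 if any is exposed.
check_vnc_bindings() {
    # In "ss -ltn" output field 4 is "Local Address:Port"; the port is the text
    # after the last ':' so that IPv6 forms such as "[::]:5911" parse correctly.
    awk '
        NR == 1 { next }                       # skip the column header line
        {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port >= 5900 && port <= 5999 &&
                addr != "127.0.0.1" && addr != "[::1]") {
                print "exposed: " $4
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample output (not captured from a real host) in ss -ltn format.
# Loopback-only Xvnc display :10, sesman on 3350, xrdp itself on 3389.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5910     0.0.0.0:*
LISTEN 0      5      127.0.0.1:3350     0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*'

# Constructed sample where display :11 is bound to all interfaces (v4 and v6).
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5911       0.0.0.0:*
LISTEN 0      5      [::]:5911          [::]:*'

# Live usage on the xrdp host:   ss -ltn | check_vnc_bindings
# Offline demonstration on the two constructed samples:
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | check_vnc_bindings; then
        echo "ok: all VNC display ports are bound to loopback only"
    else
        echo "NOT ok: at least one VNC display port is reachable off-host"
    fi
done
```

If the check reports an exposed port, the VNC password is no longer redundant, and the Xvnc command line in sesman.ini should carry an explicit `-localhost` (a standard Xvnc option) before `-SecurityTypes None` is relied on; the `-localhost` suggestion is this editor's, not something the poster tested.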
