Hi All,

These are my notes on setting up XRDP on Fedora 26.

-T

Fedora 25: how to configure "xrdp":

Reference: http://www.scottalanmiller.com/linux...-on-fedora-19/

Installing XRDP on Fedora 25


0) Prerequisite: each user must log in locally once and run from his own profile
at least once:
$ xhost +

1) install xrdp:
# dnf install xrdp


2) change the default port and configure Autorun:

# vi /etc/xrdp/xrdp.ini

Under the [Globals] section:
port=xxxx (default is 3389)
autorun=Xorg (default is empty)


3) Configure Xwrapper.config for everyone:
# echo 'allowed_users = anybody' >> /etc/X11/Xwrapper.config
or edit it with vi, if this file exists


4) add the service descriptions to the systemd system and set them to start.

# systemctl enable xrdp.service
# systemctl start xrdp.service
# systemctl enable xrdp-sesman.service
# systemctl start xrdp-sesman.service


5) SELinux issues:

Note: if you are experiencing the bug:
xrdp fails to start with permission denied error
https://bugzilla.redhat.com/show_bug.cgi?id=1177202
this is the workaround:

# chcon --type=bin_t /usr/sbin/xrdp
# chcon --type=bin_t /usr/sbin/xrdp-sesman
# systemctl reenable xrdp.service
# systemctl start xrdp.service


6) Firewall:
Change the port to whatever you changed it to (3389 is the default)

Firewalld:
# firewall-cmd --permanent --add-port=3389/tcp
or # firewall-cmd --permanent --add-port=6789/tcp
# systemctl restart firewalld

iptables:
enable_xrdp=yes # yes|no xRDP Linux's Terminal Services
#rdp_port=3389
xrdp_port=6789

if [ "$enable_xrdp" = "yes" ]; then
# Warning: this user is given access to SYN's
# xrdp is Linux's Terminal Services

$tbls -A dsl-in -i $eth1 -p tcp --syn -s $ANY_IP --sport $unassgn -d $eth1_addr --dport $xrdp_port -m state --state NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i $eth1 -p tcp ! --syn -s $ANY_IP --sport $unassgn -d $eth1_addr --dport $xrdp_port -m state --state RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $xrdp_port --dport $unassgn -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Firewall external rules warning: XRDP $eth1_addr accepts SYN's on Port $xrdp_port." | systemd-cat -t firewall -p warning
fi

Then restart your firewall (this is a custom service in systemd)


7) test to see if your ports are open:

# nmap -Pn -p T:3389,6789 192.168.xxx.yyy (insert correct address)
...
PORT STATE SERVICE
6789/tcp open unknown



8) if you goofed the firewalld rule or the port

Remove the bad firewall rule with (--permanent is needed because the rule was added with --permanent):
# firewall-cmd --permanent --remove-port=6789/tcp (or whatever port)

Edit /etc/xrdp/xrdp.ini and modify "port"

To restart everything and make the new setting take effect:

# systemctl restart firewalld
# systemctl restart xrdp.service
# systemctl restart xrdp-sesman.service


9) to make Xfce your default session:

Reference:
http://askubuntu.com/questions/13548...esktop-session

Xfce4:

cd ~
echo "startxfce4" > ~/.Xclients
chmod +x ~/.Xclients
su root -c "systemctl restart xrdp.service"


10) A working xrdp.ini (port changed to 6789):

[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true
; tcp port to listen
#port=3389
port=6789
; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true
; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites
#tls_ciphers=HIGH

; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=Xorg

allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url

;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72

;
; configure login screen
;

; Login Screen Window Title
#ls_title=My Login Title

; top level window background color in RGB format
ls_top_window_bg_color=009cb5

; width and height of login screen
ls_width=350
ls_height=430

; login screen background color in RGB format
ls_bg_color=dedede

; optional background image filename (bmp format).
#ls_background_image=

; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50

; for positioning labels such as username, password etc
ls_label_x_pos=30
ls_label_width=60

; for positioning text and combo boxes next to above labels
ls_input_x_pos=110
ls_input_width=210

; y pos for first label and combo box
ls_input_y_pos=220

; OK button
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30

; Cancel button
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30

[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
; LogLevel and SysLogLevel could be any of: core, error, warning, info or debug

[Channels]
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true

; Session types

# [Xvnc]
# name=Xvnc
# lib=libvnc.so
# username=ask
# password=ask
# ip=127.0.0.1
# port=-1
# #xserverbpp=24
# #delay_ms=2000

[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20

#[X11rdp]
#name=X11rdp
#lib=libxup.so
#username=ask
#password=ask
#ip=127.0.0.1
#port=-1
#xserverbpp=24
#code=10


11) if you are testing from xfreerdp, run it from a terminal once
so you can accept its security certificate


12) Note: due to bug
Clipboard not working with xrdp and Xvnc (works with Xorg)
https://github.com/neutrinolabs/xrdp/issues/469

to keep it from crashing after log on, you have to
disable your clipboard or log on with Xorg.

xfreerdp's run string to disable the clipboard is
-clipboard


13) A sample run string (Xorg):

$ /opt/freerdp-nightly/bin/xfreerdp /u:tony /title:StorAllServer +clipboard /drive:temp,/home/temp /printer:B4350,"HP LaserJet 2200 Series PCL 5" /size:92%% +auto-reconnect /v:aaa.bbb.ccc.ddd:xxxx

Where aaa.bbb.ccc.ddd is the IP address and xxxx is the port.
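
An added example, not part of the original notes and not xrdp project code: a small Python audit of the keys in the step 10 xrdp.ini that decide transport security and which data channels are open. The sample text is constructed from that listing, and the names `audit_xrdp_ini`, `LEGACY_TLS` and `DATA_CHANNELS` are this example's own.

```python
import configparser

# Constructed sample: the security-relevant keys of the step 10 xrdp.ini.
SAMPLE_INI = """\
[Globals]
port=6789
security_layer=negotiate
crypt_level=high
certificate=
key_file=
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2

[Channels]
rdpdr=true
rdpsnd=true
cliprdr=true
"""

LEGACY_TLS = {"sslv3", "tlsv1", "tlsv1.1"}  # protocol versions to retire
DATA_CHANNELS = {"rdpdr": "device/drive redirection", "cliprdr": "clipboard"}

def audit_xrdp_ini(text):
    """Return (section, key, finding) tuples for the text of an xrdp.ini."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    g = cp["Globals"] if cp.has_section("Globals") else {}
    ch = cp["Channels"] if cp.has_section("Channels") else {}
    out = []

    layer = g.get("security_layer", "").strip().lower()
    if layer != "tls":
        out.append(("Globals", "security_layer",
                    f"'{layer or 'unset'}' does not force TLS; only 'tls' does"))

    protos = [p.strip() for p in g.get("ssl_protocols", "").split(",")]
    weak = [p for p in protos if p.lower() in LEGACY_TLS]
    if weak:
        out.append(("Globals", "ssl_protocols", "legacy versions: " + ", ".join(weak)))

    for key in ("certificate", "key_file"):
        if not g.get(key, "").strip():
            out.append(("Globals", key, "empty, so xrdp's default file is used"))

    for name, what in DATA_CHANNELS.items():
        if ch.get(name, "").strip().lower() == "true":
            out.append(("Channels", name, f"{what} channel is enabled"))
    return out

if __name__ == "__main__":
    for section, key, finding in audit_xrdp_ini(SAMPLE_INI):
        print(f"[{section}] {key}: {finding}")
```

To audit a live host, pass the contents of /etc/xrdp/xrdp.ini to `audit_xrdp_ini` instead of the sample.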