Bug 1465140 - VNC error - problem connecting
VNC error - problem connecting
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: xrdp (Show other bugs)
26
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Itamar Reis Peixoto
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-26 14:43 EDT by Dean Hunter
Modified: 2017-08-20 18:33 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-20 18:33:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
xrdp.log (2.67 KB, text/plain)
2017-06-26 14:50 EDT, Dean Hunter
no flags Details
xrdp-sesman.log (2.36 KB, text/plain)
2017-06-26 14:50 EDT, Dean Hunter
no flags Details
strace of xrdp VNC error - problem connecting (19.56 KB, application/zip)
2017-06-30 09:42 EDT, Dean Hunter
no flags Details
terminal log of installation, cnfiguration, and testing (15.21 KB, text/plain)
2017-07-26 13:27 EDT, Dean Hunter
no flags Details
Windows 10, running VMware 12, running Fedora 26 - xrdp connection (494.31 KB, image/png)
2017-08-05 01:41 EDT, Bojan Smojver
no flags Details

  None (edit)
Description Dean Hunter 2017-06-26 14:43:07 EDT
Description of problem:
Cannot start an RDP session

Version-Release number of selected component (if applicable):
xrdp.x86_64  1:0.9.2-12.fc26

How reproducible:
Consistent

Steps to Reproduce:
1. Create a new Fedora 26 Beta install using Live USB
2. Apply all pending updates
3. sudo dnf -y install xrdp
4. sudo firewall-cmd --add-port=3389/tcp --permanent 
5. sudo firewall-cmd --reload
6. sudo systemctl enable xrdp
7. sudo systemctl start xrdp
8. sudo dnf -y install freerdp
9. xfreerdp /v:localhost
10. Answer yes to question about certificate names not matching
11. Enter userid/password when prompted

Actual results:
The Connection log window is displayed with the VNC error

Expected results:
Gnome desktop to be displayed

Additional info:
Comment 1 Dean Hunter 2017-06-26 14:50 EDT
Created attachment 1292047 [details]
xrdp.log
Comment 2 Dean Hunter 2017-06-26 14:50 EDT
Created attachment 1292048 [details]
xrdp-sesman.log
Comment 3 Bojan Smojver 2017-06-26 17:05:05 EDT
Do you have SELinux running on the machine by any chance? If so, did you install xrdp-selinux package?

Also, new TigerVNC packages require some extra options, which are mentioned in README.Fedora file. Did you apply those to your config?
Comment 4 Dean Hunter 2017-06-26 18:12:22 EDT
Thank you for your response.  Yes, I have SELinux running.  No, originally I had not installed xrdp-selinux, but since filing this bug report I found the README.Fedora.  I did:

1. sudo dnf -y install xrdp-selinux
2. sudo reboot
3. logged into Gnome
4. xfreerdp /v:localhost

but the problem persists.  Then I editted the VNC stanza of sesman.ini and restarted xrdp, and again the problem persists.
Comment 5 Dean Hunter 2017-06-26 18:24:24 EDT
By the way, README.Fedora references /etc/X11/Xwrapper.config which dies not exist in my installation.
Comment 6 Bojan Smojver 2017-06-26 18:30:30 EDT
(In reply to Dean Hunter from comment #5)
> By the way, README.Fedora references /etc/X11/Xwrapper.config which dies not
> exist in my installation.

If you're running xorgxrdp, you will need to create that file. Does not apply to VNC.
Comment 7 Bojan Smojver 2017-06-26 18:35:48 EDT
Anything in the audit logs about SELinux denials?

Also, what you you have in /etc/pam.d/xrdp-sesman? Default or Gnome specific stuff (i.e. gdm-password entries)?
Comment 8 Dean Hunter 2017-06-27 17:39:23 EDT
Thank you for the note about Xwrapper.config.  I have had not notices about SELinux denials.  Please remind me how to search the audit log for denials.

>cat /etc/pam.d/xrdp-sesman
#%PAM-1.0
# Generic Fedora config
auth       include      password-auth
account    include      password-auth
password   include      password-auth
session    include      password-auth

# Gnome specific Fedora config
#auth       include      gdm-password
#account    include      gdm-password
#password   include      gdm-password
#session    include      gdm-password
Comment 9 Bojan Smojver 2017-06-27 17:42:37 EDT
To search for denials, try:

grep denied /var/log/audit/audit.log

You may also want to convert that into a more readable SELinux format:

grep denied /var/log/audit/audit.log | audit2allow -m denials

Try using Gnome specific stuff in xrdp-sesman PAM configuration. That is what I have on my VM that runs xrdp and Gnome.
Comment 10 Dean Hunter 2017-06-28 18:22:47 EDT
$ sudo grep denied /var/log/audit/audit.log | audit2allow -m denials

module denials 1.0;

require {
	type unconfined_service_t;
	type geoclue_t;
	type lib_t;
	type init_t;
	type useradd_t;
	type xdm_t;
	class dir { search setattr };
	class dbus send_msg;
}

#============= geoclue_t ==============
allow geoclue_t unconfined_service_t:dir search;

#============= useradd_t ==============
allow useradd_t init_t:dbus send_msg;

#============= xdm_t ==============
allow xdm_t lib_t:dir setattr;

$
Comment 11 Dean Hunter 2017-06-28 18:30:35 EDT
Modified /etc/pam.d/xrdp-sesman to be:

#%PAM-1.0
# Generic Fedora config
#auth       include      password-auth
#account    include      password-auth
#password   include      password-auth
#session    include      password-auth

# Gnome specific Fedora config
auth       include      gdm-password
account    include      gdm-password
password   include      gdm-password
session    include      gdm-password

then restarted xrdp but the problem persists.
Comment 12 Bojan Smojver 2017-06-28 19:23:42 EDT
I'm out of ideas, so try to strace the xrdp processes when you login to see what's happening. There were problems with IPv6 at one point as well, so you may want to try disabling that.
Comment 13 Dean Hunter 2017-06-28 20:42:17 EDT
I am not familiar with strace.  Can you give me the command lines for which you would like to see the output?
Comment 14 Bojan Smojver 2017-06-28 20:45:46 EDT
Posting all of strace output will probably not be practical - the program prints out system calls. So, you would need to be able to determine which system call is resulting in the problem that may be related.

Normally, you want to see which xrdp processes are running when the service is started and then run:

strace -f -p <pid> -p <pid>...

This will then follow the forks of these processes as well.
Comment 15 Dean Hunter 2017-06-30 09:40:59 EDT
[admin@developer ~]$ sudo systemctl restart xrdp
[admin@developer ~]$ sudo systemctl status xrdp
● xrdp.service - xrdp daemon
   Loaded: loaded (/usr/lib/systemd/system/xrdp.service; enabled; vendor preset:
   Active: active (running) since Fri 2017-06-30 08:37:56 CDT; 7s ago
     Docs: man:xrdp(8)
           man:xrdp.ini(5)
 Main PID: 6216 (xrdp)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/xrdp.service
           └─6216 /usr/sbin/xrdp --nodaemon

Jun 30 08:37:56 developer.hunter.org systemd[1]: Started xrdp daemon.
Jun 30 08:37:56 developer.hunter.org xrdp[6216]: (6216)(140429996107904)[INFO ] 
Jun 30 08:37:56 developer.hunter.org xrdp[6216]: (6216)(140429996107904)[INFO ] 
[admin@developer ~]$ sudo strace -f -p 6216 -o strace.log
strace: Process 6216 attached
strace: Process 6250 attached
^Cstrace: Process 6216 detached
[admin@developer ~]$ zip strace.zip strace.log
updating: strace.log (deflated 96%)
[admin@developer ~]$ 

strace.zip is attached
Comment 16 Dean Hunter 2017-06-30 09:42 EDT
Created attachment 1293225 [details]
strace of xrdp VNC error - problem connecting
Comment 17 Dean Hunter 2017-07-10 13:33:27 EDT
Was the strace useful?  Do you need anything else?
Comment 18 Bojan Smojver 2017-07-19 20:31:37 EDT
(In reply to Dean Hunter from comment #17)
> Was the strace useful?  Do you need anything else?

Looked at the strace output and I can only see what appear to be timeouts to be back end (i.e. the VNC process), if I'm reading that correctly. I'm not any smarter after it, I'm afraid. :-(
Comment 19 Bojan Smojver 2017-07-19 20:35:23 EDT
Do you have this set in /etc/xrdp/sesman.ini when you're running the VNC session:

param=-AcceptCutText=0
param=-SendCutText=0
param=-SendPrimary=0
param=-SetPrimary=0
Comment 20 Dean Hunter 2017-07-24 13:13:06 EDT
So xrdp is timing out while trying to connect to VNC?  I have only the default configuration of VNC provided by a new install of Fedora 26.

Installed Packages
tigervnc-license.noarch                     1.8.0-1.fc26               @anaconda
tigervnc-server-minimal.x86_64              1.8.0-1.fc26               @anaconda

None of the parameters you listed are set in the sesman.ini built by a new install of Fedora 26 and I have not changed the file.  In which stanza do they belong?
Comment 21 Dean Hunter 2017-07-24 13:40:09 EDT
I found that I had tried this test before with a ticket opened with Neutrino Labs: https://github.com/neutrinolabs/xrdp/issues/765  So I added the params to the [Xvnc] stanza, restarted xrdp, and tried again with the same erroneous results.

I see some new information in the ticket from grishin-a that says there is a problem with xrdp-selinux.  Can you review it and advise whether it really applies to this problem?
Comment 22 Dean Hunter 2017-07-24 14:14:02 EDT
grishin-a is using the MATE desktop where I am using the standard Gnome desktop.  grishin-a is installing oddjob-mkhomedir which is not installed with Fedora 26 Workstation.  His changes to xrdp-selinux seem to be limited to to including oddjob-mkhomedir.
Comment 23 Bojan Smojver 2017-07-24 16:56:50 EDT
(In reply to Dean Hunter from comment #20)

> None of the parameters you listed are set in the sesman.ini built by a new
> install of Fedora 26 and I have not changed the file.  In which stanza do
> they belong?

Per README.Fedora:
---------------
TigerVNC 1.8.0 enables clipboard support by default (i.e. no need to run
vncconfig), which may cause disconnections in xrdp. To avoid the issue, these
can be added to [Xvnc] stanza in /etc/xrdp/sesman.ini:

param=-AcceptCutText=0
param=-SendCutText=0
param=-SendPrimary=0
param=-SetPrimary=0

Of course, cut and paste support will not work with these set.
---------------

This was sprung upon us in xrdp world without any notice and there must be some kind of bug in xrdp that is causing disconnections. Given that recent Fedoras can have both version 1.7.x and 1.8.x of TigerVNC installed, I didn't want to set this as default.

Also, without patched xrdp, passing that =0 would not work anyway.

I know, less than ideal...
Comment 24 Bojan Smojver 2017-07-24 16:57:42 EDT
The SELinux theories are always easy to prove/disprove - just turn it off or put it in permissive mode. If it starts working, it was SELinux.
Comment 25 Dean Hunter 2017-07-26 13:27 EDT
Created attachment 1304936 [details]
terminal log of installation, cnfiguration, and testing
Comment 26 Dean Hunter 2017-07-26 13:36:41 EDT
I created a new VM with gnome-boxes and Fedora-Workstation-Live-86_64-26-1.5.iso.  I applied all updates then installed, configured using all of your advice, and tested.  Xrdp still does not work.  I have attached the log of my work, see Comment 25.

I know you said Xrdp works in your VM, what am I doing that is different?
Comment 27 Bojan Smojver 2017-07-26 23:00:45 EDT
I am thinking that maybe some component is missing to run gnome properly. Can you run gnome all by itself on that VM?
Comment 28 Dean Hunter 2017-07-27 19:09:00 EDT
Yes, Gnome seems to work.  I have used Activities to run Terminal to install and test Xrdp, Files to find the configuration and log files, Text Editor to edit the configuration files, and Software to update the installation of Fedora 26.

Did you use Fedora 26 Workstation for your VM?
Comment 29 Bojan Smojver 2017-07-27 19:16:12 EDT
(In reply to Dean Hunter from comment #28)

> Did you use Fedora 26 Workstation for your VM?

My VM is an upgrade from (I think) F25. I think I may have used the workstation product to install it.
Comment 30 Dean Hunter 2017-08-02 12:51:47 EDT
I created a new VM using Fedora-Workstation-Live-x86_64-25-1.3.iso, then followed the same procedure as in Comment 25 to install, configure, and test Xrdp.  This installs the same version of Xrdp as with Fedora 26, and, without surprise, produces the exact same erroneous results.

I was trying to reproduce your VM where you say Xrdp works.  So I will not be able to compare a working installation with the installation created from Fedora 26 Workstation Live.  Please, can you tell me what is missing?
Comment 31 Bojan Smojver 2017-08-02 19:19:53 EDT
(In reply to Dean Hunter from comment #30)

> Please, can you tell me what is missing?

I honestly wish I could. There is bound to be something that I must have done by hand to get mine working (although I don't remember it), but I cannot remember what any more, if anything.

I do have root logins turned off in my sesman.ini. That surely cannot be it.
Comment 32 Dean Hunter 2017-08-02 20:01:16 EDT
I REALLY do not understand.  Could you not create a Fedora 26 Workstation VM, as I have done, and compare it to the VM where you say Xrdp is working?
Comment 33 Bojan Smojver 2017-08-02 20:35:52 EDT
(In reply to Dean Hunter from comment #32)
> I REALLY do not understand.  Could you not create a Fedora 26 Workstation
> VM, as I have done, and compare it to the VM where you say Xrdp is working?

I will do that when I get an opportunity.
Comment 34 Dean Hunter 2017-08-02 21:12:02 EDT
Here is another data point: I built another VM using CentOS 7.0, updated, installed, and tested Xrdp.  It works with the default configuration.  The first difference I see is that CentOS 7 is using a different version of TigerVNC:

[admin@centos70 ~]$ yum list installed tigervnc*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.ancl.hawaii.edu
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.cs.vt.edu
 * updates: repos-tx.psychz.net
Installed Packages
tigervnc-license.noarch                      1.3.1-9.el7               @anaconda
tigervnc-server-minimal.x86_64               1.3.1-9.el7               @anaconda
[admin@centos70 ~]$ 

[admin@xrdptest ~]$ dnf list installed tigervnc*
Installed Packages
tigervnc-license.noarch                     1.8.0-1.fc26               @anaconda
tigervnc-server-minimal.x86_64              1.8.0-1.fc26               @anaconda
[admin@xrdptest ~]$
Comment 35 Bojan Smojver 2017-08-03 01:30:10 EDT
Try:

systemctl set-default multi-user.target

Then reboot. Then try an RDP connection. See if that works.
Comment 36 Dean Hunter 2017-08-04 15:44:11 EDT
[admin@xrdptest ~]$ sudo systemctl get-default 
graphical.target
[admin@xrdptest ~]$ sudo systemctl set-default multi-user.target
Removed /etc/systemd/system/default.target.
Created symlink /etc/systemd/system/default.target → /usr/lib/systemd/system/multi-user.target.
[admin@xrdptest ~]$ sudo systemctl get-default 
multi-user.target
[admin@xrdptest ~]$ sudo reboot

And I get no Gnome shell!!!
Comment 37 Dean Hunter 2017-08-04 15:50:39 EDT
[admin@xrdptest ~]$ systemctl list-units --type target
UNIT                   LOAD   ACTIVE SUB    DESCRIPTION                  
basic.target           loaded active active Basic System                 
cryptsetup.target      loaded active active Encrypted Volumes            
getty.target           loaded active active Login Prompts                
graphical.target       loaded active active Graphical Interface          
local-fs-pre.target    loaded active active Local File Systems (Pre)     
local-fs.target        loaded active active Local File Systems           
multi-user.target      loaded active active Multi-User System            
network-online.target  loaded active active Network is Online            
network-pre.target     loaded active active Network (Pre)                
network.target         loaded active active Network                      
nfs-client.target      loaded active active NFS client services          
nss-lookup.target      loaded active active Host and Network Name Lookups
nss-user-lookup.target loaded active active User and Group Name Lookups  
paths.target           loaded active active Paths                        
remote-fs-pre.target   loaded active active Remote File Systems (Pre)    
remote-fs.target       loaded active active Remote File Systems          
rpc_pipefs.target      loaded active active rpc_pipefs.target            
slices.target          loaded active active Slices                       
sockets.target         loaded active active Sockets                      
sound.target           loaded active active Sound Card                   
spice-vdagentd.target  loaded active active Agent daemon for Spice guests
swap.target            loaded active active Swap                         
sysinit.target         loaded active active System Initialization        
timers.target          loaded active active Timers                       

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

24 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[admin@xrdptest ~]$
Comment 38 Bojan Smojver 2017-08-04 23:19:06 EDT
(In reply to Dean Hunter from comment #36)
> [admin@xrdptest ~]$ sudo systemctl get-default 
> graphical.target
> [admin@xrdptest ~]$ sudo systemctl set-default multi-user.target
> Removed /etc/systemd/system/default.target.
> Created symlink /etc/systemd/system/default.target →
> /usr/lib/systemd/system/multi-user.target.
> [admin@xrdptest ~]$ sudo systemctl get-default 
> multi-user.target
> [admin@xrdptest ~]$ sudo reboot
> 
> And I get no Gnome shell!!!

Hmm, interesting. I set up an F26 VM and installed xrdp on it. Originally it was set to boot in graphical.traget and the logs were showing Gnome Shell errors when I tried to connect to it (probably some kind of clash with gdm's shell). Once I switched to multi-user.target (i.e. non-graphical), I could connect to it using remote desktop client in Windows over RDP.
Comment 39 Bojan Smojver 2017-08-05 01:40:25 EDT
Just to avoid confusion, I blew away the F26 VM I created earlier and set it up again. I did that on Windows 10 with VMware Player 12 something (the free download from their site). I use x86_64 live image of F26 workstation to set up the VM, all defaults. I added user test (with password).

Once I booted into the installed VM, I switched to VT2 and did the following (paraphrasing here):

- systemctl set-default multi-user.target
- dnf install xrdp-selinux (this installs xrdp as well)
- dnf -y update
- cut/pasted TigerVNC stuff from README.Fedora into Xvnc stanza of sesman.ini
- edited /etc/pam.d/xrdp-sesman and enabled gdm stuff instead of standard
- firewall-cmd --add-service=ms-wbt --permanent (or something to that effect)

Then I rebooted and used remote desktop client from Windows 10 to connect to the address of the VM. You will see the result in the image I'll attach. Basically, Gnome ran just fine.
Comment 40 Bojan Smojver 2017-08-05 01:41 EDT
Created attachment 1309274 [details]
Windows 10, running VMware 12, running Fedora 26 - xrdp connection
Comment 41 Dean Hunter 2017-08-14 13:49:48 EDT
Thank you for your patience.  I have verified that it is necessary to shut down the graphical interface for the console on the machine running Xrdp.  This is something new to me on Fedora, although it has been a few years since I have tried this.  And it is not necessary on CentOS 7 running the same version of Xrdp.  Can you spare a few more minutes to explain why it is necessary?
Comment 42 Dean Hunter 2017-08-14 14:37:26 EDT
I feel I must apologize for being an idiot.  Shutting off the graphical interface to the console worked because it forced me to use another VM workstation to test the connection instead of trying to connect to localhost, as I have been able to do with CentOS.

Note You need to log in before you can comment on or make changes to this bug.