Description of problem: Cannot start an RDP session Version-Release number of selected component (if applicable): xrdp.x86_64 1:0.9.2-12.fc26 How reproducible: Consistent Steps to Reproduce: 1. Create a new Fedora 26 Beta install using Live USB 2. Apply all pending updates 3. sudo dnf -y install xrdp 4. sudo firewall-cmd --add-port=3389/tcp --permanent 5. sudo firewall-cmd --reload 6. sudo systemctl enable xrdp 7. sudo systemctl start xrdp 8. sudo dnf -y install freerdp 9. xfreerdp /v:localhost 10. Answer yes to question about certificate names not matching 11. Enter userid/password when prompted Actual results: The Connection log window is displayed with the VNC error Expected results: Gnome desktop to be displayed Additional info:
Created attachment 1292047 [details] xrdp.log
Created attachment 1292048 [details] xrdp-sesman.log
Do you have SELinux running on the machine by any chance? If so, did you install xrdp-selinux package? Also, new TigerVNC packages require some extra options, which are mentioned in README.Fedora file. Did you apply those to your config?
Thank you for your response. Yes, I have SELinux running. No, originally I had not installed xrdp-selinux, but since filing this bug report I found the README.Fedora. I did: 1. sudo dnf -y install xrdp-selinux 2. sudo reboot 3. logged into Gnome 4. xfreerdp /v:localhost but the problem persists. Then I editted the VNC stanza of sesman.ini and restarted xrdp, and again the problem persists.
By the way, README.Fedora references /etc/X11/Xwrapper.config which dies not exist in my installation.
(In reply to Dean Hunter from comment #5) > By the way, README.Fedora references /etc/X11/Xwrapper.config which dies not > exist in my installation. If you're running xorgxrdp, you will need to create that file. Does not apply to VNC.
Anything in the audit logs about SELinux denials? Also, what you you have in /etc/pam.d/xrdp-sesman? Default or Gnome specific stuff (i.e. gdm-password entries)?
Thank you for the note about Xwrapper.config. I have had not notices about SELinux denials. Please remind me how to search the audit log for denials. >cat /etc/pam.d/xrdp-sesman #%PAM-1.0 # Generic Fedora config auth include password-auth account include password-auth password include password-auth session include password-auth # Gnome specific Fedora config #auth include gdm-password #account include gdm-password #password include gdm-password #session include gdm-password
To search for denials, try: grep denied /var/log/audit/audit.log You may also want to convert that into a more readable SELinux format: grep denied /var/log/audit/audit.log | audit2allow -m denials Try using Gnome specific stuff in xrdp-sesman PAM configuration. That is what I have on my VM that runs xrdp and Gnome.
$ sudo grep denied /var/log/audit/audit.log | audit2allow -m denials module denials 1.0; require { type unconfined_service_t; type geoclue_t; type lib_t; type init_t; type useradd_t; type xdm_t; class dir { search setattr }; class dbus send_msg; } #============= geoclue_t ============== allow geoclue_t unconfined_service_t:dir search; #============= useradd_t ============== allow useradd_t init_t:dbus send_msg; #============= xdm_t ============== allow xdm_t lib_t:dir setattr; $
Modified /etc/pam.d/xrdp-sesman to be: #%PAM-1.0 # Generic Fedora config #auth include password-auth #account include password-auth #password include password-auth #session include password-auth # Gnome specific Fedora config auth include gdm-password account include gdm-password password include gdm-password session include gdm-password then restarted xrdp but the problem persists.
I'm out of ideas, so try to strace the xrdp processes when you login to see what's happening. There were problems with IPv6 at one point as well, so you may want to try disabling that.
I am not familiar with strace. Can you give me the command lines for which you would like to see the output?
Posting all of strace output will probably not be practical - the program prints out system calls. So, you would need to be able to determine which system call is resulting in the problem that may be related. Normally, you want to see which xrdp processes are running when the service is started and then run: strace -f -p <pid> -p <pid>... This will then follow the forks of these processes as well.
[admin@developer ~]$ sudo systemctl restart xrdp [admin@developer ~]$ sudo systemctl status xrdp ● xrdp.service - xrdp daemon Loaded: loaded (/usr/lib/systemd/system/xrdp.service; enabled; vendor preset: Active: active (running) since Fri 2017-06-30 08:37:56 CDT; 7s ago Docs: man:xrdp(8) man:xrdp.ini(5) Main PID: 6216 (xrdp) Tasks: 1 (limit: 4915) CGroup: /system.slice/xrdp.service └─6216 /usr/sbin/xrdp --nodaemon Jun 30 08:37:56 developer.hunter.org systemd[1]: Started xrdp daemon. Jun 30 08:37:56 developer.hunter.org xrdp[6216]: (6216)(140429996107904)[INFO ] Jun 30 08:37:56 developer.hunter.org xrdp[6216]: (6216)(140429996107904)[INFO ] [admin@developer ~]$ sudo strace -f -p 6216 -o strace.log strace: Process 6216 attached strace: Process 6250 attached ^Cstrace: Process 6216 detached [admin@developer ~]$ zip strace.zip strace.log updating: strace.log (deflated 96%) [admin@developer ~]$ strace.zip is attached
Created attachment 1293225 [details] strace of xrdp VNC error - problem connecting
Was the strace useful? Do you need anything else?
(In reply to Dean Hunter from comment #17) > Was the strace useful? Do you need anything else? Looked at the strace output and I can only see what appear to be timeouts to be back end (i.e. the VNC process), if I'm reading that correctly. I'm not any smarter after it, I'm afraid. :-(
Do you have this set in /etc/xrdp/sesman.ini when you're running the VNC session: param=-AcceptCutText=0 param=-SendCutText=0 param=-SendPrimary=0 param=-SetPrimary=0
So xrdp is timing out while trying to connect to VNC? I have only the default configuration of VNC provided by a new install of Fedora 26. Installed Packages tigervnc-license.noarch 1.8.0-1.fc26 @anaconda tigervnc-server-minimal.x86_64 1.8.0-1.fc26 @anaconda None of the parameters you listed are set in the sesman.ini built by a new install of Fedora 26 and I have not changed the file. In which stanza do they belong?
I found that I had tried this test before with a ticket opened with Neutrino Labs: https://github.com/neutrinolabs/xrdp/issues/765 So I added the params to the [Xvnc] stanza, restarted xrdp, and tried again with the same erroneous results. I see some new information in the ticket from grishin-a that says there is a problem with xrdp-selinux. Can you review it and advise whether it really applies to this problem?
grishin-a is using the MATE desktop where I am using the standard Gnome desktop. grishin-a is installing oddjob-mkhomedir which is not installed with Fedora 26 Workstation. His changes to xrdp-selinux seem to be limited to to including oddjob-mkhomedir.
(In reply to Dean Hunter from comment #20) > None of the parameters you listed are set in the sesman.ini built by a new > install of Fedora 26 and I have not changed the file. In which stanza do > they belong? Per README.Fedora: --------------- TigerVNC 1.8.0 enables clipboard support by default (i.e. no need to run vncconfig), which may cause disconnections in xrdp. To avoid the issue, these can be added to [Xvnc] stanza in /etc/xrdp/sesman.ini: param=-AcceptCutText=0 param=-SendCutText=0 param=-SendPrimary=0 param=-SetPrimary=0 Of course, cut and paste support will not work with these set. --------------- This was sprung upon us in xrdp world without any notice and there must be some kind of bug in xrdp that is causing disconnections. Given that recent Fedoras can have both version 1.7.x and 1.8.x of TigerVNC installed, I didn't want to set this as default. Also, without patched xrdp, passing that =0 would not work anyway. I know, less than ideal...
The SELinux theories are always easy to prove/disprove - just turn it off or put it in permissive mode. If it starts working, it was SELinux.
Created attachment 1304936 [details] terminal log of installation, cnfiguration, and testing
I created a new VM with gnome-boxes and Fedora-Workstation-Live-86_64-26-1.5.iso. I applied all updates then installed, configured using all of your advice, and tested. Xrdp still does not work. I have attached the log of my work, see Comment 25. I know you said Xrdp works in your VM, what am I doing that is different?
I am thinking that maybe some component is missing to run gnome properly. Can you run gnome all by itself on that VM?
Yes, Gnome seems to work. I have used Activities to run Terminal to install and test Xrdp, Files to find the configuration and log files, Text Editor to edit the configuration files, and Software to update the installation of Fedora 26. Did you use Fedora 26 Workstation for your VM?
(In reply to Dean Hunter from comment #28) > Did you use Fedora 26 Workstation for your VM? My VM is an upgrade from (I think) F25. I think I may have used the workstation product to install it.
I created a new VM using Fedora-Workstation-Live-x86_64-25-1.3.iso, then followed the same procedure as in Comment 25 to install, configure, and test Xrdp. This installs the same version of Xrdp as with Fedora 26, and, without surprise, produces the exact same erroneous results. I was trying to reproduce your VM where you say Xrdp works. So I will not be able to compare a working installation with the installation created from Fedora 26 Workstation Live. Please, can you tell me what is missing?
(In reply to Dean Hunter from comment #30) > Please, can you tell me what is missing? I honestly wish I could. There is bound to be something that I must have done by hand to get mine working (although I don't remember it), but I cannot remember what any more, if anything. I do have root logins turned off in my sesman.ini. That surely cannot be it.
I REALLY do not understand. Could you not create a Fedora 26 Workstation VM, as I have done, and compare it to the VM where you say Xrdp is working?
(In reply to Dean Hunter from comment #32) > I REALLY do not understand. Could you not create a Fedora 26 Workstation > VM, as I have done, and compare it to the VM where you say Xrdp is working? I will do that when I get an opportunity.
Here is another data point: I built another VM using CentOS 7.0, updated, installed, and tested Xrdp. It works with the default configuration. The first difference I see is that CentOS 7 is using a different version of TigerVNC: [admin@centos70 ~]$ yum list installed tigervnc* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.ancl.hawaii.edu * epel: fedora-epel.mirror.lstn.net * extras: mirror.cs.vt.edu * updates: repos-tx.psychz.net Installed Packages tigervnc-license.noarch 1.3.1-9.el7 @anaconda tigervnc-server-minimal.x86_64 1.3.1-9.el7 @anaconda [admin@centos70 ~]$ [admin@xrdptest ~]$ dnf list installed tigervnc* Installed Packages tigervnc-license.noarch 1.8.0-1.fc26 @anaconda tigervnc-server-minimal.x86_64 1.8.0-1.fc26 @anaconda [admin@xrdptest ~]$
Try: systemctl set-default multi-user.target Then reboot. Then try an RDP connection. See if that works.
[admin@xrdptest ~]$ sudo systemctl get-default graphical.target [admin@xrdptest ~]$ sudo systemctl set-default multi-user.target Removed /etc/systemd/system/default.target. Created symlink /etc/systemd/system/default.target → /usr/lib/systemd/system/multi-user.target. [admin@xrdptest ~]$ sudo systemctl get-default multi-user.target [admin@xrdptest ~]$ sudo reboot And I get no Gnome shell!!!
[admin@xrdptest ~]$ systemctl list-units --type target UNIT LOAD ACTIVE SUB DESCRIPTION basic.target loaded active active Basic System cryptsetup.target loaded active active Encrypted Volumes getty.target loaded active active Login Prompts graphical.target loaded active active Graphical Interface local-fs-pre.target loaded active active Local File Systems (Pre) local-fs.target loaded active active Local File Systems multi-user.target loaded active active Multi-User System network-online.target loaded active active Network is Online network-pre.target loaded active active Network (Pre) network.target loaded active active Network nfs-client.target loaded active active NFS client services nss-lookup.target loaded active active Host and Network Name Lookups nss-user-lookup.target loaded active active User and Group Name Lookups paths.target loaded active active Paths remote-fs-pre.target loaded active active Remote File Systems (Pre) remote-fs.target loaded active active Remote File Systems rpc_pipefs.target loaded active active rpc_pipefs.target slices.target loaded active active Slices sockets.target loaded active active Sockets sound.target loaded active active Sound Card spice-vdagentd.target loaded active active Agent daemon for Spice guests swap.target loaded active active Swap sysinit.target loaded active active System Initialization timers.target loaded active active Timers LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 24 loaded units listed. Pass --all to see loaded but inactive units, too. To show all installed unit files use 'systemctl list-unit-files'. [admin@xrdptest ~]$
(In reply to Dean Hunter from comment #36) > [admin@xrdptest ~]$ sudo systemctl get-default > graphical.target > [admin@xrdptest ~]$ sudo systemctl set-default multi-user.target > Removed /etc/systemd/system/default.target. > Created symlink /etc/systemd/system/default.target → > /usr/lib/systemd/system/multi-user.target. > [admin@xrdptest ~]$ sudo systemctl get-default > multi-user.target > [admin@xrdptest ~]$ sudo reboot > > And I get no Gnome shell!!! Hmm, interesting. I set up an F26 VM and installed xrdp on it. Originally it was set to boot in graphical.traget and the logs were showing Gnome Shell errors when I tried to connect to it (probably some kind of clash with gdm's shell). Once I switched to multi-user.target (i.e. non-graphical), I could connect to it using remote desktop client in Windows over RDP.
Just to avoid confusion, I blew away the F26 VM I created earlier and set it up again. I did that on Windows 10 with VMware Player 12 something (the free download from their site). I use x86_64 live image of F26 workstation to set up the VM, all defaults. I added user test (with password). Once I booted into the installed VM, I switched to VT2 and did the following (paraphrasing here): - systemctl set-default multi-user.target - dnf install xrdp-selinux (this installs xrdp as well) - dnf -y update - cut/pasted TigerVNC stuff from README.Fedora into Xvnc stanza of sesman.ini - edited /etc/pam.d/xrdp-sesman and enabled gdm stuff instead of standard - firewall-cmd --add-service=ms-wbt --permanent (or something to that effect) Then I rebooted and used remote desktop client from Windows 10 to connect to the address of the VM. You will see the result in the image I'll attach. Basically, Gnome ran just fine.
Created attachment 1309274 [details] Windows 10, running VMware 12, running Fedora 26 - xrdp connection
Thank you for your patience. I have verified that it is necessary to shut down the graphical interface for the console on the machine running Xrdp. This is something new to me on Fedora, although it has been a few years since I have tried this. And it is not necessary on CentOS 7 running the same version of Xrdp. Can you spare a few more minutes to explain why it is necessary?
I feel I must apologize for being an idiot. Shutting off the graphical interface to the console worked because it forced me to use another VM workstation to test the connection instead of trying to connect to localhost, as I have been able to do with CentOS.
I followed instruction on comment #39, so that the Vnc username and password can pass. But then the RDP session will got cut immediately afterwards. I can see the Gnome desktop wallpaper show up for a while before connect is cut.