joshpatten / PVE-VDIClient

Proxmox based VDI client
Apache License 2.0

[NOTABUG] Feature Ideas #8

Closed ccallahan closed 11 months ago

ccallahan commented 2 years ago

A friend showed me this, and I wanted to jot down some thoughts/ideas that could make this really neat.

Anyways, just my two cents worth. If I had any actual good programming skills, I'd try to help with this, but the way I am now I'd just get in the way.

jpattWPC commented 2 years ago

  1. Kerberos support would pretty much be entirely on Proxmox to implement before it could be implemented client side
  2. RDP seems like an interesting idea, but there needs to be a mechanism for determining what IP/hostname to connect to and I'm not sure the best way to go about that.

otopetrik commented 2 years ago

> 2. RDP seems like an interesting idea, but there needs to be a mechanism for determining what IP/hostname to connect to and I'm not sure the best way to go about that.

IP addresses are available for VMs with qemu-guest-agent installed and running:

Not every Windows VM has RDP ("home edition"), and a Linux VM can have RDP ("xrdp") installed.

Probably a good idea to require presence of string `rdp` in field `tags` in `/nodes/{node}/qemu/{vmid}/config` (or something similar). Auto-detection by just attempting the connection could generate noise in logs or even trigger fail2ban.

This can be set using `qm set <vmid> --tags rdp`.

Unfortunately it looks like Proxmox handles tags as a single string (that cannot contain `=`), instead of more generic format `key1=valueA;key2=valueB,valueC,valueD;key3withoutvalue`. Proxmox accepts `qm set 2001 --tags "rdp;rdp_ip-192.168.1.1"`, but using `-` instead of `=` is a hack.

Using `rdp;rdp_if-eth2,eth3` in tags could work for VMs that have only some interfaces connected to accessible networks (e.g. do not attempt connecting to addresses for interfaces `eth0`, `eth1`, `eth4`, ... or `tun0`, ... or any other interface).

For multiple possible IP addresses, client should select the first address from the list which is also on the same subnet as one of the client's interfaces (prefer LAN over VPN for `rdp;rdp_if-eth0,tun0` when client is in LAN); if no IP address is on the same subnet, try connecting to the addresses in listed order.

Combining `rdp;rdp_ip-192.168.1.1` or `rdp;rdp_ip-vm.example.com` could work for VMs without qemu-guest-agent.
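Added example, not part of the thread or of PVE-VDIClient's code: a sketch of the tag convention and address ordering proposed in the comment above, where a VM without the opt-in `rdp` tag yields no candidates and is therefore never probed. The function names and the interface-to-addresses dictionary are assumptions made for illustration, and the function returns the full ordered candidate list (same-subnet addresses first) rather than a single address.

```python
import ipaddress

def parse_rdp_tags(tags):
    """Return RDP hints from a Proxmox tags string, or None without the opt-in 'rdp' tag."""
    items = [t.strip() for t in tags.split(";") if t.strip()]
    if "rdp" not in items:          # exact match: 'nordp' or 'rdp_if-eth0' alone do not opt in
        return None
    hints = {"interfaces": [], "hosts": []}
    for item in items:
        if item.startswith("rdp_if-"):
            hints["interfaces"] += item[len("rdp_if-"):].split(",")
        elif item.startswith("rdp_ip-"):
            hints["hosts"].append(item[len("rdp_ip-"):])
    return hints

def rdp_candidates(tags, guest_ifaces, client_networks):
    """Ordered list of hosts to try; empty means the VM must not be probed."""
    hints = parse_rdp_tags(tags)
    if hints is None:
        return []
    listed = list(hints["hosts"])
    # With no rdp_if- restriction, every interface the guest agent reported is eligible.
    for name in hints["interfaces"] or list(guest_ifaces):
        listed += guest_ifaces.get(name, [])
    nets = [ipaddress.ip_network(n, strict=False) for n in client_networks]

    def on_client_subnet(host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:          # hostname such as vm.example.com
            return False
        return any(addr in net for net in nets)

    local = [h for h in listed if on_client_subnet(h)]
    return local + [h for h in listed if h not in local]

# Constructed sample data: interface -> addresses, as a guest agent might report them.
GUEST = {"eth0": ["192.168.1.50"], "eth1": ["172.16.0.9"], "tun0": ["10.8.0.5"]}

if __name__ == "__main__":
    print(rdp_candidates("rdp;rdp_if-tun0,eth0", GUEST, ["192.168.1.23/24"]))
    print(rdp_candidates("web;db", GUEST, ["192.168.1.23/24"]))
```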

hidrawlic commented 2 years ago

I'm late to the conversation but it has to do with why I came here in the first place. Proxmox has LDAP functionality and you can join it to a domain/realm (I'm using FreeIPA which is upstream Red Hat IdM and it Just Works™).

That said, am I understanding correctly that PVE (local) auth is all that will work with this right now? I tried pam auth which is a local system user and that didn't work. Replacing that with 'ldap' in the config and no joy.

jpattWPC commented 2 years ago

You have to use the name of the realm in the config file, which is in the authentication section of Proxmox.

hidrawlic commented 2 years ago

Ha. Caught up in my own cleverness. I had tried that already; unfortunately I forgot that the realm name needs to be in all-caps.