Closed kluehrsen closed 6 months ago
To note: I did use Script Version 1.4.8 from c-nergy.be to install, and made a few other manual changes to the config.
- added xrdp to ssl-cert group
- changed permission settings on /etc/ssl/private to allow other users to access
At this point I'm not sure if the issue is somewhere in the XRDP files where I need to tweak a line of code, or if there's something wrong with my VPN/network. Have been troubleshooting for over a week (different installation methods) - so hoping there's some answer here on how to resolve the behavior.
I think this should help you. https://github.com/neutrinolabs/xrdp/issues/2297
Thank you! I attempted to make a few of the changes recommended in that thread, but still having issues with permissions in my session - specifically trying to download cudnn software.
Here are the steps I took:
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem
usermod -G ssl-cert xrdp
Reboot system
A few differences. When I run ls -l /etc/xrdp/key.pem /etc/xrdp/cert.pem my output is:
lrwxrwxrwx 1 root root 36 Jan 22 22:27 /etc/xrdp/cert.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 Jan 22 22:27 /etc/xrdp/key.pem -> /etc/ssl/private/ssl-cert-snakeoil.key
id xrdp
uid=129(xrdp) gid=135(xrdp) groups=135(xrdp),113(ssl-cert)
ls -l
total 4
-rw-r----- 1 root xrdp 1704 Jan 22 22:06 ssl-cert-snakeoil.key
Does this have to do with using the snakeoil key? If there are additional steps I should take, the advice is greatly appreciated.
@kluehrsen - your session permissions are nothing to do with the TLS key. This is exclusively used for setting up a TLS connection to the machine.
I suspect your issues are related to 'polkit'. I've just added a FAQ for this, which frankly I should have done a long time ago:-
Have a read of that, and please let me know if it's useful or not.
Thank you, this was very helpful. For my case, running the script didn't resolve the issue initially -- it took checking the auth.log and seeing org.freedesktop.packagekit.package-install-untrusted was failing authentication --
I then added the following to your /etc/pol-kit-1/localauthority/50-local/pk-local.pkla :
[pk-local override for org.freedesktop.packagekit.package-install-untrusted]
Identity=unix-group:pk-local
Action=org.freedesktop.packagekit.package-install-untrusted
ResultAny=yes
Thanks so much for your help, very much appreciated!! KL
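An added example, not part of the thread or of the xrdp project: a short Python audit that parses a .pkla override like the one posted above and reports every entry that grants `yes` (no authentication prompt) for an action the auditor wants protected. The sample file content is constructed (the first entry repeats the one from the comment), and the `SENSITIVE` list is an assumption.

```python
import configparser
import fnmatch

# Constructed sample: the override quoted in the thread, then two made-up entries.
SAMPLE_PKLA = """\
[pk-local override for org.freedesktop.packagekit.package-install-untrusted]
Identity=unix-group:pk-local
Action=org.freedesktop.packagekit.package-install-untrusted
ResultAny=yes

[constructed wildcard entry]
Identity=unix-user:alice;unix-group:staff
Action=org.freedesktop.packagekit.*
ResultActive=yes

[constructed entry that still asks for an admin password]
Identity=unix-group:pk-local
Action=org.freedesktop.packagekit.package-install-untrusted
ResultAny=auth_admin
"""

# Action ids the auditor wants authenticated (assumption: taken from the thread).
SENSITIVE = ("org.freedesktop.packagekit.package-install-untrusted",)
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def parse_pkla(text):
    """Return one dict per [section] of a .pkla file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the key names exactly as written
    cp.read_string(text)
    return [{
        "name": name,
        "identities": [i for i in cp[name].get("Identity", "").split(";") if i],
        "actions": [a for a in cp[name].get("Action", "").split(";") if a],
        "results": {k: cp[name][k] for k in RESULT_KEYS if k in cp[name]},
    } for name in cp.sections()]


def audit(entries, sensitive=SENSITIVE):
    """List (entry, action id, result key, identities) granted 'yes' with no prompt."""
    findings = []
    for e in entries:
        for key, value in e["results"].items():
            if value.strip() != "yes":
                continue
            for sid in sensitive:
                # An Action value may be a glob, so match the id against it.
                if any(fnmatch.fnmatchcase(sid, a) for a in e["actions"]):
                    findings.append((e["name"], sid, key, tuple(e["identities"])))
    return findings
```

Calling `audit(parse_pkla(SAMPLE_PKLA))` reports the thread's entry and the wildcard entry, and skips the one that keeps `auth_admin`.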
Interesting.
On my Mint system, I get this:-
$ pkaction --action-id org.freedesktop.packagekit.package-install-untrusted --verbose
org.freedesktop.packagekit.package-install-untrusted:
description: Install untrusted local file
message: Authentication is required to install untrusted software
vendor: The PackageKit Project
vendor_url: http://www.packagekit.org/
icon: package-x-generic
implicit any: auth_admin
implicit inactive: auth_admin
implicit active: auth_admin
annotation: org.freedesktop.policykit.imply -> org.freedesktop.packagekit.package-install
auth_admin means you need to be an administrator (or able to authenticate as one). auth_any lets all users install untrusted software. Is the user you're running as also in the sudo group?
xrdp version
0.9.12
Detailed xrdp version, build options
Operating system & version
Ubuntu 20.04
Installation method
dnf / apt / zypper / pkg / etc
Which backend do you use?
xorgxrdp
What desktop environment do you use?
Xfce
Environment xrdp running on
server with (4) NVIDIA A40
What's your client?
No response
Area(s) with issue?
Authentication
Steps to reproduce
While attempting to do anything that requires privileged access, errors get thrown in XRDP. i.e. unable to create raid array, unable to download software, etc.
✔️ Expected Behavior
The user for xrdp is in the sudo group, so I would expect to be able to fulfill these operations - but continue to get error messages.
❌ Actual Behavior
Error message denying software download
Anything else?
xrdp.log.docx xrdp-sesman.log.docx
[20240125-10:31:23] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:23] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:23] [DEBUG] TLSv1.3 enabled
[20240125-10:31:23] [DEBUG] TLSv1.2 enabled
[20240125-10:31:23] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:27] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:10.255.7.254 port 54588
[20240125-10:31:27] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:27] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20240125-10:31:27] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:27] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:27] [DEBUG] TLSv1.3 enabled
[20240125-10:31:27] [DEBUG] TLSv1.2 enabled
[20240125-10:31:27] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:29] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:10.255.3.254 port 44638
[20240125-10:31:29] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:29] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20240125-10:31:29] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:29] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:29] [DEBUG] TLSv1.3 enabled
[20240125-10:31:29] [DEBUG] TLSv1.2 enabled
[20240125-10:31:29] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)