This bug report concerns active directory logins not working properly on xrdp 0.6.1 / tigervnc 1.3.0 on fedora 20.
System configuration: Fedora 20 64 bit installation as a guest on vmware esxi server
selinux : disabled
firewall : disabled
joined to active directory domain corp.mydomain.com (CORP) through realmd.
Steps to isolate xrdp / tigervnc as the source of the problem: users can login properly through ssh using the username format username@corp.mydomain.com so we know that pam/sssd/realmd are all working properly.
Basic issue : .vnc directory and vnc password file are not properly created when the user first logs in.
Steps to reproduce :
1) Attempt to connect with remote desktop to the server and login using username format username@corp.mydomain.com or CORP\username.
expected result : successful login
actual result : home directory is created properly but .vnc directory is not, so login fails
2) Attempt to login as many times as you want using the same username format you chose in step 1.
result : after about 15 attempts I got bored and gave up. Attempt #2 is the only one I logged below because all subsequent attempts are identical in log entries and error messages.
3) Switch username format. If you initially logged in with username@corp.mydomain.com switch to CORP\username and vice versa.
result : .vnc directory is automatically created, vnc password file is automatically generated by the server, user is able to successfully log in!!!
Issue that needs to be addressed
================================
- Why are the .vnc directory and password file not created when the user home directory is created?
- Why does switching the login name format after an initial failed login cause the .vnc directory and password file to now be created?
First login using username@corp.mydomain.com as login username
xrdp screen shows :
===================
connecting to sesman ip 127.0.0.1 port 3350
sesman connect ok
sending login info to session manager, please wait...
xrdp_mm_process_login_response: login successful for display
started connecting
connecting to 127.0.0.1 5910
tcp connected
security level is 2 (1 = none, 2 = standard)
password failed
error - problem connecting
journalctl shows:
=================
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Wed Aug 27 10:56:55 2014
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: accepted: 127.0.0.1::42003
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: Client needs protocol version 3.3
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SVncAuth: opening password file
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: '/home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd'
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: failed
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: AuthFailureException: No password configured for VNC Auth
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: closed: 127.0.0.1::42003 (No password configured for VNC Auth)
Aug 27 10:56:55 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: touch: cannot touch ‘/home/corp.mydomain.com/username/.cache/imsettings/log’: No such file or directory
Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1537]: directory `/home/corp.mydomain.com/username/.gnupg' created
Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1537]: directory `/home/corp.mydomain.com/username/.gnupg/private-keys-v1.d' created
Aug 27 10:56:56 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: gpg-agent[1538]: gpg-agent (GnuPG) 2.0.22 started
2nd attempt using login name format username@corp.mydomain.com
======================
Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SVncAuth: opening password file
Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: '/home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd'
Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: failed
Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: SConnection: AuthFailureException: No password configured for VNC Auth
Aug 27 11:02:03 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Connections: closed: 127.0.0.1::42007 (No password configured for VNC Auth)
3rd attempt using login name format CORP\username
=============================
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=CORP\username
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=CORP\username
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Xvnc TigerVNC 1.3.0 - built Oct 2 2013 10:43:43
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Copyright (C) 1999-2011 TigerVNC Team and many others (see README.txt)
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: See http://www.tigervnc.org for information on TigerVNC.
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Underlying X server release 11402000, The X.Org Foundation
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: Wed Aug 27 11:03:24 2014
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: VNC extension running!
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: Listening for VNC connections on all interface(s), port 5911
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com xrdp-sesman[1352]: vncext: created VNC server for screen 0
Aug 27 11:03:24 vm-fedora20.corp.mydomain.com systemd[1]: Starting Session c2 of user username@corp.mydomain.com.
home directory of user username
Notes : notice that the creation time on most of those files matches exactly the time 10:56, which is my first attempted login. First login caused home directory to get created but no vncpasswd file created.
Notice that the creation time of the .vnc directory corresponds to the 3rd login attempt when I switched to the CORP\username login format. Somehow vnc or xrdp auto-created my .vncpasswd file for me on that login attempt.
=============================
[root@vm-fedora20 username]# ls -al
total 84
drwxr-xr-x. 16 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .
drwx--x--x. 4 root root 4096 Aug 27 10:56 ..
-rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 18 Aug 27 10:56 .bash_logout
-rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 193 Aug 27 10:56 .bash_profile
-rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 231 Aug 27 10:56 .bashrc
drwx------. 4 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .cache
drwxr-xr-x. 6 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .config
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 Desktop
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Documents
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Downloads
-rw-------. 1 username@corp.mydomain.com domain users@corp.mydomain.com 16 Aug 27 10:57 .esd_auth
drwx------. 3 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 .gnupg
-rw-r--r--. 1 username@corp.mydomain.com domain users@corp.mydomain.com 113 Mar 8 2011 .gtkrc-2.0-kde4
drwx------. 4 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .kde
drwxr-xr-x. 3 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:57 .local
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Music
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Pictures
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Public
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Templates
drwxr-xr-x. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 10:56 Videos
drwx------. 2 username@corp.mydomain.com domain users@corp.mydomain.com 4096 Aug 27 11:03 .vnc
/var/log/xrdp-sesman.log
Notes : entire contents here; not very useful at all.
========================
[20140827-10:56:54] [INFO ] scp thread on sck 9 started successfully
[20140827-10:56:54] [INFO ] ++ created session (access granted): username username@corp.mydomain.com, ip 10.1.4.111:58366 - socket: 7
[20140827-10:56:54] [INFO ] starting Xvnc session...
[20140827-10:56:54] [WARN ] can't read vnc password file - /home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd
[20140827-10:56:55] [INFO ] starting xrdp-sessvc - xpid=1363 - wmpid=1362
[20140827-11:02:02] [INFO ] scp thread on sck 9 started successfully
[20140827-11:02:02] [INFO ] ++ reconnected session: username username@corp.mydomain.com, display :10.0, session_pid 1361, ip 10.1.4.111:58366 - socket: 7
[20140827-11:03:23] [INFO ] scp thread on sck 9 started successfully
[20140827-11:03:24] [INFO ] ++ created session (access granted): username CORP\username, ip 10.1.4.111:58366 - socket: 7
[20140827-11:03:24] [INFO ] starting Xvnc session...
[20140827-11:03:24] [INFO ] starting xrdp-sessvc - xpid=2027 - wmpid=2026
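As an added diagnostic (not part of this report, nor xrdp's own code), the following Python derives the password-file path that xrdp-sesman logged above for a given login string, so the two name formats can be compared, parses the sesman log for "can't read vnc password file" warnings, and checks whether the expected file exists with owner-only permissions. The `~/.vnc/sesman_<login>_passwd` layout is taken from the log lines in this report; that the CORP\username form follows the same layout is an assumption.

```python
import os
import re
import stat
import tempfile

# Layout seen in the report: sesman looks for ~/.vnc/sesman_<login-as-typed>_passwd.
# The login string is used verbatim, so "username@corp.mydomain.com" and
# "CORP\username" map to two different files (the latter is assumed, not logged).
def sesman_passwd_path(home: str, login: str) -> str:
    return os.path.join(home, ".vnc", f"sesman_{login}_passwd")

WARN_RE = re.compile(r"\[WARN \] can't read vnc password file - (?P<path>\S+)")

# Constructed sample: the two relevant lines from /var/log/xrdp-sesman.log above.
SAMPLE_LOG = """\
[20140827-10:56:54] [INFO ] starting Xvnc session...
[20140827-10:56:54] [WARN ] can't read vnc password file - /home/corp.mydomain.com/username/.vnc/sesman_username@corp.mydomain.com_passwd
"""

def missing_passwd_files(sesman_log: str) -> list[str]:
    """Return every password-file path that xrdp-sesman reported it could not read."""
    return [m.group("path") for m in WARN_RE.finditer(sesman_log)]

def check_vnc_passwd(home: str, login: str) -> dict:
    """Report whether the file sesman expects for this login exists, and whether it is
    owner-only (0600); a group/world-readable VNC secret is a misconfiguration."""
    path = sesman_passwd_path(home, login)
    result = {"path": path, "dir_exists": os.path.isdir(os.path.dirname(path)),
              "exists": False, "mode_ok": False}
    if os.path.isfile(path):
        result["exists"] = True
        result["mode_ok"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    return result

def simulate_home(login: str, create_file: bool) -> dict:
    """Build a throwaway home directory, optionally with the expected file, and check it."""
    home = tempfile.mkdtemp(prefix="xrdp-home-")
    if create_file:
        path = sesman_passwd_path(home, login)
        os.makedirs(os.path.dirname(path), mode=0o700)
        with open(path, "wb") as f:
            f.write(b"\x00" * 8)  # placeholder bytes, not a real vncpasswd-obfuscated secret
        os.chmod(path, 0o600)
    return check_vnc_passwd(home, login)

if __name__ == "__main__":
    for p in missing_passwd_files(SAMPLE_LOG):
        print("sesman could not read:", p)
    print(simulate_home("username@corp.mydomain.com", True))
    print(simulate_home("CORP\\username", False))
```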