
How to RDP to VNC and authenticate using AD (OpenSuSe)

For this we will be setting up a VNC server and xrdp, which together let you use the Windows Remote Desktop (Terminal Services) client to connect to your Linux desktop as you would any Windows machine, with centralized authentication against Active Directory.

xrdp is a wonderful Remote Desktop Protocol application that lets you RDP to your servers and workstations from any Windows machine, from a Mac running an RDP app, or even from Linux using an RDP client such as Remmina.
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer (RFB) protocol to control another computer remotely. It is essentially the Linux counterpart of Windows RDP.

Since there was no xrdp package in the OpenSuSE repository, getting it all working was a bit of a dirty install.

1. First you will need to install the VNC server using yast2

  • yast2 -i tigervnc
  • chkconfig vnc on
  • vncpasswd, then press Enter
  • Type your VNC password twice when prompted
  • systemctl start vnc (this runs /usr/bin/vncserver)

The output should look like this:

New ‘X’ desktop is bvanhm01:1

Starting applications specified in /root/.vnc/xstartup

Log file is /root/.vnc/nicktailor.1:1.log

Now we want to install xrdp. Since OpenSuSE does not come with a built-in repository or RPM that has xrdp already compiled, we will have to make this setup a little dirty: compile our own xrdp and then configure it to work with VNC. I am not 100% sure there is no package; when I looked I did not see one, so I chose this route, which worked out. It is, however, a bit of a dirty setup.

First we need to download the xrdp source:

  • wget http://www.nicktailor.com/files/xrdp-v0.6.1.tar.gz
  • Create a directory, /home/xrdp, to hold the source files, then copy the tarball into it and extract it:
    1. cp xrdp-v0.6.1.tar.gz /home/xrdp
    2. tar -zxvf /home/xrdp/xrdp-v0.6.1.tar.gz
    3. zypper install git autoconf automake libtool make gcc gcc-c++ libX11-devel libXfixes-devel libXrandr-devel fuse-devel patch flex bison intltool libxslt-tools perl-libxml-perl font-util libxml2-devel openssl-devel pam-devel python-libxml2 xorg-11
    4. You will also want to enable remote desktop services inside OpenSuSE
  • Now build and install xrdp:
    • change to the xrdp source directory and run
    • ./bootstrap
    • ./configure
    • make
    • then, as root
    • make install

2. Once the application is installed, add its library directories to the linker configuration so the system can find them

  • vi /etc/ld.so.conf
  • add the following lines (32-bit and 64-bit):
    • /usr/local/lib64/xrdp
    • /usr/local/lib/xrdp
    • save the file
  • next run ldconfig so the system picks up the new library directories
  • Make sure your /etc/xrdp/xrdp.ini has the following:

[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt_level=high
channel_code=1

[xrdp1]
name=sesman-Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1

  • The start-up script for xrdp lives at /home/xrdp/xrdp-v0.6.1/instfiles/xrdp.sh
    • cd into /etc/init.d/
    • and create a symlink to the script there:
    • ln -s /home/xrdp/xrdp-v0.6.1/instfiles/xrdp.sh xrdp.sh
  • I also added the start-up script to /etc/rc.d/boot.local so that xrdp starts on reboot
    • Add this line:
      • /home/xrdp/xrdp-v0.6.1/instfiles/xrdp.sh start

For the next portion, please ensure your OpenSuSE machine is already joined to AD and authenticating against it. If not, refer to my earlier blog post on how to add OpenSuSE to Active Directory. If you did everything correctly, your pam.d authentication will be using pam_winbind to authenticate against AD, and the includes below make xrdp use that same authentication process to get to VNC.

  • To get xrdp to use AD authentication, update /etc/pam.d/xrdp-sesman so it contains:

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
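As an added example (not from the original post), here is a small POSIX shell script that checks the xrdp.ini and xrdp-sesman settings above before you open port 3389 to the network; it assumes the file paths used in this post and accepts other paths as arguments.

```shell
#!/bin/sh
# Added example: sanity-check xrdp.ini and the xrdp-sesman PAM file described
# in this post. Paths default to the ones the post uses; override via arguments.

# Print the value of KEY in [SECTION] of an ini-style file (first match only).
ini_get() {            # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Check the [globals] and [xrdp1] settings the post relies on.
# Prints one line per problem; returns the number of problems found.
check_xrdp_ini() {     # check_xrdp_ini /etc/xrdp/xrdp.ini
    ini=${1:-/etc/xrdp/xrdp.ini}; bad=0
    [ "$(ini_get "$ini" globals crypt_level)" = "high" ] ||
        { echo "crypt_level is not high"; bad=$((bad+1)); }
    [ "$(ini_get "$ini" globals port)" = "3389" ] ||
        { echo "globals port is not 3389"; bad=$((bad+1)); }
    [ "$(ini_get "$ini" xrdp1 lib)" = "libvnc.so" ] ||
        { echo "xrdp1 does not use libvnc.so"; bad=$((bad+1)); }
    [ "$(ini_get "$ini" xrdp1 ip)" = "127.0.0.1" ] ||
        { echo "xrdp1 VNC backend is not 127.0.0.1"; bad=$((bad+1)); }
    [ "$(ini_get "$ini" xrdp1 password)" = "ask" ] ||
        { echo "xrdp1 password should be 'ask', not stored in the file"; bad=$((bad+1)); }
    return "$bad"
}

# Check that xrdp-sesman hands auth, account and session to the common-* stack
# (where pam_winbind performs the AD login). Returns the number of missing includes.
check_pam_sesman() {   # check_pam_sesman /etc/pam.d/xrdp-sesman
    pam=${1:-/etc/pam.d/xrdp-sesman}; bad=0
    for t in auth account session; do
        grep -Eq "^[[:space:]]*$t[[:space:]]+include[[:space:]]+common-$t" "$pam" ||
            { echo "pam: no 'include common-$t' line for $t"; bad=$((bad+1)); }
    done
    return "$bad"
}
```

Source the script and call check_xrdp_ini and check_pam_sesman (with no arguments to use the post's default paths); each returns non-zero when it finds something to fix.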

ISSUES YOU CAN RUN INTO WITH GNOME

  • In theory you should now be able to use Remote Desktop, provided no firewall prevents you from connecting to the machine: connect over RDP from a Windows desktop using your AD credentials. There is one small catch: if you are using GNOME it MAY not work. What can happen is that you connect successfully at first, but as soon as the screen locks, the login screen hammers away and you are unable to type your password to get back into your session.
  • You might see something like this in /var/log/messages:

2015-08-27T14:15:44.341964-07:00 nicktailor01 gnome-session[10533]: ShellUserVerifier<._userVerifierGot@/usr/share/gnome-shell/js/gdm/util.js:350
2015-08-27T14:15:44.342139-07:00 nicktailor01 gnome-session[10533]: wrapper@/usr/share/gjs-1.0/lang.js:213
2015-08-27T14:15:44.721076-07:00 bvanhm01 gnome-session[10533]: (gnome-shell:10609): Gjs-WARNING **: JS ERROR: Failed to obtain user verifier: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No session available
2015-08-27T14:15:44.721381-07:00 nicktailor01 gnome-session[10533]: ShellUserVerifier<._userVerifierGot@/usr/share/gnome-shell/js/gdm/util.js:350
2015-08-27T14:15:44.721553-07:00 nicktailor01 gnome-session[10533]: wrapper@/usr/share/gjs-1.0/lang.js:213
2015-08-27T14:15:45.100944-07:00 nicktailor01 gnome-session[10533]: (gnome-shell:10609): Gjs-WARNING **: JS ERROR: Failed to obtain user verifier: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No session available

  • The cause appears to be a bug between systemd and gnome-shell. I reviewed several online forum threads about it, but there was no solid resolution other than downgrading systemd, and even later updates caused similar issues. Fear not, there is a solution: simply change the desktop from GNOME to a more stable one such as XFCE. Here is how 🙂
  • First install XFCE
    1. zypper install -t pattern xfce
  • Next remove GNOME
    1. zypper rm $(rpm -qa | grep gnome)

Now reboot your machine and you should be able to remote desktop via RDP to your OpenSuSE machine with no issues. I realize this is a bit dirty, but it was fun, wasn't it??? 🙂

If you have any questions email nick@nicktailor.com


How to RDP to VNC and authenticate using AD (Redhat 6)

For this we will be setting up a VNC server and xrdp, which together let you use the Windows Remote Desktop (Terminal Services) client to connect to your Linux desktop as you would any Windows machine, with centralized authentication against Active Directory.

xrdp is a wonderful Remote Desktop Protocol application that lets you RDP to your servers and workstations from any Windows machine, from a Mac running an RDP app, or even from Linux using an RDP client such as Remmina. This was written for the then-new CentOS 6.5 on 64-bit but should work the same on any 6.x and 5.x Red Hat clone with the correct EPEL repositories.

Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer (RFB) protocol to control another computer remotely. It is essentially the Linux counterpart of Windows RDP.

We are going to make the two work together so you can RDP from your Windows machine to your Linux desktop as you would to any other Windows machine running the RDP service. xrdp creates an SSH tunnel inside the RDP protocol to reach the VNC server and then authenticates against the Active Directory domain controller, so you do not need to create users individually for vncserver.

First we need to download and install the EPEL repository for your version. If you do not know which architecture you are running, you can verify it with the command below. If the kernel release ends in x86_64 you have a 64-bit install; if it ends in i386 it is a 32-bit install:

[root@server ~]# uname -r
2.6.32-431.el6.x86_64

Once you have determined your architecture, install the matching EPEL repository with the commands below:

RHEL/CentOS 6 32-Bit
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

RHEL/CentOS 6 64-Bit
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

You can verify that the EPEL repository is present by running the command below; the EPEL repository should be listed, as it is on line 10 of this output (the epel row):

[root@server ~]# yum repolist
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.thelinuxfix.com
 * epel: mirror.cogentco.com
 * extras: centos.mirror.nac.net
 * updates: centos.mirror.netriplex.com
repo id                         repo name                                                               status
base                            CentOS-6 - Base                                                          6,367
epel                            Extra Packages for Enterprise Linux 6 - x86_64                          10,220
extras                          CentOS-6 - Extras                                                           14
updates                         CentOS-6 - Updates                                                         286
repolist: 16,887

Once you have verified the EPEL repository is installed correctly, perform the last few steps below; this installs xrdp and the TigerVNC server for you to connect to. The front end of xrdp speaks the RDP protocol, and internally it uses VNC to connect and display the remote desktop to you.

[root@server ~]# yum install xrdp tigervnc-server
[root@server ~]# service vncserver start
[root@server ~]# service xrdp start
[root@server ~]# chkconfig xrdp on
[root@server ~]# chkconfig vncserver on
  • If vncserver did not start, it is probably because of the /etc/sysconfig/vncserver file: you need at least one user and password configured.
  • Edit the file /etc/sysconfig/vncserver
  • Add the following; adjust the users accordingly and save
=======================
VNCSERVERS="1:nicktailora 2:nicktailorb"
VNCSERVERARGS[1]="-geometry 800x600 -nolisten tcp -localhost"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"
=========================
  • Now su to the user you created
    • su nicktailora
    • then run vncpasswd
    • type a complex password twice
    • exit back to root by typing exit
    • restart vncserver: /etc/init.d/vncserver restart
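An added example, not part of the original post: a POSIX shell check that every display in /etc/sysconfig/vncserver keeps -localhost (RFB bound to loopback) and -nolisten tcp (no X11 TCP listener), so the only way into a VNC session is through the xrdp front end that performs the PAM/AD login. It assumes the file format shown above and takes the path as its first argument.

```shell
#!/bin/sh
# Added example: check that every VNC display configured in
# /etc/sysconfig/vncserver is bound to loopback, so it is reachable only via
# xrdp (which does the PAM/AD login) and not directly on 590x from the network.
# The file is parsed with sed rather than sourced, so it is never executed.

# Print the VNCSERVERS value, e.g. "1:nicktailora 2:nicktailorb".
vnc_servers() {        # vnc_servers FILE
    sed -n "s/^VNCSERVERS=[\"']\{0,1\}\([^\"']*\).*/\1/p" "$1"
}

# Print the VNCSERVERARGS value for one display number (empty if unset).
vnc_args() {           # vnc_args FILE DISPLAY
    sed -n "s/^VNCSERVERARGS\[$2\]=[\"']\{0,1\}\([^\"']*\).*/\1/p" "$1"
}

# Report displays whose arguments lack -localhost (RFB off loopback) or
# -nolisten tcp (X server's own TCP port open). Returns the number that fail.
check_vnc_sysconfig() { # check_vnc_sysconfig /etc/sysconfig/vncserver
    cfg=${1:-/etc/sysconfig/vncserver}; bad=0
    for entry in $(vnc_servers "$cfg"); do
        disp=${entry%%:*}; user=${entry#*:}
        args=$(vnc_args "$cfg" "$disp"); ok=1
        case " $args " in
            *" -localhost "*) ;;
            *) echo ":$disp ($user): missing -localhost, VNC reachable off-box"; ok=0 ;;
        esac
        case " $args " in
            *" -nolisten tcp "*) ;;
            *) echo ":$disp ($user): missing -nolisten tcp"; ok=0 ;;
        esac
        [ "$ok" -eq 1 ] || bad=$((bad+1))
    done
    return "$bad"
}
```

Source the script and call check_vnc_sysconfig after editing the file; a non-zero return means at least one display would be reachable without going through xrdp.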

Now we make xrdp authenticate against AD when creating the SSH tunnel through the RDP protocol.

NOTE: YOU WILL HAVE HAD TO FOLLOW MY EARLIER BLOG POST ON "HOW TO ADD A REDHAT SERVER TO ACTIVE DIRECTORY" FOR THIS PORTION TO WORK.

Since you are already authenticating using sssd/kerberos/ldap:
  • we just need to edit the PAM authentication file that was created when xrdp was installed
  • /etc/pam.d/xrdp-sesman
It should look something like this:
===============================
#%PAM-1.0
auth include password-auth
account include password-auth
session include password-auth
  1. Make a backup of the file /etc/pam.d/xrdp-sesman
    • cp /etc/pam.d/xrdp-sesman /etc/pam.d/xrdp-sesman.bak
  2. Now copy your system-auth file over /etc/pam.d/xrdp-sesman
    • cp /etc/pam.d/system-auth /etc/pam.d/xrdp-sesman

It should then look like the file below. I have bolded the sssd authentication sections; they are the pam_sss.so lines. Now you should be able to use your Active Directory (AD) credentials to authenticate when you RDP to your Linux desktop.

===================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
============================================================

Cheers

If you have any questions email nick@nicktailor.com
