Hi All,
I have created a CentOS 6.5 OpenStack image using kickstart. I have noticed that when connecting directly to the Virtual Machine's console (think connecting directly to the physical machine) all of the system-config, firewall configuration, application update and install GUI applications work fine and prompt for root login when executed. Hoever if I connect to the VM using xrdp with a tiger-vncserver backend the apps either do not work, or take several minutes to prompt for the root password.
Here is a post I made in the forums that has no response: https://www.centos.org/forums/viewtopic.php?f=13&t=45307&sid=865afae...
It looks like my problem may be that when I do a ck-list-sessions the device/terminal information does not seem to be known: Session2: unix-user = '500' realname = '(null)' seat = 'Seat2' session-type = '' active = FALSE x11-display = '' x11-display-device = '' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2014-03-06T17:23:07.718097Z' login-session-id = '4294967295'
I have tried disabling selinux, modifying the startwm.sh script included with xrdp to launch the session with "ck-launch-session gnome-session".
Neither seem to help.
Does anyone have any idea what might be going, or an explanation of how authentication works when one of these apps requires root permission?
Thanks!
Sam
Hi All,
I have created a CentOS 6.5 OpenStack image using kickstart. I have noticed that when connecting directly to the Virtual Machine's console (think connecting directly to the physical machine) all of the system-config, firewall configuration, application update and install GUI applications work fine and prompt for root login when executed. Hoever if I connect to the VM using xrdp with a tiger-vncserver backend the apps either do not work, or take several minutes to prompt for the root password.
Here is a post I made in the forums that has no response: https://www.centos.org/forums/viewtopic.php?f=13&t=45307&sid=865afae...
It looks like my problem may be that when I do a ck-list-sessions the device/terminal information does not seem to be known: Session2: unix-user = '500' realname = '(null)' seat = 'Seat2' session-type = '' active = FALSE x11-display = '' x11-display-device = '' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2014-03-06T17:23:07.718097Z' login-session-id = '4294967295'
I have tried disabling selinux, modifying the startwm.sh script included with xrdp to launch the session with "ck-launch-session gnome-session".
Neither seem to help.
Does anyone have any idea what might be going, or an explanation of how authentication works when one of these apps requires root permission?
Most of the /usr/bin/system-config-* are symlinks to /usr/bin/consolehelper.
My recommendation is, instead of trying to get a graphical console, SSH into the instance. You'll need to know/set a root password, have your SSH client configured to forward X11 (as well as the sshd on the remote VM), and be running an Xserver on your local system, but that way, you'll have the graphical version coming to you, directly. Because it's running via consolehelper, it will prompt you for the root user's password, and you'll be off to the races.
Hi Mike, thanks for the response.
Unfortunately this image is: A) Aimed at those with very little Linux knowledge B) Required to be accessible from multiple OSes with minimal client installation.
Really I would like to either track down why the consolehelper/PAM authentication does not work over xrdp (My next step is try straight vnc) or find an alternate, yet seamless authentication method.
Thanks, Sam
On Thu, Mar 13, 2014 at 2:07 PM, Mike Burger mburger@bubbanfriends.orgwrote:
Hi All,
I have created a CentOS 6.5 OpenStack image using kickstart. I have noticed that when connecting directly to the Virtual Machine's console (think connecting directly to the physical machine) all of the system-config, firewall configuration, application update and install GUI applications work fine and prompt for root login when executed. Hoever
if
I connect to the VM using xrdp with a tiger-vncserver backend the apps either do not work, or take several minutes to prompt for the root password.
Here is a post I made in the forums that has no response:
https://www.centos.org/forums/viewtopic.php?f=13&t=45307&sid=865afae...
It looks like my problem may be that when I do a ck-list-sessions the device/terminal information does not seem to be known: Session2: unix-user = '500' realname = '(null)' seat = 'Seat2' session-type = '' active = FALSE x11-display = '' x11-display-device = '' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2014-03-06T17:23:07.718097Z' login-session-id = '4294967295'
I have tried disabling selinux, modifying the startwm.sh script included with xrdp to launch the session with "ck-launch-session gnome-session".
Neither seem to help.
Does anyone have any idea what might be going, or an explanation of how authentication works when one of these apps requires root permission?
Most of the /usr/bin/system-config-* are symlinks to /usr/bin/consolehelper.
My recommendation is, instead of trying to get a graphical console, SSH into the instance. You'll need to know/set a root password, have your SSH client configured to forward X11 (as well as the sshd on the remote VM), and be running an Xserver on your local system, but that way, you'll have the graphical version coming to you, directly. Because it's running via consolehelper, it will prompt you for the root user's password, and you'll be off to the races.
-- Mike Burger http://www.bubbanfriends.org
"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Fri, Mar 14, 2014 at 10:13 AM, Samuel Winchenbach swinchen@gmail.com wrote:
Hi Mike, thanks for the response.
Unfortunately this image is: A) Aimed at those with very little Linux knowledge B) Required to be accessible from multiple OSes with minimal client installation.
Really I would like to either track down why the consolehelper/PAM authentication does not work over xrdp (My next step is try straight vnc) or find an alternate, yet seamless authentication method.
Have you tried it with x2go or freenx/NX? Those aren't exactly 'minimal' client installs, but they are cross platform and worth the trouble for remote work. They should at least fix the problem of taking several minutes to open a prompt window.
Hi Les,
The "several minutes" to open a window is not a rendering issue. The user experience overall is _very_ good. As I use it more and more I can not seem to recreate the delayed root prompt.
We have used freenx in the past, but with the change of licensing in the newest release and several difficulties (mostly involving Max OSX clients) we have decided to go with RDP.
Sam
On Fri, Mar 14, 2014 at 1:41 PM, Les Mikesell lesmikesell@gmail.com wrote:
On Fri, Mar 14, 2014 at 10:13 AM, Samuel Winchenbach swinchen@gmail.com wrote:
Hi Mike, thanks for the response.
Unfortunately this image is: A) Aimed at those with very little Linux knowledge B) Required to be accessible from multiple OSes with minimal client installation.
Really I would like to either track down why the consolehelper/PAM authentication does not work over xrdp (My next step is try straight vnc) or find an alternate, yet seamless authentication method.
Have you tried it with x2go or freenx/NX? Those aren't exactly 'minimal' client installs, but they are cross platform and worth the trouble for remote work. They should at least fix the problem of taking several minutes to open a prompt window.
-- Les Mikesell lesmikesell@gmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, Mar 17, 2014 at 8:50 AM, Samuel Winchenbach swinchen@gmail.com wrote:
The "several minutes" to open a window is not a rendering issue. The user experience overall is _very_ good. As I use it more and more I can not seem to recreate the delayed root prompt.
We have used freenx in the past, but with the change of licensing in the newest release and several difficulties (mostly involving Max OSX clients) we have decided to go with RDP.
Note that x2go does approximately the same as freenx/NX, using some of the same supporting libraries. However, it is all open source, including the cross-platform clients. I had some problems with earlier versions, but the current version seems pretty good and might be worth another look. It is somewhat nicer than the old NX client on windows because it allows resizing the window after startup - and resizes the remote desktop to match. It also claims to connect audio and client disk shares, but I haven't used those features.
A couple of things that can cause long delays that seem kind of random are the first of your DNS servers failing with a timeout before the retry to the good one, or something that does an IDENT query to log the remote socket user hitting a firewall that silently drops the packet instead of rejecting with an ICMP.
Well the slow dialog isn't the problem so much.
I have disabled selinux just to remove one variable from the problem!
Here are a list of applications and if they prompt for the root password correctly: "Add/Remove Software" - Application start fine, but when I click apply I get "Authorization Failed" dialog box. "Authentication" - Works great! "Firewall" - I get an org.fedoraproject.slip.dbus.service.PolKit.NotAuthroized.org.fedoraproject.config.firewall.auth error dialog box on start. "Services" - Application starts fine, but it never prompts for root password and none of the buttons (enable, disable, start, stop, restart) seem to do anything "Software Update" - Application starts fine but "Install Updates" doesn't do anything. "Users and Groups" - Works great!
So it is strange that "Authentication" and "Users and Groups" work great, but the other fail one way or another. Different authentication mechanisms? I am really quite lost.
Sam
On Mon, Mar 17, 2014 at 10:57 AM, Les Mikesell lesmikesell@gmail.comwrote:
On Mon, Mar 17, 2014 at 8:50 AM, Samuel Winchenbach swinchen@gmail.com wrote:
The "several minutes" to open a window is not a rendering issue. The
user
experience overall is _very_ good. As I use it more and more I can not seem to recreate the delayed root prompt.
We have used freenx in the past, but with the change of licensing in the newest release and several difficulties (mostly involving Max OSX
clients)
we have decided to go with RDP.
Note that x2go does approximately the same as freenx/NX, using some of the same supporting libraries. However, it is all open source, including the cross-platform clients. I had some problems with earlier versions, but the current version seems pretty good and might be worth another look. It is somewhat nicer than the old NX client on windows because it allows resizing the window after startup - and resizes the remote desktop to match. It also claims to connect audio and client disk shares, but I haven't used those features.
A couple of things that can cause long delays that seem kind of random are the first of your DNS servers failing with a timeout before the retry to the good one, or something that does an IDENT query to log the remote socket user hitting a firewall that silently drops the packet instead of rejecting with an ICMP.
-- Les Mikesell lesmikesell@gmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I just tried x2go - Same problems.
On Mon, Mar 17, 2014 at 11:18 AM, Samuel Winchenbach swinchen@gmail.comwrote:
Well the slow dialog isn't the problem so much.
I have disabled selinux just to remove one variable from the problem!
Here are a list of applications and if they prompt for the root password correctly: "Add/Remove Software" - Application start fine, but when I click apply I get "Authorization Failed" dialog box. "Authentication" - Works great! "Firewall" - I get an org.fedoraproject.slip.dbus.service.PolKit.NotAuthroized.org.fedoraproject.config.firewall.auth error dialog box on start. "Services" - Application starts fine, but it never prompts for root password and none of the buttons (enable, disable, start, stop, restart) seem to do anything "Software Update" - Application starts fine but "Install Updates" doesn't do anything. "Users and Groups" - Works great!
So it is strange that "Authentication" and "Users and Groups" work great, but the other fail one way or another. Different authentication mechanisms? I am really quite lost.
Sam
On Mon, Mar 17, 2014 at 10:57 AM, Les Mikesell lesmikesell@gmail.comwrote:
On Mon, Mar 17, 2014 at 8:50 AM, Samuel Winchenbach swinchen@gmail.com wrote:
The "several minutes" to open a window is not a rendering issue. The
user
experience overall is _very_ good. As I use it more and more I can not seem to recreate the delayed root prompt.
We have used freenx in the past, but with the change of licensing in the newest release and several difficulties (mostly involving Max OSX
clients)
we have decided to go with RDP.
Note that x2go does approximately the same as freenx/NX, using some of the same supporting libraries. However, it is all open source, including the cross-platform clients. I had some problems with earlier versions, but the current version seems pretty good and might be worth another look. It is somewhat nicer than the old NX client on windows because it allows resizing the window after startup - and resizes the remote desktop to match. It also claims to connect audio and client disk shares, but I haven't used those features.
A couple of things that can cause long delays that seem kind of random are the first of your DNS servers failing with a timeout before the retry to the good one, or something that does an IDENT query to log the remote socket user hitting a firewall that silently drops the packet instead of rejecting with an ICMP.
-- Les Mikesell lesmikesell@gmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, Mar 17, 2014 at 10:18 AM, Samuel Winchenbach swinchen@gmail.com wrote:
Well the slow dialog isn't the problem so much.
I have disabled selinux just to remove one variable from the problem!
Here are a list of applications and if they prompt for the root password correctly: "Add/Remove Software" - Application start fine, but when I click apply I get "Authorization Failed" dialog box. "Authentication" - Works great! "Firewall" - I get an org.fedoraproject.slip.dbus.service.PolKit.NotAuthroized.org.fedoraproject.config.firewall.auth error dialog box on start. "Services" - Application starts fine, but it never prompts for root password and none of the buttons (enable, disable, start, stop, restart) seem to do anything "Software Update" - Application starts fine but "Install Updates" doesn't do anything. "Users and Groups" - Works great!
So it is strange that "Authentication" and "Users and Groups" work great, but the other fail one way or another. Different authentication mechanisms? I am really quite lost.
I was assuming that this behavior was different from a freenx/NX session but I see approximately the same thing where the apps that are links to consolehelper with the matching name configured under /etc/pam.d/ (system-config-authentication, etc.) work with with a password prompt as needed, but not the ones that are just python (system-config-firewall, etc.) My ck-list-sessions says: $ ck-list-sessions Session2: unix-user = '500' realname = '(null)' seat = 'Seat1' session-type = '' active = TRUE x11-display = ':0' x11-display-device = '/dev/tty1' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2014-02-27T20:46:01.675451Z' login-session-id = '1' idle-since-hint = '2014-02-27T22:36:31.861340Z'
I don't know what most of that means, but my X display is definitely not :0. $ echo $DISPLAY :1320.0
So something is not right here... Googleing for that org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.config.firewall.auth: error turns up a bunch of hits but I couldn't find a real fix to make the password prompt happen. Seems to be controlled by stuff related to PolicyKit, and maybe something to do with the magic that happens when you log in on the console device. I don't believe much in magic, so I've always thought that was a very strange concept for an inherently multiuser OS.
Well it turns out I didn't test all of the applications using x2go, only the one that didn't work (Firewall). All of the others seem to work fine. Perhaps I will suggest x2go, but I am still quite aggravated I can't figure out the xrdp problem :P
On Mon, Mar 17, 2014 at 1:58 PM, Les Mikesell lesmikesell@gmail.com wrote:
On Mon, Mar 17, 2014 at 10:18 AM, Samuel Winchenbach swinchen@gmail.com wrote:
Well the slow dialog isn't the problem so much.
I have disabled selinux just to remove one variable from the problem!
Here are a list of applications and if they prompt for the root password correctly: "Add/Remove Software" - Application start fine, but when I click apply I get "Authorization Failed" dialog box. "Authentication" - Works great! "Firewall" - I get an
org.fedoraproject.slip.dbus.service.PolKit.NotAuthroized.org.fedoraproject.config.firewall.auth
error dialog box on start. "Services" - Application starts fine, but it never prompts for root password and none of the buttons (enable, disable, start, stop, restart) seem to do anything "Software Update" - Application starts fine but "Install Updates" doesn't do anything. "Users and Groups" - Works great!
So it is strange that "Authentication" and "Users and Groups" work great, but the other fail one way or another. Different authentication mechanisms? I am really quite lost.
I was assuming that this behavior was different from a freenx/NX session but I see approximately the same thing where the apps that are links to consolehelper with the matching name configured under /etc/pam.d/ (system-config-authentication, etc.) work with with a password prompt as needed, but not the ones that are just python (system-config-firewall, etc.) My ck-list-sessions says: $ ck-list-sessions Session2: unix-user = '500' realname = '(null)' seat = 'Seat1' session-type = '' active = TRUE x11-display = ':0' x11-display-device = '/dev/tty1' display-device = '' remote-host-name = '' is-local = TRUE on-since = '2014-02-27T20:46:01.675451Z' login-session-id = '1' idle-since-hint = '2014-02-27T22:36:31.861340Z'
I don't know what most of that means, but my X display is definitely not :0. $ echo $DISPLAY :1320.0
So something is not right here... Googleing for that
org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.config.firewall.auth: error turns up a bunch of hits but I couldn't find a real fix to make the password prompt happen. Seems to be controlled by stuff related to PolicyKit, and maybe something to do with the magic that happens when you log in on the console device. I don't believe much in magic, so I've always thought that was a very strange concept for an inherently multiuser OS.
-- Les Mikesell lesmikesell@gmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, Mar 17, 2014 at 1:01 PM, Samuel Winchenbach swinchen@gmail.com wrote:
Well it turns out I didn't test all of the applications using x2go, only the one that didn't work (Firewall). All of the others seem to work fine. Perhaps I will suggest x2go, but I am still quite aggravated I can't figure out the xrdp problem :P
It probably relates somehow to not having an x11-display or device in your ck-list-sessions. And you might be able to bypass it with something under /etc/polkit-1/ that lets all users or those in a group run the commands without a password prompt. But there is always brute force... su to root in a terminal window and type the command instead of picking it from the menu.
On 03/12/2014 03:18 PM, Samuel Winchenbach wrote:
I have tried disabling selinux, modifying the startwm.sh script included with xrdp to launch the session with "ck-launch-session gnome-session".
Neither seem to help.
Does anyone have any idea what might be going, or an explanation of how authentication works when one of these apps requires root permission?
try using beesu, I think it is in EPEL.
-
Les Mikesell -
Ljubomir Ljubojevic -
Mike Burger -
Samuel Winchenbach