无法通过 xRDP 对 RHEL 8 的 AD 用户进行身份验证

To authenticate with DeviceAuthentication against an existing ADFS environment connected to keycloak, I configured an RHEL 8 workstation. I am able to authenticate AD users on the command line with su - aduser, but when I try to log in over xRDP I get errors in xrdp.log and xrdp-sesman.log and a black screen. This is xrdp.log:

[20230927-05:37:35] [INFO ] connecting to sesman on 127.0.0.1:3350
[20230927-05:37:35] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20230927-05:37:35] [INFO ] sesman connect ok
[20230927-05:37:35] [INFO ] sending login info to session manager. Please wait...
[20230927-05:37:35] [INFO ] xrdp_wm_log_msg: login successful for user [email protected] on display 11
[20230927-05:37:35] [INFO ] login successful for user [email protected] on disp
[20230927-05:37:35] [INFO ] lay 11
[20230927-05:37:35] [INFO ] loaded module 'libvnc.so' ok, interface size 4064, version 4
[20230927-05:37:35] [INFO ] VNC started connecting
[20230927-05:37:35] [INFO ] VNC connecting to 127.0.0.1 5911
[20230927-05:37:36] [INFO ] VNC tcp connected
[20230927-05:37:36] [INFO ] VNC security level is 1 (1 = none, 2 = standard)
[20230927-05:37:36] [INFO ] VNC sending share flag
[20230927-05:37:36] [INFO ] VNC receiving server init
[20230927-05:37:36] [INFO ] VNC receiving pixel format
[20230927-05:37:36] [INFO ] VNC receiving name length
[20230927-05:37:36] [INFO ] VNC receiving name
[20230927-05:37:36] [INFO ] VNC sending pixel format
[20230927-05:37:36] [INFO ] VNC sending cursor
[20230927-05:37:36] [INFO ] VNC connection complete, connected ok
[20230927-05:37:36] [INFO ] VNC: Clipboard (if available) is provided by chansrv facility
[20230927-05:37:36] [INFO ] connected ok
[20230927-05:37:40] [WARN ] xrdp_mm_chansrv_connect: connect failed trying again...
[20230927-05:37:44] [WARN ] xrdp_mm_chansrv_connect: connect failed trying again...
[20230927-05:37:48] [WARN ] xrdp_mm_chansrv_connect: connect failed trying again...
[20230927-05:37:52] [WARN ] xrdp_mm_chansrv_connect: connect failed trying again...
[20230927-05:37:52] [ERROR] xrdp_mm_chansrv_connect: error in trans_connect chan
[20230927-05:37:52] [INFO ] Layout from OldLayout (geom=1224x679 #screens=1) : 1804289383:(1224x679+0+0)

In xrdp-sesman.log:

[20230927-05:37:35] [INFO ] Socket 14: AF_INET6 connection received from ::1 port 55938
[20230927-05:37:35] [DEBUG] session_get_bydata: search policy 0 U [email protected] W 1224 H 679 bpp 16 T 2 IP ::ffff:10.129.70.176:50794 - socket: 12
[20230927-05:37:35] [DEBUG] session_get_bydata: try 0x5635f1a19450 U [email protected] W 1608 H 895 bpp 16 T 2 IP ::ffff:10.129.70.176:52985 - socket: 12
[20230927-05:37:35] [INFO ] ++ reconnected session: username [email protected], display :11.0, session_pid 398914, ip ::ffff:10.129.70.176:50794 - socket: 12
[20230927-05:37:35] [ERROR] sesman_data_in: scp_process_msg failed
[20230927-05:37:35] [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans
[20230927-05:37:35] [INFO ] Starting session reconnection script on display 11: /usr/libexec/xrdp/reconnectwm.sh
[20230927-05:37:35] [DEBUG] Calling exec (executable: /usr/libexec/xrdp/reconnectwm.sh, arguments: /usr/libexec/xrdp/reconnectwm.sh )
[20230927-05:37:35] [DEBUG] Closed socket 14 (AF_INET6 ::1 port 3350)
[20230927-05:37:35] [DEBUG] receiving SIGCHLD
[20230927-05:37:35] [INFO ] Process 486970 has exited

In my xrdp.ini:

[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true

port=3389

use_vsock=false

tcp_nodelay=true

tcp_keepalive=true

security_layer=negotiate

crypt_level=high

certificate=
key_file=

ssl_protocols=TLSv1.2, TLSv1.3

autorun=

allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
max_bpp=32
new_cursors=true
use_fastpath=both

blue=009cb5
grey=dedede


;
; configure login screen
;

; Login Screen Window Title

ls_top_window_bg_color=009cb5

; width and height of login screen

ls_width=350
ls_height=430

ls_bg_color=dedede


ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50

ls_label_x_pos=30
ls_label_width=65

ls_input_x_pos=110
ls_input_width=210

ls_input_y_pos=220

ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30

ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30

[Logging]
LogFile=xrdp.log
LogLevel=INFO
EnableSyslog=true

[LoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#xrdp.c=INFO
#main()=INFO

[Channels]
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true

; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10


;
; Session types
;

#[Xorg]
#param=-config
#param=/etc/X11/xorg.conf
#param=-noreset
#param=-nolisten
#param=tcp
#name=Xorg
#lib=libxup.so
#username=ask
#password=ask
#ip=127.0.0.1
#port=-1
#code=20

[Xvnc]
name=Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000
chansrvport=DISPLAY(0)

; Generic VNC Proxy
; Tailor this to specific hosts and VNC instances by specifying an ip
; and port and setting a suitable name.
#[vnc-any]
#name=vnc-any
#lib=libvnc.so
#ip=ask
#port=ask5900
#username=na
#password=ask
#pamusername=asksame
#pampassword=asksame
#pamsessionmng=127.0.0.1
#delay_ms=2000

; Generic RDP proxy using NeutrinoRDP
; Tailor this to specific hosts by specifying an ip and port and setting
; a suitable name.
#[neutrinordp-any]
#name=neutrinordp-any
; To use this section, you should build xrdp with configure option
; --enable-neutrinordp.
#lib=libxrdpneutrinordp.so
#ip=ask
#port=ask3389
#username=ask
#password=ask
; Uncomment the following lines to enable PAM authentication for proxy
; connections.
#pamusername=ask
#pampassword=ask
#pamsessionmng=127.0.0.1
; Currently NeutrinoRDP doesn't support dynamic resizing. Uncomment
; this line if you're using a client which does.
#enable_dynamic_resizing=false
; By default, performance settings requested by the RDP client are ignored
; and chosen by NeutrinoRDP. Uncomment this line to allow the user to
; select performance settings in the RDP client.
#perf.allow_client_experiencesettings=true
; Override any experience setting by uncommenting one or more of the
; following lines.
#perf.wallpaper=false
#perf.font_smoothing=false
#perf.desktop_composition=false
#perf.full_window_drag=false
#perf.menu_anims=false
#perf.themes=false
#perf.cursor_blink=false
; By default NeutrinoRDP supports cursor shadows. If this is giving
; you problems (e.g. cursor is a black rectangle) try disabling cursor
; shadows by uncommenting the following line.
#perf.cursor_shadow=false
; By default, NeutrinoRDP uses the keyboard layout of the remote RDP Server.
; If you want to tell the remote the keyboard layout of the RDP Client,
; by uncommenting the following line.
#neutrinordp.allow_client_keyboardLayout=true
; The following options will override the remote keyboard layout settings.
; These options are for DEBUG and are not recommended for regular use.
#neutrinordp.override_keyboardLayout_mask=0x0000FFFF
#neutrinordp.override_kbd_type=0x04
#neutrinordp.override_kbd_subtype=0x01
#neutrinordp.override_kbd_fn_keys=12
#neutrinordp.override_kbd_layout=0x00000409

; You can override the common channel settings for each session type
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true

In sesman.ini:

;; See `man 5 sesman.ini` for details

[Globals]
ListenAddress=127.0.0.1
ListenPort=3350
EnableUserWindowManager=true
; Give in relative path to user's home directory
UserWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
DefaultWindowManager=startwm-bash.sh
; Give in full path or relative path to /etc/xrdp
ReconnectScript=reconnectwm.sh

[Security]
AllowRootLogin=true
MaxLoginRetry=4
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
AlwaysGroupCheck=false
; When RestrictOutboundClipboard=all clipboard from the
; server is not pushed to the client.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
;   true: an alias of all
;   false: an alias of none
;   yes: an alias of all
RestrictOutboundClipboard=none
; When RestrictInboundClipboard=all clipboard from the
; client is not pushed to the server.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
;   true: an alias of all
;   false: an alias of none
;   yes: an alias of all
RestrictInboundClipboard=none
; Set to 'no' to prevent users from logging in with alternate shells
#AllowAlternateShell=true

[Sessions]
;; X11DisplayOffset - x11 display number offset
; Type: integer
; Default: 10
X11DisplayOffset=10

;; MaxSessions - maximum number of connections to an xrdp server
; Type: integer
; Default: 0
MaxSessions=50

;; KillDisconnected - kill disconnected sessions
; Type: boolean
; Default: false
; if 1, true, or yes, every session will be killed within DisconnectedTimeLimit
; seconds after the user disconnects
KillDisconnected=false

;; DisconnectedTimeLimit (seconds) - wait before kill disconnected sessions
; Type: integer
; Default: 0
; if KillDisconnected is set to false, this value is ignored
DisconnectedTimeLimit=0

;; IdleTimeLimit (seconds) - wait before disconnect idle sessions
; Type: integer
; Default: 0
; Set to 0 to disable idle disconnection.
IdleTimeLimit=0

;; Policy - session allocation policy
; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ]
; "Default" session per <User,BitPerPixel>
; "UBD" session per <User,BitPerPixel,DisplaySize>
; "UBI" session per <User,BitPerPixel,IPAddr>
; "UBC" session per <User,BitPerPixel,Connection>
; "UBDI" session per <User,BitPerPixel,DisplaySize,IPAddr>
; "UBDC" session per <User,BitPerPixel,DisplaySize,Connection>
Policy=Default

[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogFile=xrdp-sesman.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[LoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#sesman.c=INFO
#main()=INFO

;
; Session definitions - startup command-line parameters for each session type
;

[Xorg]
; Specify the path of non-suid Xorg executable. It might differ depending
; on your distribution and version. Find out the appropriate path for your
; environment. The typical path is known as follows:
;
; Fedora 26 or later    :  param=/usr/libexec/Xorg
; Debian 9 or later     :  param=/usr/lib/xorg/Xorg
; Ubuntu 16.04 or later :  param=/usr/lib/xorg/Xorg
; Arch Linux            :  param=/usr/lib/Xorg
; CentOS 7              :  param=/usr/bin/Xorg or param=Xorg
; CentOS 8              :  param=/usr/libexec/Xorg
; FreeBSD (from 2022Q4) :  param=/usr/local/libexec/Xorg
;
param=/usr/libexec/Xorg
; Leave the rest parameters as-is unless you understand what will happen.
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp
param=-logfile
param=.xorgxrdp.%s.log

[Xvnc]
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96
param=-SecurityTypes
param=None

[Chansrv]
; drive redirection
; See sesman.ini(5) for the format of this parameter
#FuseMountName=/run/user/%u/thinclient_drives
#FuseMountName=/media/thinclient_drives/%U/thinclient_drives
FuseMountName=thinclient_drives
; this value allows only the user to access their own mapped drives.
; Make this more permissive (e.g. 022) if required.
FileUmask=077
; Can be used to disable FUSE functionality - see sesman.ini(5)
#EnableFuseMount=false
; Uncomment this line only if you are using GNOME 3 versions 3.29.92
; and up, and you wish to cut-paste files between Nautilus and Windows. Do
; not use this setting for GNOME 4, or other file managers
#UseNautilus3FlistFormat=true

[ChansrvLogging]
; Note: one log file is created per display and the LogFile config value
; is ignored. The channel server log file names follow the naming convention:
; xrdp-chansrv.${DISPLAY}.log
;
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[ChansrvLoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#chansrv.c=INFO
#main()=INFO

[SessionVariables]
PULSE_SCRIPT=/etc/xrdp/pulse/default.pa

I did a yum update, but nothing changed.
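As an added triage example (not from the original post and not part of xrdp), the script below classifies an xrdp.log / xrdp-sesman.log pair by the markers that appear in the post: whether sesman reported a successful login (so PAM/SSSD accepted the AD user), whether the Xvnc backend connected, whether xrdp could reach xrdp-chansrv, and whether sesman reattached to an existing session with a different geometry before "scp_process_msg failed". The embedded sample logs are a trimmed copy of the lines quoted above with the obfuscated account name replaced by `aduser`; that substitution and the helper names (`triage_xrdp`, `sesman_reattached`, `sesman_geometry_mismatch`, `write_sample_logs`) are assumptions of the example, not xrdp tooling.

```shell
#!/bin/sh
# Added example: triage helper for xrdp black-screen reports. Not part of
# xrdp and not from the original post; it only greps for strings that
# xrdp and xrdp-sesman write to their logs.

# write_sample_logs DIR: constructed sample logs, a trimmed copy of the
# lines quoted in the post with the account name replaced by "aduser".
write_sample_logs() {
    dir="$1"
    cat > "$dir/xrdp.log" <<'EOF'
[20230927-05:37:35] [INFO ] xrdp_wm_log_msg: login successful for user aduser on display 11
[20230927-05:37:36] [INFO ] VNC security level is 1 (1 = none, 2 = standard)
[20230927-05:37:36] [INFO ] VNC connection complete, connected ok
[20230927-05:37:52] [WARN ] xrdp_mm_chansrv_connect: connect failed trying again...
[20230927-05:37:52] [ERROR] xrdp_mm_chansrv_connect: error in trans_connect chan
EOF
    cat > "$dir/xrdp-sesman.log" <<'EOF'
[20230927-05:37:35] [DEBUG] session_get_bydata: search policy 0 U aduser W 1224 H 679 bpp 16 T 2 IP ::ffff:10.129.70.176:50794 - socket: 12
[20230927-05:37:35] [DEBUG] session_get_bydata: try 0x5635f1a19450 U aduser W 1608 H 895 bpp 16 T 2 IP ::ffff:10.129.70.176:52985 - socket: 12
[20230927-05:37:35] [INFO ] ++ reconnected session: username aduser, display :11.0, session_pid 398914, ip ::ffff:10.129.70.176:50794 - socket: 12
[20230927-05:37:35] [ERROR] sesman_data_in: scp_process_msg failed
EOF
}

# sesman_reattached SESMAN_LOG: 0 if sesman reused an existing session
# for this login instead of starting a fresh one.
sesman_reattached() {
    grep -q 'reconnected session' "$1"
}

# sesman_geometry_mismatch SESMAN_LOG: 0 if the geometry the client asked
# for ("search policy ... W x H") differs from the geometry of the session
# sesman picked ("try ... W x H"); 1 otherwise or if either line is absent.
sesman_geometry_mismatch() {
    want=$(sed -n 's/.*session_get_bydata: search policy.* W \([0-9]*\) H \([0-9]*\) .*/\1x\2/p' "$1" | head -n 1)
    got=$(sed -n 's/.*session_get_bydata: try .* W \([0-9]*\) H \([0-9]*\) .*/\1x\2/p' "$1" | head -n 1)
    [ -n "$want" ] && [ -n "$got" ] && [ "$want" != "$got" ]
}

# triage_xrdp XRDP_LOG SESMAN_LOG: prints one verdict per check and returns
#   0  nothing suspicious in these logs
#   1  no "login successful" line: authentication (PAM/SSSD) is the problem
#   2  login accepted and backend connected, but xrdp-chansrv unreachable
#      and/or sesman dropped the SCP connection (the pattern in the post)
#   3  login accepted but xrdp never connected to the Xvnc/Xorg backend
triage_xrdp() {
    xlog="$1"; slog="$2"; rc=0
    if ! grep -q 'login successful for user' "$xlog"; then
        echo "auth: no 'login successful' in xrdp.log; look at PAM/SSSD (journalctl -u xrdp-sesman, /var/log/secure)"
        return 1
    fi
    echo "auth: sesman accepted the user, so PAM/SSSD is not what is failing"
    if ! grep -q 'connected ok' "$xlog"; then
        echo "backend: xrdp never connected to the display server for this session"
        return 3
    fi
    echo "backend: display server connection completed"
    if grep -q 'VNC security level is 1' "$xlog"; then
        echo "note: Xvnc accepts unauthenticated VNC (-SecurityTypes None); only safe because it is started with -localhost"
    fi
    if grep -q 'xrdp_mm_chansrv_connect: error in trans_connect' "$xlog"; then
        echo "chansrv: xrdp gave up connecting to xrdp-chansrv; clipboard, drive and sound channels are dead"
        rc=2
    fi
    if sesman_reattached "$slog"; then
        echo "session: sesman reattached to an existing session instead of starting a new one"
        if sesman_geometry_mismatch "$slog"; then
            echo "session: requested geometry differs from the reattached session (Policy=Default keys only on user and bpp)"
        fi
    fi
    if grep -q 'scp_process_msg failed' "$slog"; then
        echo "session: sesman dropped the SCP connection (scp_process_msg failed) during the reconnect"
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}

# Stand-alone demo on the constructed sample logs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
if triage_xrdp "$demo_dir/xrdp.log" "$demo_dir/xrdp-sesman.log"; then
    echo "triage: no problem found"
else
    echo "triage exit code: $?"
fi
rm -rf "$demo_dir"
```

On the logs in the post the script returns 2: the AD user was authenticated, Xvnc came up, but xrdp never reached xrdp-chansrv for display 11 and sesman hit "scp_process_msg failed" while reattaching a session whose geometry (1608x895) differs from the new request (1224x679). That points at the existing session 398914 and the channel server, not at SSSD; with chansrvport=DISPLAY(0) in xrdp.ini, the per-display log named xrdp-chansrv.${DISPLAY}.log (as the sesman.ini comment describes) is the next place to look.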