User coming in through RDP has different settings than one logging in directly

hwyhobo · 07-30-2013, 05:59 PM

When I log in to my CentOS 6.4 directly, nm-connection-editor works normally, I can edit connections. However, if I log in through rdp, I can't. "Edit" is always grayed out. It must be something simple I am not seeing.

Any pointers will be appreciated.

gradinaruvasile · 07-31-2013, 08:53 AM

rdp? More exactly?

hwyhobo · 07-31-2013, 12:33 PM

rdp = Remote Desktop Protocol.

gradinaruvasile · 07-31-2013, 01:21 PM

You talk about the xrdp or freerdp implementation?

Or

Gnome has "a "RDP" server shich is a big messy misunderstanding because that is just plain and simple VNC.
?

hwyhobo · 07-31-2013, 01:42 PM

xrdp. Yes, it runs on VNC, but seems to connect nicely, no drops, no problems. It's just that the user coming in through rdp seems to have different settings and permissions. There has to be some hidden setting to make the system treat that user like any other logging in directly, but I haven't found it yet.

gradinaruvasile · 07-31-2013, 02:50 PM

Most likely the user is treated as "inactive" or "not local" by consolekit/policykit. Log in a session, open a terminal then type:

Code:

ck-list-sessions

Will output something like:

Code:

$ ck-list-sessions 
Session3:
	unix-user = '0'
	realname = 'root'
	seat = 'Seat1'
	session-type = ''
	active = FALSE
	x11-display = ''
	x11-display-device = ''
	display-device = '/dev/pts/1'
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-29T18:30:09.478535Z'
	login-session-id = '1'
	idle-since-hint = '2013-07-31T19:44:14.123049Z'
Session2:
	unix-user = '1000'
	realname = 'Kertesz Laszlo'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty7'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-29T18:29:14.080634Z'
	login-session-id = '1'

Find your session there (probably display will be 1 or 10) then see what you have at

Code:

active =

or

Code:

is-local =

it can be TRUE or FALSE. If its FALSE, you have to modify the policykit permission files in the /usr/share/polkit-1/actions/ folder.

hwyhobo · 07-31-2013, 05:20 PM

I just tried that. I rebooted the machine to make sure it was clean. Then I rdp'ed to it and executed ck-list-sessions:

Code:

$ ck-list-sessions
Session1:
	unix-user = '42'
	realname = '(null)'
	seat = 'Seat1'
	session-type = 'LoginWindow'
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty1'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-31T21:54:05.528130Z'
	login-session-id = '4294967295'
Session2:
	unix-user = '501'
	realname = 'Training Attendee'
	seat = 'Seat2'
	session-type = ''
	active = FALSE
	x11-display = ':10.0'
	x11-display-device = ''
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-31T21:57:08.529246Z'
	login-session-id = '4294967295'

The second session, for the rdp user, showed inactive (the first one appears to for gdm:x:42:42::/var/lib/gdm:/sbin/nologin). I modified two network manager policy files to allow inactive (changed <allow_inactive>no<allow_inactive> to yes), but even after a reboot it made no difference.

There a lot more files in there:

Code:

# ls /usr/share/polkit-1/actions/
net.reactivated.fprint.device.policy                    org.freedesktop.policykit.examples.pkexec.policy
org.fedoraproject.config.firewall.policy                org.freedesktop.policykit.policy
org.fedoraproject.config.services.policy                org.freedesktop.RealtimeKit1.policy
org.fedoraproject.systemconfig.kdump.policy             org.freedesktop.udisks.policy
org.freedesktop.consolekit.policy                       org.gnome.clockapplet.mechanism.policy
org.freedesktop.devicekit.power.policy                  org.gnome.control-center.defaultbackground.policy
org.freedesktop.devicekit.power.qos.policy              org.gnome.cpufreqselector.policy
org.freedesktop.modem-manager.policy                    org.gnome.gconf.defaults.policy
org.freedesktop.NetworkManager.policy                   org.gnome.settings-daemon.plugins.wacom.policy
org.freedesktop.network-manager-settings.system.policy  org.gnome.system-monitor.policy
org.freedesktop.packagekit.policy

but they don't seem to be related specifically to this.

gradinaruvasile · 08-01-2013, 02:49 AM

Some more info here:

http://scarygliders.net/2011/11/17/x...omment-page-1/

Here are some possible solutions:

http://askubuntu.com/questions/47942...ger-privileged

This command will list your permissions, check for network manager related stuff:

Code:

pkaction --verbose

hwyhobo · 08-01-2013, 02:28 PM

I have changed all the policy files. All inactive permissions are now identical to active according to pkaction -verbose. Still no change. I wish there was just a way to cause new session to be marked as active and get it over with. There has to be a way. Obviously NetworkManager does not do what is expected.

I am beginning to understand also why most normal people do not want to touch Linux. I've been using it on the side since 0.99 pl 7, and it still causes me to gasp in frustration.

hwyhobo · 08-01-2013, 03:34 PM

Consider this closed. Decided the simplest solution was to disable NetworkManager and use network. Then I will have participants edit the interface in gedit and restart it. Works every time. Simple solutions work best. The more bloat is being introduced, the more like Windows this is becoming.

Thank you, gradinaruvasile, for all your help.

hwyhobo · 08-01-2013, 04:46 PM

Alas, I spoke too soon. Even though network brings up all interfaces as expected, xrdp no longer accepts connections. Apparently something depends on NetworkManager. I have to manually log in from the console and do:

# /etc/sysconfig/network-scripts/ifdown-eth eth0
# /etc/sysconfig/network-scripts/ifup-eth eth0

(yes, it has to be done via ifup-eth, not ifup, and not by restarting network)

and then everything works. I think it is time to kick it to the curb and install Windows as a landing VM to my dismay.

gradinaruvasile · 08-01-2013, 05:12 PM

1. Network Manager is crap. It doesnt make sense to be used with fixed computers at all. Its ok for laptops.
2. Network Manager is NOT integral part of the Linux networking stack - if disabled for good it should not interfere.
3. Try Wicd - it does what NM does only it is a wrapper for the standard Linux tools instead of trying to replace them.

julmarqu · 12-25-2015, 08:03 PM

I had been looking for a solution to this problem (use xrdp to login) and this is what I did to make it work:

1. I edited file /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf as follows:
a. cloned the policy user="root" below it and changed it to my user by changing the clone's first line to policy user="myUser"
b. cloned the policy at_console="true" below it and changed the first line of the clone to policy at_console="false"

2. Needed to start NetworkManager using dbus by changing /etc/xdg/autostart/nm-applet.desktop line EXEC=nm-applet to EXEC=dbus-launch nm-applet

3. Changed all the permissions in the default section of the /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy to this:
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>

Without the allow_any it did not work. I also changed those set to auth_admin_keep to yes. Didn't do an intermediate step so not sure if both the allow_any and the yes instead of auth_admin_keep are needed.

v4r3l0v · 12-26-2015, 12:51 PM

Something depends on Network Manager- correct, firewalld for one depends on Network Manager. Network Manager uses dbus, it is better solution than what we had previously.
If you haven't solved it already, this looks like permissions problem, how is the remote system seeing you- as its local user or as the default user under which rdp service works?