RHEL-85423

Unable to connect to gnome-remote-desktop using Windows Remote Connection if AD is in use


    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • gnome-remote-desktop
    • Moderate
    • rhel-display-window-mgmt
    • ssg_display
    • x86_64

      What were you trying to do that didn't work?

      Use the Windows Remote Desktop client to connect to Linux using the gnome-remote-desktop service.

      What is the impact of this issue to you?

      Customer using Windows with Active Directory can't access the RHEL remote desktop.

      Please provide the package NVR for which the bug is seen:

      • Red Hat Enterprise Linux release 10.0 Beta (Coughlan)
      • gnome-remote-desktop-47.3-1.el10.x86_64
      • freerdp-3.10.3-2.el10.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      === Server Setup ===
      
      1. Ensure that the packages required to run GNOME are installed
      
         # yum group install GNOME Fonts
      
      2. Ensure that the gnome-remote-desktop and freerdp packages are installed
      
         # yum install gnome-remote-desktop freerdp
      
      3. Generate a certificate to be used by the remote desktop service
      
         # sudo -u gnome-remote-desktop winpr-makecert -silent -rdp -path ~gnome-remote-desktop rdp-tls
      
         Notice that the command above will generate a self-signed certificate. You
         may wish to ask a Certification Authority to generate the certificate but
         let's use this method, for the moment.
      
      4. Use the grdctl command line tool to configure the GNOME Remote Desktop service
      
         # RDP_USER="rdp"
         # RDP_PASS="rdp"
         # grdctl --system rdp enable
         # grdctl --system rdp set-credentials "${RDP_USER}" "${RDP_PASS}"
         # grdctl --system rdp set-tls-key ~gnome-remote-desktop/rdp-tls.key
         # grdctl --system rdp set-tls-cert ~gnome-remote-desktop/rdp-tls.crt
      
         The "set-credentials" subcommand sets the username and password that will
         be used to access the remote desktop service. It does not need to match an
         existing user account.
      
      5. Allow access to the remote desktop service
      
         # firewall-cmd --permanent --add-service=rdp
         # sudo firewall-cmd --reload
      
      6. Enable the service and restart the system
      
         # systemctl set-default graphical.target 
      
         # systemctl enable gnome-remote-desktop.service
      
      7. Check if the plymouth-quit service keeps running. It may not stop if the
      system does not have a graphics card (e.g. it has just a serial console)
      
          # systemctl list-jobs
          JOB UNIT                                 TYPE  STATE  
          135 multi-user.target                    start waiting
          285 getty.target                         start waiting
          281 systemd-update-utmp-runlevel.service start waiting
          134 graphical.target                     start waiting
          336 plymouth-quit-wait.service           start running
          286 serial-getty@ttyS0.service           start waiting
      
          6 jobs listed.
      
          Force it to stop with
      
          # plymouth quit
      
          This can be solved by adding an ExecStartPost item to the gdm service.
      
          # mkdir -p /etc/systemd/system/gdm.service.d/
      
          # printf '%s\n' '[Service]' 'ExecStartPost=-/usr/bin/plymouth quit' > /etc/systemd/system/gdm.service.d/plymouth-quit.conf
      
      === Client Setup ===
      
      On RHEL 10, you can use gnome-connections to connect to the server:
      
         # yum install gnome-connections
      
         ...
      
         $ gnome-connections rdp://<server-name>
      
      On RHEL 9 and earlier, you must use freerdp:
      
         # yum install freerdp
      
         ...
      
         $ RDP_USER="rdp"
         $ RDP_PASS="rdp"
         $ xfreerdp /u:"$RDP_USER" /p:"$RDP_PASS" /v:<server-name>
      

      On a Windows 10 system that authenticates users via Active Directory, attempt to access the system using the Remote Desktop Connection app.

      Expected results

      Connection fails with error message shown in the attached screenshot. System journal shows this:

      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [Stream_CheckAndLogRequiredLengthWLogExVa]: [ntlm_read_ntlm_v2_client_challenge(./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:161)] invalid length, got 8, require at least 28 [element size=1]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 0: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 1: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=winpr_log_backtrace_ex [0x7f19013336b0]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 2: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=Stream_CheckAndLogRequiredLengthWLogExVa [0x7f1901334440]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 3: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=Stream_CheckAndLogRequiredLengthEx [0x7f1901334680]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 4: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 5: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 6: dli_fname=/lib64/libwinpr3.so.3 [0x7f19012e4000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 7: dli_fname=/lib64/libfreerdp3.so.3 [0x7f1901400000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 8: dli_fname=/lib64/libfreerdp3.so.3 [0x7f1901400000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 9: dli_fname=/lib64/libfreerdp3.so.3 [0x7f1901400000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-de[903]: [RDP] Network or intentional disconnect, stopping session
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 10: dli_fname=/lib64/libfreerdp3.so.3 [0x7f1901400000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 11: dli_fname=/lib64/libfreerdp3.so.3 [0x7f1901400000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 12: dli_fname=/usr/libexec/gnome-remote-desktop-daemon [0x5647f4b4d000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 13: dli_fname=/lib64/libglib-2.0.so.0 [0x7f1901f4f000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 14: dli_fname=/lib64/libc.so.6 [0x7f19010de000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 15: dli_fname=/lib64/libc.so.6 [0x7f19010de000], dli_sname=(null) [(nil)]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 16: unresolvable, address=(nil)
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:534] [903:00001017] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_TOKEN [0x80090308]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:535] [903:00001017] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:535] [903:00001017] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:535] [903:00001017] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:708] [903:0000101a] [WARN][com.freerdp.core.connection] - [rdp_server_accept_nego]: server supports only NLA Security
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:708] [903:0000101a] [ERROR][com.freerdp.core.connection] - [rdp_server_accept_nego]: Protocol security negotiation failure
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:781] [903:0000101a] [ERROR][com.freerdp.crypto] - [freerdp_tls_handshake]: BIO_do_handshake failed
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:781] [903:0000101a] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
      Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: [05:55:59:781] [903:0000101a] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
      Mar 21 05:55:59 server.example.com gnome-remote-de[903]: [RDP] Network or intentional disconnect, stopping session
      

      Actual results

      Connection should work.

              jadahl@redhat.com Jonas Ådahl
              rhn-support-casantos Carlos Santos
              Jonas Ådahl
              Radek Duda
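The following is an added example, not part of the original report and not code from FreeRDP or gnome-remote-desktop. It is a small Python triage helper that groups the FreeRDP WLog records from the journal excerpt above by thread id, drops the backtrace frames, and extracts the NTLM length-check failure and SSPI status for each connection attempt. The sample lines are abridged copies of journal lines in this report; the function name `triage` and the result field names are chosen for illustration.

```python
import re
from collections import defaultdict

# FreeRDP WLog record as it appears in the journal:
#   [hh:mm:ss:ms] [pid:tid] [LEVEL][tag] - [function]: message
WLOG = re.compile(
    r"\[\d\d:\d\d:\d\d:\d+\] \[(?P<pid>\d+):(?P<tid>[0-9a-f]+)\] "
    r"\[(?P<level>[A-Z]+)\]\[(?P<tag>[\w.]+)\] - \[(?P<func>\w+)\]: (?P<msg>.*)"
)
LENGTH = re.compile(r"\[(\w+)\(.*?\)\] invalid length, got (\d+), require at least (\d+)")
STATUS = re.compile(r"(SEC_[EI]_\w+) \[(0x[0-9A-Fa-f]+)\]")


def triage(lines):
    """Group WLog records per thread and summarise why each attempt failed."""
    attempts = defaultdict(lambda: {"parse_error": None, "sspi_status": None, "errors": []})
    for line in lines:
        m = WLOG.search(line)
        if not m or m["func"] == "winpr_log_backtrace_ex":
            continue  # not a WLog record, or a backtrace frame
        a = attempts[m["tid"]]
        if (lm := LENGTH.search(m["msg"])):
            a["parse_error"] = {"parser": lm[1], "got": int(lm[2]), "need": int(lm[3])}
        if (sm := STATUS.search(m["msg"])) and a["sspi_status"] is None:
            a["sspi_status"] = (sm[1], sm[2])
        if m["level"] == "ERROR":
            a["errors"].append(m["func"])  # functions that reported a hard failure
    return dict(attempts)


# Sample input: abridged copies of the journal lines in this report.
P = "Mar 21 05:55:59 server.example.com gnome-remote-desktop-daemon[903]: "
T1 = P + "[05:55:59:534] [903:00001017] "
T2 = P + "[05:55:59:708] [903:0000101a] "
SAMPLE = [
    T1 + "[WARN][com.winpr.sspi.NTLM] - [Stream_CheckAndLogRequiredLengthWLogExVa]: [ntlm_read_ntlm_v2_client_challenge(./winpr/libwinpr/sspi/NTLM/ntlm_compute.c:161)] invalid length, got 8, require at least 28 [element size=1]",
    T1 + "[WARN][com.winpr.sspi.NTLM] - [winpr_log_backtrace_ex]: 16: unresolvable, address=(nil)",
    T1 + "[WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]",
    T1 + "[ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_TOKEN [0x80090308]",
    T1 + "[ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure",
    "Mar 21 05:55:59 server.example.com gnome-remote-de[903]: [RDP] Network or intentional disconnect, stopping session",
    T2 + "[WARN][com.freerdp.core.connection] - [rdp_server_accept_nego]: server supports only NLA Security",
    T2 + "[ERROR][com.freerdp.core.connection] - [rdp_server_accept_nego]: Protocol security negotiation failure",
]

if __name__ == "__main__":
    for tid, summary in triage(SAMPLE).items():
        print(tid, summary)
```

On the sample, thread `00001017` shows the NTLM parser failure leading to `SEC_E_INVALID_TOKEN` during NLA, while thread `0000101a` is a separate attempt that fails at protocol security negotiation.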