Sadly, my setup is CentOS only.
The login works fine for AD accounts when using ssh.
Allow_all policy is enabled in IPA.


It seems that authentication to xrdp works, but when it switches to VNC and tries to set up the display it fails,
because it says => Window manager config problem?
The errors for libxrdp_query_channels are also present when a working session is started, so I'm ignoring those.

Anyway, I'm gonna see if I can set up a Fedora IPA server and client to test this.

[20210401-09:21:52] [DEBUG] xrdp_wm_log_msg: connecting to sesman ip 127.0.0.1 port 3350

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:52] [INFO ] A connection received from 127.0.0.1 port 34514

==> /var/log/xrdp.log <==
[20210401-09:21:53] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: sending login info to session manager, please wait...
[20210401-09:21:53] [DEBUG] return value from xrdp_mm_connect 0

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:53] [INFO ] Terminal Server Users group is disabled, allowing authentication
[20210401-09:21:53] [INFO ] ++ created session (access granted): username rob@windows.test, ip 172.16.1.10:59237 - socket: 12
[20210401-09:21:53] [INFO ] starting Xvnc session...
[20210401-09:21:53] [INFO ] calling auth_start_session from pid 1573414

==> /var/log/xrdp.log <==
[20210401-09:21:53] [INFO ] xrdp_wm_log_msg: login successful for display 16
[20210401-09:21:53] [DEBUG] Layout from client_info (geom=1920x1080 #screens=1) : 0:(1920x1080+0+0)
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC started connecting
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC connecting to 127.0.0.1 5916

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:53] [INFO ] Xvnc :16 -auth .Xauthority -geometry 1920x1080 -depth 32 -rfbauth /home/rob/.vnc/sesman_passwd-rob@windows.test@desktop.linux.test:16 -bs -nolisten tcp -localhost -dpi 96

==> /var/log/xrdp.log <==
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC tcp connected
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC security level is 2 (1 = none, 2 = standard)
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC password ok
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC sending share flag
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC receiving server init
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC receiving pixel format
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC receiving name length
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC receiving name
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC sending pixel format
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC sending cursor
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: VNC connection complete, connected ok
[20210401-09:21:53] [DEBUG] xrdp_wm_log_msg: connected ok

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:53] [INFO ] waiting for window manager (pid 1573428) to exit

==> /var/log/xrdp.log <==
[20210401-09:21:53] [ERROR] libxrdp_query_channel - Channel 0 name rdpdr
[20210401-09:21:53] [ERROR] libxrdp_query_channel - Channel 1 name rdpsnd
[20210401-09:21:53] [ERROR] libxrdp_query_channel - Channel 2 name cliprdr
[20210401-09:21:53] [ERROR] libxrdp_query_channel - Channel 3 name drdynvc
[20210401-09:21:53] [ERROR] libxrdp_query_channel - Channel out of range 4
[20210401-09:21:53] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20210401-09:21:53] [DEBUG] Skipping ENC_CURSOR encoding
[20210401-09:21:53] [DEBUG] VNC matched ExtendedDesktopSize rectangle x=0, y=0 geom=1920x1080
[20210401-09:21:53] [DEBUG] VNC server supports resizing
[20210401-09:21:53] [INFO ] Layout from OldLayout (geom=1920x1080 #screens=1) : 1804289383:(1920x1080+0+0)
[20210401-09:21:53] [DEBUG] VNC setting screen id to 1804289383 from server
[20210401-09:21:53] [DEBUG] Server layout is the same as the client layout
[20210401-09:21:53] [DEBUG] Closed socket 18 (AF_INET 127.0.0.1:34514)
[20210401-09:21:53] [DEBUG] VNC got clip data

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:54] [CORE ] window manager exited quickly (1 secs). Window manager config problem?
[20210401-09:21:54] [INFO ] Cleaning up session. Calling auth_stop_session and auth_end from pid 1573414

==> /var/log/xrdp.log <==
[20210401-09:21:54] [DEBUG] Closed socket 12 (AF_INET 172.16.1.100:3389)
[20210401-09:21:54] [DEBUG] xrdp_mm_module_cleanup
[20210401-09:21:54] [DEBUG] VNC mod_exit

==> /var/log/xrdp-sesman.log <==
[20210401-09:21:54] [INFO ] ++ terminated session:  username rob@windows.test, display :16.0, session_pid 1573414, ip 172.16.1.10:59237 - socket: 12

==> /var/log/xrdp.log <==
[20210401-09:21:54] [DEBUG] Closed socket 19 (AF_INET 127.0.0.1:53726)
[20210401-09:21:54] [DEBUG] Closed socket 20 (AF_UNIX)




On Tue, 30 Mar 2021 at 15:57, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 30 Mar 2021, Rob Verduijn via FreeIPA-users wrote:
>I just noticed that xrdp works fine for IPA IdM users.
>
>However, for users that log in with AD accounts from the AD that has a trust
>relation with IPA, xrdp fails.

Do you have more details? What do you see in the logs?

I am not sure it is going to work at all but if you can reproduce with
Fedora 33, then I'd look at it. The reason for F33 is that we had quite
some changes in FreeIPA 4.9.2 merged related to AD interoperability.

I am not interested in this happening with FreeIPA 4.6 or with FreeIPA
4.8 as those will not be updated with these changes.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland