Configuring an Ubuntu Workstation with XRDP, SSHD, VNC, FreeIPA, SSSD, Java, NetBeans
Building an Ubuntu workstation for development and general use, one that can be accessed remotely with central authentication. Most of the commands below are run as the root user, hence switching to root with
# sudo su -
will be needed. Let's get going:
ALIAS SETUP
Personally, the following alias just makes it a tad easier to get around:
$ grep -Ei altri ~/.bashrc
alias lt='ls -altri'
$
Another feature that comes in handy is the bash reverse history search, CTRL + r, which searches the history and recalls previous commands.
NETWORK IP
# nmcli con add type ethernet con-name ens160 ifname ens160 ipv4.addresses 192.168.0.30/24 ipv4.gateway 192.168.0.1 ipv4.dns "192.168.0.46 192.168.0.51 192.168.0.224" ipv4.method manual ipv4.dns-search "mds.xyz nix.mds.xyz mws.mds.xyz"
# nmcli con up ens160
(Optional) Associate the interface name that actually exists on your machine (determine it by running ip a) with the profile named ens160:
# nmcli con modify ens160 connection.interface-name INTERFACE-NAME
# nmcli con show
Create a /etc/resolv.conf with the following contents:
$ cat /etc/resolv.conf
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
domain nix.mds.xyz
search mds.xyz nix.mds.xyz mds.xyz
Or use the GUI. Test by pinging google.com or another site. Disable the other usual systemd name-resolution services:
# systemctl stop systemd-resolved
# systemctl stop resolvconf
SSHD
Install the SSHD server using:
apt install openssh-server
Test using PuTTY.
XRDP
Install XRDP using:
# apt install xrdp
Check that the service is running and port is open:
root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei xrdp
tcp6 0 0 :::3389 :::* LISTEN 64884/xrdp
tcp6 0 0 ::1:3350 :::* LISTEN 64874/xrdp-sesman
root@fr-ubuntu-01:~#
Test using Windows Remote Desktop Connection.
SOFTWARE CENTER
Install the software center. It may be missing:
# apt install synaptic
# apt install gnome-software
Check that the icons now exist in the Ubuntu start menu.
TIGER VNC
Install packages:
# apt list|grep -Ei tigervnc
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
tigervnc-common/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-scraping-server/jammy 1.12.0+dfsg-4 amd64
tigervnc-standalone-server/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-tools/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-viewer/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-xorg-extension/jammy,now 1.12.0+dfsg-4 amd64 [installed]
One line command to install the above is:
# apt install tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-tools tigervnc-viewer tigervnc-xorg-extension
Set up VNC for a number of users. This file is global and hence owned by root:
# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa
:1=root
:2=vncuser
Create a config such as this for each user, in that user's ~/.vnc/config:
root@fr-ubuntu-01:~/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048x1152
depth=24
root@fr-ubuntu-01:~/.vnc#
Set the ~/.vnc/xstartup as follows:
#!/bin/bash -x
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset DBUS_SESSION_BUS_ADDRESS
unset SESSION_MANAGER
exec /usr/bin/gnome-session
Start TigerVNC as root first to test that a VNC server on port 5901 starts up:
# /usr/bin/tigervncserver --depth 32 --geometry 1680x1050 --localhost no :1 2>&1
Check with:
root@fr-ubuntu-01:~/.vnc# netstat -pnltu|grep -Ei 590
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 8021/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 8021/Xtigervnc
root@fr-ubuntu-01:~/.vnc#
This will work but won't allow direct root login via VNC. Next, configure multiple instances to start on boot, one of them for a non-privileged user. The following is the call that starts a session for each user:
/usr/sbin/tigervncsession "root" ":1"
/usr/sbin/tigervncsession "vncuser" ":2"
The above is in turn called from the TigerVNC systemd unit below; the ExecStop line is an extra addition so that stopping the service also kills the VNC server:
root@fr-ubuntu-01:~/.vnc# grep -Eiv "#" /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target
[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
ExecStop=/usr/bin/tigervncserver --kill :%i
PIDFile=/run/tigervncsession-:%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0
[Install]
WantedBy=multi-user.target
root@fr-ubuntu-01:~/.vnc#
The systemd unit calls yet another script, this time a bash script. The copy below is heavily modified for the purpose of this article:
# cat /usr/libexec/tigervncsession-start
#!/bin/bash
#
# Copyright 2019 Pierre Ossman for Cendio AB
#
# This is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this software; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#

USERSFILE="/etc/tigervnc/vncserver.users"
echo "Using configuration file $USERSFILE ... "

if [[ $# -ne 1 ]]; then
    echo "Syntax:" >&2
    echo "  $0 <display>" >&2
    echo "Example:" >&2
    echo "  $0 \":1\"" >&2
    exit 1
fi

if [[ ! -f "${USERSFILE}" ]]; then
    echo "Users file ${USERSFILE} is missing. Exiting!" >&2
    exit 1
fi

# systemd passes the instance name (%i), i.e. the display number without the colon.
DISPLAY="$1"

# Check if that server is already running. "tigervncserver --list" prints
# displays as ":1", so strip a leading colon on both sides before comparing
# (a numeric -eq test on ":1" would fail with a syntax error).
for VNCENTRY in $(/usr/bin/tigervncserver --list | awk '{ if ( $1 ~ /[0-9]+/ ) print $1 }'); do
    echo "Checking if $VNCENTRY is already running ..."
    if [[ "${VNCENTRY#:}" == "${DISPLAY#:}" ]]; then
        echo "ERROR: Server $VNCENTRY is already running. If intent is to restart, issue a stop and start on that server:"
        echo "  systemctl stop tigervncserver@${DISPLAY#:}"
        echo "  systemctl start tigervncserver@${DISPLAY#:}"
        echo "OR issue the following"
        echo "  /usr/bin/tigervncserver --kill :${DISPLAY#:}"
        exit 1
    fi
done

# Look up the user assigned to this display in the users file (":<display>=<user>").
USER=$(grep "^[ ]*:${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g')

echo "User for display $DISPLAY identified as \"$USER\" from file $USERSFILE ..."
echo "Users defined in config file are:"
echo "---------------------------------"
grep -Eiv "#" "$USERSFILE"
echo "---------------------------------"

if [[ -z "${USER}" ]]; then
    echo "No user configured for display ${DISPLAY}" >&2
    exit 1
else
    echo "Starting VNC Server as user ${USER} ... "
fi

# Run the session without exec so that this script stays around to wait for
# the PID file that systemd expects (see PIDFile= in the unit).
# exec "/usr/sbin/tigervncsession" "${USER}" ":${DISPLAY}"
/usr/sbin/tigervncsession "${USER}" ":${DISPLAY}"
echo "Return code from running /usr/sbin/tigervncsession is: $?"

echo "Checking if PID file has been created."
vnccount=0
while true; do
    vnccount=$((vnccount + 1))
    if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
        echo "PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid ..."
        echo "Successfully started the TigerVNC Server on display port $DISPLAY. "
        break
    else
        echo "PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting ..."
        sleep 1
    fi

    if [[ $vnccount -gt 10 ]]; then
        echo "ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid ..."
        echo "ERROR: This indicates issues in startup. Exiting!"
        exit 1
    fi
done
At this point everything has a decent chance of working at startup. Before plowing ahead, check for and kill any previous VNC sessions that were started manually and might still be hanging around; this prevents errors, particularly port conflicts.
root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver --list
TigerVNC server sessions:
X DISPLAY # RFB PORT # RFB UNIX PATH PROCESS ID # SERVER
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver --kill :*
tigervncserver: No VNC server running for this user!
root@fr-ubuntu-01:~/.vnc#
Let’s try and start up the service via systemd:
systemctl enable tigervncserver@1
systemctl enable tigervncserver@2
And start them:
systemctl start tigervncserver@1
systemctl start tigervncserver@2
Check the status:
systemctl status tigervncserver@1
systemctl status tigervncserver@2
Check the ports:
root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei 590
tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 72393/Xtigervnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 51235/Xtigervnc
tcp6 0 0 ::1:5902 :::* LISTEN 72393/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 51235/Xtigervnc
root@fr-ubuntu-01:~#
Connect using a VNC viewer application installed on Windows 10/11 or on a Linux desktop. A few options exist, including RealVNC and TightVNC.
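The port listing above is worth reading closely: display :2 listens only on 127.0.0.1 and ::1, while :1 is bound to 0.0.0.0 and ::, so anyone on the network can reach it and the VNC password is the only gate (the manual test earlier used --localhost no, which is the setting that opens a display to the network). TigerVNC's default of binding to localhost, with an SSH tunnel for remote access, is the safer arrangement. As an added example that is not part of the original post, the following POSIX shell script reads netstat -pnltu output (the sample below is constructed from the listing above, plus the xrdp port) and reports VNC display ports that are not loopback-only, so it can gate a provisioning script. The function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): find VNC listeners that are
# reachable from the network rather than bound to loopback only.

# Constructed sample in the "netstat -pnltu" format of the listings above.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 72393/Xtigervnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 51235/Xtigervnc
tcp6 0 0 ::1:5902 :::* LISTEN 72393/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 51235/Xtigervnc
tcp6 0 0 :::3389 :::* LISTEN 64884/xrdp'

# Read netstat -pnltu style lines on stdin and print "port pid/program" once
# for every VNC display port (5900-5999) whose local address is not loopback.
# The local address is field 4; the port is everything after the last colon.
vnc_exposed_listeners() {
  awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next
        if (host == "127.0.0.1" || host == "::1") next
        print port, $7
      }' | sort -u
}

# Returns 0 when every VNC listener in the input is loopback-only, 1 otherwise.
vnc_loopback_only() {
  [ -z "$(vnc_exposed_listeners)" ]
}

# Run against the live system (net-tools netstat, as used in the post).
audit_vnc_exposure() {
  netstat -pnlt 2>/dev/null | vnc_exposed_listeners
}

# Demonstrate on the constructed sample when invoked as: sh vnc-exposure.sh demo
if [ "${1:-}" = "demo" ]; then
  exposed=$(printf '%s\n' "$SAMPLE_NETSTAT" | vnc_exposed_listeners)
  if [ -n "$exposed" ]; then
    printf 'VNC listener reachable from the network (port pid/program):\n%s\n' "$exposed"
    exit 1
  fi
  echo "all VNC listeners are loopback-only"
fi
```

On the sample the script reports 5901 for Xtigervnc and nothing for :2 or for xrdp on 3389, which is outside the VNC range. For the live check, replace the sample with audit_vnc_exposure and run it after systemctl start; a non-empty result means a display needs localhost=yes in its config or a firewall rule in front of it.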
PROBLEMS and FIXES
When encountering the following:
Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed to determine user credentials: No such process
Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed at step USER spawning /usr/libexec/tigervncsession-start: No such process
Fix the above by adding a user to the service:
# cat /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target
[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
PIDFile=/run/tigervncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0
[Install]
WantedBy=multi-user.target
If getting this error:
Jan 20 20:16:49 fr-ubuntu-01 tigervncsession-start[40631]: No user configured for display 1
Fix by adding a user to this file:
# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa
:1=root
:2=vncuser
Next issue:
# tail -f /var/log/syslog /var/log/auth.log
Jan 21 10:09:04 fr-ubuntu-01 gdm-password]: pam_succeed_if(gdm-password:auth): requirement "user != root" not met by user "root"
This means the system is not configured to allow direct root login. This is a security feature worth keeping. There are ways to enable it, but it's not recommended; it is best to configure access for a non-privileged user, as done above.
Another issue that can be seen is:
Jan 21 13:03:24 fr-ubuntu-01 systemd[1]: tigervncserver@1.service: Can't open PID file /run/tigervncsession-1.pid (yet?) after start: Operation not permitted
This required a small update to the startup script:
/usr/libexec/tigervncsession-start
by adding in the following lines and removing the exec (note the break once the PID file appears; without it the loop keeps running and exits with an error after ten checks):
# exec "/usr/sbin/tigervncsession" "${USER}" ":${DISPLAY}"
/usr/sbin/tigervncsession "${USER}" ":${DISPLAY}"
echo "Return code from running /usr/sbin/tigervncsession is: $?"
echo "Checking if PID file has been created."
vnccount=0
while true; do
    vnccount=$((vnccount + 1))
    if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
        echo "PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid ..."
        echo "Successfully started the TigerVNC Server on display port $DISPLAY. "
        break
    else
        echo "PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting ..."
        sleep 1
    fi

    if [[ $vnccount -gt 10 ]]; then
        echo "ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid ..."
        echo "ERROR: This indicates issues in startup. Exiting!"
        exit 1
    fi
done
and modify the systemd unit as follows, since the session process puts a ':' into the PID file name:
# vi /lib/systemd/system/tigervncserver@.service
PIDFile=/run/tigervncsession-:%i.pid
then retry to start / restart the service.
Connectivity issue such as this:
# telnet fr-ubuntu-01.nix.mds.xyz 5902
Connecting To fr-ubuntu-01.nix.mds.xyz...Could not open connection to the host, on port 5902: Connect failed
is not due to the firewall, though it is good to check:
root@fr-ubuntu-01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~# ufw status
Status: inactive
root@fr-ubuntu-01:~#
but rather has to do with missing startup files in the user's ~/.vnc/ folder. The files that need to exist, with the correct permissions, are these:
root@fr-ubuntu-01:/home/francesco/.vnc# lt
total 40
500 -rw------- 1 francesco francesco 8 Jan 14 23:57 passwd
1462 -rwx------ 1 francesco francesco 121 Jan 21 00:31 xstartup
1464 -rw------- 1 francesco francesco 177 Jan 21 12:20 config
34 drwxr-x--- 15 francesco francesco 23 Jan 21 16:24 ..
1814 -rw-rw-r-- 1 francesco francesco 6 Jan 21 16:24 fr-ubuntu-01.nix.mds.xyz:5902.pid
16 -rw-r--r-- 1 francesco francesco 205 Jan 21 16:24 fr-ubuntu-01:2.log
504 -rw-rw-r-- 1 francesco francesco 6083 Jan 21 16:27 fr-ubuntu-01.nix.mds.xyz:5902.log
496 drwxrwxr-x 2 francesco francesco 8 Jan 21 16:41 .
root@fr-ubuntu-01:/home/francesco/.vnc# cat xstartup
#!/bin/bash -x
PATH=/usr/bin:/usr/sbin
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /usr/bin/gnome-session
root@fr-ubuntu-01:/home/francesco/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048x1152
root@fr-ubuntu-01:/home/francesco/.vnc#
Whenever files are modified, restart the service.
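The two failures just described (a display with no user assigned, and a ~/.vnc directory missing files or carrying the wrong permissions) can be caught before touching systemctl. The following POSIX shell script is an added example and not from the original post: it reads /etc/tigervnc/vncserver.users with the same :<display>=<user> syntax tigervncsession-start expects, rejects malformed or duplicated display entries, resolves each user's home directory with getent (so SSSD/FreeIPA users are handled too), and checks that xstartup is executable, config exists, and passwd is private (mode 600, as vncpasswd creates it). Function names are my own, and the file contents used in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the TigerVNC
# users file and per-user ~/.vnc directories before starting tigervncserver@N.

# Print "display user" for each active assignment in a vncserver.users file,
# e.g. ":2=vncuser" -> "2 vncuser". Comments and blank lines are skipped.
# Returns 1 on a malformed entry or on a display that is assigned twice.
parse_vnc_users() {
  users_file=$1
  rc=0
  seen=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
    case "$line" in
      ''|\#*) continue ;;                      # blank or comment
      *=*) ;;                                  # has a separator, keep going
      *) echo "malformed entry: $line" >&2; rc=1; continue ;;
    esac
    display=${line%%=*}
    user=${line#*=}
    user=${user%"${user##*[![:space:]]}"}       # strip trailing whitespace
    case "$display" in
      :[0-9]|:[0-9][0-9]) display=${display#:} ;;
      *) echo "malformed entry: $line" >&2; rc=1; continue ;;
    esac
    if [ -z "$user" ]; then
      echo "malformed entry: $line" >&2; rc=1; continue
    fi
    case " $seen " in
      *" $display "*) echo "display :$display assigned more than once" >&2; rc=1; continue ;;
    esac
    seen="$seen $display"
    echo "$display $user"
  done < "$users_file"
  return $rc
}

# Check one ~/.vnc directory for the files tigervncsession needs and for the
# permissions that keep the VNC password file private. Prints each problem
# found and returns 1 if there were any.
check_vnc_dir() {
  vncdir=$1
  rc=0
  if [ ! -d "$vncdir" ]; then
    echo "$vncdir: directory missing"
    return 1
  fi
  [ -x "$vncdir/xstartup" ] || { echo "$vncdir/xstartup: missing or not executable"; rc=1; }
  [ -f "$vncdir/config" ]   || { echo "$vncdir/config: missing"; rc=1; }
  if [ -f "$vncdir/passwd" ]; then
    mode=$(stat -c %a "$vncdir/passwd")
    [ "$mode" = "600" ] || { echo "$vncdir/passwd: mode $mode, expected 600"; rc=1; }
  else
    echo "$vncdir/passwd: missing (create it with vncpasswd as that user)"
    rc=1
  fi
  return $rc
}

# Walk the users file and check every assigned user's ~/.vnc directory. Home
# directories come from getent, so SSSD/FreeIPA users are resolved as well.
preflight_vnc() {
  users_file=${1:-/etc/tigervnc/vncserver.users}
  parse_vnc_users "$users_file" | while read -r display user; do
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
      echo "display :$display -> user '$user' not resolvable (check sssd / getent passwd)"
      continue
    fi
    echo "display :$display -> $user ($home/.vnc)"
    check_vnc_dir "$home/.vnc" || true
  done
}
```

Run preflight_vnc as root after editing vncserver.users; an unresolvable user points at SSSD (or a missing local account), and a reported file problem is the cause of the "Connect failed" symptom above. The script only reports, it never creates or chmods files, so fixing is left to the user's own vncpasswd run.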
SSSD / AD AUTHENTICATION
Install the SSSD Daemon to connect with central authentication, to, amongst other things, use a central user and
# apt install sssd-ad-common sssd-ad sssd-common sssd-dbus sssd-ipa sssd-kcm sssd-krb5-common sssd-krb5 sssd-ldap sssd-proxy sssd-tools sssd freeipa-client oddjob-mkhomedir libpam-sss libnss-sss sssd sssd-tools sssd-ldap ldap-utils openssl ca-certificates sssd-ad realmd adcli -y
# apt install libnfsidmap1 libnfsidmap-regex libnfsidmap-dev libnfs13 libnfs-utils libnfs-dev autofs nfs-common
# ipa-client-install --uninstall; ipa-client-install --force-join -p autojoin -w "<PASS>" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
# ipa-client-automount --location=UserHomeDir01 -U
Configure the /etc/nsswitch.conf file for automount:
root@fr-ubuntu-01:/var/log# grep -Ei automount /etc/nsswitch.conf
automount: files sss
root@fr-ubuntu-01:/var/log#
Before using the service, a few tweaks are likely needed. Update /etc/sssd/sssd.conf so that, on top of what ipa-client-install wrote, it contains the extra entries shown below:
root@fr-ubuntu-01:/var/log# cat /etc/sssd/sssd.conf
[domain/nix.mds.xyz]
id_provider = ipa
ipa_server = idmipa01.nix.mds.xyz, idmipa02.nix.mds.xyz
ipa_domain = nix.mds.xyz
ipa_hostname = fr-ubuntu-01.nix.mds.xyz
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = UserHomeDir01
dyndns_update = True
dyndns_update_ptr = True
ldap_schema = ad
ldap_id_mapping = True
sudo_provider = ipa
ldap_uri = ldap://idmipa01.nix.mds.xyz, ldap://idmipa02.nix.mds.xyz
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=mds,dc=xyz
override_homedir = /n/%d/%u
# fallback_homedir = /n/%d/%u
# ldap_user_home_directory = unixHomeDirectory
[sssd]
services = nss, pam, ssh, sudo, autofs
domains = nix.mds.xyz
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
root@fr-ubuntu-01:/var/log#
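Two things are worth checking in the file above before restarting sssd. First, sssd validates the ownership and mode of sssd.conf at startup and will not load a file that other users can read; keep it root-owned with mode 0600. Second, the listing sets sudo_provider twice in the domain section; sssd accepts that, but which value is in effect is not obvious from reading the file, so duplicates are worth cleaning up. The following POSIX shell script is an added example, not part of the original post: it reports both conditions, using a constructed, cut-down copy of the configuration above as sample input. Function names and the sample are my own.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for sssd.conf
# before restarting sssd.

# Constructed sample, reduced from the sssd.conf listing above; note that
# sudo_provider appears twice in the domain section.
SAMPLE_SSSD_CONF='[domain/nix.mds.xyz]
id_provider = ipa
sudo_provider = ipa
autofs_provider = ipa
sudo_provider = ipa
# fallback_homedir = /n/%d/%u
[sssd]
services = nss, pam, ssh, sudo, autofs
domains = nix.mds.xyz'

# Read an sssd.conf on stdin and print "section key" once for every key that
# is set more than once within the same section.
sssd_duplicate_keys() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
      section = $0
      sub(/^[ \t]*\[/, "", section)
      sub(/\][ \t]*$/, "", section)
      next
    }
    /=/ {
      key = $0
      sub(/[ \t]*=.*/, "", key)
      sub(/^[ \t]*/, "", key)
      count[section, key]++
      if (count[section, key] == 2) print section, key
    }'
}

# The file holds the domain join details, so it must stay private: owned by
# root (uid 0) with mode 0600. Prints each problem and returns 1 if any.
sssd_conf_perms_ok() {
  conf=$1
  rc=0
  uid=$(stat -c %u "$conf")
  mode=$(stat -c %a "$conf")
  [ "$uid" = "0" ]    || { echo "$conf: owned by uid $uid, expected root"; rc=1; }
  [ "$mode" = "600" ] || { echo "$conf: mode $mode, expected 600"; rc=1; }
  return $rc
}

# Run both checks against a real file (defaults to /etc/sssd/sssd.conf).
sssd_conf_check() {
  conf=${1:-/etc/sssd/sssd.conf}
  rc=0
  sssd_conf_perms_ok "$conf" || rc=1
  dups=$(sssd_duplicate_keys < "$conf")
  if [ -n "$dups" ]; then
    printf 'duplicate keys (section key):\n%s\n' "$dups"
    rc=1
  fi
  return $rc
}
```

On the sample, sssd_duplicate_keys prints "domain/nix.mds.xyz sudo_provider" and nothing else; the commented-out fallback_homedir line is ignored. A non-zero exit from sssd_conf_check is a reason to fix the file before systemctl restart sssd rather than after watching it fail.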
Adjust the /etc/krb5.conf file by adding in these additional entries:
root@fr-ubuntu-01:/var/log# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.MDS.XYZ
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.MDS.XYZ = {
kdc = idmipa01.nix.mds.xyz:88
master_kdc = idmipa01.nix.mds.xyz:88
admin_server = idmipa01.nix.mds.xyz:749
kpasswd_server = idmipa01.nix.mds.xyz:464
kdc = idmipa02.nix.mds.xyz:88
master_kdc = idmipa02.nix.mds.xyz:88
admin_server = idmipa02.nix.mds.xyz:749
kpasswd_server = idmipa02.nix.mds.xyz:464
default_domain = nix.mds.xyz
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
MDS.XYZ = {
kdc = ad.mds.xyz
default_domain = mds.xyz
}
[domain_realm]
.nix.mds.xyz = NIX.MDS.XYZ
nix.mds.xyz = NIX.MDS.XYZ
fr-ubuntu-01.nix.mds.xyz = NIX.MDS.XYZ
.mds.xyz = MDS.XYZ
mds.xyz = MDS.XYZ
root@fr-ubuntu-01:/var/log#
Check the remote AD user and the NFS mount:
root@fr-ubuntu-01:/n/mds.xyz# id remoteuser@mds.xyz
uid=155612345(remoteuser@mds.xyz) gid=155612345(remoteuser@mds.xyz) ...
root@fr-ubuntu-01:/n/mds.xyz#
Adjust the VNC configuration to allow extra AD / Kerberos / LDAP users access:
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# ls -altri xstartup config passwd
12410600697251477469 -rwx------ 1 remoteuser@mds.xyz remoteuser@mds.xyz 121 Jan 21 00:31 xstartup
9668247031218421920 -rw------- 1 remoteuser@mds.xyz remoteuser@mds.xyz 177 Jan 21 12:20 config
12896900723358409448 -rw------- 1 remoteuser@mds.xyz remoteuser@mds.xyz 8 Jan 21 18:41 passwd
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#
Adjust the VNC servers allowed for the users:
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# grep -Eiv "#" /etc/tigervnc/vncserver.users
:1=root
:2=vncuser
:3=vncuser@mds.xyz
:4=remoteuser@mds.xyz
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#
JDK JAVA DEVELOPMENT KIT
Run the following to install openjdk:
root@fr-ubuntu-01:~# apt install openjdk-21-jdk
root@fr-ubuntu-01:~# java --version
openjdk 21.0.1 2023-10-17
OpenJDK Runtime Environment (build 21.0.1+12-Ubuntu-222.04)
OpenJDK 64-Bit Server VM (build 21.0.1+12-Ubuntu-222.04, mixed mode, sharing)
root@fr-ubuntu-01:~#
NETBEANS
Installing through the software center brings in a dated version that may have issues on newer OS versions such as Ubuntu 22.04. Therefore, install the latest package directly from the following site:
https://netbeans.apache.org/front/main/download/nb20/
Install using the following steps:
# cd /tmp
# wget https://dlcdn.apache.org/netbeans/netbeans-installers/20/apache-netbeans_20-1_all.deb
# apt install ./apache-netbeans_20-1_all.deb
Start NetBeans via the UI.
CONCLUSION
Confirm all services are working by logging into your Ubuntu server as the remote user via VNC and starting NetBeans.
Enjoy!
Cheers,