Header Shadow Image


Configuring an Ubuntu Workstation with XRDP, SSHD, VNC, FreeIPA, SSSD, Java, NetBeans

Building an Ubuntu Workstation for development and general use, one that can be accessed remotely with central authentication.  Most of the commands below will be ran as the root user, hence

# sudo su –

to root will be needed.  Let’s get going:

ALIAS SETUP

Personally, the following alias just makes it a tad easier to get around:

$ grep -Ei altri ~/.bashrc
alias lt=’ls -altri’
$

Some of the other commands that can come in handy is the bash search CTRL + r, allowing history searches and recalling previous commands.

NETWORK IP

# nmcli con add type ethernet con-name ens160 ifname ens160 ipv4.addresses 192.168.0.30/24 ipv4.gateway 192.168.0.1 ipv4.dns “192.168.0.46 192.168.0.51 192.168.0.224” ipv4.method manual ipv4.dns-search “mds.xyz nix.mds.xyz mws.mds.xyz” 

# nmcli con up ens160 

Associate the interface name that exists on your machine to the profile named ens160.

# (optional) nmcli con modify ens160 connection.interface-name INTERFACE-NAME             # Interface name determined by running ip a command.

# nmcli con show

Create a /etc/resolv.conf with the following contents:

$ cat /etc/resolv.conf
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
domain nix.mds.xyz
search mds.xyz nix.mds.xyz mds.xyz

Or use the GUI.  Test by pinging google.com or another site.  Disable the other usual systemd network services:

# systemctl stop systemd-resolved
# systemctl stop resolveconf

 

SSHD

Install the SSHD server using:

apt install openssh-server

Test using PuTTy.

XRDP

Install XRDP using:

# apt install xrdp

Check that the service is running and port is open:

root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei xrdp
tcp6 0 0 :::3389 :::* LISTEN 64884/xrdp
tcp6 0 0 ::1:3350 :::* LISTEN 64874/xrdp-sesman
root@fr-ubuntu-01:~#

Test using Windows Remote Desktop Connection:

SOFTWARE CENTER

Install the software center.  It may be missing:

# apt install synaptic
# apt install gnome-software

Check that the icons now exist in the Ubuntu start menu.

TIGER VNC

Install packages:

# apt list|grep -Ei tigervnc

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

tigervnc-common/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-scraping-server/jammy 1.12.0+dfsg-4 amd64
tigervnc-standalone-server/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-tools/jammy,now 1.12.0+dfsg-4 amd64 [installed,automatic]
tigervnc-viewer/jammy,now 1.12.0+dfsg-4 amd64 [installed]
tigervnc-xorg-extension/jammy,now 1.12.0+dfsg-4 amd64 [installed]

One line command to install the above is:

# apt install tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-tools tigervnc-viewer tigervnc-xorg-extension

Setup VNC for a number of users.  This file is global and hence, owned by root:

# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa

:1=root
:2=vncuser

Create the configs such as these for each users:

root@fr-ubuntu-01:~/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048×1152
depth=24
root@fr-ubuntu-01:~/.vnc#

Set the ~/.vnc/xstartup as follows:

#!/bin/bash -x

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
unset DBUS_SESSION_BUS_ADDRESS

unset SESSION_MANAGER
exec /usr/bin/gnome-session

Start TigerVNC as root first to test that a VNC server on port 5901 starts up:

# /usr/bin/tigervncserver –depth 32 –geometry 1680×1050 –localhost no :1 2>&1

Check with:

root@fr-ubuntu-01:~/.vnc# netstat -pnltu|grep -Ei 590
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 8021/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 8021/Xtigervnc
root@fr-ubuntu-01:~/.vnc#

This will work but won’t allow root direct login via VNC.  Next, configure multiple instances to start on bootup, one for a non-privileged user.  To do so, the following line can be used to start sessions for each user:

/usr/sbin/tigervncsession “root” “:1”
/usr/sbin/tigervncsession “vncuser” “:2”

The above in turn is called from the TigerVNC startup scripts here in green (blue lines are extra added to stopping a server):

root@fr-ubuntu-01:~/.vnc# grep -Eiv “#” /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target

[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
ExecStop=/usr/bin/tigervncserver –kill :%i

PIDFile=/run/tigervncsession-:%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target
root@fr-ubuntu-01:~/.vnc#

The systemd startup script calls yet another, this time, a bash script.  The below copy is highly modified for the purpose of this article:

# cat -n /usr/libexec/tigervncsession-start
1 #!/bin/bash
2 #
3 # Copyright 2019 Pierre Ossman for Cendio AB
4 #
5 # This is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
9 #
10 # This software is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this software; if not, write to the Free Software
17 # Foundation, Inc., 59 Temple Place – Suite 330, Boston, MA 02111-1307,
18 # USA.
19 #
20
21 USERSFILE=”/etc/tigervnc/vncserver.users”
22 echo “Using configuration file $USERSFILE … ”
23
24 if [[ $# -ne 1 ]]; then
25   echo “Syntax:” >&2
26   echo ” $0 <display>” >&2
27   echo “Example:”
28   echo ” $0 \”:1\”” >&2
29   exit 1
30 fi
31
32 if [[ ! -f “${USERSFILE}” ]]; then
33   echo “Users file ${USERSFILE} is missing. Exiting!” >&2
34   exit 1
35 fi
36
37 DISPLAY=”$1″
38
39 # Check if that server is already running.
40 for VNCENTRY in $(/usr/bin/tigervncserver –list|awk ‘{ if ( $1 ~ /[0-9]+/ ) print $1 }’); do
41   echo “Checking if $VNCENTRY is already running …”;
42     if [[ $VNCENTRY -eq $DISPLAY ]]; then
43       echo “ERROR: Server $VNCENTRY is already running. If intent is to restart, issue a stop and start on that server:”;
44       echo ” systemctl stop tigervncserver@1″;
45       echo ” systemctl start tigervncserver@1″;
46       echo “OR issue the following”;
47       echo ” /usr/bin/tigervncserver –kill :$DISPLAY”;
48       exit 1;
49     fi
50 done
51
52 USER=$(grep “^[ ]*:${DISPLAY}=” “${USERSFILE}” 2>/dev/null | head -1 | cut -d = -f 2- | sed ‘s/ *$//g’)
53
54 echo “User for display $DISPLAY identified as \”$USER\” from file $USERSFILE …”;
55 echo “Users defined in config file are:”
56 echo “———————————”
57 grep -Eiv “#” $USERSFILE;
58 echo “———————————”
59
60 if [[ -z “${USER}” ]]; then
61   echo “No user configured for display ${DISPLAY}” >&2
62   exit 1
63 else
64   echo “Starting VNC Server as user ${USER} … ”
65 fi
66
67 # exec “/usr/sbin/tigervncsession” “${USER}” “:${DISPLAY}”
68 /usr/sbin/tigervncsession “${USER}” “:${DISPLAY}”;
69 echo “Return code from running /usr/sbin/tigervncsession is: $?”;
70
71 echo “Checking if PID file has been created.”
72 vnccount=0;
73 while [[ true ]]; do
74   vnccount=$((vnccount + 1))
75   if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
76     echo “PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid …”;
77     echo “Successfully started the TigerVNC Server on display port $DISPLAY. “;
78     break;
79   else
80     echo “PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting …”;
81     sleep 1;
82   fi
83
84   if [[ $vnccount -gt 10 ]]; then
85     echo “ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid …”;
86     echo “ERROR: This indicares issues in startup. Exiting!”;
87     exit 1;
88   fi
89 done

At this point, looks like everything has a decent chance of working when started up.  Before plowing ahead, check and kill any previous VNC sessions that might still be hanging around started manually.  Need to do this to prevent errors particularly with port conflicts.

root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver –list

TigerVNC server sessions:

X DISPLAY # RFB PORT # RFB UNIX PATH PROCESS ID # SERVER
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc#
root@fr-ubuntu-01:~/.vnc# /usr/bin/tigervncserver –kill :*
tigervncserver: No VNC server running for this user!
root@fr-ubuntu-01:~/.vnc#

Let’s try and start up the service via systemd:

systemctl enable tigervncserver@1
systemctl enable tigervncserver@2

And start them:

systemctl start tigervncserver@1
systemctl start tigervncserver@2

check the status:

systemctl status tigervncserver@1
systemctl status tigervncserver@2

check ports:

root@fr-ubuntu-01:~# netstat -pnltu|grep -Ei 590
tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 72393/Xtigervnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 51235/Xtigervnc
tcp6 0 0 ::1:5902 :::* LISTEN 72393/Xtigervnc
tcp6 0 0 :::5901 :::* LISTEN 51235/Xtigervnc
root@fr-ubuntu-01:~#

And connect using a VNC Viewer application installed on your Windows 10/11 or installed on a Linux Desktop.  A few options exist including RealVNC and TightVNC:

RealVNC Viewer

PROBLEMS and FIXES

When encountering the following:

Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed to determine user credentials: No such process
Jan 20 20:14:35 fr-ubuntu-01 systemd[40475]: tigervncserver@1.service: Failed at step USER spawning /usr/libexec/tigervncsession-start: No such process

Fix the above by adding a user to the service:

# cat /lib/systemd/system/tigervncserver@.service
[Unit]
Description=Remote desktop service (VNC)
After=network.target

[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
PIDFile=/run/tigervncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target

If getting this error:

Jan 20 20:16:49 fr-ubuntu-01 tigervncsession-start[40631]: No user configured for display 1

Fix by adding a user to this file:

# cat /etc/tigervnc/vncserver.users
# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa

:1=root
:2=vncuser

Next issue:

# tail -f /var/log/syslog /var/log/auth.log
Jan 21 10:09:04 fr-ubuntu-01 gdm-password]: pam_succeed_if(gdm-password:auth): requirement “user != root” not met by user “root”

Means that the system is not configured to allow direct root login.  This is a security feature, worth having.  There are ways to enable this but it’s not recommended.  Best to configure access to a non-privileged user.  Hence, let’s configure for that above.

Another issue that can be seen is:

Jan 21 13:03:24 fr-ubuntu-01 systemd[1]: tigervncserver@1.service: Can’t open PID file /run/tigervncsession-1.pid (yet?) after start: Operation not permitted

this required a small update to the startup script:

/usr/libexec/tigervncsession-start

by adding in the following lines and removing the exec:

52 # exec "/usr/sbin/tigervncsession" "${USER}" ":${DISPLAY}"
53 /usr/sbin/tigervncsession "${USER}" ":${DISPLAY}"
54 echo "Return code from running /usr/sbin/tigervncsession is: $?"
55 echo "Checking if PID file has been created."
56 vnccount=0
57 while [[ true ]]; do
58     vnccount=$((vnccount + 1))
59     if [[ -r /run/tigervncsession-:$DISPLAY.pid ]]; then
60         echo "PID File created by /usr/sbin/tigervncsession exists in /run/tigervncsession-:$DISPLAY.pid ...";
61         echo "Successfully started the TigerVNC Server on display port $DISPLAY. ";
62     else
63         echo "PID Process file /run/tigervncsession-:$DISPLAY.pid not yet created. Waiting ...";
64         sleep 1;
65     fi
66
67     if [[ $vnccount -gt 10 ]]; then
68         echo "ERROR: TigerVNC process startup failed to create a PID file in /run/tigervncsession-:$DISPLAY.pid ...";
69         echo "ERROR: This indicares issues in startup. Exiting!";
70         exit 1;
71     fi
72 done

and modify the startup script as follows since the services append a ‘:’ to the file name:

# vi /lib/systemd/system/tigervncserver@.service
PIDFile=/run/tigervncsession-:%i.pid

then retry to start / restart the service.

Connectivity issue such as this:

# telnet fr-ubuntu-01.nix.mds.xyz 5902
Connecting To fr-ubuntu-01.nix.mds.xyz…Could not open connection to the host, on port 5902: Connect failed

is not due to the F/W, however, it’s good to check:

root@fr-ubuntu-01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~#
root@fr-ubuntu-01:~# ufw status
Status: inactive
root@fr-ubuntu-01:~#

but it has a lot to do with missing startup files in the USER/.vnc/ folder, such as these, with the correct permissions:

root@fr-ubuntu-01:/home/francesco/.vnc# lt
total 40
500 -rw——- 1 francesco francesco 8 Jan 14 23:57 passwd
1462 -rwx—— 1 francesco francesco 121 Jan 21 00:31 xstartup
1464 -rw——- 1 francesco francesco 177 Jan 21 12:20 config
34 drwxr-x— 15 francesco francesco 23 Jan 21 16:24 ..
1814 -rw-rw-r– 1 francesco francesco 6 Jan 21 16:24 fr-ubuntu-01.nix.mds.xyz:5902.pid
16 -rw-r–r– 1 francesco francesco 205 Jan 21 16:24 fr-ubuntu-01:2.log
504 -rw-rw-r– 1 francesco francesco 6083 Jan 21 16:27 fr-ubuntu-01.nix.mds.xyz:5902.log
496 drwxrwxr-x 2 francesco francesco 8 Jan 21 16:41 .
root@fr-ubuntu-01:/home/francesco/.vnc# cat xstartup
#!/bin/bash -x

PATH=/usr/bin:/usr/sbin
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /usr/bin/gnome-session
root@fr-ubuntu-01:/home/francesco/.vnc# cat config
# create new
# session=(display manager you use)
# securitytypes=(security options)
# geometry=(screen resolution)
session=gnome
securitytypes=vncauth,tlsvnc
geometry=2048×1152
root@fr-ubuntu-01:/home/francesco/.vnc#

Whenever files are modified, restart the service.

SSSD / AD AUTHENTICATION

Install the SSSD Daemon to connect with central authentication, to, amongst other things, use a central user and

# apt install sssd-ad-common sssd-ad sssd-common sssd-dbus sssd-ipa sssd-kcm sssd-krb5-common sssd-krb5 sssd-ldap sssd-proxy sssd-tools sssd freeipa-client oddjob-mkhomedir libpam-sss libnss-sss sssd sssd-tools sssd-ldap ldap-utils openssl ca-certificates sssd-ad realmd adcli -y

# apt install libnfsidmap1 libnfsidmap-regex libnfsidmap-dev libnfs13 libnfs-utils libnfs-dev autofs nfs-common

# ipa-client-install –uninstall; ipa-client-install –force-join -p autojoin -w “<PASS>” –fixed-primary –server=idmipa01.nix.mds.xyz –server=idmipa02.nix.mds.xyz –domain=nix.mds.xyz –realm=NIX.MDS.XYZ -U

# ipa-client-automount –location=UserHomeDir01 -U

Configure the /etc/nsswitch.conf file for automount:

root@fr-ubuntu-01:/var/log# grep -Ei automount /etc/nsswitch.conf
automount: files sss
root@fr-ubuntu-01:/var/log#

Before using the service, a few tweaks are likely needed.  Update /etc/sssd/sssd.conf to add the lines in green:

root@fr-ubuntu-01:/var/log# cat /etc/sssd/sssd.conf
[domain/nix.mds.xyz]

id_provider = ipa
ipa_server = idmipa01.nix.mds.xyz, idmipa02.nix.mds.xyz
ipa_domain = nix.mds.xyz
ipa_hostname = fr-ubuntu-01.nix.mds.xyz
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = UserHomeDir01

dyndns_update = True
dyndns_update_ptr = True
ldap_schema = ad
ldap_id_mapping = True

sudo_provider = ipa
ldap_uri = ldap://idmipa01.nix.mds.xyz, ldap://idmipa02.nix.mds.xyz
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=mds,dc=xyz

override_homedir = /n/%d/%u
# fallback_homedir = /n/%d/%u
# ldap_user_home_directory = unixHomeDirectory

[sssd]
services = nss, pam, ssh, sudo, autofs

domains = nix.mds.xyz
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

root@fr-ubuntu-01:/var/log#

Adjust the /etc/krb5.conf file by adding in these additional entries:

root@fr-ubuntu-01:/var/log# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.MDS.XYZ
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  NIX.MDS.XYZ = {
    kdc = idmipa01.nix.mds.xyz:88
    master_kdc = idmipa01.nix.mds.xyz:88
    admin_server = idmipa01.nix.mds.xyz:749
    kpasswd_server = idmipa01.nix.mds.xyz:464
    kdc = idmipa02.nix.mds.xyz:88
    master_kdc = idmipa02.nix.mds.xyz:88
    admin_server = idmipa02.nix.mds.xyz:749
    kpasswd_server = idmipa02.nix.mds.xyz:464
    default_domain = nix.mds.xyz
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

  MDS.XYZ = {
    kdc = ad.mds.xyz
    default_domain = mds.xyz
  }

[domain_realm]
  .nix.mds.xyz = NIX.MDS.XYZ
  nix.mds.xyz = NIX.MDS.XYZ
  fr-ubuntu-01.nix.mds.xyz = NIX.MDS.XYZ
  .mds.xyz = MDS.XYZ
  mds.xyz = MDS.XYZ

root@fr-ubuntu-01:/var/log#

Check the remote AD user and the NFS mount:

root@fr-ubuntu-01:/n/mds.xyz# id remoteuser@mds.xyz
uid=155612345(remoteuser@mds.xyz) gid=155612345(remoteuser@mds.xyz) ………………………………..
root@fr-ubuntu-01:/n/mds.xyz#

Adjust the VNC configuration to allow extra AD / Kerberos / LDAP users access:

root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# ls -altri xstartup config passwd
12410600697251477469 -rwx—— 1 remoteuser@mds.xyz remoteuser@mds.xyz 121 Jan 21 00:31 xstartup
9668247031218421920 -rw——- 1 remoteuser@mds.xyz remoteuser@mds.xyz 177 Jan 21 12:20 config
12896900723358409448 -rw——- 1 remoteuser@mds.xyz remoteuser@mds.xyz 8 Jan 21 18:41 passwd
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#

Adjust the VNC servers allowed for the users:

root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc# grep -Eiv “#” /etc/tigervnc/vncserver.users
:1=root
:2=vncuser
:3=vncuser@mds.xyz
:4=remoteuser@mds.xyz
root@fr-ubuntu-01:/n/mds.xyz/remoteuser/.vnc#

JDK JAVA DEVELOPMENT KIT

Run the following to install openjdk:

root@fr-ubuntu-01:~# apt install openjdk-21-jdk
root@fr-ubuntu-01:~# java –version
openjdk 21.0.1 2023-10-17
OpenJDK Runtime Environment (build 21.0.1+12-Ubuntu-222.04)
OpenJDK 64-Bit Server VM (build 21.0.1+12-Ubuntu-222.04, mixed mode, sharing)
root@fr-ubuntu-01:~#

NETBEANS

Installing through the software center, bring in a version that’s dated and may have issues on newer OS versions like Ubuntu 22.04.  Therefore, install directly from the latest package version from the following site:

https://netbeans.apache.org/front/main/download/nb20/

Install using the following steps:

# cd /tmp
# wget https://dlcdn.apache.org/netbeans/netbeans-installers/20/apache-netbeans_20-1_all.deb

# apt install ./apache-netbeans_20-1_all.deb

Start NetBeans via the UI.

CONCLUSION

Confirm all services are working by logging into your Ubuntu Server with the remote user, via VNC and start NetBeans:

Ubuntu Desktop Configuration Verification

Enjoy!

Cheers,

Leave a Reply

You must be logged in to post a comment.


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License