[X2go-dev] can't start ssh tunnel / integration with existing ldap

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jan 25 17:39:05 CET 2011


On Tue, 2011-01-25 at 16:52 +0100, Martin Steigerwald wrote:
> Hi!
> 
> I installed X2goserver one into a Debian Squeeze VM under VMware ESX today. 
> Since we use an LDAP server for central user management I integrated it via 
> libpam-ldap and libnss-ldap manually. We also use NFS for home directories so I 
> added that too. Logging into the server via SSH works as expected.
> 
> But I get "can't start SSH tunnel" when trying to open a new X2go session with 
> x2goclient.
> 
> When I use a SSH key I get messages like this:
> 
> Verbindung fehlgeschlagen intraws.of.teamix.net: Unable to connect: 
> /home/ms/.x2go/ssh/socaskpass-M31562 Unable to connect: 
> /home/ms/.x2go/ssh/socaskpass-M31562 Permission denied, please try again. 
> Unable to connect: /home/ms/.x2go/ssh/socaskpass-M31562 Permission denied, 
> please try again. Unable to connect: /home/ms/.x2go/ssh/socaskpass-M31562 
> Permission denied (publickey,password). 
> 
> I guess this has to do with the usage of NFS.
> 
> ~/.x2go/ssh is 750 and root is squashed to nobody:nogroup. Thus it is neither 
> the user nor the group. Since
> 
> chmod 777 ~/.x2go/ssh
> 
> fixes key based login for me, it seems that something of x2go server is using 
> root privileges to access files in the home directory of the user.
> 
> Could this be changed to use user rights - root can su to any? This would 
> work with NFS.
> 
> Other questions:
> 
> 1) Can X2go client be told to use an existing ssh agent which has the right 
> identity added? An ssh user at intraws works already without asking for the key 
> password, thus if x2goclient uses this ssh-agent it wouldn't need to ask for 
> the passphrase as well.
> 
> 2) What steps are necessary to integrate x2go with an *existing* LDAP server? 
> x2goldaptools depends on slapd and samba and since we use NFS with an existing 
> LDAP server I want neither of those. LDAP authentication via PAM works 
> already. I can login with SSH and LDAP password of a user. I thought this 
> would be enough for x2go *when* users that use x2go are in the group 
> x2gousers. They are. But in the local group. What additional steps are 
> necessary?
<snip>
Hi, Martin. I suspect your problems may be more NFS related.  We are
using a separate LDAP server (Centos Directory Server) and have not
integrated with the X2Go LDAP tools.  All works fine with X2Go.  We do
use local x2gousers, fuse, and the various pulse groups and simply add
the LDAP defined users to them.

Just for kicks, have you tried it with a local home directory rather
than NFS? We use iSCSI for ours so all the file system semantics and
security are as if our storage was local.  Good luck - John
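To make the permission reasoning in the thread concrete, here is an added example (not x2go or NFS code) that models NFS root_squash together with the Unix mode check: a root-owned server process hitting a 0750 ~/.x2go/ssh on a root_squash export is denied, chmod 777 "fixes" it only by making the directory world-writable, and doing the access as the user's own uid works with 0750 untouched. The anonymous uid/gid 65534 and the user uid/gid 1000 are assumed values.

```python
"""Constructed model of the NFS root_squash + 0750 ~/.x2go/ssh failure.
Not x2go or kernel NFS code; it reproduces the permission algorithm only."""

NOBODY_UID = 65534   # Debian "nobody": anonymous uid under root_squash (assumed)
NOGROUP_GID = 65534  # Debian "nogroup": anonymous gid under root_squash (assumed)


def squash(uid, gid, root_squash=True):
    """A request arriving from uid/gid 0 reaches a root_squash export as the
    anonymous identity; every other identity passes through unchanged."""
    if root_squash and uid == 0:
        uid = NOBODY_UID
    if root_squash and gid == 0:
        gid = NOGROUP_GID
    return uid, gid


def can_access(mode, owner_uid, owner_gid, uid, gid, want, root_squash=True):
    """Classic owner/group/other mode check as applied on the server side.
    `want` is one rwx octal digit (4=r, 2=w, 1=x, combinable)."""
    uid, gid = squash(uid, gid, root_squash)
    if uid == 0:
        return True  # real root (no_root_squash export) bypasses the mode bits
    if uid == owner_uid:
        shift = 6    # owner triplet
    elif gid == owner_gid:
        shift = 3    # group triplet
    else:
        shift = 0    # other triplet
    granted = (mode >> shift) & 0o7
    return (granted & want) == want


def ssh_dir_scenarios(owner_uid=1000, owner_gid=1000):
    """The situations from the thread, on a directory owned by the user:
    squashed root on 0750, the chmod 777 workaround, and the proposed fix of
    acting as the user; the last entry shows the cost of 0777 (anyone can write)."""
    RX = 0o5  # r-x: enter the directory and read its entries
    return {
        "root_on_0750": can_access(0o750, owner_uid, owner_gid, 0, 0, RX),
        "root_on_0777": can_access(0o777, owner_uid, owner_gid, 0, 0, RX),
        "user_on_0750": can_access(0o750, owner_uid, owner_gid, owner_uid, owner_gid, RX),
        "stranger_can_write_0777": can_access(0o777, owner_uid, owner_gid, 4242, 4242, 0o2),
    }


if __name__ == "__main__":
    for name, ok in ssh_dir_scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```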
