Package: x2goserver Version: 4.0.1.3
Hi Sebastian,
(quoting your complete original mail, so we have it in the bug report
I create with this/my reply)
On Fr 26 Jul 2013 15:08:50 CEST Sebastian Flothow wrote:
I've just set up a Debian 7 box with X2Go. It does work in that it
is possible to start new sessions, however, resuming a previous
session does not work, it always results in this message: "The
remote proxy closed the connection while negotiating the session.
This may be due to the wrong authentication credentials passed to
the server."

I suspect this is due to the fact that home directories are stored
in AFS (for regular users, that is; when logging in as root, whose
home directory is on a local ext4 FS, resume does work). Accessing
AFS requires an AFS token in the user's name, obtaining this in turn
requires a Kerberos ticket. PAM is set up to obtain both
automatically on login, but I guess something goes wrong there
during session resume.

Is it possible to add custom commands to the X2Go login/resume
procedure? It would be quite helpful if the client could run klist
and tokens through the ssh session, and either log or display the
output.
Is there any environment variable that we have to set before we can
access the home directory of the user?
My guess is that we have to set at least
export KRB5CCNAME=???
Maybe any other env var for the AFS token?
We should get this issue fixed upstream, so I have switched over to
x2go-dev and our bug tracker (done by sending my reply). Please reply
to 272@bugs.x2go.org with your reply. Thanks.
Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On 26.07.2013 16:40, Mike Gabriel wrote:
Package: x2goserver Version: 4.0.1.3
By now it's 4.0.1.6-0~x2go1+wheezy~main~712~build1, but the problem persists.
Is there any environment variable that we have to set before we can access the home directory of the user?
My guess is that we have to set at least
export KRB5CCNAME=???
Maybe any other env var for the AFS token?
No, that should not be necessary. KRB5CCNAME is set by pam_krb5.so. pam_afs_session.so in turn uses this to obtain an AFS token, then associates it with a new Process Authentication Group. The PAG ID is stored in the group array for the session, i.e. "id" shows an additional artificial group id. In fact this all works flawlessly on initial login, it's only on resume where it fails.
It occurs to me now that both KRB5CCNAME and PAG are per-session rather than per-user, so that might be the cause for this problem (but I'm really just guessing here).
Is there a detailed description of the resume process? Does it involve any shell scripts or similar I could hook into in order to log additional information?
I'm attaching /var/log/user.log as well as the client output from a failed resume attempt, maybe this offers some clues.
Thanks, Sebastian
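
The per-session state discussed in this thread (KRB5CCNAME, the PAG group id, and the klist/tokens output) can be captured with a small script run once in a working login shell and once in the failing resume context. This is an added example, not part of x2goserver or of the original mails; the function names are hypothetical, and it assumes that OpenAFS on Linux shows the PAG as a supplementary gid in the range 0x41000000..0x41ffffff and that the credential cache is file-based.

```shell
#!/bin/sh
# Added diagnostic example, not part of x2goserver.
# Assumption: the PAG appears as a supplementary group whose top byte
# is 0x41 ('A'), i.e. a gid between 0x41000000 and 0x41ffffff.
PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# Print every numeric gid from the argument list that lies in the PAG range.
pag_gids() {
    for gid in "$@"; do
        case $gid in ''|*[!0-9]*) continue ;; esac
        if [ "$gid" -ge "$PAG_MIN" ] && [ "$gid" -le "$PAG_MAX" ]; then
            printf '%s\n' "$gid"
        fi
    done
}

# Classify a KRB5CCNAME value: unset, non-file, missing, or present.
ccache_state() {
    cc=$1
    [ -n "$cc" ] || { echo unset; return 0; }
    case $cc in
        FILE:*) ccfile=${cc#FILE:} ;;
        /*)     ccfile=$cc ;;
        *)      echo non-file; return 0 ;;   # e.g. DIR: or KEYRING: caches
    esac
    if [ -r "$ccfile" ]; then echo present; else echo missing; fi
}

# One report per invocation; diff the login report against the resume report.
session_cred_report() {
    echo "time=$(date -u +%Y-%m-%dT%H:%M:%SZ) user=$(id -un) pid=$$"
    echo "KRB5CCNAME=${KRB5CCNAME:-} state=$(ccache_state "${KRB5CCNAME:-}")"
    echo "pag_gids=$(pag_gids $(id -G) | tr '\n' ' ')"
    for tool in klist tokens; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "--- $tool"; "$tool" 2>&1 || echo "($tool exited $?)"
        else
            echo "--- $tool not installed"
        fi
    done
}

session_cred_report
```

An empty `pag_gids=` line or a `state=missing` ccache in the resume report, next to populated values in the login report, would point at the per-session explanation suggested above.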