Hi all,
I've installed a Debian Wheezy virtual machine (KVM) with KDE.
If I log on using the console, I can use Network Manager to succesfully add a VPN connection.
If I log on to the same machine via X2Go, I can't add a new VPN connection (and the one added from the console session isn't there). When I try to save it I get "No session found for uid 1000".
I've spent hours googling and there seems to be a problem with dbus and/or ConsoleKit. If I use the console to logon, KDM does something that makes Network Manager/dbus/ConsoleKit happy, if I use X2Go that "something" is missing.
KWallet may also be a factor, when I'm logged on to the console it pops up at the same step that I get the error message in X2Go.
Is there any X2Go user out there that has a solution to this problem?
Cheers, Daniel
Installing x2gserver-xsession seems to solve the problem. Perhaps it should be a dependency when installing x2goserver?
Cheers, Daniel
2012/12/23 Daniel Lindgren <bd.dali@gmail.com>
Hi all,
I've installed a Debian Wheezy virtual machine (KVM) with KDE.
If I log on using the console, I can use Network Manager to succesfully add a VPN connection.
If I log on to the same machine via X2Go, I can't add a new VPN connection (and the one added from the console session isn't there). When I try to save it I get "No session found for uid 1000".
I've spent hours googling and there seems to be a problem with dbus and/or ConsoleKit. If I use the console to logon, KDM does something that makes Network Manager/dbus/ConsoleKit happy, if I use X2Go that "something" is missing.
KWallet may also be a factor, when I'm logged on to the console it pops up at the same step that I get the error message in X2Go.
Is there any X2Go user out there that has a solution to this problem?
Cheers, Daniel
... and these steps are also necessary to be able to fully use Network Manager:
Add user to the netdev group.
Create /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla with these settings:
[nm-applet] Identity=unix-group:netdev Action=org.freedesktop.NetworkManager.* ResultAny=yes ResultInactive=no ResultActive=yes
- Reboot.
Dear Daniel,
Network manager defines a default security policy that allows altering networking-related settings only when the user sits in front of the computer. This policy in general does make sense, otherwise users would be able to break their active session.
It seems unfortunate that this policy seems to affect VPN settings as well. This issue should definitely be discussed with the Network Manager maintainers. However before doing that, I think should learn more about the current situation. For instance, I'm not sure if x2go registers a proper console-kit session besides the one that is created as part of the ssh connection. I could imagine having a configuration switch to consider 'x2go' remote sessions as "local" at least for testing purposes. I fear we in x2go should really revisit and properly document the design of session management - it is not trivial at all!
Unfortunately, none of the current developers seem to have the resources to do this properly. For instance, as you have noticed yourself, x2goserver-xsession is not installed by default, but TBH, I think this is a bug that is related to the overly strict recommend relationship declaration on the x2goserver package (another wtf from my side). The only documentation for this package is here: http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver-xsession/do...
- Unfortunately, it leaves a lot of questions (such as "what is a Xsession config file", etc.). I'm not sure how to proceed from here, hence, I copy the x2go-dev mailing list as I feel that this user issue indicates a larger, conceptional problem.
What you propose is to introduce a completely new security policy: everyone in a certain group 'netdev' may change everything. This may be appropriate in your scenario, but may not be in others. For instance, have you considered what other packages "use" the netdev group? Are you fully aware about the consequences in terms of additional privileges users gain by being put in that group? Moreover, in a managed environment, where all users are in a network directory such as NIS or LDAP, it is not that simple to add a user to a computer-local group, as the group may have a different group ID on different machines. Such scenarios are not uncommon for larger x2go deployments at all!
Merry Holidays!
On Mon, Dec 24, 2012 at 9:39 AM, Daniel Lindgren <bd.dali@gmail.com> wrote:
... and these steps are also necessary to be able to fully use Network Manager:
Add user to the netdev group.
Create /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla with these settings:
[nm-applet] Identity=unix-group:netdev Action=org.freedesktop.NetworkManager.* ResultAny=yes ResultInactive=no ResultActive=yes
- Reboot.
X2Go-User mailing list X2Go-User@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-user
-- regards, Reinhard
Hi Reinhard,
What you propose is to introduce a completely new security policy:
everyone in a certain group 'netdev' may change everything. This may be appropriate in your scenario, but may not be in others. For instance, have you considered what other packages "use" the netdev group? Are you fully aware about the consequences in terms of additional privileges users gain by being put in that group? Moreover, in a managed environment, where all users are in a network directory such as NIS or LDAP, it is not that simple to add a user to a computer-local group, as the group may have a different group ID on different machines. Such scenarios are not uncommon for larger x2go deployments at all!
The netdev group change is not a proposal for something I think should be included in X2Go, more like "if someone has the same issue, I got it working by doing this". I agree that adding the netdev group is not ideal from a security perspective, someone who fully understands what's going on could probably come up with a much safer solution.
Cheers, Daniel
-
Daniel Lindgren -
Reinhard Tartler