System: Ubuntu 18.04, joined to an Active Directory domain (samba + winbind).
When connecting over RDP, after the password is entered only a blue (blue-green) screen is shown and the session never opens.
And literally yesterday everything worked perfectly! Some users log in normally and everything works for them.
The log /var/log/xrdp-sesman.log shows roughly this:
[20201204-10:44:55] [INFO ] A connection received from ::ffff:127.0.0.1 port 47690
[20201204-10:44:56] [INFO ] ++ created session (access granted): username username, ip ::ffff:10.77.178.183:62533 - socket: 12
[20201204-10:44:56] [INFO ] starting Xorg session...
[20201204-10:44:56] [DEBUG] Closed socket 9 (AF_INET6 :: port 5911)
[20201204-10:44:56] [DEBUG] Closed socket 9 (AF_INET6 :: port 6011)
[20201204-10:44:56] [DEBUG] Closed socket 9 (AF_INET6 :: port 6211)
[20201204-10:44:56] [DEBUG] Closed socket 5 (AF_INET6 ::ffff:127.0.0.1 port 3350)
[20201204-10:44:56] [INFO ] calling auth_start_session from pid 23453
[20201204-10:44:56] [DEBUG] Closed socket 8 (AF_INET6 ::ffff:127.0.0.1 port 3350)
[20201204-10:44:56] [DEBUG] Closed socket 5 (AF_INET6 ::ffff:127.0.0.1 port 3350)
[20201204-10:45:06] [ERROR] X server for display 11 startup timeout
[20201204-10:45:06] [ERROR] X server for display 11 startup timeout
[20201204-10:45:06] [ERROR] another Xserver might already be active on display 11 - see log
[20201204-10:45:06] [CORE ] waiting for window manager (pid 23471) to exit
[20201204-10:45:06] [DEBUG] aborting connection...
[20201204-10:45:06] [CORE ] window manager (pid 23471) did exit, cleaning up session
[20201204-10:45:06] [INFO ] calling auth_stop_session and auth_end from pid 23453
[20201204-10:45:06] [DEBUG] cleanup_sockets:
[20201204-10:45:06] [INFO ] shutting down sesman 1
[20201204-10:45:06] [INFO ] ++ terminated session: username username, display :11.0, session_pid 23453, ip ::ffff:10.77.178.183:62533 - socket: 12
[20201204-10:45:16] [INFO ] /usr/lib/xorg/Xorg :11 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
In other words, the system fails to run the command:
/usr/lib/xorg/Xorg :11 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
Investigation showed that the problem was in the mapping of domain users to Linux UIDs. The uid and gid numbers had changed for some reason, and some domain users lost write access to their own home directories. That matches the log above: sesman starts Xorg under the user's account with -auth .Xauthority and -logfile .xorgxrdp.%s.log relative to that home directory, so once the user can no longer write there Xorg never comes up and sesman gives up with "X server for display 11 startup timeout". Users whose home directories still carried the right owner kept working, which is why only some accounts were affected.
In smb.conf the mapping used to be controlled by these parameters:
idmap gid = 10000-20000
idmap uid = 10000-20000
But that was the case before Samba 4.6. I have version 4.7, where everything is different: https://wiki.samba.org/index.php/Idmap_config_ad
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
In the end, the following fixed it:
sudo chown username /home/DOMAIN/username -R
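Before running a recursive chown on someone's home directory it is worth confirming that the owner really is stale, i.e. that the uid winbind now hands out for the user differs from the uid that owns /home/DOMAIN/username, and afterwards that the two agree again. The script below is an added example, not part of the original post: it resolves the user through NSS with id(1), compares the result with the directory owner, counts the entries that would need reowning, and prints the chown from above only when it is actually needed. It assumes GNU stat(1) as shipped on Ubuntu, that the user is resolvable through winbind's NSS module, and the /home/DOMAIN/<user> layout from the post; the helper names (owner_uid, home_owner_matches, count_not_owned_by, check_home_uid, check_home) are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify that a domain user's
# home directory is owned by the uid winbind currently maps the user to,
# and print the corrective chown only when ownership is stale.
#
# Assumptions: GNU stat(1) (Ubuntu); the user resolves via NSS/winbind;
# home directories live under /home/DOMAIN/<user> as in the post.

# Owner uid of a path (GNU stat); empty output and non-zero status if missing.
owner_uid() {
    stat -c %u -- "$1" 2>/dev/null
}

# home_owner_matches DIR UID: 0 if DIR is owned by UID, 1 if not, 2 if DIR is missing.
home_owner_matches() {
    local dir="$1" want="$2" have
    have=$(owner_uid "$dir") || return 2
    [ -n "$have" ] || return 2
    [ "$have" = "$want" ]
}

# count_not_owned_by DIR UID: number of entries under DIR (DIR itself included)
# not owned by UID. POSIX find accepts a numeric uid for -user, so no GNU
# extensions are needed here.
count_not_owned_by() {
    find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# check_home_uid UID HOME [LABEL]: compare HOME's owner with UID.
# Exit status: 0 in sync, 1 stale ownership, 2 HOME missing.
check_home_uid() {
    local uid="$1" home="$2" label="${3:-uid $1}" rc=0 n
    home_owner_matches "$home" "$uid" && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: $home is owned by $label (uid $uid)"; return 0 ;;
        2) echo "missing: $home" >&2; return 2 ;;
    esac
    n=$(count_not_owned_by "$home" "$uid")
    echo "STALE: $home is owned by uid $(owner_uid "$home") but $label now maps to uid $uid; $n entries to reown"
    return 1
}

# check_home USER [HOME]: resolve USER through NSS (winbind), then check HOME.
# Exit status: 0 in sync, 1 stale (chown printed), 2 user or HOME unresolvable.
check_home() {
    local user="$1" home="${2:-/home/DOMAIN/$1}" uid rc=0
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "cannot resolve $user via NSS: check winbind and the idmap config" >&2
        return 2
    }
    check_home_uid "$uid" "$home" "$user" && rc=0 || rc=$?
    [ "$rc" -eq 1 ] && echo "fix: sudo chown -R $user $home"
    return "$rc"
}

# Run directly as: ./check_home.sh USER [HOME]. With no arguments only the
# functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_home "$@"
fi
```

Pair it with `wbinfo -i USER` and `getent passwd USER` to see the uid winbind is assigning right now. With `idmap config SAMDOM:backend = ad` that number comes from the user's uidNumber attribute in AD, so a user without the attribute will not resolve at all, and a chown only repairs the symptom: if the ranges or backend changed by accident, fix smb.conf first, otherwise the ownership will drift again.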