Can no longer connect to GNOME Remote Desktop

I’m experiencing a really weird issue. I deployed a Fedora 39 Server two months back. I immediately upgraded to Fedora 40. I generated the TLS certs and set up RDP credentials thanks to Vladislav Grigoryev’s advice, and I could connect fine. Every now and again, GRD would stop accepting connections so I just restarted the GDM/GRD services and it would be okay again.

However, lately, even restarting the services doesn’t fix it. The package is gnome-remote-desktop-0:46.3-1.fc40.x86_64.

In an effort to debug this issue, I would attach gdb to the /usr/libexec/gnome-remote-desktop-daemon --system process, then try to connect via Remmina. While it was connecting, I’d hit c and wait for it to fail to connect. But it always connects if I’m attached to gdb at the time.

Even weirder, while I am presently connected to the server on one Remmina instance and can open applications, etc, I can no longer make new connections.

I’m really struggling to figure out what to do because I can’t generate a backtrace, as the problem doesn’t show up while I’m connected to the process via gdb. Users can only connect to the server if we time it just right and I’m around to run gdb on the process to let them in.

As soon as I detach from the process with gdb, it stops working. And then gnome-remote-desktop.service just keeps spamming my system journal every second for many minutes with this:

GRD Service Logs
Aug 20 12:46:24 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() >
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego(>
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_>
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80>
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:775] [27034:0000ac8c] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 20 12:46:24 fedora-remote gnome-remote-de[27034]: g_atomic_ref_count_dec: assertion 'old_value > 0' failed
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:180] [27034:0000699a] [ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned an error: error:0A00>
Aug 20 12:46:22 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:176] [27034:0000ac17] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() >
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:176] [27034:0000ac17] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego(>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.freerdp.core.peer] - [transport_default_write]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned a system error 9: Ba>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 20 12:46:22 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:054] [27034:0000ac0a] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() >
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:054] [27034:0000ac0a] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego(>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80>
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 20 12:46:20 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:422] [27034:0000ab47] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() >
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:422] [27034:0000ab47] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego(>
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:420] [27034:0000ab47] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:420] [27034:0000ab47] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_>
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:420] [27034:0000ab47] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80>
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:420] [27034:0000ab47] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 20 12:46:20 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session

Also, I’m able to connect via waypipe ssh when RDP is failing.

gnome-remote-desktop is unfortunately broken in Fedora. Solution is to disable selinux.

SELinux is already in Permissive mode for me:

$ getenforce
Permissive

I haven’t disabled it entirely as that requires setting a boot parameter, but my understanding is this should work in Permissive mode. In fact, it has been working for the most part for the past few months.

Does grdctl --system status --show-credentials show the credentials you would expect?

Yes, it shows as expected.

So, knock on wood here, but I think I’ve figured out what the problem was and the symptoms seem to line up. I think the RDP port on the server was being hit by certain IPs making endless attempts to get in, which led to almost complete denial of service most of the time. To the point that the GRD service would stop offering to make new connections at all and needed to be restarted. Running gdb probably slowed it down enough such that a user could actually get in if they attempted a connection at the right time.

What I’ve done now is completely blocked the RDP port on the firewall and only made it accessible locally, so the only way to access the RDP server is through an SSH tunnel. It seems to be working fine now. I’ll continue to observe it for a few days.

Awful configuration on my side either way 🙂
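
The diagnosis above can be checked directly against the journal: the sketch below counts failed NLA handshakes per time window in lines of the format posted earlier in the thread. It is an added example, not part of the original posts or of gnome-remote-desktop; the year, window length and threshold are assumptions, and since these log lines carry no client address it measures attempt rate only.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Lines copied from the journal excerpt in this thread (newest first, as posted).
SAMPLE = """\
Aug 20 12:46:24 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:24:776] [27034:0000ac8c] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:22 fedora-remote gnome-remote-de[27034]: [RDP] Network or intentional disconnect, stopping session
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:175] [27034:0000ac17] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 20 12:46:22 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:22:053] [27034:0000ac0a] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 20 12:46:20 fedora-remote gnome-remote-desktop-daemon[27034]: [12:46:20:420] [27034:0000ab47] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ gnome-remote-desktop-daemon\[\d+\]: "
    r"\[[\d:]+\] \[\d+:(?P<tid>[0-9a-f]+)\] \[\w+\]\[[\w.]+\] - "
    r"\[(?P<func>\w+)\]: (?P<msg>.*)$"
)

def nla_failures(text, year=2024):
    """Yield (timestamp, thread_id) per failed NLA handshake. The journal's
    short format has no year, so `year` is an assumed value."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["func"] == "transport_accept_nla" and "authentication failure" in m["msg"]:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["tid"]

def find_bursts(events, window_s=5, threshold=3):
    """Merge overlapping windows holding >= threshold failures into bursts."""
    window, bursts, span = deque(), [], timedelta(seconds=window_s)
    for ts, _tid in sorted(events):
        window.append(ts)
        while ts - window[0] > span:
            window.popleft()
        if len(window) >= threshold:
            if bursts and window[0] <= bursts[-1]["end"]:
                bursts[-1]["end"] = ts          # still the same burst
                bursts[-1]["count"] += 1
            else:
                bursts.append({"start": window[0], "end": ts, "count": len(window)})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(nla_failures(SAMPLE)):
        print(f"{b['count']} failed NLA handshakes between {b['start']} and {b['end']}")
```

A sustained burst with no matching legitimate logins is the signal that the port is being hammered from outside, which is what closing it on the firewall and tunnelling over SSH removes.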