I’ve been scouring posts and blogs about understanding gnome remote desktop, and I think I have my head wrapped around it, but the solution isn’t finished yet and I think I’ve reached the point where I understand the limits of the system. I’m looking for feedback on whether I’m missing something.
For understanding, we’re using apache guacamole as our existing “VDI” for users to connect to windows workstations. Both the computers (windows and linux) authenticate to a directory, and apache guacamole also uses the same directory auth. A couple of features that I want to highlight there which I haven’t been able to accomplish on gnome:
- When there is an existing RDP session open from one computer, and I try to reconnect from another computer, on windows I take over the existing session and the original session is logged off. On gnome, a new session is initiated, or rejected.
- When I connect via RDP to windows, authentication can pass through and I am brought directly to the desktop. On gnome, I am brought to the GDM login screen, then I authenticate to the system, requiring me to enter my credentials twice.
The future state we are experimenting with is Ubuntu vm workstations with Gnome 47+ on Proxmox, connected to via guacamole, but for now that means they’re not truly “headless” as the Proxmox console provides the “head.” Below is the code block I have which is working (with dummy credentials). I can run this, create a guacamole directory entry with the credentials below, add multiple members to this object, and it shows up in guacamole and successfully connects. Multiple users can connect to the same vm, and they’re prompted to log in with gdm and get different sessions. If I am logged into a session on one computer and try to log in as myself from another computer, a new gnome session is started, but if I remember to close the first session (not log out, but just close) I re-join the existing session (which is the behavior I want).
# Wipe any previous certificate/key owned by the system-mode daemon
sudo rm -f ~gnome-remote-desktop/rdp*
# Generate a self-signed TLS certificate in the gnome-remote-desktop user's home
sudo -u gnome-remote-desktop winpr-makecert -silent -rdp -path ~gnome-remote-desktop rdp-tls
sudo grdctl --system rdp set-tls-key ~gnome-remote-desktop/rdp-tls.key
sudo grdctl --system rdp set-tls-cert ~gnome-remote-desktop/rdp-tls.crt
# Shared RDP logon (dummy credentials); GDM still performs the real user login afterwards
sudo grdctl --system rdp set-credentials rdpuser abcdefg_____abcdefg
sudo grdctl --system rdp enable
# "enable --now" already starts the unit; "--now" is not valid with start/restart,
# so just restart once so the daemon picks up the new certificate and credentials
sudo systemctl enable --now gnome-remote-desktop.service
sudo systemctl restart gnome-remote-desktop.service
sudo ufw allow 3389
So, this works, but it’s not the same experience people get now around reconnecting to existing sessions and I am fairly certain this won’t pass user testing.
Another option I considered was initiating user-specific gnome-remote-desktop sessions, running as user, running on a different port. This is way more overhead as user-port-hostname sets become locked in, but I thought it may be a path to allow direct login from guacamole and to allow easier reconnecting to existing sessions, but it’s not working. Here’s the example setup, with my username here as dummy credentials:
sudo whoami # cache passwordless sudo
# Per-user RDP settings (likely redundant with grdctl below); gsettings expects unquoted bool/int values
gsettings set org.gnome.desktop.remote-desktop.rdp enable true
gsettings set org.gnome.desktop.remote-desktop.rdp port 3390
mkdir -p ~/.config/RDP
# Keep this user's service manager (and so its user units) running without an active login
sudo loginctl enable-linger surfrock66
rm -f ~/.config/RDP/rdp-tls*
# Self-signed TLS certificate for this user's headless daemon
winpr-makecert -silent -rdp -path ~/.config/RDP rdp-tls
grdctl --headless rdp set-tls-cert ~/.config/RDP/rdp-tls.crt
grdctl --headless rdp set-tls-key ~/.config/RDP/rdp-tls.key
grdctl --headless rdp set-port 3390
# Dummy credentials for the per-user headless listener
grdctl --headless rdp set-credentials surfrock66 abcd3fg________abcdefg
grdctl --headless rdp enable
systemctl --user enable gnome-remote-desktop-headless.service
systemctl --user start gnome-remote-desktop-headless.service
sudo ufw allow 3390
This doesn’t work at all. The user session doesn’t start, and I can confirm this by looking for a service listening on 3390 with ‘netstat -tulpn’. If I log in with the “rdpuser” session on 3389 and auth to the surfrock66 account, suddenly a listener on 3390 appears, but it’s a different gnome session (though it skips gdm, which is good). My understanding is I’d have to enable autologin for this to work (which I think would solve skipping GDM?), but that’s NOT what I want. All the systemctl stuff I’ve tried has failed to have sessions start with no connection, though I’m open to there being a solution I’ve missed other than making one VM per user and enabling auto-login. I can’t get some version of headless autologin to work, so I’m pretty sure this is a full non-starter.
So I’m looking for feedback as to whether my understanding of this is correct, and whether my understanding of the limitations of having multi-user VMs as VDI endpoints with gnome is correct.
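Checking which process actually owns an RDP port, as an added example that is not code from the post or from GNOME: a small POSIX sh helper that parses `ss -ltnp` output (the same check the post does by hand with netstat), so you can tell the system-mode daemon on 3389 apart from a per-user headless daemon on 3390, or confirm that nothing is bound at all. The sample `ss` output and the PIDs in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Live use on the VM:
#   rdp_listener_pid 3390 "$(ss -ltnp)"
# Needs root (or the socket owner) for ss to show the Process column.

# Print the PID of the process with a LISTEN socket on TCP port $1,
# reading ss -ltnp output from $2. Prints nothing and returns 1 when
# no listener is bound to that port (the "3390 never shows up" case).
rdp_listener_pid() {
    port=$1
    ss_output=$2
    pid=$(printf '%s\n' "$ss_output" \
        | awk -v p=":$port" \
            '$1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { print $6 }' \
        | sed -n 's/.*pid=\([0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Constructed sample: the system-mode service is up on 3389, sshd on 22,
# and nothing is listening on 3390, matching the situation in the post.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      10     0.0.0.0:3389       0.0.0.0:*     users:(("gnome-remote-de",pid=1234,fd=15))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=800,fd=3))'

# Report on the two ports from the post using the constructed sample.
for p in 3389 3390; do
    if pid=$(rdp_listener_pid "$p" "$SAMPLE_SS"); then
        echo "port $p: listener owned by pid $pid"
    else
        echo "port $p: no listener"
    fi
done
```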