From 3c1a92a4b69de38dda955aa748fdf398a785c590 Mon Sep 17 00:00:00 2001 From: Thomas Basler Date: Fri, 15 Mar 2024 21:50:52 +0100 Subject: [PATCH] xrdp_apphost: Upgrade configs from bullseye to bookworm --- roles/xrdp_apphost/templates/sesman.ini.j2 | 88 ++++++++++++++--- roles/xrdp_apphost/templates/smb.conf.j2 | 4 +- roles/xrdp_apphost/templates/xrdp.ini.j2 | 107 +++++++++++++++++++-- 3 files changed, 173 insertions(+), 26 deletions(-) diff --git a/roles/xrdp_apphost/templates/sesman.ini.j2 b/roles/xrdp_apphost/templates/sesman.ini.j2 index 24b32b5..48bb869 100644 --- a/roles/xrdp_apphost/templates/sesman.ini.j2 +++ b/roles/xrdp_apphost/templates/sesman.ini.j2 @@ -21,9 +21,24 @@ TerminalServerAdmins=tsadmins ; When AlwaysGroupCheck=false access will be permitted ; if the group TerminalServerUsers is not defined. AlwaysGroupCheck=false -; When RestrictOutboundClipboard=true clipboard from the +; When RestrictOutboundClipboard=all clipboard from the ; server is not pushed to the client. -RestrictOutboundClipboard=false +; In addition, you can control text/file/image transfer restrictions +; respectively. It also accepts comma separated list such as text,file,image. +; To keep compatibility, some aliases are also available: +; true: an alias of all +; false: an alias of none +; yes: an alias of all +RestrictOutboundClipboard=none +; When RestrictInboundClipboard=all clipboard from the +; client is not pushed to the server. +; In addition, you can control text/file/image transfer restrictions +; respectively. It also accepts comma separated list such as text,file,image. +; To keep compatibility, some aliases are also available: +; true: an alias of all +; false: an alias of none +; yes: an alias of all +RestrictInboundClipboard=none [Sessions] ;; X11DisplayOffset - x11 display number offset 
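Review bot: Both new clipboard switches are hard-coded to the most permissive value (`RestrictOutboundClipboard=none`, `RestrictInboundClipboard=none`), which allows text, file and image transfer in both directions on every host this role manages, while the other tunables in the same template (e.g. `MaxSessions={{ xrdp_maxsessions }}`) are role variables. An application host is exactly where an operator may want to block at least file transfer out of the session, so expose the two keys instead of fixing them: `RestrictOutboundClipboard={{ xrdp_restrict_outbound_clipboard | default('none') }}` and `RestrictInboundClipboard={{ xrdp_restrict_inbound_clipboard | default('none') }}`. The defaults keep the behaviour this commit ships, and a deployment that needs a data-exfiltration control can set `file` or `all` without forking the template.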
@@ -39,17 +54,17 @@ MaxSessions={{ xrdp_maxsessions }} ;; KillDisconnected - kill disconnected sessions ; Type: boolean ; Default: false -; if 1, true, or yes, kill session after 60 seconds +; if 1, true, or yes, every session will be killed within DisconnectedTimeLimit +; seconds after the user disconnects KillDisconnected={{ xrdp_killdisconnected }} -;; DisconnectedTimeLimit - when to kill idle sessions +;; DisconnectedTimeLimit (seconds) - wait before kill disconnected sessions ; Type: integer ; Default: 0 -; if not zero, the seconds before a disconnected session is killed -; min 60 seconds +; if KillDisconnected is set to false, this value is ignored DisconnectedTimeLimit=0 -;; IdleTimeLimit (specify in second) - wait before disconnect idle sessions +;; IdleTimeLimit (seconds) - wait before disconnect idle sessions ; Type: integer ; Default: 0 ; Set to 0 to disable idle disconnection. @@ -57,7 +72,7 @@ IdleTimeLimit=0 ;; Policy - session allocation policy ; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ] -; Default: Xrdp: and Xvnc: +; "Default" session per ; "UBD" session per ; "UBI" session per ; "UBC" session per @@ -66,10 +81,20 @@ IdleTimeLimit=0 Policy={{ xrdp_policy }} [Logging] +; Note: Log levels can be any of: core, error, warning, info, debug, or trace LogFile=xrdp-sesman.log -LogLevel=DEBUG -EnableSyslog=1 -SyslogLevel=DEBUG +LogLevel=INFO +EnableSyslog=true +#SyslogLevel=INFO +#EnableConsole=false +#ConsoleLevel=INFO +#EnableProcessId=false + +[LoggingPerLogger] +; Note: per logger configuration is only used if xrdp is built with +; --enable-devel-logging +#sesman.c=INFO +#main()=INFO ; ; Session definitions - startup command-line parameters for each session type 
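Review bot: `DisconnectedTimeLimit=0` and `IdleTimeLimit=0` remain hard-coded even though `KillDisconnected` directly above them is templated, so idle sessions on this host never get disconnected and, per the rewritten comment, a disconnected session is killed "within 0 seconds" whenever `xrdp_killdisconnected` is true; whether this xrdp build treats 0 as "immediately" or as "no limit" cannot be confirmed from the hunk and is worth checking against sesman.ini(5) for the bookworm package. Consider templating both so the retention policy is an inventory decision rather than a template edit: `DisconnectedTimeLimit={{ xrdp_disconnectedtimelimit | default(0) }}` and `IdleTimeLimit={{ xrdp_idletimelimit | default(0) }}`. Sessions that are never idle-disconnected are the usual exposure on a shared terminal host, and the defaults above preserve the commit's current behaviour.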
@@ -77,16 +102,19 @@ SyslogLevel=DEBUG [Xorg] ; Specify the path of non-suid Xorg executable. It might differ depending -; on your distribution and version. The typical path is shown as follows: +; on your distribution and version. Find out the appropriate path for your +; environment. The typical path is known as follows: ; ; Fedora 26 or later : param=/usr/libexec/Xorg ; Debian 9 or later : param=/usr/lib/xorg/Xorg ; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg -; Arch Linux : param=/usr/lib/xorg-server/Xorg +; Arch Linux : param=/usr/lib/Xorg ; CentOS 7 : param=/usr/bin/Xorg or param=Xorg +; CentOS 8 : param=/usr/libexec/Xorg +; FreeBSD (from 2022Q4) : param=/usr/local/libexec/Xorg ; param=/usr/lib/xorg/Xorg -; Leave the rest paramaters as-is unless you understand what will happen. +; Leave the rest parameters as-is unless you understand what will happen. param=-config param=xrdp/xorg.conf param=-noreset 
@@ -105,11 +133,39 @@ param=-dpi param=96 [Chansrv] -; drive redirection, defaults to xrdp_client if not set +; drive redirection +; See sesman.ini(5) for the format of this parameter +#FuseMountName=/run/user/%u/thinclient_drives +#FuseMountName=/media/thinclient_drives/%U/thinclient_drives FuseMountName=thinclient_drives -; this value allows only the user to acess their own mapped drives. +; this value allows only the user to access their own mapped drives. ; Make this more permissive (e.g. 022) if required. FileUmask=077 +; Can be used to disable FUSE functionality - see sesman.ini(5) +#EnableFuseMount=false +; Uncomment this line only if you are using GNOME 3 versions 3.29.92 +; and up, and you wish to cut-paste files between Nautilus and Windows. Do +; not use this setting for GNOME 4, or other file managers +#UseNautilus3FlistFormat=true + +[ChansrvLogging] +; Note: one log file is created per display and the LogFile config value +; is ignored. The channel server log file names follow the naming convention: +; xrdp-chansrv.${DISPLAY}.log +; +; Note: Log levels can be any of: core, error, warning, info, debug, or trace +LogLevel=INFO +EnableSyslog=true +#SyslogLevel=INFO +#EnableConsole=false +#ConsoleLevel=INFO +#EnableProcessId=false + +[ChansrvLoggingPerLogger] +; Note: per logger configuration is only used if xrdp is built with +; --enable-devel-logging +#chansrv.c=INFO +#main()=INFO [SessionVariables] PULSE_SCRIPT=/etc/xrdp/pulse/default.pa diff --git a/roles/xrdp_apphost/templates/smb.conf.j2 b/roles/xrdp_apphost/templates/smb.conf.j2 index 73a7764..a989243 100644 --- a/roles/xrdp_apphost/templates/smb.conf.j2 +++ b/roles/xrdp_apphost/templates/smb.conf.j2 
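Review bot: Client drive redirection stays enabled with the default, since `EnableFuseMount` appears only as a commented example, and `FuseMountName=thinclient_drives` is a relative name, which (if I read the new sesman.ini(5) reference correctly) mounts each client's local drives under the user's home directory on the app host. Together with the unrestricted clipboard elsewhere in this file this is the main file ingress/egress path into the host; `FileUmask=077` limits the mount to the owning user but does not turn it off. Suggest making it switchable rather than a comment, `EnableFuseMount={{ xrdp_enable_fuse_mount | default(true) }}`, and adding a comment that the `rdpdr` channel in xrdp.ini's `[Channels]` section must also be disabled to fully block drive redirection (that section's current value is not visible in this diff).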
@@ -130,7 +130,7 @@ # This allows Unix users to be created on the domain controller via the SAMR # RPC pipe. The example command creates a user account with a disabled Unix # password; please adapt to your needs -; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u +; add user script = /usr/sbin/useradd --create-home %u # This allows machine accounts to be created on the domain controller via the # SAMR RPC pipe. @@ -215,7 +215,7 @@ ;[printers] ; comment = All Printers ; browseable = no -; path = /var/spool/samba +; path = /var/tmp ; printable = yes ; guest ok = no ; read only = yes diff --git a/roles/xrdp_apphost/templates/xrdp.ini.j2 b/roles/xrdp_apphost/templates/xrdp.ini.j2 index 766fbad..8f45f5d 100644 --- a/roles/xrdp_apphost/templates/xrdp.ini.j2 +++ b/roles/xrdp_apphost/templates/xrdp.ini.j2 @@ -10,6 +10,7 @@ fork=true ; ports to listen on, number alone means listen on all interfaces ; 0.0.0.0 or :: if ipv6 is configured ; space between multiple occurrences +; ALL specified interfaces must be UP when xrdp starts, otherwise xrdp will fail to start ; ; Examples: ; port=3389 @@ -62,6 +63,16 @@ ssl_protocols=TLSv1.2, TLSv1.3 ; set TLS cipher suites #tls_ciphers=HIGH +; concats the domain name to the user if set for authentication with the separator +; for example when the server is multi homed with SSSd +#domain_user_separator=@ + +; The following options will override the keyboard layout settings. +; These options are for DEBUG and are not recommended for regular use. +#xrdp.override_keyboard_type=0x04 +#xrdp.override_keyboard_subtype=0x01 +#xrdp.override_keylayout=0x00000409 + ; Section name to use for automatic login if the client sends username ; and password. If empty, the domain name sent by the client is used. ; If empty and no domain name is given, the first suitable section in 
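Review bot: `#tls_ciphers=HIGH` on the context line just above the new options is still commented out, so after this upgrade the cipher list used for the TLS 1.2 connections permitted by `ssl_protocols=TLSv1.2, TLSv1.3` is whatever OpenSSL defaults to on bookworm; I am inferring that from the file, and the effective list depends on how the package was built. Since `ssl_protocols` is pinned explicitly here, pin the cipher list the same way, e.g. `tls_ciphers={{ xrdp_tls_ciphers | default('HIGH:!aNULL:!MD5') }}`, or add a comment stating why the library default is acceptable for this host. The new `#domain_user_separator=@` option is fine left commented; if it is ever enabled, the client-supplied domain presumably becomes part of the login name passed on for authentication, so it should be noted as a user-name-policy decision in the template.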
@@ -80,6 +91,8 @@ new_cursors=true use_fastpath=both ; when true, userid/password *must* be passed on cmd line #require_credentials=true +; when true, the userid will be used to try to authenticate +#enable_token_login=true ; You can set the PAM error text in a gateway setup (MAX 256 chars) #pamerrortxt=change your password according to policy at http://url @@ -108,18 +121,39 @@ ls_title={{ xrdp_ls_title }} ls_top_window_bg_color={{ xrdp_ls_top_window_bg_color }} ; width and height of login screen +; +; The default height allows for about 5 fields to be comfortably displayed +; above the buttons at the bottom. To display more fields, make +; larger, and also increase and +; below +; ls_width={{ xrdp_ls_width }} ls_height={{ xrdp_ls_height }} ; login screen background color in RGB format ls_bg_color={{ xrdp_ls_bg_color }} -; optional background image filename (bmp format). +; optional background image filename. BMP format is always supported, +; but other formats will be supported if xrdp is build with imlib2 +; The transform can be one of the following:- +; none : No transformation. Image is placed in bottom-right corner +; of the screen. +; scale : Image is scaled to the screen size. The image aspect +; ratio is not preserved. +; zoom : Image is scaled to the screen size. The image aspect +; ratio is preserved by clipping the image. #ls_background_image= +#ls_background_transform=none ; logo -; full path to bmp-file or file in shared folder +; full path to file or file in shared folder. BMP format is always supported, +; but other formats will be supported if xrdp is build with imlib2 +; For transform values, see 'ls_background_transform'. The logo width and +; logo height are ignored for a transform of 'none'. ls_logo_filename=/usr/local/share/xrdp/{{ xrdp_ls_logo_filename }} +#ls_logo_transform=none +#ls_logo_width=240 +#ls_logo_height=140 ls_logo_x_pos={{ xrdp_ls_logo_x_pos }} ls_logo_y_pos={{ xrdp_ls_logo_y_pos }} 
@@ -147,11 +181,20 @@ ls_btn_cancel_width=85 ls_btn_cancel_height=30 [Logging] +; Note: Log levels can be any of: core, error, warning, info, debug, or trace LogFile=xrdp.log -LogLevel=DEBUG +LogLevel=INFO EnableSyslog=true -SyslogLevel=DEBUG -; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug +#SyslogLevel=INFO +#EnableConsole=false +#ConsoleLevel=INFO +#EnableProcessId=false + +[LoggingPerLogger] +; Note: per logger configuration is only used if xrdp is built with +; --enable-devel-logging +#xrdp.c=INFO +#main()=INFO [Channels] ; Channel names not listed here will be blocked by XRDP. @@ -171,9 +214,6 @@ tcutils=true ; for debugging xrdp, in section xrdp1, change port=-1 to this: #port=/tmp/.xrdp/xrdp_display_10 -; for debugging xrdp, add following line to section xrdp1 -#chansrvport=/tmp/.xrdp/xrdp_chansrv_socket_7210 - ; ; Session types @@ -211,7 +251,17 @@ code=20 #port=-1 ##xserverbpp=24 ##delay_ms=2000 +#; Disable requested encodings to support buggy VNC servers +#; (1 = ExtendedDesktopSize) +##disabled_encodings_mask=0 +#; Use this to connect to a chansrv instance created outside of sesman +#; (e.g. as part of an x11vnc console session). Replace '0' with the +#; display number of the session +##chansrvport=DISPLAY(0) +; Generic VNC Proxy +; Tailor this to specific hosts and VNC instances by specifying an ip +; and port and setting a suitable name. #[vnc-any] #name=vnc-any #lib=libvnc.so 
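Review bot: `LogLevel=INFO` is hard-coded here (and the matching `SyslogLevel` is left commented), whereas most other settings in this xrdp.ini template are role variables; dropping the previous `DEBUG` level is the right production default, but operators will still need to raise it temporarily during incident triage. A one-line `LogLevel={{ xrdp_loglevel | default('INFO') }}` keeps the commit's behaviour and avoids editing the template under pressure; the equivalent `[Logging]` line in sesman.ini in this same commit would benefit from the same variable for consistency.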
@@ -224,13 +274,54 @@ code=20 ##pamsessionmng=127.0.0.1 ##delay_ms=2000 +; Generic RDP proxy using NeutrinoRDP +; Tailor this to specific hosts by specifying an ip and port and setting +; a suitable name. #[neutrinordp-any] #name=neutrinordp-any +#; To use this section, you should build xrdp with configure option +#; --enable-neutrinordp. #lib=libxrdpneutrinordp.so #ip=ask #port=ask3389 #username=ask #password=ask +#; Uncomment the following lines to enable PAM authentication for proxy +#; connections. +##pamusername=ask +##pampassword=ask +##pamsessionmng=127.0.0.1 +#; Currently NeutrinoRDP doesn't support dynamic resizing. Uncomment +#; this line if you're using a client which does. +##enable_dynamic_resizing=false +#; By default, performance settings requested by the RDP client are ignored +#; and chosen by NeutrinoRDP. Uncomment this line to allow the user to +#; select performance settings in the RDP client. +##perf.allow_client_experiencesettings=true +#; Override any experience setting by uncommenting one or more of the +#; following lines. +##perf.wallpaper=false +##perf.font_smoothing=false +##perf.desktop_composition=false +##perf.full_window_drag=false +##perf.menu_anims=false +##perf.themes=false +##perf.cursor_blink=false +#; By default NeutrinoRDP supports cursor shadows. If this is giving +#; you problems (e.g. cursor is a black rectangle) try disabling cursor +#; shadows by uncommenting the following line. +#perf.cursor_shadow=false +#; By default, NeutrinoRDP uses the keyboard layout of the remote RDP Server. +#; If you want to tell the remote the keyboard layout of the RDP Client, +#; by uncommenting the following line. +##neutrinordp.allow_client_keyboardLayout=true +#; The following options will override the remote keyboard layout settings. +#; These options are for DEBUG and are not recommended for regular use. 
+##neutrinordp.override_keyboardLayout_mask=0x0000FFFF +##neutrinordp.override_kbd_type=0x04 +##neutrinordp.override_kbd_subtype=0x01 +##neutrinordp.override_kbd_fn_keys=12 +##neutrinordp.override_kbd_layout=0x00000409 ; You can override the common channel settings for each session type #channel.rdpdr=true