Discussion:
Arch Linux PC as a Remote Desktop Node
Foxtrot Mike via arch-general
2018-07-27 17:07:42 UTC
Hi all,

Currently we have around 10 employees who develop software using Visual
Studio. The idea is to install the development tools on the Windows
Server system, and to have all the developers connect to the server over
RDP using low-end low-power computers. The server is pretty beefy
though. The low end client PCs will save up-front cost as well as power
bills. The network backend will not have any issue with the increased
RDP traffic.

I have been using Arch Linux for some years now, so I undertook this as
a research project. I want to use the Arch system as a Remote Desktop
node. The Arch system would use a login manager (such as lightdm) to
authenticate users from Windows Domain. Once the user has been
authenticated, the system is supposed to automatically open a RDP
connection (using freerdp) to the Windows Server (if possible, using the
credentials provided to lightdm so the user doesn't have to enter his
password twice). As soon as the user quits the RDP session, his
X-session should also be closed automatically.

Here are the major tasks:

1- Ask LightDM to use Windows Domain (Kerberos) authentication. I am a
little confused. There are supposedly many different ways with little
changes to do this. [1] is one solution. LDAP is also a possibility. I
need advice from someone who knows this field better than me :p

2- How to ask i3-wm (my default wm) to run freerdp at login? I guess [2]
will get this done.

3- How to ask freerdp to authenticate using the ticket received from TGT
during LightDM Domain authentication? If I could somehow configure
freerdp to use Kerberos Tickets then the user won't have to enter his
Domain password again.

4- How to ask i3-wm to close the X-session when freeRDP quits? I read
something a while ago about .xsession files to achieve this
functionality, but can't find it now.

Any help would be appreciated!

Regards.

[1]
https://wiki.archlinux.org/index.php/Active_Directory_Integration#Join_the_domain

[2]
https://i3wm.org/docs/userguide.html#_automatically_starting_a
Giancarlo Razzolini via arch-general
2018-07-27 17:16:11 UTC
Post by Foxtrot Mike via arch-general
1- Ask LightDM to use Windows Domain (Kerberos) authentication. I am a
little confused. There are supposedly many different ways with little
changes to do this. [1] is one solution. LDAP is also a possibility. I
need advice from someone who knows this field better than me :p
2- How to ask i3-wm (my default wm) to run freerdp at login? I guess [2]
will get this done.
3- How to ask freerdp to authenticate using the ticket received from TGT
during LightDM Domain authentication? If I could somehow configure
freerdp to use Kerberos Tickets then the user won't have to enter his
Domain password again.
4- How to ask i3-wm to close the X-session when freeRDP quits? I read
something a while ago about .xsession files to achieve this
functionality, but can't find it now.
Hi Mike,

You have some options here. I suggest you look into x2go and ltsp for starters.
I don't suggest you use plain X over the network.

With those 2 options you can have this kiosk mode you want, for the users to only
be able to access windows.

Regards,
Giancarlo Razzolini
Foxtrot Mike via arch-general
2018-07-27 17:46:14 UTC
Post by Giancarlo Razzolini via arch-general
Post by Foxtrot Mike via arch-general
1- Ask LightDM to use Windows Domain (Kerberos) authentication. I am
a little confused. There are supposedly many different ways with
little changes to do this. [1] is one solution. LDAP is also a
possibility. I need advice from someone who knows this field better
than me :p
2- How to ask i3-wm (my default wm) to run freerdp at login? I guess
[2] will get this done.
3- How to ask freerdp to authenticate using the ticket received from
TGT during LightDM Domain authentication? If I could somehow
configure freerdp to use Kerberos Tickets then the user won't have to
enter his Domain password again.
4- How to ask i3-wm to close the X-session when freeRDP quits? I read
something a while ago about .xsession files to achieve this
functionality, but can't find it now.
Hi Mike,
You have some options here. I suggest you look into x2go and ltsp for starters.
I don't suggest you use plain X over the network.
With those 2 options you can have this kiosk mode you want, for the users to only
be able to access windows.
Regards,
Giancarlo Razzolini
Thanks for the reply.

The issue with x2go and ltsp is that I'll have to separately manage
username and passwords for local Linux login. The solution that I'd
rather prefer would use Active directory authentication so the current
system administrator won't have to do anything extra. The group policies
are already there. Once the Arch system is properly configured, I'd
disable local logins so there will be very limited chance for a user to
corrupt/modify Arch system. And ideally, the user would have no way to
interact with the local system. That's why I want to limit the user to
freeRDP. Anything else, and the X-session expires.

Plus, I am very much into embedded linux systems (routers, SBCs, etc). I
think putting the various pieces together would give me a lot more to
learn as compared to using a third party specialized software such as a
kiosk script.
Bardur Arantsson
2018-07-27 18:07:23 UTC
Post by Foxtrot Mike via arch-general
The issue with x2go and ltsp is that I'll have to separately manage
username and passwords for local Linux login. The solution that I'd
rather prefer would use Active directory authentication so the current
system administrator won't have to do anything extra. The group policies
are already there. Once the Arch system is properly configured, I'd
disable local logins so there will be very limited chance for a user to
corrupt/modify Arch system. And ideally, the user would have no way to
interact with the local system. That's why I want to limit the user to
freeRDP. Anything else, and the X-session expires.
I'm not up to speed on the windows world, but could PAM LDAP
authentication perhaps be of help here?

Regards,
Giancarlo Razzolini via arch-general
2018-07-27 18:17:07 UTC
Post by Foxtrot Mike via arch-general
The issue with x2go and ltsp is that I'll have to separately manage
username and passwords for local Linux login. The solution that I'd
rather prefer would use Active directory authentication so the current
system administrator won't have to do anything extra. The group policies
are already there. Once the Arch system is properly configured, I'd
disable local logins so there will be very limited chance for a user to
corrupt/modify Arch system. And ideally, the user would have no way to
interact with the local system. That's why I want to limit the user to
freeRDP. Anything else, and the X-session expires.
You have more than one option to authenticate to windows AD servers [0] . You
have PAM Ldap, winbind, making a samba server the secondary controller, etc.

You will probably need a local home dir for storing session data, but this can
be created/destroyed on demand.
Post by Foxtrot Mike via arch-general
Plus, I am very much into embedded linux systems (routers, SBCs, etc). I
think putting the various pieces together would give me a lot more to
learn as compared to using a third party specialized software such as a
kiosk script.
Why reinvent the wheel here? I understand the need for learning, but I wouldn't
do this on something that is intended as a production system. Again, don't use
plain X protocol over the network, it's very wasteful.

Regards,
Giancarlo Razzolini

[0] https://wiki.archlinux.org/index.php/Active_Directory_Integration
Foxtrot Mike via arch-general
2018-07-29 13:03:21 UTC
Post by Giancarlo Razzolini via arch-general
Post by Foxtrot Mike via arch-general
The issue with x2go and ltsp is that I'll have to separately manage
username and passwords for local Linux login. The solution that I'd
rather prefer would use Active directory authentication so the
current system administrator won't have to do anything extra. The
group policies are already there. Once the Arch system is properly
configured, I'd disable local logins so there will be very limited
chance for a user to corrupt/modify Arch system. And ideally, the
user would have no way to interact with the local system. That's why I
want to limit the user to freeRDP. Anything else, and the X-session
expires.
You have more than one option to authenticate to windows AD servers [0] . You
have PAM Ldap, winbind, making a samba server the secondary
controller, etc.
I thought these options worked together, i.e., I'd have to use samba, PAM and
winbind all together. Thanks for the info. I'll look deeper into it.
Post by Giancarlo Razzolini via arch-general
You will probably need a local home dir for storing session data, but this can
be created/destroyed on demand.
Post by Foxtrot Mike via arch-general
Plus, I am very much into embedded linux systems (routers, SBCs,
etc). I think putting the various pieces together would give me a
lot more to learn as compared to using a third party specialized
software such as a kiosk script.
Why reinvent the wheel here? I understand the need for learning, but I wouldn't
do this on something that is intended as a production system. Again, don't use
plain X protocol over the network, it's very wasteful.
I plan to use RDP. I think it's not the same as using 'plain X protocol
over the network' since RDP includes encryption and compression, afaik.
Please correct me if I'm wrong.
Post by Giancarlo Razzolini via arch-general
Regards,
Giancarlo Razzolini
[0] https://wiki.archlinux.org/index.php/Activ
ProgAndy
2018-07-27 19:24:15 UTC
Post by Foxtrot Mike via arch-general
Post by Giancarlo Razzolini via arch-general
Post by Foxtrot Mike via arch-general
1- Ask LightDM to use Windows Domain (Kerberos) authentication. I am
a little confused. There are supposedly many different ways with
little changes to do this. [1] is one solution. LDAP is also a
possibility. I need advice from someone who knows this field better
than me :p
2- How to ask i3-wm (my default wm) to run freerdp at login? I guess
[2] will get this done.
3- How to ask freerdp to authenticate using the ticket received from
TGT during LightDM Domain authentication? If I could somehow
configure freerdp to use Kerberos Tickets then the user won't have to
enter his Domain password again.
4- How to ask i3-wm to close the X-session when freeRDP quits? I read
something a while ago about .xsession files to achieve this
functionality, but can't find it now.
Hi Mike,
You have some options here. I suggest you look into x2go and ltsp for starters.
I don't suggest you use plain X over the network.
With those 2 options you can have this kiosk mode you want, for the users to only
be able to access windows.
Regards,
Giancarlo Razzolini
Thanks for the reply.
The issue with x2go and ltsp is that I'll have to separately manage
username and passwords for local Linux login. The solution that I'd
rather prefer would use Active directory authentication so the current
system administrator won't have to do anything extra. The group policies
are already there. Once the Arch system is properly configured, I'd
disable local logins so there will be very limited chance for a user to
corrupt/modify Arch system. And ideally, the user would have no way to
interact with the local system. That's why I want to limit the user to
freeRDP. Anything else, and the X-session expires.
Plus, I am very much into embedded linux systems (routers, SBCs, etc). I
think putting the various pieces together would give me a lot more to
learn as compared to using a third party specialized software such as a
kiosk script.
Regards.
The Arctica Project seems to be in the process of implementing exactly
what you want.

https://arctica-project.org/

https://github.com/ArcticaProject/remote-logon-service


Regards,
Andy
Giancarlo Razzolini via arch-general
2018-07-27 19:33:59 UTC
Post by ProgAndy
The Arctica Project seems to be in the process of implementing exactly
what you want.
https://arctica-project.org/
https://github.com/ArcticaProject/remote-logon-service
It looks like they are using Nomachine's nx libraries, the same ones x2go uses. And the fact
that the transport is over SSH makes it look a lot like x2go. But it seems to me that the
project is very much at the beginning; I wouldn't use it for production either.

Regards,
Giancarlo Razzolini
cyelae via arch-general
2018-07-27 21:52:59 UTC
Post by Foxtrot Mike via arch-general
Hi all,
Currently we have around 10 employees who develop software using Visual
Studio. The idea is to install the development tools on the Windows
Server system, and to have all the developers connect to the server over
RDP using low-end low-power computers. The server is pretty beefy
though. The low end client PCs will save up-front cost as well as power
bills. The network backend will not have any issue with the increased
RDP traffic.
I'm not sure about the auth part given my little experience with it, but
if you're going to log into a server via RDP, can't you simply have your
lightweight machine automatically open a default session [1], connect to
the windows server, and authenticate users there?

If you're going to only have one app running on the client machines, you
don't need a window manager; xinit does that [2] [3]

[1] https://wiki.archlinux.org/index.php/Xinit#Autostart_X_at_login
[2]
https://wiki.archlinux.org/index.php/Xinit#Starting_applications_without_a_window_manager
[3] https://bbs.archlinux.org/viewtopic.php?id=107319
Ralph Corderoy
2018-07-28 09:55:51 UTC
Hi Mike,
Post by cyelae via arch-general
I'm not sure about the auth part given my little experience with it,
but if you're going to log into a server via RDP, can't you simply
have your lightweight machine automatically open a default session
[1], connect to the windows server, and authenticate users there?
That would be my suggestion. It sounds like you don't want the local
user to be able to access anything but the remote Windows server anyway.
I realise you want to know how to fit the parts together yourself,
but it would still be worth a look at existing solutions for ideas,
e.g. should a user be able to shutdown the PC?

https://thinstation.github.io/thinstation/
http://porteus-kiosk.org/
http://users.telenet.be/mydotcom/howto/linuxkiosk/rdpterm.html
--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Foxtrot Mike via arch-general
2018-07-29 13:08:40 UTC
Post by cyelae via arch-general
Post by Foxtrot Mike via arch-general
Hi all,
Currently we have around 10 employees who develop software using Visual
Studio. The idea is to install the development tools on the Windows
Server system, and to have all the developers connect to the server over
RDP using low-end low-power computers. The server is pretty beefy
though. The low end client PCs will save up-front cost as well as power
bills. The network backend will not have any issue with the increased
RDP traffic.
I'm not sure about the auth part given my little experience with it,
but if you're going to log into a server via RDP, can't you simply
have your lightweight machine automatically open a default session
[1], connect to the windows server, and authenticate users there?
You mean I should have something like a guest account on Linux for
opening an X session, and then the RDP application would connect to the
Windows Server and ask for Windows Domain password? I think it could be
done, but I'll have to severely limit the guest account from security
point of view.
Post by cyelae via arch-general
If you're going to only have one app running on the client machines,
you don't need a window manager; xinit do that [2] [3]
I tried opening Firefox using init, without any window manager. Firefox
did open but there were some issues with graphics. Such as upon right
clicking, the options menu wouldn't show. Also, youtube for some reason
didn't show any thumbnail. After some research it seemed that directly
running an application from xinit without a window manager is not a good
idea if the application is graphically complex.
Post by cyelae via arch-general
[1] https://wiki.archlinux.org/index.php/Xinit#Autostart_X_at_login
[2]
https://wiki.archlinux.org/index.php/Xinit#Starting_applications_without_a_window_manager
[3] https://bbs.arc
Chris Warrick via arch-general
2018-07-29 17:01:29 UTC
On Fri, 27 Jul 2018 at 19:07, Foxtrot Mike via arch-general
Post by Foxtrot Mike via arch-general
Hi all,
Currently we have around 10 employees who develop software using Visual
Studio. The idea is to install the development tools on the Windows
Server system, and to have all the developers connect to the server over
RDP using low-end low-power computers. The server is pretty beefy
though. The low end client PCs will save up-front cost as well as power
bills. The network backend will not have any issue with the increased
RDP traffic.
If I were one of the employees, I wouldn’t be very happy about the
idea. RDP will never be as reliable and snappy as working on a
physical machine, even if the server was more powerful. Developers
aren’t the best employees to make savings on. Do note that the savings
will be limited due to eg. Windows Server licensing. Also, have you
tested it and made sure that all the software is compatible with
concurrent use via RDP?

But if you have to, here’s an idea:

One Linux user account, auto-login into X. That user account runs
Openbox (as something more user-friendly), which auto-starts a RDP
client.
After the user ends their Windows session, a dialog box (eg. from
Zenity) appears, asking to restart the Windows session or shut down
the computer, perhaps with a timeout.
--
Chris Warrick <https://chriswarrick.com/>
PGP: 5EAAEA16
Foxtrot Mike via arch-general
2018-07-30 13:49:59 UTC
Post by Chris Warrick via arch-general
On Fri, 27 Jul 2018 at 19:07, Foxtrot Mike via arch-general
Post by Foxtrot Mike via arch-general
Hi all,
Currently we have around 10 employees who develop software using Visual
Studio. The idea is to install the development tools on the Windows
Server system, and to have all the developers connect to the server over
RDP using low-end low-power computers. The server is pretty beefy
though. The low end client PCs will save up-front cost as well as power
bills. The network backend will not have any issue with the increased
RDP traffic.
If I were one of the employees, I wouldn’t be very happy about the
idea. RDP will never be as reliable and snappy as working on a
physical machine, even if the server was more powerful. Developers
aren’t the best employees to make savings on. Do note that the savings
will be limited due to eg. Windows Server licensing. Also, have you
tested it and made sure that all the software is compatible with
concurrent use via RDP?
Well, the decision to use RDP comes from higher management. There was a
suggestion to use proprietary thin clients (such as from HP), but I
thought I could make the 'system' myself with some tinkering. The
network backend is enough for these RDP sessions. Maybe the lag won't
be that bad. If the worst happens, I'll write all this effort and time
off as 'experience'.
Post by Chris Warrick via arch-general
One Linux user account, auto-login into X. That user account runs
Openbox (as something more user-friendly), which auto-starts a RDP
client.
After the user ends their Windows session, a dialog box (eg. from
Zenity) appears, asking to restart the Windows session or shut down
the computer, perhaps with a timeout.
Thanks. That's the approach I have decided would be the best, based on
the very helpful comments from other users.
One thing though. How can I automatically detect that FreeRDP session
has been closed so that I can run a small Zenity script?
Ralph Corderoy
2018-07-30 14:00:44 UTC
Hi Mike,
How can I automatically detect that FreeRDP session has been closed so
that I can run a small Zenity script?
Well, a script is probably being run, just like a .xinitrc might be,
and instead of its normal

    xclock &
    xbiff &
    xterm &
    exec twm

to start a bunch of X clients in the background and then replace xinit
with the window manager, ending the session when the WM quits, you could

    twm &
    rdp-client
    timeout 30 zenity ...
    # ...conditionally reboot, shutdown, or just re-start X server when
    # it exits to get a fresh rdp-client.

so sh(1) waits for rdp-client to exit before executing further commands.
--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Chris Warrick via arch-general
2018-07-30 14:24:10 UTC
Post by Giancarlo Razzolini via arch-general
Hi Mike,
How can I automatically detect that FreeRDP session has been closed so
that I can run a small Zenity script?
Well, a script is probably being run, just like a .xinitrc might be,
and instead of its normal
xclock &
xbiff &
xterm &
exec twm
to start a bunch of X clients in the background and then replace xinit
with the window manager, ending the session when the WM quits, you could
twm &
rdp-client
timeout 30 zenity ...
# ...conditionally reboot, shutdown, or just re-start X server when
# it exits to get a fresh rdp-client.
so sh(1) waits for rdp-client to exit before executing further commands.
One issue here: it’s possible that the RDP client returns control to
the shell immediately (as some GUI apps will do). In that case, you’ll
need a different solution.
--
Chris Warrick <https://chriswarrick.com/>
PGP: 5EAAEA16
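
Added example (not written by any poster in this thread): a session script that keeps the RDP client in the foreground as described above, and also covers the case where the client returns control to the shell immediately. The host name, the default commands, the `--run` guard and the policy in `next_action` are assumptions for illustration.

```shell
#!/bin/sh
# Kiosk session script for the auto-login account (added example).
# Assumed names: RDP_HOST is a placeholder; WM_CMD, RDP_CMD and CLIENT_NAME
# are illustrative defaults that can be overridden from the environment.
# No credentials are stored in or passed by this script.
RDP_HOST="${RDP_HOST:-rdp.example.internal}"
WM_CMD="${WM_CMD:-openbox}"
RDP_CMD="${RDP_CMD:-xfreerdp /f /v:$RDP_HOST}"
CLIENT_NAME="${CLIENT_NAME:-xfreerdp}"

# Run the RDP client and return only once it is really gone.
run_client() {
    rc=0
    $RDP_CMD || rc=$?      # sh waits here while the client stays in the foreground
    # If the client handed control back at once (it detached), keep waiting
    # for as long as this user still has a process with that name.
    while pgrep -u "$(id -u)" -x "$CLIENT_NAME" >/dev/null 2>&1; do
        sleep 1
    done
    return "$rc"
}

# Ask what to do next; timeout(1) exits 124 if nobody answers within 30 s.
ask_user() {
    timeout 30 zenity --question \
        --text="Windows session ended." \
        --ok-label="Reconnect" --cancel-label="Shut down"
}

# Map the dialog's exit status to an action (the policy is an assumption):
#   0 = Reconnect button, 1 = Shut down button,
#   anything else (124 timeout, 127 zenity missing, ...) = end the X session.
next_action() {
    case "$1" in
        0) echo reconnect ;;
        1) echo shutdown ;;
        *) echo logout ;;
    esac
}

main() {
    $WM_CMD &
    wm_pid=$!
    while :; do
        run_client || true  # the client's exit status is not used for policy
        status=0
        ask_user || status=$?
        case "$(next_action "$status")" in
            reconnect) continue ;;
            shutdown)  systemctl poweroff; break ;;
            logout)    break ;;
        esac
    done
    kill "$wm_pid" 2>/dev/null
    # Returning ends the script, so xinit tears the X session down; the user
    # is never left with a window manager and no RDP client.
}

# Only act as the session when asked to, e.g. from ~/.xinitrc:
#   exec /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```
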
David C. Rankin
2018-07-30 00:38:36 UTC
Post by Foxtrot Mike via arch-general
I want to use the Arch system as a Remote Desktop
node. The Arch system would use a login manager (such as lightdm) to
authenticate users from Windows Domain. Once the user has been
authenticated, the system is supposed to automatically open a RDP
connection (using freerdp) to the Windows Server (if possible, using the
credentials provided to lightdm so the user doesn't have to enter his
password twice). As soon as the user quits the RDP session, his
X-session should also be closed automatically.
FM,

I am totally confused as to what and why you are wanting to put your Arch
server between the employees and the RDP session to the windows server?? Where
is the code they produce stored? Windows? Arch Server?

Why not just have them open a single RDP session to the windows server
directly? Are they actually using something from the Linux box?

If there is a reason why they need the Arch server, do they each have a
Linux user account there? If they do, why not use vncserver (TigerVNC) to
provide a Linux desktop to them using ssh tunneling. The vncserver can handle
the X startup (it provides a nice short configuration file you can tweak to
start whatever desktop you like. I3 is fine, fluxbox is another excellent
choice). You likely could launch the additional RDP session there, or have the
desktop startup file do it for you.

Sorry for the additional questions, but I am not clear on what you are
trying to achieve and there may be simpler ways of doing it -- if I understood
what you were trying to do.

I use RDP to both Linux and Windows, but each are virtualized with
VirtualBox and made available over the network. That would be a bit resource
intensive for the server depending on your RAM -- I run guests with 2G.

If all the employees and both the Arch and Windows servers are behind a
secure firewall, then XDMCP is another option for providing a remote Xsession
to your employees. It has its valid uses, but is generally frowned upon from a
security standpoint.

If all your employees need is the VS install on the windows server -- then I
don't see how the Arch server would be a benefit to have in the middle. (of
course I don't see the benefit of coding in VS... but to each his own...)
--
David C. Rankin, J.D.,P.E.
Ralph Corderoy
2018-07-30 07:32:11 UTC
Hi David,
Post by David C. Rankin
I want to use the Arch system as a Remote Desktop node. The Arch
system would use a login manager (such as lightdm) to authenticate
users from Windows Domain. Once the user has been authenticated, the
system is supposed to automatically open a RDP connection (using
freerdp) to the Windows Server (if possible, using the credentials
provided to lightdm so the user doesn't have to enter his password
twice). As soon as the user quits the RDP session, his X-session
should also be closed automatically.
I am totally confused as to what and why you are wanting to put your
Arch server between the employees and the RDP session to the windows
server?? Where is the code they produce stored? Windows? Arch Server?
Mike didn't mention an Arch server. He has a Windows server and ten
PCs. He wants each PC to be a dumb RDP terminal to the server. He is
considering running `the Arch system' on each dumb PC to provide the
RDP-terminal functionality, e.g. an X server and RDP client.
--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Foxtrot Mike via arch-general
2018-07-30 13:51:00 UTC
Post by Ralph Corderoy
Hi David,
Post by David C. Rankin
I want to use the Arch system as a Remote Desktop node. The Arch
system would use a login manager (such as lightdm) to authenticate
users from Windows Domain. Once the user has been authenticated, the
system is supposed to automatically open a RDP connection (using
freerdp) to the Windows Server (if possible, using the credentials
provided to lightdm so the user doesn't have to enter his password
twice). As soon as the user quits the RDP session, his X-session
should also be closed automatically.
I am totally confused as to what and why you are wanting to put your
Arch server between the employees and the RDP session to the windows
server?? Where is the code they produce stored? Windows? Arch Server?
Mike didn't mention an Arch server. He has a Windows server and ten
PCs. He wants each PC to be a dumb RDP terminal to the server. He is
considering running `the Arch system' on each dumb PC to provide the
RDP-terminal functionality, e.g. an X server and RDP client.
Thank
David C. Rankin
2018-07-31 00:53:11 UTC
Post by Ralph Corderoy
Post by David C. Rankin
I am totally confused as to what and why you are wanting to put your
Arch server between the employees and the RDP session to the windows
server?? Where is the code they produce stored? Windows? Arch Server?
Mike didn't mention an Arch server. He has a Windows server and ten
PCs. He wants each PC to be a dumb RDP terminal to the server. He is
considering running `the Arch system' on each dumb PC to provide the
RDP-terminal functionality, e.g. an X server and RDP client.
Ralph,

Oh, oh, that makes sense. Yes, just load arch, load whatever lightweight
desktop you like. I like both i3 and fluxbox, but prefer fluxbox. A lightdm
type DM is fine. With fluxbox, I would just configure the autologin to the
windows RDP session via the ~/.fluxbox/startup file. I don't use AD/Kerberos,
etc., but I see no reason you couldn't do something similar. As long as you
can invoke the RDP session from the command line -- you can put it in a
startup file. I've always just used the rdesktop package from the community
repository. Always worked fine.

FM

Good luck on the project and sorry for the confusion.
--
David C. Rankin, J.D.,P.E.