
Linux VDA 7.12 Session Logs off Immediately


Mohammad Noman Ovais

Question

Hello

 

I am trying to get a Linux VDA 7.12 to work with my XenApp 7.12 environment. The VDA is running SUSE Linux Enterprise Server 12 SP1. I have followed the guide provided by Citrix and have been able to get the machine to register with the controller. However, upon opening the Shared Desktop using Receiver for Web, the session window opens, loads and closes almost immediately. Upon looking at the VDA logs under /var/log/xdl/vda.log, I see:

 

2017-01-24 05:33:36.853 [iNFO ] - The Citrix Desktop Service detected that a user session has ended. Session '06bbb2ff-7944-47e7-87f2-4ff13697c939' for user 'testuser01' has ended; reason code 'Logoff'.

 

On the Delivery Controller side, I see an Event 45:BrokerSessionStartFailed event under Citrix-XenDesktop-BrokerMonitor/Operational.

 

Can anyone shed some light on the issue and help resolve it?

 

P.S. I am a Linux noobie.

 

Thanks.

Noman.

 

 

 

 

 

Link to comment

15 answers to this question


Hi Guoyi,

 

I am currently working on a PoC and don't have Citrix Support. Can you please give me a link to the trace package along with steps to execute it?

 

Update:

 

As I go into the /var/log/messages file, I see the following:

 

2017-01-25T05:06:14.436929+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): getting password (0x00000190)
2017-01-25T05:06:14.437207+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): pam_get_item returned a password
2017-01-25T05:06:14.441492+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user

 

Any ideas?

 

Thanks in advance.

Link to comment
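A small triage parser for the pam_winbind failure line quoted in the post above, added here as an example (it is not part of the thread and not Citrix tooling). It assumes the ISO-timestamp syslog format shown in that post; the function names and the hint text are illustrative.

```python
import re
from collections import Counter

# Constructed sample: the three /var/log/messages lines quoted in the post above.
SAMPLE = """\
2017-01-25T05:06:14.436929+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): getting password (0x00000190)
2017-01-25T05:06:14.437207+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): pam_get_item returned a password
2017-01-25T05:06:14.441492+05:00 ctx-linux-vda01 sshd[10361]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
"""

# Matches only the "request ... failed" lines; informational lines are skipped.
FAIL = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"request (?P<call>\w+) failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam>\w+) \((?P<pam_code>\d+)\), "
    r"NTSTATUS: (?P<ntstatus>\w+), Error message was: (?P<msg>.*)$"
)

# General meaning of common NTSTATUS values (illustrative hints, not a diagnosis).
HINTS = {
    "NT_STATUS_NO_SUCH_USER": "the account name was not found",
    "NT_STATUS_WRONG_PASSWORD": "the account exists but the password was rejected",
    "NT_STATUS_LOGON_FAILURE": "unknown user name or bad password",
    "NT_STATUS_ACCOUNT_DISABLED": "the account is disabled",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "the account is locked out",
    "NT_STATUS_PASSWORD_EXPIRED": "the password has expired",
}

def parse_failures(text):
    """Return one dict per pam_winbind failure line found in text."""
    failures = []
    for line in text.splitlines():
        m = FAIL.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["pam_code"] = int(rec["pam_code"])
            rec["hint"] = HINTS.get(rec["ntstatus"], "no hint for this status")
            failures.append(rec)
    return failures

def summarize(failures):
    """Count failures per (PAM service, PAM phase, NTSTATUS)."""
    return Counter((f["service"], f["phase"], f["ntstatus"]) for f in failures)

if __name__ == "__main__":
    for key, count in summarize(parse_failures(SAMPLE)).items():
        print(count, *key)
```
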

Please try the following actions:

1) Execute command "ssh localhost -l  <domain>\\<domain user>" on the shell of Linux VDA server to see what will happen.

2) Try to log in to Linux VDA via console to see if xdesktop could be normally launched.

 

As for the trace package, please turn to Citrix support.

 

thanks

Guoyi

Link to comment

Please let us know the following files:

 

/etc/pam.d/common-account

/etc/pam.d/common-auth

/etc/pam.d/common-password

/etc/pam.d/common-session

/etc/samba/smb.conf

/etc/krb5.conf

/etc/security/pam_winbind.conf

 

If you use SSSD to join the domain, please supply /etc/sssd/sssd.conf also.

 

My mail guoyi.zhou@citrix.com

 

thanks

Guoyi

Link to comment

Hello Guoyi...

 

I am using Samba Winbind for AD Integration. Domain name is VDICLOUD.COM.

 

Here is the output you requested:

 

/etc/pam.d/common-account

 

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired.
#
account requisite       pam_unix.so     try_first_pass
account sufficient      pam_localuser.so
account required        pam_winbind.so  use_first_pass
 

 

 

/etc/pam.d/common-auth

 

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix.so     try_first_pass
auth    required        pam_winbind.so  use_first_pass
 

 

 

/etc/pam.d/common-password

 

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define  the services to be
# used to change user passwords.
#
password        sufficient      pam_winbind.so
password        requisite       pam_cracklib.so
password        optional        pam_gnome_keyring.so    use_authtok
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass
 

 

/etc/pam.d/common-session

 

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session  optional       pam_mkhomedir.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session required        pam_winbind.so
session optional        pam_umask.so
session optional        pam_systemd.so
session optional        pam_gnome_keyring.so    auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional        pam_env.so
 

 

/etc/samba/smb.conf

 

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
        workgroup = VDICLOUD
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        kerberos method = secrets and keytab
        realm = VDICLOUD.COM
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind use default domain = yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
 

 

/etc/krb5.conf

 

[libdefaults]
        default_realm = VDICLOUD.COM
        clockskew = 300
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        dns_lookup_kdc = false

[realms]
VDICLOUD.COM = {
        kdc = ad01.vdicloud.com
        admin_server = ad01.vdicloud.com
        default_domain = vdicloud.com
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        vdicloud.com = VDICLOUD.COM
        .vdicloud.com = VDICLOUD.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
}
 

 

 

/etc/security/pam_winbind.conf

 

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
# For more details see man pam_winbind.conf(5)

[global]
        krb5_auth = yes
        krb5_ccache_type = FILE

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
;mkhomedir = no
 

Link to comment

Here are our suggestions:

 

1. Use XDPing to check the configuration. CTX202015 - Linux XDPing Tool

2. Install the trace package (ask Citrix support to supply the package), then enable Trace Logging (CTX220130 How to Enable Trace Logging for the Linux VDA)

 

3. Use xdlcollect to collect the log and seek help from LCM team. CTX202252 - xdlcollect - How to collect logs from XenDesktop Linux VDA

 

thanks

Guoyi

Link to comment

Archived

This topic is now archived and is closed to further replies.
