Resolve RDP debugging: root cause + xrdp fix for gnome-remote-desktop (#41)
The "Server refused connection (wrong security type?)" failure was root-caused end-to-end: guacd 1.5.5 ships FreeRDP 2.11.5, whose NLA/CredSSP client cannot authenticate against gnome-remote-desktop, which mandates NLA (HYBRID_REQUIRED_BY_SERVER) with no option to disable it. The earlier EGL/Mesa/Zink GPU theory was a red herring. Proven at every layer: direct xfreerdp v3 to the VM, the real guacd protocol path (all security modes fail identically), and guacd's own logs. Also verified guacd:1.6.0 still ships FreeRDP 2.11.7, so an image bump would NOT fix it.

Fix applied to the test VM: replaced gnome-remote-desktop with xrdp (masked the GNOME user service so it can't re-grab port 3389), which interoperates with guacd's FreeRDP 2. Verified a real session streams through guacd with security=any. No ArchNest code change was needed — the existing security/ignore-cert handling in guacamole.ts is correct.

Documents this as a general finding since other users will hit GNOME's built-in RDP the same way.

Co-authored-by: Samuel James <ssamjame@amazon.com>
Co-authored-by: Kiro <noreply@kiro.dev>
This commit is contained in:
parent
74f8b9f705
commit
d1fefd3a63
1 changed files with 50 additions and 0 deletions
@ -1,5 +1,55 @@
# RDP Connection Debugging — Handoff Doc

## ✅ RESOLVED (2026-06-22) — root cause found, proven end-to-end

**Root cause: guacd 1.5.5 ships FreeRDP 2.11.5, whose NLA/CredSSP client cannot
complete authentication against gnome-remote-desktop, which *mandates* NLA.**

Proven at every layer (not a theory — the EGL/Mesa/Zink hypothesis below was a red herring):

1. **Server mandates NLA.** Direct `xfreerdp` (v3) from the Fedora VM to its own
gnome-remote-desktop returns, for `/sec:tls` and `/sec:rdp`:
`[WARN][com.freerdp.core.nego] Error: HYBRID_REQUIRED_BY_SERVER [0x00000005]` →
`Protocol Security Negotiation Failure`. `grdctl rdp set-auth-methods` only offers
`credentials` (NLA) and `kerberos` — **there is no non-NLA / plain-RDP mode** to turn off.
2. **guacd's FreeRDP 2 can't do NLA against it.** Driving the *real* guacd path
(guacd 172.18.0.2:4822 → VM) with `security` = `nla`, `tls`, `rdp`, AND `any` all return
the identical Guacamole error `Server refused connection (wrong security type?)` (code 519).
guacd's own log confirms it tried correctly: `Security mode: NLA` … then
`RDP server closed/refused connection: Server refused connection (wrong security type?)`.
The fact that all four modes fail *identically* was the tell — it's not a mode mismatch,
it's that FreeRDP 2's CredSSP handshake is incompatible with gnome-remote-desktop's.
3. **Bumping guacd does NOT fix it.** `guacamole/guacd:1.6.0` still ships FreeRDP **2.11.7**
(verified by inspecting the image). FreeRDP **3.x** is what fixes gnome-remote-desktop NLA
interop, and Apache's guacd image doesn't ship FreeRDP 3 yet. So an image bump is wasted.

### Fix / recommendation (general — other ArchNest users will hit this)

gnome-remote-desktop is **not a reliable RDP target for guacd-based gateways** (this affects
Fedora/Ubuntu 22.04+ desktops using GNOME's built-in "Remote Desktop"). The fix applied here,
plus the alternative considered:

- **Applied & verified (operational, per-VM): replaced gnome-remote-desktop with `xrdp`** on
the test VM. xrdp's RDP-security path interoperates with guacd's FreeRDP 2. Steps run:
`sudo dnf install -y xrdp && sudo systemctl enable --now xrdp`; then disabled + **masked**
gnome-remote-desktop's user service (`systemctl --user mask gnome-remote-desktop.service`)
and killed the lingering daemon that was still holding port 3389 so xrdp could bind it.
Verified end-to-end through the real guacd path: with `security=any`, guacd authenticates and
streams live desktop frames. **`security` MUST be `any` (or blank → defaults to `any`)** for
xrdp's default config — `nla` fails (`Security negotiation failed`) and `rdp` errors out.
Note: xrdp gives a fresh X login session, not a takeover of the existing Wayland session.
- **Alternative (infra, affects everyone): a custom guacd build with FreeRDP 3.** Not worth it
yet — it's a 30+ min from-source build to maintain in `docker-compose.yml`, for one upstream
gap that Apache will eventually close. Revisit if/when `guacamole/guacd` ships FreeRDP 3.

No ArchNest code change was required — the `security` field + `ignore-cert` handling in
`backend/src/routes/guacamole.ts` (added earlier this debugging arc) are correct and remain
useful for other RDP servers. The blocker was purely the guacd↔gnome NLA incompatibility.

The original investigation notes below are kept for history.

---

## Goal

ArchNest is a self-hosted dashboard product. One of its integrations is a "Remote Desktop"
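Review bot: the "Applied & verified" bullet tells readers that `security` MUST be `any` for xrdp but never records which level guacd actually negotiated on that hop; with `any`, guacd may fall back to legacy RDP security with no server authentication, and the same path already relies on `ignore-cert`, so the doc should quote the `Security mode: …` line from guacd's log for the working xrdp session (as it does for the gnome-remote-desktop failure) and say whether `tls` was tried against xrdp, since only `nla`, `rdp` and `any` are reported there. Also, "killed the lingering daemon that was still holding port 3389" is a one-off manual step with no command recorded and no persistence check; suggest adding the exact command used and a post-reboot verification (e.g. `ss -ltnp` showing xrdp on 3389) so the masked user unit is known to be sufficient on its own.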