SSO-like Auth to XRDP...

[jsanderson104]

I've been trying to get any form of SSO-like authentication to a Rocky Linux endpoint with XRDP and I'm just running into "problems"
Maybe I'm not understanding the process or getting things confused.....would like some help/input.

Just trying to better understand, I guess, the real limitations of the auth mechanics and what actually works in the most recent builds.
I've read several pages on the internet about smartcard auth and kerberos auth but I've not had any luck. I also feel like I'm reading mixed responses on whether it actually works or not. FWIW some of the information is old.

The best scenario would obviously be a seamless login experience where it would be accepting the Kerberos ticket from the Windows realm automatically. I could put something like Apache Guacamole in front of the Linux boxes but I think I would still end up with the same "problem". Heck I would just be happy if it would prompt for a PIV cert/pin haha

I always get a login prompt when I connect to the "xrdp server" in this case and can't understand why none of the existing authentication (kerberos TGT, smartcard pin prompt) stuff doesn't work (for me atleast).

I've been trying to do various methods to get this working in any form.

1. Built the latest source and enabled kerberos (ie disabled pam)
2. Built the latest source and used pam instead of kerberos.
   2a) PAM auth is including sssd
   2b) SSSD talks to FreeIPA
   2c) FreeIPA talks to Windows AD via trust
   2d) AD matches a PIV cert on the AD account
   * This seems to be the most promising way so far.

Everything else works - tty logins, gui logins, web console logins, email, ssh, cifs mounts, etc. ... just not RDP :(
It's driving me bonkers.

I have been able to see some promising information in the sssd debug level logs that shows that it successfully found my UID on the AD-side of the house; so I know that account information lookup that occurs is solid/working.

This is over-simplyifing it but its like " If only XRDP (or sesman) knew where to look for the KRB5 ticket instead of asking me for a password" seems to be what i wish would happen.

Has anyone been able to pull this off at all... ?

[akallabeth]

well, FreeRDP does support kerberos (client and server side).

• does xrdp support it?
• I think recent versions of gnome-remote-desktop also support kerberos

[jsanderson104]

1. Supposedly xrdp does support kerberos but I must be doing something wrong. The latest configure.ac has the option for it and the build completed when i used ./configure --enable-kerberos

2. You bring up a good point, I may try it from Linux-to-Linux on the same realm/domain to see if the behavior is any different. Just may be an extra datapoint to consider. However, for most of my use-case, the users will likely be coming from a Windows client (mstsc)

I feel like I'm so close.

Thanks for the reply btw.