"Authentication is required to create a color managed device" dialog when launching GNOME 3 or Unity 7.4 using TurboVNC #47
Comments
dcommander
changed the title
dcommander
changed the title
|
Verified that a similar issue also exists under Ubuntu 16.04 with Unity 7.4. The workaround is identical, except that you add to /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf instead of /etc/polkit-1/rules.d/02-allow-colord.rules. (NOTE: I personally use vglusers for |
Launch Unity in a fake DM environment similar to the one we use for the 2D Ubuntu window managers. This ensures that the compiz OpenGL plugin won't be disabled automatically under U14 if it encounters a fatal OpenGL error (such as failing to launch the TurboVNC Server session with -3dwm), and this fake DM environment is necessary to make Unity 7.4 under U16 work at all with TurboVNC (NOTE: there are still some issues with that, including #56 and #47.)
Launch Unity in a fake DM environment similar to the one we use for the 2D Ubuntu window managers. This ensures that the compiz OpenGL plugin won't be disabled automatically under U14 if it encounters a fatal OpenGL error (such as failing to launch the TurboVNC Server session with -3dwm), and this fake DM environment is necessary to make Unity 7.4 under U16 work at all with TurboVNC (NOTE: there are still some issues with that, including #56 and #47.)
|
Thank you @dcommander I was able to fix this problem after struggling for months! Just one note, the extension of the file has to be .rules, not .conf, at least on my system (Fedora 26). |
|
A little side note: That workaround does not work for LDAP users because of a problem with group policies and PAM: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1281700 |
|
Really wish the various O/S and window manager developers would do a better job of supporting remote desktop solutions, in general. It boggles my mind that Red Hat and Ubuntu are allegedly providing enterprise support on an O/S with a default WM configuration that simply doesn't work with the remote desktop solution they also allegedly support. You guys would do well to lodge a complaint with your O/S vendor of choice regarding this, because it's not the only issue that occurs when trying to run these newer WM's in a VNC environment: https://github.com/TurboVNC/turbovnc/issues?q=is%3Aissue+is%3Aclosed+label%3A%22GNOME+3%22 https://github.com/TurboVNC/turbovnc/issues?q=unity+label%3A%22Unity+7.4%22 |
dcommander
changed the title
|
Verified that the same issue exists with GNOME 3 under Ubuntu 18.04. Use the workaround described in #47 (comment). |
|
Btw this policy kit file fixes the color profile issues for LDAP users as well: Note: the file MUST have the ending .pkla. Otherwise it will not work |
|
Here (Desktop LTS 18.04.1) it works only with following configuration in With yes in I found that info in here. I'm not using TurboVNC. I'm using standard Windows RDP Client. I've posted because the info could be useful. |
|
Ah, OK. I see what the issue is. As described in http://c-nergy.be/blog/?p=12043, the procedure in #47 (comment) (creating /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf) gets rid of the dialog but causes PolKit to crash. The procedure described in #47 (comment) (creating /etc/polkit-1/localauthority/50-local.d/45-allow.colord.pkla) gets rid of the dialog with no crash. Verified on Ubuntu 16.04 and 18.04. |
|
Verified that either procedure works properly with RHEL 7 or Fedora. |
|
@shibumi can you verify that it also works for you with |
|
@dcommander haven't tested it. But I guess setting |
|
I honestly have no idea how that option interacts with LDAP. The description is not very enlightening: |
|
Hi all, I just want confirm here, that jramos-br's solution under #47 (comment) works fine (for me) under Ubuntu 18.04 with Gnome 3. Best regards |
|
The #47 comment does not work for me with Fedora 29. |
|
Works fine for me, but in Fedora, there is an additional dialog that you have to squelch: Folks, I cannot emphasize this enough: these are hackish workarounds necessitated by the fact that GNOME 3 simply doesn't provide proper support for running in a user-level X server such as Xvnc. I have done everything I can do to support it, but there are limits to what I can do. I strongly recommend using MATE instead, or any other non-compositing window manager. GNOME 3 has performance issues in a remote display environment as well. The best I can say about it vis-a-vis TurboVNC is: "It works, but I don't recommend it." If someone comes up with a solution to the new dialog, feel free to post it here. Since these issues also exist with TigerVNC, the flavor of VNC that ships with Fedora, my opinion is that it should be incumbent upon the Fedora/Red Hat developers to fix them, not us. |
|
@dcommander about the colord authentication dialog. This should not happen as long as you name the Output device with a VNC- prefix. i.e see https://gitlab.gnome.org/GNOME/gnome-settings-daemon/blob/master/plugins/color/gsd-color-state.c#L1032 |
|
@nacho Thanks for the tip. I modified our server code so that the X RANDR output devices are named "VNC-*". Problems still persist on some platforms, but the situation is at least improved. The color management dialog no longer pops up on RHEL 8, Ubuntu 18, or Fedora. (Where possible, all platforms were updated to the latest patches available as of today.)
|
... from popping up on Fedora, RHEL 8, and Ubuntu 18+. The dialog still pops up on RHEL 7.x. Refer to #47
|
The workaround described here: |
dcommander
added
fixed
and removed
workaround available
SEP (somebody else's problem)
labels
|
This should now be fixed in dev/3.0 evolving. The RPM and DEB packages now include That fixes this issue on all of the platforms I tested, but please let me know if I missed something. |
|
I've encountered this issue myself with xrdp, and have made use of the workaround in the 2018-08-12 comment above. I'd like to add a few remarks. First, the workaround appears to be overriding a PolicyKit policy file, which on my (Ubuntu) system is located at The first proposed (Incidentally, for those who need it, the meaning of the three permissions is documented in the Second, I would point out that Third, to @nacho: It is good that there is a way to get around this issue by way of the device naming convention. Would it be feasible to add similar support for xrdp? It may be worthwhile to discuss with their upstream a convention for this (I would have expected |
|
After thorough testing, and since I now have a better understanding of the security ramifications, the PKLA file has been pushed to master (the upcoming 2.2.5 release) as well. |
When launching GNOME 3 (including Classic) in TurboVNC or resizing the remote desktop under GNOME 3, a dialog pops up ("Authentication is required to create a color managed device"), and it cannot be dismissed without authenticating using the root password. This seems to be a problem endemic to all X proxies running on recent Linux distros that use GNOME 3 (yet another reason to use MATE instead, at least with TurboVNC.)
Refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=1149893
for further information, as well as a workaround.
Filing this issue to track it.
I've personally verified that the issue exists with TurboVNC 2.1 beta and TigerVNC 1.6 (both the "el5" flavor, which is based on the same X.org 7.7/xorg-xserver 1.12 code as TurboVNC, and the "el6" flavor, which is based on xorg-xserver 1.15.) Verified that the workaround listed at the above link solves the problem, but since that workaround requires specifying a group to which to grant colord permissions, it isn't exactly a generic solution.
This issue is known to exist in current versions of RHEL 7, SLES 12, Fedora 22, and Fedora 24 as of this writing. On Fedora 24, an additional dialog pops up ("Authentication is required to access to PC/SC daemon.") Refer to #52 for the workaround to that issue.
The text was updated successfully, but these errors were encountered: