HOWTO: Set up VNC server with resumable sessions

**Crass Spektakel** · May 5th, 2010

Lucid Lynx: Works out of the box with very little work!

I'll do a sum up of all options required to make VNC over XDMCP managed log in session displaying X11 applications on a perfectly fresh Lucid Lynx.

On Port 5920 you'll get a dynamic login session, that means, several clients can connect to this vnc port, getting a gdm login and a session running as long as the window is open. Closing the window is synonymous for logging out or killing your window manager. Very convenient to allow for "lots of normal users" to log into a computer at once.

On Port 5925 you'll get a static login session, one person can connect and works on a persistant screen which keeps its data between disconnects. Very helpful for administration purposes.

Code:

aptitude install vnc4server xinetd
vncpasswd /etc/vncpasswd-semipublic

edit /etc/services and add something like

Code:

vnc1024         5920/tcp
SV1024          5925/tcp

create /etc/xinetd.d/Xvnc containing something like:

Code:

root@boni:/etc/gdm# cat /etc/xinetd.d/Xvnc
service vnc1024
{
  disable = no
  socket_type = stream
  protocol = tcp
  wait = no
  user = nobody
  server = /usr/bin/Xvnc4
  server_args = -inetd -desktop boni-loginvnc-1024 -query localhost -geometry 1024x768  -once -depth 16 -fp /usr/share/fonts/X11/misc -SecurityTypes=none
}

service SV1024
{
  disable = no
  socket_type = stream
  protocol = tcp
  wait = yes
  user = root
  server = /usr/bin/Xvnc4
  server_args = -inetd :25 -desktop boni-staticvnc-1024 -query localhost -geometry 1024x768 -depth 16 -once -fp /usr/share/fonts/X11/misc/ -DisconnectClients=0 -NeverShared passwordFile=/etc/vncpasswd-semipublic
}

next create or edit /etc/gdm/custom.conf:
edit: I insert jocko_johnson settings here, they avoid several problems.

Code:

[daemon]
[security]
DisallowTCP=false
[xdmcp]
Enable=true
HonorIndirect=false
#following line fixes a problem with login/logout
DisplaysPerHost=2
MaxSessions=16
[greeter]
[chooser]
[debug]
Enable=true

You might try creating /etc/X11/xserver/SecurityPolicy but I think it might be useless/harmful:

Code:

version-1 

# $Xorg: SecurityPolicy,v 1.3 2000/08/17 19:47:56 cpqbld Exp $

# The site policy fields are interpreted by the XC-QUERY-SECURITY-1
# authorization protocol.  The values are arbitrary and site-specific.
# Refer to the Security Extension Specification for the usage of the policies.
#sitepolicy A
#sitepolicy B
#sitepolicy C

# Property access rules:
# property <property> <window> <permissions>
# <window> ::= any | root | <propertyselector>
# <propertyselector> ::= <property> | <property>=<value>
# <permissions> :== [ <operation> | <action> | <space> ]*
# <operation> :== r | w | d
#	r	read
#	w	write
#	d	delete
# <action> :== a | i | e
#	a	allow
#	i	ignore
#	e	error

# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER	root	ar iw
property SCREEN_RESOURCES	root	ar iw

# Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0	root	irw
property CUT_BUFFER1	root	irw
property CUT_BUFFER2	root	irw
property CUT_BUFFER3	root	irw
property CUT_BUFFER4	root	irw
property CUT_BUFFER5	root	irw
property CUT_BUFFER6	root	irw
property CUT_BUFFER7	root	irw

# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS	root	ar iw
property _MOTIF_DRAG_WINDOW	root	ar iw
property _MOTIF_DRAG_TARGETS	any 	ar iw
property _MOTIF_DRAG_ATOMS	any 	ar iw
property _MOTIF_DRAG_ATOM_PAIRS	any 	ar iw

# If you are running CDE you also need these
property _MOTIF_WM_INFO		root	arw
property TT_SESSION		root	irw
property WM_ICON_SIZE		root	irw
property "SDT Pixel Set"	any	irw

# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME	any	ar

# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS	WM_NAME	ar

# These next three let xlsclients work untrusted.  Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE	WM_NAME	ar
property WM_CLIENT_MACHINE	WM_NAME	ar
property WM_COMMAND	WM_NAME	ar

# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP	root	ar
property RGB_BEST_MAP	root	ar
property RGB_RED_MAP	root	ar
property RGB_GREEN_MAP	root	ar
property RGB_BLUE_MAP	root	ar
property RGB_GRAY_MAP	root	ar

# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION	root	ar
property XDCCC_LINEAR_RGB_MATRICES	root	ar
property XDCCC_GRAY_SCREENWHITEPOINT	root	ar
property XDCCC_GRAY_CORRECTION	root	ar

# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS	root	ar

additional infos:

-sometimes you have to add "-extension XFIXES" to /etc/xinetd.d/Xvnc at "server_args".
-if telnet <system> 5920 fails with "can't connect" then you xinetd doesn't work
-if telnet <system> 5920 closes fast or your VNC client reports "unknown Plugin/whatever" then your X "-extension XFIXES" must be changed.
-if telnet <system> 5920 hangs completely try restarting your system
-if your vnc session is showing nothing except the default X11 pattern then your gdm isn't listening, see /etc/gdm/custom.conf
-always check /var/log/syslog
-change the resolutions in /etc/xinetd.d/Xvnc with -geometry
-there you'll also find color depth, depth 16 sometimes falls back to depth 8 with a 233 mapping, ugly colors result. Try using depth 8 "flat color" or "color tables" (TODO) or depth 24 which might work better or worse. Your milage may vary.
-play around with vncconfig for copy-and-paste and other nifty stuff.

About me: I think I have been one of the very first users getting a XDM/GDM-Login over VNC, a long time ago, before Xvnc, sometimes around 1999, running SuSE 6.3. Most nowadays FAQs are more or less based on my old FAQ. So if you have a question I might be the best person to ask - though I must admit that a lot of things have changed, a lot more since Ubuntu8.04 than all the time before, lots of configs have totally changed or changed position, patches no longer working and so on. Therefore I would suggest to make this topic a new one.

**liquidonline** · May 6th, 2010

Wow, thanks for the feedback. While your point about starting a new thread is valid, I think many people still come to this thread, and it's worthwhile to update this. Once I have a fully documented process, I'll gladly start up a new thread as a reliable Howto for lucid (and really, gdm > 2.28 ).

Your post motivated me. Likely due to everything I had been tinkering with, and likely why nothing was working anymore when I decided to post this, I couldn't get this to work at first. I figured, it's a 4-day old install, I hadn't even restored backups, so I decided to reinstall ubuntu-server. My experience is summarized below. I'm hoping you can lend a helping hand. I'm a bsd sysadmin by trade, I never really used X for anything, so I know very little of it. I just know enough to know doing it within the confines of what's available ported to BSD is painful

==========

Post reinstall, it still didn't work at first. My needs don't require two vnc server sessions running, I went with one based on my needs. No matter what I did, xfixes there or not, restart gdm, it wouldn't go. Tried matching more closely yours (the second of the two), still didn't work.

So next, I tried using your exact /etc/xinetd.d/Xvnc file (besides obvious necessary changes to reflect my system), only one service would start, the other would (quietly) fail. Consistently, the one setup to run as nobody would not start up. Changing the "wait" to yes and user to root did not help this. Interestingly though, the second one suddenly worked (after putting the two services, prior to any modifications)! I have no explanation for this, but one would be nice, as it would help understand more what's going on. Here is what the /etc/xinetd.d/Xvnc file looks like now (/etc/services reflects screen numbers used). I can access the "service vncbig" using this. Regardless if I used -extension XFIXES or not, the first one would time out on telnet instantly, as you'll see below the snippet from my syslog

Code:

service vncsmall
{
  disable = no
  socket_type = stream
  protocol = tcp
  wait = no
  user = nobody
  server = /usr/bin/Xvnc4
server_args = -inetd -desktop zeus-1024x768 -query localhost -geometry \
1100x800  -once -depth 15 -fp /usr/share/fonts/X11/misc \
-SecurityTypes=none -extension XFIXES
}

service vncbig
{
  disable = no
  socket_type = stream
  protocol = tcp
  wait = yes
  user = root
  server = /usr/bin/Xvnc4
  server_args = -inetd :5 -desktop zeus-HiQ -query localhost -geometry \
1280x1024 -depth 16 -once -fp /usr/share/fonts/X11/misc/ \
-DisconnectClients=0 -NeverShared -SecurityTypes=none
}

From syslog:

May 5 21:11:15 zeus xinetd[20950]: bind failed (Address already in use (errno = 98)). service = vncbig
May 5 21:11:15 zeus xinetd[20950]: Service vncbig failed to start and is deactivated.
May 5 21:11:15 zeus xinetd[20950]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.
May 5 21:11:15 zeus xinetd[20950]: Started working: 1 available service
May 5 21:11:25 zeus xinetd[20953]: warning: can't get client address: Transport endpoint is not connected
May 5 21:12:59 zeus gdm-session-worker[20689]: GLib-GObject-CRITICAL: g_value_get_boolean: assertion `G_VALUE_HOLDS_BOOLEAN (value)' failed
May 5 21:13:03 zeus gnome-session[20978]: WARNING: GSIdleMonitor: IDLETIME counter not found
May 5 21:13:03 zeus rtkit-daemon[21046]: Sucessfully called chroot.
May 5 21:13:03 zeus rtkit-daemon[21046]: Sucessfully dropped privileges.
May 5 21:13:03 zeus rtkit-daemon[21046]: Sucessfully limited resources.
May 5 21:13:03 zeus rtkit-daemon[21046]: Running.
May 5 21:13:03 zeus rtkit-daemon[21046]: Watchdog thread running.
May 5 21:13:03 zeus rtkit-daemon[21046]: Canary thread running.

Not out of the woods yet though. Seems like the fast-user-switching (or something related to it anyway) fails when I login. I only mention this because I wonder if it's related to the following problem: If I log out of the session to close vnc server, I can no longer log back in, until I reboot. restarting gdm or restarting xinetd is of no help. If I simply "X" the window closed, then I can log back into it. Is this something that an Xstartup file would be able to help with by any chance?

Here's what I get on each login:

So. While there's signifcant progress made, the one thing above all that really gets to me is why I need to run two vnc servers, in order to get one to work!?!?!?

update: Upon reboot, now I noticed in syslog that it reports both of them as up and running, though ps shows only the second of the two, and I still get an instant timeout on connect to the first one (running as user nobody)

**liquidonline** · May 6th, 2010

OK, regarding the whole "unable to vnc back in if I logout" thing, it's worth noting that I'm running ubuntu-server on this machine, and I simply installed gnome-desktop-environment instead of the clunkier ubuntu-desktop. Not knowing whether or not this is responsible for that odd behaviour, I'm now in the process of installing ubuntu-deskstop and we'll see if that makes any sort of difference in the morning.

Some other stuff I've noticed:

For clarity: In /etc/xinetd.d/Xvnc, when I went to setting up two services as was shown to us by crass, I named the first one "vncsmall" and the second "vncbig," the latter of which is the one which runs as root. BTW, still not sure how the one running unprivileged as nobody runs exactly. Ok, moving right along...

In syslog, the error msgs indicate the service "vncbig" (see above) couldn't bind to the requested port because it's already in use. However, when I connected to :5, which is the one designated for "vncbig" I was able to connect: Here's what I'm talking about:

May 5 20:58:06 zeus xinetd[20767]: Reading included configuration file: /etc/xinetd.d/Xvnc [file=/etc/xinetd.conf] [line=14]

***SNIP*** (other services)

May 5 20:58:06 zeus xinetd[20767]: bind failed (Address already in use (errno = 98.)). service = vncbig
May 5 20:58:06 zeus xinetd[20767]: Service vncbig failed to start and is deactivated.
May 5 20:58:06 zeus xinetd[20767]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.
May 5 20:58:06 zeus xinetd[20767]: Started working: 1 available service
May 5 20:58:21 zeus xinetd[20767]: Exiting...

==============================================

Now, back to my observation that the two VNC's started up according to syslog on reboot. Here's what I mean:

May 5 21:18:30 zeus xinetd[21315]: Reading included configuration file: /etc/xinetd.d/Xvnc [file=/etc/xinetd.conf] [line=14]

**SNIP** same again

May 5 21:18:30 zeus xinetd[21315]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.
May 5 21:18:30 zeus xinetd[21315]: Started working: 2 available services
May 5 21:19:23 zeus xinetd[21323]: warning: can't get client address: Transport endpoint is not connected
May 5 21:19:27 zeus xinetd[21325]: warning: can't get client address: Transport endpoint is not connected

Those warning messages are what appears at the same time as I get the connection reset by peer when I try to telnet or vnc to the server.

**muhnkee** · May 13th, 2010

Hey I went through and installed vnc4server, xinetd and set everything up as in this guide on an Ubuntu 10.04 Lucid Lynx machine. Everything worked phenominally.

Then I made what is apparently a huge mistake and did a sudo apt-get upgrade. Now I get the gray screen with the old style x cursor. It even gives me the gray screen when I run the vncserver from the desktop and try to login.

If I try to do it with vnc4server straight from the command line and attempt to connect, I get the additional "Could not acquire name on session bus."

If I use the Xvnc4 command, I get "error opening security policy file /etc/X11/xserver/SecurityPolicy" in the terminal and get the gray screen when I try to VNC to the display.

The ~/.vnc/passwd file is there and being referenced in /etc/xinetd.d/Xvnc file.

Now if I login as root and run through things manually it works like a charm.

I've read through a majority of the 60 pages of this posting, some other ones and still can't find a solution to my problem. Any ideas?

**errodrigues** · May 29th, 2010

Thanks a lot Crass Spektakel!!! Ihad already spent more than 1 day trying to make this thing work on my Lucid and your instructions did the trick.

I don't need 2 services running so I just created 1 and it works like a charm now. Only thing I added was including "gdm: localhost" to file /etc/hosts.allow

Thanks again!

**vyath** · June 21st, 2010

I managed to set things up like Spektakel and it works great, only now if I remotely login and try to access a connected USB drive (from "places", for example) I get
"Unable to mount X filesystem, Not authorized"

How do I fix it?

**KillerPancake** · July 14th, 2010

After trying a lot of different things, I was FINALLY able to get a VNC server up and working reliably (sort of!) on 10.04. It was the sage advice of Crass Spektakel and PHDLinux that did the trick.

My goal is to setup a headless server that can live in the basement, toiling in obscurity while not taking up any space or generating heat in prime living space. Having gotten everything set up and working well, I dragged the box downstairs and started it up. Fired up the VNC viewer on my laptop and only got the X11 screen when connecting to the server, so I dragged the box back upstairs to investigate. Started up the box again, and this time no problems with the VNC viewer on the laptop. So, back downstairs with the machine, and again only got the X11 screen in the VNC viewer. What, is the machine lonely in the basement and protesting!? Other than this issue, the machine seems fine and I can access shares without problems, no matter where the server is.

So one of two things is happening:
1) Something is happening due to the difference in location - main difference in the basement is that keyboard, monitor and mouse are not connected and a different Ethernet cable connects the server to a switch
2) Some problem is occurring intermittently and its just coincidence that it shows up when the computer is moved to the basement

I would appreciate anyone's insight as to what might be happening here! Below are the outputs of the VNC viewer during a good connection, followed by a failed connection with X11 screen only.

Successful connection:
Tue Jul 13 23:29:34 2010
CConn: connected to host 192.168.1.105 port 5920
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
TXImage: Using default colormap and visual, TrueColor, depth 24.
CConn: Using pixel format depth 6 (8bpp) rgb222
CConn: Using ZRLE encoding

Tue Jul 13 23:29:37 2010
CConn: Throughput 4000 kbit/s - changing to hextile encoding
CConn: Throughput 4000 kbit/s - changing to full colour
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConn: Using hextile encoding

Failed connection (note the last 5 lines are missing compared to above):
Wed Jul 14 00:02:25 2010
CConn: connected to host 192.168.1.105 port 5920
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
TXImage: Using default colormap and visual, TrueColor, depth 24.
CConn: Using pixel format depth 6 (8bpp) rgb222
CConn: Using ZRLE encoding

**popzero** · September 24th, 2010

Originally Posted by KillerPancake

After trying a lot of different things, I was FINALLY able to get a VNC server up and working reliably (sort of!) on 10.04. It was the sage advice of Crass Spektakel and PHDLinux that did the trick.

My goal is to setup a headless server that can live in the basement, toiling in obscurity while not taking up any space or generating heat in prime living space. Having gotten everything set up and working well, I dragged the box downstairs and started it up. Fired up the VNC viewer on my laptop and only got the X11 screen when connecting to the server, so I dragged the box back upstairs to investigate. Started up the box again, and this time no problems with the VNC viewer on the laptop. So, back downstairs with the machine, and again only got the X11 screen in the VNC viewer. What, is the machine lonely in the basement and protesting!? Other than this issue, the machine seems fine and I can access shares without problems, no matter where the server is.

So one of two things is happening:
1) Something is happening due to the difference in location - main difference in the basement is that keyboard, monitor and mouse are not connected and a different Ethernet cable connects the server to a switch
2) Some problem is occurring intermittently and its just coincidence that it shows up when the computer is moved to the basement

I would appreciate anyone's insight as to what might be happening here! Below are the outputs of the VNC viewer during a good connection, followed by a failed connection with X11 screen only.

Successful connection:
Tue Jul 13 23:29:34 2010
CConn: connected to host 192.168.1.105 port 5920
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
TXImage: Using default colormap and visual, TrueColor, depth 24.
CConn: Using pixel format depth 6 (8bpp) rgb222
CConn: Using ZRLE encoding

Tue Jul 13 23:29:37 2010
CConn: Throughput 4000 kbit/s - changing to hextile encoding
CConn: Throughput 4000 kbit/s - changing to full colour
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConn: Using hextile encoding

Failed connection (note the last 5 lines are missing compared to above):
Wed Jul 14 00:02:25 2010
CConn: connected to host 192.168.1.105 port 5920
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
TXImage: Using default colormap and visual, TrueColor, depth 24.
CConn: Using pixel format depth 6 (8bpp) rgb222
CConn: Using ZRLE encoding

I think I hit the same issue as you did with this one, mine was after doing an upgrade from 8.04 LTS to 10.04 LTS for my headless/mouseless/keyboardless server.

Took me a while to figure this one out; finally found it by forcing my system to disable kernel mode setting. There's a description of what is needed to disable it here: https://wiki.ubuntu.com/X/KernelModeSetting
I used the change listed for radeon cards and then it forced my X system to use the vesa setup. (Note: in my /etc/modprobe.d/ directory it didn't have any of the file names listed under "Turning it off"; the purpose of the link is to create the files using the echo command...the webpage didn't really make that clear so I like to be extra explicit

). This little gem of an issue drove me crazy for a day wondering WTH was going on with that dam grey X display mouse doing remote vnc access.

Oh one other thing I've found that might be helpful is putting "DisplaysPerHost=2" in my /etc/gdm/custom.conf file under the [xdmcp] section so it looks like this:
[security]
DisallowTCP=false
[xdmcp]
Enable=true
HonorIndirect=false
DisplaysPerHost=2

If I don't have this in my config each time I logout using the UI it won't let me log back in (gives that stupid timeout "111" error in the terminal). That might be why PhDLinux added that into the custom.conf file.

Hope this helps some of my fellow Ubuntu users

**jocko_johnson** · October 9th, 2010

I am only able to get the grey X11 screen. can someone please look at my setup and point me in a direction to resolve this?

I am running 10.04, fresh install, all updates current.

Here are my files:

/etc/xinetd.d/Xvnc

Code:

service xvnc
{
	disable = no
	socket_type = stream
	protocol = tcp
	wait = no
	user = nobody
	server = /usr/bin/Xvnc4
	server_args = -inetd -desktop xvncDesk -query localhost -geometry 1024x768 -once -depth 16 -fp /usr/share/fonts/X11/misc -SecurityTypes=none
	log_type = SYSLOG daemon info
	log_on_failure = HOST
	log_on_success = PID HOST EXIT
}

service xvncResumable
{
	disable = no
	socket_type = stream
	protocol = tcp
	wait = yes
	user = me
	server = /usr/bin/Xvnc4
	server_args = -inetd :88 -desktop xvnc-resumableDesk -query localhost -geometry 1024x768 -depth 16 -once -fp /usr/share/fonts/X11/misc/ -DisconnectClients=0 -NeverShared passwordFile=/home/me/.vnc/passwd
	log_type = SYSLOG daemon info
	log_on_failure = HOST
	log_on_success = PID HOST EXIT
}

/etc/gdm/custom.conf

Code:

[daemon]

[security]
DisallowTCP=false

[xdmcp]
Enable=true
HonorIndirect=false
#following line fixes a problem with login/logout
DisplaysPerHost=2
MaxSessions=16

[greeter]

[chooser]

[debug]
Enable=true

/etc/services
I added these lines

Code:

#added by me 10.6.2010 for xvnc server
xvnc		5908/tcp
xvncResumable	5988/tcp

/etc/hosts.allow
I added this line

Code:

gdm: localhost

I am testing this locally on the server with the commands:

Code:

 Xvnc :4 -query localhost -geometry 1024x768 -once -depth 16 -fp /usr/share/fonts/X11/misc -SecurityTypes=none

and

Code:

sudo Xvnc :3 -query localhost -geometry 1024x768 -once -depth 16 -fp /usr/share/fonts/X11/misc -SecurityTypes=none passwordFile=/home/me/.vnc/passwd

as well as trying to connect from a different machine within my LAN and also from my work computer via ssh tunnelling/x11 forwarding ( ssh is configured to allow x11forwarding ).

no matter what the results are the same:

I get the x11 window but I only seethe grey speckled screen with the giant "X" for a cursor - no login window

would really appreciate if someone knows how to fix this.

**r0ck3t** · October 24th, 2010

Originally Posted by jocko_johnson

I am only able to get the grey X11 screen. can someone please look at my setup and point me in a direction to resolve this?

Hi,

just registered, hope this helps: I had exactly the same setup and the same problem, some of the last updates broke it...
I disabled IPV6 and everything works as expected (saw some strange errors in the gdm logs).

Cheers