Debug VNC connection on CentOS7 server

Brian S asked:
Medium Priority
Last Modified: 2016-12-28
Server: CentOS 7 (Linux centos7.local 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux)
Client: OSX 10.12.1 (VNC client Chicken v2.2b2) and Windows 10 RealVNC v6.0.1

How can you debug VNC on the server side? I need to debug where issues are occurring. I do a tcpdump for port 5901 to see the connection, and tail the /home/vncuser/.vnc/host:1.log and  /var/log/messages files. None of these allow me to debug what is occurring.

I see the VNC clients connect to the Linux host using display or port "1", AKA port 5901; the client shows a black window and then it closes. The xstart and other files are all default from the OS load.

I followed the installation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-TigerVNC.html


Which is great if everything works without any issues.

vnc log file:
Wed Nov 30 21:50:49 2016
 Connections: accepted: 192.168.1.8::63145
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST:  Server default pixel format depth 24 (32bpp) little-endian rgb888
 VNCSConnST:  Client pixel format depth 24 (32bpp) little-endian rgb888
 Connections: closed: 192.168.1.8::63145 (Clean disconnection)
 SMsgWriter:  framebuffer updates 1
 SMsgWriter:    Tight rects 1, bytes 16
 SMsgWriter:    raw bytes equivalent 5242892, compression ratio 327680.750000

Wed Nov 30 22:01:07 2016
 Connections: accepted: 192.168.1.8::63315
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST:  Server default pixel format depth 24 (32bpp) little-endian rgb888
 VNCSConnST:  Client pixel format depth 24 (32bpp) little-endian rgb888
 Connections: closed: 192.168.1.8::63315 (Clean disconnection)
 SMsgWriter:  framebuffer updates 1
 SMsgWriter:    Tight rects 1, bytes 16
 SMsgWriter:    raw bytes equivalent 5242892, compression ratio 327680.750000



xstart:
#!/bin/sh

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /etc/X11/xinit/xinitrc





# cat /etc/systemd/system/vncserver@\:1.service
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target



CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What is the output of running the command runlevel on your CentOS 7 server box?
If it is N 3: normal multi-user (non-graphical); N 5: normal multi-user graphical.
Depending on what it is you want to do, it is best to consider using ssh to connect to the server and, if needed, to use the X Window System with X11 tunneling on the ssh side to redirect graphical tools back to the client workstation:
ssh -X or -Y user@remotehost
while on the local system you have Xming (for Windows); OS X is a BSD-based Unix, ref. Apple's link to XQuartz: https://support.apple.com/en-us/HT201341
screen is a tool where you can have multiple "sessions" over one connection.
CERTIFIED EXPERT
Most Valuable Expert 2012

Commented:
I had numerous / similar problems with the regular VNC package, but solved it by using x11vnc. See if CentOS has that package (I'm on Debian).
Brian S (retired geek)

Author

Commented:
Runlevel returns: N 5

I do not want to replace the chosen VNC Server on the system — I'd like to learn how to debug what it is doing. I feel like I am missing something obvious that I have forgotten or that has moved — the curse of Free and Open Source.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Make sure you are not blocking it with the built-in software firewall (firewalld or iptables).
You have to open the service up:
firewall-cmd --permanent --add-service=vnc-server
or firewall-cmd --permanent --add-port=5900/tcp
iptables -I INPUT 4 -p tcp --dport 5900 -j ACCEPT

Or something like that.
Brian S (retired geek)

Author

Commented:
Thank you.

I believe that I have the ports configured:

# firewall-cmd --get-default-zone 
internal
# firewall-cmd --permanent --zone=public --list-all
public (active)
  interfaces: enp2s0
  sources: 
  services: dhcpv6-client https ssh vnc-server
  ports: 5902/tcp 5900/tcp 5901/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	
# firewall-cmd --permanent --zone=internal --list-all
internal (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client splunk ssh vnc-server
  ports: 5900-5902/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 



But again, if it was firewall related then I would have expected the tcpdump to have shown that. Since I see the packets arrive, then see the VNC log start and then close the port, this tells me it is not firewall but application related.
Brian S (retired geek)

Author

Commented:
Oh and I do have a GUI Console up on the server.

So I do know that GNOME is up and running, and as stated it confirms that I'm in runlevel 5.
Brian S (retired geek)

Author

Commented:
And as a sanity check:

 # iptables -S | grep 590
-A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 5900:5902 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5902 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5901 -m conntrack --ctstate NEW -j ACCEPT


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Please run iptables -L --line-numbers

Where are you running this? What is the function of this system? If this is a router, you need an INPUT entry and a FORWARD entry with --to-address/--to-port if port forwarding.

Are you certain that your system runs iptables and not firewalld?
ps -ef | grep iptables
ps -ef | grep firewalld

netstat -an | grep -i ':59'
Brian S (retired geek)

Author

Commented:
The system is newly built to act as a generic server, nothing special. I want to make this a syslog server.

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  anywhere             anywhere            
7    INPUT_direct  all  --  anywhere             anywhere            
8    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
9    INPUT_ZONES  all  --  anywhere             anywhere            
10   ACCEPT     icmp --  anywhere             anywhere            
11   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
6    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
7    ACCEPT     all  --  anywhere             anywhere            
8    FORWARD_direct  all  --  anywhere             anywhere            
9    FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
10   FORWARD_IN_ZONES  all  --  anywhere             anywhere            
11   FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
12   FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
13   ACCEPT     icmp --  anywhere             anywhere            
14   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
2    OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
num  target     prot opt source               destination         
1    FWDI_internal  all  --  anywhere             anywhere            [goto] 
2    FWDI_internal  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
num  target     prot opt source               destination         
1    FWDO_internal  all  --  anywhere             anywhere            [goto] 
2    FWDO_internal  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain FORWARD_direct (1 references)
num  target     prot opt source               destination         

Chain FWDI_internal (2 references)
num  target     prot opt source               destination         
1    FWDI_internal_log  all  --  anywhere             anywhere            
2    FWDI_internal_deny  all  --  anywhere             anywhere            
3    FWDI_internal_allow  all  --  anywhere             anywhere            

Chain FWDI_internal_allow (1 references)
num  target     prot opt source               destination         

Chain FWDI_internal_deny (1 references)
num  target     prot opt source               destination         

Chain FWDI_internal_log (1 references)
num  target     prot opt source               destination         

Chain FWDI_public (0 references)
num  target     prot opt source               destination         
1    FWDI_public_log  all  --  anywhere             anywhere            
2    FWDI_public_deny  all  --  anywhere             anywhere            
3    FWDI_public_allow  all  --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
num  target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
num  target     prot opt source               destination         

Chain FWDI_public_log (1 references)
num  target     prot opt source               destination         

Chain FWDO_internal (2 references)
num  target     prot opt source               destination         
1    FWDO_internal_log  all  --  anywhere             anywhere            
2    FWDO_internal_deny  all  --  anywhere             anywhere            
3    FWDO_internal_allow  all  --  anywhere             anywhere            

Chain FWDO_internal_allow (1 references)
num  target     prot opt source               destination         

Chain FWDO_internal_deny (1 references)
num  target     prot opt source               destination         

Chain FWDO_internal_log (1 references)
num  target     prot opt source               destination         

Chain FWDO_public (0 references)
num  target     prot opt source               destination         
1    FWDO_public_log  all  --  anywhere             anywhere            
2    FWDO_public_deny  all  --  anywhere             anywhere            
3    FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
num  target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
num  target     prot opt source               destination         

Chain FWDO_public_log (1 references)
num  target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
num  target     prot opt source               destination         
1    IN_internal  all  --  anywhere             anywhere            [goto] 
2    IN_internal  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain INPUT_direct (1 references)
num  target     prot opt source               destination         

Chain IN_internal (2 references)
num  target     prot opt source               destination         
1    IN_internal_log  all  --  anywhere             anywhere            
2    IN_internal_deny  all  --  anywhere             anywhere            
3    IN_internal_allow  all  --  anywhere             anywhere            

Chain IN_internal_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
2    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:rfb:5903 ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:irdmi ctstate NEW
6    ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
7    ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:rfb:5902 ctstate NEW

Chain IN_internal_deny (1 references)
num  target     prot opt source               destination         

Chain IN_internal_log (1 references)
num  target     prot opt source               destination         

Chain IN_public (0 references)
num  target     prot opt source               destination         
1    IN_public_log  all  --  anywhere             anywhere            
2    IN_public_deny  all  --  anywhere             anywhere            
3    IN_public_allow  all  --  anywhere             anywhere            

Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:rfb:5903 ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5902 ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:rfb ctstate NEW
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901 ctstate NEW

Chain IN_public_deny (1 references)
num  target     prot opt source               destination         

Chain IN_public_log (1 references)
num  target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
num  target     prot opt source               destination
# 



System is running firewalld
# ps -ef | grep iptables 
root      3634  6527  0 17:11 pts/1    00:00:00 grep --color=auto iptables
# ps -ef | grep firewalld
root      1064     1  0 Dec01 ?        00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root      3636  6527  0 17:11 pts/1    00:00:00 grep --color=auto firewalld
#


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Your system is using firewalld and not iptables, so all your iptables rules do not apply / are not processed.
 1  0 Dec01 ?        00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root      3636  6527  0 17:11 pts/1    00:00:00 grep --color=auto firewalld

You have to decide which. Use the firewall-cmd example with the port and see if that solves your issue, or go through the process to change your system from using firewalld to iptables....

But the answer: your system's firewall is blocking your access.
Brian S (retired geek)

Author

Commented:
I'm not sure I agree that firewalld is blocking the ports. Hence one of the reasons I'm looking for the "right" log file.....

As I have shown in the sixth previous post, the firewall is configured to allow the 5901 port through:

# firewall-cmd --permanent --zone=internal --list-all
internal (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client splunk ssh vnc-server
  ports: 5900-5902/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
#


If you have a command or other proof I am more than willing to look and try.

Using the VNC client I have tried to use the wrong password just as a test to see if the firewall was blocking. The clients only allow the correct VNC password access — in my mind that tells me that the firewall IS NOT blocking the ports.

5900 is the general normal port for registration and 5901 is for the first current session if memory serves.

Again not arguing — just trying to learn and understand what is going on with the system.

Cheers!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
OK, so that is out of the way,

You establish a VNC connection, did you set a password that you will use to authenticate via VNC?

I am not clear what your issue is.
On the client, you run vncviewer, connect to the remote server, get prompted for a password? After the password is provided the display opens and closes?

The log shows the client: "Client needs protocol version 3.8"

Logging in on the console of the system, do you have a desktop layout?
xstart is likely the cause of your issue. Which desktop environment are you using?
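The two handshake lines that keep appearing in the log, "Client needs protocol version 3.8" and "Client requests security type VncAuth(2)", are the RFB ProtocolVersion and SecurityType exchange that happens before any password is checked. The probe below is an added example, not code from this thread or from TigerVNC: it performs exactly that exchange against a server, reports which security types the server offers and hangs up without selecting one, so no password or challenge is ever sent. Because it cannot reach the poster's machine, a tiny in-process fake server (constructed for the example, not a real Xvnc) answers the probe on 127.0.0.1; the host, port and the fake server's type list are assumptions. VncAuth(2), the only type this server offers, is a DES challenge-response on a password of at most 8 characters and leaves the session itself unencrypted, which is why the unit file's own comment block says to bind to localhost and tunnel over SSH.

```python
import socket
import struct
import threading

SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VncAuth", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def probe_rfb(host, port, timeout=5.0):
    """Run the ProtocolVersion and SecurityType negotiation, then hang up.
    No security type is selected, so no password (or challenge) is ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)               # server speaks first: b"RFB 003.008\n"
        if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
            raise ValueError("not an RFB server: %r" % banner)
        version = (int(banner[4:7]), int(banner[8:11]))
        s.sendall(banner)   # answer with the same version; the server logs this reply as
                            # "Client needs protocol version 3.8"
        result = {"version": version, "security_types": [], "refused": None}
        if version >= (3, 7):
            count = _recv_exact(s, 1)[0]           # U8 number-of-security-types
            if count == 0:                         # server refuses: U32 length + reason
                (n,) = struct.unpack(">I", _recv_exact(s, 4))
                result["refused"] = _recv_exact(s, n).decode("latin-1", "replace")
            else:
                result["security_types"] = list(_recv_exact(s, count))
        else:                                      # RFB 3.3: server dictates one U32 type
            result["security_types"] = list(struct.unpack(">I", _recv_exact(s, 4)))
    result["names"] = [SECURITY_TYPES.get(t, f"type{t}") for t in result["security_types"]]
    return result


def assess(result):
    """Turn the offered types into a verdict a reviewer can act on."""
    offered = set(result["security_types"])
    if result["refused"] is not None:
        return "REFUSED: " + result["refused"]
    if 1 in offered:
        return "OPEN: 'None' accepted, anyone who can reach the port gets the desktop"
    if offered and offered <= {2}:
        return ("WEAK: VncAuth only (DES challenge on an 8-char password, cleartext "
                "session); bind with -localhost and reach it through an SSH tunnel")
    if offered & {18, 19}:
        return "ENCRYPTED: TLS/VeNCrypt offered (check the client actually selects it)"
    return "OTHER: " + ", ".join(result["names"])


def start_fake_rfb_server(security_types, version=b"RFB 003.008\n"):
    """Constructed stand-in for Xvnc (not real TigerVNC code) that answers exactly
    one probe on 127.0.0.1. Returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(version)                           # ProtocolVersion
            _recv_exact(conn, 12)                           # client's version reply
            conn.sendall(bytes([len(security_types)]) + bytes(security_types))
            try:
                _recv_exact(conn, 1)                        # would be the chosen type
            except OSError:
                pass                                        # probe hung up instead

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_fake_rfb_server([2])          # what the poster's log shows
    r = probe_rfb("127.0.0.1", port)
    print(r["version"], r["names"], "->", assess(r))
    srv.close()
```

Pointed at a real Xvnc (probe_rfb("centos7.local", 5901)) the server side of this exchange is what produces the "Connections: accepted" / "Client needs protocol version" / "Connections: closed" lines in ~/.vnc/host:1.log, with no AuthFailureException, because the probe never chooses a type.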
Brian S (retired geek)

Author

Commented:
Yes I have the GNOME desktop on my console on the server.

Yes password is set and is correct. I can validate that by using a bad password and it prompts me for the correct one.

In this code from the VNC log file:
Sat Dec  3 09:08:55 2016
 Connections: accepted: 192.168.1.8::56010
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 192.168.1.8::56010 (Authentication failure)

Sat Dec  3 09:09:11 2016
 Connections: accepted: 192.168.1.8::56011
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST:  Server default pixel format depth 24 (32bpp) little-endian rgb888

Sat Dec  3 09:09:12 2016
 VNCSConnST:  Client pixel format depth 24 (32bpp) little-endian rgb888
 Connections: closed: 192.168.1.8::56011 (Clean disconnection)
 SMsgWriter:  framebuffer updates 1
 SMsgWriter:    Tight rects 1, bytes 16
 SMsgWriter:    raw bytes equivalent 5242892, compression ratio 327680.750000



I can see the authentication failure, and the next one is successful; this is very good. And as you note, the log does tell me that the *CLIENT* needs protocol version 3.8. This is the interesting part: do RealVNC and OS X Chicken (the two popular clients for Windows and OS X) both need to be upgraded for RHEL7??? Or is there something else on my server?

I am now looking for the log of where and how xstart puts its logging.
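The server-side log quoted in the question (Nov 30) and again in the post above (Dec 3) already answers "what happened to each connection", and the arithmetic in it is worth doing once explicitly. An RFB raw-encoded rectangle is a 12-byte header (x, y, w, h, encoding) plus w*h*bytes-per-pixel of pixels; with the unit file's -geometry 1280x1024 at 32bpp one full-screen rectangle is 1280*1024*4 + 12 = 5242892 bytes, exactly the "raw bytes equivalent" in the log, and the 16-byte Tight rect that replaced it is the 12-byte header plus a 4-byte Tight fill (one control byte and a 3-byte colour). So after VncAuth succeeded, Xvnc sent the client a single solid-colour full screen (the black window the question describes), nothing else ever drew on the framebuffer, and the client disconnected. The classifier below is an added example, not code from the thread or from TigerVNC: it parses both kinds of session from a fixture built from the log lines above and labels them mechanically. The 1280x1024 default is taken from the poster's unit file; any other geometry is an assumption the caller must supply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

RAW_RECT_HEADER = 12   # x, y, w, h as U16 + S32 encoding type, per RFB rectangle
TIGHT_FILL_BYTES = 4   # Tight "fill" rect: 1 control byte + 3-byte colour at depth 24

# Constructed fixture: the two sessions quoted from the poster's log above.
SAMPLE_LOG = """\
Sat Dec  3 09:08:55 2016
 Connections: accepted: 192.168.1.8::56010
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 192.168.1.8::56010 (Authentication failure)

Sat Dec  3 09:09:11 2016
 Connections: accepted: 192.168.1.8::56011
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST:  Server default pixel format depth 24 (32bpp) little-endian rgb888
 VNCSConnST:  Client pixel format depth 24 (32bpp) little-endian rgb888
 Connections: closed: 192.168.1.8::56011 (Clean disconnection)
 SMsgWriter:  framebuffer updates 1
 SMsgWriter:    Tight rects 1, bytes 16
 SMsgWriter:    raw bytes equivalent 5242892, compression ratio 327680.750000
"""


@dataclass
class Session:
    peer: str
    security_type: Optional[str] = None
    auth_failed: bool = False
    close_reason: Optional[str] = None
    fb_updates: int = 0
    tight_rects: int = 0
    tight_bytes: int = 0
    raw_bytes: int = 0
    verdict: str = "unknown"


_RULES = [
    ("accept", re.compile(r"Connections: accepted: (\S+)")),
    ("sectype", re.compile(r"Client requests security type (\w+\(\d+\))")),
    ("authfail", re.compile(r"AuthFailureException")),
    ("close", re.compile(r"Connections: closed: (\S+) \((.*)\)")),
    ("updates", re.compile(r"framebuffer updates (\d+)")),
    ("tight", re.compile(r"Tight rects (\d+), bytes (\d+)")),
    ("raw", re.compile(r"raw bytes equivalent (\d+)")),
]


def parse_log(text: str) -> List[Session]:
    """Group the log into per-connection records. The SMsgWriter statistics are
    printed after the 'closed' line, so they are charged to the session named there."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        for kind, rx in _RULES:
            m = rx.search(line)
            if not m:
                continue
            if kind == "accept":
                current = Session(peer=m.group(1))
                sessions.append(current)
            elif kind == "close":
                current = next((s for s in sessions if s.peer == m.group(1)), current)
                if current:
                    current.close_reason = m.group(2)
            elif current is not None:
                if kind == "sectype":
                    current.security_type = m.group(1)
                elif kind == "authfail":
                    current.auth_failed = True
                elif kind == "updates":
                    current.fb_updates = int(m.group(1))
                elif kind == "tight":
                    current.tight_rects, current.tight_bytes = int(m.group(1)), int(m.group(2))
                elif kind == "raw":
                    current.raw_bytes = int(m.group(1))
            break
    return sessions


def full_screen_raw_bytes(width: int, height: int, bytes_per_pixel: int = 4) -> int:
    """Size of one raw-encoded rectangle covering the whole framebuffer."""
    return RAW_RECT_HEADER + width * height * bytes_per_pixel


def classify(s: Session, width: int, height: int) -> str:
    if s.auth_failed or (s.close_reason or "").startswith("Authentication"):
        return "auth_failure"
    solid_full_screen = (s.fb_updates == 1 and s.tight_rects == 1
                         and s.tight_bytes == RAW_RECT_HEADER + TIGHT_FILL_BYTES
                         and s.raw_bytes == full_screen_raw_bytes(width, height))
    if solid_full_screen:
        return "blank_frame_then_client_closed"   # Xvnc up, nothing drew on the desktop
    return "open" if s.close_reason is None else "normal"


def analyse(text: str, width: int = 1280, height: int = 1024) -> List[Session]:
    """width/height default to the -geometry in the poster's unit file."""
    sessions = parse_log(text)
    for s in sessions:
        s.verdict = classify(s, width, height)
    return sessions
```

Run it over the real file with analyse(open("/home/vncuser/.vnc/centos7.local:1.log").read()). A "blank_frame_then_client_closed" verdict means the VNC layer (firewall, port, password) is fine and the thing to debug is what ~/.vnc/xstartup launched, or failed to launch, on display :1.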
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I think the issue is that your xstart script that runs xinitrc from the VNC cannot actually run/launch the graphical environment, and this is why the connection terminates: the desktop startup fails.

Try adding GDM to your xstart script to see if xinitrc will launch/load GDM (GNOME DISPLAY MANAGER)

On the line
exec /etc/X11/xinit/xinitrc
change to
exec /etc/X11/xinit/xinitrc GDM

and try again.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Or GNOME ..... versus GDM.

Ref. the CentOS 6 config guide, which deals with setting it up:
https://wiki.centos.org/HowTos/VNC-Server

You might have missed a step in the guide you followed to set it up.
Brian S (retired geek)

Author

Commented:
So I amended the /home/vncuser/.vnc/xstart :

# ls -l xstartup
-rwxr-xr-x. 1 vncuser vncuser 96 Dec  3 14:47 xstartup
# cat xstartup
#!/bin/sh

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /etc/X11/xinit/xinitrc GDM
# 



no change

# ls -la /lib/systemd/system/vncserve*
-rw-r--r--. 1 root root 1738 Dec  3 14:55 /lib/systemd/system/vncserver@:1.service
-rw-r--r--. 1 root root 1738 Mar 31  2016 /lib/systemd/system/vncserver@.service
#
# cat /lib/systemd/system/vncserver@\:1.service 
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
# 


Brian S (retired geek)

Author

Commented:
Sorry, I got tired. I changed the /usr/lib/systemd/system files back to the original.

These are the files I meant to post. I did try to add some debugging to the "vncserver@:1.service" file, but did not get any output sent to the VNC log file or any place else.

# ls -la /etc/systemd/system/vncserver@*
-rw-r--r--. 1 root root 1935 Dec  3 16:23 /etc/systemd/system/vncserver@:1.service
-rw-r--r--. 1 root root 1760 Nov 30 15:48 /etc/systemd/system/vncserver@:2.service
-rw-r--r--. 1 root root 1760 Nov 30 15:44 /etc/systemd/system/vncserver@.service
#
# more /etc/systemd/system/vncserver@*
::::::::::::::
/etc/systemd/system/vncserver@:1.service
::::::::::::::
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/echo \"base: $0 isrunning \"; /usr/bin/vncserver -kill %i || :'
#ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/echo \"base: $0 isrunning \"; /usr/bin/vncserver -kill %i || :'
#ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
::::::::::::::
/etc/systemd/system/vncserver@:2.service
::::::::::::::
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
::::::::::::::
/etc/systemd/system/vncserver@.service
::::::::::::::
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@.service
# 2. Edit <USER> and vncserver parameters appropriately
#   ("runuser -l <USER> -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
#

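Two notes on the unit files above. First, the echo added to ExecStartPre and ExecStop does produce output, but systemd sends a unit's stdout to the journal, not to ~/.vnc/*.log; journalctl -u 'vncserver@:1.service' is where it lands. Second, the comment block at the top of every copy explains the hardening the unit ships with but none of the three ExecStart lines applies it: without -localhost, Xvnc listens on every interface with VncAuth as the only protection. The helper below is an added example, not code from the thread or from TigerVNC: it pulls the real vncserver argv out of the runuser -c "..." wrapper, reports whether -localhost and -nolisten tcp are present, emits a hardened ExecStart line, and derives the ssh -L 590N:localhost:590M hostB command from the display numbers (display :N is TCP port 5900+N). The ExecStart line is the poster's; the host name hostB and the display numbers passed to tunnel_command are assumptions.

```python
import shlex

VNC_BASE_PORT = 5900

# Constructed input: the ExecStart line from the poster's vncserver@.service.
WEAK_EXEC_START = ('ExecStart=/usr/sbin/runuser -l vncuser '
                   '-c "/usr/bin/vncserver %i -geometry 1280x1024"')


def _split_exec_start(exec_start):
    """Return (key, outer argv, index of the wrapped command or None).
    runuser -c "<cmd>" hides the real vncserver argv inside one quoted word."""
    key, value = exec_start.split("=", 1)
    outer = shlex.split(value)
    idx = outer.index("-c") + 1 if "-c" in outer else None
    return key, outer, idx


def vncserver_args(exec_start):
    key, outer, idx = _split_exec_start(exec_start)
    return shlex.split(outer[idx]) if idx is not None else outer


def _has_nolisten_tcp(args):
    return any(a == "-nolisten" and args[i + 1:i + 2] == ["tcp"] for i, a in enumerate(args))


def audit_exec_start(exec_start):
    args = vncserver_args(exec_start)
    return {
        "program": args[0],
        "display": next((a for a in args[1:] if a == "%i" or a.startswith(":")), None),
        "geometry": args[args.index("-geometry") + 1] if "-geometry" in args else None,
        "localhost": "-localhost" in args,        # Xvnc binds 127.0.0.1 only
        "nolisten_tcp": _has_nolisten_tcp(args),  # no X11 (6000+N) TCP listener either
    }


def harden_exec_start(exec_start):
    """Same unit line with -localhost and -nolisten tcp appended where missing."""
    key, outer, idx = _split_exec_start(exec_start)
    args = shlex.split(outer[idx]) if idx is not None else list(outer)
    if "-localhost" not in args:
        args.append("-localhost")
    if not _has_nolisten_tcp(args):
        args += ["-nolisten", "tcp"]
    if idx is None:
        return key + "=" + " ".join(args)
    outer[idx] = " ".join(args)
    return key + "=" + " ".join(shlex.quote(a) for a in outer)


def display_port(display):
    return VNC_BASE_PORT + int(display)


def tunnel_command(local_display, remote_display, host):
    """ssh -L 590N:localhost:590M hostB, as in the unit file's comment block."""
    return (f"ssh -v -C -L {display_port(local_display)}:localhost:"
            f"{display_port(remote_display)} {host}")


if __name__ == "__main__":
    print(audit_exec_start(WEAK_EXEC_START))
    hardened = harden_exec_start(WEAK_EXEC_START)
    print(hardened)
    print(audit_exec_start(hardened))
    print(tunnel_command(1, 1, "hostB"), "then point the viewer at localhost:1")
```

Once the hardened line is in place (systemctl daemon-reload, then restart the unit), the firewalld entries for 5900-5902/tcp stop mattering: only the SSH tunnel endpoint on 127.0.0.1 can reach Xvnc, and the VncAuth exchange travels inside SSH.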

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Please look at the CentOS VNC setup guide for version 6 of the OS, section 2.5.
Which guide did you follow to set up? Or did you just follow the yum install vncserver, etc., and that is as far as it went ....

The startx/xstart would be run by the local user under whose rights you will be running, not the vncuser under whose rights the vncserver is running...

At this point, I think the issue is that after the VNC session is established it fails to start the GUI for the local user under whose rights it will run.

i.e. johnd, janed, maryp, etc. each has to have a .vnc..... directive on what their desktop environment is to be like....
Brian S (retired geek)

Author

Commented:
The installation that I followed was:  

RHEL 7 Basic Installation - CHAPTER 11. Tiger VNC

I am trying to set up the system just for one simple user (me) to do the remote console access, so the vncuser should work for me. TigerVNC seems to be configured starting with RHEL6. If it were a permissions problem for the GUI, where would those errors be found? I'd think at some point I'd see access or permission errors in the log files.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
It is not a question of permission, but of xinitrc not starting the GUI environment at all and possibly terminating, severing the connection.

The link I posted includes some info in section 2.5 that might help resolve your situation.

IMHO, ssh with X windowing requires no significant change. But it is true I do not know what you are planning for ......

ssh is built in / included with Mac; PuTTY is a nice little utility for Windows.

If there is a log, look within the vncuser's ~/.X* files or within the .vnc folder.

Before initiating the VNC connection, on the server run ps -ef | grep vnc
strace -f -p <PID of vnc server>
# this will look at what the server is doing....
Now on the client initiate a VNC connection to the server.
See what error is output in the server window where strace is looking, to find what error caused the session termination.

Duncan RoeSoftware Developer
CERTIFIED EXPERT
Commented:
Just a quick note regarding tcpdump: it will show you packets that the firewall is going to drop. tcpdump gets in earlier than iptables.
Brian S (retired geek)

Author

Commented:
Thank you one and all -- this has been a rough road for me. What I did was totally reloaded my CentOS 7 with RHEL 7 developers license. Reinstalled Tiger-VNC and it all seems to be working!

The only weird part is that from OS X none of the VNC connections would connect, *BUT* when I used a Fedora VNC client it did connect and the session was looking for a prompt for a proxy session, which I cancelled (not using proxies). Every time *AFTER* that the VNC sessions all worked.

I wonder if the CentOS 7 has the same issue -- that first connection needs to be a Fedora (or whatever Linux client)

More testing for that later.