Secure Global Desktop 4.40 Administration Guide > Applications, Documents, and Application Servers > Applications Fail To Start When X Authorization Is Enabled

Applications Fail To Start When X Authorization Is Enabled

In a default SGD installation, X authorization is enabled. If there are any problems with X authorization, users cannot start applications. If applications fail to launch because of X authorization, the message "Failed to find xauth" or "Attempt to run xauth failed" displays in the application launch details dialog and in the log files.

Use the following checklist to establish why X authorization causes application launches to fail:

Is X authorization installed on the application server?

Is X authorization installed on the application server?	For SGD to be able to use X authorization, xauth must be installed on every application server. If xauth is not installed, you must either install it or deselect the X Authorization for X Display checkbox on the Global Settings » Security tab in the SGD Administration Console. Note This disables X authorization for the entire array.
Can SGD find the xauth binary?	If the message "Failed to find xauth" displays in the application launch dialog or log files, SGD cannot find the xauth binary. By default, SGD searches the following locations for the xauth binary: `/usr/bin/X11/xauth` `/usr/X/bin/xauth` `/usr/X11R6/bin/xauth` `/usr/bin/X/xauth` `/usr/openwin/bin/xauth` If the xauth binary is in a different location, you must add its location to the `/opt/tarantella/var/serverresources/expect/vars.exp` login script. Look for the line beginning "`set xauthcmds`". Note If the xauth binary is only in one location, you can speed up application launches by removing the unnecessary locations from the `vars.exp` login script.
Does the user have a UNIX account on the application server?	When the user starts an application, the SGD X Protocol Engine generates a cookie and stores it in the `.Xauthority` file in the user's home directory on the application server. The cookie is used to validate whether or not the user has permission to connect to the X display. If the user does not have a home directory, the cookie cannot be stored in the user's `.Xauthority` file and so the user cannot be validated. You can do any of the following: Create a UNIX account for the user on the application server Disable X authorization by deselect the X Authorization for X Display checkbox on the Global Settings » Security tab in the SGD Administration Console Edit the login script so that the cookie is stored in a temporary directory The launch script you need to edit is `/opt/tarantella/var/serverresources/expect/procs.exp`. Change the following line: `execute "[lindex $xauthcmds $i] add $XDISPLAY . $xauthcookie\n"` to something like: `execute "[lindex $xauthcmds $i] -f /tmp/.xauth$username add $XDISPLAY . $xauthcookie\n"`

For SGD to be able to use X authorization, xauth must be installed on every application server.

If xauth is not installed, you must either install it or deselect the X Authorization for X Display checkbox on the Global Settings » Security tab in the SGD Administration Console.

Note This disables X authorization for the entire array.

Can SGD find the xauth binary?

If the message "Failed to find xauth" displays in the application launch dialog or log files, SGD cannot find the xauth binary. By default, SGD searches the following locations for the xauth binary:

/usr/bin/X11/xauth
/usr/X/bin/xauth
/usr/X11R6/bin/xauth
/usr/bin/X/xauth
/usr/openwin/bin/xauth

If the xauth binary is in a different location, you must add its location to the /opt/tarantella/var/serverresources/expect/vars.exp login script. Look for the line beginning "set xauthcmds".

Note If the xauth binary is only in one location, you can speed up application launches by removing the unnecessary locations from the vars.exp login script.

Does the user have a UNIX account on the application server?

When the user starts an application, the SGD X Protocol Engine generates a cookie and stores it in the .Xauthority file in the user's home directory on the application server. The cookie is used to validate whether or not the user has permission to connect to the X display.

If the user does not have a home directory, the cookie cannot be stored in the user's .Xauthority file and so the user cannot be validated.

You can do any of the following:

Create a UNIX account for the user on the application server
Disable X authorization by deselect the X Authorization for X Display checkbox on the Global Settings » Security tab in the SGD Administration Console
Edit the login script so that the cookie is stored in a temporary directory

The launch script you need to edit is /opt/tarantella/var/serverresources/expect/procs.exp.
Change the following line:
execute "[lindex $xauthcmds $i] add $XDISPLAY . $xauthcookie\n"
to something like:
execute "[lindex $xauthcmds $i] -f /tmp/.xauth$username add $XDISPLAY . $xauthcookie\n"

Further Logging

If the checklist above does not help you resolve problems with X authorization, check the log file in /opt/tarantella var/log. The log file is execpePID_error.log.

If this does not help, you can increase the amount of information that is logged. To do this, you amend the log filter for the SGD array and enable debugging in the login script.

Yo amend the log filter you use the following command:

$ tarantella config edit --tarantella-config-execpeconfig-logfilter

In a default installation, the following filters are set:

execpe/*/*error,pem/*/*error,launchhelper/*/*error

Change the filters to:

execpe/*/*,pem/*/*,launchhelper/*/*error

To enable debugging in the login script, edit the /opt/tarantella/var/serverresources/expect/unix.exp file and uncomment out the startdebug line.

Related Topics
Security and SGD