;; Configuration for xrdp-sesman (the xrdp session manager).
;; See `man 5 sesman.ini` for details
;
; Lines starting with ';' are commentary; lines starting with '#' are
; settings left commented out, shown with an example or default value.
; @sesmansysconfdir@ is a placeholder, presumably substituted with the
; sesman configuration directory at build/install time.
;
; Security-relevant settings in this file: [Security] (who may log in, and
; clipboard transfer), [Sessions] (how long sessions survive a disconnect),
; [Chansrv] FileUmask (permissions on redirected drives), and the
; -nolisten/-localhost parameters under [Xorg] and [Xvnc].

[Globals]
; listening port
#ListenPort=sesman.socket
EnableUserWindowManager=true
; Give in relative path to user's home directory
; NOTE(review): with EnableUserWindowManager=true this script is taken from
; the user's own home directory, so each user controls what runs at session
; start - confirm that is intended on shared or locked-down hosts.
UserWindowManager=startwm.sh
; Give in full path or relative path to @sesmansysconfdir@
DefaultWindowManager=startwm.sh
; Give in full path or relative path to @sesmansysconfdir@
ReconnectScript=reconnectwm.sh

[Security]
; NOTE(review): true permits the root account to open a session over RDP.
; Set to false unless root sessions are a stated requirement; administrators
; can log in as themselves and elevate, which keeps actions attributable.
AllowRootLogin=true
; Number of login attempts allowed - see sesman.ini(5) for the exact scope.
; NOTE(review): presumably this is not an account lockout; confirm, and rely
; on the authentication stack for throttling repeated failures.
MaxLoginRetry=4
; Groups consulted for access control; the names are looked up on the host.
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
; NOTE(review): false therefore fails open - if the tsusers group does not
; exist, the group restriction does not apply. Create the group and set this
; to true to restrict RDP logins to its members.
AlwaysGroupCheck=false
; When RestrictOutboundClipboard=all clipboard from the
; server is not pushed to the client.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
;   true: an alias of all
;   false: an alias of none
;   yes: an alias of all
; NOTE(review): none leaves server-to-client clipboard unrestricted, which is
; a path for data to leave the server. Restrict it (all, or a subset such as
; file) where the host holds data that must not be copied out.
RestrictOutboundClipboard=none
; When RestrictInboundClipboard=all clipboard from the
; client is not pushed to the server.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
;   true: an alias of all
;   false: an alias of none
;   yes: an alias of all
; NOTE(review): none leaves client-to-server clipboard unrestricted; restrict
; it where files or content from client machines should not reach the server.
RestrictInboundClipboard=none
; Set to 'no' to prevent users from logging in with alternate shells
#AllowAlternateShell=true
; On Linux systems, the Xorg X11 server is normally invoked using
; no_new_privs to avoid problems if the executable is suid. This may,
; however, interfere with the use of security modules such as AppArmor.
; Leave this unset unless you need to disable it.
#XorgNoNewPrivileges=true
; Specify the group which is to have read access to the directory where
; local sockets for the session are created. This is normally the GID
; which the xrdp process runs as.
; Default is 'root'
#SessionSockdirGroup=root

[Sessions]
;; X11DisplayOffset - x11 display number offset
; Type: integer
; Default: 10
X11DisplayOffset=10

;; MaxSessions - maximum number of connections to an xrdp server
; Type: integer
; Default: 0
MaxSessions=50

;; MaxDisplayNumber - maximum number considered for an X display
; Type: integer
; Default: 63
;
; IANA only allocates TCP ports up to 6063 for X servers. If you are not
; allowing TCP connections to your X servers you may safely increase this
; number.
#MaxDisplayNumber=63

;; KillDisconnected - kill disconnected sessions
; Type: boolean
; Default: false
; if 1, true, or yes, every session will be killed within DisconnectedTimeLimit
; seconds after the user disconnects
; NOTE(review): with false, a disconnected session is not killed by sesman
; and stays available to be rejoined (see Policy below). Enable this together
; with DisconnectedTimeLimit if abandoned sessions should not linger.
KillDisconnected=false

;; DisconnectedTimeLimit (seconds) - wait before kill disconnected sessions
; Type: integer
; Default: 0
; if KillDisconnected is set to false, this value is ignored
DisconnectedTimeLimit=0

;; IdleTimeLimit (seconds) - wait before disconnect idle sessions
; Type: integer
; Default: 0
; Set to 0 to disable idle disconnection.
; NOTE(review): 0 means an unattended client stays connected indefinitely;
; set a limit where an idle-session timeout is required.
IdleTimeLimit=0

;; Policy - session allocation policy
;
;  Type: enum [ "Default" | "Separate" | Combination from {UBDI} ]
;  "Default"     Currently same as "UB"
;  "Separate"    All sessions are separate. Sessions can never be rejoined,
;                and will need to be cleaned up manually, or automatically
;                by setting other sesman options.
;
;  Combination options:-
;      U         Sessions are separated per user
;      B         Sessions are separated by bits-per-pixel
;      D         Sessions are separated by initial display size
;      I         Sessions are separated by IP address
;
;   The options U and B are always active, and cannot be de-selected.
Policy=Default

[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
; NOTE(review): EnableSyslog=true also sends sesman messages to syslog, which
; lets them be collected centrally; keep it on where session activity is
; audited. Verbose levels (debug, trace) are best kept for troubleshooting.
LogFile=xrdp-sesman.log
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[LoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#sesman.c=INFO
#main()=INFO

;
; Session definitions - startup command-line parameters for each session type
;

[Xorg]
; Specify the path of non-suid Xorg executable. It might differ depending
; on your distribution and version. Find out the appropriate path for your
; environment. The typical path is known as follows:
;
; Fedora 26 or later    :  param=/usr/libexec/Xorg
; Debian 9 or later     :  param=/usr/lib/xorg/Xorg
; Ubuntu 16.04 or later :  param=/usr/lib/xorg/Xorg
; Arch Linux            :  param=/usr/lib/Xorg
; CentOS 7              :  param=/usr/bin/Xorg or param=Xorg
; CentOS 8              :  param=/usr/libexec/Xorg
; FreeBSD (from 2022Q4) :  param=/usr/local/libexec/Xorg
;
param=Xorg
; Leave the rest parameters as-is unless you understand what will happen.
; The "-nolisten tcp" pair stops the X server from accepting X11 connections
; over TCP; keep it so the session display is not reachable from the network.
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp
param=-logfile
param=.xorgxrdp.%s.log

[Xvnc]
; "-nolisten tcp" disables X11 over TCP and "-localhost" limits VNC
; connections to the local host; keep both so the backend VNC server is only
; reachable through xrdp on this machine.
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96

[Chansrv]
; drive redirection
; See sesman.ini(5) for the format of this parameter
#FuseMountName=/run/user/%u/thinclient_drives
#FuseMountName=/media/thinclient_drives/%U/thinclient_drives
FuseMountName=thinclient_drives
; this value allows only the user to access their own mapped drives.
; Make this more permissive (e.g. 022) if required.
; NOTE(review): a more permissive umask such as 022 would let other local
; users read the contents of a user's redirected client drives; keep 077
; unless sharing is explicitly needed.
FileUmask=077
; Can be used to disable FUSE functionality - see sesman.ini(5)
#EnableFuseMount=false
; Uncomment this line only if you are using GNOME 3 versions 3.29.92
; and up, and you wish to cut-paste files between Nautilus and Windows. Do
; not use this setting for GNOME 4, or other file managers
#UseNautilus3FlistFormat=true

; sound redirection
; workaround for Microsoft mstsc.exe to suppress noise.
; SoundNumSilentFramesAAC | SoundNumSilentFramesMP3 silent frames are sent before SNDC_CLOSE is sent.
; during SoundMsecDoNotSend ms after SNDC_CLOSE is sent, sound data is not sent.
; depending on the environment, it might be necessary to increase values.
; Defaults: SoundNumSilentFramesAAC=4, SoundNumSilentFramesMP3=2, SoundMsecDoNotSend=1000
; If set to 0, this workaround is not applied.
#SoundNumSilentFramesAAC=4
#SoundNumSilentFramesMP3=2
#SoundMsecDoNotSend=1000

[ChansrvLogging]
; Note: one log file is created per display and the LogFile config value
; is ignored. The channel server log file names follow the naming convention:
; xrdp-chansrv.${DISPLAY}.log
;
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[ChansrvLoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#chansrv.c=INFO
#main()=INFO

[SessionVariables]
; Each entry here is presumably exported as an environment variable into the
; session - confirm in sesman.ini(5).
PULSE_SCRIPT=@sesmansysconfdir@/pulse/default.pa