2

I can connect to server with sudo user but not non-sudo user. /var/log/xrdp-sesman.log indicates X server is not starting up.

Failed Login: xrdp-sesman.log

```
[20231018-13:08:12] [INFO ] Socket 12: AF_INET6 connection received from ::1 port 45494
[20231018-13:08:13] [INFO ] ++ created session (access granted): username testuser, ip ::ffff:192.168.1.146:49982 - socket: 12
[20231018-13:08:13] [INFO ] starting Xorg session...
[20231018-13:08:13] [INFO ] Starting session: session_pid 2557, display :11.0, width 1920, height 1080, bpp 24, client ip ::ffff:192.168.1.146:49982 - socket: 12, user name testuser
[20231018-13:08:13] [INFO ] [session start] (display 11): calling auth_start_session from pid 2557
[20231018-13:08:13] [ERROR] sesman_data_in: scp_process_msg failed
[20231018-13:08:13] [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans
[20231018-13:08:13] [INFO ] Starting X server on display 11: /usr/lib/xorg/Xorg :11 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
[20231018-13:08:23] [WARN ] Timed out waiting for X server on display 11 to startup
[20231018-13:08:23] [INFO ] Session started successfully for user testuser on display 11
[20231018-13:08:23] [INFO ] Starting the xrdp channel server for display 11
[20231018-13:08:23] [INFO ] Session in progress on display 11, waiting until the window manager (pid 2614) exits to end the session
[20231018-13:08:23] [WARN ] Timed out waiting for X server on display 11 to startup
[20231018-13:08:23] [ERROR] There is no X server active on display 11
[20231018-13:08:23] [ERROR] A fatal error has occurred attempting to start the window manager on display 11, aborting connection
[20231018-13:08:23] [WARN ] Window manager (pid 2614, display 11) exited quickly (0 secs). This could indicate a window manager config problem
[20231018-13:08:23] [INFO ] Calling auth_stop_session and auth_end from pid 2557
[20231018-13:08:23] [INFO ] Terminating X server (pid 2615) on display 11
[20231018-13:08:23] [INFO ] Terminating the xrdp channel server (pid 2820) on display 11
[20231018-13:08:23] [INFO ] X server on display 11 (pid 2615) returned exit code 1 and signal number 0
[20231018-13:08:23] [INFO ] xrdp channel server for display 11 (pid 2820) exit code 1 and signal number 0
[20231018-13:08:23] [INFO ] cleanup_sockets:
[20231018-13:08:23] [INFO ] Process 2557 has exited
[20231018-13:08:23] [INFO ] ++ terminated session: username testuser, display :11.0, session_pid 2557, ip ::ffff:192.168.1.146:49982 - socket: 12
```

xrdp.log

```
[20231018-13:08:10] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.1.146 port 49981
[20231018-13:08:10] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20231018-13:08:10] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20231018-13:08:10] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20231018-13:08:10] [WARN ] Cannot accept TLS connections because certificate or private key file is not readable. certificate file: [/etc/xrdp/cert.pem], private key file: [/etc/xrdp/key.pem]
[20231018-13:08:10] [INFO ] Security protocol: configured [RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [RDP]
[20231018-13:08:10] [ERROR] libxrdp_force_read: header read error
[20231018-13:08:10] [ERROR] Processing [ITU-T T.125] Connect-Initial failed
[20231018-13:08:10] [ERROR] [MCS Connection Sequence] receive connection request failed
[20231018-13:08:10] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.1.146 port 49982
[20231018-13:08:10] [ERROR] xrdp_sec_incoming: xrdp_mcs_incoming failed
[20231018-13:08:10] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20231018-13:08:10] [ERROR] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20231018-13:08:10] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20231018-13:08:10] [ERROR] xrdp_process_main_loop: libxrdp_process_incoming failed
[20231018-13:08:10] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20231018-13:08:10] [ERROR] xrdp_iso_send: trans_write_copy_s failed
[20231018-13:08:10] [WARN ] Cannot accept TLS connections because certificate or private key file is not readable. certificate file: [/etc/xrdp/cert.pem], private key file: [/etc/xrdp/key.pem]
[20231018-13:08:10] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
[20231018-13:08:10] [INFO ] Security protocol: configured [RDP], requested [RDP], selected [RDP]
[20231018-13:08:10] [INFO ] Connected client computer name: L60P05S2
[20231018-13:08:10] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
[20231018-13:08:10] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
[20231018-13:08:10] [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000409]
[20231018-13:08:10] [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [us] options []
[20231018-13:08:10] [INFO ] Non-TLS connection established from ::ffff:192.168.1.146 port 49982: with security level : high
[20231018-13:08:10] [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
[20231018-13:08:10] [INFO ] xrdp_process_offscreen_bmpcache: support level 1 cache size 5242880 MB cache entries 100
[20231018-13:08:10] [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
[20231018-13:08:10] [WARN ] xrdp_caps_process_codecs: unknown codec id 5
[20231018-13:08:10] [INFO ] xrdp_caps_process_codecs: RemoteFX, codec id 3, properties len 49
[20231018-13:08:10] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20231018-13:08:10] [WARN ] local keymap file for 0x00000409 found and doesn't match built in keymap, using local keymap file
[20231018-13:08:12] [INFO ] connecting to sesman on 127.0.0.1:3350
[20231018-13:08:13] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20231018-13:08:13] [INFO ] sesman connect ok
[20231018-13:08:13] [INFO ] sending login info to session manager. Please wait...
[20231018-13:08:13] [INFO ] xrdp_wm_log_msg: login successful for user testuser on display 11
[20231018-13:08:13] [INFO ] login successful for user testuser on display 11
[20231018-13:08:13] [INFO ] loaded module 'libxup.so' ok, interface size 10296, version 4
[20231018-13:08:13] [INFO ] started connecting
[20231018-13:08:13] [INFO ] lib_mod_connect: connecting via UNIX socket
[20231018-13:09:55] [INFO ] connection problem, giving up
[20231018-13:09:55] [INFO ] some problem
[20231018-13:09:55] [ERROR] xrdp_sec_send_fastpath: xrdp_fastpath_send failed
[20231018-13:09:55] [ERROR] xrdp_rdp_send_fastpath: xrdp_sec_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_orders_send: xrdp_rdp_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_sec_send_fastpath: xrdp_fastpath_send failed
[20231018-13:09:55] [ERROR] xrdp_rdp_send_fastpath: xrdp_sec_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_orders_send: xrdp_rdp_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_sec_send_fastpath: xrdp_fastpath_send failed
[20231018-13:09:55] [ERROR] xrdp_rdp_send_fastpath: xrdp_sec_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_orders_send: xrdp_rdp_send_fastpath failed
[20231018-13:09:55] [ERROR] xrdp_wm_log_msg: Error connecting to user session
[20231018-13:09:55] [INFO ] Error connecting to user session
```

sesman.ini

```
[Globals]
ListenAddress=127.0.0.1
ListenPort=3350
EnableUserWindowManager=true
; Give in relative path to user's home directory
UserWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
DefaultWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
ReconnectScript=reconnectwm.sh

[Security]
AllowRootLogin=false
MaxLoginRetry=4
#TerminalServerUsers=tsusers
TerminalServerUsers=TerminalServerUsers
TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
AlwaysGroupCheck=true
; When RestrictOutboundClipboard=all clipboard from the
; server is not pushed to the client.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
; true: an alias of all
; false: an alias of none
; yes: an alias of all
RestrictOutboundClipboard=none
; When RestrictInboundClipboard=all clipboard from the
; client is not pushed to the server.
; In addition, you can control text/file/image transfer restrictions
; respectively. It also accepts comma separated list such as text,file,image.
; To keep compatibility, some aliases are also available:
; true: an alias of all
; false: an alias of none
; yes: an alias of all
RestrictInboundClipboard=none

[Sessions]
;; X11DisplayOffset - x11 display number offset
; Type: integer
; Default: 10
X11DisplayOffset=10

;; MaxSessions - maximum number of connections to an xrdp server
; Type: integer
; Default: 0
MaxSessions=50

;; KillDisconnected - kill disconnected sessions
; Type: boolean
; Default: false
; if 1, true, or yes, every session will be killed within DisconnectedTimeLimit
; seconds after the user disconnects
KillDisconnected=false

;; DisconnectedTimeLimit (seconds) - wait before kill disconnected sessions
; Type: integer
; Default: 0
; if KillDisconnected is set to false, this value is ignored
DisconnectedTimeLimit=0

;; IdleTimeLimit (seconds) - wait before disconnect idle sessions
; Type: integer
; Default: 0
; Set to 0 to disable idle disconnection.
IdleTimeLimit=0

;; Policy - session allocation policy
; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ]
; "Default" session per <User,BitPerPixel>
; "UBD" session per <User,BitPerPixel,DisplaySize>
; "UBI" session per <User,BitPerPixel,IPAddr>
; "UBC" session per <User,BitPerPixel,Connection>
; "UBDI" session per <User,BitPerPixel,DisplaySize,IPAddr>
; "UBDC" session per <User,BitPerPixel,DisplaySize,Connection>
Policy=Default

[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogFile=xrdp-sesman.log
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[LoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#sesman.c=INFO
#main()=INFO

;
; Session definitions - startup command-line parameters for each session type
;

[Xorg]
; Specify the path of non-suid Xorg executable. It might differ depending
; on your distribution and version. Find out the appropriate path for your
; environment. The typical path is known as follows:
;
; Fedora 26 or later : param=/usr/libexec/Xorg
; Debian 9 or later : param=/usr/lib/xorg/Xorg
; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg
; Arch Linux : param=/usr/lib/Xorg
; CentOS 7 : param=/usr/bin/Xorg or param=Xorg
; CentOS 8 : param=/usr/libexec/Xorg
; FreeBSD (from 2022Q4) : param=/usr/local/libexec/Xorg
;
param=/usr/lib/xorg/Xorg
; Leave the rest parameters as-is unless you understand what will happen.
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp
param=-logfile
param=.xorgxrdp.%s.log

[Xvnc]
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96

[Chansrv]
; drive redirection
; See sesman.ini(5) for the format of this parameter
#FuseMountName=/run/user/%u/thinclient_drives
#FuseMountName=/media/thinclient_drives/%U/thinclient_drives
FuseMountName=thinclient_drives
; this value allows only the user to access their own mapped drives.
; Make this more permissive (e.g. 022) if required.
FileUmask=077
; Can be used to disable FUSE functionality - see sesman.ini(5)
#EnableFuseMount=false
; Uncomment this line only if you are using GNOME 3 versions 3.29.92
; and up, and you wish to cut-paste files between Nautilus and Windows. Do
; not use this setting for GNOME 4, or other file managers
#UseNautilus3FlistFormat=true

[ChansrvLogging]
; Note: one log file is created per display and the LogFile config value
; is ignored. The channel server log file names follow the naming convention:
; xrdp-chansrv.${DISPLAY}.log
;
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[ChansrvLoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#chansrv.c=INFO
#main()=INFO

[SessionVariables]
PULSE_SCRIPT=/etc/xrdp/pulse/default.pa
```

1
  • I was able to get this working by deleting the user then creating it with "adduser" as opposed to "useradd". Probably something to do with not having a home directory. Commented Oct 18, 2023 at 21:41

1 Answer

2

Thanks article. After

```
sudo adduser xrdp ssl-cert
```

and restart PC, xrdp works for my Ubuntu 22. No more problems like

```
$ sudo journalctl --since="- 2 minutes"
xrdp[2275]: (2275)(139923607619392)[ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
```
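
The unreadable key in the question's xrdp.log has a second effect beyond the error line: the server drops to classic RDP security even though the client offered TLS. The following is an added example (not code from the post or from the xrdp project) that triages an xrdp.log for that fallback; the function name `triage` and the regexes are assumptions derived from the log lines quoted in the question.

```python
import re

# Lines copied from the xrdp.log quoted in the question (offline sample input).
SAMPLE_LOG = """\
[20231018-13:08:10] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20231018-13:08:10] [INFO ] Security protocol: configured [RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [RDP]
[20231018-13:08:10] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20231018-13:08:10] [INFO ] Security protocol: configured [RDP], requested [RDP], selected [RDP]
[20231018-13:08:10] [INFO ] Non-TLS connection established from ::ffff:192.168.1.146 port 49982: with security level : high
"""

LINE = re.compile(r"^\[(?P<ts>\d{8}-\d{2}:\d{2}:\d{2})\] \[(?P<level>\w+)\s*\] (?P<msg>.*)$")
KEY_ERR = re.compile(r"Cannot read private key file (?P<path>\S+): (?P<why>.+)")
PROTO = re.compile(r"Security protocol: configured \[(?P<cfg>[^\]]*)\], "
                   r"requested \[(?P<req>[^\]]*)\], selected \[(?P<sel>[^\]]*)\]")
NON_TLS = re.compile(r"Non-TLS connection established from (?P<ip>\S+) port (?P<port>\d+)")
TLS_BASED = {"SSL", "HYBRID", "HYBRID_EX"}  # protocol names as they appear in the log


def triage(log_text):
    """Return unreadable key paths, TLS-to-RDP fallbacks and non-TLS clients."""
    findings = {"unreadable_keys": set(), "downgrades": [], "non_tls_clients": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or foreign lines
        ts, msg = m["ts"], m["msg"]
        if (k := KEY_ERR.search(msg)):
            findings["unreadable_keys"].add(k["path"])
        elif (p := PROTO.search(msg)):
            # A fallback only counts when the client offered a TLS-based
            # protocol and the server still selected classic RDP security.
            if p["sel"] == "RDP" and TLS_BASED & set(p["req"].split("|")):
                findings["downgrades"].append((ts, p["req"]))
        elif (n := NON_TLS.search(msg)):
            findings["non_tls_clients"].append((ts, n["ip"], int(n["port"])))
    return findings


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```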
