Authenticate NX server with Winbind (Redhat)

  • #15326
    elad.azary
    Participant

    Hi,

    In order to authenticate users with Active Directory I’ve configured a Red Hat instance with Winbind.

    Currently AD users can authenticate using ssh, but it doesn’t work with NXClient.

    * I can login using ssh public key

    I’ve configured a connection on the NXClient using Kerberos authentication, but when I try to access the server with my username I receive the following error:

    NXSERVER WARNING! gssOpenAuth: Default kerberos ticket is absent.

    NXSERVER ERROR! Sending error message ‘NX> 500 ERROR: Kerberos GSS token is not verified.’


    Configuration files:

    /etc/pam.d/nx:

    auth       include       su
    account    include       su
    password   include       su
    session    optional      pam_loginuid.so
    session    include       su

    /etc/samba/smb.conf:

    workgroup = MYDOMAIN
    password server = dc-server.mydomain.com
    realm = MYDOMAIN.COM
    security = ads
    idmap config * : range = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = false

    #--authconfig--end-line--
    ;       workgroup = SAMBA
    ;       security = user

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

    /etc/nsswitch.conf:

    passwd:     files sss winbind
    shadow:     files sss winbind
    group:      files sss winbind
    #initgroups: files sss

    /etc/pam.d/sshd:

    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

    Any other configuration files will be added by request.

    Please assist.

    #15377
    Cato
    Participant

    Hello elad.azary,

    When you authenticate using SSH from terminal, is it Kerberos authentication or public-key authentication?

    If you used public-key authentication with the terminal SSH client so far, please try Kerberos authentication to check if it’s not just a Winbind configuration issue.

    #15383
    elad.azary
    Participant

    Hi Cato,

    Thank you for your reply.

    Yes, I managed to authenticate through ssh using Kerberos.

    If you are using NoMachine for the same use case can you please share your config files? I want to compare them with mine.

    Thanks,

    #15410
    Cato
    Participant

    Hello elad.azary,

    Make sure that you start nxplayer on the desktop of the user who currently owns a valid Kerberos ticket. You also need to enable Kerberos authentication in /usr/NX/etc/server.cfg on the NoMachine server host.

    You need to change:

    #EnableNXKerberosAuthentication 0

    to:

    EnableNXKerberosAuthentication 1

    If this doesn’t help, gather NoMachine server logs according to

    https://www.nomachine.com/DT07M00098#1

    and send them to forum[at]nomachine[dot]com.
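
The two conditions from the last reply can be checked before reconnecting. This is an added example, not part of the thread and not NoMachine code; the function names are hypothetical, and it assumes that the last uncommented occurrence of the key is the one the server uses and that `klist` is the MIT Kerberos client shipped with Red Hat.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NoMachine tooling).
# Usage after sourcing this file:
#   on the server:          nx_krb_setting /usr/NX/etc/server.cfg
#   on the client desktop:  nx_krb_ticket

# Print how EnableNXKerberosAuthentication is set in config file $1:
#   enabled | disabled | unset | invalid:<value> | unreadable
# A commented line such as "#EnableNXKerberosAuthentication 0" never matches,
# because its first field starts with '#', so it is reported as "unset".
# Assumption: if the key appears more than once, the last occurrence counts.
nx_krb_setting() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    val=$(awk '
        $1 == "EnableNXKerberosAuthentication" { v = $2 }
        END { print v }' "$cfg")
    case "$val" in
        1)  echo "enabled" ;;
        0)  echo "disabled" ;;
        "") echo "unset" ;;
        *)  echo "invalid:$val"; return 1 ;;
    esac
}

# Print whether the calling user holds a valid Kerberos ticket:
#   present | absent | no-klist
# "klist -s" produces no output and exits non-zero when the credentials
# cache is missing or expired, the state the server log in the first post
# reports as "Default kerberos ticket is absent".
nx_krb_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "no-klist"; return 2; }
    if klist -s; then
        echo "present"
    else
        echo "absent"
        return 1
    fi
}
```

Run `nx_krb_ticket` in the same desktop session that starts nxplayer, since the ticket cache belongs to that user's session.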

This topic was marked as solved, you can't post.