"Authentication failed" connecting to v6.4.6 on Ubuntu 18.04.2 LTS

[dhfrx]

I installed 6.4.6 on a Linux box running Ubuntu 18.04.2 LTS. When attempting from two other systems to log in to a connection, I get “Authentication failed; please try again.” Both the other systems (one Win10, one Linux Mint 17.2) are running 6.4.6 also.

I looked in the logs and found “Authentication failed with error 6.” Searching on this led me to a forum entry from March 6,2014 opened by Maccas. This mentioned the  /etc/pam.d/nx  file; I looked at mine (on the Ubuntu 18.04 box) and saw
auth       include       su
account    include       su
password   include       su
session    include       su

Following a suggestion in the Maccas post thread, I tried replacing this with

auth       include       system-auth
account    include       system-auth
password   include       system-auth
session    include       system-auth

which had no effect.

Following the procedure in  https://www.nomachine.com/DT10O00163  I gathered the logs – see attached. Any assistance will be appreciated.

 

Attachments:

1. NoMachine-log.tar.gz

[Cato]

Hello dhfrx,

Is your Ubuntu host part of Active Directory domain? If that’s the case, you are most likely experiencing the problem with AD Group Policy described here:

https://www.nomachine.com/AR12P01007

If that’s not the case, please check system authentication log (/var/log/auth.log) for entries referencing nxexec. Could you post auth log messages added during failed authentication attempt? You can also send them to forum[at]nomachine[dot]com.

[dhfrx]

Tried a new authentication event, then checked  /var/log/auth.log  and found the line

Feb 20 16:32:07 JN561T2 nxexec: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

In  /usr/NX/var/log/nxerror.log  for the same timestamp I found:

Info: Handler started with pid 2695 on Wed Feb 20 16:31:58 2019.
Info: Handling connection from 10.14.232.108 port 61193 on Wed Feb 20 16:31:58 2019.
2714 2714 16:32:07 579 nxexecPAMCheckCredentials: ERROR!Authentication failed with error 6.
Info: Connection from 10.14.232.108 port 61193 closed on Wed Feb 20 16:32:07 2019.
Info: Handler with pid 2695 terminated on Wed Feb 20 16:32:07 2019.

When I entered “ls -l /etc/pam.d/system-auth” I got

ls: cannot access ‘/etc/pam.d/system-auth’: No such file or directory

Repeating the command with sudo gave the same response.

Hope this is helpful.    – dhfrx

 

 

[Cato]

Hello dhfrx,

Please, run this command from terminal as root user:

cp /etc/pam.d/sshd /etc/pam.d/nx

Reproduce the problem and check again auth.log for nxexec entries.

[dhfrx]

Ran the  cp  command with sudo, tried again to connect from the Win10 machine, found the following in auth.log:

Feb 21 17:51:10 JN561T2 nxexec: pam_unix(nx:auth): authentication failure; logname= uid=127 euid=0 tty= ruser= rhost=  user=dfriedman
Feb 21 17:51:10 JN561T2 nxexec: pam_sss(nx:auth): authentication success; logname= uid=127 euid=0 tty= ruser= rhost= user=dfriedman
Feb 21 17:51:10 JN561T2 nxexec: pam_sss(nx:account): Access denied for user dfriedman: 6 (Permission denied)
Feb 21 17:51:10 JN561T2 nxexec: pam_unix(nx:session): session opened for user dfriedman by (uid=127)
Feb 21 17:51:10 JN561T2 nxexec: pam_unix(nx:session): session closed for user dfriedman

Hope this helps; thanks for your efforts so far.   – dhfrx

 

[Cato]

Hello dhfrx,

So now we can see that the problem is ‘access denied’ from pam_sss.
Please apply the instructions from:

https://www.nomachine.com/AR12P01007

and see if this helps.

[dhfrx]

Edited  /etc/sssd/sssd.conf  to add the  “ad_gpo_map_network = +nx”  line to the  [sssd}  section (hope this is correct).

Tried connecting to NoMachine from the Win10 box. Still get “Authentication failed.” Looked at  /var/log/auth.log  and found

Feb 22 10:24:44 JN561T2 nxexec: pam_unix(nx:auth): authentication failure; logname= uid=127 euid=0 tty= ruser= rhost=  user=dfriedman
Feb 22 10:24:44 JN561T2 nxexec: pam_sss(nx:auth): authentication success; logname= uid=127 euid=0 tty= ruser= rhost= user=dfriedman
Feb 22 10:24:44 JN561T2 nxexec: pam_sss(nx:account): Access denied for user dfriedman: 6 (Permission denied)
Feb 22 10:24:44 JN561T2 nxexec: pam_unix(nx:session): session opened for user dfriedman by (uid=127)
Feb 22 10:24:44 JN561T2 nxexec: pam_unix(nx:session): session closed for user dfriedman

Tried adding the  “ad_gpo_map_network = +nx”  command to the  [domain/  ]  section of   /etc/sssd/sssd.conf  as well;

still get “Authentication failed.” – /var/log/auth.log  again has

Feb 22 10:36:34 JN561T2 nxexec: pam_unix(nx:auth): authentication failure; logname= uid=127 euid=0 tty= ruser= rhost=  user=dfriedman
Feb 22 10:36:34 JN561T2 nxexec: pam_sss(nx:auth): authentication success; logname= uid=127 euid=0 tty= ruser= rhost= user=dfriedman
Feb 22 10:36:34 JN561T2 nxexec: pam_sss(nx:account): Access denied for user dfriedman: 6 (Permission denied)
Feb 22 10:36:34 JN561T2 nxexec: pam_unix(nx:session): session opened for user dfriedman by (uid=127)
Feb 22 10:36:34 JN561T2 nxexec: pam_unix(nx:session): session closed for user dfriedman

Below is a copy of the edited  sssd.conf  file (slightly redacted to remove domain identification):

[sssd]
domains = ####
config_file_version = 2
services = nss, pam
override_storage = _
ad_gpo_map_network = +nx

[domain/####]
ad_domain = ####
krb5_realm = ####
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ad_gpo_map_network = +nx

 

Thanks again for your patience. Please note that I will be away from this setup until March 1.   – dhfrx

[dhfrx]

I’m back. What additional suggestions can anyone offer?

 

[Cato]

Hello dhfrx,

Can you connect to the NoMachine server host using terminal ssh client? Is it possible to establish ssh session for user experiencing the problem with NX? From information gathered so far, it appears that the host is part of the domain. What exact technology do you use? Is it Windows AD, LDAP server or something else? If this is Windows AD, did you make sure that domain group policy settings like, NetworkLogonRight are properly set in domain controller? Does the problem affect all domain users or just this one specific user?

[dhfrx]

Yes, I am able to ssh into the NoMachine server box. Is this helpful? As for what domain technology is used here, I don’t know but I can try to find out.

[dhfrx]

Well, surprise! I updated NX on the Ubuntu server box to 6.5.6 and was able to connect from the client. Go figure. So that solves my problem. Thanks for the suggestions – if it happens again, I’ll have some ideas on where to look.   – dhfrx

[Britgirl]

Great news! Thanks for letting us know 🙂

[Author]

Posts