Authentication failing with server configured for LDAP


  • #6280
    sethgali
    Participant

    I’m trying to test v. 4.4.6 (free) on Ubuntu 14.04, both server and client. The package installs with no errors and the service starts and is listening on port 4000. When I try to connect, I don’t get any auth errors in the client, but I never get a remote desktop session, only a black screen. It never times out, it just sits there until I exit the client. On the server, here are some excerpts from relevant logs:

    /usr/NX/var/log/nxserver.log:

    2015-02-12 14:09:42 689.105 13047 NXSERVER User ‘testacct’ logged in from ‘<clientip>’.

    /usr/NX/var/log/nxerror.log:

    Info: Handler started with pid 13047 on Thu Feb 12 14:09:36 2015.
    Info: Handling connection from <clientip> port 40851 on Thu Feb 12 14:09:36 2015.
    Info: Connection from <clientip> port 40851 closed on Thu Feb 12 14:09:43 2015.
    Info: Handler with pid 13047 terminated on Thu Feb 12 14:09:43 2015.

    /var/log/auth.log:

    Feb 12 14:09:42 avanti nxexec: pam_krb5(nx:auth): authentication failure; logname=testacct uid=126 euid=0 tty= ruser= rhost=
    Feb 12 14:09:42 avanti nxexec: pam_krb5(nx:auth): authentication failure; logname=testacct uid=126 euid=0 tty= ruser= rhost=
    Feb 12 14:09:42 avanti nxexec: pam_unix(nx:auth): authentication failure; logname= uid=126 euid=0 tty= ruser= rhost=  user=testacct
    Feb 12 14:09:42 avanti nxexec: pam_unix(nx:session): session opened for user testacct by (uid=126)
    Feb 12 14:09:42 avanti nxexec: pam_ck_connector(nx:session): cannot determine display-device
    Feb 12 14:09:42 avanti nxexec: pam_unix(nx:session): session closed for user testacct

    In this case, uid 126 is for the local nx user account, not my testacct user. We already have LDAP+Kerberos auth against AD working correctly on the host, and have for several years now, so there is a breakdown in the auth stack with nx handing off to pam. Any suggestions on how to resolve this? I’ve been digging in documentation and forums and have yet to find anything helpful related to my situation. The goal would be to allow any enterprise user to get a remote desktop to the desired host.

    Thanks.

    Seth

    #6307
    Cato
    Participant

    Hello sethgali,

    We need additional information to investigate the issue.
    Please enable debug logs in the pam_krb5 module.

    To do so:

    Find the file in which the pam_krb5.so module is explicitly included. The default NoMachine configuration resides in the ‘/etc/pam.d/nx’ file.
    It contains the ‘auth include su’ line, which means that the auth stack is taken from the su command configuration. The su configuration
    most likely includes stacks from other files, so you need to follow the ‘include’ instructions until you find the entry:

    ‘auth <control flag> pam_krb5.so <options>’

    Add ‘debug’ as the last option.

    Set the log levels to 7 in the NoMachine server, according to the instructions: https://www.nomachine.com/AR07K00677.
    Reproduce the issue, gather the NoMachine server-side logs, as well as the system log file to which pam_krb5 writes (should be auth.log),
    and send them to forum[at]nomachine[dot]com referencing your topic.

    #6318
    sethgali
    Participant

    Thank you for your response. I was finally able to resolve this by editing /etc/pam.d/nx and replacing its contents with @include lines that would bring in my existing working fragment files. I thought I had tried this the other day, but I must not have gotten it quite right. I am now able to authenticate to the nxserver service and get a desktop after that.
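The search for the pam_krb5.so entry described in the second post, and the @include-based fix in the last one, both come down to which files the nx service's auth stack actually pulls in. As an added example (not from the thread and not NoMachine code), this Python script follows `include`, `substack` and Debian-style `@include` directives starting at /etc/pam.d/nx and reports each pam_krb5.so auth entry and whether `debug` is set. The function names are hypothetical, and backslash line continuations are assumed not to be used.

```python
import os
import re

# <type> <control> <module> [arguments]; control is a word or a [bracketed list]
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve_stack(service, pam_type="auth", pam_dir="/etc/pam.d", _chain=()):
    """Return [(file, control, module, args)] for pam_type in evaluation order,
    following 'include', 'substack' and '@include' into other files."""
    path = os.path.join(pam_dir, service)
    if service in _chain or not os.path.isfile(path):
        return []                      # include loop or missing file
    chain = _chain + (service,)
    rules = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments
            if not line:
                continue
            if line.startswith("@include"):       # Debian/Ubuntu whole-file include
                rules += resolve_stack(line.split()[1], pam_type, pam_dir, chain)
                continue
            m = RULE.match(line)
            if not m or m.group(1) != pam_type:
                continue
            _, control, module, args = m.groups()
            if control in ("include", "substack"):
                rules += resolve_stack(module, pam_type, pam_dir, chain)
            else:
                rules.append((path, control, module, args.split()))
    return rules

def krb5_debug_report(service="nx", pam_dir="/etc/pam.d"):
    """List (file, control, debug_enabled) for every pam_krb5.so auth entry."""
    return [(f, ctl, "debug" in args)
            for f, ctl, mod, args in resolve_stack(service, "auth", pam_dir)
            if os.path.basename(mod) == "pam_krb5.so"]

if __name__ == "__main__":
    for f, ctl, mod, args in resolve_stack("nx"):
        print(f"{f}: {ctl} {mod} {' '.join(args)}")
    for f, ctl, dbg in krb5_debug_report():
        print(f"pam_krb5.so in {f}: debug {'on' if dbg else 'MISSING'}")
```

Running it before and after editing /etc/pam.d/nx shows whether pam_krb5.so is reached through the service's auth stack at all, and in which file the `debug` option has to be added.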

This topic was marked as solved.