Forum / NoMachine for Linux / Authentication failing with server configured for LDAP
- This topic has 2 replies, 2 voices, and was last updated 9 years, 10 months ago by sethgali.
-
AuthorPosts
-
February 13, 2015 at 09:15 #6280sethgaliParticipant
I’m trying to test v. 4.4.6 (free) on Ubuntu 14.04, both server and client. The package installs with no errors and the service starts and is listening on port 4000. When I try to connect, I don’t get any auth errors in the client, but I never get a remote desktop session, only a black screen. It never times out, it just sits there until I exit the client. On the server, here are some excerpts from relevant logs:
/usr/NX/var/log/nxserver.log:
2015-02-12 14:09:42 689.105 13047 NXSERVER User ‘testacct’ logged in from ‘<clientip>’.
/usr/NX/var/log/nxerror.log:
Info: Handler started with pid 13047 on Thu Feb 12 14:09:36 2015.
Info: Handling connection from <clientip> port 40851 on Thu Feb 12 14:09:36 2015.
Info: Connection from <clientip> port 40851 closed on Thu Feb 12 14:09:43 2015.
Info: Handler with pid 13047 terminated on Thu Feb 12 14:09:43 2015./var/log/auth.log:
Feb 12 14:09:42 avanti nxexec: pam_krb5(nx:auth): authentication failure; logname=testacct uid=126 euid=0 tty= ruser= rhost=
Feb 12 14:09:42 avanti nxexec: pam_krb5(nx:auth): authentication failure; logname=testacct uid=126 euid=0 tty= ruser= rhost=
Feb 12 14:09:42 avanti nxexec: pam_unix(nx:auth): authentication failure; logname= uid=126 euid=0 tty= ruser= rhost= user=testacct
Feb 12 14:09:42 avanti nxexec: pam_unix(nx:session): session opened for user testacct by (uid=126)
Feb 12 14:09:42 avanti nxexec: pam_ck_connector(nx:session): cannot determine display-device
Feb 12 14:09:42 avanti nxexec: pam_unix(nx:session): session closed for user testacctIn this case, uid 126 is for the local nx user account, not my testacct user. We already have LDAP+Kerberos auth against AD working correctly on the host, and have for several years now, so there is a breakdown in the auth stack with nx handing off to pam. Any suggestions on how to resolve this? I’ve been digging in documentation and forums and have yet to find anything helpful related to my situation. The goal would be to allow any enterprise user to get a remote desktop to the desired host.
Thanks.
Seth
February 17, 2015 at 10:22 #6307CatoParticipantHello sethgali,
we need additional information to investigate the issue.
Please, enable debug logs in pam_krb5 module.To do so:
Find file in which pam_krb5.so module is explicitly included. Default NoMachine configuration resides in ‘/etc/pam.d/nx’ file.
It contains ‘auth include su’ line, which means that auth stack is taken from su command configuration. Su configuration
most likely includes stacks from other files, so you need to follow ‘include’ instructions until you find the entry:‘auth <control flag> pam_krb5.so <options>’
Add ‘debug’ as the last option.
Set the log levels to 7 in NoMachine server, according to instructions: https://www.nomachine.com/AR07K00677.
Reproduce the issue, gather NoMachine server-side logs, as well as system log file to which pam_krb5 writes (should be auth.log),
and send them to forum[at]nomachine[dot]com referencing your topic.February 18, 2015 at 13:33 #6318sethgaliParticipantThank you for your response. I was finally able to resolve this by editing /etc/pam.d/nx and replacing its contents with @include lines that would bring in my existing working fragment files. I thought I had tried this the other day, but I must not have gotten it quite right. I am now able to authenticate to the nxserver service and get a desktop after that.
-
AuthorPosts
This topic was marked as solved, you can't post.