Cato

[Cato]

Hi jonbelanger,

The direct reason of authentication failure is crash of nxexec process. Can you send us the crash report?
You should find it in ‘/Library/Logs/CrashReporter’.

[Cato]

Hello jonbelanger,

Please, answer the following questions:

1. Could you authenticate with the same account on troublesome host using previous NoMachine versions? If so, which version worked for you?

2. Are you using NX or SSH protocol? Does changing the protocol help?

3. Can you authenticate on El Captain server using other account?

4. Can you authenticate on El Captain host using other SSH client?

Logs will be also helpful. Reproduce the problem and gather logs according to https://www.nomachine.com/DT07M00098. Send them to forum[at]nomachine[dot]com.

[Cato]

Hello yakmo,

For some reasons nxnode process is unable to create ‘/usr/NX/var/run/nxdevice’ directory. I would like to see output of ‘stat /usr/NX/var/run’ command. Error during connection might be in some way related to ‘pam_mount’. Presence of such module in your PAM configuration suggests that there’re some dynamically mounted volumes in use. Can you describe your setup in more details? Do you use anything like Kerberos, AFS, NFS, LDAP? In addition to that, send us full set of server host logs, and not just nxserver.log.

[Cato]

Hi yakmo,

Check out this article about how Pluggable Authentication Modules (PAM) work:
http://www.tuxradar.com/content/how-pam-works.

These are step by step instructions of how to disable pam_mount for NX protocol. Module and file names used in this instruction are just an example, and might be different in your configuration.

Open ‘/etc/pam.d/nx’ file. Look for lines containing ‘session’ word.
This is default content of ‘/etc/pam.d/nx’ file:

auth       include       su
account    include       su
password   include       su
session    include       su

‘session include su’ means that modules list for session stack resides in ‘/etc/pam.d/su’ file. So let’s check content of ‘/etc/pam.d/su’. This is the interesting part of file:

session    optional   pam_mail.so nopen
session    required   pam_limits.so

@include common-auth
@include common-account
@include common-session

There are two pam modules listed here, and include directives pointing at common-auth, common-account and common-session files. Syntax is different here, it means that whole files are included instead of just session stack. Putting this all together, list of modules of session stack for NX protocol consists of pam_mail, pam_limits and all modules for session stack listed in common-auth, common-account and common-session. So we can replace

‘session include su’ in ‘/etc/pamd/nx’ file with:

session  optional  pam_mail.so   nopen
session  required  pam_limits.so

This is the first part of explicit list of session modules. The rest is still in common-auth, common-account and common-session files. We need to inspect them in the same way we checked ‘su’ file and copy lines with session modules to ‘/etc/pam.d/nx’, so it can resemble this:

auth    include       su
account include       su
session optional      pam_mail.so   nopen
session required      pam_limits.so
session [default=1]   pam_permit.so
session required      pam_mount.so
session requisite     pam_deny.so

Now you can remove the ‘session required pam_mount.so’ line or, following bakhtadze’s advice, modify it to:
‘session optional pam_mount.so disable_interactive’.

• This reply was modified 8 years, 10 months ago by Cato.

[Cato]

Hello yakmo,

Logs suggest that failure during session opening in pam_mount occurs. We’re currently investigating this issue. To possibly allow you to use NoMachine server, you can try to disable pam_mount in your pam configuration. These are the instructions:

Create backup of ‘/etc/pam.d/nx’ file and edit it’s content. Replace possible ‘include’ directive in session stack with explicit modules list. E.g. let’s assume this is content of your nx pam configuration:

auth         include       su
account    include       su
password  include       su
session      include       su

‘Include’ between ‘session’ and ‘su’ means that list of pam modules for session stack is imported from ‘/etc/pam.d/su’ file. It is possible that it contains ‘include’ too, in such case we need to follow them too until we find all pam modules names loaded during nx session startup. When you have such list in ‘/etc/pam.d/nx’ file, simply remove pam_mount entry.

[Cato]

Hello jgaalmeida,

NoMachine curently doesn’t support domain users log-in when there’s no active connection to domain controller. We’re currently working on enabling log-in based on local domain cache. You wrote that you’ve never been able to establish connection to your host using NoMachine, I assume that you tried when connection to Active Directory server was established too.

I recommend that you upgrade your NoMachine installation to the latest version. This might not fix your issue, but we will make sure that other already solved problems are gone. Next reproduce the problem when connected to domain controller, check also if similar problem occurs when local account is in use. After all send us new set of logs.

Replying to your question, location of user’s profile has no influence on obtaining user’s Security Identifier, access to DC is what matters.

• This reply was modified 9 years ago by Cato.

[Cato]

Hello KeddeX,

Answers to following questions might help us to solve your problem:

1. Is your Windows host part of Windows domain?
2. Are you logged on administrator account when you’re trying to disable NoMachine services?
3. Are you providing credentials of user who is currently logged to Windows desktop?

In addition, please gather client and server logs from affected host using manual from https://www.nomachine.com/AR10K00697.
You can send them to forum[at]nomachine[dot]com.

• This reply was modified 9 years, 1 month ago by Cato.

[Cato]

Hello alaios,

Please, reproduce the issue and gather both client and server logs according to instrunctions from https://www.nomachine.com/AR07K00677.
Send them to forum[at]nomachine[dot]com.

[Cato]

Hello noxav,

Please gather server and client logs, after authentication failure, using instructions from https://www.nomachine.com/AR07K00677 and send them to forum[at]nomachine[dot]com.

[Cato]

Hello Craig,

Make sure that you’re using credentials of current desktop owner. If you want to use domain administrator credentials, you need to log-on to Windows desktop as domain administrator and than authenticate in nxclient’s GUI, if you want to use local administrator credentials, you need to log-on as local administrator. Furthermore, it is not allowed to use blank password account. These constraints won’t be present in NoMachine 5 any more, which uses native Windows behaviour during nxclient’s authentication (if your system allows blank password auth, so will nxclient, the same applies to using credentials of other administrator).

If your problem is different, check these two threads describing similar issues:

https://www.nomachine.com/forums/topic/admin-changes
https://www.nomachine.com/forums/topic/windows7-to-windows7-authentication-issue,

If you still can’t find anything useful, please gather server and client logs using instructions from https://www.nomachine.com/AR07K00677 and send them to forum[at]nomachine[dot]com.

[Cato]

Hello ammar,

Logs indicate that Windows does not recognise account, you’re trying to use during NoMachine connection.

There are two possible reasons of such behaviour which are known to me:

1. You changed your account name and you’re trying to use new username.
Check this thread: https://www.nomachine.com/forums/topic/admin-changes for reference.

2. You’re trying to use domain account.
If this is the case, you need to provide username in one of two following formats:
‘<username>@<domainname>’, or ‘<domainname>\<username>’.

If you’re 100% sure that none of these applies to you, and you use administrator account for connection, do the following:

1. Physically log on Windows account you’re trying to use for NoMachine connection.

2. Click on grey NoMachine icon in toolbar. Select ‘Show the server status’, click on ‘Server preferences’.

3. Click on small padlock icon in the bottom left corner.

4. Provide the same credentials you’re using for NoMachine connection.

Let me know, if you’re able to unlock the padlock. List of processes you sent looks ok, however, these are instructions to properly restart nxserver:

1. Open command line as administrator. Open Windows ‘Start’ menu, type ‘cmd’ in search box, click right mouse button on ‘cmd’ icon,
click on ‘Run as administrator’.

2. Enter bin subdirectory of NoMachine installation dir: ‘cd <path_to_NoMachine_installation_dir>\bin’. Run ‘nxserver –restart’ command.

[Cato]

Hello ammar,

I would like to see more detailed list of NoMachine processes.
In Task Manager click on ‘View’, choose ‘Select columns’ and check ‘Command line’ option. Take screenshot of the list of processes as you did before, including content of ‘Command line’ column. Gather the logs following this guide: https://www.nomachine.com/AR07K00677.
Next, please restart nxserver. If the problem persists, gather the logs again. Send logs and list of processes to forum[at]nomachine[dot]com even if the problem is gone after restart.

• This reply was modified 9 years, 7 months ago by Cato.
• This reply was modified 9 years, 7 months ago by Britgirl.
• This reply was modified 9 years, 7 months ago by Britgirl.
• This reply was modified 4 years, 11 months ago by Britgirl.

[Cato]

Hello,

currently NoMachine virtual sessions don’t support pam_gnome_keyring functionality.
We’ll evaluate whether it’s possible to add support for it, but at a glance it would mean making architectural changes, which means adding such a feature isn’t as easy as it looks.

[Cato]

Hello PegasusRider,

Changing account name in Control Panel has only cosmetic effect, exactly as you noticed. Windows internally identifies users with Security
Identifiers, and SID of your user is still mapped to old username. It seems that there’s way of remapping it to the new one. Please, be aware that this solution wasn’t thoroughly tested, and might cause unexpected behaviour in the future.

1. Click on Start \ Run, type in ‘netplwiz’ and press ‘Enter’.
2. In the list of users, select username you want to modify (your old username should be there).
3. Select properties.
4. Modify ‘Username’ field and click on ‘Apply’ button.

You will have to log out and log in, for changes to take effect.
NoMachine authentication should work fine, with new name after changes.

[Cato]

Hello sethgali,

we need additional information to investigate the issue.
Please, enable debug logs in pam_krb5 module.

To do so:

Find file in which pam_krb5.so module is explicitly included. Default NoMachine configuration resides in ‘/etc/pam.d/nx’ file.
It contains ‘auth include su’ line, which means that auth stack is taken from su command configuration. Su configuration
most likely includes stacks from other files, so you need to follow ‘include’ instructions until you find the entry:

‘auth <control flag> pam_krb5.so <options>’

Add ‘debug’ as the last option.

Set the log levels to 7 in NoMachine server, according to instructions: https://www.nomachine.com/AR07K00677.
Reproduce the issue, gather NoMachine server-side logs, as well as system log file to which pam_krb5 writes (should be auth.log),
and send them to forum[at]nomachine[dot]com referencing your topic.

[Author]

Posts