Forum Replies Created
-
AuthorPosts
-
CatoParticipant
Hello Gatos,
Please make sure to enable use of the ‘native’ SSH client in player.cfg as described here:
https://www.nomachine.com/AR09L00813
You also need to provide the port on which the OpenSSH Windows server is listening during connection creation (not nxsshd). When both of the above conditions are met, the NoMachine connection works the same as if you used the ‘ssh -i <path_to_private_key> <user_name>@<server>’ command from the client’s terminal.
We checked two authentication scenarios: one in which the CA’s public key is stored in the file specified by the TrustedCAKeys setting from sshd_config and one in which it’s stored as a cert-authority entry in the user’s authorized_keys file in the <user_home>/.ssh directory. Both of these scenarios worked fine for ed25519 keys. If your user is a member of the Administrators group, his authorized_keys file should reside in the path specified by AuthorizedKeysFile under the ‘Match Group administrators’ section of sshd_config.
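The two CA trust scenarios from this reply can be located on a server with a small audit script. This is an added example, not part of the original post or of NoMachine's code; it assumes the OpenSSH directive name TrustedUserCAKeys, and the sample sshd_config, the authorized_keys content and the principal alice are constructed.

```shell
#!/bin/sh
# Added example: report where an OpenSSH server trusts a user-certificate CA.

# Print "keyword|context|value" for every TrustedUserCAKeys and
# AuthorizedKeysFile directive; context is "global" or the enclosing Match line.
ca_trust_points() {
    awk 'BEGIN { ctx = "global" }
         $1 ~ /^#/ || NF == 0 { next }
         tolower($1) == "match" { sub(/^[ \t]+/, ""); ctx = $0; next }
         tolower($1) == "trustedusercakeys" || tolower($1) == "authorizedkeysfile" {
             v = $2; for (i = 3; i <= NF; i++) v = v " " $i
             print $1 "|" ctx "|" v
         }' "$1"
}

# Print the key type of each cert-authority entry in an authorized_keys file.
# Options precede the key type, so the key type field is located first.
cert_authority_entries() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         {
             for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) break
             if (i > NF) next
             opts = ""
             for (j = 1; j < i; j++) opts = opts "," $j
             if (opts ~ /,cert-authority(,|$)/) print $i
         }' "$1"
}

# Constructed sample files covering both scenarios (key material is placeholder).
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
# scenario 1: CA trusted for every account
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedKeysFile .ssh/authorized_keys
Match Group administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
EOF
    cat > "$1/authorized_keys" <<'EOF'
# scenario 2: CA trusted for this account only
cert-authority,principals="alice" ssh-ed25519 AAAAC3PLACEHOLDERCA user-ca
ssh-ed25519 AAAAC3PLACEHOLDERKEY ordinary-key
EOF
}

d=$(mktemp -d) && make_samples "$d"
ca_trust_points "$d/sshd_config"
cert_authority_entries "$d/authorized_keys"
rm -rf "$d"
```

The Match context in the output shows which authorized_keys path applies to which group, which is where a cert-authority entry has to live for members of that group.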
CatoParticipant
Hello Gatos,
NoMachine currently doesn’t support authentication based on signed certificates for the NX protocol. Support of this feature will be added in the future with implementation of this FR:
https://www.nomachine.com/FR02L02810
You can use the SSH protocol instead. On Windows this will additionally require installation and configuration of the Windows OpenSSH server. It seems that currently it’s only available on Windows 10.
Instructions for OpenSSH server and client installation and configuration:
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration
Configuring CA certificates is almost exactly the same as on Linux; just remember to use ed25519 key types for authentication, those are supported on Windows.
On the client side you need to enable usage of the native SSH client by NoMachine Player:
https://www.nomachine.com/AR09L00813
Choose the SSH protocol with a private key or authentication agent when creating the connection in NoMachine Player. Authentication with a private key paired with a signed certificate should work fine.
CatoParticipant
Hello munsen70,
Please check permissions on the nxexec file in the <NoMachine_install_dir>/bin directory. Proper permissions should look like this:
-r-sr-xr-x 1 root root
If the ‘s’ permission is missing you can fix this by running ‘chmod u+s nxexec’ from a terminal as the root user.
If permissions are correct and the problem persists, see what’s logged inside /var/log/secure or /var/log/messages after a failed authentication attempt.
You can also try reusing sshd’s PAM configuration with the NX protocol. To do so, run the following commands in a terminal:
sudo cp /etc/pam.d/nx /etc/pam.d/nx.ori
sudo cp /etc/pam.d/sshd /etc/pam.d/nx
CatoParticipant
Hello jowski,
For some reason permissions on your nxexec binary are incorrect. To fix the issue you need to run ‘chmod u+s nxexec’ from a terminal, inside the NoMachine\bin directory, as root. Proper permissions look like this:
-r-sr-xr-x 1 root root
CatoParticipant
Hello jowski,
What’s the output of the ‘ls -la nxexec’ command executed in a terminal in the bin subdirectory of the NoMachine installation directory?
CatoParticipant
Hello palmersu,
NoMachine doesn’t currently support two-factor authentication to Windows machines. We suggest using public-key authentication which provides better security than password auth. This article describes how to set it up:
CatoParticipant
Hello munsen70,
Can you show us the output of the following command run in a terminal on the affected machine:
stat /Applications/NoMachine.app/Contents/Frameworks/bin/nxexec
You can also try to reuse the SSH PAM configuration with the NX protocol.
To do so, run as root in a terminal:
cp /etc/pam.d/nx /etc/pam.d/nx.bak
cp /etc/pam.d/sshd /etc/pam.d/nx
Does it solve the issue?
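The nxexec permission checks discussed in the replies above, as an added example that is not part of the original posts or of NoMachine's code. The function names are hypothetical and the sample mode strings are constructed; besides a missing setuid bit it also flags a non-root owner and group or world write access, neither of which appears in the quoted -r-sr-xr-x root mode.

```shell
#!/bin/sh
# Added example: check a helper binary against the mode quoted in the posts
# (-r-sr-xr-x, owner root). `ls -ln` is parsed because stat(1) options differ
# between Linux and macOS.

# Classify an ls-style mode string plus numeric owner uid.
# Prints the findings separated by spaces, or "ok" when there are none.
classify_mode() {
    mode=$1; uid=$2; findings=""
    case $(printf '%s' "$mode" | cut -c4) in
        s) ;;                                  # setuid and owner-execute both set
        S) findings="setuid-without-exec" ;;
        *) findings="setuid-missing" ;;
    esac
    [ "$uid" = "0" ] || findings="$findings owner-not-root"
    case $(printf '%s' "$mode" | cut -c6,9) in
        *w*) findings="$findings group-or-world-writable" ;;
    esac
    findings=${findings# }                     # drop a leading space, if any
    echo "${findings:-ok}"
}

# Run the classification on a real file.
check_setuid_root() {
    [ -f "$1" ] || { echo "not-found"; return 1; }
    classify_mode $(ls -ln "$1" | awk '{ print $1, $3 }')
}

# Constructed inputs: the expected mode, the mode after the setuid bit was lost,
# and a binary that is setuid but owned by an ordinary, group-writable account.
classify_mode "-r-sr-xr-x" 0
classify_mode "-r-xr-xr-x" 0
classify_mode "-rwsrwxr-x" 501
```

On a real host, pass the nxexec path from the relevant post to check_setuid_root.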
CatoParticipant
Hello cngc,
May you please answer the following questions?
1) Do you use dynamic mounting of user’s home directory?
2) If yes, can you share some details about your configuration?
3) Do you use pam_mount or perhaps AFS?
4) Does the problem occur when SELinux is disabled?
5) Does the problem occur when you’re physically logged in on the account of the problematic user on the server host?
6) To rule out possible problems with domain accounts binding, please execute in a terminal on the server host:
id <user_name>
Does it correctly report local ID for user, user’s primary group and all supplementary groups of user, including domain groups?
August 30, 2019 at 15:48 in reply to: How to implement LDAP Authentication on a Linux machine? #23475
CatoParticipant
Hello Thonno,
NoMachine does not make a distinction between domain and local users during the authentication process. If you want to perform authentication against an LDAP server your system needs to be configured properly. These two articles describe how to set up an OpenLDAP server and configure a client machine for LDAP authentication.
https://www.howtoforge.com/linux_ldap_authentication
https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
It’s also possible to integrate Linux with a Windows AD domain. Winbind and sssd are examples of technologies you can use to achieve that.
CatoParticipant
Hello bpowell,
Logs indicate that there’s a problem with obtaining the security context of user nx. This might be related to an incorrectly installed nxlsa module.
To reinstall nxlsa module:
1. Start cmd as Administrator.
2. Change directory to the bin subdirectory of the NoMachine installation directory:
cd <path_to_nomachine_installation>\bin
3. Execute:
nxservice64.exe --uninstall nxlsa
4. Restart Windows.
5. Repeat points 1. and 2.
6. Execute:
nxservice64.exe --install nxlsa
7. Restart Windows.
Alternatively you can simply uninstall NoMachine, perform a restart, install NoMachine and restart Windows again.
Let us know if you still experience the issue.
CatoParticipant
Hello allywilson,
Please make sure that the local account mapping is correctly configured. Specifically, you should look into primary user’s group mapping: “domain users@our.domain” looks strange. It appears that user’s process doesn’t have rights to modify permissions on the directory it created.
What’s the output of the ‘id <user_name>’ command? Does it correctly report the local ID for the user, the user’s primary group and all supplementary groups of the user, including domain groups?
CatoParticipant
Hello Jim,
It’s not necessary for your workstation to be running a Kerberos server. It’s only required that the NoMachine client host and the NoMachine server host are properly configured members of the same, already existing, Kerberos realm. Make sure that NoMachine player has access to a valid Kerberos ticket and that Kerberos authentication is enabled in server.cfg on the NoMachine server host.
CatoParticipantHello x8009,
We reproduced the issue with slow Windows reboot and created the TR:
https://www.nomachine.com/TR03Q09214
We’re also keen to fix it 🙂 We’re currently investigating how much faster we can make NoMachine services respond to the Windows preshutdown event.
CatoParticipantHello neal,
NoMachine’s key authentication can’t be used for domain accounts. This limitation comes from the fact that it’s not possible to create domain user’s security context inside LSA (Local Security Authority) module. The alternative which you could use is Kerberos authentication method. However, this can only work if your client machine is part of the domain. We hope to add support for fingerprint authentication on Windows 10 later this year.
CatoParticipantHello ebrandsberg,
Please execute the md5 command on the private key files on both client NoMachine hosts and make sure that the results are exactly the same. With the release of version 7.8p1-1, OpenSSH introduced a new private key format (which is not currently compatible with NoMachine). We have opened a Trouble Report, which you can see here and it includes a workaround.
https://www.nomachine.com/TR02Q09140
What’s the header of the private key on your Mojave host? On which host did you generate the key pair?