Forum Replies Created
-
AuthorPosts
-
Cato (Participant)
Hello,
We understood the problem and are working on a proper solution. Thank you for your cooperation. The fix will be officially released before Christmas. Perhaps you’re interested in trying out test packages in the meantime?
Cato (Participant)
Hello basd,
It seems that the nxservice64.exe process might be missing some privileges.
To verify this:
1. Download and install Process Explorer from:
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
2. Start Process Explorer as Administrator.
3. Right-click on nxservice64.exe process, select Properties, and go to Security tab.
4. In the lower pane you should now see privileges held by process.
Please provide us the list of privileges with Flags Disabled.
Cato (Participant)
Hello dav36rye,
The number of open handles of the lsass.exe process, which you attached to your previous reply, is pretty big. This may be due to a handle leak, which might be caused by some of the custom authentication packages installed on your host. Is there anything specific about your setup which could affect the authentication process and the behavior of the lsass.exe process? Can you check the number of open handles of lsass.exe shortly after an OS reboot? Does this number grow over time? If so, could you estimate the rate of growth over time?
Cato (Participant)
Hello bigtractor,
We experienced similar behaviour when AppArmor blocked access to the ‘/proc/’ directory of the container. A possible solution is described in the TROUBLESHOOTING section of the following article: https://www.nomachine.com/DT08M00100&dn=docker.
Cato (Participant)
Hello yakmo,
What is your current Linux version? Can you send us logs from server host?
https://www.nomachine.com/DT07M00098
Send them to forum[at]nomachine[dot]com.
Cato (Participant)
Hello stshadow,
The problem with dynamically mounted home directories and key authentication is that the keys are placed inside the home directory, which is not mounted yet, so authentication can’t be completed. The workaround could be to configure automount so that the home directory is mounted on the first access attempt. We are also working on allowing keys path configuration to allow key storage outside the home directory: https://www.nomachine.com/FR07N03139.
Cato (Participant)
Hello stshadow,
I noticed that the UID of your user is unusually high: 1112939. Is your system part of Kerberos, LDAP or Active Directory? Does it perhaps use dynamic mounting of users’ home directories (like AFS or NFS)?
Cato (Participant)
Hello stshadow,
Can you please show us the output of the following commands?
test -f /home/username/.nx/config/authorized.crt && echo "YES" || echo "NO";
test -f /home/username/.nx/config/authorized.crt && echo "YES" || echo "NO";
stat /home/username/.nx/config/authorized.crt;
Cato (Participant)
Hello al,
In order to limit access to a given workstation, open the ‘Active Directory Users and Computers’ administrative tool on your Windows Server. You can operate on user groups or individual user accounts:
Limiting access for individual account:
Right click on user account and go to ‘Properties’. Choose ‘Account’ tab. Click on ‘Log On To’ button. Check ‘The following computers’ field and enter the list of workstations you want user to be able to log on.
Limiting access for group of users:
In ‘Active Directory Users and Computers’ right click on domain name, go to ‘New’ and choose ‘Group’. Provide name for new group.
Right click on newly created group, go to ‘Properties’. Choose ‘Members’ tab, click on ‘Add’ and enter the names of accounts you want to manage.
Now you need to go to your workstation and open ‘Local Group Policy Editor’. Click on ‘Computer Configuration’ -> ‘Windows Settings’ -> ‘Security Settings’ -> ‘Local Policies’ -> ‘User Rights Assignment’. This should open the list of security settings.
If you want to prevent access to this workstation you need to add the group you just created to the ‘Deny access to this computer from network’ and ‘Deny log on locally’ security settings. You can also set ‘Access this computer from network’ and ‘Allow log on locally’ to limit access to the workstation only to some user accounts and groups. Remember that ‘Deny …’ settings have priority in case of contradicting rules.
Cato (Participant)
Hello christphe,
It seems that newly created nxserver process can’t load all necessary dependencies. This can be verified using Process Monitor.
Follow these instructions:
1. Download and install Process Monitor from this site:
https://technet.microsoft.com/pl-pl/sysinternals/processmonitor
2. Shut down or kill all NoMachine processes.
3. Run Process Monitor as Administrator.
4. In Process Monitor Filter window:
– Expand ‘Column’ drop down list (default value is ‘Architecture’), change the value to ‘Command Line’.
– Expand ‘Relation’ drop down list (default value ‘is’), change the value to ‘contains’.
– Type ‘daemon’ in the ‘Value’ field.
– Set ‘Action’ field to ‘Include’.
This should create the rule: ‘Command Line contains daemon then Include’.
– Click on ‘Add’, ‘Apply’ and ‘Ok’.
5. In the top bar of Process Monitor check the ‘Show Registry Activity’, ‘Show File System Activity’, ‘Show Network Activity’, ‘Show Process and Thread Activity’ and ‘Show Profiling Events’ icons.
6. Run ‘nxserver --startup’ from the command line.
7. After 30 seconds click on ‘Save’ icon in Process Monitor top bar.
Save the file using ‘Native Process Monitor Format’. Send us the produced event file.
Cato (Participant)
Hello EduardoRL,
Please answer the following questions:
1. Is it possible to physically log on desktop using the same credentials?
2. Can you authenticate with the same credentials using any SSH client?
3. Is host part of AD/LDAP/Kerberos setup?
4. Are there any authentication errors printed in system logs after failed NoMachine authentication attempt?
If answer to 2. is yes, the problem is most likely related to PAM configuration. Create backup of ‘/etc/pam.d/nx’ and overwrite it with content of ‘/etc/pam.d/sshd’. Let us know if it helps.
Cato (Participant)
Hello rob8861,
We managed to reproduce the problem. It seems that some upgrade operations are performed after reboot. Post-reboot configuration is done under the ‘_mbsetupuser’ account. For some reason this user is detected as the desktop owner on the login window and NoMachine Server waits until he accepts the incoming connection. The problem should disappear after the next OS reboot. You can check this Stack Overflow thread for additional information:
http://stackoverflow.com/questions/33391174/who-or-what-is-mbsetupuser
Cato (Participant)
Hello christphe,
Logs suggest that ‘nxlsa’ module wasn’t loaded by operating system. This can only be done during boot time, so please check if rebooting your Windows helps.
If the problem still persists:
1. Gather NoMachine logs using this guide: https://www.nomachine.com/DT07M00098.
2. Check the value of ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa’ registry key.
3. Check if ‘nxlsa’ module is loaded correctly using Process Explorer:
– Download and install package from https://technet.microsoft.com/pl-pl/sysinternals/processexplorer.
– Start Process Explorer as Administrator.
– Click on ‘Find’ and ‘Find handle or DLL’. Type ‘nxlsa’ in search box.
If the module is correctly loaded, search result will show that module belongs to ‘lsass.exe’ process.
Send logs, value of registry key and result of ‘nxlsa’ query to forum[at]nomachine[dot]com.
Cato (Participant)
Hello mgda,
Authentication failure is most likely related to PAM configuration.
Is it possible to authenticate with NX using any other domain account? Since you are able to authenticate via SSH it is possible that the SSH PAM configuration contains something that is missing in NX (pam_winbind, pam_centrify, pam_krb5…). By default the NX protocol includes the PAM configuration of the ‘su’ command. Is it possible to successfully run ‘su mgda’ from another account? You can also try to back up the current NX PAM configuration placed in ‘/etc/pam.d/nx’ and overwrite it with the content of ‘/etc/pam.d/sshd’. If that doesn’t help, check with the UPN name format, i.e. mgda@corp.mydomain.com.
If still no success, please send us the output of ‘tail -n 50 /var/log/secure.log’ after a failed authentication attempt and the content of the ‘/etc/pam.d’ directory.
Please submit it to forum[at]nomachine[dot]com.
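The two replies above that suggest overwriting ‘/etc/pam.d/nx’ with ‘/etc/pam.d/sshd’ rest on the SSH service file naming modules that the NX one lacks. The following is an added example, not part of the posts and not NoMachine code: it lists what the sshd file references that the nx file does not, so the difference can be reviewed before anything is overwritten. Both file contents are constructed samples; only top-level lines are compared, and included files are reported by name rather than followed.

```python
import re

# Constructed sample contents, standing in for /etc/pam.d/sshd and /etc/pam.d/nx.
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_krb5.so use_first_pass
auth       include      password-auth
account    [default=bad success=ok user_unknown=ignore] pam_winbind.so
session    optional     pam_mkhomedir.so umask=0077
-session   optional     pam_systemd.so
"""
SAMPLE_NX = """\
#%PAM-1.0
auth       include      su
account    include      su
session    include      su
"""

CONTROL = re.compile(r"\[[^\]]*\]|\S+")  # "[k=v ...]" form or a single keyword

def parse_pam(text):
    """Return (modules, includes) as sets of (type, name) from one service file."""
    modules, includes = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):          # Debian-style include
            includes.update(("*", f) for f in line.split()[1:2])
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                              # blank, comment or malformed
        ptype, rest = parts[0].lstrip("-"), parts[1]
        match = CONTROL.match(rest)
        tail = rest[match.end():].split()
        if not tail:
            continue
        if match.group(0) in ("include", "substack"):
            includes.add((ptype, tail[0]))
        else:                                     # keep module name, drop path/args
            modules.add((ptype, tail[0].rsplit("/", 1)[-1]))
    return modules, includes

def missing_from_nx(sshd_text, nx_text):
    sshd_mods, sshd_inc = parse_pam(sshd_text)
    nx_mods, nx_inc = parse_pam(nx_text)
    return sorted(sshd_mods - nx_mods), sorted(sshd_inc - nx_inc)

if __name__ == "__main__":
    print(missing_from_nx(SAMPLE_SSHD, SAMPLE_NX))
```

On a real host, read the two files with `open(...).read()` and pass their contents in place of the samples.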
Cato (Participant)
Hello dco63,
Please answer the following questions:
1. Is the host on which you are trying to log part of Active Directory?
If it is, please make sure that you’re providing full name in correct format:
‘<user_name>@<domain_name>’ or ‘<domain_name>\<user_name>’.
2. Did you change your account name in the past?
If so, please check this thread for additional information: https://www.nomachine.com/forums/topic/admin-changes.