Guro

[Guro]

Hello

Please provide results of the following:

1. ls -la /Applications/NoMachine.app/Contents/Frameworks/bin/nxexec

to be sure that nxexec had suid flag.

2. /Applications/NoMachine.app/Contents/Frameworks/bin/nxexec --auth

it will ask for user password input and allows to check if nxexec interacts correctly with PAM service.

Use local user credentials and network user too if you have.

 

[Guro]

Hello

We investigated provided log data and it seems that it is not a permission issue. For now we suspect that issue might be related to incorrect interpretation of user token, but standard logs cannot provide such information as for security reason disabled logging one. Please let us know if you are willing to install nomachine debug package on the server and collect verbose logs.

Thanks

[Guro]

Hello

please provide the results from running the following commands in power shell opened as Administrator.

1.  net user nx

in result should be listed if the user is still in admin group.

2.   wmic useraccount get name,sid | Select-String nx

to have nx user sid so that we can compare with the logs.

3. secedit /export /areas USER_RIGHTS /cfg privileges.txt

to have all permissions of user nx. and send to us privileges.txt file please.

If the default folder of power shell does not allow to save the file, then change path to file to another folder like:

secedit /export /areas USER_RIGHTS /cfg C:\Temp\ privileges.txt

4. Get-WinEvent -FilterHashtable @{LogName = 'Application'} | Where-Object {$_.Message -like '*nx*'}

will parse Windows application events and NX items.

I also have an additional question, how much time passed before the last Windows restart and the NoMachine service issues?

Thanks

 

[Guro]

Hello
please send server and client side logs of kerberos errors to as for more detailed test.

Usually problems relate to correct configuration. as alternate you can try use ssh connection protocol,

please don’t forget enable EnableNXKerberosAuthentication 1, on server configure file.

As you also have smartcard/PIN authentication, you also can extract public key from smartcard and register on server side as authorized_keys. for more details might be in:

https://kb.nomachine.com/DT11R00187

Thanks

[Guro]

Hello

there is no need for krb5 files. If you have kerberos ticket for windows, you can use select prefered library ‘Microsoft SSPI’ and if your user has kerberos ticket after Windows login, then this ticket might be used by NoMachine,

thanks

[Guro]

hello

“Authentication is done with a smartcard and a PIN or a user/password pair in an Active Directory.

ECS is connected to the same AD, I can get a ticket with kinit for my user/password.”

We can recommend use kerberos authentication as client and server host in same ad domain.

You need enable kerberos authentication on server by edit /usr/NX/etc/server.cfg and update keys

#EnableNXKerberosAuthentication 0

to

EnableNXKerberosAuthentication 1

Please ensure that AD user is correctly seen on server host:

if commands: id ,  getent passwd | grep , su

correctly list/switch on user. More details for kerberos authentication are available in https://kb.nomachine.com/DT07S00230

Thanks

[Guro]

Hello,
please send nomachine server side logs to us. You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243. Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email.

 

[Guro]

Also could you provide result of next command in administrator rights power shell window, please:
net localgroup Administrators

We need to be sure that nx user in Administrators groups as we suspect. Logs show:

“6120 29444 2024-10-23 22:35:30 674.235 ImpersonationWorker: ERROR! Failed to launch nxserver process.

6120 66060 2024-10-25 10:34:10 075.469 ExecuteServer: ERROR! Failed to duplicate input.

6120 66060 2024-10-25 10:34:10 075.469 ExecuteServer: Error is ‘6’.”
might be related.

[Guro]

hello

Did you update Windows before noticing the fail on server side?

 

 

[Guro]

It’s also useful to know whether user Emile is a user of domain or windows AD?

[Guro]

hello

“If there are no security risks to installing the debug package, then I’m happy for you to send it to me and use it.” –  It’s safe to install and use. It’s a regular package with extra debug enabled to allow us to go much deeper into why a particular error is happening so they will contain information about exchange protocol flow data, ssh key fingerprints and accepted encryption methods.

” Is the ssh tunnelling method I mentioned earlier in this thread sensible?” – Yes it is. You can see details here: https://kb.nomachine.com/AR10K00728

“Is there a way to make the connection more stable with this approach?” – I think the session freeze needs further investigation. First, can you send us server side logs? Logs would also allow us to check why the connection is failing without an appropriate error even without adding yubikey as a device. You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243.

Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email. Thanks!

[Guro]

Hello

Please could you provide exact information of NoMachine server you are trying to connect to?
The free NoMachine version does not support SSH connections.

Thanks

[Guro]

Hello

To be able to provide more advises there is need to have more detailed log data. As for security reason, authentication logs are disabled by default.
But if you are willing to install new debug package on your working machine and test the authentication process to provide us more detailed information about this error, we can send you a debug package.

Thanks

[Guro]

hello

As you use -i option for ssh to point to private key in system path, then you could point same path in the connection > ‘Use key-based authentication with a key you provided’.

“Does your advice still apply in that case?” – yes. Check key real path after modify player.cfg and set

 

thanks

[Guro]

Hello

ssh -I /pathtokeyfile

Usually -I uses to access to pkcs11 module. For Yubico probably it should be libykcs11.dylib.

If yes then you can use path to module in section “Use key-based authentication with PKCS11 smart card”,

“Set an alternate security module”. there you can select absolute path to libykcs11.dylib.

By default path might look like /usr/local/lib/libykcs11.dylib.

If connection still fails, then please leave all settings as it but close all nomachine windows.

Edit ~/.nx/config/player.cfg

find line:

<option key=”SSH client mode” value=”library” />

and replace “library” to “native” like:

<option key=”SSH client mode” value=”native” />

also check if
<option key=”SSH Client” value=”/usr/local/bin/ssh” />

contain valid path to default ssh client. Finish and save edit content.

Open nomachine windows again and do SSH protocol connection by smart card.

Please inform as if it will helps and report errors if some appears.

[Author]

Posts