Forum Replies Created
Guro
Contributor
Hello
Please send server and client side logs of Kerberos errors to us for more detailed testing. Usually problems relate to correct configuration. As an alternative you can try using the SSH connection protocol;
please don't forget to enable
EnableNXKerberosAuthentication 1
in the server configuration file. As you also have smartcard/PIN authentication, you can also extract the public key from the smartcard and register it on the server side as authorized_keys. More details might be in:
https://kb.nomachine.com/DT11R00187
Thanks
Guro
Contributor
Hello
There is no need for krb5 files. If you have a Kerberos ticket for Windows, you can select the preferred library 'Microsoft SSPI', and if your user has a Kerberos ticket after Windows login, then this ticket might be used by NoMachine.
Thanks
Guro
Contributor
Hello
“Authentication is done with a smartcard and a PIN or a user/password pair in an Active Directory.
ECS is connected to the same AD, I can get a ticket with kinit for my user/password.”
We can recommend using Kerberos authentication, as the client and server hosts are in the same AD domain.
You need to enable Kerberos authentication on the server by editing /usr/NX/etc/server.cfg and updating the key
#EnableNXKerberosAuthentication 0
to
EnableNXKerberosAuthentication 1
Please ensure that the AD user is correctly seen on the server host:
check whether the commands: id , getent passwd | grep , su
correctly list/switch to the user. More details on Kerberos authentication are available in https://kb.nomachine.com/DT07S00230
Thanks
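A pre-flight check for the two server-side steps in the reply above, as an added example that is not part of the original post or of NoMachine's tooling. The function names and the script name are hypothetical, and it assumes a leading '#' comments the key out and that the last uncommented line is the one in effect.

```shell
#!/bin/sh
# Added example (not NoMachine tooling): pre-flight check for Kerberos logins.
# Assumptions: the key is written as "EnableNXKerberosAuthentication <0|1>",
# a leading '#' comments it out, and the last uncommented line is in effect.

# Print the configured value, or "unset" if only commented lines exist.
nx_kerberos_setting() {
    awk '$1 == "EnableNXKerberosAuthentication" { v = $2 }
         END { if (v == "") v = "unset"; print v }' "$1"
}

# Succeed only if the account resolves through NSS (id and getent both see it).
nx_user_visible() {
    id "$1" >/dev/null 2>&1 && getent passwd "$1" >/dev/null 2>&1
}

# Run both checks and report each; return non-zero if either one fails.
nx_kerberos_preflight() {
    cfg=$1 user=$2 rc=0
    if [ ! -r "$cfg" ]; then
        echo "FAIL: cannot read $cfg"
        return 2
    fi
    val=$(nx_kerberos_setting "$cfg")
    if [ "$val" = "1" ]; then
        echo "OK:   EnableNXKerberosAuthentication is 1 in $cfg"
    else
        echo "FAIL: EnableNXKerberosAuthentication is '$val' in $cfg (expected 1)"
        rc=1
    fi
    if nx_user_visible "$user"; then
        echo "OK:   '$user' resolves on this host"
    else
        echo "FAIL: '$user' is not visible to id/getent; check the AD/NSS setup"
        rc=1
    fi
    return $rc
}

# Usage: sh nx-krb-preflight.sh <ad-user> [server.cfg]
if [ "$#" -ge 1 ]; then
    nx_kerberos_preflight "${2:-/usr/NX/etc/server.cfg}" "$1"
fi
```

A commented default line such as "#EnableNXKerberosAuthentication 0" is reported as "unset", which is the state the reply asks you to change.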
Guro
Contributor
Hello,
Please send NoMachine server side logs to us. You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243. Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email.
December 19, 2024 at 09:42 in reply to: Could not start the display server. Error is 5: Input/output error #51158
Guro
Contributor
Also, could you provide the result of the following command in a PowerShell window with administrator rights, please:
net localgroup Administrators
We need to be sure that the nx user is in the Administrators group, as we suspect. Logs show:
“6120 29444 2024-10-23 22:35:30 674.235 ImpersonationWorker: ERROR! Failed to launch nxserver process.
6120 66060 2024-10-25 10:34:10 075.469 ExecuteServer: ERROR! Failed to duplicate input.
6120 66060 2024-10-25 10:34:10 075.469 ExecuteServer: Error is ‘6’.”
might be related.
December 19, 2024 at 03:51 in reply to: Could not start the display server. Error is 5: Input/output error #51154
Guro
Contributor
Hello
Did you update Windows before noticing the failure on the server side?
Guro
Contributor
It’s also useful to know whether user Emile is a user of a domain or Windows AD?
Guro
Contributor
Hello
“If there are no security risks to installing the debug package, then I’m happy for you to send it to me and use it.” – It’s safe to install and use. It’s a regular package with extra debug enabled to allow us to go much deeper into why a particular error is happening so they will contain information about exchange protocol flow data, ssh key fingerprints and accepted encryption methods.
“Is the ssh tunnelling method I mentioned earlier in this thread sensible?” – Yes it is. You can see details here: https://kb.nomachine.com/AR10K00728
“Is there a way to make the connection more stable with this approach?” – I think the session freeze needs further investigation. First, can you send us server side logs? Logs would also allow us to check why the connection is failing without an appropriate error even without adding yubikey as a device. You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243.
Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email. Thanks!
Guro
Contributor
Hello
Please could you provide exact information about the NoMachine server you are trying to connect to?
The free NoMachine version does not support SSH connections.
Thanks
Guro
Contributor
Hello
To be able to provide more advice we need more detailed log data. For security reasons, authentication logs are disabled by default.
But if you are willing to install a new debug package on your working machine and test the authentication process to provide us more detailed information about this error, we can send you a debug package.
Thanks
Guro
Contributor
Hello
As you use the -i option for ssh to point to a private key in a system path, you could point to the same path in the connection > ‘Use key-based authentication with a key you provided’.
“Does your advice still apply in that case?” – Yes. Check the real key path after modifying player.cfg and set
thanks
Guro
Contributor
Hello
ssh -I /pathtokeyfile
Usually -I is used to access a PKCS11 module. For Yubico it should probably be libykcs11.dylib.
If yes, then you can use the path to the module in the section “Use key-based authentication with PKCS11 smart card”,
“Set an alternate security module”. There you can select the absolute path to libykcs11.dylib.
By default the path might look like /usr/local/lib/libykcs11.dylib.
If the connection still fails, then please leave all settings as they are but close all NoMachine windows.
Edit ~/.nx/config/player.cfg
Find the line:
<option key="SSH client mode" value="library" />
and replace "library" with "native", like:
<option key="SSH client mode" value="native" />
Also check whether
<option key="SSH Client" value="/usr/local/bin/ssh" />
contains a valid path to the default ssh client. Finish and save the edited content.
Open the NoMachine windows again and make an SSH protocol connection with the smart card.
Please inform us if it helps and report errors if any appear.
Guro
Contributor
Hello,
“My keys are resident keys stored on the Yubikey. I do have the public keys in ~/.ssh/authorized_keys on the server I’m trying to access.” – it looks good.
Could you please provide us the command of poor ssh you use to login to the server (hiding all sensitive data)?
Thanks
Guro
Contributor
Regarding the logs, we notice that you are trying to install NoMachine on the D:\ disk space, instead of the default C:\Program Files.
Have you tried installing on the default path to compare the result?
And is the D: space a real local disk partition, or some network drive mounted with some service?
Guro
Contributor
Hello Practice,
Please also provide us the Windows build version: open PowerShell and run the command
winver
It would be useful for us to have a screenshot of the appearing window (but with your private data censored).