Forum Replies Created
Guro (Contributor)
Hello,
no need for a debug package Britgirl.
When you install NoMachine, it creates user ‘nx’ in the admin group. This is an important account with specific privileges which is used for the internal handling of the program’s operations.
From your logs it appears the ‘nx’ user does not have enough privileges:
5388 7200 2024-04-24 09:28:49 522.932 ValidateNXAccount: ERROR! NX account doesn't have following required privileges:
5388 7200 2024-04-24 09:28:49 522.932 'SeTcbPrivilege'.
5388 7200 2024-04-24 09:28:49 522.932 'SeIncreaseQuotaPrivilege'.
5388 7200 2024-04-24 09:28:49 522.932 'SeAssignPrimaryTokenPrivilege'.
This can happen when using a custom security policy on local workgroup or AD domain.
You can check that user privileges are correctly set using the following command:
secedit /export /areas USER_RIGHTS /cfg OUT.CFG
making sure to run it with local Windows admin account and then with domain administrator account if the Windows host is in an AD domain.
The OUT.CFG will show users by SID not username, but using this command
wmic useraccount get name,sid
allows you to find the username for SID association.
To add/assign privileges for the user you need to use (from Run, a PowerShell or command prompt)
gpedit.msc -> Windows Settings -> Security Settings -> User Rights Assignments
or contact your administrator if your machine is part of an AD domain (if you cannot do this).
Running gpedit.msc shows the Local Group Policy Editor. In the policy list:
– click on ‘Act as part of the operating system’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Adjust memory quotas for a process’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Replace a process level token’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Obtain an impersonation token for another user in the same session’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
We recommend performing the login to Windows as a local workgroup Administrator, checking the NoMachine status and modifying privileges if NoMachine does not start.
If you are installing NoMachine as the domain administrator, then you need to check that the nx user is not already registered in the domain, to avoid a conflict of user permissions.
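The check described in the reply above can be scripted. This is an added example, not part of the original post and not NoMachine code: it parses the [Privilege Rights] section of a secedit export and reports which of the three privileges from the log error are not assigned to the nx account. The sample file contents and SIDs are constructed, the function names are hypothetical, and only direct assignments are checked (rights inherited through a group are not resolved).

```python
# Added example: audit a `secedit /export /areas USER_RIGHTS /cfg OUT.CFG` file
# for the privileges named in the ValidateNXAccount error.
REQUIRED = ("SeTcbPrivilege", "SeIncreaseQuotaPrivilege",
            "SeAssignPrimaryTokenPrivilege")

# Constructed sample of OUT.CFG; the SIDs are made up for illustration.
NX_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"
SAMPLE_CFG = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

def load_cfg(path):
    # Assumption: secedit writes the export as UTF-16 with a BOM.
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def parse_privilege_rights(cfg_text):
    """Return {privilege: set of holders} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are comma separated; SIDs carry a leading '*', names do not.
        rights[name.strip()] = {h.strip().lstrip("*").lower()
                                for h in value.split(",") if h.strip()}
    return rights

def missing_privileges(cfg_text, sid, account="nx"):
    """List required privileges that name neither the SID nor the account."""
    rights = parse_privilege_rights(cfg_text)
    wanted = {sid.lower(), account.lower()}
    return [p for p in REQUIRED if not rights.get(p, set()) & wanted]

if __name__ == "__main__":
    for priv in missing_privileges(SAMPLE_CFG, NX_SID):
        print("nx is not listed for", priv)
```

On a real host, pass `load_cfg("OUT.CFG")` and the nx SID reported by `wmic useraccount get name,sid` instead of the sample values.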
Guro (Contributor)
Hello,
it seems the issue is related to AD user recognition.
Could you check
/nxexec --auth
with sudo or root access account for mvladimirov like:
sudo ./nxexec --auth
Also provide information about the AD integration of the macOS host: do you use some third-party tools or only macOS standards?
Thanks
Guro (Contributor)
Hello
We checked the sent logs and they are only from the client side. Please send us the server-side host logs and Windows events related to nxserver/nxnode/nxservice.
Thanks
Guro (Contributor)
Hello
Please also provide server-side logs and check if nxtrace.log was generated in the C:\ProgramData\NoMachine\var\log\ folder.
Also please check Windows events, export the nxservice/nxnode related reports and send them with the nx logs, please.
Thanks
Guro (Contributor)
Hello
The key for NX protocol key authentication should be generated by the nxkeygen command or, if it is generated by ssh-keygen, it should then be converted to PEM format.
You can convert the existing SSH private key by using this command:
ssh-keygen -p -m PEM -f path_to_the_key
We’d like to check the client side logs, can you send them to us? Please see the document here for instructions and then send them directly to forum[at]nomachine[dot]com making sure to use the title of this topic as the subject of your email. Thanks!
Guro (Contributor)
Hello
I was looking in the forum, in the KB but couldn’t find where to go in app to setup 2FA for mac.
Please check the result of the next command on your Mac host after preparing PAM for 2FA.
(if install path is standard):
cd /Applications/NoMachine.app/Contents/Frameworks/bin
./nxexec --auth
Terminal will ask for username, then it should ask for password and probably verification code depending on your PAM nx configuration.
Please paste here a screenshot of the results or paste the output directly. Also pay attention to any errors showing in the log output.
Thanks
Guro (Contributor)
Hello
The smart device is accessible by the user who forwarded it. Sharing the smart card among users is not supported (but planned) because personal information for smart card sharing is stored in the user’s home on the server side, which is not accessible to a different user even if that other user is root.
Thanks
Guro (Contributor)
Logs from the NoMachine server would be useful as well. Please follow the instructions here: https://kb.nomachine.com/DT11R00182. You can send them directly to forum[at]nomachine[dot]com making sure to reference the title of your topic.
I tried checking CryptoPro on the fly and the installed version does not contain module rtPKCS11ECP. Please could you also tell us the exact version and whether you are using the free version or a subscription of CryptoPro?
Additionally would you be willing to run a NoMachine client debug package on your client host to get extended information from client side?
Guro (Contributor)
Hello
Did you try to read the public key or certificate on the server side after forwarding the device?
Could you run in session terminal command like:
pkcs11-tool --module /usr/NX/lib/libpkcs11.so -l --read-object --type pubkey --id <key_id>
to check access to the generated key pair or certificate. Please send us all error messages if they appear.
Guro (Contributor)
Hello.
Please could you provide more detail about how you are using your smartcard in a NoMachine session, so we can understand the steps you are taking/have taken?
What NoMachine product server side are you using? What type of session is it? Can you tell us the Linux distribution and version?
programs don’t see that this smart card is connected
Which programs exactly? Do these programs support the path set to the NoMachine pkcs11 module?
Guro (Contributor)
Hello.
As I see in the logs, the AD user is recognized in later tests but the server is unable to check the daemon status (this part of the logs is not full).
Please could you run one more test with a new package which we can prepare?
Thanks
Guro (Contributor)
Hello
Do you still have login problems after installing the debug package on macOS?
Thanks
Guro (Contributor)
NoMachine checks user credentials through PAM and got the error “Permission denied”.
1. Please check the PAM logs. There should be more detailed information on why PAM refuses the user.
2. Is the user name correctly mapped to the local user? Could you try to use a username with the domain name part?
Guro (Contributor)
The current known problem with Windows is related to the NoMachine installation folder.
If you install Windows in a folder which is located on a mounted disk (as a shared folder), the service is unable to start because it can’t match the NoMachine module path.
Please ensure that your NoMachine install path is located on the standard logical disk or allow NoMachine to choose the default path.
For user DaveXS, could you send compressed NoMachine log data to us, so we can check?
You need to compress folder C:\ProgramData\NoMachine\var\log
Guro (Contributor)
Hello
Could you reinstall NoMachine with the firewall disabled (if it is enabled) and the antivirus disabled (if it is installed)?
We try to reproduce this issue in our labs.
Thanks