Guro

Forum Replies Created

Viewing 15 posts - 16 through 30 (of 41 total)
  • Author
    Posts
  • in reply to: Mac – Authentication failed, please try again #49159
    Guro
    Contributor

    hello

    Is ‘remote one ‘ mac based? If yes then let’s check how remote side recognize username/password.

    Open terminal window on remote side and run command:

    /Applications/NoMachine.app/Contents/Frameworks/bin/nxexec --auth

    input username <enter>, then password <enter>

    and check result please. If username is not local system user like ldap, AD etc command nxexec might run as sudo or root user.

    thanks

    Guro
    Contributor

    Please open powershell on the server side as admin and run the following command:
    get-childitem \\.\pipe\ and provide all lines which contain pipe name as nx*

    Guro
    Contributor

    Hello,

    no need for a debug package Britgirl.

    When you install NoMachine, it creates user ‘nx’ in the admin group. This is an important account with specific privileges which is used for the internal handling of the program’s operations.

    From your logs it appears the ‘nx’ user does not have enough privileges:

    5388 7200 2024-04-24 09:28:49 522.932 ValidateNXAccount: ERROR! NX account doesn't have following required privileges:
    5388 7200 2024-04-24 09:28:49 522.932 'SeTcbPrivilege'.
    5388 7200 2024-04-24 09:28:49 522.932 'SeIncreaseQuotaPrivilege'.
    5388 7200 2024-04-24 09:28:49 522.932 'SeAssignPrimaryTokenPrivilege'.

    This can happen when using a custom security policy on local workgroup or AD domain.

    You can check that user privileges are correctly set using the following command:

    secedit /export /areas USER_RIGHTS /cfg OUT.CFG

    making sure to run it with local Windows admin account and then with domain administrator account if the Windows host is in an AD domain.

    The OUT.CFG will show users by SID not username, but using this command

    wmic useraccount get name,sid

    allows you to find the username for SID association.

    To add/assign privileges for the user you need to use (from Run, a powershell or command prompt)

    gpedit.msc -> Windows Settings -> Security Settings -> User Rights Assignments

    or contact your administrator if your machine is part of an AD domain (if you cannot do this).

    Running gpedit.msc shows the Local Group Policy Editor. In the policy list:

    – click on ‘Act as part of the operating system’. Check if nx user name or nx sid is present in shown, if not, click Add User or Group to add it and choose nx or the nx sid from the list.

    – click on ‘Adjust memory quotas for a process’. Check if nx user name or nx sid is present in shown, if not, click Add User or Group to add it and choose nx or the nx sid from the list.

    – click on ‘Replace a process level token’. Check if nx user name or nx sid is present in shown, if not, click Add User or Group to add it and choose nx or the nx sid from the list.

    – click on ‘Obtain an impersonation token for another user in the same session’. Check if nx user name or nx sid is present in shown, if not, click Add User or Group to add it and choose nx or the nx sid from the list.

    We recommend performing the login to Windows as a local workgroup Administrator, checking the NoMachine status and modifying privileges if NoMachine does not start.

    If you are installing NoMachine as the domain administrator, then you need check that nx user is not already registered in domain to avoid conflict of user permissions.

    in reply to: 2FA on Mac #47913
    Guro
    Contributor

    hello

    it seems issue is related to AD user recognition.

    Could you check /nxexec --auth with sudo or root access account for mvladimirov like:

    sudo ./nxexec --auth

    Also provide information about AD integration of macOS host, do you some third party tools or only macos standards?

    Thanks

    in reply to: When trying to connect to server, it disconnects #47611
    Guro
    Contributor

    Hello

    We checked the sent logs and they are only from client side. Please send to us server side host logs and windows events related to nxserver/nxnode/nxservice.

    Thanks

    in reply to: When trying to connect to server, it disconnects #47464
    Guro
    Contributor

    Hello

    Please also provide server side logs and check if nxtrace.log was generated in C:\ProgramData\NoMachine\var\log\ folder.
    Also please check windows events and export nxservice/nxnode relate reports and send with nx logs, please.

    Thanks

    in reply to: NoMachine asking for username and passphrase #47390
    Guro
    Contributor

    Hello

    The NX protocol key authentication should be generated by nxkeygen command, or if it is generated by ssh-keygen, then should be converted in pem format.

    You can convert the existing SSH private key by using this command:

    ssh-keygen -p -m PEM -f path_to_the_key

    We’s like to check the client side logs, can you send them to us? Please see the document here for instructions and then send them directly to forum[at]nomachine[dot]com making sure to use the title of this topic as the subject of your email. Thanks!

    https://kb.nomachine.com/DT07S00244#2

    in reply to: 2FA on Mac #47014
    Guro
    Contributor

    hello

    I was looking in the forum, in the KB but couldn’t find where to go in app to setup 2FA for mac.

    Please check next command result on your mac host after preparing PAM for 2AF.

    (if install path is standard):
    cd /Applications/NoMachine.app/Contents/Frameworks/bin
    ./nxexec –auth

    Terminal will ask for username, then it should ask for password and probably verification code depending on your PAM nx configuration.

    Please paste here a screenshot of the results or paste the output directly. Also pay attention to any errors showing in the log output.

    Thanks

    in reply to: Accessing forwarded smart card as root user #44678
    Guro
    Contributor

    Hello

    The smart device is accessible by the user who forwarded it. Sharing the smart card among users is not supported (but planned) because personal information for smart card sharing are stored in the user’s home on server side, which is not accessible to a different user even if that other user is root.

    Thanks

    in reply to: Programs don’t use smart card on server #39504
    Guro
    Contributor

    Logs from the NoMachine server would be useful as well. Please follow the instructions here: https://kb.nomachine.com/DT11R00182. You can send them directly to forum[at]nomachine[dot]com making sure to reference the title of your topic.

    I tried checking CryptoPro on the fly and the installed version does not contain module rtPKCS11ECP. Please could you also tell us the exact version and whether you are using the free version or a subscription of CryptoPro?

    Additionally would you be willing to run a NoMachine client debug package on your client host to get extended information from client side?

    in reply to: Programs don’t use smart card on server #39421
    Guro
    Contributor

    Hello

    Did you tried to read public key or certificate on server side after forward device?

    Could you run in session terminal command like:

    pkcs11-tool --module /usr/NX/lib/libpkcs11.so -l --read_object --type pubkey --id <key_id>

    to check accept to generated key pair or certificate.  Please send to us all error messages if they appear.

    in reply to: Programs don’t use smart card on server #39040
    Guro
    Contributor

    Hello.

    Please could you provide more detail about how you are using your smartcard in a NoMachine session, so we can understand the steps you are taking/have taken?

    What NoMachine product server side are you using? What type of session is it? Can you tell us the Linux distribution and version?

    programs don’t see that this smart card is connected

    Which programs exactly? Do these programs support the path set to the NoMachine pkcs11 module?

    in reply to: Server settings authentication fails for domain users #37280
    Guro
    Contributor

    Hello.

    As I see in logs AD user recognizes in later tests but server unable to check daemon status(this part logs are not full).
    Please could you run one more test with new package which we can prepare?

    Thanks

    in reply to: Server settings authentication fails for domain users #37242
    Guro
    Contributor

    Hello

    Do you still have login problems after install debug package on macOS?

    Thanks

    in reply to: NM 7.6.2 from Windows -> Mac #34174
    Guro
    Contributor

    NoMachine checks user credentials through pam and got the error “Permission denied”.

    1. Please check pam logs. There should be more detailed information on why pam refuses the user.

    2. Is the user name correctly mapped to the local user?  Could you try to use a username with domain name part?

Viewing 15 posts - 16 through 30 (of 41 total)