Forum Replies Created
Guro (Contributor)
One additional piece of information: if you have access to Yubikey keys and are able to extract the public key for ssh to place in ~/.ssh/authorized_keys, then you might use the NoMachine SSH protocol connection and choose authentication with smartcard reader.
By default it works only with PKCS#11 compatible smartcard readers, but it might also recognize Yubikey.
Please try and let us know.
Guro (Contributor)
Hello,
“note that I am not using port 22 for ssh, will this be a problem?” – no, it shouldn’t be a problem.
“Do you have further suggestions to get login secured with Yubikey without an online server involved?” – not yet, as I suspect that it needs additional implementation.
“Here is the log output as requested:” – these logs are from the client side and mostly report about the connection problem rather than ‘Yubikey’ use.
Could you please provide us the server side logs, for clearer information, and send them to forum[at]nomachine[dot]com, making sure to reference the topic as the subject of the email?
Guro (Contributor)
Hello,
please give a bit more detail about “After resetting Windows 11”. What exactly did you do? Did you restart?
Additionally:
1. Check whether, after installing NoMachine and restarting, the file C:\Windows\System32\nxlsa.dll is present in the system.
2. Open PowerShell as admin and run the command
get-childitem "\\.\pipe\"
and provide the lines containing the nx* pattern, like: nxdevice, nxfsd, nxserver, nxsspi.
3. As administrator in the PowerShell window try the following commands
net stop nxservice
net start nxservice
then check if an nxtrace.log appears in C:/ProgramData/NoMachine/var/logs.
Check Windows Event Viewer, and in section “Windows Logs” check (Application, System) and provide error/warning events generated by nxservice, nxserver, nxnode if they are present.
Inside Event Viewer check section “Applications and Services Logs > Microsoft > Windows > LSA” to see if it contains some events.
If yes, send the content to us. Remember that some Event Viewer data might contain sensitive data, so please avoid sharing it publicly here. You can redact the file by removing sensitive data.
Thanks
Guro (Contributor)
hello
“Doesn’t this approach require internet access to the Yubico cloud server?” – yes, it is needed.
but
“I use this with FIDO2 resident keys for ssh already” – if you have an updated ssh server configuration then
it is possible to try using the ssh PAM configuration for nx on the server and check.
sudo cp /etc/pam.d/nx /etc/pam.d/nx.bak
sudo cp /etc/pam.d/sshd /etc/pam.d/nx
If login fails, please send the server side logs to us.
thanks
Guro (Contributor)
hello
Is the ‘remote one’ Mac based? If yes then let’s check how the remote side recognizes username/password.
Open a terminal window on the remote side and run the command:
/Applications/NoMachine.app/Contents/Frameworks/bin/nxexec --auth
input username <enter>, then password <enter>
and check the result please. If the username is not a local system user (ldap, AD etc.) the nxexec command might need to run with sudo or as the root user.
thanks
June 11, 2024 at 16:00 in reply to: Was working but now getting Error: Connection reset by peer #48464
Guro (Contributor)
Please open PowerShell on the server side as admin and run the following command:
get-childitem \\.\pipe\
and provide all lines which contain a pipe name matching nx*
Guro (Contributor)
Hello,
no need for a debug package Britgirl.
When you install NoMachine, it creates user ‘nx’ in the admin group. This is an important account with specific privileges which is used for the internal handling of the program’s operations.
From your logs it appears the ‘nx’ user does not have enough privileges:
5388 7200 2024-04-24 09:28:49 522.932 ValidateNXAccount: ERROR! NX account doesn't have following required privileges:
5388 7200 2024-04-24 09:28:49 522.932 'SeTcbPrivilege'.
5388 7200 2024-04-24 09:28:49 522.932 'SeIncreaseQuotaPrivilege'.
5388 7200 2024-04-24 09:28:49 522.932 'SeAssignPrimaryTokenPrivilege'.
This can happen when using a custom security policy on a local workgroup or AD domain.
You can check that the user privileges are correctly set using the following command:
secedit /export /areas USER_RIGHTS /cfg OUT.CFG
making sure to run it with the local Windows admin account and then with the domain administrator account if the Windows host is in an AD domain.
The OUT.CFG will show users by SID, not username, but using this command
wmic useraccount get name,sid
allows you to find the username for SID association.
To add/assign privileges for the user you need to use (from Run, a PowerShell or command prompt)
gpedit.msc -> Windows Settings -> Security Settings -> User Rights Assignments
or contact your administrator if your machine is part of an AD domain (if you cannot do this).
Running gpedit.msc shows the Local Group Policy Editor. In the policy list:
– click on ‘Act as part of the operating system’. Check if the nx user name or nx SID is present in the shown list; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Adjust memory quotas for a process’. Check if the nx user name or nx SID is present in the shown list; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Replace a process level token’. Check if the nx user name or nx SID is present in the shown list; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
– click on ‘Obtain an impersonation token for another user in the same session’. Check if the nx user name or nx SID is present in the shown list; if not, click Add User or Group to add it and choose nx or the nx SID from the list.
We recommend performing the login to Windows as a local workgroup Administrator, checking the NoMachine status and modifying privileges if NoMachine does not start.
If you are installing NoMachine as the domain administrator, then you need to check that the nx user is not already registered in the domain to avoid a conflict of user permissions.
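As an added illustration (not NoMachine's code and not part of the reply above): a Python check that parses the USER_RIGHTS export produced by the secedit command in the reply and reports which of the three privileges named in the log do not list the nx account's SID directly. The OUT.CFG content and SIDs below are constructed samples; on a real host the nx SID comes from the wmic output.

```python
# Privileges that ValidateNXAccount reported missing in the log above.
REQUIRED_RIGHTS = ("SeTcbPrivilege",
                   "SeIncreaseQuotaPrivilege",
                   "SeAssignPrimaryTokenPrivilege")

# Constructed sample of a `secedit /export /areas USER_RIGHTS /cfg OUT.CFG`
# file; the SIDs are placeholders, not taken from any real host.
SAMPLE_CFG = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-111-222-333-1001
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-111-222-333-1001
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(cfg_text):
    """Map each privilege in [Privilege Rights] to the set of holders listed for it."""
    rights = {}
    section = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # track which INF section we are in
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are comma separated; a leading '*' marks a SID, bare items are names.
        holders = {item.strip().lstrip("*").upper()
                   for item in value.split(",") if item.strip()}
        rights[name.strip()] = holders
    return rights

def missing_rights(cfg_text, nx_sid, required=REQUIRED_RIGHTS):
    """Return the required privileges whose holder list does not name nx_sid directly."""
    rights = parse_privilege_rights(cfg_text)
    sid = nx_sid.upper()
    return [r for r in required if sid not in rights.get(r, set())]

if __name__ == "__main__":
    # With the constructed sample, only SeIncreaseQuotaPrivilege lacks the nx SID.
    print(missing_rights(SAMPLE_CFG, "S-1-5-21-111-222-333-1001"))
```

secedit writes OUT.CFG as UTF-16, so open a real export with encoding="utf-16" before passing its text in. The check only looks for the SID itself, so a right granted through a group the nx account belongs to (for example Administrators) is reported as missing and has to be confirmed by hand.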
Guro (Contributor)
hello
it seems the issue is related to AD user recognition.
Could you check
/nxexec --auth
with sudo or a root access account for mvladimirov, like:
sudo ./nxexec --auth
Also provide information about the AD integration of the macOS host: do you use some third party tools or only macOS standards?
Thanks
Guro (Contributor)
Hello
We checked the logs sent and they are only from the client side. Please send us the server side host logs and Windows events related to nxserver/nxnode/nxservice.
Thanks
Guro (Contributor)
Hello
Please also provide server side logs and check if nxtrace.log was generated in the C:\ProgramData\NoMachine\var\log\ folder.
Also please check Windows events and export the nxservice/nxnode related reports and send them with the nx logs, please.
Thanks
Guro (Contributor)
Hello
The NX protocol key for authentication should be generated by the nxkeygen command, or if it is generated by ssh-keygen, then it should be converted to PEM format.
You can convert the existing SSH private key by using this command:
ssh-keygen -p -m PEM -f path_to_the_key
We’d like to check the client side logs, can you send them to us? Please see the document here for instructions and then send them directly to forum[at]nomachine[dot]com making sure to use the title of this topic as the subject of your email. Thanks!
Guro (Contributor)
hello
I was looking in the forum, in the KB but couldn’t find where to go in app to setup 2FA for mac.
Please check the result of the following command on your Mac host after preparing PAM for 2FA
(if the install path is standard):
cd /Applications/NoMachine.app/Contents/Frameworks/bin
./nxexec --auth
The terminal will ask for a username, then it should ask for a password and probably a verification code depending on your PAM nx configuration.
Please paste here a screenshot of the results or paste the output directly. Also pay attention to any errors showing in the log output.
Thanks
Guro (Contributor)
Hello
The smart device is accessible by the user who forwarded it. Sharing the smart card among users is not supported (but planned) because the personal information for smart card sharing is stored in the user’s home on the server side, which is not accessible to a different user even if that other user is root.
Thanks
Guro (Contributor)
Logs from the NoMachine server would be useful as well. Please follow the instructions here: https://kb.nomachine.com/DT11R00182. You can send them directly to forum[at]nomachine[dot]com making sure to reference the title of your topic.
I tried checking CryptoPro on the fly and the installed version does not contain the module rtPKCS11ECP. Could you please also tell us the exact version and whether you are using the free version or a subscription of CryptoPro?
Additionally, would you be willing to run a NoMachine client debug package on your client host to get extended information from the client side?
Guro (Contributor)
Hello
Did you try to read the public key or certificate on the server side after forwarding the device?
Could you run in the session terminal a command like:
pkcs11-tool --module /usr/NX/lib/libpkcs11.so -l --read_object --type pubkey --id <key_id>
to check access to the generated key pair or certificate. Please send us all error messages if they appear.