March 6, 2014 at 10:08 #2653 Maccas (Participant)
I’m connecting from a Windows 7 machine running NXSERVER-4.1.29 to a CentOS 6.5 virtual machine server running NXSERVER-4.1.29 with GNOME.
I’m unable to connect to the server; I keep getting “Authentication Failed”. This is despite using account details that I know are definitely correct.
SELinux and IPTables are disabled. I see the following in the nxerror.log:
Info: Handler started with pid 2778 on Wed Mar 5 21:33:33 2014.
Info: Handling connection from 10.50.0.9 port 49649 on Wed Mar 5 21:33:33 2014.
nxexecPAMCheckCredentials: Authentication failed with error 6.
Info: Connection from 10.50.0.9 port 49649 closed on Wed Mar 5 21:33:41 2014.
Info: Handler with pid 2778 terminated on Wed Mar 5 21:33:41 2014.
Info: Handler started with pid 2797 on Wed Mar 5 21:33:42 2014.
Info: Handling connection from 10.50.0.9 port 49654 on Wed Mar 5 21:33:42 2014.
Any ideas what authentication failed with error 6 means?
Thanks
March 7, 2014 at 18:47 #2669 adp (Participant)
Error 6 means that permission is denied for the user. If you say that you enter the proper credentials then we might need some more info to figure out what goes wrong. If you could send us to issues [at] nomachine [dot] com the following information from your CentOS host:
1) /etc/pam.d/nx, /etc/pam.d/su, /etc/pam.d/system-auth, /etc/pam.d/sshd, /etc/pam.d/password-auth files
2) output of the command (after reproducing the issue):
sudo grep -r nxexec /var/log/*
Thank you.
March 19, 2014 at 10:58 #2738 Maccas (Participant)
Just to update this – we discussed this further offline and the developers found the issue is because PAM had been configured to enforce membership of the wheel group to allow su usage. /etc/pam.d/su contained:
auth required pam_wheel.so use_uid
The information I received was:
Our user “nx” is not in the wheel group while this PAM configuration requires
that nx is in that group to allow authentication working properly.
We now ship our own /etc/pam.d/nx module which can separate PAM
configuration that is used by NoMachine from the one used by SU service.
So, possible solutions are:
1) Comment out the problematic line in /etc/pam.d/su.
2) If you don’t want to change the su configuration, please replace the
/etc/pam.d/nx module with the file attached to this mail.
It’s a clean copy of your “su” configuration file just with the problematic line removed.
In this way you can use a custom policy only for NoMachine and don’t need to change
your “su” configuration. Feel free to edit the nx file according to your needs.
I wanted this restriction to remain so I created the specific nx module suggested, which contained:
auth sufficient pam_rootok.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Can’t fault the developers who responded. Excellent support to help troubleshoot this issue.
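To check another host for the condition found in this thread, the following added example (not part of the thread and not NoMachine code) lists every pam_wheel.so rule that a PAM service's auth stack reaches. It goes slightly beyond the thread by following include and substack lines. The function names, the su-edited and via-su files, and the system-auth contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NoMachine code): print every pam_wheel.so rule in the
# auth stack that a PAM service reaches, following include/substack lines.

# pam_wheel_rules SERVICE [PAM_DIR]  -> "file: rule" per match, nothing if none
pam_wheel_rules() {
    awk -v svc="$1" -v dir="${2:-/etc/pam.d}" '
    function walk(name,    path, line, f, n) {
        if (name in seen) return        # guard against include loops
        seen[name] = 1
        path = dir "/" name
        while ((getline line < path) > 0) {
            sub(/#.*/, "", line)        # commented-out rules do not count
            n = split(line, f, " ")
            if (n < 3) continue
            sub(/^-/, "", f[1])         # "-auth" is still an auth rule
            if (f[1] != "auth") continue
            if (f[2] == "include" || f[2] == "substack") walk(f[3])
            else if (line ~ /pam_wheel\.so/) print name ": " line
        }
        close(path)
    }
    BEGIN { walk(svc) }'
}

# in_wheel USER -> exit status 0 if USER is a member of group "wheel"
in_wheel() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx wheel
}

# Constructed sample tree; file contents are illustrative, not from a real host.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' 'auth include system-auth' > "$d/su"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '#auth required pam_wheel.so use_uid' 'auth include system-auth' > "$d/su-edited"
    printf '%s\n' 'auth sufficient pam_rootok.so' 'auth include system-auth' \
        'account include system-auth' > "$d/nx"
    printf '%s\n' 'auth include su' > "$d/via-su"   # hypothetical service reusing su
    printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so' \
        'auth required pam_deny.so' > "$d/system-auth"
    echo "$d"
}

sample=$(make_sample)
for s in su su-edited nx via-su; do
    echo "$s -> $(pam_wheel_rules "$s" "$sample")"
done
rm -rf "$sample"
```

On a real host, run `pam_wheel_rules nx` and `in_wheel nx` with no directory argument; a reported rule combined with a failing `in_wheel` matches the situation described above.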