July 15, 2019 at 16:01 #22936
I have a MacBook Pro running macOS Mojave, and it’s joined to a domain. NoMachine v6.7.6 is running on it.
A local user can access the machine using the NX client. But when a domain user tries to access the machine the following error appears.
The session negotiation failed.
Error: Cannot create session directory: /Users/<username>/.nx Error is: Permission denied.
This article explains the issue but doesn’t provide a solution.
July 16, 2019 at 09:36 #22950
Do you use dynamic home directory mounting? If so, can you provide some details of how it’s configured? What authentication method do you use when connecting with NoMachine? Can you successfully establish an SSH session for a domain user to your MacBook?
July 23, 2019 at 12:27 #23016
Same/similar issue here but on EL 7.6
A Linux domain-joined machine. Local users are fine, domain users are fine, but if a local user UID is mapped to a domain user, then they cannot log on and get the same error, but the path is different:
Error: Cannot create session directory: /usr/NX/var/log/node/C-MachineName-1002-A81E7D1AD8392DB3A0591EAD90AA937F Error is: Operation not permitted
That directory (/usr/NX/var/log/node/) is owned by gdm and has 777 perms. It did also have the sticky bit specified, but I removed that (thinking it was the cause of the issue).
Monitoring that directory with auditctl, I can see that when connecting, a “chown” is issued for the directory (even though it does not exist). aureport:
448. 23/07/19 09:50:06 /usr/NX/var/log/node/C-MachineName-1002-A81E7D1AD8392DB3A0591EAD90AA937F chown no /usr/NX/bin/nxnode.bin LocalUsername 89729
449. 23/07/19 09:50:06 /usr/NX/var/log/node/ rename yes /usr/NX/bin/nxnode.bin LocalUsername 89730
450. 23/07/19 09:50:06 /usr/NX/var/log/node/ mkdir yes /usr/NX/bin/nxnode.bin LocalUsername 89728
I can see the new directory created is an “F-C” dir:
The owner is the local user, the group is “domain email@example.com”, perms are rwxr-xr-x and the contents are empty.
Oh, and currently using the Free version (just getting it set up before moving to the terminal server edition). NoMachine 6.7.6_11 x86_64
July 25, 2019 at 12:40 #23053
Please make sure that the local account mapping is correctly configured. Specifically, you should look into primary user’s group mapping: “domain firstname.lastname@example.org” looks strange. It appears that user’s process doesn’t have rights to modify permissions on the directory it created.
What’s the output of ‘id <user_name>’ command? Does it correctly report local ID for user, user’s primary group and all supplementary groups of user, including domain groups?
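One way to script the `id` check suggested in the reply above, as an added example that is not part of the original thread or of NoMachine's tooling: the function takes the text printed by `id <user_name>` and flags any UID or GID that has no name mapping. The names `check_id_output`, `SAMPLE_OK` and `SAMPLE_BAD` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the text printed by
# `id <user_name>`. Prints one line per problem and returns the problem count.
# Usage: check_id_output "<id output>" [expected_uid]
check_id_output() {
    out=$1 want_uid=${2:-} problems=0

    # Names may contain spaces ("domain users"), so split on the field labels.
    uid_f=$(printf '%s\n' "$out" | sed -n 's/^uid=\(.*\) gid=.*/\1/p')
    gid_f=$(printf '%s\n' "$out" | sed -n 's/.* gid=\(.*\) groups=.*/\1/p')
    # Plain `id` on SELinux hosts appends " context=..."; drop it first.
    grp_f=$(printf '%s\n' "$out" | sed -n 's/ context=.*$//; s/.* groups=\(.*\)$/\1/p')
    if [ -z "$uid_f" ] || [ -z "$gid_f" ] || [ -z "$grp_f" ]; then
        echo "cannot parse id output"
        return 1
    fi

    # A resolved entry looks like 1002(name); a bare number has no name mapping.
    case $uid_f in
        *"("*")") ;;
        *) echo "uid $uid_f has no user name"; problems=$((problems + 1)) ;;
    esac
    if [ -n "$want_uid" ] && [ "${uid_f%%\(*}" != "$want_uid" ]; then
        echo "uid is ${uid_f%%\(*}, expected $want_uid"
        problems=$((problems + 1))
    fi
    case $gid_f in
        *"("*")") ;;
        *) echo "primary gid $gid_f has no group name"; problems=$((problems + 1)) ;;
    esac

    old_ifs=$IFS; IFS=,
    for g in $grp_f; do
        case $g in
            *"("*")") ;;
            *) echo "supplementary gid $g has no group name"; problems=$((problems + 1)) ;;
        esac
    done
    IFS=$old_ifs
    return "$problems"
}

# Constructed sample outputs, not taken from the thread.
SAMPLE_OK='uid=1002(localuser) gid=1002(localuser) groups=1002(localuser),70513(domain users)'
SAMPLE_BAD='uid=1002(localuser) gid=70001 groups=70001,10(wheel),70513'

check_id_output "$SAMPLE_OK" 1002 && echo "mapping looks consistent"
check_id_output "$SAMPLE_BAD" 1002 || echo "problems found: $?"
```

On a real host the first argument would be `"$(id <user_name>)"`, with the optional second argument set to the local UID the account is expected to map to.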