Cato

Forum Replies Created

Viewing 15 posts - 91 through 105 (of 119 total)
  • in reply to: Cannot login with key using nx protocol #11965
    AvatarCato
    Contributor

    Hello stshadow,

    The problem with dynamically mounted home directories and keys authentication is that keys are placed inside home directory which is not mounted yet, so authentication can’t be completed. The workaround could be to configure automount so that home directory is mounted on first access attempt. We are also working on allowing keys path configuration to allow keys storage outside home directory: https://www.nomachine.com/FR07N03139.

    in reply to: Cannot login with key using nx protocol #11753
    AvatarCato
    Contributor

    Hello stshadow,

    I noticed that UID of your user is unusually high: 1112939. Is your system part of Kerberos, LDAP or Active Directory? Does it perhaps use dynamic mounting of user’s home directories (like AFS or NFS)?

    in reply to: Cannot login with key using nx protocol #11591
    AvatarCato
    Contributor

    Hello stshadow,

    Can you please show us the output of the following commands?

    test -f /home/username/.nx/config/authorized.crt && echo "YES" || echo "NO";

    stat /home/username/.nx/config/authorized.crt;

    in reply to: Only allow specific Windows domain users to login #11551
    AvatarCato
    Contributor

    Hello al,

    In order to limit access to given workstation open ‘Active Directory Users and Computers’ administrative tool on your Windows Server. You can operate on user groups or individual user accounts:

    Limiting access for individual account:

    Right click on user account and go to ‘Properties’. Choose ‘Account’ tab. Click on ‘Log On To’ button. Check ‘The following computers’ field and enter the list of workstations you want user to be able to log on.

    Limiting access for group of users:

    In ‘Active Directory Users and Computers’ right click on domain name, go to ‘New’ and choose ‘Group’. Provide name for new group.

    Right click on newly created group, go to ‘Properties’. Choose ‘Members’ tab, click on ‘Add’ and enter the names of accounts you want to manage.

    Now you need to go to your workstation and open ‘Local Group Policy Editor’. Click on ‘Computer Configuration’ -> ‘Windows Settings’ -> ‘Security Settings’ -> ‘Local Policies’ -> ‘User Right Assignment’. This should open list of security settings.

    If you want to prevent access to this workstation you need to add the group you just created to ‘Deny access to this computer from network’ and ‘Deny log on locally’ security settings. You can also set ‘Access this computer from network’ and ‘Allow log on locally’ to limit access to workstation only to some user accounts and groups. Remember that ‘Deny …’ settings have priority in case of contradicting rules.

    in reply to: Clean install – service doesn’t start Win 10 #10881
    AvatarCato
    Contributor

    Hello christphe,

    It seems that newly created nxserver process can’t load all necessary dependencies. This can be verified using Process Monitor.

    Follow these instructions:

    1. Download and install Process Monitor from this site:
    https://technet.microsoft.com/pl-pl/sysinternals/processmonitor

    2. Shut down or kill all NoMachine processes.

    3. Run Process Monitor as Administrator.

    4. In Process Monitor Filter window:

    – Expand ‘Column’ drop down list (default value is ‘Architecture’), change the value to ‘Command Line’.

    – Expand ‘Relation’ drop down list (default value ‘is’), change the value to ‘contains’.

    – Type ‘daemon’ in the ‘Value’ field.

    – Set ‘Action’ field to ‘Include’.
    This should create rule: ‘Command Line contains daemon then Include’.

    – Click on ‘Add’, ‘Apply’ and ‘Ok’.

    5. In top bar of Process Monitor check ‘Show Registry Activity’, ‘Show File System Activity’, ‘Show Network Activity’,
    ‘Show Process and Thread Activity’ and ‘Show Profiling Events’ icons.

    6. Run ‘nxserver --startup’ from command line.

    7. After 30 seconds click on ‘Save’ icon in Process Monitor top bar.
    Save file using ‘Native Process Monitor Format’. Send us produced event file.

    in reply to: Authentication error #10719
    AvatarCato
    Contributor

    Hello EduardoRL,

    Please answer the following questions:

    1. Is it possible to physically log on desktop using the same credentials?

    2. Can you authenticate with the same credentials using any SSH client?

    3. Is host part of AD/LDAP/Kerberos setup?

    4. Are there any authentication errors printed in system logs after failed NoMachine authentication attempt?

    If answer to 2. is yes, the problem is most likely related to PAM configuration. Create backup of ‘/etc/pam.d/nx’ and overwrite it with content of ‘/etc/pam.d/sshd’. Let us know if it helps.

    in reply to: Failed to connect after OS upgrade #10693
    AvatarCato
    Contributor

    Hello rob8861,

    We managed to reproduce the problem. It seems that some upgrade operations are performed after reboot. Post-reboot configuration is done under ‘_mbsetupuser’ account. For some reason this user is detected as desktop owner on login window and NoMachine Server waits until he accepts the incoming connection. Problem should disappear after next OS reboot. You can check this Stack Overflow thread for additional information:

    http://stackoverflow.com/questions/33391174/who-or-what-is-mbsetupuser

    in reply to: Clean install – service doesn’t start Win 10 #10560
    AvatarCato
    Contributor

    Hello christphe,

    Logs suggest that ‘nxlsa’ module wasn’t loaded by operating system. This can only be done during boot time, so please check if rebooting your Windows helps.

    If the problem still persists:

    1. Gather NoMachine logs using this guide: https://www.nomachine.com/DT07M00098.

    2. Check the value of ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa’ registry key.

    3. Check if ‘nxlsa’ module is loaded correctly using Process Explorer:

    – Download and install package from https://technet.microsoft.com/pl-pl/sysinternals/processexplorer.

    – Start Process Explorer as Administrator.

    – Click on ‘Find’ and ‘Find handle or DLL’. Type ‘nxlsa’ in search box.

    If the module is correctly loaded, search result will show that module belongs to ‘lsass.exe’ process.

    Send logs, value of registry key and result of ‘nxlsa’ query to forum[at]nomachine[dot]com.

    in reply to: Authentication failure for one user Linux #10503
    AvatarCato
    Contributor

    Hello mgda,

    Authentication failure is most likely related to PAM configuration.

    Is it possible to authenticate with NX using any other domain account? Since you are able to authenticate via SSH it is possible that SSH PAM configuration contains something that is missing in NX (pam_winbind, pam_centrify, pam_krb5…). By default NX protocol includes PAM configuration of ‘su’ command. Is it possible to successfully run ‘su mgda’ from another account? You can also try to backup current NX PAM configuration placed in ‘/etc/pam.d/nx’ and overwrite it with content of ‘/etc/pam.d/sshd’. If that doesn’t help check with UPN name format, i.e. mgda@corp.mydomain.com.

    If still no success, please send us output of ‘tail -n 50 /var/log/secure.log’ after failed authentication attempt and content of ‘/etc/pam.d’ directory.

    Please submit it to forum[at]nomachine[dot]com.

    in reply to: Windows account won’t accept my password #10016
    AvatarCato
    Contributor

    Hello dco63,

    Please answer the following questions:

    1. Is the host on which you are trying to log part of Active Directory?

    If it is, please make sure that you’re providing full name in correct format:

    ‘<user_name>@<domain_name>’  or ‘<domain_name>\<user_name>’.

    2. Did you change your account name in the past?

    If so, please check this thread for additional information: https://www.nomachine.com/forums/topic/admin-changes.

    AvatarCato
    Contributor

    Hi jonbelanger,

    The direct reason of authentication failure is crash of nxexec process. Can you send us the crash report?
    You should find it in ‘/Library/Logs/CrashReporter’.

    AvatarCato
    Contributor

    Hello jonbelanger,

    Please, answer the following questions:

    1. Could you authenticate with the same account on troublesome host using previous NoMachine versions? If so, which version worked for you?

    2. Are you using NX or SSH protocol? Does changing the protocol help?

    3. Can you authenticate on El Capitan server using other account?

    4. Can you authenticate on El Capitan host using other SSH client?

    Logs will be also helpful. Reproduce the problem and gather logs according to https://www.nomachine.com/DT07M00098. Send them to forum[at]nomachine[dot]com.

    in reply to: No available session on this server #9483
    AvatarCato
    Contributor

    Hello yakmo,

    For some reason nxnode process is unable to create ‘/usr/NX/var/run/nxdevice’ directory. I would like to see output of ‘stat /usr/NX/var/run’ command. Error during connection might be in some way related to ‘pam_mount’. Presence of such module in your PAM configuration suggests that there’re some dynamically mounted volumes in use. Can you describe your setup in more detail? Do you use anything like Kerberos, AFS, NFS, LDAP? In addition to that, send us full set of server host logs, and not just nxserver.log.

    in reply to: Server does not start properly on Jessie #9410
    AvatarCato
    Contributor

    Hi yakmo,

    Check out this article about how Pluggable Authentication Modules (PAM) work:
    http://www.tuxradar.com/content/how-pam-works.

    These are step by step instructions of how to disable pam_mount for NX protocol. Module and file names used in this instruction are just an example, and might be different in your configuration.

    Open ‘/etc/pam.d/nx’ file. Look for lines containing ‘session’ word.
    This is default content of ‘/etc/pam.d/nx’ file:

    auth       include       su
    account    include       su
    password   include       su
    session    include       su

    ‘session include su’ means that modules list for session stack resides in ‘/etc/pam.d/su’ file. So let’s check content of ‘/etc/pam.d/su’. This is the interesting part of file:

    session    optional   pam_mail.so nopen
    session    required   pam_limits.so

    @include common-auth
    @include common-account
    @include common-session

    There are two pam modules listed here, and include directives pointing at common-auth, common-account and common-session files. Syntax is different here, it means that whole files are included instead of just session stack. Putting this all together, list of modules of session stack for NX protocol consists of pam_mail, pam_limits and all modules for session stack listed in common-auth, common-account and common-session. So we can replace ‘session include su’ in ‘/etc/pam.d/nx’ file with:

    session  optional  pam_mail.so   nopen
    session  required  pam_limits.so

    This is the first part of explicit list of session modules. The rest is still in common-auth, common-account and common-session files. We need to inspect them in the same way we checked ‘su’ file and copy lines with session modules to ‘/etc/pam.d/nx’, so it can resemble this:

    auth    include       su
    account include       su
    session optional      pam_mail.so   nopen
    session required      pam_limits.so
    session [default=1]   pam_permit.so
    session required      pam_mount.so
    session requisite     pam_deny.so

    Now you can remove the ‘session required pam_mount.so’ line or, following bakhtadze’s advice, modify it to:
    ‘session optional pam_mount.so disable_interactive’.

    • This reply was modified 5 years, 2 months ago by AvatarCato.
    in reply to: Server does not start properly on Jessie #9375
    AvatarCato
    Contributor

    Hello yakmo,

    Logs suggest that failure during session opening in pam_mount occurs. We’re currently investigating this issue. To possibly allow you to use NoMachine server, you can try to disable pam_mount in your pam configuration. These are the instructions:

    Create backup of ‘/etc/pam.d/nx’ file and edit its content. Replace possible ‘include’ directive in session stack with explicit modules list. E.g. let’s assume this is content of your nx pam configuration:

    auth       include       su
    account    include       su
    password   include       su
    session    include       su

    ‘Include’ between ‘session’ and ‘su’ means that list of pam modules for session stack is imported from ‘/etc/pam.d/su’ file. It is possible that it contains ‘include’ too, in such case we need to follow them too until we find all pam modules names loaded during nx session startup. When you have such list in ‘/etc/pam.d/nx’ file, simply remove pam_mount entry.
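
    Added example (not part of Cato's posts and not NoMachine code): a Python sketch of the manual procedure described in the two pam_mount replies above, following ‘include’ and ‘@include’ lines from ‘/etc/pam.d/nx’ until every session module and the file it comes from is known. The function names and the sample file contents are constructed for illustration; ‘substack’ handling goes slightly beyond what the posts mention.

```python
import re
import tempfile
from pathlib import Path

# A rule is: type, control (one word or a bracketed list), module, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve_stack(pam_dir, service, stack="session", _chain=()):
    """List (file, control, module, args) for one stack of a PAM service,
    following 'include'/'substack' rules and Debian '@include' lines."""
    if service in _chain:                       # guard against include loops
        return []
    chain = _chain + (service,)
    rules = []
    for raw in Path(pam_dir, service).read_text().splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if line.startswith("@include"):         # whole file, filtered by type
            rules += resolve_stack(pam_dir, line.split()[1], stack, chain)
            continue
        m = RULE.match(line)
        if not m or m.group(1) != stack:
            continue
        _, control, module, args = m.groups()
        if control in ("include", "substack"):  # only this stack is imported
            rules += resolve_stack(pam_dir, module, stack, chain)
        else:
            rules.append((service, control, module, args))
    return rules

# Constructed sample files mirroring the layout discussed in the posts.
SAMPLE = {
    "nx": "auth include su\naccount include su\npassword include su\nsession include su\n",
    "su": "session optional pam_mail.so nopen\nsession required pam_limits.so\n"
          "@include common-auth\n@include common-account\n@include common-session\n",
    "common-auth": "auth required pam_unix.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session [default=1] pam_permit.so\n"
                      "session required pam_mount.so\n"
                      "session requisite pam_deny.so\n",
}

def demo():
    """Write the sample files to a temp dir and resolve nx's session stack."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        return resolve_stack(d, "nx")

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

    On a real host, calling resolve_stack("/etc/pam.d", "nx") shows which file actually contributes the pam_mount line, which is the one to edit or copy into an explicit list.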
