Comments (31)
@giox069 @fredizzimo ok, I've found a way to fix this for my case here with the following /etc/krb5.conf:
[libdefaults]
rdns = false
dns_lookup_kdc = 0
this effectively disables DNS lookup, failing kerberos immediately.
from freerdp.
Ok, I will try that out now, and come back to you with the results.
Ah, I just double checked, all of the activation of that was by myself through systemctl restart, not by the system.
- I did it before rebooting in the hope that the configuration was not reloaded.
- And then after it had failed to connect after the reboot. That restart was in the middle of the 10 minute wait according to the timestamp, so I think we can assume that it's unrelated.
No, my response was just about the krb5-kdc.service. So the original problem remains.
I understand that it's hard to know what the problem is with this little information, so I can try to debug it during the weekend, to at least provide more information.
@fredizzimo @giox069 can you add a full log of your failed connections with kerberos debugging enabled? (see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/env_variables.html for details for kerberos debugging)
[note] you can PM me in our matrix chat if you don´t want to publish the logs.
@akallabeth my /etc/krb5.conf does not exist. I will be able to produce a debug trace later this night (CET), not now. If you need, I can open a remote TCP port from a fixed IP address/subnet so you can do tests by yourself. I can set it up this night.
Remember that the error appears when:
/v: contains a numeric IP address
/d: contains an internet domain (with at least a dot). Both resolvable or not in my case.
@giox069 @fredizzimo ok, I've found a way to fix this for my case here with the following /etc/krb5.conf:
[libdefaults]
rdns = false
dns_lookup_kdc = 0
this effectively disables DNS lookup, failing kerberos immediately.
This workaround is working! 👍
what is written in your /etc/krb5.conf?
we had several reports that arch ships an example configuration as the actual thing (and that leads to an unreachable KDC which then needs to time out for each kerberos request)
Yes, it definitely looks like some example
❯ cat /etc/krb5.conf
[libdefaults]
default_realm = ATHENA.MIT.EDU
[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
ATHENA.MIT.EDU = {
admin_server = kerberos.mit.edu
}
ANDREW.CMU.EDU = {
admin_server = kdc-01.andrew.cmu.edu
}
[domain_realm]
mit.edu = ATHENA.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.ucsc.edu = CATS.UCSC.EDU
[logging]
# kdc = CONSOLE
Is it enough to comment out everything, or do I need to create a proper configuration? I don't know how to do that at the moment, but I can probably figure it out. I'm currently on freerdp 2 again, so it takes a while to switch and test, therefore I'm asking instead of testing it myself.
@fredizzimo no, an empty file (or commented) is ok.
Unfortunately, it did not help, not even after restarting the system.
But I see the following in the journal log now:
apr 24 17:15:40 fredarch krb5kdc[5592]: Configuration file does not specify default realm - while attempting to retrieve default realm
apr 24 17:15:40 fredarch krb5kdc[5592]: krb5kdc: Configuration file does not specify default realm, attempting to retrieve default realm
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Main process exited, code=exited, status=1/FAILURE
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Scheduled restart job, restart counter is at 1.
apr 24 17:15:40 fredarch systemd[1]: Started Kerberos 5 KDC.
I also tried restarting the service after I joined the VPN, but it gives the same result. So maybe I need to try to configure it?
Also while doing that I noticed that after 10 minutes, the xfreerdp printed this in the log, but was still hanging
[17:20:25:492] [3958:00000f77] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "DOMAIN.ORG" [-1765328230])
The domain name is correct, so it got that right at least. Maybe it's a misconfiguration on the workplace side? I can try to contact the IT support there.
no, that is ok (it should fail fast if you are not using kerberos to authenticate, which is the case most of the time if you are not directly in the same network)
@fredizzimo also, why is your system trying to start a KDC? are you hosting a kerberos server instance?
@fredizzimo so, does your initial use case work now or is there still something to look at?
a debug build with a running debugger to have a backtrace on where the application is hanging would be really helpful here.
I don't have the symbols for the system libraries at the moment, but this is the callstack
libc.so.6!connect (Unknown Source:0)
libc.so.6![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libc.so.6!__res_context_send (Unknown Source:0)
libc.so.6!__res_context_query (Unknown Source:0)
libc.so.6!__res_context_search (Unknown Source:0)
libc.so.6!res_nsearch (Unknown Source:0)
libkrb5.so.3![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libkrb5.so.3!krb5_sendto_kdc (Unknown Source:0)
libkrb5.so.3![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libkrb5.so.3!krb5_init_creds_get (Unknown Source:0)
libwinpr3.so.3!krb5glue_get_init_creds(krb5_context ctx, krb5_principal princ, krb5_ccache ccache, krb5_prompter_fct prompter, char * password, SEC_WINPR_KERBEROS_SETTINGS * krb_settings) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Kerberos/krb5glue_mit.c:237)
libwinpr3.so.3!kerberos_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Kerberos/kerberos.c:341)
libwinpr3.so.3!negotiate_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Negotiate/negotiate.c:1457)
libwinpr3.so.3!winpr_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/sspi_winpr.c:1299)
libfreerdp3.so.3!credssp_auth_setup_client(rdpCredsspAuth * auth, const char * target_service, const char * target_hostname, const SEC_WINNT_AUTH_IDENTITY_W * identity, const char * pkinit) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/credssp_auth.c:291)
libfreerdp3.so.3!nla_client_init(rdpNla * nla) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nla.c:451)
libfreerdp3.so.3!nla_client_begin(rdpNla * nla) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nla.c:475)
libfreerdp3.so.3!transport_connect_nla(rdpTransport * transport, BOOL earlyUserAuth) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/transport.c:381)
libfreerdp3.so.3!nego_try_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:315)
libfreerdp3.so.3!nego_security_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:347)
libfreerdp3.so.3!nego_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:282)
libfreerdp3.so.3!rdp_client_connect(rdpRdp * rdp) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/connection.c:430)
libfreerdp3.so.3!freerdp_connect_begin(freerdp * instance) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/freerdp.c:156)
libfreerdp3.so.3!freerdp_connect(freerdp * instance) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/freerdp.c:174)
xf_client_thread(LPVOID param) (/home/fredizzimo/proj/FreeRDP/client/X11/xf_client.c:1501)
libwinpr3.so.3!thread_launcher(void * arg) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/thread/thread.c:528)
libc.so.6![Unknown/Just-In-Time compiled code] (Unknown Source:0)
So it looks like it's the Kerberos connection that fails to connect. I will try to check if freerdp 2 does something different, since that works.
I bisected it down to this commit c9e61ff ([cmake] simplify krb5 detection)
NOTE: I had to do the bisecting with a clean build directory each time, if I just tried incremental builds then even the latest version would work, which also indicates that there might be something wrong with the cmake configuration.
Probably detecting the wrong type of Kerberos implementation
Ah, now I see, before that commit it defaulted to OFF, and now it defaults to ON. And indeed if I set -DWITH_KRB5=OFF it works on master.
And it also works with /auth-pkg-list:!kerberos. But I don't see how to pass that option when using remmina right now.
If it can be disabled, I guess it "fixes" my problem, not sure if it's worth trying to dig further into this and find out the cause for the hang though.
Very similar problem here. I have just switched to (K)Ubuntu 24.04 on a couple of PCs, and I can no longer connect by numeric IP address to AD domain member machines with Remmina.
xfreerdp3 /v:192.168.98.1 /d:mydom.dom /u:xxxxx
The error is:
[09:15:07:823] [1348:00000545] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Configuration file does not specify default realm [-1765328160])
The problem disappears by using a FQDN hostname instead of a numeric IP address, or by adding /auth-pkg-list:!kerberos to the xfreerdp3 command line.
Same problem when manually compiling the master branch of FreeRDP3 on Ubuntu 22.04 or Ubuntu 20.04
I opened a Remmina feature request for being able to disable Kerberos. https://gitlab.com/Remmina/Remmina/-/issues/3104
Some more information, by just looking at my callstack and the krb5 code, it's this nameserver lookup called from here that fails
https://github.com/krb5/krb5/blob/0a3acc20564e82ba33741248cf25ca4d085d777f/src/lib/krb5/os/locate_kdc.c#L823
My guess is that some parts of the company internal network are not reachable through the VPN, and therefore it fails.
@fredizzimo can you try with the short netbios domain /d:mydom (no DNS domain name, no dots)?
In my case it works as a workaround. But I still have a customer that has a NETBIOS domain identical to the DNS domain (with a dot inside). So I cannot use this workaround.
@giox069 @fredizzimo the krb5 stuff must fail in your cases, but there should be a NTLM fallback in place.
for some reason it does not trigger for you and that would be interesting why.
the issue I mentioned before (krb5.conf being some default) leads to incredibly high timeouts for the fallback to trigger, but if it does not trigger in your case then something else is off.
@giox069 you run a build with ntlm fallback enabled, right?
I'm using two xfreerdp 3: the stock version of Ubuntu 24.04, and my own compiled version from the master branch on Ubuntu 22.04. In CMakeCache.txt of the compiled version I can find WITH_KRB5_NO_NTLM_FALLBACK:BOOL=OFF
Other ways to check if ntlm fallback is enabled?
@giox069 seems active.
would be interesting where the error exit is coming from, to identify the branch that does not fall back to NTLM
I did some bisecting, the commit that introduced the problem is c9e61ff
I will try to understand where the problem is, but that commit is quite large.
... and it's the same commit bisected by @fredizzimo ;)
@giox069 and as @fredizzimo already found out, the commit that enabled krb5 support.
no surprise there, but the interesting part is why your connection attempt does not fall back to NTLM...
@giox069 also, do you have some stuff in your krb5.conf? did a test on my debian machine to a domain member and that instantly connects.
only message is [13:15:55:50] [97473:00017cc2] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST" [-1765328230])
which is expected (aka no kerberos available and fall back to NTLM) while your message suggests that this step succeeded and only later on aborts in the following calls.
@fredizzimo ok, did manage to get a slowdown (DNS lookup delay) but no hang.
what did I do:
- connect with xfreerdp /v:ip /u:user /d:domain.local
- the .local is not resolvable from the local environment
[13:29:57:889] [99619:00018525] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[13:29:57:889] [99619:00018525] [WARN][com.freerdp.crypto] - [verify_cb]: CN = RD2.rdtest.local
[99619] 1714994997.396297: Matching [email protected] in collection with result: -1765328243/Can't find client principal [email protected] in cache collection
[99619] 1714994997.396298: Resolving unique ccache of type MEMORY
[99619] 1714994997.396299: Initializing MEMORY:wLqbmfR with default princ [email protected]
[99619] 1714994997.396300: Getting initial credentials for [email protected]
[99619] 1714994997.396301: Retrieving [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:wLqbmfR with result: -1765328243/Matching credential not found
[99619] 1714994997.396303: Retrieving [email protected] -> krb5_ccache_conf_data/pa_config_data/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:wLqbmfR with result: -1765328243/Matching credential not found
[99619] 1714994997.396304: Sending unauthenticated request
[99619] 1714994997.396305: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714994997.396306: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995007.408895: No URI records found
[99619] 1714995007.408896: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995017.419469: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995027.429896: No SRV records found
[13:30:27:927] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
[99619] 1714995027.429897: Destroying ccache MEMORY:wLqbmfR
[99619] 1714995027.429898: Matching [email protected] in collection with result: -1765328243/Can't find client principal [email protected] in cache collection
[99619] 1714995027.429899: Resolving unique ccache of type MEMORY
[99619] 1714995027.429900: Initializing MEMORY:dM7nvS9 with default princ [email protected]
[99619] 1714995027.429901: Getting initial credentials for [email protected]
[99619] 1714995027.429902: Retrieving [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:dM7nvS9 with result: -1765328243/Matching credential not found
[99619] 1714995027.429904: Retrieving [email protected] -> krb5_ccache_conf_data/pa_config_data/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:dM7nvS9 with result: -1765328243/Matching credential not found
[99619] 1714995027.429905: Sending unauthenticated request
[99619] 1714995027.429906: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714995027.429907: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995037.440758: No URI records found
[99619] 1714995037.440759: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995047.449855: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995057.456781: No SRV records found
[13:30:57:954] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
[99619] 1714995057.456782: Destroying ccache MEMORY:dM7nvS9
[13:30:57:226] [99619:00018525] [WARN][com.freerdp.core.license] - [license_read_binary_blob_data]: license binary blob::type BB_ERROR_BLOB, length=0, skipping.
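The trace above shows three DNS lookups (URI, SRV over UDP, SRV over TCP) that each wait about 10 seconds before krb5 gives up on the realm, which is exactly the "incredibly high timeout" path that delays the NTLM fallback. As an added example, not code from the thread or from FreeRDP, here is a small Python script that pairs each KRB5_TRACE DNS query line with the trace line that follows it to measure how long KDC discovery spent waiting on DNS, and lists the realms that ended in "Cannot find KDC"; the sample trace is a trimmed, constructed copy of the output above and the thresholds are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the KRB5_TRACE output shown in the thread
# (one KDC lookup cycle for realm RDTEST.LOCAL, plus the FreeRDP error that follows it).
SAMPLE_TRACE = """\
[99619] 1714994997.396305: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714994997.396306: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995007.408895: No URI records found
[99619] 1714995007.408896: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995017.419469: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995027.429896: No SRV records found
[13:30:27:927] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
"""

# KRB5_TRACE lines look like "[pid] epoch.micros: message"; FreeRDP's own log lines
# start with a wall-clock timestamp and deliberately do not match this pattern.
TRACE_LINE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")
DNS_QUERY = re.compile(r"Sending DNS (URI|SRV) query for (\S+)")
NO_KDC = re.compile(r'Cannot find KDC for realm "([^"]+)"')


def dns_query_delays(trace_text):
    """Return [(record_type, queried_name, seconds)] for every DNS query in the trace.
    The delay is the gap to the next trace line, i.e. how long the resolver took to
    answer or time out for that query."""
    events = []
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2)))
    delays = []
    for i in range(len(events) - 1):
        q = DNS_QUERY.search(events[i][1])
        if q:
            delays.append((q.group(1), q.group(2), events[i + 1][0] - events[i][0]))
    return delays


def diagnose(trace_text, slow_seconds=2.0):
    """Summarise a KDC lookup: how many DNS queries were slow (threshold is an
    assumption), the total time lost to them, and the realms with no reachable KDC.
    Tens of seconds spent here before the failure is the symptom discussed in the
    thread; a reachable KDC entry or 'dns_lookup_kdc = 0' in krb5.conf removes it."""
    delays = dns_query_delays(trace_text)
    slow = [d for d in delays if d[2] >= slow_seconds]
    return {
        "queries": len(delays),
        "slow_queries": len(slow),
        "seconds_in_slow_dns": round(sum(d[2] for d in slow), 1),
        "realms_without_kdc": sorted(set(NO_KDC.findall(trace_text))),
    }


if __name__ == "__main__":
    for rtype, name, secs in dns_query_delays(SAMPLE_TRACE):
        print(f"{rtype:3} {name:40} {secs:6.1f}s")
    print(diagnose(SAMPLE_TRACE))
```

Run it on a real capture with `KRB5_TRACE=/dev/stderr xfreerdp ... 2> trace.txt` and feed the file contents to `diagnose()`; anything close to 10 s per query means the resolver is timing out rather than returning NXDOMAIN.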
@giox069 ok, I´ll wait.
the sample above was exactly such a setup, /v:192.168.xx.yy /u:user /d:domain.local