Knowledge Base
ID: AR12P01007
Applies to: NoMachine Server
Added on: 2018-12-03
Last Update: 2025-01-15

Connecting with NX protocol to a NoMachine server on Linux in an Active Directory domain

When the NoMachine Linux server host is part of an Active Directory domain and the user wishes to connect using their AD credentials, attempts to log in using the NX protocol can fail with 'access denied': authentication succeeds, but the account validation fails.

To ensure that AD users can log in successfully to their remote desktop using the NX protocol, edit the /etc/sssd/sssd.conf file on the system and add the following lines:

ad_gpo_map_network = +nx
ad_gpo_access_control = permissive

The NoMachine NX PAM service is not recognized by the Active Directory Group Policy mapping, which is why it has to be added to the sssd.conf file. Without it, the system logs will report messages such as:

auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_krb5(nx:auth): user nxtest01 authenticated as nxtest01@nomachine.com
auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_sss(nx:account): Access denied for user nxtest01: 6 (Permission denied)
auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_unix(nx:session): session opened for user nxtest01 by (uid=117)
auth.log:Nov 27 11:06:38 lt01-lab nxexec: pam_unix(nx:session): session closed for user nxtest01

Below is a complete example of how to join a Linux host running NoMachine to an Active Directory domain and configure it. The instructions were tested on Fedora 36.

Let's say the Active Directory Domain Controller hostname is "addc", its IP is 10.0.0.10 and the domain name is "NXDOMAIN.LOCAL".

On the Linux host that is to be joined to AD, install the necessary packages:

sudo dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools

Set DNS to point to the AD domain controller:

sudo nmcli connection modify "Wired connection 1" ipv4.dns 10.0.0.10

sudo nmcli connection down "Wired connection 1"; sudo nmcli connection up "Wired connection 1"


Add the domain controller to /etc/hosts:

sudo su -c 'echo "10.0.0.10      addc nxdomain nxdomain.local" >> /etc/hosts'

Check that the domain can be reached from Linux:

realm discover NXDOMAIN

It should show something like this:

nxdomain.local
  type: kerberos
  realm-name: NXDOMAIN.LOCAL
  domain-name: nxdomain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@nxdomain.local
  login-policy: allow-realm-logins

Join the Linux host to the NXDOMAIN.LOCAL domain:

sudo realm join NXDOMAIN.LOCAL -v

A message will be printed:

 * Successfully enrolled machine in realm

Verify that domain users are visible on the system:

id nxtest@nxdomain.local

It will show something similar to:

uid=741601111(nxtest@nxdomain.local) gid=741600513(domain users@nxdomain.local) groups=741600513(domain users@nxdomain.local)

To connect with the NX protocol, the nx PAM service needs to be recognized by the Active Directory Group Policy mapping, so add the line "ad_gpo_map_network = +nx" to /etc/sssd/sssd.conf:

sudo su -c 'echo "ad_gpo_map_network = +nx" >> /etc/sssd/sssd.conf'

If the domain name should be omitted from AD user names, set:

use_fully_qualified_names = False

in /etc/sssd/sssd.conf

Restart the sssd service to apply the changes:

sudo systemctl restart sssd

To verify changes:

id nxtest

It will show:

uid=741601111(nxtest) gid=741600513(domain users) groups=741600513(domain users)
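The two sssd.conf edits above are appended blindly, which works right after "realm join" because the [domain/...] section is the last one in the file, but re-running the steps duplicates lines, and an existing "use_fully_qualified_names = True" would then conflict with the appended "False". The script below is an added example, not NoMachine's or SSSD's own code: it sets a key inside the [domain/...] section idempotently, reads it back, and counts the "pam_sss(nx:account): Access denied" lines that are the signature of this problem in auth.log. The function names are mine, and both the sssd.conf and the log excerpt it operates on are constructed copies written to a scratch directory, so nothing here touches the live system unless you pass it the real paths. Note that of the two lines given at the top of the article, "ad_gpo_map_network = +nx" is the targeted fix; "ad_gpo_access_control = permissive" makes sssd log GPO denials for every service but allow the login anyway, so it is a broader relaxation than mapping the nx service alone.

```shell
#!/bin/sh
# Added example (not NoMachine's own code): apply the sssd.conf settings from
# this article idempotently and check auth.log for the GPO denial signature.
# All inputs below are constructed; point the functions at the real files only
# when you mean it.

# set_sssd_domain_option FILE KEY VALUE
# Sets "KEY = VALUE" inside the [domain/...] section of an sssd.conf, replacing
# an existing assignment or appending one to that section if it is missing.
set_sssd_domain_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    /^\[/ {
      # leaving the domain section without having written the key: add it now
      if (in_domain && !done) { print key " = " value; done = 1 }
      in_domain = ($0 ~ /^\[domain\//)
    }
    in_domain && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
      # replace the first existing assignment, drop any duplicates
      if (!done) { print key " = " value; done = 1 }
      next
    }
    { print }
    END { if (in_domain && !done) print key " = " value }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite in place rather than mv from /tmp: sssd validates the ownership
  # and 0600 mode of sssd.conf and refuses to start if they are wrong.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_sssd_domain_option FILE KEY
# Prints the value assigned to KEY in the [domain/...] section (empty if unset).
get_sssd_domain_option() {
  awk -v key="$2" '
    /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
    in_domain && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
      sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
    }
  ' "$1"
}

# count_nx_gpo_denials LOGFILE
# Counts pam_sss(nx:account) "Access denied" lines: NX logins where Kerberos
# authentication succeeded but the AD GPO account check rejected the session.
count_nx_gpo_denials() {
  grep -c 'pam_sss(nx:account): Access denied' "$1" || true
}

# make_sample_conf FILE: writes a constructed sssd.conf resembling what
# "realm join" generates, without the NX mapping.
make_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = nxdomain.local
config_file_version = 2
services = nss, pam

[domain/nxdomain.local]
default_shell = /bin/bash
krb5_realm = NXDOMAIN.LOCAL
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = nxdomain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
}

# make_sample_log FILE: writes a constructed copy of the auth.log excerpt above.
make_sample_log() {
  cat > "$1" <<'EOF'
Nov 27 11:06:37 lt01-lab nxexec: pam_krb5(nx:auth): user nxtest01 authenticated as nxtest01@nomachine.com
Nov 27 11:06:37 lt01-lab nxexec: pam_sss(nx:account): Access denied for user nxtest01: 6 (Permission denied)
Nov 27 11:06:37 lt01-lab nxexec: pam_unix(nx:session): session opened for user nxtest01 by (uid=117)
Nov 27 11:06:38 lt01-lab nxexec: pam_unix(nx:session): session closed for user nxtest01
EOF
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/sssd.conf"
make_sample_log "$demo_dir/auth.log"
echo "NX GPO denials in sample log: $(count_nx_gpo_denials "$demo_dir/auth.log")"
set_sssd_domain_option "$demo_dir/sssd.conf" ad_gpo_map_network +nx
set_sssd_domain_option "$demo_dir/sssd.conf" use_fully_qualified_names False
echo "ad_gpo_map_network is now: $(get_sssd_domain_option "$demo_dir/sssd.conf" ad_gpo_map_network)"
```

Running the script twice leaves exactly one "ad_gpo_map_network = +nx" line in the domain section, and the existing "use_fully_qualified_names = True" is replaced instead of being shadowed by a second assignment. After applying it to the real /etc/sssd/sssd.conf, restart sssd and confirm with the "id" check above; the denial count over the live auth.log should stop growing for new NX logins.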


Now it's possible to connect with NoMachine as domain users to the Linux server.

In case NoMachine is installed on the Active Directory Domain Controller, check the troubleshooting article:
https://kb.nomachine.com/AR04O00925.