Can no longer login to gnome-remote-desktop - kerberos error

Desktop
,
1

My gnome-remote-desktop server is also a Samba AD member server (using winbind not sssd, kinit works). This should not matter but regarding the error I get from gnome-remote-desktop it might.

But logging in to gnome-remote-desktop and sharing the desktop via Remmina on the client was working before (I believe with gnome-remote-desktop 48, but I switched from Debian Trixie to Debian Forky, so many things changed).

grdctl shows proper credentials and server enabled.

That is, since I switched, when I attempt to log in, I have this error on the server, and remmina fails to log in:

nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:047] [4833:000abdb5] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:047] [4833:000abdb5] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:048] [4833:000abdb5] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:048] [4833:000abdb5] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:048] [4833:000abdb5] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:048] [4833:000abdb5] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:048] [4833:000abdb5] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:049] [4833:000012e1] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x564b22d2fbd0]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [RDP] Network or intentional disconnect, stopping session
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:076] [4833:000abdbf] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:076] [4833:000abdbf] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000abdbf] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000abdbf] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000abdbf] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000abdbf] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000abdbf] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [04:03:23:078] [4833:000012e1] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x564b22d2fbd0]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
nov. 29 04:03:23 hermes gnome-remote-desktop-daemon[4833]: [RDP] Network or intentional disconnect, stopping session
2

Note that samab AD should not matter as its setup has not changed for years on these boxes and gnome-remote-desktop only started to fail a few weeks ago when I switched for Debian forky.

on gnome-remote-desktop server (I have the exact same Debian release and setup on the client):

libfreerdp and libwinpr were 3.18.0+dfsg-1 in my previous report, and I upgraded it to 3.19.0+dfsg-1 with same failure and errors from gnome-remote-deskop 49.1-2.

libei is 1.5.0-2

systems is 259~rc2-1

libmutter-17-0 and gnome-shell 49.2-1

I tried remmina 1.4.40+dfsg-2 and gnome-connections 49.0-1 on the client, same error on the gnome-remote-desktop server in sharing user session mode (and also same error for the login mode running as gnome-remote-desktop system user).

déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:513] [1470515:0016848a] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:513] [1470515:0016848a] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:0016848a] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:0016848a] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:0016848a] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:0016848a] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:0016848a] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [RDP] Network or intentional disconnect, stopping session
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:514] [1470515:00167033] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x55b7dff21820]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:562] [1470515:0016848d] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:562] [1470515:0016848d] [ERROR][com.winpr.sspi.Kerberos] - [retrieveTgtForPrincipal]: krb5_kt_start_seq_get (Permission denied [13])
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:0016848d] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:0016848d] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:0016848d] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:0016848d] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:0016848d] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [RDP] Network or intentional disconnect, stopping session
déc. 07 05:42:46 hermes gnome-remote-desktop-daemon[1470515]: [05:42:46:563] [1470515:00167033] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x55b7dff21820]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL

if I change /etc/Krb5.Keytab permissions from 600 to 644 I get the same failure’ without the kerberos permission error:

déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00169073] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00169073] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00169073] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00169073] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00169073] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:395] [1470515:00167033] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x55b7dff21820]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [RDP] Network or intentional disconnect, stopping session
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00169075] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00169075] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00169075] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00169075] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00169075] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [05:51:21:430] [1470515:00167033] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x55b7dff21820]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
déc. 07 05:51:21 hermes gnome-remote-desktop-daemon[1470515]: [RDP] Network or intentional disconnect, stopping session

Edit: I might have a clue: the client logs shows:

  • for remmina
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:980] [49584:0000c5d0] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:980] [49584:0000c5d0] [WARN][com.freerdp.crypto] - [verify_cb]: CN = GNOME, C = US
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:988] [49584:0000c5d0] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:988] [49584:0000c5d0] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_INVALID_TOKEN [0x80090308]
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:991] [49584:0000c5d0] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55f9c77b2130]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:991] [49584:0000c5d0] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55f9c77b2130]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:991] [49584:0000c5d0] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:58:08 cyclope org.remmina.Remmina.desktop[49584]: [05:58:08:991] [49584:0000c5d0] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_INVALID_TOKEN [0x80090308]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55f9c77b2130]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55f9c77b2130]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
déc. 07 05:58:09 cyclope org.remmina.Remmina.desktop[49584]: [05:58:09:018] [49584:0000c5d0] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed

  • for gnome-connections:

    déc. 07 06:00:41 cyclope org.gnome.Connections[50941]: [06:00:41:787] [50941:0000c6fd] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
déc. 07 06:00:41 cyclope org.gnome.Connections[50941]: [06:00:41:787] [50941:0000c6fd] [WARN][com.freerdp.crypto] - [verify_cb]: CN = GNOME, C = US

and I read on https://askubuntu.com/questions/1419705/gnome-remote-desktop-couldnt-retrieve-rdp-username-credentials-not-set-and|gnome-remote-desktop- Couldn’t retrieve RDP username- Credentials not set - AND MORE that

NLA has two possible providers NTLM and Kerberos. Only the former one is implemented in FreeRDP 2.x.

I conclude that maybe freerdp 3 introduced Kerberos support but might fallback to NTLM. So the kerberos errors are harmless but the self signed GNOEM certificate for gnome-remote-desktop is not.

I am the first user to use gnome-remote-desktop with freerdp 3 and it cannot work? Or is there another issue?

Edit2: Or is this GNOME certificate missing from Debian certificate chain?

Edit3: maybe the certificate is a red erring as it is only a warning and I found that gnome-connections errors is in its entirety:

déc. 07 06:22:36 cyclope org.gnome.Connections[60899]: [06:22:36:888] [60899:0000ede3] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
déc. 07 06:22:36 cyclope org.gnome.Connections[60899]: [06:22:36:888] [60899:0000ede3] [WARN][com.freerdp.crypto] - [verify_cb]: CN = GNOME, C = US
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Server not found in Kerberos database [-1765328377])
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_NO_CREDENTIALS [0x8009030E]
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_NO_CREDENTIALS [0x8009030E]
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x560adfe8f510]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x560adfe8f510]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 06:22:41 cyclope org.gnome.Connections[60899]: [06:22:41:663] [60899:0000ede3] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]

with /etc/krb5.keytab I get from gnome-connections:

déc. 07 06:26:30 cyclope org.gnome.Connections[61524]: GtkFlowBox with a model will ignore sort and filter functions
déc. 07 06:26:37 cyclope org.gnome.Connections[61524]: [06:26:37:668] [61524:0000f054] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
déc. 07 06:26:37 cyclope org.gnome.Connections[61524]: [06:26:37:668] [61524:0000f054] [WARN][com.freerdp.crypto] - [verify_cb]: CN = GNOME, C = US
déc. 07 06:26:38 cyclope org.gnome.Characters[61284]: JS LOG: Characters Application exiting
déc. 07 06:26:40 cyclope org.gnome.Nautilus[61283]: Shutting down dropbox extension
déc. 07 06:26:40 cyclope org.gnome.Nautilus[61283]: Initializing Nextcloud-client-nautilus extension
déc. 07 06:26:40 cyclope org.gnome.Nautilus[61283]: Using python version sys.version_info(major=3, minor=13, micro=9, releaselevel='final', serial=0)
déc. 07 06:27:08 cyclope rtkit-daemon[1566]: Supervising 12 threads of 9 processes of 1 users.
déc. 07 06:27:08 cyclope rtkit-daemon[1566]: Supervising 12 threads of 9 processes of 1 users.
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Server not found in Kerberos database [-1765328377])
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_NO_CREDENTIALS [0x8009030E]
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_NO_CREDENTIALS [0x8009030E]
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55c4d41103e0]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55c4d41103e0]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 07 06:27:11 cyclope org.gnome.Connections[61524]: [06:27:11:950] [61524:0000f054] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]

Note that when the connection fails, gnome-connections always segfaults.

3

Is this headless or screen sharing, or remote login? Does grdctl status –show-credentials show what you expect?

4

Both login and shared desktop fail with the same error and the same error on both sides (that is, if I use the first box as gnome-remote-desktop server or client, and the same for the second box).
Overall:
Unit status: active
RDP:
Status: enabled
Port: 3389
TLS certificate: /home/prahal/.local/share/gnome-remote-desktop/rdp-tls.crt
TLS fingerprint:
TLS key: /home/prahal/.local/share/gnome-remote-desktop/rdp-tls.key
View-only: no
Negotiate port: yes
and username and password have not changed and are the one I used to connect.

To me, this has to do with the freerdp 3 support for kerberos, but I have the same error with remmina RDP auth setting set to “!kerberos" (the default). So likely, kerberos is enforced by the server side, that is gnome-remote-desktop, even if the client disables it.

Note I have kerberos login setup in gnome-online-accounts, but I do not login with kerberos, kerberos is only used for NFSv4 and Samba AD (in fact the kerberos server is the Samba Active Directory server).

5

If remove the kerberos support disabler from remmina (remove !kerberos from its settings > RDP), remmina gives another error (the same than gnome-connections) and segfault while connecting (same as gnome-connections).
I also upgraded to gnome-remote-desktop 49.2 and restart this daemon, same issue.

gnome-remote-desktop side

déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read retries exceeded
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.core.peer] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.core.nla] - [nla_server_recv_stream]: nla_recv() error: -1
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [WARN][com.winpr.sspi] - [winpr_DeleteSecurityContext]: DeleteSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001c049a] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:395] [1798163:001b7013] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x560e4eea6960]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [RDP] Network or intentional disconnect, stopping session
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read retries exceeded
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.core.peer] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.core.nla] - [nla_server_recv_stream]: nla_recv() error: -1
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [WARN][com.winpr.sspi] - [winpr_DeleteSecurityContext]: DeleteSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001c049c] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [22:22:00:458] [1798163:001b7013] [WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all][0x560e4eea6960]: rdpMcs::userId == 0, skip sending PDU_TYPE_DEACTIVATE_ALL
déc. 14 22:22:00 hermes gnome-remote-desktop-daemon[1798163]: [RDP] Network or intentional disconnect, stopping session

remmina side:

remmina
remmina-Message: 22:21:54.805: Remmina does not log all output statements. Turn on more verbose output by using "G_MESSAGES_DEBUG=remmina" as an environment variable.
More info available on the Remmina wiki at:
https://gitlab.com/Remmina/Remmina/-/wikis/Usage/Remmina-debugging

(org.remmina.Remmina:855436): libayatana-appindicator-WARNING **: 22:21:57.409: libayatana-appindicator is deprecated. Please use libayatana-appindicator-glib in newly written code.

(org.remmina.Remmina:855436): Gtk-WARNING **: 22:21:57.687: gtk_menu_attach_to_widget(): menu already attached to GtkMenuItem
[22:22:00:370] [855436:000d0dd6] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[22:22:00:370] [855436:000d0dd6] [WARN][com.freerdp.crypto] - [verify_cb]: CN = GNOME, C = US
[22:22:00:390] [855436:000d0dd6] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Server not found in Kerberos database [-1765328377])
[22:22:00:390] [855436:000d0dd6] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_NO_CREDENTIALS [0x8009030E]
[22:22:00:390] [855436:000d0dd6] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_NO_CREDENTIALS [0x8009030E]
[22:22:00:390] [855436:000d0dd6] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x557aabdfe9d0]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[22:22:00:390] [855436:000d0dd6] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x557aabdfe9d0]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
[22:22:00:390] [855436:000d0dd6] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
[22:22:00:390] [855436:000d0dd6] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Server not found in Kerberos database [-1765328377])
[22:22:00:453] [855436:000d0dd6] [WARN][com.winpr.sspi] - [winpr_InitializeSecurityContextA]: InitializeSecurityContextA status SEC_E_NO_CREDENTIALS [0x8009030E]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: InitializeSecurityContext failed with SEC_E_NO_CREDENTIALS [0x8009030E]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x557aabdfe9d0]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x557aabdfe9d0]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core] - [rdp_client_wait_for_activation]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[22:22:00:453] [855436:000d0dd6] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed
Erreur de segmentation     (core dumped)remmina

so it really seems like gnome-remote-desktop attemps kerberos auth with freerdp 3

6

Think I’m hitting the same issue. I have Kerberos set up for NFS, and that’s all I use it for. The logs show Kerberos each time, but from my perspective it should have nothing to do with Kerberos. Then Gnome Connections or Remmina closes on the client side (unsure if that’s how those normally work or if they are crashing, not sure I’ve ever managed to get it to work in the first place).

7

With this I’m finally able to connect: sdl-freerdp /v:nas /u:austin /d: '/auth-pkg-list:!kerberos,!u2u'. Note the auth-pkg-list switch. Without both kerberos and u2u excluded it won’t connect. Somewhat related FreeRDP issue: FreeRDP version 3.17.0 seems to ignore the /auth-pkg-list command line switch · Issue #11818 · FreeRDP/FreeRDP · GitHub.

Also works if you add the same !kerberos,!u2u to Remmina. Go to global preferences, “RDP,” then next to “FreeRDP auth-pkg-list” input !kerberos,!u2u. Found via Make it posssible to disable Kerberos authentication (#3104) · Issues · Remmina / Remmina · GitLab.

8

@austin thanks a lot. I confirm that disabling u2u in Remmina Settings > RDP “FreeRDP auth-pkg-list !u2u” fixed the issue. It works even without disabling kerberos via !kerberos (are you confident you have to disable both kerberos and u2u ?).
But there is no way to disable u2u, as far as I know, for Gnome Connections. Only remmina or cli client.

Edit: I can connect to gnome-remote-desktop from Android aRDP without any tweaks.
Without !u2u, if I do not blacklist kerberos with “!kerberos” remmina segfauits connecting to gnome-remote-desktop.

As Android aRDP works, I guess the issue is with the RDP clients : remmina and GNOME Connections which are both broken.

9

Previous clients issue was with libfreerdp-server3-3 and libfreerdp-client3-3 3.21.0+dfsg-1. The issue is the same with new libfreerdp-server3-3 and libfreerdp-client3-3 3.22.0+dfsg-1 on both gnome-remote-client server (restarted before connection) and client (remmina and gnome-connections). aRDP Pro on Android still connects fine.

Edit: Maybe one could confirms if Windows RDP clients connects fine too?