Hi Andrey,

Kerberos authentication is not really working properly with FreeRDP 2.

There have been huge advancements on master regarding that though.


regards

Armin

On 01.02.23 09:44, Andrey Af via FreeRDP-devel wrote:
Hi All!

I built freerdp 2.8.1 with the flag WITH_GSSAPI=ON. For the
freerdp-shadow, I made a keytab with the TERMSRV/hostname@REALM
principal. I use the environment variable KRB5_KTNAME. I run
freerdp-shadow-cli and I don't see gss_xxx in the logs. Can I conclude
that the use of Kerberos is not implemented for freerdp-shadow?

freerdp-shadow 2.8.1 log:
[16:40:17:140] [18512:18512] [INFO][com.freerdp.server.shadow.x11] - X11 Extensions: XFixes: 1 Xinerama: 1 XDamage: 0 XShm: 0
[16:40:17:147] [18512:18512] [INFO][com.freerdp.core.listener] - Listening on [0.0.0.0]:3389
[16:40:31:786] [18512:18513] [DEBUG][com.winpr.thread] - Thread running, setting to detached state!
[16:40:31:794] [18512:18515] [DEBUG][com.freerdp.core.nego] - received cookie [Cookie: mstshash=demo1]
[16:40:31:794] [18512:18515] [DEBUG][com.freerdp.core.nego] - RDP_NEG_REQ: RequestedProtocol: 0x00000003
[16:40:31:794] [18512:18515] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[16:40:31:794] [18512:18515] [INFO][com.freerdp.core.connection] - Server Security: NLA:1 TLS:1 RDP:1
[16:40:31:794] [18512:18515] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:1 TLS:0 RDP:0
[16:40:31:862] [18512:18515] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[16:40:34:242] [18512:18515] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[16:40:34:242] [18512:18515] [DEBUG][com.freerdp.core.nla] - [nla_recv] Receiving Authentication Token
[16:40:34:242] [18512:18515] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 1314):
[16:40:34:242] [18512:18515] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_INITIAL
[16:40:34:243] [18512:18515] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_NEGOTIATE
[16:40:34:243] [18512:18515] [ERROR][com.winpr.sspi.NTLM] - NTLM_MESSAGE_HEADER Invalid signature, got `�       *�H��, expected NTLMSSP
[16:40:34:243] [18512:18515] [WARN][com.winpr.negotiate] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:40:34:243] [18512:18515] [WARN][com.winpr.sspi] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:40:34:243] [18512:18515] [ERROR][com.freerdp.core.nla] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:40:34:243] [18512:18515] [DEBUG][com.freerdp.core.nla] - Server: Sending AcceptSecurityContext error status
[16:40:34:243] [18512:18515] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 12256):
[16:40:34:244] [18512:18515] [ERROR][com.freerdp.core.transport] - client authentication failure
[16:40:34:244] [18512:18515] [ERROR][com.freerdp.core.peer] - peer_recv_callback: CONNECTION_STATE_INITIAL - rdp_server_accept_nego() fail
[16:40:34:244] [18512:18515] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[16:40:34:244] [18512:18515] [DEBUG][com.freerdp.core.rdp] - transport_check_fds() - -1
[16:40:34:244] [18512:18515] [ERROR][com.freerdp.client.shadow] - Failed to check FreeRDP file descriptor


At the same time, GSSAPI support is implemented in the client.
xfreerdp 2.6.1 log:
[16:40:31:357] [23782:23783] [DEBUG][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[16:40:31:357] [23782:23783] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[16:40:31:357] [23782:23783] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[16:40:31:357] [23782:23783] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[16:40:31:357] [23782:23783] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[16:40:31:391] [23782:23783] [DEBUG][com.freerdp.primitives] - primitives benchmark result:
[16:40:31:545] [23782:23783] [DEBUG][com.freerdp.primitives] -  * generic= 60
[16:40:31:697] [23782:23783] [DEBUG][com.freerdp.primitives] -  * optimized= 111
[16:40:31:697] [23782:23783] [DEBUG][com.freerdp.primitives] - primitives autodetect, using optimized
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[16:40:31:698] [23782:23783] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[16:40:31:699] [23782:23783] [DEBUG][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[16:40:31:699] [23782:23783] [DEBUG][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[16:40:31:699] [23782:23783] [DEBUG][com.freerdp.core] - connecting to peer 192.168.1.1
[16:40:31:699] [23782:23783] [DEBUG][com.freerdp.core.nego] - RequestedProtocols: 3
[16:40:31:715] [23782:23783] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP
[16:40:31:715] [23782:23783] [DEBUG][com.freerdp.core.nego] - selected_protocol: 2
[16:40:31:715] [23782:23783] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_FINAL
[16:40:31:715] [23782:23783] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[16:40:31:715] [23782:23783] [DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_HYBRID
[16:40:31:790] [23782:23783] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[16:40:31:805] [23782:23783] [DEBUG][com.winpr.utils] - Could not open SAM file!
Password:
[16:40:34:146] [23782:23783] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[16:40:34:146] [23782:23783] [DEBUG][com.freerdp.core.nla] - nla_client_init 411 : packageName=Kerberos ; cbMaxToken=48000
[16:40:34:146] [23782:23783] [DEBUG][com.winpr.sspi.gss] - gss_import_name: SEC_E_OK (0x00000000)
[16:40:34:160] [23782:23783] [DEBUG][com.winpr.sspi.gss] - gss_init_sec_context: STATUS_WAIT_1 (0x00000001)
[16:40:34:160] [23782:23783] [DEBUG][com.winpr.sspi.gss] - gss_release_buffer: SEC_E_OK (0x00000000)
[16:40:34:160] [23782:23783] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[16:40:34:160] [23782:23783] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 1314):
[16:40:34:260] [23782:23783] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[16:40:34:260] [23782:23783] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: (nil) [0xC00700EA] from server
[16:40:34:260] [23782:23783] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: (nil) [0xC00700EA]
[16:40:34:260] [23782:23783] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[16:40:34:260] [23782:23783] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[16:40:34:260] [23782:23783] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[16:40:34:260] [23782:23783] [DEBUG][com.freerdp.core.rdp] - transport_check_fds() - -1
[16:40:34:264] [23782:23782] [DEBUG][com.winpr.sspi.gss] - gss_release_name: SEC_E_OK (0x00000000)
[16:40:34:265] [23782:23782] [DEBUG][com.winpr.sspi.gss] - gss_delete_sec_context: SEC_E_OK (0x00000000)


_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel

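The two logs in the thread show the same 1314-byte negoToken from both sides: the client built it with the Kerberos package, and the shadow server handed it straight to its NTLM acceptor, which checked for the 8-byte "NTLMSSP\0" signature, did not find it, and returned SEC_E_INVALID_TOKEN. The printable `*` and `H` inside the logged "Invalid signature" bytes are consistent with 2a 86 48 86 f7, the start of the DER-encoded Kerberos mechanism OID 1.2.840.113554.1.2.2, which is what the first bytes of a GSS-API initial-context token contain after the 0x60 tag and length. The script below is an added illustration of that diagnosis, not FreeRDP or WinPR code: it applies the same signature check an NTLM-only acceptor applies, and otherwise parses the RFC 2743 InitialContextToken framing to name the mechanism. The sample tokens are constructed by hand (an NTLM NEGOTIATE header with made-up flags, and a Kerberos token whose AP-REQ body is a zero-filled placeholder padded so the whole token is 1314 bytes); the OID table and framing follow the RFCs, nothing else is taken from the logs.

```python
"""Tell an NTLMSSP CredSSP negoToken from a GSS-API (Kerberos/SPNEGO) one.

Added example, not FreeRDP/WinPR code. Sample tokens are constructed by hand;
the Kerberos AP-REQ body is a zero-filled placeholder.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# GSS mechanism OIDs a CredSSP acceptor may find at the start of a token.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (as GSS mechanism)",
}


def der_len_bytes(n):
    """Encode a DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def gss_initial_context_token(mech_oid_der, inner):
    """RFC 2743 3.1 framing: 0x60 <len> <mech OID> <inner token>."""
    body = mech_oid_der + inner
    return b"\x60" + der_len_bytes(len(body)) + body


def ntlm_header_accepts(token):
    """The first check an NTLM-only acceptor applies: the 8-byte signature."""
    return token[:8] == NTLMSSP_SIGNATURE


def classify_nego_token(token):
    """Return (kind, detail) for the first CredSSP negoToken a server receives."""
    if ntlm_header_accepts(token):
        msg_type = struct.unpack_from("<I", token, 8)[0]   # 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE
        return "NTLMSSP", "MessageType=%d" % msg_type
    if token[:1] == b"\x60":                                # [APPLICATION 0] InitialContextToken
        _, pos = der_length(token, 1)
        if token[pos] != 0x06:
            raise ValueError("expected OID after GSS header")
        oid_len, pos = der_length(token, pos + 1)
        oid = decode_oid(token[pos:pos + oid_len])
        return "GSS-API", MECH_OIDS.get(oid, oid)
    return "unknown", token[:8].hex()


# Constructed sample 1: NTLM NEGOTIATE_MESSAGE header (flags are made up).
NTLM_NEGOTIATE = (NTLMSSP_SIGNATURE + struct.pack("<I", 1)
                  + struct.pack("<I", 0xE2088297) + bytes(16))

# Constructed sample 2: Kerberos initial-context token, TOK_ID 01 00 (AP-REQ),
# with a zero-filled [APPLICATION 14] placeholder sized so the whole token is
# 1314 bytes, the negoToken length both logs in the thread report.
KRB_OID_DER = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
KRB_TOKEN = gss_initial_context_token(
    KRB_OID_DER, b"\x01\x00" + b"\x6e" + der_len_bytes(1293) + bytes(1293))

if __name__ == "__main__":
    for name, tok in (("NTLM NEGOTIATE", NTLM_NEGOTIATE), ("Kerberos", KRB_TOKEN)):
        verdict = "ok" if ntlm_header_accepts(tok) else "SEC_E_INVALID_TOKEN"
        print(name, len(tok), classify_nego_token(tok), "NTLM acceptor:", verdict)
```

Run it as a script to see both verdicts; feed it the raw negoToken bytes from a capture (the octet string inside the CredSSP TSRequest) to check which mechanism a client actually sent before blaming the keytab.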