Bug#1130917: freerdp3: version 3.24.0+dfsg-1 causes gnome-remote-desktop to be unable to authenticate remote RDP client

Sun, 15 Mar 2026 15:29:16 -0700 

Package: freerdp3
Version: 3.24.0+dfsg-1
Severity: important
Affects: gnome-remote-desktop

Dear Maintainer,

After a recent upgrade on sid I noticed that I could no longer connect to
the gnome remote desktop (g-r-d) from a Windows client.

The Windows RDP client reports that an authentication error occurred and
refuses to connect to the Gnome remote desktop.

Searching online, I found out that g-r-d might not be able to access the
keyring to find the authentication credentials, but the keyring was unlocked
and the credentials for g-r-d were in the keyring and correct.

I discovered that with this latest version of freerdp3, g-r-d cannot
find the user in the SAM database, as shown in the journal below.

In the journal, I see these error messages with version 3.24.0+dfsg-1 when
trying to connect from a Windows RDP client:

Mar 15 14:02:02 kolbe gnome-remote-desktop-daemon[17223]: RDP server started
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: 
Error: Could not find user in SAM database
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: 
AcceptSecurityContext status SEC_E_NO_CREDENTIALS [0x8009030e]
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: 
AcceptSecurityContext status SEC_E_NO_CREDENTIALS [0x8009030e]
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: 
client authentication failure
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [ERROR][com.freerdp.core.peer] - 
[peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() 
fail
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004373] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: 
transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:696] 
[17223:00004347] [WARN][com.freerdp.core.rdp] - 
[rdp_send_deactivate_all][0x563f8e464e80]: rdpMcs::userId == 0, skip sending 
PDU_TYPE_DEACTIVATE_ALL
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [RDP] Network or 
intentional disconnect, stopping session
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:732] 
[17223:00004378] [WARN][com.freerdp.core.connection] - 
[rdp_server_accept_nego]: server supports only NLA Security
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:732] 
[17223:00004378] [ERROR][com.freerdp.core.connection] - 
[rdp_server_accept_nego]: Protocol security negotiation failure
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:742] 
[17223:00004378] [ERROR][com.freerdp.crypto] - [freerdp_tls_handshake]: 
BIO_do_handshake failed
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:742] 
[17223:00004378] [ERROR][com.freerdp.core.peer] - 
[peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() 
fail
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [14:02:39:743] 
[17223:00004378] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: 
transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Mar 15 14:02:39 kolbe gnome-remote-desktop-daemon[17223]: [RDP] Network or 
intentional disconnect, stopping session

Then I removed version 3.24.0+dfsg-1 of all the packages on my system that
were built from the freerdp3 source package, which also removed
gnome-remote-desktop. That removed four packages on my system:
libfreerdp-server3-3, libfreerdp3-3, libwinpr3-3, and gnome-remote-desktop.

Then I added forky to my sources (temporarily) and installed the forky version
of those three freerdp3 packages, which is 3.23.0+dfsg-1, and then I installed
gnome-remote-desktop which is now depending on the downgraded freerdp3 packages,
version 3.23.0+dfsg-1 from forky instead of version 3.24.0+dfsg-1 from sid.

After doing this the bug was fixed and g-r-d was able to authenticate the
Windows RDP client again.

So the the workaround for this bug:

Downgrade freerdp3 from version 3.24.0+dfsg-1 to version 3.23.0+dfsg-1.

The expectation is that the latest sid version of freerdp3 should also
allow g-r-d to authenticate the Windows RDP client.

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.6+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Reply via email to