NoMachine Support

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR09N00902
Applies to: NoMachine Software
Added on: 2016-09-23
Last update: 2019-02-01
How to solve hanging problems when creating a NoMachine session (pam_mount module is in use)

This article applies to all connection types, regardless if users connect by NX or SSH protocol and independently from which authentication method is used. It provides hints for verifying if the pam_module is present and modify its configuration when it's used.

NoMachine relies on its own PAM configuration to load and initialize PAM during the creation of the NoMachine user's session, which happens just after the authentication has been completed. 

The NoMachine configuration for PAM resides in the /etc/pam.d/nx file, which provides the following directive:

session    include       su

This implies that the stack of modules configured on the system for the 'su' command, including the pam_mount  module, is loaded. 

If the pam_mount module is configured to ask for interactive password, which is the default, the initialization of the user's session cannot be completed.

A possible solution is to configure the pam_mount  module to not ask for interactive password. There are two ways for doing that. The following examples, made on Linux, illustrate how to proceed for applying the necessary changes. Settings for PAM may be placed in different files or the configuration key may be named differently on other platforms or PAM versions. A pre-requisite is that the pam_mount module accepts the 'disable_interactive' option.


First method

Disable the interactive mode for the pam_mount module in the proper configuration file on the system.

Drawback of this solution is that these changes will apply to all services including the configuration file in which pam_mount is explicitly listed. This may be not desired.


First of all we need to find the system PAM configuration file which includes the pam_mount module. We are interested at the 'session' stack of PAM modules.

1. The /etc/pam.d/nx has set:

      session include su

2.  Look for lines containing 'session' in  the /etc/pam.d/su file, they may be similar to:

      session required pam_loginuid.so
      session optional pam_env.so

      session include common-session

      However, none of these lines explicitly mentions pam_mount, so we need to look further in the /etc/pam.d/common-session file.

3. In the common-session file on our test machine there are these lines:

      session optional  pam_umask.so
      session required  pam_unix.so
      session optional  pam_mount.so

4.  Let's add  the 'disable_interactive' option to pam_mount. Configuration looks now like:

      session optional  pam_umask.so
      session required  pam_unix.so
      session optional  pam_mount.so disable_interactive
 

 

Second method

Create an explicit list of modules in the /etc/pam.d/nx file and then disable the interactive mode for the pam_mount module. This method allows to narrow down changes of PAM configuration only to the NoMachine service. Drawback of this solution is that changes made in the file in which pam_mount is listed will not apply to NoMachine PAM configuration and require to update the /etc/pam.d/nx file accordingly. System administrators need to update /etc/pam.d/nx separately.


First of all we need to find the system PAM configuration file which includes the pam_mount module. We are interested at the 'session' stack of PAM modules.

1. The /etc/pam.d/nx has set:

    session include su

2. In the /etc/pam.d/su file on our test machine there are the following lines set:

    session required pam_loginuid.so
    session optional pam_env.so

    session include common-session

There are two modules which are explicitly named: pam_loginuid and pam_env.

We copy them to '/etc/pam.d/nx' and proceed to inspect content of common-session.

3. In the common-session file on our test machine there are these lines set:

    session optional  pam_umask.so
    session required  pam_unix.so
    session optional  pam_mount.so

    These are all entries with module names specified, so we copy them to the /etc/pam.d/nx file.

    Session stack of NoMachine PAM configuration in the /etc/pam.d/nx file is now:

    session include   su
    session required  pam_loginuid.so
    session optional  pam_env.so
    session optional  pam_umask.so
    session required  pam_unix.so
    session optional  pam_mount.so

4. Finally, let's remove the  'include su' line and add the 'disable_interactive' option to pam_mount, achieving the following PAM configuration of session stack:

    session required  pam_loginuid.so
    session optional  pam_env.so
    session optional  pam_umask.so
    session required  pam_unix.so
    session optional  pam_mount.so disable_interactive