ID: AR12Q01063
Applies to: NoMachine Server
Added on: 2019-12-03
Last update: 2019-12-03
Why is the nx user added to the wheel group and how to prevent this

This article applies to connections by NX protocol to a NoMachine server on Linux, when PAM is configured to use the pam_wheel module. Connections by NoMachine via SSH protocol are not affected.

The nx user is a reserved system account that NoMachine needs for performing internal operations, including the execution of NoMachine suid-ed programs. Note that the nx account, which is also a hidden account, cannot be used by users (privileged or not) to log in directly to the system (e.g. via the login window or via an SSH client that is not NoMachine).

The nx user is added to the 'wheel' group (or to the 'root' group if 'wheel' is not present) only when the pam_wheel module is enabled on the system. Administrators use the pam_wheel module to control access to commands by granting or revoking group membership to users. The most typical use case is restricting the 'su' command in this way.

By default, NoMachine uses the PAM configuration of 'su' when users connect. If /etc/pam.d/su contains the pam_wheel entry and the nx user is not a member of the 'wheel' (or 'root') group, authentication will fail for every user connecting by NoMachine. By default, the pam_wheel module checks whether the real uid of the caller (nx in this case) is a member of the 'wheel' group (or 'root' group). If it is not, the module returns failure.

How to keep the nx user out of the 'wheel' group and still allow users to connect by NX protocol

1. Make a backup copy of the NoMachine PAM configuration, e.g. run the following command in a terminal as root or with 'sudo':

cp /etc/pam.d/nx /etc/pam.d/nx.ori

2. Copy the system PAM configuration to the NoMachine PAM configuration:

cp /etc/pam.d/su /etc/pam.d/nx

3. Edit the new NoMachine PAM configuration and remove the 'pam_wheel' entry, or comment it out by prepending a '#' to the line.

4. Remove the nx user from the 'wheel' (or 'root') group.
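
A way to verify the result of steps 1 to 4, as an added example that is not NoMachine's own code: it checks that the NoMachine PAM file has no active pam_wheel entry and that nx is no longer listed in 'wheel' or 'root'. The function names and the sample files are assumptions made for illustration; only /etc/pam.d/nx, /etc/group and the group names reflect the system described above.

```shell
#!/bin/sh
# Added example: verifies the end state of steps 1-4. Not NoMachine code.

# Succeed if FILE ($1) loads pam_wheel on a line that is not commented out.
# Files pulled in through include/substack directives are not followed.
pam_wheel_active() {
    sed 's/#.*//' "$1" | grep -q 'pam_wheel'
}

# Succeed if USER ($1) is listed as a member of GROUP ($2) in a group(5)
# file ($3, default /etc/group). Primary GID and directory services are
# not consulted.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${3:-/etc/group}"
}

# Succeed only if the NoMachine PAM file ($1) has no active pam_wheel entry
# and nx is in neither wheel nor root according to the group file ($2).
check_nx_setup() {
    nx_pam="${1:-/etc/pam.d/nx}"; grp_file="${2:-/etc/group}"; rc=0
    if pam_wheel_active "$nx_pam"; then
        echo "FAIL: active pam_wheel entry in $nx_pam"; rc=1
    fi
    for g in wheel root; do
        if user_in_group nx "$g" "$grp_file"; then
            echo "FAIL: nx is still a member of $g"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: no pam_wheel for NX logins, nx not in wheel/root"
    return "$rc"
}

# Constructed sample files (not from a real host) for trying the checks offline.
write_samples() {
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' > "$1/nx.before"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '#auth required pam_wheel.so use_uid' > "$1/nx.after"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,nx' > "$1/group.before"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' > "$1/group.after"
}
```

Calling check_nx_setup with no arguments checks /etc/pam.d/nx and /etc/group on the local host; a non-zero exit status means one of the steps has not taken effect.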