
[arch,kerberos] Freerdp 3 authentication hangs due to broken krb5.conf #10138

Closed
fredizzimo opened this issue Apr 24, 2024 · 31 comments · Fixed by #10168

Comments

@fredizzimo

Describe the bug
After the Arch Linux remmina package was updated to use freerdp3, the remote connection to my workplace Windows 11 computer stopped working. I first thought that it was a remmina problem, but it does seem to be a freerdp one, since I can repeat it with xfreerdp. Freerdp 2 works fine.

To Reproduce

  1. run xfreerdp /v:computer.domain.org /u:user.name@domain.org /p:password /log-level:TRACE +auth-only
  2. Observe that it hangs after a short time, with no more logs being printed. Ctrl-C does not kill it either; it has to be killed the hard way.

Expected behavior
It should log in and exit.

Application details

  • FreeRDP version (xfreerdp /version): 3.5.2-dev0 (c172713)
  • Command line used: xfreerdp /v:computer.domain.org /u:user.name@domain.org /p:password /log-level:TRACE +auth-only
  • Output of xfreerdp /buildconfig
buildconfig
```
[15:25:21:504] [335632:00051f10] [INFO][com.winpr.timezone] - [winpr_detect_windows_time_zone]: tzid: Europe/Helsinki
This is FreeRDP version 3.5.2-dev0 (c172713)
Build configuration: BUILD_TESTING=OFF WINPR_HAVE_AIO_H=1 WINPR_HAVE_EXECINFO_BACKTRACE=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 WINPR_HAVE_EXECINFO_HEADER=1 WINPR_HAVE_FCNTL_H=1 WINPR_HAVE_GETLOGIN_R=1 WINPR_HAVE_GETPWUID_R=1 WINPR_HAVE_INTTYPES_H=1 WINPR_HAVE_POLL_H=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIB=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 WINPR_HAVE_STDBOOL_H=1 WINPR_HAVE_STDINT_H=1 WINPR_HAVE_STRNDUP=1 WINPR_HAVE_SYSLOG_H=1 WINPR_HAVE_SYS_EVENTFD_H=1 WINPR_HAVE_SYS_FILIO_H= WINPR_HAVE_SYS_SELECT_H=1 WINPR_HAVE_SYS_SOCKIO_H= WINPR_HAVE_SYS_TIMERFD_H=1 WINPR_HAVE_TM_GMTOFF=1 WINPR_HAVE_UNISTD_H=1 WINPR_HAVE_UNWIND_H=1 WITH_AAD=ON WITH_ABSOLUTE_PLUGIN_LOAD_PATHS=ON WITH_ADD_PLUGIN_TO_RPATH=OFF WITH_ALSA=ON WITH_BINARY_VERSIONING=OFF WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CLIENT_SDL=ON WITH_CLIENT_SDL_AVAILABLE=1 WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_CODECS=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_EVENTS=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SCHANNEL=OFF WITH_DEBUG_SDL_EVENTS=OFF WITH_DEBUG_SDL_KBD_EVENTS=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF
WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_DSP_FFMPEG_AVAILABLE=1 WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=ON WITH_FREERDP_DEPRECATED=OFF WITH_FREERDP_DEPRECATED_COMMANDLINE=OFF WITH_FUSE=ON WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_INTERNAL_RC4=OFF WITH_JPEG=ON WITH_KRB5=ON WITH_KRB5_NO_NTLM_FALLBACK=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBRESSL=OFF WITH_LODEPNG=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_NATIVE_SSPI=OFF WITH_NEON=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSSL=ON WITH_OPUS=OFF WITH_OSS=ON WITH_PCSC=ON WITH_PKCS11=ON WITH_PLATFORM_SERVER=ON WITH_POLL=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_APP=ON WITH_PROXY_EMULATE_SMARTCARD=OFF WITH_PROXY_MODULES=ON WITH_PULSE=ON WITH_RDTK=ON WITH_SAMPLE=ON WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SDL_IMAGE_DIALOGS=OFF WITH_SDL_LINK_SHARED=ON WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_EMULATE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SMARTCARD_PCSC=ON WITH_SOXR=OFF WITH_SSE2=OFF WITH_SWSCALE=ON WITH_SYSTEMD=ON WITH_THIRD_PARTY=OFF WITH_UNICODE_BUILTIN=OFF WITH_URIPARSER=OFF WITH_VAAPI=OFF WITH_VAAPI_AVAILABLE=1 WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_VIDEO_FFMPEG=ON WITH_VIDEO_FFMPEG_AVAILABLE=1 WITH_WAYLAND=ON WITH_WEBVIEW=ON WITH_WEBVIEW_QT=OFF WITH_WINPR_DEPRECATED=OFF WITH_WINPR_TOOLS=ON WITH_WIN_CONSOLE=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XRANDR=ON
WITH_XRENDER=ON WITH_XV=ON
Build type: Release
CFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/build/freerdp-git/src=/usr/src/debug/freerdp-git -flto=auto -Wall -Wpedantic -Wno-padded -Wno-cast-align -Wno-declaration-after-statement -fPIC -Wall -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -fno-omit-frame-pointer
Compiler: GNU, 13.2.1
Target architecture: x64
Keyboard Shortcuts:
 releases keyboard and mouse grab
 ++ toggles fullscreen state of the application
 ++c toggles remote control in a remote assistance session
Action Script
 Executes a predefined script on key press. Should the script not exist it is ignored.
 Scripts can be provided at the default localtion ~/.config/freerdp/action.sh or as command line argument /action:script:
 The script will receive the current key combination as argument.
 The output of the script is parsed for 'key-local' which tells that the script used the key combination, otherwise the combination is forwarded to the remote.
```
  • OS version connecting to (server side): Windows 11 Enterprise 22000.2836
  • If available the log output from a run with /log-level:trace 2>&1 | tee log.txt
    freerdp3
[14:59:18:312] [282370:00044f02] [INFO][com.winpr.timezone] - [winpr_detect_windows_time_zone]: tzid: Europe/Helsinki
[14:59:18:315] [282370:00044f02] [DEBUG][com.freerdp.client.common] - [freerdp_client_settings_parse_command_line]: This is 3.5.2-dev0 Build configuration: BUILD_TESTING=OFF WINPR_HAVE_AIO_H=1 WINPR_HAVE_EXECINFO_BACKTRACE=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 WINPR_HAVE_EXECINFO_HEADER=1 WINPR_HAVE_FCNTL_H=1 WINPR_HAVE_GETLOGIN_R=1 WINPR_HAVE_GETPWUID_R=1 WINPR_HAVE_INTTYPES_H=1 WINPR_HAVE_POLL_H=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIB=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 WINPR_HAVE_STDBOOL_H=1 WINPR_HAVE_STDINT_H=1 WINPR_HAVE_STRNDUP=1 WINPR_HAVE_SYSLOG_H=1 WINPR_HAVE_SYS_EVENTFD_H=1 WINPR_HAVE_SYS_FILIO_H= WINPR_HAVE_SYS_SELECT_H=1 WINPR_HAVE_SYS_SOCKIO_H= WINPR_HAVE_SYS_TIMERFD_H=1 WINPR_HAVE_TM_GMTOFF=1 WINPR_HAVE_UNISTD_H=1 WINPR_HAVE_UNWIND_H=1 WITH_AAD=ON WITH_ABSOLUTE_PLUGIN_LOAD_PATHS=ON WITH_ADD_PLUGIN_TO_RPATH=OFF WITH_ALSA=ON WITH_BINARY_VERSIONING=OFF WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CLIENT_SDL=ON WITH_CLIENT_SDL_AVAILABLE=1 WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_CODECS=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_EVENTS=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SCHANNEL=OFF WITH_DEBUG_SDL_EVENTS=OFF WITH_DEBUG_SDL_KBD_EVENTS=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF 
WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_DSP_FFMPEG_AVAILABLE=1 WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=ON WITH_FREERDP_DEPRECATED=OFF WITH_FREERDP_DEPRECATED_COMMANDLINE=OFF WITH_FUSE=ON WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_INTERNAL_RC4=OFF WITH_JPEG=ON WITH_KRB5=ON WITH_KRB5_NO_NTLM_FALLBACK=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBRESSL=OFF WITH_LODEPNG=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_NATIVE_SSPI=OFF WITH_NEON=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSSL=ON WITH_OPUS=OFF WITH_OSS=ON WITH_PCSC=ON WITH_PKCS11=ON WITH_PLATFORM_SERVER=ON WITH_POLL=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_APP=ON WITH_PROXY_EMULATE_SMARTCARD=OFF WITH_PROXY_MODULES=ON WITH_PULSE=ON WITH_RDTK=ON WITH_SAMPLE=ON WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SDL_IMAGE_DIALOGS=OFF WITH_SDL_LINK_SHARED=ON WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_EMULATE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SMARTCARD_PCSC=ON WITH_SOXR=OFF WITH_SSE2=OFF WITH_SWSCALE=ON WITH_SYSTEMD=ON WITH_THIRD_PARTY=OFF WITH_UNICODE_BUILTIN=OFF WITH_URIPARSER=OFF WITH_VAAPI=OFF WITH_VAAPI_AVAILABLE=1 WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_VIDEO_FFMPEG=ON WITH_VIDEO_FFMPEG_AVAILABLE=1 WITH_WAYLAND=ON WITH_WEBVIEW=ON WITH_WEBVIEW_QT=OFF WITH_WINPR_DEPRECATED=OFF WITH_WINPR_TOOLS=ON WITH_WIN_CONSOLE=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XV=ON
Build type:          Release
CFLAGS:              -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection         -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/build/freerdp-git/src=/usr/src/debug/freerdp-git -flto=auto -Wall -Wpedantic -Wno-padded -Wno-cast-align -Wno-declaration-after-statement -fPIC -Wall -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -fno-omit-frame-pointer
Compiler:            GNU, 13.2.1
Target architecture: x64

[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_connect_begin]: resetting error state
[14:59:18:315] [282370:00044f03] [INFO][com.freerdp.client.x11] - [xf_pre_connect]: Authentication only. Don't connect to X.
[14:59:18:315] [282370:00044f03] [TRACE][com.freerdp.api] - [freerdp_channels_process_message]: IFCALL(message->Free) == NULL
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpdr
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpsnd
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.channels.channels.cliprdr.client] - [cliprdr_VirtualChannelEntryEx]: VirtualChannelEntryEx
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx cliprdr
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.channels.drdynvc.client] - [drdynvc_VirtualChannelEntryEx]: VirtualChannelEntryEx
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx drdynvc
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives benchmark: only one backend, skipping...
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives autodetect, using generic
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdstls]: Enabling RDSTLS security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_aad]: Enabling RDS AAD security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x55d387aba3f0]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer 10.42.4.213
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA security
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: 3
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]: RDP_NEG_RSP::flags = { [0x1f] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED|RDP_NEGRSP_RESERVED|RESTRICTED_ADMIN_MODE_SUPPORTED|REDIRECTED_AUTHENTICATION_MODE_SUPPORTED }
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state: NEGO_STATE_FINAL
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_try_connect]: nego_security_connect with PROTOCOL_HYBRID
[14:59:18:517] [282370:00044f03] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:59:18:517] [282370:00044f03] [WARN][com.freerdp.crypto] - [verify_cb]: CN = computer.domain.org
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.nla] - [nla_set_early_user_auth]: Early User Auth active: false
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL	--> NLA_STATE_INITIAL
[14:59:18:518] [282370:00044f03] [DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]: InitSecurityInterfaceExA
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package: Negotiate (cbMaxToken: 12256 bytes)
freerdp 2
[14:56:12:893] [282108:282108] [DEBUG][com.freerdp.client.common] - This is Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_AIO_H=1 HAVE_EXECINFO_BACKTRACE=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 HAVE_EXECINFO_H=ON HAVE_EXECINFO_HEADER=1 HAVE_FCNTL_H=1 HAVE_GETLOGIN_R=1 HAVE_GETPWUID_R=1 HAVE_INTTYPES_H=1 HAVE_JOURNALD_H=TRUE HAVE_MATH_C99_LONG_DOUBLE=1 HAVE_PIXMAN_REGION=OFF HAVE_POLL_H=1 HAVE_PTHREAD_MUTEX_TIMEDLOCK=ON HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 HAVE_SYSLOG_H=1 HAVE_SYS_EVENTFD_H=1 HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H=1 HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_SYS_TIMERFD_H=1 HAVE_TM_GMTOFF=1 HAVE_UNISTD_H=1 HAVE_XI_TOUCH_CLASS=1 WITH_ALSA=ON WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=TRUE WITH_FFMPEG=TRUE WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF 
WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_IPP=OFF WITH_JPEG=ON WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBSYSTEMD=ON WITH_MACAUDIO=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSLES=OFF WITH_OPENSSL=ON WITH_OSS=ON WITH_PAM=ON WITH_PCSC=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_MODULES=OFF WITH_PULSE=ON WITH_SAMPLE=OFF WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_INSPECT=OFF WITH_SOXR=OFF WITH_SSE2=ON WITH_SWSCALE=ON WITH_THIRD_PARTY=OFF WITH_VAAPI=OFF WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_WAYLAND=ON WITH_WINPR_TOOLS=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XDAMAGE=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XKBFILE=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XSHM=ON WITH_XTEST=ON WITH_XV=ON WITH_ZLIB=ON
Build type:          None
CFLAGS:              -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/freerdp2/src=/usr/src/debug/freerdp2 -flto=auto -fPIC -Wall -Wno-unused-result -Wno-unused-but-set-variable -Wno-deprecated-declarations -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer -DWINPR_DLL
Compiler:            GNU, 13.2.1
Target architecture: x64

[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.channels.drdynvc.client] - VirtualChannelEntryEx
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx drdynvc
[14:56:12:893] [282108:282109] [INFO][com.freerdp.client.x11] - Authentication only. Don't connect to X.
[14:56:12:895] [282108:282109] [DEBUG][com.freerdp.primitives] - primitives benchmark result:
[14:56:12:048] [282108:282109] [DEBUG][com.freerdp.primitives] -  * generic= 83
[14:56:12:199] [282108:282109] [DEBUG][com.freerdp.primitives] -  * optimized= 174
[14:56:12:199] [282108:282109] [DEBUG][com.freerdp.primitives] - primitives autodetect, using optimized
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - connecting to peer 10.42.4.213
[14:56:12:274] [282108:282109] [DEBUG][com.freerdp.core.nego] - RequestedProtocols: 3
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP::flags = { [0x1f] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED|RDP_NEGRSP_RESERVED|RESTRICTED_ADMIN_MODE_SUPPORTED|REDIRECTED_AUTHENTICATION_MODE_SUPPORTED }
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - selected_protocol: 2
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_FINAL
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_HYBRID
[14:56:13:449] [282108:282109] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:56:13:449] [282108:282109] [WARN][com.freerdp.crypto] - CN = computer.domain.org
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - nla_client_init 411 : packageName=Negotiate ; cbMaxToken=12256
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_INITIAL
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_NEGOTIATE
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe20882b7] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_NEGOTIATE_OEM|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_LM_KEY|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_NEGOTIATE to NTLM_STATE_CHALLENGE
[14:56:13:449] [282108:282109] [TRACE][com.freerdp.core.nla] -  InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 40):
[14:56:13:450] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_NEGO --> CONNECTION_STATE_NLA
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Read flags [0xe2898235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_TARGET_TYPE_DOMAIN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_CHALLENGE to NTLM_STATE_AUTHENTICATE
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe288a235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_AUTHENTICATE to NTLM_STATE_FINAL
[14:56:13:550] [282108:282109] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext  SEC_E_OK [0x00000000]
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 530):
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.pubKeyAuth (length = 48):
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending PubKeyAuth Token
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.authInfo (length = 117):
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_NLA --> CONNECTION_STATE_MCS_CONNECT
[14:56:13:951] [282108:282109] [DEBUG][com.freerdp.core.gcc] - Server rdp encryption method: NONE
[14:56:13:951] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_CONNECT --> CONNECTION_STATE_MCS_ATTACH_USER
[14:56:13:051] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_ATTACH_USER --> CONNECTION_STATE_MCS_CHANNEL_JOIN
[14:56:14:854] [282108:282109] [DEBUG][com.freerdp.core.info] - Client Info Packet Flags = INFO_MOUSE|INFO_DISABLECTRLALTDEL|INFO_UNICODE|INFO_MAXIMIZESHELL|INFO_LOGONNOTIFY|INFO_COMPRESSION|INFO_ENABLEWINDOWSKEY|INFO_FORCE_ENCRYPTED_CS_PDU|INFO_LOGONERRORS|INFO_MOUSE_HAS_WHEEL|INFO_NOAUDIOPLAYBACK
[14:56:14:854] [282108:282109] [DEBUG][com.winpr.timezone] - tz: Bias=-120 sn='FLE Standard Time' dln='FLE Daylight Time'
[14:56:14:854] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_CHANNEL_JOIN --> CONNECTION_STATE_LICENSING
[14:56:14:055] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_LICENSING --> CONNECTION_STATE_CAPABILITIES_EXCHANGE
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_CAPABILITIES_EXCHANGE --> CONNECTION_STATE_FINALIZATION
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x1f size=37 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x14 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x14 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x2b size=57 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x27 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Monitor Layout Data PDU (0x37), length: 42
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Synchronize Data PDU (0x1F), length: 22
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Font Map Data PDU (0x28), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_FINALIZATION --> CONNECTION_STATE_ACTIVE
[14:56:14:256] [282108:282109] [ERROR][com.freerdp.core] - Authentication only, exit status 0
[14:56:14:256] [282108:282109] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 0
[14:56:14:256] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_ACTIVE --> CONNECTION_STATE_INITIAL
[14:56:14:257] [282108:282108] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

Environment (please complete the following information):

  • OS: Linux
  • Version/Distribution: Arch Linux
  • Architecture: amd64
@akallabeth
Member

What is written in your /etc/krb5.conf?
We had several reports that Arch ships an example configuration as the actual thing (and that leads to an unreachable KDC, which then needs to time out for each Kerberos request).

@fredizzimo
Author

Yes, it definitely looks like some example.

```
❯ cat /etc/krb5.conf
[libdefaults]
        default_realm = ATHENA.MIT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
        ATHENA.MIT.EDU = {
                admin_server = kerberos.mit.edu
        }
        ANDREW.CMU.EDU = {
                admin_server = kdc-01.andrew.cmu.edu
        }

[domain_realm]
        mit.edu = ATHENA.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .ucsc.edu = CATS.UCSC.EDU

[logging]
#       kdc = CONSOLE
```

Is it enough to comment out everything, or do I need to create a proper configuration, which I don't know how to do at the moment but can probably figure out? I'm currently on freerdp 2 again, so it takes a while to switch and test, therefore I'm asking instead of testing it myself.
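The failure mode the maintainer describes above (a distribution shipping the stock MIT sample as the live `/etc/krb5.conf`, so every Kerberos attempt waits on a KDC that does not exist) is easy to spot mechanically. The following is an added example, not code from FreeRDP or from anyone in this thread: it parses the MIT-style `krb5.conf` syntax (sections, `key = value` relations, brace-nested realm blocks), reports whether the configured `default_realm` has any explicit `kdc` entry, and resolves a hostname to a realm through `[domain_realm]` using the documented lookup order (exact host first, then parent domains with a leading dot; implicit host-to-domain inheritance and DNS fallback are deliberately left out). The embedded sample input is constructed to match the configuration quoted in the comment above; the function names are this example's own.

```python
"""Audit an MIT krb5.conf for the 'sample config shipped as live config' problem.

Added example for this issue thread; not FreeRDP or MIT Kerberos project code.
Parser covers: [section] headers, 'key = value' relations, 'NAME = { ... }'
blocks inside [realms], '#' comments. A '#' inside a value is treated as a
comment start (a simplification; fine for the stock sample).
"""
import re

# Constructed sample: the stock MIT example krb5.conf as quoted in the issue.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = ATHENA.MIT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
        ATHENA.MIT.EDU = {
                admin_server = kerberos.mit.edu
        }
        ANDREW.CMU.EDU = {
                admin_server = kdc-01.andrew.cmu.edu
        }

[domain_realm]
        mit.edu = ATHENA.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .ucsc.edu = CATS.UCSC.EDU

[logging]
#       kdc = CONSOLE
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | [values] | {block}}}.

    A key repeated inside the same scope (e.g. several 'kdc =' lines for one
    realm) is collected into a list, which is how libkrb5 treats it.
    """
    conf = {}
    stack = []  # innermost dict being filled is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" not in line or not stack:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        scope = stack[-1]
        if value == "{":  # start of a nested block, e.g. a realm definition
            scope[key] = {}
            stack.append(scope[key])
        elif key in scope:
            scope[key] = (scope[key] if isinstance(scope[key], list)
                          else [scope[key]]) + [value]
        else:
            scope[key] = value
    return conf


def realm_for_host(conf, hostname):
    """Map a hostname to a realm via explicit [domain_realm] relations only.

    Lookup order: exact hostname, then each parent domain written with a
    leading dot. Returns None when nothing matches (libkrb5 would then try
    DNS/referrals, which this example does not model).
    """
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def audit_krb5_conf(text):
    """Return findings explaining why this file would stall a Kerberos client.

    An empty or fully commented file yields no findings, which matches the
    maintainer's advice in the thread that such a file is acceptable.
    """
    conf = parse_krb5_conf(text)
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return findings  # no default realm configured: nothing to resolve eagerly
    realm_block = conf.get("realms", {}).get(realm, {})
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        findings.append(
            f"default_realm {realm} has no explicit kdc entry; KDC discovery "
            f"falls back to DNS SRV lookups for {realm.lower()}, and a realm "
            f"the host does not belong to will only fail after a timeout")
    return findings


if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_KRB5_CONF) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit_krb5_conf(open("/etc/krb5.conf").read())`; a finding on a machine that never authenticates with Kerberos is the signature of exactly the situation in this thread, and `realm_for_host` shows why a workstation's hostname in the sample has no mapping at all.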

@akallabeth
Member

@fredizzimo no, an empty file (or commented) is ok.

@akallabeth akallabeth changed the title Freerdp 3 authentication hangs [arch,kerberos] Freerdp 3 authentication hangs due to broken krb5.conf Apr 24, 2024
@fredizzimo
Author

Ok, I will try that out now, and come back to you with the results.

@fredizzimo
Author

Unfortunately, it did not help, not even after restarting the system.

But I see the following in the journal log now:

apr 24 17:15:40 fredarch krb5kdc[5592]: Configuration file does not specify default realm - while attempting to retrieve default realm
apr 24 17:15:40 fredarch krb5kdc[5592]: krb5kdc: Configuration file does not specify default realm, attempting to retrieve default realm
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Main process exited, code=exited, status=1/FAILURE
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
apr 24 17:15:40 fredarch systemd[1]: krb5-kdc.service: Scheduled restart job, restart counter is at 1.
apr 24 17:15:40 fredarch systemd[1]: Started Kerberos 5 KDC.

I also tried restarting the service after I joined the VPN, but it gives the same result. So maybe I need to try to configure it?

Also while doing that I noticed that after 10 minutes, the xfreerdp printed this in the log, but was still hanging
[17:20:25:492] [3958:00000f77] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "DOMAIN.ORG" [-1765328230])

The domain name is correct, so it got that right at least. Maybe it's a misconfiguration on the workplace side? I can try to contact the IT support there.

@akallabeth
Member

no, that is ok (it should fail fast if you are not using kerberos to authenticate, which is the case most of the time if you are not directly in the same network)

@akallabeth
Member

@fredizzimo also, why is your system trying to start a KDC ? are you hosting a kerberos server instance?

@fredizzimo
Author

Ah, I just double checked, all of the activation of that was by myself through systemctl restart, not by the system.

  1. I did it before rebooting in the hope that the configuration was not reloaded.
  2. And then after it had failed to connect after the reboot. That restart was in the middle of the 10 minute wait according to the timestamp, so I think we can assume that it's unrelated.

@akallabeth
Member

@fredizzimo so, does your initial use case work now or is there still something to look at?

@fredizzimo
Author

No, my response was just about the krb5-kdc.service. So the original problem remains.

I understand that it's hard to know what the problem is with this little information, so I can try to debug it during the weekend, to at least provide more information.

@akallabeth
Member

a debug build with a running debugger to have a backtrace on where the application is hanging would be really helpful here.

@fredizzimo
Author

I don't have the symbols for the system libraries at the moment, but this is the call stack

libc.so.6!connect (Unknown Source:0)
libc.so.6![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libc.so.6!__res_context_send (Unknown Source:0)
libc.so.6!__res_context_query (Unknown Source:0)
libc.so.6!__res_context_search (Unknown Source:0)
libc.so.6!res_nsearch (Unknown Source:0)
libkrb5.so.3![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libkrb5.so.3!krb5_sendto_kdc (Unknown Source:0)
libkrb5.so.3![Unknown/Just-In-Time compiled code] (Unknown Source:0)
libkrb5.so.3!krb5_init_creds_get (Unknown Source:0)
libwinpr3.so.3!krb5glue_get_init_creds(krb5_context ctx, krb5_principal princ, krb5_ccache ccache, krb5_prompter_fct prompter, char * password, SEC_WINPR_KERBEROS_SETTINGS * krb_settings) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Kerberos/krb5glue_mit.c:237)
libwinpr3.so.3!kerberos_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Kerberos/kerberos.c:341)
libwinpr3.so.3!negotiate_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/Negotiate/negotiate.c:1457)
libwinpr3.so.3!winpr_AcquireCredentialsHandleA(SEC_CHAR * pszPrincipal, SEC_CHAR * pszPackage, ULONG fCredentialUse, void * pvLogonID, void * pAuthData, SEC_GET_KEY_FN pGetKeyFn, void * pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/sspi/sspi_winpr.c:1299)
libfreerdp3.so.3!credssp_auth_setup_client(rdpCredsspAuth * auth, const char * target_service, const char * target_hostname, const SEC_WINNT_AUTH_IDENTITY_W * identity, const char * pkinit) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/credssp_auth.c:291)
libfreerdp3.so.3!nla_client_init(rdpNla * nla) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nla.c:451)
libfreerdp3.so.3!nla_client_begin(rdpNla * nla) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nla.c:475)
libfreerdp3.so.3!transport_connect_nla(rdpTransport * transport, BOOL earlyUserAuth) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/transport.c:381)
libfreerdp3.so.3!nego_try_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:315)
libfreerdp3.so.3!nego_security_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:347)
libfreerdp3.so.3!nego_connect(rdpNego * nego) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/nego.c:282)
libfreerdp3.so.3!rdp_client_connect(rdpRdp * rdp) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/connection.c:430)
libfreerdp3.so.3!freerdp_connect_begin(freerdp * instance) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/freerdp.c:156)
libfreerdp3.so.3!freerdp_connect(freerdp * instance) (/home/fredizzimo/proj/FreeRDP/libfreerdp/core/freerdp.c:174)
xf_client_thread(LPVOID param) (/home/fredizzimo/proj/FreeRDP/client/X11/xf_client.c:1501)
libwinpr3.so.3!thread_launcher(void * arg) (/home/fredizzimo/proj/FreeRDP/winpr/libwinpr/thread/thread.c:528)
libc.so.6![Unknown/Just-In-Time compiled code] (Unknown Source:0)

So it looks like it's the Kerberos connection that fails to connect. I will try to check if freerdp 2 does something different, since that works.

@fredizzimo
Author

fredizzimo commented Apr 27, 2024

I bisected it down to this commit c9e61ff ([cmake] simplify krb5 detection)

NOTE: I had to do the bisecting with a clean build directory each time; if I just tried incremental builds then even the latest version would work, which also indicates that there might be something wrong with the cmake configuration.

Probably detecting the wrong type of Kerberos implementation

@fredizzimo
Author

fredizzimo commented Apr 27, 2024

Ah, now I see, before that commit it defaulted to OFF, and now it defaults to ON. And indeed if I set -DWITH_KRB5=OFF it works on master.

And it also works with /auth-pkg-list:!kerberos. But I don't see how to pass that option when using remmina right now.

If it can be disabled, I guess it "fixes" my problem, not sure if it's worth trying to dig further into this and find out the cause for the hang though.

@giox069
Contributor

giox069 commented Apr 30, 2024

Very similar problem here. I have just switched to (K)Ubuntu 24.04 on a couple of PCs, and I can no longer connect by numeric IP address to AD domain member machines with Remmina.

xfreerdp3 /v:192.168.98.1 /d:mydom.dom /u:xxxxx

The error is:

[09:15:07:823] [1348:00000545] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_InitializeSecurityContextA]: krb5_get_credentials (Configuration file does not specify default realm [-1765328160])

The problem disappears by using a FQDN hostname instead of a numeric IP address, or by adding /auth-pkg-list:!kerberos to the xfreerdp3 command line.

Same problem when manually compiling master branch of FreeRDP3 on a Ubuntu 22.04 or Ubuntu 20.04

@fredizzimo
Author

I opened a Remmina feature request for being able to disable Kerberos. https://gitlab.com/Remmina/Remmina/-/issues/3104

@fredizzimo
Author

Some more information, by just looking at my call stack and the krb5 code, it's this nameserver lookup called from this that fails
https://github.com/krb5/krb5/blob/0a3acc20564e82ba33741248cf25ca4d085d777f/src/lib/krb5/os/locate_kdc.c#L823

My guess is that some parts of the company internal network are not reachable through the VPN, and therefore fail.

@giox069
Contributor

giox069 commented Apr 30, 2024

@fredizzimo can you try with the short netbios domain /d:mydom (no DNS domain name, no dots) ?

In my case it works as a workaround. But I'm still having a customer that has a NETBIOS domain identical to the DNS domain (with a dot inside). So I cannot use this workaround.

@akallabeth
Member

@giox069 @fredizzimo the krb5 stuff must fail in your cases, but there should be an NTLM fallback in place.
for some reason it does not trigger for you and that would be interesting why.

the issue I mentioned before (krb5.conf being some default) leads to incredibly high timeouts for the fallback to trigger, but if it does not trigger in your case then something else is off.

@giox069 you run a build with ntlm fallback enabled, right?

@giox069
Contributor

giox069 commented May 1, 2024

I'm using two xfreerdp 3: the stock version of Ubuntu 24.04, and my own compiled version from the master branch on Ubuntu 22.04. In CMakeCache.txt of the compiled version I can find WITH_KRB5_NO_NTLM_FALLBACK:BOOL=OFF
Other ways to check if ntlm fallback is enabled?

@akallabeth
Member

@giox069 seems active.
would be interesting where the error exit is coming from, to identify the branch that does not fall back to NTLM

@giox069
Contributor

giox069 commented May 2, 2024

I did some bisecting, the commit that introduced the problem is c9e61ff
I will try to understand where is the problem, but that commit is quite large.

@giox069
Contributor

giox069 commented May 2, 2024

... and it's the same commit bisected by @fredizzimo ;)

@akallabeth
Member

@giox069 and as @fredizzimo already found out the commit that enabled krb5 support.
no surprise there, but the interesting part is why your connection attempt does not fall back to NTLM ...

@akallabeth
Member

akallabeth commented May 6, 2024

@fredizzimo @giox069 can you add a full log of your failed connections with kerberos debugging enabled? (see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/env_variables.html for details for kerberos debugging)
[note] you can PM me in our matrix chat if you don't want to publish the logs.

@akallabeth
Member

@giox069 also, do you have some stuff in your krb5.conf? I did a test on my debian machine to a domain member and that instantly connects.

only message is [13:15:55:50] [97473:00017cc2] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST" [-1765328230]) which is expected (aka no kerberos available and fall back to NTLM) while your message suggests that this step succeeded and only later on aborts in the following calls.

@akallabeth
Member

akallabeth commented May 6, 2024

@fredizzimo ok, I did manage to get a slowdown (DNS lookup delay) but no hang.
what did I do:

  1. connect with xfreerdp /v:ip /u:user /d:domain.local
  2. the .local is not resolvable from local environment
[13:29:57:889] [99619:00018525] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[13:29:57:889] [99619:00018525] [WARN][com.freerdp.crypto] - [verify_cb]: CN = RD2.rdtest.local
[99619] 1714994997.396297: Matching demo1@RDTEST.LOCAL in collection with result: -1765328243/Can't find client principal demo1@RDTEST.LOCAL in cache collection
[99619] 1714994997.396298: Resolving unique ccache of type MEMORY
[99619] 1714994997.396299: Initializing MEMORY:wLqbmfR with default princ demo1@RDTEST.LOCAL
[99619] 1714994997.396300: Getting initial credentials for demo1@RDTEST.LOCAL
[99619] 1714994997.396301: Retrieving demo1@RDTEST.LOCAL -> krb5_ccache_conf_data/pa_type/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:wLqbmfR with result: -1765328243/Matching credential not found
[99619] 1714994997.396303: Retrieving demo1@RDTEST.LOCAL -> krb5_ccache_conf_data/pa_config_data/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:wLqbmfR with result: -1765328243/Matching credential not found
[99619] 1714994997.396304: Sending unauthenticated request
[99619] 1714994997.396305: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714994997.396306: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995007.408895: No URI records found
[99619] 1714995007.408896: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995017.419469: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995027.429896: No SRV records found
[13:30:27:927] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
[99619] 1714995027.429897: Destroying ccache MEMORY:wLqbmfR
[99619] 1714995027.429898: Matching demo1@RDTEST.LOCAL in collection with result: -1765328243/Can't find client principal demo1@RDTEST.LOCAL in cache collection
[99619] 1714995027.429899: Resolving unique ccache of type MEMORY
[99619] 1714995027.429900: Initializing MEMORY:dM7nvS9 with default princ demo1@RDTEST.LOCAL
[99619] 1714995027.429901: Getting initial credentials for demo1@RDTEST.LOCAL
[99619] 1714995027.429902: Retrieving demo1@RDTEST.LOCAL -> krb5_ccache_conf_data/pa_type/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:dM7nvS9 with result: -1765328243/Matching credential not found
[99619] 1714995027.429904: Retrieving demo1@RDTEST.LOCAL -> krb5_ccache_conf_data/pa_config_data/krbtgt\/RDTEST.LOCAL\@RDTEST.LOCAL@X-CACHECONF: from MEMORY:dM7nvS9 with result: -1765328243/Matching credential not found
[99619] 1714995027.429905: Sending unauthenticated request
[99619] 1714995027.429906: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714995027.429907: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995037.440758: No URI records found
[99619] 1714995037.440759: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995047.449855: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995057.456781: No SRV records found
[13:30:57:954] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
[99619] 1714995057.456782: Destroying ccache MEMORY:dM7nvS9
[13:30:57:226] [99619:00018525] [WARN][com.freerdp.core.license] - [license_read_binary_blob_data]: license binary blob::type BB_ERROR_BLOB, length=0, skipping.
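
To read the timing out of a trace like the one above, here is an added example (mine, not code from the FreeRDP project or from anyone in this thread) that parses KRB5_TRACE lines, charges each "Sending DNS ... query" line the interval until the next trace line, and counts FreeRDP's Kerberos error lines. The sample log is the maintainer's trace above, trimmed to the DNS and error lines; the regular expressions assume the zero-padded "[pid] seconds.microseconds:" prefix shown there.

```python
import re

# Constructed sample input: the KRB5_TRACE output from the maintainer's run
# above, trimmed to the DNS-discovery lines and FreeRDP's error lines.
SAMPLE_LOG = """\
[99619] 1714994997.396305: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714994997.396306: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995007.408895: No URI records found
[99619] 1714995007.408896: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995017.419469: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995027.429896: No SRV records found
[13:30:27:927] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
[99619] 1714995027.429897: Destroying ccache MEMORY:wLqbmfR
[99619] 1714995027.429906: Sending request (185 bytes) to RDTEST.LOCAL
[99619] 1714995027.429907: Sending DNS URI query for _kerberos.RDTEST.LOCAL.
[99619] 1714995037.440758: No URI records found
[99619] 1714995037.440759: Sending DNS SRV query for _kerberos._udp.RDTEST.LOCAL.
[99619] 1714995047.449855: Sending DNS SRV query for _kerberos._tcp.RDTEST.LOCAL.
[99619] 1714995057.456781: No SRV records found
[13:30:57:954] [99619:00018525] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5glue_get_init_creds (Cannot find KDC for realm "RDTEST.LOCAL" [-1765328230])
"""

# KRB5_TRACE lines look like "[pid] seconds.microseconds: message"
# (assumed zero-padded to six digits, as in the trace above).
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+)\.(\d{6}): (.*)$")
DNS_RE = re.compile(r"^Sending DNS (URI|SRV) query for (\S+)$")
# FreeRDP's own log line for a failed Kerberos credential acquisition.
KRB_FAIL_RE = re.compile(r"\[ERROR\]\[com\.winpr\.sspi\.Kerberos\] - \[(\w+)\]: (.*)$")


def parse_trace(text):
    """Return [(timestamp_us, message)] for the KRB5_TRACE lines in `text`."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            events.append((int(m.group(2)) * 1_000_000 + int(m.group(3)), m.group(4)))
    return events


def dns_waits(text):
    """Time spent in each KDC-discovery DNS query.

    Each 'Sending DNS ... query' line is charged the interval until the next
    trace line, because libkrb5 blocks in the resolver until it answers or
    times out. Returns [(record_type, name, seconds)] in log order.
    """
    events = parse_trace(text)
    waits = []
    for (ts, msg), (next_ts, _) in zip(events, events[1:]):
        m = DNS_RE.match(msg)
        if m:
            waits.append((m.group(1), m.group(2), (next_ts - ts) / 1e6))
    return waits


def summarize(text):
    """Relate the resolver stalls to FreeRDP's visible Kerberos failures."""
    waits = dns_waits(text)
    failures = [m.group(2) for line in text.splitlines() if (m := KRB_FAIL_RE.search(line))]
    return {
        "dns_queries": len(waits),
        "dns_seconds": round(sum(w[2] for w in waits), 2),
        "longest_query_seconds": round(max((w[2] for w in waits), default=0.0), 2),
        "kerberos_failures": len(failures),
    }


if __name__ == "__main__":
    for rtype, name, secs in dns_waits(SAMPLE_LOG):
        print(f"{rtype:3} {name:40} {secs:6.2f}s")
    print(summarize(SAMPLE_LOG))
```

On the sample this attributes roughly ten seconds to each of the six queries (URI, SRV over UDP, SRV over TCP, twice, because FreeRDP calls AcquireCredentialsHandle a second time), about sixty seconds in total before the NTLM fallback gets its turn. When the resolver never answers at all, as in the connect() frame at the top of the call stack posted earlier, that per-query wait is whatever the C library's resolver timeout and retry settings add up to, which is why a bad krb5.conf looks like a hang rather than a slow failure.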

@giox069
Contributor

giox069 commented May 6, 2024

@akallabeth my /etc/krb5.conf does not exist. I will be able to produce a debug trace later this night (CET), not now. If you need, I can open a remote TCP port from a fixed IP address/subnet so you can do tests by yourself. I can set it up this night.

Remember that the error appears when:
/v: contains a numeric IP address
/d: contains an internet domain (with at least a dot). Both resolvable or not in my case.

@akallabeth
Member

@giox069 ok, I'll wait.
the sample above was exactly such a setup, /v:192.168.xx.yy /u:user /d:domain.local

@akallabeth
Member

@giox069 @fredizzimo ok, I've found a way to fix this for my case here with the following /etc/krb5.conf:

[libdefaults]
rdns = false
dns_lookup_kdc = 0

this effectively disables DNS lookup, failing kerberos immediately.
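
As an added example (my own helper, not part of FreeRDP, MIT krb5 or this thread), the following script parses a krb5.conf and predicts whether libkrb5 will sit in DNS for the user's realm or fail at once, covering both the Arch sample file quoted earlier in the thread and the two-line workaround above. The function names parse_krb5_conf and audit_krb5_conf are mine; the sample inputs are transcribed from the thread.

```python
import re

# Constructed sample input: the MIT example file that Arch installs as
# /etc/krb5.conf, transcribed from the issue above.
EXAMPLE_CONF = """\
[libdefaults]
        default_realm = ATHENA.MIT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
        ATHENA.MIT.EDU = {
                admin_server = kerberos.mit.edu
        }
        ANDREW.CMU.EDU = {
                admin_server = kdc-01.andrew.cmu.edu
        }

[domain_realm]
        mit.edu = ATHENA.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .ucsc.edu = CATS.UCSC.EDU

[logging]
#       kdc = CONSOLE
"""

# The two-line workaround posted in the thread.
WORKAROUND_CONF = """\
[libdefaults]
rdns = false
dns_lookup_kdc = 0
"""

TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}
FALSE_WORDS = {"false", "f", "no", "n", "off", "0"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {subkey: [values]}}}.

    Handles full-line '#' / ';' comments and nested 'name = { ... }' blocks;
    repeated keys (several 'kdc =' lines) are collected into a list.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {raw!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def first(table, key, default=None):
    """First value of a scalar key; libkrb5 also uses the first matching relation."""
    values = table.get(key)
    return values[0] if isinstance(values, list) and values else default


def as_bool(value, default):
    """Interpret a krb5 boolean the way the profile library does."""
    if value is None:
        return default
    if value.lower() in TRUE_WORDS:
        return True
    if value.lower() in FALSE_WORDS:
        return False
    raise ValueError(f"not a krb5 boolean: {value!r}")


def audit_krb5_conf(text, realm):
    """Predict how libkrb5 will look for a KDC of `realm` under this config.

    Returns (waits_on_dns, findings). waits_on_dns is True when every Kerberos
    attempt turns into a series of resolver timeouts (the symptom in this
    issue) instead of failing at once and letting FreeRDP fall back to NTLM.
    """
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    findings = []

    default_realm = first(libdefaults, "default_realm")
    if default_realm and default_realm.upper() != realm.upper():
        findings.append(f"default_realm is {default_realm}, not {realm}: "
                        "this looks like a sample file rather than a site config")
    for name, body in realms.items():
        if isinstance(body, dict) and "kdc" not in body:
            findings.append(f"realm {name} has no 'kdc =' line")

    stanza = realms.get(realm.upper())
    kdcs = stanza.get("kdc", []) if isinstance(stanza, dict) else []
    if kdcs:
        findings.append(f"{realm}: static KDC list {kdcs}, no DNS discovery needed")
        return False, findings
    # dns_lookup_kdc defaults to true in MIT krb5, so an empty file also waits.
    if as_bool(first(libdefaults, "dns_lookup_kdc"), True):
        findings.append(f"{realm}: no 'kdc =' line and dns_lookup_kdc is on; libkrb5 "
                        "sends _kerberos URI and _kerberos._udp/_tcp SRV queries and "
                        "blocks for each resolver timeout before giving up")
        return True, findings
    findings.append(f"{realm}: no 'kdc =' line and dns_lookup_kdc is off; Kerberos "
                    "fails at once with 'Cannot find KDC for realm' and FreeRDP "
                    "can fall back to NTLM")
    return False, findings
```

Run against the Arch sample file for a realm such as DOMAIN.ORG it reports the foreign default_realm, the two realms that carry an admin_server but no kdc, and that KDC discovery will go to DNS; against the workaround file it reports an immediate failure. The third outcome, a static kdc line for your own realm, is the configuration to prefer over the workaround if you do want Kerberos to succeed, since dns_lookup_kdc = 0 turns Kerberos off for every realm on the machine.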

@giox069
Contributor

giox069 commented May 6, 2024

@giox069 @fredizzimo ok, I've found a way to fix this for my case here with the following /etc/krb5.conf:

[libdefaults]
rdns = false
dns_lookup_kdc = 0

this effectively disables DNS lookup, failing kerberos immediately.

This workaround is working! 👍

@akallabeth akallabeth linked a pull request May 6, 2024 that will close this issue