FreeRDP: [arch,kerberos] Freerdp 3 authentication hangs due to broken krb5.conf
Describe the bug
After the Arch Linux remmina package was updated to use freerdp3, the remote connection to my workplace Windows 11 computer stopped working. I first thought that it was a remmina problem, but it does seem to be a freerdp one, since I can repeat it with xfreerdp. Freerdp 2 works fine.
To Reproduce
- run `xfreerdp /v:computer.domain.org /u:user.name@domain.org /p:password /log-level:TRACE +auth-only`
- Observe that it hangs after a short time, with no more logs being printed. CTRL-c does not kill it either, it has to be killed the hard way.
Expected behavior
It should login and exit
Application details
- FreeRDP version (`xfreerdp /version`): 3.5.2-dev0 (c172713c4)
- Command line used: `xfreerdp /v:computer.domain.org /u:user.name@domain.org /p:password /log-level:TRACE +auth-only`
- Output of `xfreerdp /buildconfig`

buildconfig
```
[15:25:21:504] [335632:00051f10] [INFO][com.winpr.timezone] - [winpr_detect_windows_time_zone]: tzid: Europe/Helsinki
This is FreeRDP version 3.5.2-dev0 (c172713c4)
Build configuration: BUILD_TESTING=OFF WINPR_HAVE_AIO_H=1 WINPR_HAVE_EXECINFO_BACKTRACE=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 WINPR_HAVE_EXECINFO_HEADER=1 WINPR_HAVE_FCNTL_H=1 WINPR_HAVE_GETLOGIN_R=1 WINPR_HAVE_GETPWUID_R=1 WINPR_HAVE_INTTYPES_H=1 WINPR_HAVE_POLL_H=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIB=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 WINPR_HAVE_STDBOOL_H=1 WINPR_HAVE_STDINT_H=1 WINPR_HAVE_STRNDUP=1 WINPR_HAVE_SYSLOG_H=1 WINPR_HAVE_SYS_EVENTFD_H=1 WINPR_HAVE_SYS_FILIO_H= WINPR_HAVE_SYS_SELECT_H=1 WINPR_HAVE_SYS_SOCKIO_H= WINPR_HAVE_SYS_TIMERFD_H=1 WINPR_HAVE_TM_GMTOFF=1 WINPR_HAVE_UNISTD_H=1 WINPR_HAVE_UNWIND_H=1 WITH_AAD=ON WITH_ABSOLUTE_PLUGIN_LOAD_PATHS=ON WITH_ADD_PLUGIN_TO_RPATH=OFF WITH_ALSA=ON WITH_BINARY_VERSIONING=OFF WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CLIENT_SDL=ON WITH_CLIENT_SDL_AVAILABLE=1 WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_CODECS=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_EVENTS=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SCHANNEL=OFF WITH_DEBUG_SDL_EVENTS=OFF WITH_DEBUG_SDL_KBD_EVENTS=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_DSP_FFMPEG_AVAILABLE=1 WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=ON WITH_FREERDP_DEPRECATED=OFF WITH_FREERDP_DEPRECATED_COMMANDLINE=OFF WITH_FUSE=ON WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_INTERNAL_RC4=OFF WITH_JPEG=ON WITH_KRB5=ON WITH_KRB5_NO_NTLM_FALLBACK=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBRESSL=OFF WITH_LODEPNG=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_NATIVE_SSPI=OFF WITH_NEON=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSSL=ON WITH_OPUS=OFF WITH_OSS=ON WITH_PCSC=ON WITH_PKCS11=ON WITH_PLATFORM_SERVER=ON WITH_POLL=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_APP=ON WITH_PROXY_EMULATE_SMARTCARD=OFF WITH_PROXY_MODULES=ON WITH_PULSE=ON WITH_RDTK=ON WITH_SAMPLE=ON WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SDL_IMAGE_DIALOGS=OFF WITH_SDL_LINK_SHARED=ON WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_EMULATE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SMARTCARD_PCSC=ON WITH_SOXR=OFF WITH_SSE2=OFF WITH_SWSCALE=ON WITH_SYSTEMD=ON WITH_THIRD_PARTY=OFF WITH_UNICODE_BUILTIN=OFF WITH_URIPARSER=OFF WITH_VAAPI=OFF WITH_VAAPI_AVAILABLE=1 WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_VIDEO_FFMPEG=ON WITH_VIDEO_FFMPEG_AVAILABLE=1 WITH_WAYLAND=ON WITH_WEBVIEW=ON WITH_WEBVIEW_QT=OFF WITH_WINPR_DEPRECATED=OFF WITH_WINPR_TOOLS=ON WITH_WIN_CONSOLE=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XV=ON
Build type: Release
CFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/build/freerdp-git/src=/usr/src/debug/freerdp-git -flto=auto -Wall -Wpedantic -Wno-padded -Wno-cast-align -Wno-declaration-after-statement -fPIC -Wall -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -fno-omit-frame-pointer
Compiler: GNU, 13.2.1
Target architecture: x64
Keyboard Shortcuts:
<Right CTRL> releases keyboard and mouse grab
<CTRL>+<ALT>+<Return> toggles fullscreen state of the application
<CTRL>+<ALT>+c toggles remote control in a remote assistance session
Action Script
Executes a predefined script on key press.
Should the script not exist it is ignored.
Scripts can be provided at the default localtion ~/.config/freerdp/action.sh or as command line argument /action:script:<path>
The script will receive the current key combination as argument.
The output of the script is parsed for 'key-local' which tells that the script used the key combination, otherwise the combination is forwarded to the remote.
```
- OS version connecting to (server side): Windows 11 Enterprise 22000.2836
- If available the log output from a run with `/log-level:trace 2>&1 | tee log.txt`

freerdp3
[14:59:18:312] [282370:00044f02] [INFO][com.winpr.timezone] - [winpr_detect_windows_time_zone]: tzid: Europe/Helsinki
[14:59:18:315] [282370:00044f02] [DEBUG][com.freerdp.client.common] - [freerdp_client_settings_parse_command_line]: This is 3.5.2-dev0 Build configuration: BUILD_TESTING=OFF WINPR_HAVE_AIO_H=1 WINPR_HAVE_EXECINFO_BACKTRACE=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 WINPR_HAVE_EXECINFO_HEADER=1 WINPR_HAVE_FCNTL_H=1 WINPR_HAVE_GETLOGIN_R=1 WINPR_HAVE_GETPWUID_R=1 WINPR_HAVE_INTTYPES_H=1 WINPR_HAVE_POLL_H=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIB=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 WINPR_HAVE_STDBOOL_H=1 WINPR_HAVE_STDINT_H=1 WINPR_HAVE_STRNDUP=1 WINPR_HAVE_SYSLOG_H=1 WINPR_HAVE_SYS_EVENTFD_H=1 WINPR_HAVE_SYS_FILIO_H= WINPR_HAVE_SYS_SELECT_H=1 WINPR_HAVE_SYS_SOCKIO_H= WINPR_HAVE_SYS_TIMERFD_H=1 WINPR_HAVE_TM_GMTOFF=1 WINPR_HAVE_UNISTD_H=1 WINPR_HAVE_UNWIND_H=1 WITH_AAD=ON WITH_ABSOLUTE_PLUGIN_LOAD_PATHS=ON WITH_ADD_PLUGIN_TO_RPATH=OFF WITH_ALSA=ON WITH_BINARY_VERSIONING=OFF WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CLIENT_SDL=ON WITH_CLIENT_SDL_AVAILABLE=1 WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_CODECS=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_EVENTS=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SCHANNEL=OFF WITH_DEBUG_SDL_EVENTS=OFF WITH_DEBUG_SDL_KBD_EVENTS=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF 
WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_DSP_FFMPEG_AVAILABLE=1 WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=ON WITH_FREERDP_DEPRECATED=OFF WITH_FREERDP_DEPRECATED_COMMANDLINE=OFF WITH_FUSE=ON WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_INTERNAL_RC4=OFF WITH_JPEG=ON WITH_KRB5=ON WITH_KRB5_NO_NTLM_FALLBACK=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBRESSL=OFF WITH_LODEPNG=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_NATIVE_SSPI=OFF WITH_NEON=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSSL=ON WITH_OPUS=OFF WITH_OSS=ON WITH_PCSC=ON WITH_PKCS11=ON WITH_PLATFORM_SERVER=ON WITH_POLL=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_APP=ON WITH_PROXY_EMULATE_SMARTCARD=OFF WITH_PROXY_MODULES=ON WITH_PULSE=ON WITH_RDTK=ON WITH_SAMPLE=ON WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SDL_IMAGE_DIALOGS=OFF WITH_SDL_LINK_SHARED=ON WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_EMULATE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SMARTCARD_PCSC=ON WITH_SOXR=OFF WITH_SSE2=OFF WITH_SWSCALE=ON WITH_SYSTEMD=ON WITH_THIRD_PARTY=OFF WITH_UNICODE_BUILTIN=OFF WITH_URIPARSER=OFF WITH_VAAPI=OFF WITH_VAAPI_AVAILABLE=1 WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_VIDEO_FFMPEG=ON WITH_VIDEO_FFMPEG_AVAILABLE=1 WITH_WAYLAND=ON WITH_WEBVIEW=ON WITH_WEBVIEW_QT=OFF WITH_WINPR_DEPRECATED=OFF WITH_WINPR_TOOLS=ON WITH_WIN_CONSOLE=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XV=ON
Build type: Release
CFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/build/freerdp-git/src=/usr/src/debug/freerdp-git -flto=auto -Wall -Wpedantic -Wno-padded -Wno-cast-align -Wno-declaration-after-statement -fPIC -Wall -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -fno-omit-frame-pointer
Compiler: GNU, 13.2.1
Target architecture: x64
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_connect_begin]: resetting error state
[14:59:18:315] [282370:00044f03] [INFO][com.freerdp.client.x11] - [xf_pre_connect]: Authentication only. Don't connect to X.
[14:59:18:315] [282370:00044f03] [TRACE][com.freerdp.api] - [freerdp_channels_process_message]: IFCALL(message->Free) == NULL
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpdr
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpsnd
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.channels.channels.cliprdr.client] - [cliprdr_VirtualChannelEntryEx]: VirtualChannelEntryEx
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx cliprdr
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.channels.drdynvc.client] - [drdynvc_VirtualChannelEntryEx]: VirtualChannelEntryEx
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx drdynvc
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives benchmark: only one backend, skipping...
[14:59:18:315] [282370:00044f03] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives autodetect, using generic
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: TRUE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdstls]: Enabling RDSTLS security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_enable_aad]: Enabling RDS AAD security: FALSE
[14:59:18:320] [282370:00044f03] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x55d387aba3f0]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[14:59:18:321] [282370:00044f03] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer 10.42.4.213
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA security
[14:59:18:362] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: 3
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]: RDP_NEG_RSP::flags = { [0x1f] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED|RDP_NEGRSP_RESERVED|RESTRICTED_ADMIN_MODE_SUPPORTED|REDIRECTED_AUTHENTICATION_MODE_SUPPORTED }
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state: NEGO_STATE_FINAL
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[14:59:18:424] [282370:00044f03] [DEBUG][com.freerdp.core.nego] - [nego_try_connect]: nego_security_connect with PROTOCOL_HYBRID
[14:59:18:517] [282370:00044f03] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:59:18:517] [282370:00044f03] [WARN][com.freerdp.crypto] - [verify_cb]: CN = computer.domain.org
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.nla] - [nla_set_early_user_auth]: Early User Auth active: false
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_INITIAL
[14:59:18:518] [282370:00044f03] [DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]: InitSecurityInterfaceExA
[14:59:18:518] [282370:00044f03] [DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package: Negotiate (cbMaxToken: 12256 bytes)
freerdp 2
[14:56:12:893] [282108:282108] [DEBUG][com.freerdp.client.common] - This is Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_AIO_H=1 HAVE_EXECINFO_BACKTRACE=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 HAVE_EXECINFO_H=ON HAVE_EXECINFO_HEADER=1 HAVE_FCNTL_H=1 HAVE_GETLOGIN_R=1 HAVE_GETPWUID_R=1 HAVE_INTTYPES_H=1 HAVE_JOURNALD_H=TRUE HAVE_MATH_C99_LONG_DOUBLE=1 HAVE_PIXMAN_REGION=OFF HAVE_POLL_H=1 HAVE_PTHREAD_MUTEX_TIMEDLOCK=ON HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 HAVE_SYSLOG_H=1 HAVE_SYS_EVENTFD_H=1 HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H=1 HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_SYS_TIMERFD_H=1 HAVE_TM_GMTOFF=1 HAVE_UNISTD_H=1 HAVE_XI_TOUCH_CLASS=1 WITH_ALSA=ON WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=TRUE WITH_FFMPEG=TRUE WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF 
WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_IPP=OFF WITH_JPEG=ON WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBSYSTEMD=ON WITH_MACAUDIO=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSLES=OFF WITH_OPENSSL=ON WITH_OSS=ON WITH_PAM=ON WITH_PCSC=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_MODULES=OFF WITH_PULSE=ON WITH_SAMPLE=OFF WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_INSPECT=OFF WITH_SOXR=OFF WITH_SSE2=ON WITH_SWSCALE=ON WITH_THIRD_PARTY=OFF WITH_VAAPI=OFF WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_WAYLAND=ON WITH_WINPR_TOOLS=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XDAMAGE=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XKBFILE=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XSHM=ON WITH_XTEST=ON WITH_XV=ON WITH_ZLIB=ON
Build type: None
CFLAGS: -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/freerdp2/src=/usr/src/debug/freerdp2 -flto=auto -fPIC -Wall -Wno-unused-result -Wno-unused-but-set-variable -Wno-deprecated-declarations -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer -DWINPR_DLL
Compiler: GNU, 13.2.1
Target architecture: x64
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.channels.drdynvc.client] - VirtualChannelEntryEx
[14:56:12:893] [282108:282109] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx drdynvc
[14:56:12:893] [282108:282109] [INFO][com.freerdp.client.x11] - Authentication only. Don't connect to X.
[14:56:12:895] [282108:282109] [DEBUG][com.freerdp.primitives] - primitives benchmark result:
[14:56:12:048] [282108:282109] [DEBUG][com.freerdp.primitives] - * generic= 83
[14:56:12:199] [282108:282109] [DEBUG][com.freerdp.primitives] - * optimized= 174
[14:56:12:199] [282108:282109] [DEBUG][com.freerdp.primitives] - primitives autodetect, using optimized
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[14:56:12:202] [282108:282109] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[14:56:12:203] [282108:282109] [DEBUG][com.freerdp.core] - connecting to peer 10.42.4.213
[14:56:12:274] [282108:282109] [DEBUG][com.freerdp.core.nego] - RequestedProtocols: 3
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP::flags = { [0x1f] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED|RDP_NEGRSP_RESERVED|RESTRICTED_ADMIN_MODE_SUPPORTED|REDIRECTED_AUTHENTICATION_MODE_SUPPORTED }
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - selected_protocol: 2
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_FINAL
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[14:56:13:344] [282108:282109] [DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_HYBRID
[14:56:13:449] [282108:282109] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:56:13:449] [282108:282109] [WARN][com.freerdp.crypto] - CN = computer.domain.org
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - nla_client_init 411 : packageName=Negotiate ; cbMaxToken=12256
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_INITIAL
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_NEGOTIATE
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe20882b7] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_NEGOTIATE_OEM|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_LM_KEY|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:449] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_NEGOTIATE to NTLM_STATE_CHALLENGE
[14:56:13:449] [282108:282109] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[14:56:13:449] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 40):
[14:56:13:450] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_NEGO --> CONNECTION_STATE_NLA
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Read flags [0xe2898235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_TARGET_TYPE_DOMAIN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_CHALLENGE to NTLM_STATE_AUTHENTICATE
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe288a235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[14:56:13:550] [282108:282109] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_AUTHENTICATE to NTLM_STATE_FINAL
[14:56:13:550] [282108:282109] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext SEC_E_OK [0x00000000]
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 530):
[14:56:13:550] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.pubKeyAuth (length = 48):
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.nla] - Client: Sending PubKeyAuth Token
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.nla] - NLA.authInfo (length = 117):
[14:56:13:850] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_NLA --> CONNECTION_STATE_MCS_CONNECT
[14:56:13:951] [282108:282109] [DEBUG][com.freerdp.core.gcc] - Server rdp encryption method: NONE
[14:56:13:951] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_CONNECT --> CONNECTION_STATE_MCS_ATTACH_USER
[14:56:13:051] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_ATTACH_USER --> CONNECTION_STATE_MCS_CHANNEL_JOIN
[14:56:14:854] [282108:282109] [DEBUG][com.freerdp.core.info] - Client Info Packet Flags = INFO_MOUSE|INFO_DISABLECTRLALTDEL|INFO_UNICODE|INFO_MAXIMIZESHELL|INFO_LOGONNOTIFY|INFO_COMPRESSION|INFO_ENABLEWINDOWSKEY|INFO_FORCE_ENCRYPTED_CS_PDU|INFO_LOGONERRORS|INFO_MOUSE_HAS_WHEEL|INFO_NOAUDIOPLAYBACK
[14:56:14:854] [282108:282109] [DEBUG][com.winpr.timezone] - tz: Bias=-120 sn='FLE Standard Time' dln='FLE Daylight Time'
[14:56:14:854] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_MCS_CHANNEL_JOIN --> CONNECTION_STATE_LICENSING
[14:56:14:055] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_LICENSING --> CONNECTION_STATE_CAPABILITIES_EXCHANGE
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_CAPABILITIES_EXCHANGE --> CONNECTION_STATE_FINALIZATION
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x1f size=37 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x14 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x14 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x2b size=57 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - rdp_send_data_pdu: sending data (type=0x27 size=41 channelId=1009)
[14:56:14:155] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Monitor Layout Data PDU (0x37), length: 42
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Synchronize Data PDU (0x1F), length: 22
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.rdp] - recv Font Map Data PDU (0x28), length: 26
[14:56:14:255] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_FINALIZATION --> CONNECTION_STATE_ACTIVE
[14:56:14:256] [282108:282109] [ERROR][com.freerdp.core] - Authentication only, exit status 0
[14:56:14:256] [282108:282109] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 0
[14:56:14:256] [282108:282109] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_ACTIVE --> CONNECTION_STATE_INITIAL
[14:56:14:257] [282108:282108] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Environment (please complete the following information):
- OS: Linux
- Version/Distribution: Arch Linux
- Architecture: amd64
About this issue
- State: closed
- Created 2 months ago
- Comments: 31 (21 by maintainers)
This workaround is working! 👍
@giox069 @fredizzimo ok, I've found a way to fix this for my case here with the following `/etc/krb5.conf`:

this effectively disables `DNS` lookup, failing kerberos immediately.

@akallabeth my `/etc/krb5.conf` does not exist. I will be able to produce a debug trace later this night (CET), not now. If you need, I can open a remote TCP port from a fixed IP address/subnet so you can do tests by yourself. I can set it up this night.
Remember that the error appears when:
- `/v:` contains a numeric IP address
- `/d:` contains an internet domain (with at least a dot). Both resolvable or not in my case.
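
The comments above turn on two things: a `/etc/krb5.conf` that disables Kerberos DNS lookups, and a client machine where that file does not exist at all. The script below is an added example, not code from the thread or from FreeRDP; it reports which DNS lookup settings the Kerberos library ends up with in either case and wraps the `+auth-only` probe in a hard timeout with Kerberos tracing. Assumptions: the file posted in the comment is not preserved on this page, so the two `[libdefaults]` keys used here (MIT krb5's `dns_lookup_kdc` and `dns_lookup_realm`) and the MIT defaults are assumptions about that setup, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the issue thread or the FreeRDP project.
# Resolves the [libdefaults] DNS lookup switches the Kerberos library will use.
# Assumptions: MIT krb5 defaults (dns_lookup_kdc=true, dns_lookup_realm=false)
# apply when the key or the whole file is absent; include/includedir
# directives are not followed.

# krb5_libdefault FILE KEY DEFAULT -> prints "true" or "false"
krb5_libdefault() {
    if [ ! -r "$1" ]; then          # missing or unreadable file: defaults apply
        printf '%s\n' "$3"
        return 0
    fi
    awk -v key="$2" -v def="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && found == 0 {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) { val = tolower(v); found = 1 }   # first match is used here
        }
        END {
            if (val ~ /^(true|yes|y|t|on|1)$/)            print "true"
            else if (val ~ /^(false|no|n|nil|off|0)$/)    print "false"
            else                                          print def
        }' "$1"
}

# kdc_lookup_report FILE -> "dns_lookup_kdc=<bool> dns_lookup_realm=<bool>"
kdc_lookup_report() {
    printf 'dns_lookup_kdc=%s dns_lookup_realm=%s\n' \
        "$(krb5_libdefault "$1" dns_lookup_kdc true)" \
        "$(krb5_libdefault "$1" dns_lookup_realm false)"
}

# write_no_dns_conf FILE: constructed config with both DNS lookups switched off.
write_no_dns_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
EOF
}

# auth_probe CONF HOST USER: the +auth-only run from the report, bounded in time.
# timeout -k sends SIGKILL 5 s after the 30 s limit, since the report says the
# hung client ignores CTRL-c. KRB5_TRACE writes the Kerberos trace to stderr.
auth_probe() {
    KRB5_CONFIG=$1 KRB5_TRACE=/dev/stderr \
        timeout -k 5 30 xfreerdp "/v:$2" "/u:$3" /log-level:TRACE +auth-only
}

# Report the configuration the client would pick up (single path assumed).
conf=${KRB5_CONFIG:-/etc/krb5.conf}
[ -e "$conf" ] || echo "$conf does not exist, library defaults apply"
echo "$conf: $(kdc_lookup_report "$conf")"
```

To compare behaviour, write the constructed file with `write_no_dns_conf /tmp/krb5-nodns.conf` and pass that path to `auth_probe` together with the host and user from the report.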
@fredizzimo @giox069 can you add a full log of your failed connections with kerberos debugging enabled? (see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/env_variables.html for details for kerberos debugging) [note] you can PM me in our matrix chat if you don't want to publish the logs.
No, my response was just about the `krb5-kdc.service`. So the original problem remains.

I understand that it's hard to know what the problem is with this little information, so I can try to debug it during the weekend, to at least provide more information.
Ah, I just double checked, all of the activation of that was by myself through `systemctl restart`, not by the system.

Ok, I will try that out now, and come back to you with the results.