
HDX Session Validation Failure


Dimas Rivera

Question

Hi

I have CentOS 6.6 installed and running (for a moment :)) in XenDesktop 7.6, StoreFront 3.0.

The problem is that a window appears with this error:

HDX Session Validation Failure

Due to a missing credential cache file, your logon request cannot be authenticated and this session will be terminated in 30 seconds. Please contact your administrator.

And yes, in 30 seconds the session is closed (the moment).

Could you help me with this?

Best regards.

Link to comment

13 answers to this question

Recommended Posts

  • 1

If the logs contain errors like this, maybe a permission error exists on a path accessed by winbind:

winbindd[1640]: [2020/05/13 11:58:30.050677,  0] ../../lib/krb5_wrap/krb5_samba.c:3597(smb_krb5_init_context_common)
winbindd[1640]:   smb_krb5_init_context_common: Krb5 context initialization failed (Permission denied)
winbindd[1640]: [2020/05/13 11:58:30.050932,  0] ../../source3/libads/kerberos.c:134(kerberos_kinit_password_ext)
winbindd[1640]:   kerberos_kinit_password_ext: kerberos init context failed (Permission denied)

The problem was that the smb_krb5 dir was accessible only by root:

# ls -ld /var/lib/samba/lock/smb_krb5/
drwx------ 2 root root 4096 May 13 12:03 /var/lib/samba/lock/smb_krb5/

Problem solved:

# chmod 755 /var/lib/samba/lock/smb_krb5/

 

  • Like 1
Link to comment
  • 0

Hi Dimas,

What AD integration are you using?

If you are using winbind then the most likely cause of this error is not having Kerberos ticket caching enabled.

Please make sure the following values are uncommented and set correctly in the [Global] section of /etc/security/pam_winbind.conf:

krb5_auth = yes

krb5_ccache_type = FILE

mkhomedir = yes

Then restart winbind using:

sudo service winbind restart

Let us know if this resolves the issue.

Link to comment
  • 0

I ran into the same issue, and could not find any reference to this issue anywhere except this thread. By changing the krb5 cache file location, I was able to fix the problem.

The file is /etc/krb5.conf

[libdefaults]
 dns_lookup_realm = false
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
 default_realm = <your realm>

If the path specified in the ccache name does not exist or doesn't have proper permissions for the user who is logging in, that could create the problem. Instead of /tmp, it could be in the user's directory as well but I am not sure what variables can be used there, so I chose to use the /tmp instead.

Hope this helps.

Link to comment
  • 0

Well. Not sure, but possibly you can try to upgrade or downgrade the OS version.

Then try to re-upgrade to the required version.

After that, you can try making sure the values are uncommented and set correctly in the [Global] section of /etc/security/pam_winbind.conf:

krb5_auth = yes

krb5_ccache_type = FILE

mkhomedir = yes

Then restart winbind using:

sudo service winbind restart

Link to comment
  • 0
On 5/13/2020 at 7:03 AM, Tamás Balog said:

If the logs contain errors like this, maybe a permission error exists on a path accessed by winbind:


winbindd[1640]: [2020/05/13 11:58:30.050677,  0] ../../lib/krb5_wrap/krb5_samba.c:3597(smb_krb5_init_context_common)
winbindd[1640]:   smb_krb5_init_context_common: Krb5 context initialization failed (Permission denied)
winbindd[1640]: [2020/05/13 11:58:30.050932,  0] ../../source3/libads/kerberos.c:134(kerberos_kinit_password_ext)
winbindd[1640]:   kerberos_kinit_password_ext: kerberos init context failed (Permission denied)

The problem was that the smb_krb5 dir was accessible only by root:


# ls -ld /var/lib/samba/lock/smb_krb5/
drwx------ 2 root root 4096 May 13 12:03 /var/lib/samba/lock/smb_krb5/

Problem solved:


# chmod 755 /var/lib/samba/lock/smb_krb5/

Created an account just to say thank you for posting this fix. Had the exact same error messages and have been banging my head against a wall for a day now trying to resolve this, and fixing the directory permissions fixed the issue.

Link to comment
  • 0
16 hours ago, Ron Terwilliger said:


Created an account just to say thank you for posting this fix. Had the exact same error messages and have been banging my head against a wall for a day now trying to resolve this, and fixing the directory permissions fixed the issue.

You're welcome. I felt I should post it :)

A strace + foreground winbind daemon revealed the path; grepping such output might help with less specific errors, too. If a hardened base OS must be used, there might be other problematic paths.

Link to comment
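The checks from the answers above (the three pam_winbind.conf values and the permissions on the smb_krb5 directory) collected into one read-only audit, as an added example that is not from any poster or from Citrix. The function names are hypothetical, the default paths are the ones quoted in the thread, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit the winbind/Kerberos settings discussed in this thread.
# It only reports; it changes no file modes or configuration.

# Print the value of KEY from the [global] section of FILE (commented lines ignored).
pam_winbind_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # skip commented-out lines
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# Return 0 if DIR exists and "other" users have read and search (r-x) access.
dir_open_to_others() {
    [ -d "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2            # GNU stat: octal mode, e.g. 700
    other=$(( mode % 10 ))                           # last digit = "other" permissions
    [ $(( other & 5 )) -eq 5 ]
}

# Run both checks; print one line per finding; return the number of problems.
audit_winbind_krb5() {
    conf=${1:-/etc/security/pam_winbind.conf}
    dir=${2:-/var/lib/samba/lock/smb_krb5}
    problems=0
    for want in krb5_auth=yes krb5_ccache_type=FILE mkhomedir=yes; do
        key=${want%%=*}; val=${want#*=}
        got=$(pam_winbind_value "$conf" "$key" 2>/dev/null)
        if [ "$got" != "$val" ]; then
            echo "FAIL $conf: $key is '${got:-unset}', expected '$val'"
            problems=$((problems + 1))
        fi
    done
    if ! dir_open_to_others "$dir"; then
        echo "FAIL $dir: missing or not accessible to non-root users"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: settings and directory match the thread"
    return "$problems"
}
```

Source the file and run `audit_winbind_krb5` as root on the Linux VDA; a commented-out key is reported as unset, which is the case the second answer warns about.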