NoMachine Headless Server

Summary

The “Session Negotiation Failed” error in a NoMachine headless server setup typically indicates a mismatch between the NoMachine session transport and the underlying X11/X server configuration. The specific error ui_init(), failed to open X11 display: The X11Forwarding is already enabled suggests a conflict where the NoMachine session manager is attempting to start a local X server (or X forwarder) when one is already active or configured incorrectly. In this specific topology (OpenBSD Client -> Unix Headless Server -> Windows Terminal Server), the issue usually stems from the NoMachine agent on the Unix server failing to handshake with the Windows Terminal Server node due to missing X11 dependencies or conflicting display allocation.

Root Cause

The root cause is the inability of the NoMachine session manager on the Unix headless server to initialize a valid graphical session context for the downstream Windows target.

Missing X11 Libraries on Headless Server: NoMachine requires base X11 libraries even for headless forwarding. If the Unix server is truly headless (no X11 installed), the xinit or session handshake fails.
Conflicting X11 Forwarding: The error X11Forwarding is already enabled implies that the SSH daemon or the NoMachine node process is trying to bind to a display that is already claimed or the logic for starting the X server is circular.
Incorrect Display Protocol: The configuration is attempting to use X11 forwarding directly to a Windows machine (which uses RDP, not X11) without the proper NoMachine “bridge” or proxy configuration.
Firewall/NAT Traversal: The “Session Negotiation Failed” often occurs when the RTP ports used by NoMachine NX are blocked between the Unix server and the Windows Terminal Server node.

Why This Happens in Real Systems

NoMachine NX is an X11-based protocol. Even when connecting to non-X11 systems (like Windows), the intermediate Unix server must act as an X11 bridge.

“Headless” Misconception: Administrators often configure a server as “headless” (no physical monitor/GPU) but fail to install a virtual framebuffer (like Xvfb or Xdummy). NoMachine requires a display server to render the session, even if it’s virtual.
Component Architecture: The NoMachine “Node” (service) on the Unix server requires the nxnode process to spawn the session. If the environment variables (specifically DISPLAY) are set incorrectly, the node attempts to start a new X server where one is forbidden or already active.
RDP vs. X11 Protocol Translation: The error ui_init() comes from the client-side or node-side X11 abstraction layer. When connecting to Windows, the Unix server must proxy the X11 stream over RDP. If the tunnel is not established, the client falls back to local X11 initialization, resulting in the “failed to open X11 display” error.

Real-World Impact

Total Service Outage: Users cannot establish any remote desktop sessions, rendering the Unix gateway server useless for its intended purpose.
Authentication Loop: Users can pass the initial authentication (via Web) but get kicked out immediately upon session launch, confusing the troubleshooting process.
Resource Waste: The nxserver and node processes may spawn zombie processes trying to recover the failed session, consuming CPU and memory.
Security Risk: Temporarily disabling security features (like X11 forwarding checks) to force a connection can leave the server vulnerable if not reverted.

Example or Code

To resolve the X11 dependency on a headless Unix server (assuming a Linux-based system, as OpenBSD has different package names), you must install a virtual framebuffer and ensure the NoMachine session can bind to it.

# Install Xvfb (X Virtual Framebuffer) to simulate a display on a headless server
# For Debian/Ubuntu
sudo apt-get update
sudo apt-get install xvfb

# For RHEL/CentOS/Fedora
sudo yum install xorg-x11-server-Xvfb

# Create a virtual display on display :99
Xvfb :99 -screen 0 1920x1080x24 &

# Export the DISPLAY variable before starting the NoMachine session
export DISPLAY=:99

# Restart the NoMachine service to pick up the display
sudo systemctl restart nxserver

How Senior Engineers Fix It

Verify Environment Variables: Senior engineers ensure DISPLAY is not set to a non-existent local display. They use unset DISPLAY or set it explicitly to a virtual display (:99) within the session context.
Install X11 Dependencies: Even on a “headless” server, they install xorg-x11-base or xvfb to provide the necessary libraries for the NoMachine ui_init() function.
Check Node Configuration: They inspect /usr/NX/etc/node.cfg to ensure DisplayServer settings are correct. If the server is truly headless, they force the use of Xvfb or a dummy driver.
Validate the Windows Node Connection: They ensure the Unix NoMachine server can reach the Windows Terminal Server via the specific NoMachine ports (usually 4000 range) and that the Windows NoMachine node is running and paired correctly.
Review Logs: They analyze /usr/NX/var/log/nxserver.log and nxnode.log to identify the exact point of failure (e.g., “Cannot bind to display,” “Connection refused”).

Why Juniors Miss It

Assuming “Headless” Means “No X11”: Juniors often strip X11 libraries entirely to save space on headless servers, not realizing that NoMachine is fundamentally an X11 server/client system that requires the libraries to function, even without a physical monitor.
Misinterpreting Error Messages: The message X11Forwarding is already enabled is often taken literally as an SSH config issue. Juniors may spent hours checking SSHD config (/etc/ssh/sshd_config), not realizing the error originates from the NoMachine internal X11 wrapper logic.
Ignoring Topology Incompatibility: They may try to use standard X11 forwarding (ssh -X) techniques on a protocol that encapsulates RDP, missing the nuance that NoMachine handles the translation internally.
Overlooking the Display Requirement: They fail to provision a virtual display (Xvfb), assuming the server should create one dynamically, leading to the “failed to open X11 display” crash.