Re: how to get the xorg driver working

2018-03-23 Thread Nick Couchman
On Fri, Mar 23, 2018 at 3:45 PM, Tom Astle  wrote:

> This is great, if I want to run the desktop as root all the time.
>
>
>
> For example: startx /usr/bin/icewm-session -- :1 -config
> /etc/X11/xorg.conf   works great
>
>
>
> Is this intended for only one user at a time?
>
>
>
Just like a normal X server you should be able to run a desktop login
manager (GDM, KDM, LXDM, etc.) on this X server, allowing Guacamole to
connect and then the user to log in, if you so choose.  Pretty much
whatever you want to do with an X.org server.

-Nick


Re: how to get the xorg driver working

2018-03-23 Thread Mike Jumper
On Fri, Mar 23, 2018 at 12:45 PM, Tom Astle  wrote:

> This is great, if I want to run the desktop as root all the time.
>
>
No, you do not need to run the desktop as root.


>
> For example: startx /usr/bin/icewm-session -- :1 -config
> /etc/X11/xorg.conf   works great
>
>
>
> Is this intended for only one user at a time?
>
>
No, but you will need to start separate X.Org instances on a per user
basis, similar to the way you would need to start multiple instances of a
VNC server.

- Mike


RE: how to get the xorg driver working

2018-03-23 Thread Tom Astle
This is great, if I want to run the desktop as root all the time. 

For example: startx /usr/bin/icewm-session -- :1 -config /etc/X11/xorg.conf   
works great

Is this intended for only one user at a time?


From: McRoy, Jeffrey (GE Healthcare)
Sent: Monday, March 12, 2018 17:13
To: user@guacamole.apache.org
Subject: Re: how to get the xorg driver working

Hi Thomas,

Below are some notes that might help you.

Regards,
Jeff


When the xorg branch of Guac is built the resulting libraries typically go to 
/usr/lib64/xorg/modules/, but this could vary by OS/xorg installation.
- (as the root user) chmod 755 /usr/lib64/xorg/modules/drivers/guac_drv*
- (as the root user) ldconfig

The xorg.conf file typically goes in /etc/X11/xorg.conf.d/, but this could vary 
by OS/xorg installation.

- Set the access permissions for the config file: chmod 644 xorg.conf

To allow external connections:
- Edit /usr/bin/startx script to listenarg="-listen tcp" instead of 
listenarg="-nolisten tcp"

The X server also uses a host-based access control list for deciding whether or
not to accept connections from clients on a particular machine. If no other
authorization mechanism is being used, this list initially consists of the host
on which the server is running as well as any machines listed in the file
/etc/Xn.hosts, where n is the display number of the server. Each line of the
file should contain either an IP Address, Internet hostname (e.g. expo.lcs.mit.edu) or a
DECnet hostname in double colon format (e.g. hydra::) or a complete name in the
format family:name as described in the xhost(1) manual page. There should be no
leading or trailing spaces on any lines. For example:

192.168.1.1
joesworkstation
corporate.company.com
star::
inet:bigcpu
local:


Determine if xauth is being used.
Procedure:
# xauth
xauth> list

If the above command sequence does not show any host other than the localhost, 
then xauth is not being used.
Search the system for an X*.hosts file, where "*" is a display number used to 
limit X window connections.
If no files are found, X*.hosts files are not being used. If the X*.hosts files 
contain any unauthorized hosts, this is a finding.
If both xauth and X*.hosts files are not being used, this is a finding.


To turn off xauth
- Edit /usr/bin/startx script to enable_xauth=0 instead of enable_xauth=1


To start the X Server without an X application using display 1:
startx -- :1 -ac -config /etc/X11/xorg.conf.d/xorg.conf &
(-ac shuts off access control for this instance)

To start the X Server with an X application using display 1:
startx /path/to/application -- :1 -ac -config /etc/X11/xorg.conf.d/xorg.conf.guac

To start the X Server with LXDE lightweight desktop using display 0 (if installed):
startx /usr/bin/startlxde -display :0 -- :0 -ac -config /etc/X11/xorg.conf.d/xorg.conf &

startx must be run from the console, not from within an X session.

startx needs an absolute path to the program.

Everything before '--' is executed as a command after the server is running. 
Everything after '--' gets passed to the server.
':1' is the display name. It must be unique (default is ':0').
startx (or more accurately, the X server), searches /etc/X11/ for the file you 
specify with the -config option. For more details, run man Xorg.


How to debug X problems (Fedora)
https://fedoraproject.org/wiki/How_to_debug_Xorg_problems



From: Tom Astle 
Reply-To: "user@guacamole.apache.org" 
Date: Monday, March 12, 2018 at 3:45 PM
To: " user@guacamole.apache.org" 
Subject: EXT: how to get the xorg driver working

I recompiled Mike Jumper’s xorg branch and installed it on my CentOS 7 server
 
I placed the xorg.conf file where it typically would land, but I’m not sure how 
one starts the Xserver so that it uses the guac xorg.conf?
 
Any ideas would be most appreciated.
 

​​Thomas Astle 
System Administrator 
Red Hat Certified System Administrator 
Phone: (800)722-1082
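
The access-control settings in the forwarded notes above (the /etc/Xn.hosts list, enable_xauth, listenarg and the -ac server flag) can be checked with a small audit script. This is an added example, not part of the original messages; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the X access-control settings named in the notes.
# Function names are hypothetical; all sample data below is constructed.

# Print each entry of an /etc/X<n>.hosts file that is not on the allowlist.
# usage: unauthorized_xhosts FILE ALLOWED_ENTRY...
unauthorized_xhosts() {
    hosts_file=$1
    shift
    while IFS= read -r entry || [ -n "$entry" ]; do
        if [ -z "$entry" ]; then continue; fi
        ok=0
        for allowed in "$@"; do
            if [ "$entry" = "$allowed" ]; then ok=1; break; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$entry"; fi
    done < "$hosts_file"
}

# Report the two startx edits from the notes that weaken access control.
# usage: startx_findings /usr/bin/startx
startx_findings() {
    if grep -Eq '^[[:space:]]*listenarg="-listen tcp"' "$1"; then
        echo "listen-tcp"
    fi
    if grep -Eq '^[[:space:]]*enable_xauth=0' "$1"; then
        echo "xauth-disabled"
    fi
}

# Succeed if a startx command line passes -ac to the X server, i.e. the
# flag appears after the "--" separator.
uses_ac() {
    found=1
    past_sep=0
    set -f                      # no glob expansion while word-splitting
    for word in $1; do
        if [ "$word" = "--" ]; then
            past_sep=1
        elif [ "$past_sep" -eq 1 ] && [ "$word" = "-ac" ]; then
            found=0
        fi
    done
    set +f
    return "$found"
}

# Demo on constructed files in a temporary directory.
demo=$(mktemp -d)
printf '%s\n' '192.168.1.1' 'joesworkstation' 'local:' > "$demo/X1.hosts"
printf '%s\n' 'enable_xauth=0' 'listenarg="-listen tcp"' > "$demo/startx"

echo "Entries in X1.hosts outside the allowlist:"
unauthorized_xhosts "$demo/X1.hosts" 'local:' '192.168.1.1'
echo "startx settings that weaken access control:"
startx_findings "$demo/startx"
cmd='startx -- :1 -ac -config /etc/X11/xorg.conf.d/xorg.conf'
if uses_ac "$cmd"; then
    echo "access control disabled by -ac: $cmd"
fi
rm -rf "$demo"
```

A display started with -ac on a server that also listens on TCP accepts connections from any host that can reach it, so all three checks matter together.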
 



Re: Connecting as admin user issue

2018-03-23 Thread Aaron Newsome
Harry, if you create another connection for the admin user, it should go to
the home page on login instead of going straight into the admin's only
connection.

--Aaron

On Fri, Mar 23, 2018 at 12:13 PM,  wrote:

> I have our admin user set to connect to a VNC connection.  So when it logs
> in, it automatically goes into that connection.  We didn’t mean to do this
> and need to back that out, so we can go into the Guacamole settings page
> and administer the other connections and users.  How can I do this?  I am
> pretty good at MySQL so if it has to be at the database level, I can do
> that too.
>
>
>
> Thanks,
>
> Harry
>
>
>
> Harry Devine
>
> DOT/FAA/AJM-2412
>
> Common ARTS Software Development
>
> Terminal Server (NASDAC) Administrator
>
> Red Hat Certified System Administrator (RHCSA)
>
> harry.dev...@faa.gov
>
> (609)485-4218
>
> Building 300, 3rd Floor, Column L20 (3L20)
>
>
>


RE: Connecting as admin user issue

2018-03-23 Thread harry.devine
Thanks Nick!  The Ctrl+Alt+Shift gave me what I needed.  Forgot all about that!

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Friday, March 23, 2018 3:27 PM
To: user@guacamole.apache.org
Subject: Re: Connecting as admin user issue

On Fri, Mar 23, 2018 at 3:13 PM,  wrote:
I have our admin user set to connect to a VNC connection.  So when it logs in, 
it automatically goes into that connection.  We didn’t mean to do this and need 
to back that out, so we can go into the Guacamole settings page and administer 
the other connections and users.  How can I do this?  I am pretty good at MySQL 
so if it has to be at the database level, I can do that too.


In the currently-released version, if the user only has 1 connection available, 
that connection is started automatically.  You can get to the Settings menu by 
using the Ctrl-Alt-Shift hot-key, which brings up the hidden menu, and then use 
the drop-down menu to get to the Settings page.

A recent JIRA issue and pull request changed this behavior:
https://issues.apache.org/jira/browse/GUACAMOLE-508
https://github.com/apache/guacamole-client/pull/255

So, after the next release (or using the current code in the git master), if 
the user has access to the Settings page (e.g. Admin user), the user will be 
taken to the home page instead of automatically connecting.

-Nick


Re: Connecting as admin user issue

2018-03-23 Thread Nick Couchman
On Fri, Mar 23, 2018 at 3:13 PM,  wrote:

> I have our admin user set to connect to a VNC connection.  So when it logs
> in, it automatically goes into that connection.  We didn’t mean to do this
> and need to back that out, so we can go into the Guacamole settings page
> and administer the other connections and users.  How can I do this?  I am
> pretty good at MySQL so if it has to be at the database level, I can do
> that too.
>
>
>
In the currently-released version, if the user only has 1 connection
available, that connection is started automatically.  You can get to the
Settings menu by using the Ctrl-Alt-Shift hot-key, which brings up the
hidden menu, and then use the drop-down menu to get to the Settings page.

A recent JIRA issue and pull request changed this behavior:
https://issues.apache.org/jira/browse/GUACAMOLE-508
https://github.com/apache/guacamole-client/pull/255

So, after the next release (or using the current code in the git master),
if the user has access to the Settings page (e.g. Admin user), the user
will be taken to the home page instead of automatically connecting.

-Nick


Connecting as admin user issue

2018-03-23 Thread harry.devine
I have our admin user set to connect to a VNC connection.  So when it logs in, 
it automatically goes into that connection.  We didn't mean to do this and need 
to back that out, so we can go into the Guacamole settings page and administer 
the other connections and users.  How can I do this?  I am pretty good at MySQL 
so if it has to be at the database level, I can do that too.

Thanks,
Harry

Harry Devine
DOT/FAA/AJM-2412
Common ARTS Software Development
Terminal Server (NASDAC) Administrator
Red Hat Certified System Administrator (RHCSA)
harry.dev...@faa.gov
(609)485-4218
Building 300, 3rd Floor, Column L20 (3L20)



Re: Shared RDP connections with 0.9.14

2018-03-23 Thread NeilC
Is there an API for generating the sharing URL?  If I could do that in an
automated way then distribute that to all my clients I can probably manage
the interaction swapping myself in another layer.

I'll have a look at the way the current client does it, see what I can find



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: Guacamole doesn't support AUDIO enable disable feature as FreeRDP do

2018-03-23 Thread Amarjeet Singh
>
> Guacamole does not use the same options to configure the same internal
> flags. The "xfreerdp" client and Guacamole are not equivalent in
> implementation, regardless of the fact that they use the same underlying
> RDP library (FreeRDP).



 I was just looking into FreeRDP code and get to know about these flags.

It's not my requirement.  I was just playing with those flags and trying to
find out the behaviour of Audio in Remote Server.

There could be use case though If I want to play sound on server machine
but not on the local machine which is somewhere else and do have audio
support ( speakers  not on cloud ) .

>
> Honestly, "leave on server" does not make sense to me as an option, but
> based on the code you pasted in your email, you'd need to use the
> "console-audio" option:


I tried to send the console-audio flag as well based on that code but of no
use.

On Fri, Mar 23, 2018 at 6:24 PM, Nick Couchman  wrote:

>
>>> It has following command line interface options.
>>>
>>>
>>>> audio-mode: Audio output mode
>>>> (mode can 0 - redirect locally, 1 - leave on server, 2 - none)
>>>
>>>
>>> In Guacamole, If I set disable-audio=true then it disables the audio on
>>> remote server as well.
>>>
>>> *How can we achieve this on Guacamole ? (  leave on server  ) *
>>>
>>>
>> Honestly, "leave on server" does not make sense to me as an option, but
>> based on the code you pasted in your email, you'd need to use the
>> "console-audio" option:
>>
>>
> Yeah, I'm curious, Amarjeet, what your use-case is for having the audio
> available on the server?  This option has never made a lot of sense to me,
> though I can imagine maybe one scenario (controlling a desktop) where this
> might make sense, but in a server or cloud scenario where you have multiple
> users accessing a variety of either server or VDI-type machines, I fail to
> see why you'd ever need audio to be "playing" on a server device and not
> forwarded out to the remote system?
>
> -Nick
>


Re: In-Context Launch and Caching

2018-03-23 Thread Nick Couchman
>
> I don't think the logout will work for me as I have to hide all general
> aspects of Guacamole (no home page, etc... ) to get the launch-in context.
> I have put a trace in the shutdown() method but I'm not seeing it being
> called (probably a side effect of the previous).
> I'm happy to hear of the periodic clean up, I think/hope that will settle
> my worry.
>
>
It's probably only called on Logout, or when the DELETE method is called on
the api/tokens endpoint, so you'll have to do something with that in order
to get it to run.  You also could do something like override the tunnel
connection methods in the Connection class and do something to make the
credentials invalid as soon as the tunnel is connected such that someone
can't reuse it.  Depends on how concerned you are about someone being able
to maliciously (re)use the credentials.


> Had to play some interesting games (comparing the new request to the
> existing configuration of the user) to avoid re-authenticating uselessly as
> updateAuthenticatedUser is called more often than expected but I think I
> have it working now so I can serve a new authorization every time a new
> target is invoked (within the same session or not).
>

You might take a look at these methods in some of the other modules, like
the CAS, Duo, and Header ones, as they may behave similarly to how you're
attempting to get your module to work.


>
> My next challenge now is to figure out a way to display a proper error
> message when the authorization fails (there is no cascading to other
> authorization plugin and none will do).  Right now, all I get is a blank
> page.
>

Again, might look at some of the other modules to get examples - throwing a
GuacamoleInvalidCredentialsException or
GuacamoleInsufficientCredentialsException should allow you to display a
custom page (Form/Field) that gives the user a useful error message, or
redirect the user to some other page for authentication (CAS, OAuth, Duo do
this).

-Nick


Re: In-Context Launch and Caching

2018-03-23 Thread ggagnon
Thanks for the info.
I don't think the logout will work for me as I have to hide all general
aspects of Guacamole (no home page, etc... ) to get the launch-in context.
I have put a trace in the shutdown() method but I'm not seeing it being
called (probably a side effect of the previous).
I'm happy to hear of the periodic clean up, I think/hope that will settle my
worry.

Had to play some interesting games (comparing the new request to the
existing configuration of the user) to avoid re-authenticating uselessly as
updateAuthenticatedUser is called more often than expected but I think I
have it working now so I can serve a new authorization every time a new
target is invoked (within the same session or not).

My next challenge now is to figure out a way to display a proper error
message when the authorization fails (there is no cascading to other
authorization plugin and none will do).  Right now, all I get is a blank
page.

Thanks






Re: 404 when trying to import all.min.js using HTTPS (NGINX)

2018-03-23 Thread messido
Thank you very much for your quick response!

For anyone else coming across this issue, ended up resolving it by adding a
proxy pass for the /resources route

`location /resources/ {
    proxy_pass http://127.0.0.1:8080/Mavis/resources/;
}
`

into my server {  } block for my nginx configuration file... "Mavis" is
just the name of my .war file





Re: In-Context Launch and Caching

2018-03-23 Thread Nick Couchman
>
> As for the memory/accumulation issue I raise, in
> AuthenticationService.authenticate, I see that tokenSessionMap is populated
> with information for each session.   However, it's not clear when those are
> removed from the map.  I think I deduce from a rest API call
> (Administration?) And there's another case upon an unclear exception but
> there's limits to how IntelliJ will let me traceback and reverse engineer
> this...
>
>
A couple of things, here:
- There is code during the "logout" process that tears down the session
(look at the DELETE method on the api/tokens endpoint).
- In your custom authentication module, there's a shutdown() method that
you could use to clean up anything specific to your authentication module.
- If you put Guacamole into DEBUG logging and look at the Tomcat logs
(catalina.out or syslog, depending on your configuration) you'll see
periodic messages from o.a.g.rest.auth.HashTokenSessionMap cleaning up old
sessions.
- I believe Tomcat's monitoring/management interface can show you memory
utilization for a deployed application, so you can monitor that and make
sure it isn't leaking.

-Nick


Re: Guacamole doesn't support AUDIO enable disable feature as FreeRDP do

2018-03-23 Thread Nick Couchman
>
>
>> It has following command line interface options.
>>
>>
>>> audio-mode: Audio output mode
>>> (mode can 0 - redirect locally, 1 - leave on server, 2 - none)
>>
>>
>> In Guacamole, If I set disable-audio=true then it disables the audio on
>> remote server as well.
>>
>> *How can we achieve this on Guacamole ? (  leave on server  ) *
>>
>>
> Honestly, "leave on server" does not make sense to me as an option, but
> based on the code you pasted in your email, you'd need to use the
> "console-audio" option:
>
>
Yeah, I'm curious, Amarjeet, what your use-case is for having the audio
available on the server?  This option has never made a lot of sense to me,
though I can imagine maybe one scenario (controlling a desktop) where this
might make sense, but in a server or cloud scenario where you have multiple
users accessing a variety of either server or VDI-type machines, I fail to
see why you'd ever need audio to be "playing" on a server device and not
forwarded out to the remote system?

-Nick


Re: Shared RDP connections with 0.9.14

2018-03-23 Thread Nick Couchman
>
>
> However, if on step 4 the browser is authenticated to Guacamole as a
> different user, the pasted link seems to open the top level connection and
> not the shared connection, so RDP of course logs the first user out.
>
>
Interesting.  I'm not sure if this is intentional or not - I'll have to
play with it and see what my experience is.


> What I am eventually trying to achieve is that I can hand a URL to a set of
> users, they all see the shared connection and one of them has control - the
> others read-only, but that control can be passed between users.  I had
> assumed for that that everyone must be logged in and then some API call
> would determine who was read-only and who not.  Is there another way I
> might achieve what I want?
>
>
I don't think you're going to get to exactly where you want to be with the
way Guacamole works today.  There are some JIRA issues out there that deal
with making shared sessions available on the home page to users, so that
functionality is probably not far off; however, switching between read-only
and read-write and passing control of a session around between multiple
users ("Passing the Ball" in WebEx) is not something that's possible in
Guacamole right now, and I don't think there is a JIRA issue in for that
one, yet.

-Nick


Re: Date Filter Option

2018-03-23 Thread Joseph Bernard
For anyone else that doesn't know this, Google displays the date based on 
locale but uses the international format of YYYY-MM-DD for searching.  I had the 
same issue trying to figure out what format it wanted.

Thanks,
Joseph B.

Sent from my iPhone

> On Mar 23, 2018, at 4:04 AM, sebastian.k  
> wrote:
> 
> Ok, thanks for clarifying this up.
> But it's still confusing for someone who doesn't know this.
> Wouldn't it be better to always show the date in international format then,
> regardless of the chosen language?
> 
> 
> 


Re: Duo two-factor authentication does not work: where's my mistake?

2018-03-23 Thread Nick Couchman
On Fri, Mar 23, 2018 at 8:00 AM, Magnus Lobenhofer <
magnus.lobenho...@icloud.com> wrote:

> Hello Nick,
>
> thank you for your quick reply!
> Your first tip was the right one. I actually had the version 0.9.9 mixed
> with the extension for Duo 0.9.14.
> The cause was my mistake to install guacamole from the repository Raspbian
> for convenience, and later the duo extension via the download from the
> project page, but without paying attention to the version.
>
>
>
Yeah, it's up to each of the individual distributions to keep the packages
up to date, and 0.9.9 seems to be a very popular version in the
Debian-based repos, so it seems like maybe that package isn't being
actively maintained by anyone.

-Nick


Re: 404 when trying to import all.min.js using HTTPS (NGINX)

2018-03-23 Thread Nick Couchman
On Fri, Mar 23, 2018 at 8:32 AM, messido  wrote:

> Keeping it short, when I was developing locally and serving .war file over
> tomcat (without the use of nginx) the all.min.js file was being imported
> properly and I could connect to session over the Guacamole tunnel no
> problem. However, now that I setup a remote server and added nginx (with
> SSL
> certificate, making the connection https) I get `GET
> https:///resources/all.min.js net::ERR_ABORTED` which is
> pretty much a 404...
>
>
It looks like maybe you're trying to have your application proxied out at a
different location than it is deployed in Tomcat?  So, you probably have
your web app deployed such that the link in Tomcat is:
http://hostname.domain.tld:8080/guacapp/

But, when you proxy it over nginx, you're trying to make it show up at:

https://hostname.domain.tld/

(without the trailing guacapp/), correct?  If so, you'll need to make sure
that your proxy configuration is correctly rewriting the URLs such that
everything, links, includes, etc., gets translated from one URL to
another.  I'm not familiar enough with Nginx to know off the top of my head
how to do this, or even if it will work in all situations.  The following
StackOverflow question may help:

https://stackoverflow.com/questions/46610662/nginx-reverse-proxy-with-different-context-path

In some cases you have to do some pretty serious filtering/rewriting if the
application in question is unable to handle the varying context paths.  To
simplify things in your scenario, I would try setting up the proxy config
with nginx such that it is using the exact same context path as is used in
the deployment in Tomcat.  So, if you are deploying to /guacapp in Tomcat,
make sure the Nginx path contains the same /guacapp path and see if you can
get it to work that way.

-Nick


404 when trying to import all.min.js using HTTPS (NGINX)

2018-03-23 Thread messido
Keeping it short, when I was developing locally and serving .war file over
tomcat (without the use of nginx) the all.min.js file was being imported
properly and I could connect to session over the Guacamole tunnel no
problem. However, now that I setup a remote server and added nginx (with SSL
certificate, making the connection https) I get `GET
https:///resources/all.min.js net::ERR_ABORTED` which is
pretty much a 404... 

I'm developing my own front end, and I haven't changed the directory
locations (webapp/resources and webapp/ng) from when I was developing
locally and connecting through tomcat to when I moved to deploying it on my
server with NGINX and SSL...

Am I supposed to be editing the "server {  }" brackets inside my nginx
configurations to enable access to the all.min.js file? even though it
should be getting packaged inside the .war file? Or am I supposed to be
importing the file differently?

the "webapp" directory that gets packaged by maven looks like this

webapp
   -resources
      -all.min.js
      -polyfills.bundle.js
      -styles.bundle.js
      -(a bunch of other bundle.js files for my front end that don't throw 404)
   -WEB-INF
      -web.xml
   -ng
      -(my front end files)


and I'm importing the `resources/all.min.js` inside my front-end's main
index.html by typing 
`
  `





Re: Guacamole doesn't support AUDIO enable disable feature as FreeRDP do

2018-03-23 Thread Mike Jumper
On Fri, Mar 23, 2018 at 1:07 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> In Guacamole we have the option to disable audio to true or false but
> FreeRDP doesn't behave like this while connecting through command line
> interface.
>
>
Guacamole does not use the same options to configure the same internal
flags. The "xfreerdp" client and Guacamole are not equivalent in
implementation, regardless of the fact that they use the same underlying
RDP library (FreeRDP).

> It has following command line interface options.
>
>
>> audio-mode: Audio output mode
>> (mode can 0 - redirect locally, 1 - leave on server, 2 - none)
>
>
> In Guacamole, If I set disable-audio=true then it disables the audio on
> remote server as well.
>
> *How can we achieve this on Guacamole ? (  leave on server  ) *
>
>
Honestly, "leave on server" does not make sense to me as an option, but
based on the code you pasted in your email, you'd need to use the
"console-audio" option:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#rdp-device-redirection

Can you describe what you're trying to do here? What makes you look into
the specifics of these audio options vs. FreeRDP?

...
> {code:none}
>

JIRA wiki markup only has any effect in JIRA.

- Mike


Guacamole doesn't support AUDIO enable disable feature as FreeRDP do

2018-03-23 Thread Amarjeet Singh
Hi Team,


In Guacamole we have the option to disable audio to true or false but
FreeRDP doesn't behave like this while connecting through command line
interface.

It has following command line interface options.


> audio-mode: Audio output mode
> (mode can 0 - redirect locally, 1 - leave on server, 2 - none)


In Guacamole, If I set disable-audio=true then it disables the audio on
remote server as well.

*How can we achieve this on Guacamole ? (  leave on server  ) *


My Observations of Command Line Interface code of FreeRDP is as follows :

{code:none}
CommandLineSwitchCase(arg, "audio-mode")
{
    long mode = strtol(arg->Value, NULL, 0);

    if (errno != 0)
        return COMMAND_LINE_ERROR_UNEXPECTED_VALUE;

    if (mode == AUDIO_MODE_REDIRECT)
    {
        settings->AudioPlayback = TRUE;
    }
    else if (mode == AUDIO_MODE_PLAY_ON_SERVER)
    {
        settings->RemoteConsoleAudio = TRUE;
    }
    else if (mode == AUDIO_MODE_NONE)
    {
        settings->AudioPlayback = FALSE;
        settings->RemoteConsoleAudio = FALSE;
    }
}

{code}

Any suggestions on the above ?



Thanks and Regards,
Amarjeet Singh


Re: Date Filter Option

2018-03-23 Thread sebastian.k
Ok, thanks for clarifying this up.
But it's still confusing for someone who doesn't know this.
Wouldn't it be better to always show the date in international format then,
regardless of the chosen language?


