Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi PlayerOne, congratulations! And thanks for all your queries and suggestions that I have benefited from along the way.

-David

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
David,

It seems my noobiness missed a crucial line in your instructions.

    "mv /root/guacamole-auth-radius-1.0.0.jar /etc/guacamole/extensions/guacamole-auth-01-radius-1.0.0.jar"

I'm happy to report it's now working perfectly!!!
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Just found this, I don't seem to have the radius.jar in my extensions directory!?!?

    root@GUACA01~ ls /etc/guacamole/extensions
    guacamole-auth-02-jdbc-mysql-1.0.0.jar
    root@GUACA01~
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Thanks David I'm working through those. I've just realised this may possibly be down to MS licensing. We're using the per-auth MFA licensing and apparently the Azure MFA NPS Extension isn't supported in that licensing model. After double checking everything you suggested I think I may have to look at reverting the radius config to somehow working with our Azure MFA Server and NPS policies running on our RDP Gateway. I may just remove the Azure extension from the new NPS server I just built and point the Radius requests to our Azure MFA server. Do you think that may work?
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Use the almost-a-gui nmtui to check your network config (if you haven't already)

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
In guacamole.properties use a hard-coded IP address, for example:

    radius-hostname: 172.16.2.1

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Check that nothing went wrong during the install of guacamole.war into tomcat

    # Remove Guacamole from tomcat:
    cp /opt/tomcat/latest/webapps/guacamole.war /tmp/guacamole.war
    rm /opt/tomcat/latest/webapps/guacamole.war

    # Restart tomcat slowly
    systemctl stop tomcat
    systemctl start tomcat

    # Install a clean copy of guacamole.war into tomcat
    cp /root/guacamole.war /opt/tomcat/latest/webapps/guacamole.war

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi PlayerOne,

My guacamole.properties is therefore similarly ordered to yours.

In /etc/guacamole/extensions do the following two Authentication providers appear in alphanumeric order:

    guacamole-auth-01-radius-1.0.0.jar
    guacamole-auth-02-jdbc-mysql-1.0.0.jar

Have you checked /opt/tomcat/apache-tomcat-8.5.38/logs/catalina.out for the following line:

    [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "RADIUS Authentication Backend" loaded.

If the following line isn't present either, then turn debugging on:

    [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.

In file /opt/tomcat/apache-tomcat-8.5.38/conf/logging.properties set the level for all to "FINE".

Do the radius properties in guacamole.properties look like these:

    radius-hostname: npsserver.yourdomain.com
    radius-auth-port: 1812
    radius-shared-secret: same_shared_secret_as_used_in_your_NPS_policy
    radius-auth-protocol: pap # Must be pap
    radius-retries: 5
    radius-timeout: 90

Still digging out things to check.

-David
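The checks listed in the message above, collected into one script as an added example; it is not code from the thread or from the Guacamole project. The function names and the temporary sample files are this example's own constructions, and it assumes guacamole.properties is parsed as a standard Java properties file.

```shell
#!/bin/sh
# Added example (not from the thread); function names are this example's own.

# Print the 1-based position of the first jar whose name contains $2 in the
# byte-order sorted listing of directory $1 (empty output if there is none).
jar_position() {
    ls "$1" 2>/dev/null | LC_ALL=C sort | grep -n -- "$2.*\.jar\$" |
        head -n 1 | cut -d: -f1
}

# 0 = RADIUS jar sorts before the JDBC jar, 1 = wrong order, 2 = a jar missing.
check_extension_order() {
    radius=$(jar_position "$1" radius)
    jdbc=$(jar_position "$1" jdbc)
    if [ -z "$radius" ] || [ -z "$jdbc" ]; then return 2; fi
    [ "$radius" -lt "$jdbc" ] || return 1
}

# 0 if log file $1 records that the extension named $2 was loaded.
check_extension_loaded() {
    grep -F -q "Extension \"$2\" loaded." "$1" 2>/dev/null
}

# Print the raw value of key $2 from properties file $1. Nothing is stripped
# after the separator: Java properties files treat '#' as a comment only at
# the start of a line, so "pap # Must be pap" is read as the whole value.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | tail -n 1
}

# 0 if radius-auth-protocol is exactly "pap", as the thread requires.
check_radius_protocol() {
    [ "$(prop_value "$1" radius-auth-protocol)" = "pap" ]
}

# audit EXT_DIR CATALINA_OUT PROPERTIES: print one OK/FAIL line per check.
audit() {
    rc=0; check_extension_order "$1" || rc=$?
    case $rc in
        0) echo "OK    RADIUS jar sorts before JDBC jar" ;;
        1) echo "FAIL  JDBC jar sorts before RADIUS jar (rename with 01-/02-)" ;;
        *) echo "FAIL  RADIUS or JDBC jar missing from $1" ;;
    esac
    for name in "RADIUS Authentication Backend" "MySQL Authentication"; do
        if check_extension_loaded "$2" "$name"
        then echo "OK    log shows \"$name\" loaded"
        else echo "FAIL  no 'loaded' line for \"$name\" in $2"
        fi
    done
    if check_radius_protocol "$3"
    then echo "OK    radius-auth-protocol is pap"
    else echo "FAIL  radius-auth-protocol is '$(prop_value "$3" radius-auth-protocol)'"
    fi
}

# Constructed sample: only the JDBC jar is installed and the properties line
# carries an inline note, so every RADIUS check fails.
DEMO=$(mktemp -d)
mkdir "$DEMO/extensions"
: > "$DEMO/extensions/guacamole-auth-02-jdbc-mysql-1.0.0.jar"
echo '[localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.' > "$DEMO/catalina.out"
echo 'radius-auth-protocol: pap # Must be pap' > "$DEMO/guacamole.properties"
audit "$DEMO/extensions" "$DEMO/catalina.out" "$DEMO/guacamole.properties"
```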
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi PlayerOne,

My MySQL lines are also above the Radius lines in guacamole.properties.

In the folder /etc/guacamole/extensions are the two authentication providers named in alphanumeric sequence?

    guacamole-auth-01-radius-1.0.0.jar
    guacamole-auth-02-jdbc-mysql-1.0.0.jar

In the file /opt/tomcat/apache-tomcat-8.5.38/logs/catalina.out can you see the line?

    03:02:48.207 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "RADIUS Authentication Backend" loaded.

Are there any Radius errors in the file?

I will post a few more checks soon.

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi David,

Windows Firewall is off, but I checked the advanced firewall rules and there are UDP rules for 1812/1813. Netstat shows it's listening. This is just a test/poc environment at the moment so both the Guacamole server and Azure MFA/NPS server are right next to each other, no DMZ involved.

I've run an 'nmap -sU -p 1812' from the Guacamole server and I can then see event log errors on the NPS server. If I then try Guacamole itself my AD creds fail, and I see no errors in the NPS server event logs. So it's almost like Guacamole isn't even trying to auth with Radius.

Is there anything I can double check in the Guacamole config? Does it matter that the MySQL config lines are above the Radius config lines in the Guacamole config file?
Re: guacd timeout waiting for a connection
On Thu, Feb 21, 2019 at 6:11 PM McRoy, Jeffrey (GE Healthcare) <jeffrey.mc...@ge.com> wrote:
> Hi Everyone,
>
> Is it possible to set the amount of time guacd waits for a connection
> using the protocols it supports (VNC, Telnet, etc.)?

Jeff,

The answer (I think) is, it depends. First, configuring the timeout is not currently implemented in Guacamole, so it's going to require some modifications. There is a JIRA issue out there for it - https://issues.apache.org/jira/browse/GUACAMOLE-600 - and I started working on this and investigating possible ways to do it, and it looks like some of the underlying libraries don't support configuring this value. In particular, the FreeRDP and libvncclient libraries don't really have a way to specify this, and they provide the wrapper around the actual underlying socket calls, so I'm not sure how doable this is. Maybe it would be possible within the guacd to somehow wrap the calls and implement a timeout, anyway, not sure - maybe some of the other developers can comment on that.

-Nick
guacd timeout waiting for a connection
Hi Everyone,

Is it possible to set the amount of time guacd waits for a connection using the protocols it supports (VNC, Telnet, etc.)?

Regards,
Jeff
Re: GUACAMOLE 0.9.9 - RECORDING
On Thu, Feb 21, 2019 at 5:34 PM Eriel Perez wrote:
> Greetings friends from the list.
>
> I have the GUACAMOLE version 0.9.9 and it works well with RDP to a
> computer with windows.
>
> I need to record the sessions. As much as I look for I can not find a
> manual that explains how to do it.

You should start by upgrading to a modern version of Guacamole. 1.0.0 is the latest available. You can download from the Guacamole website: http://guacamole.apache.org

-Nick
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi David, would you be able to post some screenshots of your NPS server policies, and any Azure MFA NPS Extension config please? I'm not sure if this will help you with IIS as it requires Azure MFA server (which is what I'm trying to get working above with Guacamole) and not the Azure MFA NPS Extension. It does mention MFA auth on IIS7 and above but not sure if it goes as far as IIS10. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-iis
GUACAMOLE 0.9.9 - RECORDING
Greetings friends from the list.

I have the GUACAMOLE version 0.9.9 and it works well with RDP to a computer with Windows.

I need to record the sessions. As much as I look for I can not find a manual that explains how to do it.

I thank the list for the help.
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi PlayerOne,

The easier question first - I am just using ordinary AD security groups and all is working as I've described.

I am using the Azure MFA NPS Extension on our Windows NPS server, being the "central policy server" in NPS speak. RD Gateway is a different server and its authentication is pointing to the NPS "central policy server", so resulting in our RD Gateway using the MFA service. We also have all our external authentication (eg VPN) using Radius so that we can use the Azure MFA service.

We use the Azure MFA Server (Legacy PhoneFactor product) only for our secure web site, since no Azure MFA plugin for IIS 10 seems to be available. If someone knows how to get radius authentication for IIS 10 working I'd be really keen to read about it.

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
David, can I just clarify the Azure MFA side of things please. I think I may have gotten a little excited at the Azure MFA integration bit. I currently use Azure MFA Server alongside an RDP gateway. The MFA server pretty much provides the Radius proxy to Azure AD which in turn uses the NPS policies stored on the RD Gateway to gain access. I believe that setup will not work for this deployment of guacamole. What's needed is the Azure MFA NPS extension. https://docs.microsoft.com/en-gb/azure/active-directory/authentication/howto-mfa-nps-extension I'm planning on setting up a new Windows server to run this extension from to test with Guacamole. I could potentially just run the Azure NPS Extension from our current Azure MFA box, but I don't want to affect anything running on that as it's currently production. If anyone's doing this already please do let me know. Just to also confirm my previous question, do the Guacamole AD groups need to be the 'guacConfigGroup' object class, or just normal AD security groups?
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Ok thank you, and those AD groups need to be the guacConfigGroup type for the updated AD schema or just standard security groups?
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
> Yep, glad you got it. One minor note - when you create a user in the
> Guacamole web interface and do not specify a password, Guacamole generates
> a random password and assigns it. This is for security reasons so that the
> account is protected.

Okay, good. So what I should do now is to protect my jdbc too. Thank you

--
*EZZAKI Kamal*
Re: Guacamole AND FreeRadius ( Probleme with Users data )
h I get it now, the concept is to create a new user in guacamole interface *without* *password*. This stop him from connection by using jdbc, and after this you create a user with the same identity in radius. And by this way you make sure that guacamole go to radius for authentication and you jdbc for Users Data. Thank you very much for your help, people, and if anyone have a question I'm ready to answer

*EZZAKI Kamal*
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
On Thu, Feb 21, 2019 at 8:10 AM Kamal Ezzaki wrote:
> h I get it now, the concept is to create a new user in guacamole
> interface *without* *password*. This stop him from connection by using
> jdbc, and after this you create a user with the same identity in radius.
> And by this way you make sure that guacamole go to radius for
> authentication and you jdbc for Users Data. Thank you very much for your
> help, people, and if anyone have a question I'm ready to answer

Yep, glad you got it. One minor note - when you create a user in the Guacamole web interface and do not specify a password, Guacamole generates a random password and assigns it. This is for security reasons so that the account is protected.

-Nick
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
h I get it now, the concept is to create a new user in guacamole interface *without* *password*. This stop him from connection by using jdbc, and after this you create a user with the same identity in radius. And by this way you make sure that guacamole go to radius for authentication and you jdbc for Users Data. Thank you very much for your help, people, and if anyone have a question I'm ready to answer

--
*EZZAKI Kamal*
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
( To assign permissions to RADIUS users in the JDBC module, you need to create users in the JDBC module with the same username as the RADIUS users. You can then assign permissions to the user within JDBC, and the user logging in with RADIUS will get those permissions. Guacamole bases this "stacking" on the username, so the usernames must be identical. )

This is exactly what I did: I create users in JDBC with the same name in RADIUS users, and Guacamole goes first to Radius and checks for the users, but the problem is that if the user exists in RADIUS, guacamole is not checking the database for users data (connection ..), and if not it checks the users from the database

On Thu, Feb 21, 2019 at 10:08, Nick Couchman wrote:
> On Thu, Feb 21, 2019 at 3:23 AM Kamal Ezzaki wrote:
>
>> Hello, I change the name of radius module so that it's loaded first and
>> Guacamole check in radius server first then go back to jdbc but the
>> problem is how to not go back to jdbc and check only radius if the user
>> exists then go to jdbc for users data (permission, connections).
>
> To assign permissions to RADIUS users in the JDBC module, you need to
> create users in the JDBC module with the same username as the RADIUS
> users. You can then assign permissions to the user within JDBC, and the
> user logging in with RADIUS will get those permissions. Guacamole bases
> this "stacking" on the username, so the usernames must be identical.
>
> Version 1.0.0 introduced user groups; however, the way user groups are
> currently implemented in Guacamole it will *not* work to create your RADIUS
> users in JDBC, and then create a group in JDBC and assign the permissions
> that way. The group would need to be present in the RADIUS module, and the
> RADIUS module currently does not implement group retrieval. So,
> unfortunately, for now, you would need to create those users in JDBC and
> individually assign connection permissions to the user accounts in JDBC.
>
> -Nick

--
*EZZAKI Kamal*
*Engineering student in Network and Systems Administration at ENSEM*
*Tel: +212 6 81 78 28 64*
*Email: kamalezza...@gmail.com*
Show active session through VNC
Hello,

I'm using a customised Guacamole web app, to connect via VNC. The web app retrieves computers, users from a specific AD domain. And for each computer (Windows 10), it shows the connected user (only one session at a time).

Now, with Guacamole I just want to show the active session on the remote computer, with no interaction, just a view only. I do have the user connected, the session ID and I want to open the active session to show in a new browser window. Is it possible?

Here's the javascript:

    . . . /* */ . . .

And the servlet code:

    @Override
    protected GuacamoleTunnel doConnect(HttpServletRequest request) throws GuacamoleException {

        // Logging
        ServletContext context = getServletContext();

        // Prepare the configuration
        GuacamoleConfiguration config = new GuacamoleConfiguration();
        config.setProtocol("vnc");
        config.setParameter("username", request.getParameter("userName"));
        config.setParameter("hostname", request.getParameter("computerName"));
        config.setParameter("port", System.getProperty("consoleDe.vncserver.port"));

        context.log("Paramètres reçus");
        context.log("hostname: " + request.getParameter("computerName"));
        context.log("port VNC: " + System.getProperty("consoleDe.vncserver.port"));
        context.log("Guacamole adresse: " + System.getProperty("consoleDe.guacamole.address"));
        context.log("Guacamole port: " + System.getProperty("consoleDe.guacamole.port"));

        GuacamoleSocket socket = new ConfiguredGuacamoleSocket(
            new InetGuacamoleSocket(
                System.getProperty("consoleDe.guacamole.address"),
                Integer.parseInt(System.getProperty("consoleDe.guacamole.port"))),
            config
        );

        // Return a new tunnel which uses the connected socket
        return new SimpleGuacamoleTunnel(socket);
    }

Thanks for your help
Re: LDAP extension: how to ldap-user-base-dn with space in its name?
On Thu, Feb 21, 2019 at 4:17 AM wouterve wrote:
> Hi,
>
> Strangely, I don't see any error output in /var/log/tomcat7/catalina.out
>
> Then I tried to use the following:
>
>
> I do receive the following error:
>
>
>
> (still using the same userbase
>
> so, how could I limit the users to only the aftersales security group
> please?

Any screenshots you were trying to post inline got stripped out.

If you're trying to limit to a certain set of users within LDAP, I'd suggest using the ldap-user-search-filter parameter in guacamole.properties, which will allow you to define the LDAP filter used. You could do something like:

    ldap-user-search-filter: (&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))

Obviously adjust that to the type of object you actually want to find, and the location of the group.

-Nick
Re: LDAP extension: how to ldap-user-base-dn with space in its name?
Hi,

Strangely, I don't see any error output in /var/log/tomcat7/catalina.out

Then I tried to use the following:

I do receive the following error:

(still using the same userbase

so, how could I limit the users to only the aftersales security group please?
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
On Thu, Feb 21, 2019 at 3:23 AM Kamal Ezzaki wrote:
> Hello, I change the name of radius module so that it's loaded first and
> Guacamole check in radius server first then go back to jdbc but the
> problem is how to not go back to jdbc and check only radius if the user
> exists then go to jdbc for users data (permission, connections).

To assign permissions to RADIUS users in the JDBC module, you need to create users in the JDBC module with the same username as the RADIUS users. You can then assign permissions to the user within JDBC, and the user logging in with RADIUS will get those permissions. Guacamole bases this "stacking" on the username, so the usernames must be identical.

Version 1.0.0 introduced user groups; however, the way user groups are currently implemented in Guacamole it will *not* work to create your RADIUS users in JDBC, and then create a group in JDBC and assign the permissions that way. The group would need to be present in the RADIUS module, and the RADIUS module currently does not implement group retrieval. So, unfortunately, for now, you would need to create those users in JDBC and individually assign connection permissions to the user accounts in JDBC.

-Nick
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Okay, thank you, and I hope someone can help me please, it's been 10 days trying to make it out

On Thu, Feb 21, 2019 at 09:44, drhy wrote:
> All conditions and corrections posted above have now been included in the
> first posting.
>
> -David

--
*EZZAKI Kamal*
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
All conditions and corrections posted above have now been included in the first posting.

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hi Kamal,

I'm not clear myself how the authentication actually works when you use Groups and you use both Radius and a database. But I do not know how to make it work. Hopefully someone else can help.

-David
Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies
Hello, I change the name of radius module so that it's loaded first and Guacamole check in radius server first then go back to jdbc but the problem is how to not go back to jdbc and check only radius if the user exists then go to jdbc for users data (permission, connections).