Re: change recordings path

2024-04-18 Thread Nick Couchman
On Mon, Apr 15, 2024 at 3:11 AM Molina de la Iglesia, Manuel
 wrote:

> Hi,
>
> Yes, the problem is the folder permissions, but if I change the owner of
> the folder the previous files are reachable from the history tab, but not
> new videos. I tried to modify the umask but I don't know how to do it
> properly, and I think that it could not be the best solution, I would like
> to create a "guacd" user and add it to the tomcat group. Does it make
> sense? How can I specify the user that runs guacamole?
>
>
Yes, you can either create a user like guacd and add to the Tomcat group,
or you can create a "guacamole" group and add both the tomcat user and the
guacd user to that group. Also, if your underlying filesystem supports
POSIX ACLs, you can use ACLs to allow both users to read and write from the
folders.

-Nick
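The shared-group and ACL options from the reply above, as an added example that is not part of the original message or of the Guacamole project. The account names guacd and tomcat and the group name "guacamole" are taken from the thread; the recordings directory is whatever path the reader passes in, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Account names guacd and tomcat and the "guacamole" group come
# from the thread; the directory path passed in is the reader's own.

# Run as root: create the shared group, add both service accounts, hand the
# directory to the group with the setgid bit so new recordings inherit it.
setup_shared_dir() {
    dir=$1 group=${2:-guacamole}
    getent group "$group" >/dev/null || groupadd "$group" || return 1
    for user in guacd tomcat; do
        usermod -aG "$group" "$user" || return 1
    done
    chgrp "$group" "$dir" && chmod 2770 "$dir" || return 1
    # ACL variant: a default ACL keeps new files group-accessible even when
    # the creating process runs with a restrictive umask.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "g:$group:rwX" "$dir" || return 1
    fi
}

# Unprivileged check: returns 0 only if the directory is setgid and group-rwx,
# every file in it is group-readable, and nothing is world-readable.
audit_shared_dir() {
    dir=$1 rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    [ -g "$dir" ] || { echo "setgid bit missing: $dir" >&2; rc=1; }
    [ -n "$(find "$dir" -prune -perm -070)" ] ||
        { echo "group lacks rwx: $dir" >&2; rc=1; }
    unreadable=$(find "$dir" -type f ! -perm -040)
    [ -z "$unreadable" ] ||
        { echo "hidden from group: $unreadable" >&2; rc=1; }
    exposed=$(find "$dir" -perm -004)
    [ -z "$exposed" ] ||
        { echo "world-readable: $exposed" >&2; rc=1; }
    return "$rc"
}
```

Running services pick up a new group membership only after they are restarted, so restart guacd and Tomcat after `setup_shared_dir` and then run `audit_shared_dir` once a new recording has been written.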



Re: How to get client IP address ?

2024-04-18 Thread Stephan von Krawczynski
On Thu, 18 Apr 2024 10:18:03 -0400
Nick Couchman  wrote:

> I believe the issue that Stephan is describing is that, when the user logs
> in to Guacamole, and the remote LDAP server that is authenticating the user
> logs a client IP address, it should log the IP address of the browser (far
> end client) and not the IP address of the Guacamole Client (tomcat) system.
> I'm just trying to get clarity from Stephan on whether this is what he's
> actually trying to do and why.
> 
> -Nick

Yes, Nick, you are exactly on the right track here. And I am really not in a
logging question, but truly in the authentication process where I want to
know the far end client.

-- 
Regards,
Stephan

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: How to get client IP address ?

2024-04-18 Thread Stephan von Krawczynski
On Thu, 18 Apr 2024 09:47:21 -0400
Nick Couchman  wrote:

> On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski 
> wrote:
> 
> > Hello all,
> >
> > I have a setup of guacamole where the user authentication is done by ldap
> > (openldap slapd). Is there an easy way to hand the client IP over to ldap
> > bind requests?
> >
> >  
> Maybe you can provide a little more detail on what you're trying to
> accomplish? I'm sure it's possible, but probably not without modifications
> to the code. Also, it'd be interesting to know why this is a desired or
> required configuration?
> 
> -Nick

Hello Nick,

think of the client IP as a kind of trigger to allow or deny certain
authentication procedures. "Username"/"PW" tuple is a bit weak for a nowadays
authentication, maybe you should expect more parameters in the future.
I think one should be able to select from these inside the authenticator - be
it ldap or even a simple script provided with an array of parameters answering
yes or no in the end as exit code.

-- 
Regards,
Stephan





Re: How to get client IP address ?

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 10:00 AM Molina de la Iglesia, Manuel
 wrote:

> Hi,
>
> Similar situation, I have an application that authenticates the user, the
> a connection ID and "build" the URL with the token that is where the user
> goes. The IP that appears on the log is the address of the server where the
> intermediate application is.
>
>
I think this is a different issue - what you're describing is that the IP
address that is logged for a user login or connection within Guacamole is
the IP address of either the proxy (Nginx, httpd, etc.) or the Guacamole
Client system, rather than the actual client (browser) IP address. This is
covered in the manual under this section:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

I believe the issue that Stephan is describing is that, when the user logs
in to Guacamole, and the remote LDAP server that is authenticating the user
logs a client IP address, it should log the IP address of the browser (far
end client) and not the IP address of the Guacamole Client (tomcat) system.
I'm just trying to get clarity from Stephan on whether this is what he's
actually trying to do and why.

-Nick



Re: Major bug message log in guacd 1.5.4

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 10:05 AM Maciej Konigsman
 wrote:

> Has this issue been resolved in v1.5.5?
>

Yes; however, a new issue was introduced where a lock is not correctly
checked/opened, and having microphone support enabled can result in RDP
connections failing. We haven't decided, yet, if we're going to do a 1.5.6
bugfix release to correct that and anything else that pops up, or just move
on to 1.6.0.

-Nick


Re: Major bug message log in guacd 1.5.4

2024-04-18 Thread Maciej Konigsman
Has this issue been resolved in v1.5.5?

On Thu, 25 Jan 2024 at 17:26, Weston Thayer  wrote:

> Hmm, I'd try openssl 1.0.2, but I don't see an alpine repository for it.
> Not quite sure how to go about building from source. I'd already tried
> downgrading FreeRDP (although there could be an interaction there).
>
> I suppose another approach would be to start a bisect of guacd commits
> between 1.5.3 and 1.5.4. Seems possible to automate...
>
> On Thu, Jan 25, 2024 at 1:17 AM Vieri  wrote:
>
>>  On Wednesday, January 24, 2024 at 11:38:35 PM GMT+1, Nick Couchman <
>> vn...@apache.org> wrote:
>>
>> > CentOS 7
>> > freerdp-libs 2.1.1-5.el7_9
>> > openssl-devel 1.0.2k-26.el7_9
>>
>>
>> I'm using:
>> openssl 1.1.1l
>> freerdp 2.4.1
>>
>> In my case, guacd 1.5.3 works flawlessly whereas 1.5.4 fails.
>>


Re: How to get client IP address ?

2024-04-18 Thread Molina de la Iglesia, Manuel
Hi,

Similar situation, I have an application that authenticates the user, the a
connection ID and "build" the URL with the token that is where the user
goes. The IP that appears on the log is the address of the server where the
intermediate application is.

Any suggestions?
Thanks

*Manel Molina*

On Thu, 18 Apr 2024 at 15:50, Nick Couchman wrote:

> On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski <
> skraw...@ithnet.com> wrote:
>
>> Hello all,
>>
>> I have a setup of guacamole where the user authentication is done by ldap
>> (openldap slapd). Is there an easy way to hand the client IP over to ldap
>> bind requests?
>>
>>
> Maybe you can provide a little more detail on what you're trying to
> accomplish? I'm sure it's possible, but probably not without modifications
> to the code. Also, it'd be interesting to know why this is a desired or
> required configuration?
>
> -Nick
>


Re: How to get client IP address ?

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski 
wrote:

> Hello all,
>
> I have a setup of guacamole where the user authentication is done by ldap
> (openldap slapd). Is there an easy way to hand the client IP over to ldap
> bind requests?
>
>
Maybe you can provide a little more detail on what you're trying to
accomplish? I'm sure it's possible, but probably not without modifications
to the code. Also, it'd be interesting to know why this is a desired or
required configuration?

-Nick


How to get client IP address ?

2024-04-18 Thread Stephan von Krawczynski
Hello all,

I have a setup of guacamole where the user authentication is done by ldap
(openldap slapd). Is there an easy way to hand the client IP over to ldap bind
requests?

-- 
Regards,
Stephan




Re: Pod auto-scaling for guacamole

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 1:30 AM Viji Shankar 
wrote:

> Hi Team,
>
> We are enabling auto-scaling for the Guacamole pod which contains 3
> containers (guacamole, guacd and nginx). After giving load to the container,
> the pod got autoscaled but we are getting the following error when we
> connect VM using guacamole.
>
>
>
> ERROR: *An error has occurred and this action cannot be completed. If the
> problem persists, please notify your system administrator or check your
> system logs.*
>
>
>

You'll need to check the logs further, and possibly enable some additional
debugging, to see what's going on, here. Look at container logs for both
guacamole and guacd containers.


> Please give me some suggestions to enable pod auto-scaling for guacamole.
>

Because Guacamole currently does not have any built-in HA capabilities (for
synchronizing session and such), in a configuration like this you will need
to ensure that:
* The front-end load balancer uses some sort of session tracking or
"stickiness" to make sure that the client gets sent to the same Guacamole
Client (guacamole) container. Otherwise, the client will log in to one of
the guacamole containers, but then on the next request, potentially be
redirected to another guacamole container, which won't "know" about the
login.
* The guacamole containers need to be configured to use a consistent guacd
container for the connection. If any load balancing is configured such that
it might send traffic to multiple back-end guacd containers, this will
likely cause problems and result in errors.

-Nick