Re: Upgrade from 1.2 to 1.4 or 1.5 Scrolling content is overwriting itself
Hello!
I'm having the same issue, only in version 1.5.2 (no upgrade, clean
install, previous versions worked fine) when connecting RDP to virtual
Windows 2022 servers (Hyper-V)
Try using a lower screen resolution, preferably standard sizes (ie
1024x768) in my case that worked
Kind regards,
El 2023-11-06 16:09, Michael Jumper escribió:
On 11/6/2023 1:56 PM, Allen Chen wrote:
Hi there,
After I upgraded guacamole from 1.2 to 1.5.3, scrolling content is
overwriting itself in RDP session. I googled and found a similar issue
https://www.reddit.com/r/archlinux/comments/ajac8i/scrolling_terminal_content_is_overwriting_itself/.
Server environments: CentOS 7.7, tomcat 8, jdk-13 and Apache proxy as
the front end with SSL configured to redirect https to guacamole port
8080
Test 1: downgrade guacamole client to 1.3 and keep guacd on 1.5.3,
scrolling content is working properly both via Apache proxy and direct
access on port 8080;
Test 2: downgrade guacamole client to 1.4 and keep guacd on 1.5.3,
scrolling content is not working properly via Apache proxy, but
working properly via direct access on port 8080;
So the problem is on version 1.4 and 1.5.3 via Apache proxy.
To confirm this, I build a new machine with CentOS Stream release 8,
tomcat 9 and jdk-20, I get exactly the same results listed in Test 1
and Test 2.
I took a screenshot:
Does anybody know what is the issue?
The presence/absence of a proxy has no bearing on the graphical content
of a connection. The only case where a proxy might affect only the
handling of graphical content would be if that proxy adds HTTP headers
that instruct the browser to disallow such content from being decoded
("Content-Security-Policy").
I don't think the above is likely. There would be errors/warnings in
your browser's console if that's the case, and it would probably result
in the connection rendering absolutely nothing. From your screenshots,
things are definitely being rendered.
This looks more like a bug in the remote desktop server hosting the
session (ie: incorrect graphical updates are being sent). I think the
correlations that you're seeing between proxy vs. no proxy, various
releases of Guacamole itself, different versions of Tomcat or the JDK,
etc. are more likely coincidences.
If you can narrow things to purely one version of guacd that works and
another that doesn't, changing absolutely nothing else in the stack
whatsoever, then that could indicate a problem in the handling of
graphical updates or a bug in one of the lower-level libraries that we
consume. I don't think this is likely either, though, as it would have
been loudly noticed by others by now:
https://guacamole.apache.org/faq/#probably-not-a-bug
If you *can* narrow things to a known-good release and a known-bad
release, then a git bisect should reveal the nature of the issue.
- Mike
-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
Re: New to Guacamole and looking for guidance
About #1 I've never used that, so I can't tell... but regarding #2 look at /etc/xrdp/sesman.ini to set the maxsessions allowed... but I think that works mostly for concurrent connections with different users... Although its possible to have several simultaneous connections with the same user on xrdp some software may complain if they are already in use in one of the existing session... you may want to look at: https://c-nergy.be/blog/?p=16698 Regards, El 2023-07-18 05:32, Aaron Contreras escribió: Glad to know this is the right place to ask. As I said, I got quite familiar with Guacamole's docs during last week, but I did not achieve much (besides gaining some general knowledge and learning some basic concepts, which I appreciate ) I will try my best to be more specific, but please feel free to ask for anything I may miss. Our setup consists of the following: * Our host machine (in which Guacamole is installed and to which we are connecting remotely) is running Ubuntu 22.04.2 LTS * Guacamole (and guacd) are installed via Docker, following this template on GitHub [1] We are able to access the Guacamole application and, through it, the host machine remotely. However, we are failing to cover some specific use cases: * We have configured an RDP connection to launch an initial program (a basic calculator provided by gnome), but this setting seems to be ignored * We have configured the maximum numbers of connections and connections per user to 10, but we cannot have more than one concurrent connection to the same user Regarding issue #1, and first of all, we would like to know whether this is something that should be doable in our current setup (i.e. targeting UNIX systems). If that is the case, where should we start looking for the issue? The logs generated during the connection do not provide much information... Anyway, we are attaching them to this email, both using system defaults and with debug mode ON for both guacamole and guacd (although these are quite verbose). Regarding issue #2, as per Lee Doughty's comment, I guess we will need to investigate if there is a way to enable concurrent sessions for the same user in Ubuntu and/or xrdp. If anyone has some information regarding this, we would appreciate you sharing it. Thanks for taking the time to read this email. See you soon!, [2] Aarón Contreras Tech Director redradix.com [2] On Tue, Jul 18, 2023 at 5:43 AM Lee Doughty wrote: I have already spent a few working days diving into Guacamole's docs (installation, configuration, usage...) and into the repository above (checking configuration files, contents of docker containers, logs...) to no avail. It's a fairly common misconception -- Guacamole can't work around OS limitations on concurrent sessions. Really it's the OS that decides how to handle a second session, not Guacamole... Guacamole can do a view only share (I believe, I don't use the feature) but I think that's it. So if you want 2 people interactively using the same server at the same time, using RDP, you need to look into your OS options around that. I'm not up to date on Windows, but I believe only Terminal Services supported multiple RDP connections.. though I imagine things have changed in the last decade. On Mon, Jul 17, 2023, 9:08 PM Nick Couchman wrote: On Mon, Jul 17, 2023 at 11:31 AM Aaron Contreras wrote: Hello there, first of all, I am not sure this is the proper channel to raise this kind of request, so I apologise in advance if it isn't and would appreciate being redirected to the proper channels (if any such channel exists.) I am quite new to Apache Guacamole, I have barely just installed it using a docker-compose setup found on GitHub [3], which at first glance looked OK for starters. Problem is, after creating some RDP connections, I am not able to have some basic functionality working (such as initial program or concurrent sessions...). I have already spent a few working days diving into Guacamole's docs (installation, configuration, usage...) and into the repository above (checking configuration files, contents of docker containers, logs...) to no avail. I understand this is way too generic for anyone to provide an answer, but I would really appreciate it if someone could point me in the right direction to start debugging my installation or to get a better understanding of what may be happening under the hood. This mailing list is a great place to start - hopefully the community, here, can help get you going in the right direction. In addition to that, the Guacamole Manual (Guacamole User Guide, or GUG), is a good place to start reading: https://guacamole.apache.org/doc/gug/ Beyond that, yeah, we're going to need some additional detail from you, probably log entries, or, at the very least, some very specific descriptions of the behavior you're seeing. -Nick
Re: Guacamole and Microsoft Web Application Proxy
Hello! Would be useful to know the rest of your install and components (linux version, tomcat...) I also have 1.4.0 and never had the 60 minutes issue you mention... but I don't use MS WAP, does the authentication there may be time sensitive? Regarding the file transfer that sounds like folder permissions on the linux folder you are storing the files... that's not fixed within Guacamole, but directly on Linux... but might also be you are using a restricted directory, preferrably create a dedicated folder on your server instead of using some ready-made route... Lastone I have no idea, besides perhaps looking at the firewall? El 2023-07-20 02:49, Dose, Volker escribió: Dear all, we are using Guacamole 1.4.0 in combination with a MS WAP. This WAP server forces the user to authenticate against AD FS and only after a successful authentication the user gets to Guacamole to work with. Generally speaking this setup works, bur we are facing some issues with it: * Every 60 minutes the session is disconnected - after pressing F5 the user is able to work, but this is a bit annoying Catalina.out shows a line like this: 17:08:13.871 [main] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity. But the session breaks even if the user in active all the time * We can upload files to the TRANSFER drive, but download does not work - only for files with 0 bytes * Websocket does not work at all, Catalina.out shows this 16:59:40.785 [http-nio-8080-exec-15] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal. Does anybody have a similar setup? Can someone guide me to the right direction? I'm a bit out of ideas right now.. Best regards Volker Dose IT-Infrastruktur
Re: Can't connect on 1.5.2 - Can't find error
Thanks Nick! I'm attaching to this email the guacd logs from 1 failed connection. If it is the bug you mentioned, is there a work around or is just wait until 1.5.3 ? In my case is not an update, was a clean install using: Ubuntu 20.04.6 LTS Apache Tomcat/9.0.75 mysql Ver 8.0.33-0 Thanks again! El 2023-06-16 10:59, Nick Couchman escribió: On Fri, Jun 16, 2023 at 12:49 PM Alejandro Hernandez wrote: Everything "seems" fine, it "works" I can login and create connections. SSH connections are working fine, but I just can't make any RDP connection work; when I select any created RDP connection the normal "connecting" message comes up and instantly I get to the you have been logged out message. I already tried several configuration combinations but same result. On my previous guacamole install the same connection is working fine. You're almost certainly hitting this bug: https://issues.apache.org/jira/browse/GUACAMOLE-1802 We've already fixed it in the staging code for 1.5.3, which will likely be released shortly as another bug fix release. I setted the logging to verbose mode to see what I can find (the attached text file belong to just 1 connection intent) I can see the log "SqlSession of thread: 25 terminated its life-cycle, closing it" but don't know if that's the problem, what that means or if any other message in the log is relevant to my case... The messages related to this bug would show up in guacd's logging, which is usually somewhere syslog-related (/var/log/messages, journalctl, etc.), not in the web logs (logback.xml). So you'd need to increase the verbosity on the guacd side, and then look at those logs. -Nick - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.orgJun 16 11:38:51 dcr-ien guacd[834]: Creating new client for protocol "rdp" Jun 16 11:38:51 dcr-ien guacd[834]: Connection ID is "$17b1313e-aff3-419b-b8b3-5bfa8b44dfab" Jun 16 11:38:51 dcr-ien guacd[1899]: Security mode: NLA Jun 16 11:38:51 dcr-ien guacd[1899]: Resize method: none Jun 16 11:38:51 dcr-ien guacd[1899]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings. Jun 16 11:38:51 dcr-ien guacd[1899]: User "@ae2dbd3b-879a-4d2c-8cd8-dad1471566f1" joined connection "$17b1313e-aff3-419b-b8b3-5bfa8b44dfab" (1 users now present) Jun 16 11:38:51 dcr-ien guacd[1899]: Loading keymap "base" Jun 16 11:38:51 dcr-ien guacd[1899]: Loading keymap "es-latam-qwerty" Jun 16 11:38:52 dcr-ien guacd[1899]: Connected to RDPDR 1.13 as client 0x0003 Jun 16 11:38:52 dcr-ien kernel: guacd[1904]: segfault at 0 ip 7f12a4878ba0 sp 7f12a08c18a8 error 6 in libc-2.31.so[7f12a470f000+178000] Jun 16 11:38:52 dcr-ien kernel: Code: a4 00 00 00 48 83 fa 40 77 0e c5 fe 7f 44 17 e0 c5 fe 7f 07 c5 f8 77 c3 48 81 fa 00 08 00 00 77 9d 48 81 fa 80 00 00 00 77 19 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 44 17 e0 c5 fe 7f 44 17 c0 c5 Jun 16 11:38:53 dcr-ien guacd[834]: Connection "$17b1313e-aff3-419b-b8b3-5bfa8b44dfab" removed. - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Guacamole 1.5.0
Although I really have the fidgetiness about version 1.5.0 (previously new guacamole versions were posted on the 1st day of the year) that's more like the technical justification to send the first mail of the year to this invaluable mail list which has solved a lot of issues for me, and wish a great and blessed 2023 to all that contribute to help all of us out of problems!!! Happy new year!
Re: R: Problem with expired password and TOTP
You're not the only one, I have the same issue, Ubuntu / Guacamole 1.4 (reinstalled several times for non related issues, and always had the same situation) I guess it is a bug, don't have idea if its been reported already... El 2022-06-09 03:07, MAURIZI Lorenzo escribió: Dear all, I would like to bump this thread. This behaviour is only in my installation? Thanks Da: MAURIZI Lorenzo Inviato: giovedì 19 maggio 2022 10:35 A: user@guacamole.apache.org Oggetto: Problem with expired password and TOTP Dear all, I just noticed that in my installation, with TOTP module activated, there is a problem when I create a user with the "Password expired" flag to force password change at first login. The workflow is as follows: 1. The user goes to the login page and enters the username and the first provided password 2. The user gets the password expired form, asking for the new password. After writing the new password twice, he presses "Continue" 3. The user gets the enrollment QR code for TOTP. The user makes the enrollment into the OTP application and gives the first OTP to the screen. After confirming the OTP code, the user gets "Invalid Login" error on top of the page and goes back to the login form. From now on, if the user tries to login again entering the new password, the answer is "Verification failed. Please try again" If he enters the old password, he obtains "Invalid login". Any subsequent try to login (notice: WITHOUT reloading the page) the user obtains the same results as above (Invalid login with the old password, Verification failed with the new password). The only resolution is to renew the page with a Ctrl-F5 or closing and reopening the browser. After reloading the login page, if the user makes access with the new password, the QRCode is displayed again on screen for TOTP enrollment, but the OTP Application is already enrolled, so it is only necessary to enter another OTP generated with the app. In general, this problem occurs every time the user has to change the password for expiration (forced with the Password expired flag, or just expired for password enforcing policy in guacamole.properties), but in a subsequent password change, with TOTP already enrolled, only the request for a "normal" OTP code is shown. But, after entering the OTP, again the user receives the "Invalid login" error and the login page is displayed, and it is necessary to reload the login page to make it work. I think it could be considered a bug? Best Regards Lorenzo
Re: Compile on Ubuntu 22.04 => openssl
Understood... thanks! Another question, probably very basic for this forum but... I'm looking in the git the equivalent file to: https://apache.org/dyn/closer.lua/guacamole/1.4.0/source/guacamole-server-1.4.0.tar.gz But can't find it... it is not built yet? what do I have to do? where do I look for it? Thanks again El 2022-06-01 10:23, Nick Couchman escribió: On Wed, Jun 1, 2022 at 12:19 PM Alejandro Hernandez wrote: Hello everyone, Thanks for the update Mike! Something I don't have clear, probably because mi lack of experience with the git: If I download the server from the "official" Guacamole site: https://guacamole.apache.org/releases/1.4.0/ Thats the version that has the mentioned problems, so instead I should download from the git: https://github.com/apache/guacamole-server Why the download link isn't updated on the main site? The git still a work in progress / beta version that may have some other issues??? Correct, this is the in-progress/development version, not a release, so we do not link in on the site as a release. -Nick
Re: Compile on Ubuntu 22.04 => openssl
Hello everyone, Thanks for the update Mike! Something I don't have clear, probably because mi lack of experience with the git: If I download the server from the "official" Guacamole site: https://guacamole.apache.org/releases/1.4.0/ Thats the version that has the mentioned problems, so instead I should download from the git: https://github.com/apache/guacamole-server Why the download link isn't updated on the main site? The git still a work in progress / beta version that may have some other issues??? THANKS El 2022-04-26 20:24, Michael Jumper escribió: On Tue, Apr 26, 2022, 10:22 Gerd Hoerst wrote: Hi ! i tried to compile the 1.4.0 package for Ubuntu 22.04 but i get some of this errors... make[3]: Verzeichnis „/root/develop/guacamole-server-1.4.0/src/common-ssh" wird betreten CC libguac_common_ssh_la-key.lo key.c: In function 'guac_common_ssh_key_alloc': key.c:63:9: error: 'PEM_read_bio_RSAPrivateKey' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 63 | rsa_key = PEM_read_bio_RSAPrivateKey(key_bio, NULL, NULL, passphrase); | ^~~ In file included from key.c:33: I believe this has already been addressed on the latest git via the support for OpenSSH-format keys. We no longer invoke the function in question, and instead use the key reading functions provided by libssh2. - Mike
Re: Password field on EDIT CONNECTION
It worked!!! It took me a little to create the extension properly, but once I had that it just worked, THANK YOU NICK! El 2022-02-13 20:05, Nick Couchman escribió: On Sat, Feb 12, 2022 at 4:11 PM Alejandro Hernandez wrote: Thanks Nick! Yes, I downloaded the source and intended to rebuild the war after finding out what to modify... but certainly the method you mention should be easier/cleaner if I can find such element. How do you look for the element? Is there a documentation page for the elements? Or is something like analize view / view source? I tried using the analize view in Chrome (sorry, probably too basic idea) but the description there is too generic to find something unique in that particular field, that's why I went instead... I used Chrome's Inspect Element to find the CSS element associated with this, button, which is: .form-field .password-field .icon.toggle-password This is defined in guacamole/src/main/frontend/src/app/form/styles/form-field.css - if you override this CSS for this you can add the following to the definition to disable it: pointer-events: none; -Nick
Re: Options for access to virtual environment
I'm using Ubuntu (LTS) and probably is the most stable option out there (my opinion) I use Ubuntu Server for Guacamole and Ubuntu Desktop to allow RDP connections. The actual answer to your question depends a lot about the specifics of your intended use, since every option comes with its own issues. Generally speaking I've found using Ubuntu Desktop installing xRDP a very useful option for most cases, particularly joining it to the windows domain (realm) so anyone may login using their AD (windows) credentials. You can even add Crossover on top of it (paid version) to install some Windows software like Microsoft Office, SAP GUI, SAP B1, Epicor and some others Hope it helps AH El 2022-02-13 10:05, Hans escribió: TL;DR: I'm looking for advise on using Guacamole to access a virtual desktop environment in a Wayland environment. I was previous running a Tightvnc virtual desktop, this was on a Ubuntu desktop running X11. This would allow me to login remotely via Guacamole and have access to all of my data on my server, but also not disrupt the servers :0 display/environment. With Ubuntu's migration to Wayland I have not found a way to duplicate this setup and am wondering how best I might move forward. Also I should mention that while I could revert to running Ubuntu as X11, I have found benefits to Wayland that I'd like to keep in place. Things I have explored: Continuing to run an virtual X11vnc server at the same time as a wayland physical desktop--this doesn't appear to work. RDP Server- Ubuntu has a built in RDP server, but as far as I can tell there is no way to create a virtual desktop, and it's always connected to the physical desktop. Wayvnc- I thought this was going to be my solution, but it appears to not work with Gnome. While Gnome is not a requirement, I have been unable to get a virtual wayvnc session connected to another desktop environment, but would be interested to know if this is possible. Other possible solutions I have thought about: Running an entire virtual machine on the server and accessing via a Guacamole protocol-- I'd like to know more about and what works best. Using a different distro. I'm in the process of building a new desktop, so if it makes sense to use a distro other that Ubuntu it would be a convenient time to migrate. Something else? Am I just missing something? Guacamole works so great for providing the connection, there has to be a real simple way to get back to what I had before. I look forward to hearing any thoughts and suggestions on this. Hans - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: Password field on EDIT CONNECTION
Thanks Nick! Yes, I downloaded the source and intended to rebuild the war after finding out what to modify... but certainly the method you mention should be easier/cleaner if I can find such element. How do you look for the element? Is there a documentation page for the elements? Or is something like analize view / view source? I tried using the analize view in Chrome (sorry, probably too basic idea) but the description there is too generic to find something unique in that particular field, that's why I went instead... El 2022-02-12 05:36, Nick Couchman escribió: On Fri, Feb 11, 2022 at 4:14 PM Alejandro Hernandez wrote: Hi everyone! I want to remove the lock icon next to the password field in the parameters section while editing a connection, OR disable the function to unmask the field. I know is useful in many cases and from the security perspective not very effective by itself, but I prefer to remove that from my installation. I haven't figured out where or how to remove it, I thought that should be passwordFieldController.js located at: \src\app\form\controllers or passwordField.html at_ \src\app\form\templates in the guacamole-client but no luck. ¿where else should I look at? First of all, don't edit the deployed Tomcat files directly, as changes to those will likely be overwritten. You should download the source (either from the web site or github) and change it, then rebuild and deploy the web application with the changes. Also, I think the change you want to accomplish could be done by using a "branding" extension to override HTML and/or CSS to disable this. I don't have a detailed list of instructions at hand, but you'd basically want to locate the element that represents that lock icon and do something to prevent it's being clicked - replace it with nothing, disable and/or hide it, etc. The manual has instructions for how to update the HTML of the web application, including replacing items, using extensions: https://guacamole.apache.org/doc/gug/guacamole-ext.html -Nick
Password field on EDIT CONNECTION
Hi everyone! I want to remove the lock icon next to the password field in the parameters section while editing a connection, OR disable the function to unmask the field. I know is useful in many cases and from the security perspective not very effective by itself, but I prefer to remove that from my installation. I haven't figured out where or how to remove it, I thought that should be passwordFieldController.js located at: \src\app\form\controllers or passwordField.html at_ \src\app\form\templates in the guacamole-client but no luck. ¿where else should I look at? THANK YOU!!!
Re: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode
Thanks Eli ! If I do that then I would connect to the host instead of the client... and yes, that way works as expected, it goes straight to the desktop, but I need to connect to the client... El 2022-02-09 01:21, Abramson, Eli escribió: Alejandro, I believe you need to change the Security Mode to NLA in the Guacamole connection template. From: Alejandro Hernandez Sent: Tuesday, February 8, 2022 6:48 PM To: user@guacamole.apache.org Cc: sam g Subject: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Thanks Sam! But the key combination does work, what I wanted is to go straight to windows desktop... but thats not happening, that do works if I make a direct connection via RDP, but when using Hyper-V/VMConnect it doesn't, it goes to the welcome screen and asks to unlock :( El 2022-02-03 13:15, sam g escribió: Hello, I have a similar setup and it works. Did you tried Control-Alt-END instead? Sam Le jeudi 3 février 2022, 19:57:02 UTC+1, Alejandro Hernandez a écrit : Hello everyone! I have guacamole 1.3 in ubuntu, using mysql extension. I have a Windows Server 2012 R2 running HyperV In Hyper-V, I cloned a server from production and changed its network adapter to a private virtual switch (to preserve IP settings and avoid conflicts in my production network), so this test server doesn't have access to the internet nor any other network. I successfully setted up in Guacamole an RDP connection using port 2179, security mode Hyper-V/VMConnect and specifying Preconnection BLOB. I also configured username, password and domain, but each time Guacamole connects I get to the Windows welcome screen where you have to press Ctr-Alt-Del to get the login screen, as if I had left blank those fields. ¿is this the expected behavior? ¿or am I missing something? I would prefer to correctly set it up so I dont have to neither change the admin password nor share it with someone else in order to let them login... Thanks!!! Have a great day!!!
Re: 2FA and sharing profile
I understand that the 1) was addressed on version 1.4, now you are able to turn on TOTP just for some users, not all of them About 2) I don't know how, but the link will only work until desconnection of the session, after that if you want to reconnect a new session with an entirely different link will be created... El 2022-02-04 08:31, Don Eugene Paul Viado escribió: Hello, Just wanted to ask if the below function is already possible or any workaround 1.) Mixing 2FA and Password only users - Currently, I have used the totp plugin but this seems to force all users to enroll token on the device. Is it possible to configure some user to not be presented with 2FA challenge and only use their passwords 2.) Sharing profile - Very useful feature but i have concern with security as sharing the URL link goes to some unsecure method (chat, email) which will can be seen by someone else. Is it possible to password protect it so the link can be passed insecurely and the password to some other means Thanks in advance.
Re: About load test
I dont have any experience on jmeter, but what do you want to accomplish? Size your server accordingly I guess??? for how many simultaneous users??? El 2022-02-05 05:07, takuya morita escribió: Hi, I am Takuya. I am planning to measure the load of guacamole. I'm using jmeter, but I'm struggling with it. Is there any good way to do this?
Re: RDP performance
Ok... those specs you provide seems more than sufficient! on the server side it shouldn't be a problem, I've heard about 1cpu and 4gb ram for 10 clients without issues (guacamole server) by your last comment it definitely looks like client (en user) problem... Chrome I guess??? I've never had that problem but I usually don't use several chrome tabs on different guacamole sessions... I however did felt 1.4 version a bit slower than 1.3 Also you may want to look at your firewall in case you have one (Fortinet, Sonicwall) Guacamole over linux??? El 2022-02-03 18:05, International Security Providers escribió: for just 1-2 users currently: RDS: 20 vCPU 12 GB RAM Guacamole: 8 vCPU 8 GB RAM on very performant clients with a good internet-connection (1gbit/s) moving around windows is okayish.. but using lower-end hardware it starts to lag extremely fast when compared to a direct RDP-connection. --- Original Message --- Alejandro Hernandez schrieb am Donnerstag, 3. Februar 2022 um 20:47: What are the server resources for Guacamole AND for your RDP server??? (processors, ram...) El 2022-01-18 14:18, International Security Providers escribió: is there a way to tune Guacamole for better performance with RDP? I only use it with 2 users currently.. and it already lags after some time and is never as snappy as connecting using mstsc. the gucamole-vm is also already quite loaded with ressources.. it's running directly on ssd, has 12gb ram and 12 cpu cores.. I use this setup: https://github.com/8gears/containerized-guacamole
Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode
Thanks Sam! But the key combination does work, what I wanted is to go straight to windows desktop... but thats not happening, that do works if I make a direct connection via RDP, but when using Hyper-V/VMConnect it doesn't, it goes to the welcome screen and asks to unlock :( El 2022-02-03 13:15, sam g escribió: Hello, I have a similar setup and it works. Did you tried Control-Alt-END instead? Sam Le jeudi 3 février 2022, 19:57:02 UTC+1, Alejandro Hernandez a écrit : Hello everyone! I have guacamole 1.3 in ubuntu, using mysql extension. I have a Windows Server 2012 R2 running HyperV In Hyper-V, I cloned a server from production and changed its network adapter to a private virtual switch (to preserve IP settings and avoid conflicts in my production network), so this test server doesn't have access to the internet nor any other network. I successfully setted up in Guacamole an RDP connection using port 2179, security mode Hyper-V/VMConnect and specifying Preconnection BLOB. I also configured username, password and domain, but each time Guacamole connects I get to the Windows welcome screen where you have to press Ctr-Alt-Del to get the login screen, as if I had left blank those fields. ¿is this the expected behavior? ¿or am I missing something? I would prefer to correctly set it up so I dont have to neither change the admin password nor share it with someone else in order to let them login... Thanks!!! Have a great day!!!
Re: RDP performance
What are the server resources for Guacamole AND for your RDP server??? (processors, ram...) El 2022-01-18 14:18, International Security Providers escribió: is there a way to tune Guacamole for better performance with RDP? I only use it with 2 users currently.. and it already lags after some time and is never as snappy as connecting using mstsc. the gucamole-vm is also already quite loaded with ressources.. it's running directly on ssd, has 12gb ram and 12 cpu cores.. I use this setup: https://github.com/8gears/containerized-guacamole
Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode
Hello everyone! I have guacamole 1.3 in ubuntu, using mysql extension. I have a Windows Server 2012 R2 running HyperV In Hyper-V, I cloned a server from production and changed its network adapter to a private virtual switch (to preserve IP settings and avoid conflicts in my production network), so this test server doesn't have access to the internet nor any other network. I successfully setted up in Guacamole an RDP connection using port 2179, security mode Hyper-V/VMConnect and specifying Preconnection BLOB. I also configured username, password and domain, but each time Guacamole connects I get to the Windows welcome screen where you have to press Ctr-Alt-Del to get the login screen, as if I had left blank those fields. ¿is this the expected behavior? ¿or am I missing something? I would prefer to correctly set it up so I dont have to neither change the admin password nor share it with someone else in order to let them login... Thanks!!! Have a great day!!!
Re: Invalid Login
What password are you using to login? Default password I think is "guacadmin" but the MD5 hash you have there does not belong to "guacadmin" should be 5cbd438413e8e3ca0e14e200fde621a9 (I guess, based on https://md5decrypt.net/en/) Kind regards, El 2021-12-02 17:21, Vincent Sprague escribió: I started by spinning up an entirely new vm running Ubuntu Server 20.04.03 to test with. I used the latest Ubuntu 20.04.03 ISO and after a quick Google I found the following guide and used it to install Guacamole 1.3.0. I also ran an apt-get update/install before and after installing guac and there's nothing outstanding currently. For right now I am just using the user-mapping.xml file with a md5 hashed password for authentication. Guacamole on Ubuntu 20.04 - Somik's Home [1] The only thing I added during the Ubuntu install was OpenSSH. Other than that it was a bare install. I have since found a few other older guides that mention potential issues with the freerdp2 package that comes in the official Ubuntu 20.04 repo. I don't think that's my particular issue but I'll probably give it a try and replace the freerdp2 package with the remmina repository version and then remake the Guac install. Failing that I found another guide here: Install and Use Guacamole Remote Desktop on Ubuntu 20.04 | ComputingForGeeks [2] so I'll try that one next as it is a bit more in-depth. Regarding rsyslog, what I read said omfile shouldn't need to be loaded since it's built-in. But here is a copy of my rsyslog.conf file: # /etc/rsyslog.conf configuration file for rsyslog # # For more information install rsyslog-doc and see # /usr/share/doc/rsyslog-doc/html/configuration/index.html # # Default logging rules can be found in /etc/rsyslog.d/50-default.conf # MODULES # module(load="imuxsock") # provides support for local system logging #module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception #module(load="imudp") #input(type="imudp" port="514") # provides TCP syslog reception #module(load="imtcp") #input(type="imtcp" port="514") # provides kernel logging support and enable non-kernel klog messages module(load="imklog" permitnonkernelfacility="on") ### GLOBAL DIRECTIVES ### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Filter duplicated messages $RepeatedMsgReduction on # # Set the default permissions for all log files. # $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup syslog # # Where to place spool and state files # $WorkDirectory /var/spool/rsyslog # # Include all config files in /etc/rsyslog.d/ # $IncludeConfig /etc/rsyslog.d/*.conf Also, for reference here is the user-mapping.xml file I am using. ssh 10.0.0.20 22 rdp windows10 3389 user true Also, here is the output of the Catalina log: 02-Dec-2021 18:53:50.726 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina] 02-Dec-2021 18:53:50.732 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31 (Ubuntu)] 02-Dec-2021 18:53:50.752 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml] 02-Dec-2021 18:53:50.787 WARNING [main] org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute with value [/host-manager] in deployment descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml] has been ignored 02-Dec-2021 18:53:53.381 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 02-Dec-2021 18:53:53.490 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of deployment descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml] has finished in [2,738] ms 02-Dec-2021 18:53:53.495 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/etc/tomcat9/Catalina/localhost/manager.xml] 02-Dec-2021 18:53:53.497 WARNING [main] org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute with value [/manager] in deployment descriptor [/etc/tomcat9/Catalina/localhost/manager.xml] has been ignored 02-Dec-2021 18:53:54.904 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for
Provide reason to connect
Hello everyone! Is it possible to force that the user provides a reason before connecting to and RDP? I'm looking for just plain text for audits, no approval process or similar (although approval processes to allow or not certain connections would be nice!) Thanks and have a great weekend!
Windows 7/2008 RDP compatibility
Hello! Is there a known incompatibility or issue about connecting RDP to Widows 7 Pro or Windows Server 2008/R2? I have Guacamole 1.3.0 on Ubuntu 20.04.2 and works perfect any upper version (Windows 10, 12, 16 & 19) but when connecting to 7/2008 it does connect and after few seconds or minutes (varies) disconnects. I tried moving from NLA to RDP, same result. Tried with several different servers, ALL of those using 7/2008 disconnect. I even reinstalled Guacamole, same result... Curious thing: if I open windows explorer right click MyPC and select properties (I was willing to change RDP settings), in that exact moment it disconnects in every server I tested. If I don't do that it also disconnects, but seems to happen at random timing... THANKS!!!
Re: Renaming Virtual Drive (Guacamole RDP)
Thanks! Your should have a "buy me a coffee" link in your mail signature :) El 2021-09-02 13:08, Nick Couchman escribió: On Thu, Sep 2, 2021 at 3:05 PM Alejandro Hernandez wrote: Hello again!!! When I activate the virtual drive in a RDP connection and I specify a "Drive Name" ie. "Virtual_Drive" it appears in windows as "Virtual_Drive in Guacamole RDP" Is it possible to edit the "Guacamole RDP" part Yes, that's the Client Name parameter in the RDP connection. -Nick
Renaming Virtual Drive (Guacamole RDP)
Hello again!!! When I activate the virtual drive in a RDP connection and I specify a "Drive Name" ie. "Virtual_Drive" it appears in windows as "Virtual_Drive in Guacamole RDP" Is it possible to edit the "Guacamole RDP" part Thanks!!!
Re: Locking password view
Thanks Mike! I wasn't aware of point 2, actually that covers mi situation even better! Have a great day everyone! El 2021-09-01 18:55, Mike Jumper escribió: On Wed, Sep 1, 2021 at 4:29 PM Alejandro Hernandez wrote: Hello! I have 2 admins for Guacamole (GUI level, not Linux level). Outside Guacamole those 2 persons do not share all of their passwords (ie. just one knows the domain admin password). Using Guacamole one could create a session so the other can use the domain admin. Since both are Guacamole admins, if the user that doesn't know the password edits the respective connection would be able to see and then know such password by simply, easily and quickly pressing the lock icon next to it. May I disable such lock icon? So they are able to enter any password anywhere but then unable to see such password so easily... I know that's doesn't make it entirely secure, but in that particular case I think it would be enough. No, and you definitely SHOULD NOT do this. You should only grant full admin-level access to users that truly should be able to see and edit everything. The "administer system" permission is identical in principle to the root user on Linux systems. Your options here would be: * Integrate Guacamole with your Active Directory using LDAP and use parameter tokens to pass through the user's own credentials, that way no credentials are stored: https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens * Do not grant these users full admin permission, but rather only any relevant "create" permissions. They will only be able to see, edit, and manage the connections or users that they create. Despite having admin access to _their_ connections, they won't be able to see or touch the connections created by the other. * Separate the systems, giving one admin access to one and the other admin access to the other. * Leverage the upcoming vault support, when it's ready: https://issues.apache.org/jira/browse/GUACAMOLE-641 Do not grant full admin access to users unless those users truly need and should have that kind of access. If they shouldn't have that kind of access, or you feel the need to restrict that access, then that means they definitely should not be given that level of access. Michael Jumper CEO, Lead Developer Glyptodon Inc [1]. Links: -- [1] https://glyp.to/
Locking password view
Hello! I have 2 admins for Guacamole (GUI level, not Linux level). Outside Guacamole those 2 persons do not share all of their passwords (ie. just one knows the domain admin password). Using Guacamole one could create a session so the other can use the domain admin. Since both are Guacamole admins, if the user that doesn't know the password edits the respective connection would be able to see and then know such password by simply, easily and quickly pressing the lock icon next to it. May I disable such lock icon? So they are able to enter any password anywhere but then unable to see such password so easily... I know that's doesn't make it entirely secure, but in that particular case I think it would be enough.
File permissions on session recordings
I successfully configured guacamole to record sessions to my specified directory and I tested the created files and work great!!! However I'm having an issue: Every new session recording file get created with 600 permission, and I want another user to be able to access those files in case some review is needed. In order to give him access I need to set the file permission to 644. If I manually change the permissions (chmod) it works, but I need to manually set the permission each time he needs a file. how may I set that every new session recording file is created 644 instead of 600 ??? I tried by changing the owner of the directory and via ACL but every new file come again with 600 permission... Ideas THANKS
Re: Maximum number of users that can be registered
I guess the maximum is what the database allows you, wich in practical terms means unlimited ;) Beware: although you may create an unlimited number users, the actual simultaneous users will be restricted up to the server performance... El 2021-08-22 19:42, takuya morita escribió: Thanks!! 2021年8月23日(月) 10:13 Mike Jumper : On Sun, Aug 22, 2021, 17:42 takuya morita wrote: Hi, I am Takuya. Thank you for answering my question before. Apart from that, I have a question. Did the official documents say what the maximum number of users is? If it does not say, please tell me. There is no maximum. - Mike
Re: Translated text not found in translation files - where is it???
I was downloading the already built war file and looking into the server side so I never got there I really don't know how to THANK YOU! El 2021-08-14 14:50, Nick Couchman escribió: They are in one of the translation files: https://github.com/apache/guacamole-client/tree/master/guacamole/src/main/frontend/src/translations https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations The first one is the main one, and contains most of the translations, especially that are common to the entire interface.. Each extension also has its own translation file, as well - the second one linked is where the JDBC extension stores its files. -Nick On Sat, Aug 14, 2021 at 4:05 PM Alejandro Hernandez wrote: Hello! When navigating to SETTINGS -> CONNECTIONS -> NEW CONNECTION (or editing a connection) appear the sections: EDIT CONNECTION, CONCURRENCY LIMITS, LOAD BALANCING, GUACAMOLE PROXY PARAMETERS and PARAMETERS If I change the language (ie. spanish) they get translated: EDITAR CONEXION, LIMITES DE CONCURRENCIA, BALANCEO DE CARGA, PARAMETROS DE PROXY, PARAMETROS Those translations aren't found in the translations/xx.json files. How may I update them??? is there another file??? something inside som class or jar file??? I did a thoroughly search but couldn't find any clue and the search is driving me crazy :( THANKS FOR ANY LIGHT ON THIS ISSUE!!!
Translated text not found in translation files - where is it???
Hello! When navigating to SETTINGS -> CONNECTIONS -> NEW CONNECTION (or editing a connection) appear the sections: EDIT CONNECTION, CONCURRENCY LIMITS, LOAD BALANCING, GUACAMOLE PROXY PARAMETERS and PARAMETERS If I change the language (ie. spanish) they get translated: EDITAR CONEXION, LIMITES DE CONCURRENCIA, BALANCEO DE CARGA, PARAMETROS DE PROXY, PARAMETROS Those translations aren't found in the translations/xx.json files. How may I update them??? is there another file??? something inside som class or jar file??? I did a thoroughly search but couldn't find any clue and the search is driving me crazy :( THANKS FOR ANY LIGHT ON THIS ISSUE!!!
Re: Removing proxy settings from edit connection
Seems a good idea, I'm giving it a try. I was already able to build a .jar file in the extensions directory as explained there, with the same example they provide (a footer in the login page) and it works! The problem now is that the example worked because I already knew I was looking for the ".login-ui .login-dialog" SELECTOR, but I haven't figured out how to find a selector corresponding to that area (guacamole proxy) or something close. Haven't found some reference for that (or any other) part/selector... Any ideas??? THANKS El 2021-08-13 06:58, Nick Couchman escribió: On Fri, Aug 13, 2021 at 2:27 AM Alejandro Hernandez wrote: Hello again! now a not so simple situation. When configuring or editing a connection, in the area below balancing are the settings for GUACAMOLE PROXY (GUACAD) I want to remove that part so no other administrator places anything there. I'm not using the option, it should go blank so I guess is possible but haven't figured out how or where is the template to eliminate that part. Any suggestions??? There's not a real easy way to do this, but I have one idea - you could try to implement a custom extension, similar to a branding extension, and try to JS+CSS to hide it. I've not tried this at all, so I don't know either a) how successful it will be, or b) exactly how to do it, but it's just the first thing that comes to mind. You can check the documentation for guacamole-ext, which describes how to modify the various elements of the web UI with custom extensions: http://guacamole.apache.org/doc/gug/guacamole-ext.html -NIck
Re: Quacamole broken due to application inspection
It is likely as you says that there is a deep packet inspection in the middle (Firewall, ie. Fortinet). If it's the case, the Firewall opens the packets and then encrypts again with its own certificate If it's the case, perhaps it might work using a different browser (ie. chrome doesn't allow add exceptions to that kind of connections but safari does) Another option may be that since the certificate will always be the same (the one from the firewall) add it to the trusted certificates... Hope it helps. El 2021-08-12 22:12, Chris Thompson escribió: I realize there is much more to this than is likely something that can be solved in Guacamole, but I thought I'd throw it out there anyway. I have a Guacamole instance running on a Linux VM behind an Nginx Reverse Proxy with SSL via LetsEncrypt. Works great with one exception... I have a problem with access for one user who has very restricted policies for Internet Access and Group Policies on his Windows Workstation at work. He cannot install any applications or browser plug-ins of any type, and he's seemingly behind some sort of Application Layer Firewall that's breaking the SSL handshaking and somehow issuing their own certifications (presumably to inspect the application traffic as it traverses the network). Wondering if anyone has run into this sort of thing and managed to find a workaround? I was hoping that it would just work being that everything would run in the browser, but somehow that's not the case.
Removing proxy settings from edit connection
Hello again! now a not so simple situation. When configuring or editing a connection, in the area below balancing are the settings for GUACAMOLE PROXY (GUACAD) I want to remove that part so no other administrator places anything there. I'm not using the option, it should go blank so I guess is possible but haven't figured out how or where is the template to eliminate that part. Any suggestions??? Thanks!!!
Re: Remove translations
Thank you!!! I feel bad, that was easy! I went as far as to disassemble LanguageResourceService.class and was wondering where that var was... I'll go slower trough the documentation Have a great day! El 2021-08-12 19:31, Mike Jumper escribió: On Thu, Aug 12, 2021, 17:40 Alejandro Hernandez wrote: Hello! My first forum message! Greetings everyone! Quick question with perhaps not-so-quick answer: How may I remove from the dropdown list of languajes in the configuration section some translations? I want to keep just 3 of them in the list. Thanks See the "allowed-languages" property: https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup - Mike
Remove translations
Hello! My first forum message! Greetings everyone! Quick question with perhaps not-so-quick answer: How may I remove from the dropdown list of languajes in the configuration section some translations? I want to keep just 3 of them in the list. Thanks
