Re: Prompt for username in windows

2022-07-01 Thread Nick Couchman
On Fri, Jul 1, 2022 at 12:31 AM Ivanmarcus 
wrote:

> Sean,
>
> Thanks for returning with the fix, could be useful to someone coming
> here in the future...
>
> On 30/06/22 15:10, Sean Hulbert wrote:
> > Hello,
> >
> > OK found it, if you want windows to prompt with usernames, set your
> > guacamole connection template with no username and password in the field.
> >
> > Go in to your Windows system open regedit and make these changes.
> >
> > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > Server\WinStations\RDP-Tcp]
> >
> > Change “SecurityLayer” value to 1
> >
> > Verify “UserAuthentication” value is 0
> >
> > Next time you login you will be presented with the Windows Login prompt.
>

Note that these registry changes are the same as disabling NLA in the System
-> Remote control panel in Windows.

-Nick


Re: Guacamole/Json - trouble

2022-06-28 Thread Nick Couchman
On Tue, Jun 28, 2022 at 4:29 PM Rick .  wrote:

> Thanks again. I'm onboard with the posting/curling of an encrypted json to
> the container. I just assumed I could use json to both add a user and
> connections to the container. But then I guess I still need something like
> postgres and the init.db file to create the user I then include in the
> json? Can the connections exist only in the json before posting and get
> created that way? Or is the json only used as a filter for users and
> connections all of which are already existing in the container?
>

No, with the JSON extension you do not need the Postgres/MySQL/SQL Server
extension - you can include both the user account information and the
connection information all in the JSON data that you post to the extension,
and Guacamole will provide those connections to the user. If, however, you
want to create other connections in the database module and layer the JSON
authentication on top of that, you can certainly do that, as well. But it
isn't a requirement - the JSON module should be able to operate on its own
without any other supporting modules, either for authentication or
connection storage.

-Nick

>


Re: Can we configure terminal type for SSH Connection

2022-06-28 Thread Nick Couchman
On Tue, Jun 28, 2022 at 4:54 AM Amartya Thorat <
amartya.tho...@logicmonitor.com> wrote:

> Hi Team
> I have a cisco router with terminal type v100
>
> When I am trying to SSH the device gets an error in the device log
>
> The requested term-type 'xterm' is not supported
>
> The requested term-type 'vt102' is not supported
>
>
> Can configure guacamole and send term type in  for  ssh request
>
>
To some degree or another, yes - Guacamole supports setting the terminal
setting on both SSH and Telnet connections. See the following documentation:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#controlling-terminal-behavior

-Nick

>


Re: VNC/RDP connection fail (Invalid Credentials?)

2022-06-27 Thread Nick Couchman
On Mon, Jun 27, 2022 at 11:16 AM Jarek Millburg <
jarekmillb...@eurofinseag.com> wrote:

> Hello there,
>
>
>
> I am working on a new custom web application and am implementing guacamole
> for a VNC and RDP connections to many target machines. My system takes
> input from a user to let the system know what IP address to connect to and
> what credentials they have.
>
>
>
> I do not use a user-mapping.xml file as we have hundreds of target
> machines throughout our network so we prompt the user for all information
> needed to make the connection. When we test without the use of a password
> it makes the connection and then prompts the user within the VNC/RDP
> connection to sign into the target machine. If we include the password with
> the credentials entered by a user then it fails to establish the connection
> and disconnects. Checking the logs the only info I find is that it was
> refused based on Authentication Failure (Invalid Credentials?).
>
>
>
> We know the account information is correct for the machine we are
> accessing so wondering if anyone has any thoughts or input on what we could
> possibly be doing wrong.
>
>
>
> P.S. Most code is based off the Skeleton code provided here : Writing
> your own Guacamole application — Apache Guacamole Manual v1.4.0
> 
>
>
>

A couple of questions for you:
1) Is there a specific reason you're writing your own web application aside
from wanting the users to be able to enter the connection information? If
the only reason you're writing a custom app is because you don't want to
pre-create all of the connections, in user-mapping.xml, JDBC, or LDAP, then
maybe instead of writing an entire separate web application it would be
better to just use a different authentication extension - either use the
Quick Connect module, which allows for entering URIs (e.g.
vnc://192.168.1.100:5900), or write your own module that would allow users to
enter that information.
2) Even if you decide to write a custom application, you can test to make
sure that the stock Guacamole Client is able to connect and authenticate
correctly, which would help you establish where the issue actually is
(custom app vs. Guacamole core components).

-Nick

>


Re: Re: Re: Re: Re: Guacamole LDAP Users - add connections

2022-06-24 Thread Nick Couchman
On Fri, Jun 24, 2022 at 11:30 AM Rene Schrader  wrote:

> Hello Nick,
> thanks again for your help and especially patience.
>
> Is there a specific Apache-Guacamole-log-file that could help me? That
> would be the last idea that I have, because the dependencies for Tomcat9
> can also not be the reason. And the Status of Tomcat9 / the guacd looks
> fine to me.
>
>

Guacamole messages for the client are logged in the Tomcat log file -
generally catalina.out, though it will depend based on how you have Tomcat
configured. There are also instructions on how to change the log level if
you need additional debugging:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

-Nick


Re: Re: Re: Re: Guacamole LDAP Users - add connections

2022-06-24 Thread Nick Couchman
On Fri, Jun 24, 2022 at 8:22 AM Rene Schrader  wrote:

> Okay thanks,
> but then I do not understand why my LDAP did not work.
>
> It was possible to use the login via LDAP if I installed the following
> dependencies:
>
> "apt install make libssh2-1-dev libtelnet-dev libpango1.0-dev 
> libossp-uuid-dev libcairo2-dev libpng-dev libssh2-1 libvncserver-dev 
> libvorbis-dev  gcc libssh-dev libpulse-dev tomcat9 tomcat9-admin tomcat9-docs 
> ghostscript libwebp-dev libavcodec-dev libavutil-dev libswscale-dev 
> libjpeg-turbo8-dev libtool-bin libossp-uuid-dev libavformat-dev freerdp2-dev 
> libwebsockets-dev libssl-dev"
>
> But with this dependencies LDAP did not run, but everything else did:
>
> "apt-get install gcc-6 g++-6 libossp-uuid-dev libavcodec-dev libpango1.0-dev 
> libssh2-1-dev libcairo2-dev libjpeg-turbo8-dev libpng-dev libavutil-dev 
> libswscale-dev libfreerdp-dev libvncserver-dev libssl-dev libvorbis-dev 
> libwebp-dev
>
> tomcat9 tomcat9-admin tomcat9-common tomcat9-user"
>
> What dependency is so important for LDAP here? Answering this question for 
> me is really important because I have to give a presentation about that next 
> week.
>
> And I can't find an answer in the guacamole manual? It drives me crazy.
>
>

Without more information, I could not tell you why LDAP didn't work. But I
can tell you definitively that there is absolutely no link between
guacamole-server dependencies and guacamole-client support for LDAP.

The Guacamole manual is on the Guacamole web site:

https://guacamole.apache.org/
https://guacamole.apache.org/doc/gug/

-Nick


Re: "libvncserver appears to be built against libgcrypt"

2022-06-23 Thread Nick Couchman
On Thu, Jun 23, 2022 at 5:43 PM Khoe, Yonathan 
wrote:

> I had brought up last week about my Guacamole instance not able to VNC to
> our endpoints.  I noticed some additional things coming together.  I tried
> building a new guacamole-server from source and noticed that libgcrypt and
> libvncserver not playing well with each other, thus making the VNC protocol
> dead post compile.  I have ensured that I installed libvncserver-devel on my
> RHEL8.6 server.  Here are my build logs and installed packages.
>
> https://pastebin.com/Z0Av8j5j
>
> https://pastebin.com/fLgdieFg
>
>
I'm not sure what you mean by "not playing well with each other" - from
your pastebin for the build, I see:


   checking whether LIBVNCSERVER_WITH_CLIENT_GCRYPT is declared... yes
   checking gcrypt.h usability... no
   checking gcrypt.h presence... no
   checking for gcrypt.h... no
   configure: WARNING:

   libvncserver appears to be built against
   libgcrypt, but the libgcrypt headers
   could not be found. VNC will be disabled.


This doesn't mean they aren't playing well together, it just means that
libvncserver is built against gcrypt, and you're missing the gcrypt
development files, which guacamole-server requires to correctly build
against libvncserver. This should be as simple a fix as:

dnf install -y libgcrypt-devel

-Nick

>


Re: Guacamole Docker Install Error

2022-06-23 Thread Nick Couchman
On Thu, Jun 23, 2022 at 1:23 PM Woods, Darren L  wrote:

> I’m getting this error message when I run the command:
>
> sudo docker run --name some-guacd -d -p 4822:4822 guacamole/guacd
>
>
>
> docker: Error response from daemon: Conflict. The container name
> "/some-guacd" is already in use by container
> "8062906e4e1eaee1e1433043042ce349201da78eef0f6e5d893d6c9956ca1f8e". You
> have to remove (or rename) that container to be able to reuse that name.
>
> See 'docker run --help'.
>
>
>

Try "docker container list --all" and see if you see the container already
called "some-guacd".

-Nick

>


Re: Weird behaviour - RDP timeout

2022-06-22 Thread Nick Couchman
On Tue, Jun 14, 2022 at 3:17 PM Stefan Bogdan Cimpeanu 
wrote:

> Hi Antony,
> I agree it could be that, however, it does not explain (in my mind) why
> would the Guacamole server behave differently when the user is from Europe
> or from Australia if the target is still in Australia.
> Is there any special connection happening from the end user all the way to
> the target somehow?
>
> Additionally, can that 15 seconds timeout be increased somehow?
>
>
At this point I do not believe the 15 second time limit can be increased,
but I'd also be surprised if it's actually taking 15 seconds to connect to
the server, even if it's going Australia -> Europe -> Australia. I run a
Guacamole instance in Ashburn, Virginia, and access servers in Singapore
and Australia from that instance, and I don't see intermittent or
consistent issues with that.

When you hit the failure, check the guacd logs, and possibly start guacd in
debug mode, and see what the error is. Is it really timing out, or is it
throwing some other error? Is there an Azure firewall, ACL, or network
route in place that could be stopping or disrupting traffic from the
Guacamole server to the target server?

-Nick


Re: Re: Guacamole does not establish a proper RDP session to server

2022-06-22 Thread Nick Couchman
On Thu, Jun 9, 2022 at 7:34 AM Luettecke, Paul 
wrote:

> Hi,
>
> I tried it with multiple versions.
>
> I also tried the latest version 1.4.0.
>
> It is a Windows Server 2016 Datacenter VM but there are also other
> Datacenter servers and they do not show this problem.
>
>
You'll probably need to look at the guacd logs to see the reason for the
failure, and possibly start guacd in debug mode to get some more detailed
logs. guacd generally logs to syslog/journald, so /var/log/messages,
/var/log/syslog, and/or journalctl are good places to start looking for
those logs.

-Nick

>


Re: Issue With Authentik and Guacamole - Infinite Redirect

2022-06-22 Thread Nick Couchman
On Thu, Jun 9, 2022 at 11:14 AM Shehwaz Shamsuddin 
wrote:

> Hello,
>
> I set up Authentik and Guacamole with the configuration found here:
> https://goauthentik.io/integrations/services/apache-guacamole/
>
> The issue I'm running into is that when I access guacamole, I'm greeted
> with the Authentik login screen and after signing in, I get stuck in a
> redirect loop.
>
>
A lot of times re-direct loops with SSO are due to HTTP vs. HTTPS issues
with the Guacamole URL. If you're proxying Guacamole behind a HTTPS proxy
(Nginx, httpd, etc.) you may need to make sure that your proxy is passing
through the X-Forwarded-Proto header, which should result in the
correct/consistent URL being provided to the SSO system.

-Nick

>


Re: Guacamole/Json - trouble

2022-06-22 Thread Nick Couchman
On Mon, Jun 13, 2022 at 12:40 PM Rick .  wrote:

>
> Thanks to you too. So seems like user-mapping.xml is out and maybe json is
> back in then.. If I should avoid touching the properties file and
> overriding the GUACAMOLE_HOME to stay away from unpredictable things. What
> would be the steps to in my case enable json authentification?  Like what
> would be the environment variable I should add in the compose to get the
> desired result? No need to copy the guacamole-auth-json-1.4.0.jar file
> anywhere? Perhaps somehow using its location in the container as an
> environment variable as well?
>

In version 1.4.0 of the Docker image, providing the environment variable
JSON_SECRET_KEY will automatically load the JSON extension in the Docker
image and put the entry in the guacamole.properties file. There's another
environment variable - JSON_TRUSTED_NETWORKS - that can also be specified
and will result in the proper entry in guacamole.properties.

I'm not sure how familiar you are with the JSON extension and how it works
- it isn't just a JSON file on the filesystem - the extension allows you to
pass JSON data in via a HTTP POST request to the Guacamole API, which
contains a user who has been authenticated by an outside system, along with
all of the connections that user should see in Guacamole Client. Also, this
request must be properly signed, using the secret key, as documented in the
manual.

https://guacamole.apache.org/doc/gug/json-auth.html

-Nick
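
Added example (not part of the original messages, and not code from the Guacamole project): a sketch of the signed, encrypted blob the JSON extension expects, following the scheme in the manual linked above (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, then base64). The key, user name, connection name "lab-rdp" and the 192.0.2.10 address are constructed placeholders, and the helper function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: build and check a guacamole-auth-json payload with openssl.
# SECRET_KEY is a constructed 128-bit key (32 hex digits); it must match the
# JSON_SECRET_KEY given to the container and must never be a published value.
SECRET_KEY="00112233445566778899aabbccddeeff"
ZERO_IV="00000000000000000000000000000000"

# make_payload USER EXPIRES_MS HOST
# Emits the JSON for one user with one RDP connection. Inputs are restricted
# to a safe character set so they cannot break out of the JSON strings.
make_payload() {
  case "$1$3" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  printf '{"username":"%s","expires":%s,"connections":{"lab-rdp":{"protocol":"rdp","parameters":{"hostname":"%s","port":"3389","security":"nla"}}}}' \
    "$1" "$2" "$3"
}

# guac_json_token KEY  (JSON on stdin, base64 token on stdout)
# Layout before encryption: 32-byte HMAC-SHA256(JSON) followed by the JSON.
guac_json_token() {
  local key="$1" tmp
  tmp="$(mktemp)" || return 1
  cat > "$tmp"
  {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$key" -binary "$tmp"
    cat "$tmp"
  } | openssl enc -aes-128-cbc -K "$key" -iv "$ZERO_IV" -nosalt -a -A
  rm -f "$tmp"
}

# guac_json_verify KEY  (token on stdin)
# Mirrors the receiving side: decrypt, split off the signature, recompute the
# HMAC over the remaining bytes. Prints the JSON and returns 0 only on a match.
guac_json_verify() {
  local key="$1" dir rc=1
  dir="$(mktemp -d)" || return 1
  if openssl enc -d -aes-128-cbc -K "$key" -iv "$ZERO_IV" -nosalt -a -A \
       > "$dir/plain" 2>/dev/null; then
    head -c 32 "$dir/plain" > "$dir/sig"
    tail -c +33 "$dir/plain" > "$dir/json"
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$key" -binary "$dir/json" \
      > "$dir/expect"
    if cmp -s "$dir/sig" "$dir/expect"; then
      cat "$dir/json"
      rc=0
    fi
  fi
  rm -rf "$dir"
  return "$rc"
}

# Demo: a token valid for five minutes ("expires" is milliseconds since epoch).
expires=$(( ( $(date +%s) + 300 ) * 1000 ))
token="$(make_payload "demo.user" "$expires" "192.0.2.10" | guac_json_token "$SECRET_KEY")"
echo "value for the 'data' parameter: $token"
```

The resulting string is what gets sent, URL-encoded, as the "data" parameter of the POST to the Guacamole API. Keeping "expires" short and restricting JSON_TRUSTED_NETWORKS limits what a captured token is good for.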


Re: Printing using guacamole-common-js and guacamole-lite

2022-06-22 Thread Nick Couchman
On Wed, Jun 15, 2022 at 6:25 AM Matsumoto Yasushi 
wrote:

> Hello, I'm using guacamole-common-js on my frontend and guacamole-lite
> on my backend.
>
>
Please note that guacamole-lite is not an official part of the project, and
not supported by this community/forum. If you need specific help with that,
you'll need to reach out to the maintainer of that code.


> I'm trying to download a file which is printed on guacamole RDP
> connection's redirected printer. I would like to download said file to
> a web browser.
> I confirmed that the program catches a Guacamole.Client.onfile event
> when a file is printed by the redirected printer.
> Is it possible to download the file (to a web browser) which was
> printed through RDP host's redirected printer, using Guacamole-lite
> and Guacamole-common-js?
> I have installed the ghost script, and I managed to download the file
> to the web browser when using guacamole-client.
>
>
Yes, this is the way it is intended to work, and there shouldn't be any
issues. If it is working fine with the stock guacamole-client, but not with
guacamole-lite, then it sounds like there is an issue with guacamole-lite
and you should reach out to the project/maintainer.

-Nick


Re: Sessions tunnel id is null - unable to download/upload files

2022-06-22 Thread Nick Couchman
On Thu, Jun 16, 2022 at 5:17 AM Kuriackovskij, Aleks
 wrote:

> Hi Mike,
>
>
>
> Thank you, but would you mind sending a link to an actual commit/history
> to see what was changed?
>
> Or where can I find Guacamole version with that fix? 1.6.0 isn’t
> available, the latest one is 1.4.0 as I could find. Or I am misinterpreting
> all that? Basically I would like to get a fixed version either by updating
> to the version with the fix or adding a fix manually (if it’s a few lines
> of code) 
>
>
>

1.4.0 is the latest release available - 1.5.0 should be out soon-ish, and
1.6.0 will follow after that.

The commit that applied this fix is in the master branch of the git repo -
here's the merge commit:

https://github.com/apache/guacamole-client/commit/a3e202e6bfb3053d949e0d73ca9364393ef610df

-Nick


Re: question on disabling ssh-key passphrases

2022-06-22 Thread Nick Couchman
On Wed, Jun 22, 2022 at 7:51 AM CYBER PUNK 
wrote:

> Hello
>
> Thanks for the previous help regarding 2FA the environment variable works.
> But I do have a question regarding ssh keys.
> I'm adding my ssh keys in the private key section for key authentication
> i keep being prompted for a passphrase when my keys have none
>
> Is there a way to disable sshkey passphrases
> i've checked my key for a passphrase with ssh-keygen -y
> and i'm still not prompted for one so i am under the assumption I have
> none.
> I also do not recall setting one in the first place. As ive never been
> prompted for one
> when logging in.
>
> Only with guacamole do I get prompted for a passphrase.
>
>
Can you put guacd in debug mode and see what messages you're getting? I
suspect that the actual issue is that the private key format you are using
is either incorrect or not supported by the version of libssh2 you have
installed, but that guacd's behavior when it cannot load the key is to
prompt for a passphrase and re-try with that to see if the key is
encrypted. guacd debug logs should tell you a bit more.

-Nick


Re: Re: Re: Guacamole LDAP Users - add connections

2022-06-22 Thread Nick Couchman
On Wed, Jun 22, 2022 at 4:57 AM Rene Schrader  wrote:

> Hello,
> I have another question regarding LDAP.
>
> If I want to log in via LDAP with the AD data why do I need the
> dependency "Kubernetes" for this. Without this it doesn't seem to work -
> but it is not mentioned in the manual.
>
>

There is absolutely no link between Kubernetes support and LDAP. If you're
"seeing" this, then it is purely coincidence and something else is going
on, here. Guacamole Server (guacd), which is what contains Kubernetes
support, has absolutely no knowledge of or interaction with Guacamole
Client's authentication and authorization components. There is absolutely
no link between the two.

-Nick


Re: Ctrl-Shift-Alt Woes

2022-06-19 Thread Nick Couchman
On Thu, Jun 16, 2022 at 4:18 PM Nick Couchman  wrote:

> Just another note, here - the issue does not seem to be related to the
> Control key - it's something about the Shift key. If I do the key sequence:
> * Press Shift
> * Press Alt
> * Release Alt
> * Release Shift
>
> I see:
> * Press Shift
> guacamole keydown 0xffe1 Left shift
> * Press Alt
> * Release Alt
> guacamole keydown 0xffe9 Left alt
> guacamole keydown 0xffe7 Left meta
> guacamole keyup 0xffe7 Left meta
> guacamole keyup 0xffe9 Left alt
> * Release Shift
> guacamole keyup 0xffe1 Left shift
>
>
Well, I have managed to figure out at least part of what's going on here.
Apparently Linux tends to map Shift + Alt -> Meta. This can be un-done,
but, by default, if you are holding Shift while you press Alt, you get
Meta. This can be seen with "xev":

KeyPress event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1150678547, (59,133), root:(930,609),
state 0x0, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
XLookupString gives 0 bytes:
XmbLookupString gives 0 bytes:
XFilterEvent returns: False

KeyPress event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1150679124, (59,133), root:(930,609),
state 0x1, keycode 64 (keysym 0xffe7, Meta_L), same_screen YES,
XLookupString gives 0 bytes:
XmbLookupString gives 0 bytes:
XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1150679335, (59,133), root:(930,609),
state 0x9, keycode 64 (keysym 0xffe7, Meta_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1150679398, (59,133), root:(930,609),
state 0x1, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

There are a couple of interesting things to note, here, that may still be
buggy with how Guacamole handles it:
* xev does not show any delay in pressing the "Alt" key the way that the
Guacamole Keyboard Test page does (Alt keydown was not shown until Alt was
released).
* xev only shows the Meta key event, it does not show the Alt key event,
whereas Guacamole shows both Alt and Meta.
* Order of the key presses matters - if you press Ctrl + Alt + Shift,
things behave as expected - no Meta keypress, no funny hidden menu
behavior, etc. If you press Ctrl + Shift + Alt, you get funny results.

Based on a hint from a forum post (
https://askubuntu.com/questions/567731/why-is-shift-alt-being-mapped-to-meta),
I use xmodmap to remove the Shift + Alt mapping to Meta, and, with xev this
seems to work:

KeyPress event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151683225, (165,-13), root:(1036,463),
state 0x0, keycode 37 (keysym 0xffe3, Control_L), same_screen YES,
XLookupString gives 0 bytes:
XmbLookupString gives 0 bytes:
XFilterEvent returns: False

KeyPress event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151683371, (165,-13), root:(1036,463),
state 0x4, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
XLookupString gives 0 bytes:
XmbLookupString gives 0 bytes:
XFilterEvent returns: False

KeyPress event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151683570, (165,-13), root:(1036,463),
state 0x5, keycode 64 (keysym 0xffe9, Alt_L), same_screen YES,
XLookupString gives 0 bytes:
XmbLookupString gives 0 bytes:
XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151683720, (165,-13), root:(1036,463),
state 0xd, keycode 64 (keysym 0xffe9, Alt_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151684195, (165,-13), root:(1036,463),
state 0x5, keycode 50 (keysym 0xffe1, Shift_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4c1,
root 0x79b, subw 0x0, time 1151684327, (165,-13), root:(1036,463),
state 0x4, keycode 37 (keysym 0xffe3, Control_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

However, to this point, this has not impacted how the Guacamole Keyboard
API interprets the keys - I still see the Meta key trigger when pressing
Ctrl + Shift + Alt. Not sure if I just need to restart Chrome, or if this
is truly a bug??

-Nick

>


Re: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy

2022-06-17 Thread Nick Couchman
On Fri, Jun 17, 2022 at 10:52 AM Timothy A. Dilbert | BMT <
timothy.dilb...@bmt.ky> wrote:

> Figured it out.
>
> I was able to switch Tomcat over to SSL, which fixed the SAML issue.
>

Thanks for posting your solution - I'll just add that that you can usually
set your front-end proxy (HAProxy in your case, but Nginx and Apache httpd,
as well) to forward the protocol through. This has come up on the mailing
list a few times for folks using other proxy software (Nginx, for example).
Here was Mike's response to one of those questions:

https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95

Basically you need to tell the proxy software to forward through some other
items. Based on a couple of searches, it seems like HAProxy achieves this
through the "http-request set-header" options, which I would imagine could
be used for any/all of the required headers. The following page has some
discussion/reference for it - I've not actually tried it, so I can't
provide a complete working configuration, but should point in the right
direction:

https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy

-Nick

>


Re: GuacD server never initiate a connection to the endpoint

2022-06-16 Thread Nick Couchman
On Thu, Jun 16, 2022 at 8:27 PM Khoe, Yonathan 
wrote:

> In my setup, the guacamole web client communicates to the guacd server via
> WebSocket, but the VNC traffic to the endpoint machine never appears in
> TCPDump on the guacd server.
>
>
Can you start guacd in debug mode, and post the logs?

/path/to/sbin/guacd -L debug -f

-Nick


Re: [EXT] Re: "Unable to add user" error in guacd process

2022-06-16 Thread Nick Couchman
On Thu, Jun 16, 2022 at 5:40 PM Khoe, Yonathan 
wrote:

> Hi, Nick,
>
> Which logs would you like in this case? /var/log/messages?
>
> https://pastebin.com/zgdAgD6s
>
>
>
> And this is the catalina.out
>
> https://pastebin.com/KuuLWe3x
>
>
>

You might want to start at least guacd in debug mode - you can stop the
service and just run guacd from the command line with something like:
/path/to/sbin/guacd -L debug -f

This will turn on debug mode and keep it in the foreground. Then retry your
connection.

-Nick

>


Re: Ctrl-Shift-Alt Woes

2022-06-16 Thread Nick Couchman
On Thu, Jun 16, 2022 at 4:07 PM Nick Couchman 
wrote:

> Hello, everyone,
> I've posted a couple of times about this in various places, but I'm seeing
> some really odd behavior after version 1.4.0 for Ctrl-Shift-Alt sequences.
> I've used the Keyboard API tester, and I'm seeing a few oddities, there, as
> well. I will try to describe them as best I can, though it's a little hard
> to describe...
>
> First, I see an issue where, during the Ctrl-Shift-Alt keypress sequence,
> the Alt key-down doesn't get sent until another key is released. Here's the
> sequence that I press:
>
> * Press Control
> * Press Shift
> * Press Alt
> * Release Control
> * Release Shift
> * Release Alt
>
> Here is how the actual timing works out on the Keyboard API Test page:
> * Press Control
> guacamole keydown 0xffe3 Left control
> * Press Shift
> guacamole keydown 0xffe1 Left shift
> * Press Alt
> * Release Control
> guacamole keyup 0xffe3 Left control
> guacamole keydown 0xffe9 Left alt
> * Release Shift
> guacamole keyup 0xffe1 Left shift
> guacamole keyup 0xffe9 Left alt
> * Release Alt
>
> Two things jump out, here:
> * The "Alt" keydown doesn't get sent until the "Control" key is released.
> * Both the "Shift" and "Alt" keyup events occur as soon as "Shift" is
> released - while "Alt" is still pressed.
>
> The second interesting one is this:
> * Press Control
> * Press Shift
> * Press Alt
> * Release Alt
> * Release Shift
> * Release Control
>
> This results in the following sequence:
> * Press Control
> guacamole keydown 0xffe3 Left control
> * Press Shift
> guacamole keydown 0xffe1 Left shift
> * Press Alt
> * Release Alt
> guacamole keydown 0xffe9 Left alt
> guacamole keydown 0xffe7 Left meta
> guacamole keyup 0xffe7 Left meta
> guacamole keyup 0xffe9 Left alt
> * Release Shift
> guacamole keyup 0xffe1 Left shift
> * Release Control
> guacamole keyup 0xffe3 Left control
>
> The items of note, here, are that:
> * The Alt keydown is not sent until Alt is actually released.
> * The Meta keydown is sent along with the Alt keydown, which is completely
> unintended.
>
>
Just another note, here - the issue does not seem to be related to the
Control key - it's something about the Shift key. If I do the key sequence:
* Press Shift
* Press Alt
* Release Alt
* Release Shift

I see:
* Press Shift
guacamole keydown 0xffe1 Left shift
* Press Alt
* Release Alt
guacamole keydown 0xffe9 Left alt
guacamole keydown 0xffe7 Left meta
guacamole keyup 0xffe7 Left meta
guacamole keyup 0xffe9 Left alt
* Release Shift
guacamole keyup 0xffe1 Left shift

Additionally, if I use the Alt key on its own, or with other keys (letters,
for example), it works fine. And, if I press, Alt, first, and then Shift,
the keydown/keyup also works as expected. It is something about the Shift
-> Alt sequence.

-Nick

>


Ctrl-Shift-Alt Woes

2022-06-16 Thread Nick Couchman
Hello, everyone,
I've posted a couple of times about this in various places, but I'm seeing
some really odd behavior after version 1.4.0 for Ctrl-Shift-Alt sequences.
I've used the Keyboard API tester, and I'm seeing a few oddities, there, as
well. I will try to describe them as best I can, though it's a little hard
to describe...

First, I see an issue where, during the Ctrl-Shift-Alt keypress sequence,
the Alt key-down doesn't get sent until another key is released. Here's the
sequence that I press:

* Press Control
* Press Shift
* Press Alt
* Release Control
* Release Shift
* Release Alt

Here is how the actual timing works out on the Keyboard API Test page:
* Press Control
guacamole keydown 0xffe3 Left control
* Press Shift
guacamole keydown 0xffe1 Left shift
* Press Alt
* Release Control
guacamole keyup 0xffe3 Left control
guacamole keydown 0xffe9 Left alt
* Release Shift
guacamole keyup 0xffe1 Left shift
guacamole keyup 0xffe9 Left alt
* Release Alt

Two things jump out, here:
* The "Alt" keydown doesn't get sent until the "Control" key is released.
* Both the "Shift" and "Alt" keyup events occur as soon as "Shift" is
released - while "Alt" is still pressed.

The second interesting one is this:
* Press Control
* Press Shift
* Press Alt
* Release Alt
* Release Shift
* Release Control

This results in the following sequence:
* Press Control
guacamole keydown 0xffe3 Left control
* Press Shift
guacamole keydown 0xffe1 Left shift
* Press Alt
* Release Alt
guacamole keydown 0xffe9 Left alt
guacamole keydown 0xffe7 Left meta
guacamole keyup 0xffe7 Left meta
guacamole keyup 0xffe9 Left alt
* Release Shift
guacamole keyup 0xffe1 Left shift
* Release Control
guacamole keyup 0xffe3 Left control

The items of note, here, are that:
* The Alt keydown is not sent until Alt is actually released.
* The Meta keydown is sent along with the Alt keydown, which is completely
unintended.

The practical implications of this are that the hidden Guacamole menu gets
stuck or the web page thinks that a key is still pressed, so that, after
the first time that I open the menu, if I simply press Ctrl-Shift, the menu
pops in or pops out, presumably because there is some "confusion" about the
state of the keys.

It's entirely possible that my window manager (Xfce) is throwing some
challenges into the mix, but this only stopped working for me after
updating from 1.3.0 to 1.4.0, with the same window manager, so _something_
in that version change seems to have broken things for me. Any ideas?


Re: "Unable to add user" error in guacd process

2022-06-16 Thread Nick Couchman
On Thu, Jun 16, 2022 at 10:15 AM Khoe, Yonathan 
wrote:

> Hello Mike Jumper and others,
>
> Does anybody know why this would pop up?  I’m trying to troubleshoot an
> issue we’re having with not being able to connect to VNC from the guacamole
> web interface.  Not certain that this is the culprit, but I want to try to
> eliminate it anyways.
>
>
>
> Our Guacamole stack is already using guac-auth-LDAP as a directory service
> method, so if this error pertains to the user-mapping.xml default
> authentication method, I don’t touch that anymore as part of my (re)build.
>
>
>
>
>
>
>

You'll need to provide more detailed logs - this isn't enough information
to go on.

-Nick

>


Re: Guacamole/Json - trouble

2022-06-13 Thread Nick Couchman
On Mon, Jun 13, 2022 at 7:32 AM Lee Doughty 
wrote:

> You could use docker-compose to "volume" mount the user-mapping.xml file
> to /etc/guacamole, and that should work for what you're trying to
> accomplish. If you don't provide it postgres or any hints that you're trying
> to do another auth system, it should fall back to the XML file. (See
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html )
>
>
I would not use user-mapping.xml in any sort of production or extended
environment. It's really intended to make sure you get Guacamole working,
and then you should use one of the other extensions.


>
> You shouldn't need any of the postgres and environment rewrites or your
> extension...I don't think the JSON approach is a great idea based on your
> requirements, it's probably overall more complicated than using postgres,
> as it has a different use case
>
>
The Guacamole Docker image takes care of writing the guacamole.properties
file on its own with the values you provide in the environment variables.
Attempting to generate your own, map GUACAMOLE_HOME, etc., is likely to
result in odd and unpredictable behavior.

-Nick


Re: Re: Guacamole LDAP Users - add connections

2022-06-13 Thread Nick Couchman
On Mon, Jun 13, 2022 at 2:42 AM Rene Schrader  wrote:

> Hey,
> thanks for your answer.
>
> More beginner-Questions:
>
> Do I need access to the AD for 1) and 2) or do changes only take place in
> my Guacamole VM?
>

Yes, you need to be an active directory admin to extend the Schema (or have
your AD admins do it for you).

And, yes, you'll need to have some level of access to AD in order to add
the entries - this doesn't necessarily require admin access, as the AD
Admins can delegate permissions for you to a particular OU.


> Are there detailed instructions for this on the internet? Without will be
> somewhat difficult - I am completely new to the subject.
>
>

I'm sure there are - I don't have a good set of them around, but maybe
someone else on the list can help out.

-Nick


Re: Guacamole LDAP Users - add connections

2022-06-12 Thread Nick Couchman
On Sun, Jun 12, 2022 at 2:12 PM Sebastian Männling <
sebastian.maennl...@qubestack.org> wrote:

> Hi Rene,
>
> did something like that some time ago…
> for testing I used vagrant, using the following file…
>
>
> https://github.com/maennlse/vagrant-guac-ad/blob/02299810b0a73d51dd5b39d4ba5d0aaf600e4d39/Vagrantfile
>
> Maybe you can “extract” the relevant stuff from there…
>
> Basically it should be line 181 to extend the ad schema…
> and 192-211 to add a connection…
>
> … if I understood your question correctly.
>
> Greetings,
> Sebastian
>
> On 12. Jun 2022, at 18:25, Rene Schrader  wrote:
>
> 
> Hello all,
>
> I have a question regarding authorization with LDAP.
> Currently my system works like this:
> - One can successfully log in using the Active Directory data.
> - I can assign users a connection via the MariaDB database, which they can
> then use after authentication via LDAP.
>
> I would like to have LDAP handle the authorization directly. For this
> there are the schema files ".ldif" for OpenLDAP and ".schema" for the AD.
> If I would use OpenLDAP, I would use the command "ldapadd". But how do I
> make changes if I use an Active Directory. I really can't find anything on
> the internet about this -
> there must be some reasonable instructions on how I enter the connections
> into this .schema file?
>
>
There are two steps to this:
1) Extend the AD schema to support the Guacamole extensions.
2) Add the entries to the LDAP directory.

If you want LDAP to handle all of the connection storage, you absolutely
must do these in order - the schema must be extended, first, and then you
can add the entries.

From what I've found, ldifde is the Windows tool for doing AD schema
extensions, so you might look into that. After the schema is extended you
can then create entries using either a LDIF file or some sort of LDAP
browser.

-Nick


Re: LDAP authentication fail

2022-06-12 Thread Nick Couchman
On Sat, Jun 11, 2022 at 5:24 AM Arkaprabha Chakraborty <
chakrabortyarkaprabha...@gmail.com> wrote:

> I'm using guacamole 1.3.0 for ldap authentication and migration of users.
> after configuration I get this in logs
> ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using
> search DN "CN=guacldap,OU=IT,OU=DSCC,DC=dccil,DC=local"
>
>
There must be something incorrect about this particular bind DN or
password, or something on the LDAP side blocking it. Make sure that:
* You can access the specified host/port combination from the Guacamole
server (no firewalls blocking)
* You can use the bind DN and password to manually query the LDAP tree
(using ldapsearch, for example). Make sure to include testing the correct
encryption method.

-Nick


Re: Central Configuration

2022-06-11 Thread Nick Couchman
On Sat, Jun 11, 2022 at 05:59 Dirk Laurenz  wrote:

> Hi,
>
>
>
> Thanks. Did I miss the documentation? I only find different auth methods,
> but not more…
>
>
>

The documentation is here:

https://guacamole.apache.org/doc/gug/

The different authentication methods are exactly how you store connection
information - read those pages carefully and you will see how they replace
and enhance the configuration provided by the user mapping file.

- Nick


Re: Frequent disconnections occurring now

2022-06-09 Thread Nick Couchman
On Thu, Jun 9, 2022 at 12:36 AM Lockhart, Roland 
wrote:

> Hi
>
>
>
> The server is hosted in AWS, so drivers are native. Instance is T2.large
> if you know what that is
>
>
>
> Internal network traffic is symmetrical line speed determined by the
> instance type. Internet will be the same
>
>
>
> HM VM’s does the host have? Hundreds I would guess. Hypervisor in ZEN
>
>
>
> The instances runs 5 docker containers with proxy, database and 3 guac
> services
>
>
>
> The guac version is 0.99
>
>
There was never any such version as 0.99 - there probably was a 0.9.9, but
that is many years old. Can you confirm that this is indeed the version of
Guacamole you're running? If so, you might want to start by upgrading it.

-Nick

>


Re: SOCKS5 proxy for guacd connections

2022-06-09 Thread Nick Couchman
On Thu, Jun 9, 2022 at 12:18 AM Yang Yang  wrote:

> Hello,
>
> Is it possible for guacd to connect a machine (SSH or RDP) through a SOCKS5
> proxy? If yes, could you help to tell what I should do? There is no [proxy]
> section in guacd.conf.
>
>
Not without some modifications to the Guacamole code. In general the idea
behind Guacamole is that guacd, at the very least, lives as close to the
remote systems that it is connecting to as possible, preferably within the
network boundary. This doesn't have to be the case, but currently there is
no option to connect via SOCKS.

-Nick


Re: Guacamole does not establish a proper RDP session to server

2022-06-09 Thread Nick Couchman
On Thu, Jun 9, 2022 at 5:05 AM Luettecke, Paul 
wrote:

> Hello!
>
>
>
> I am currently testing Guacamole in my virtual environment.
>

What version of Guacamole?

>
>
> There are two DirectAccess servers running right now that are causing the
> problems.
>

What O/S and/or RDP server version?


>
>
> With a normal RDP client the connection can be made, but when I use
> Guacamole I only get a black screen and sometimes my mouse cursor.
>
>
>
> In Guacamole itself it is set up like all other servers. So that can't be
> the reason.
>
>
>
> Is there anyone who has had this or a similar problem?
>
>
>

I use Guacamole daily to access many Windows and Linux servers and do not
see this issue.

-Nick

>


Re: Request users to confirm/extend sessions

2022-06-08 Thread Nick Couchman
On Wed, Jun 8, 2022 at 11:16 AM Lee Doughty 
wrote:

> Lots of activity on the mailing list the last 2-3 weeks. Recent
> discussions got me thinking (again) about a more specific/pointed feature
> request that helps alleviate some issues that I think many of us Guacamole
> administrators would like:
>
> I think it would be a nice feature to:
> 1) Monitor for some kind of real-user-to-vm activity, and having the
> connection disconnect if it sits idle for a configured period of time
> 2) and/or: a feature to require the user to take an action to extend their
> session after a configured amount of time
>
> This seems to also address some of the pushback and use cases mentioned on
> https://issues.apache.org/jira/browse/GUACAMOLE-1126 -- where many of us
> are trying to balance resources & costs, and user activity / action is what
> determines if we have a user's VM loaded/online/existing.
>
> * Mark Nolan noted he spins up VMs on connection, and presumably then,
> turns them off after some period when the user is not connected. This is
> very similar to my use case.
>
> * Alexander Fischer noted that inactive users trigger reconnection, which
> might be a cause of an issue for him... but would also likely be mitigated
> if reconnection factored in the last time the user seems to have used
> guacamole when deciding to try and reconnect.
>
> * Edgardo Rodriguez noted in his initial description of G-1126 that users
> walk/tab away from Guacamole (also a pain point I feel regularly)... This
> kind of feature would likely reduce the need for limiting retry attempts
> (though I think _a_ limit on retry attempts is a nice feature on its own)
>
> Basically, identify when a user is not actually using the machine anymore,
> and allow the guacamole server to go through the connection close-out
> process. This saves on guacamole server resources, and can allow those of
> us with hooks on connection states to perform our desired actions (like
> freeing the target for a new user, shutting down the VM, etc.).
>
> This is obviously also a help for budgeting & resource management -- do I
> really have 500 active guacamole sessions, or 300 active guacamole sessions
> and 200 connections that are idle for 6+ hours, or days? Without snooping
> on the sessions, or the target VMs, I'm not aware of an ability to extract
> this information right now. If I could say I want sessions that are idle
> for 3 hours to be closed out, I can at least be sure the connections have
> seen activity in that time window.
>
> This doesn't exactly address what "activity" is, but I think it would be
> safe to assume that automated re-connection is not user activity... we'd
> probably want to see the mouse move in the guacamole tab, or a keypress.
>
> Would love to hear others thoughts on this kind of feature
>
>
My biggest question, here, is why we would re-invent this wheel? For RDP,
at least, and possibly for other protocols, the destination/remote system
itself is able to detect when a user is active, and set either session or
idle limits (or both) based on that user activity, and then take some sort
of action (usually logging the user off) when the user is idle or their
session limit has expired. And, while this is generally only logging the
user off, and doesn't involve shutting the remote system down, I would
think that the shut down of the remote system could be either triggered by
lack of user login on the system (I suspect there are utilities already out
there to do this), or by Guacamole (once the session actually ends, you
could have an extension go power off the remote system).

This avoids having to try to detect user activity within Guacamole itself,
but gives you what I think you're looking for?

Glad to see the discussion - just my initial thoughts, so let me know if
that does not, for some reason, meet the need.

-Nick


Re: Logout when using SAML SSO

2022-06-07 Thread Nick Couchman
On Tue, Jun 7, 2022 at 7:39 AM Vieri  wrote:

> Hi,
>
> When I select "Logout" from the dropdown menu in guacamole-client I can
> see the message that says that I've successfully logged out and a button  I
> can click on to re-login.
>
> Whether I click on that button or go to my main Guacamole URL I am
> immediately redirected to the IdP and then immediately sent back to my
> Guacamole SP without even getting a chance to enter another user's
> credentials.
> I'd have to close the browser to do that.
>
> How can I force a logout so that the IdP asks for my credentials again
> without having to close the browser?
>
> I think I might need to call something like /endpoint/logout?ReturnTo=,
> but I'm unsure as how and where to do this.
>
>
Yes, SLO is not implemented in Guacamole at the moment - there are existing
Jira issues out there to implement this in each of the SSO extensions, but
this work has not been done.

-Nick


Re: Guacamole and web links: how to use RemoteApp

2022-06-06 Thread Nick Couchman
On Mon, Jun 6, 2022 at 6:33 PM Vieri  wrote:

>  On Sunday, June 5, 2022, 03:02:35 PM GMT+2, Nick Couchman <
> vn...@apache.org> wrote:
>
> >
> > Yeah, I think the issue, here, is that Windows does not "know" the
> difference between URLs within the browser - it just knows that either
> Firefox is running, or it is not. I'm not sure
> > that Remote App can actually solve your issues, here.
>
> RemoteApps and Firefox in kiosk mode were mentioned several times on this
> list for this purpose.
>
>
Yes, I'm likely the one who has mentioned it, in response to queries about
Guacamole supporting HTTP(S) as a protocol. There are probably situations
and configurations that could work out, but there are certainly challenges
to work through and maybe even things that won't work. My mentions of it
have been, to my recollection, generic and theoretical, and certainly in
need of proving in the real world :-). I'll try to get some time to play
around with a more real-world configuration and see if I can get something
to work.


> Since kiosk mode does not work for me I tried using userchrome.css to
> disable most GUI components and launch Firefox as a private window. The
> user cannot do anything useful except close the browser by clicking on the
> window X button. It works a lot better than in kiosk mode. However, I'm
> using a common "profile dir" for all RemoteApp instances (multiple users).
> Despite launching in "private window" I'm still unsure this is "safe" to be
> used in a multi-user environment.
>
>
Cool, this sounds like a workable solution. As far as the shared profile
directory, if it were me, I would certainly launch each individual user
with a different/separate profile, but you can find a configuration that
works for you.

-Nick


Re: Guacamole and web links: how to use RemoteApp

2022-06-05 Thread Nick Couchman
On Fri, Jun 3, 2022 at 4:26 AM Vieri  wrote:

> Hi,
>
> People on this list have mentioned creating Guacamole RDP RemoteApp
> connections using a browser such as Firefox in Kiosk mode to allow for "web
> links" within the Guacamole platform.
>
> I'm having issues with my RemoteApp call, and I'm wondering if anyone
> has already dealt with this problem.
>
> I'm calling firefox with -no-remote -private --kiosk URL (I can leave the
> first two out and I still get the same behavior).
>
> The first time I call it with a given RDP user login, no problem.
>
> Since I don't know how to close the browser in kiosk mode, I simply
> disconnect by pressing the X on the small window within Guacamole
> (obviously the RDP session and Firefox are still running).
>
> Now, if I connect to another RemoteApp that calls either Firefox or
> another browser on the same host, it does not open the "new URL" of the
> second RemoteApp. Instead, I reconnect to the previous RemoteApp (I see
> Firefox in kiosk mode with the first URL).
>
>
Yeah, I think the issue, here, is that Windows does not "know" the
difference between URLs within the browser - it just knows that either
Firefox is running, or it is not. I'm not sure that Remote App can actually
solve your issues, here.

-Nick


Re: upgrade from 0.8.4 ubuntu

2022-06-05 Thread Nick Couchman
On Sat, Jun 4, 2022 at 3:34 AM Cristian Nuzzo  wrote:

> The Guacamole documentation says that on ubuntu I can install Guacamole
> simply with:
>
> apt-get install guacamole-tomcat
>
> I don't know why I can't upgrade it in the same way...
>
>
Whatever documentation you are reading is not part of the Guacamole
project's official documentation, all of which can be found, here:
https://guacamole.apache.org/doc/gug/. If you're reading documentation from
any site other than that, you need to contact the person who owns or
maintains that site about that documentation.

Luke's instructions in his reply may help you out, as well.

-Nick


Re: user logs in but cannot see authorized connection

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 6:51 PM Vieri  wrote:

> Any ideas on this matter?
> It's important to correctly honor groups sent via SAML.
>
> I see this:
>
> SAMLAuthenticatedUser.java:List samlGroups =
> identity.getAttributes().get(confService.getGroupAttribute());
>
> called in:
>
> SAMLAuthenticatedUser.java:private Set
> getGroups(AssertedIdentity identity)
>
> called by:
>
> SAMLAuthenticatedUser.java:super.init(identity.getUsername(),
> credentials, getGroups(identity), getTokens(identity));
>
> and in the tomcat log everything seems to be in order:
>
> o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters:
> 3(Integer), group1(String), group2(String), My_Group(String), group3(String)
>
>
Does the case of the groups created in JDBC match the case in this log
message? So, for example, is your JDBC group called "group1" or "Group1" or
"GROUP1"? It needs to match exactly.

-Nick
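
Added example (not part of the thread or of the Guacamole code base): a small check for the exact-match requirement stated in the reply above. It parses the group names out of the `selectEffectiveGroupIdentifiers` parameter line quoted in the question and compares them with a constructed list of JDBC group names; `JDBC_GROUPS` and the function names are assumptions made for illustration.

```python
import re

# The MyBatis parameter line quoted in the question above (Tomcat log).
LOG_LINE = (
    "o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters: "
    "3(Integer), group1(String), group2(String), My_Group(String), group3(String)"
)

# Constructed sample: group names as an admin might have created them in the
# JDBC (database) module. Replace with the names from your own database.
JDBC_GROUPS = ["group1", "Group2", "my_group", "admins"]

# One logged parameter looks like "value(Type)".
PARAM_RE = re.compile(r"^(?P<value>.*)\((?P<type>[A-Za-z]+)\)$")


def parse_asserted_groups(log_line):
    """Return the String parameters (the group names) of a 'Parameters:' line.

    Assumes group names do not themselves contain ", ", which is the
    separator MyBatis uses between logged parameters.
    """
    marker = "Parameters:"
    if marker not in log_line:
        raise ValueError("not a MyBatis parameter line")
    groups = []
    for raw in log_line.split(marker, 1)[1].split(", "):
        match = PARAM_RE.match(raw.strip())
        if match and match.group("type") == "String":
            groups.append(match.group("value"))
    return groups


def classify(asserted, jdbc_groups):
    """Sort asserted SAML groups into exact matches, case-only mismatches,
    and names with no JDBC counterpart at all."""
    exact = set(jdbc_groups)
    by_folded = {}
    for name in jdbc_groups:
        by_folded.setdefault(name.casefold(), []).append(name)

    report = {"match": [], "case_mismatch": [], "absent": []}
    for name in asserted:
        if name in exact:
            report["match"].append(name)
        elif name.casefold() in by_folded:
            # Same letters, different case: the group exists but is not an
            # exact match for what the IdP sent.
            report["case_mismatch"].append((name, by_folded[name.casefold()]))
        else:
            report["absent"].append(name)
    return report


if __name__ == "__main__":
    result = classify(parse_asserted_groups(LOG_LINE), JDBC_GROUPS)
    for name in result["match"]:
        print(f"OK             {name}")
    for name, candidates in result["case_mismatch"]:
        print(f"CASE MISMATCH  {name} (JDBC has: {', '.join(candidates)})")
    for name in result["absent"]:
        print(f"NOT IN JDBC    {name}")
```

A `CASE MISMATCH` row is the situation the reply describes: the group is asserted by SAML and exists in JDBC, but the names are not identical.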


Re: Frequent disconnections occurring now

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 8:18 PM Lockhart, Roland 
wrote:

> Hi
>
>
>
> These seem to be from the same user with 4 sessions this morning
>
>
>
> There seem to be various causes
>
>
>
> That user logs in via a highly available corporate network so it should be
> reliable
>
>
>
> I am curious about these two logged events
>
>
>
> "The disconnection was initiated by an administrative tool on the server
> running in the user's session.”
>
>
>
> Could the user be doing something?
>
>
>

This would seem to indicate either the user doing something (logging off)
or an administrative setting kicking in that is forcing the logoff (idle
session timeout, session time limit, etc.).

-Nick

>


Re: Compile on Ubuntu 22.04 => openssl

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 12:36 PM Alejandro Hernandez 
wrote:

> Understood... thanks!
>
> Another question, probably very basic for this forum but... I'm looking in
> the git the equivalent file to:
>
>
> https://apache.org/dyn/closer.lua/guacamole/1.4.0/source/guacamole-server-1.4.0.tar.gz
>
>
> But can't find it... it is not built yet? what do I have to do? where do I
> look for it?
>
Well, no, not really - the files only get built during the release process.
That said, it is possible to get a zip file of the git master repo - if you
go to the github page, there is a green "code" button and you can click
that and there is a "Download ZIP" link that will download the git code.

-Nick

>


Re: Apache Guacamole html page edit

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 12:54 PM Suat Toksöz  wrote:

> So, what is your suggestion for me to edit admin active session tab?
>
>
Creating a custom extension and using the HTML replace functionality is the
best way to make sure that your changes are future-proof - the base of
Guacamole Client can stay unmodified, which means upgrades won't require
any re-application of changes.

That said, you should be advised that simply hiding the HTML link for the
admin doesn't mean that the functionality is disabled - someone with
knowledge of the Guacamole code and how the links are generated could
retrieve the link and access the session, anyway. Removing the HTML link is
just "security by obscurity."

-Nick

>


Re: Apache Guacamole html page edit

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 12:06 PM Joachim Lindenberg 
wrote:

> Two questions:
>
>- can this be done with an extension rather than a modification?
>
Yes, and this would be a better way to do it. You should be able to use
the  tag along with "replace", as documented in the guacamole-ext
page in the manual, to replace the content that creates the link.


>- didn't this come up several times earlier and could be a
>configuration option that the webapp addresses out-of-the-box?
>
I don't think disabling this completely has come up; however, there is a
PR in progress, along with a Jira issue, to notify users when someone joins
and leaves the connection, so at least there is a visual cue for users that
there is someone else on that connection.

-Nick


Re: Compile on Ubuntu 22.04 => openssl

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 12:19 PM Alejandro Hernandez 
wrote:

> Hello everyone,
>
>
> Thanks for the update Mike!
>
>
> Something I don't have clear, probably because my lack of experience with
> the git:
>
>
> If I download the server from the "official" Guacamole site:
>
>
> https://guacamole.apache.org/releases/1.4.0/
>
>
> That's the version that has the mentioned problems, so instead I should
> download from the git:
>
>
> https://github.com/apache/guacamole-server
>
>
> Why the download link isn't updated on the main site? The git still a work
> in progress / beta version that may have some other issues???
>
>
Correct, this is the in-progress/development version, not a release, so we
do not link it on the site as a release.

-Nick

>


Re: Apache Guacamole html page edit

2022-06-01 Thread Nick Couchman
On Wed, Jun 1, 2022 at 10:47 AM Suat Toksöz  wrote:

> Also, I am not able to find the file location on apache guacamole source
> code.
>
> https://dlcdn.apache.org/guacamole/1.4.0/source/
>
>
That's the guacamole-server (guacd) source code - the code for the web
interface is in the guacamole-client source code. For the connection
history and active sessions, the code is specifically, here:

https://github.com/apache/guacamole-client/tree/master/guacamole/src/main/frontend/src/app/settings/templates

Please note those are the HTML templates that are used by AngularJS to fill
in the data. So, whatever modifications you want to do will likely need to
be a combination of edits to those HTML templates as well as the AngularJS
files that actually populate data.

-Nick

>


Re: Guacamole re-connection attempts never stop... they should?

2022-05-31 Thread Nick Couchman
On Tue, May 31, 2022 at 4:56 PM ralph strebbing 
wrote:

> On Tue, May 31, 2022, 4:44 PM Lee Doughty 
> wrote:
>
>> Hello Guacamole Community,
>>
>> I tried asking this a few weeks ago, but it looks like there was not a
>> lot of traction on this idea.. but I wanted to try one more time before I
>> gave up on it.
>>
>> I think it would be a great feature to stop auto-reconnect attempts that
>> are simply not connecting after several dozen attempts. I've seen in our
>> logs that some users hit the "Reconnect" button or otherwise get into a
>> reconnect loop, then leave the tab open for hours *or days*. This
>> results in our guacamole server getting a ping every minute or so from a
>> user trying to connect to a VM that is not available, and they just leave
>> it retrying over and over again.
>>
>> It would be nice to at least require user interaction to resume the
>> connection attempts... So users have to return to the tab every N attempts
>> to restart the countdown, instead of the current never-ending loop... I'm
>> not suggesting any value for N... because any reasonable value would be
>> nice over infinite. My record was somewhere in the ballpark of 7,000
>> attempts (5 days) before the user was kind enough to close the tab and stop
>> poking our Guacamole server.
>>
>> Is this something that can make it into an upcoming Guacamole release?
>>
>
> This is also something that would be nice as a "per-device" or a per guacd
> config value to adjust (or a default value if not set).
>
>
Today Guacamole attempts to handle this based on the reason for the
disconnect. If the disconnect is detected to be a "normal" disconnect (user
logs off or disconnects from inside a RDP session, for example), Guacamole
should not automatically attempt to reconnect. If the disconnect is
unexpected - network drops, mainly - Guacamole will reconnect.

That said, I think it would be useful to have an option where you could
disable the auto-reconnect, or set a limit on the number of reconnect
attempts, on a per-connection basis.

Seems related to this particular Jira issue:
https://issues.apache.org/jira/browse/GUACAMOLE-1126

-Nick

>


Re: Apache Guacamole html page edit

2022-05-31 Thread Nick Couchman
On Tue, May 31, 2022 at 10:13 AM Suat Toksöz  wrote:

> Hi,
>
> I would like to edit apache guacamole admin web site, where I can find the
> html tags?
>
>
If you want to edit the admin site, you should edit the source code and
rebuild it, and not edit the pages directly. As the site is hosted by
Tomcat, the static pages are deployed from the WAR file, which can be
re-deployed at any time and will overwrite any changes you make.

To edit the source code, you can either edit the source directly and
rebuild the war, or you can build an extension module that modifies the
HTML code dynamically. The second option is the recommended route.

To edit the source code directly, you need to download the source code and
then find the location that you want to edit in the
guacamole/src/main/frontend/src/app directory.

If you want to build an extension that modifies the HTML, see the following
manual page, and the following branding example:
https://guacamole.apache.org/doc/gug/guacamole-ext.html#updating-existing-html
https://github.com/apache/guacamole-client/tree/master/doc/guacamole-branding-example

Feel free to post back here with any further questions or concerns.

-Nick

>


Re: upgrade from 0.8.4 ubuntu

2022-05-29 Thread Nick Couchman
On Sun, May 29, 2022 at 2:59 AM Cristian Nuzzo  wrote:

> I'm not sure about the database, probably not.
>
You mentioned you would like to "keep my configuration" - I don't know how
you have it configured. If it's not in a database it's probably in the
user-mapping.xml file, which you can make a copy of and use with a new
version. That said, this file is really only meant as a means of testing
that Guacamole Client is functional, and isn't intended for serious use.


> The question was how to upgrade to a new version.
>
> I tried apt-get upgrade in ubuntu, but guacamole is still old.
>
The Guacamole project does not maintain distribution-specific packages, and
it sounds like the Debian/Ubuntu ones aren't really maintained anymore, if
you're unable to upgrade past 0.8.4.

> Is there an update script somewhere?
>

No, but there's a manual:
https://guacamole.apache.org/doc/gug/

It contains install instructions, either native on a Linux system or via
Docker containers.

> Can I use it with my current version?
>
> Do guacamole need a database in the most recent versions?
>
It needs some method of storing connection configurations, and, as I
mentioned, user-mapping.xml isn't really intended to be used beyond
verifying that Guacamole functions correctly. If you want user/group
management, connection management within the GUI, etc., you'll need a
database.

-Nick

>


Re: upgrade from 0.8.4 ubuntu

2022-05-28 Thread Nick Couchman
On Sat, May 28, 2022 at 05:39 Cristian Nuzzo  wrote:

> Hi everybody and thanks for your great job,
>
> I'm using guacamole on a small ubuntu server.
>
> I'd like to upgrade from 0.8.4 version (I installed a lot of years ago)
> and I would like to keep my configuration.
>
> Is there an easy way?


Wow, that is quite an old version. Yes, you can keep your configuration,
but if you're using a database you will need to go through each of the SQL
scripts for upgrading from one version to the next. This is described in
the manual:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#upgrading-an-existing-guacamole-database

-Nick


Re: User with access to only Active Sessions and History

2022-05-28 Thread Nick Couchman
On Sat, May 28, 2022 at 01:15 Tushar Jain  wrote:

> Hi,
>
> Did a bit of digging- currently, it seems only the administrator has
> access to view "History" tab.  But i do not want to give admin access to
> the users, since I do not want them to create users, connections, etc.
>
> Active Sessions (the tab) is visible to normal users, but they don't see
> any session, even though they have access to respective connections.
>
> Am i missing anything here? I basically want to create a non-admin user
> who has access to "Active Sessions" and "History" tabs. There isn't much
> documentation also that i could find around this.
>


No, you're not missing anything - currently administrative users are the
only ones that can see either historical or active sessions for users other
than themselves.

There is a Jira issue and a pull request for adding support for an "Audit"
privilege, which would add what you're looking for (at least partially),
but it hasn't been reviewed and there is no planned release for inclusion.

https://github.com/apache/guacamole-client/pull/619
https://issues.apache.org/jira/browse/GUACAMOLE-538


-Nick


Re: Guacamole+fail2ban

2022-05-26 Thread Nick Couchman
On Wed, May 25, 2022 at 2:24 AM Golota S.V. 
wrote:

> the author recommends changing the logback.xml file "
> https://github.com/crazy-max/docker-fail2ban/tree/master/examples/jails/guacamole;
>
> and output the log file from the container for fail2ban processing, but I
> couldn’t do it, I don’t have enough rights, the guacamole container starts
> without root rights
>
You'll have to set ownership on the directory to a user/group that has the
correct access. Running as a non-root user is the right way to run it, but
it may mean making some other adjustments to allow access to the files.

-Nick

>


Re: Guacamole Upgrade from 1.2 to 1.4

2022-05-26 Thread Nick Couchman
On Thu, May 26, 2022 at 12:06 PM Tushar Jain  wrote:

> My bad I took the latest code from the master branch, instead of
> tagged (1.4.0) code. The 1.4.0 code compiles fine
>
>
The code in master should also compile without issue.

-Nick

>


Re: Setting up HTTP header authentication

2022-05-24 Thread Nick Couchman
On Tue, May 24, 2022 at 6:31 AM Dmitry Katsubo 
wrote:

> I have analysed the code and I see that most of the classes (e.g. those
> needed to parse XML) are located in guacamole module, which probably
> cannot be used as dependency for an extension. So it looks that about 5
> classes are to be copied as is to "new extension" module. Does not smell
> good in terms of code reusability.
>

You should use guacamole-ext as the dependency for the module, plus
whatever individual dependencies you need. If you have to add other
dependencies, that's fine - I think if you were to examine the pom.xml
files across the project you'd see that there are some dependencies that
are duplicated. Is it the maximumly-efficient way to go? Maybe not;
however, it allows the extensions to be pluggable/interchangeable, and for
the framework of Guacamole to be re-used for other things. It's a
trade-off, and sometimes absolute efficiency is sacrificed for
compatibility, ease of reuse, etc.

> I am OK that the changes I suggest do not fit the common perception about
> how API should be organized. For me it is more logical to keep 10 lines of
> code patch that perfectly fits my needs rather than re-invent the extension
> that will be a copy-paste of existing code with no added value. At the end
> of the day that what OpenSource is about.
>
You're certainly welcome to modify the code you have to fit how you want to
do it - I would say _that_ is at least one of the things that Open Source
is about. As a project, our goals may be different from your individual
use-case, and that's okay - you have the source code, you can modify it as
you see fit. However, the changes that you've suggested are not ones that
we're willing to incorporate into the main code base for the project as
they stand today, for the reasons already mentioned.

-Nick

>


Re: Access to Guacamole with OpenVPN (behind the Firewall)

2022-05-23 Thread Nick Couchman
On Mon, May 23, 2022 at 11:56 AM Dark Corner 
wrote:

> Thanks for the reply.
> I did not understand your suggestion.
> Do you mean that in the firewall I have to direct the 80/443 traffic
> towards the PC of Guacamole?
>

Yes.


> What if there is a web server on the network? There isn't, but it could be
> activated in the near future. In this case I would have to change the ports
> on Guacamole and tell users that they must use the port in the URL.
> Then I have to consider that the IP is dynamic and therefore I still have
> to use a DDNS.
>

If you don't have a dedicated public IP, or a dedicated public IP per
system that you want to serve content from, then, yes, you'll need
Dynamic DNS. However, if you're considering placing a web server on the
network that serves content to the Internet then I would just make sure to
architect things in a way that factors in both requirements. You could go
ahead and stand up a single web server that is Internet-facing and use that
to Reverse Proxy all of your required applications. You can configure the
web server to forward the /guacamole path and everything under it to your
Guacamole server, and if you have other applications do the same. We have
instructions in the Guacamole Manual for proxying Guacamole:

https://guacamole.apache.org/doc/gug/reverse-proxy.html

Keep in mind, though, that if the proxy lives on a different server than
Tomcat running Guacamole you may want/need to take additional steps to
encrypt the traffic between the proxy and Tomcat (configure Tomcat with SSL
support and make sure the reverse proxy trusts the Tomcat certificate). So,
the setup may be slightly more complex than what is described in the
manual, but it should be doable.

-Nick


Re: Setting up HTTP header authentication

2022-05-19 Thread Nick Couchman
On Thu, May 19, 2022 at 10:52 AM Dmitry Katsubo 
wrote:

> On 2022-05-19 01:44, Michael Jumper wrote:
>
> On Mon, May 16, 2022 at 12:23 PM Dmitry Katsubo 
>  wrote:
>
>> Dear Guacamole users,
>> Dear Nick,
>>
>> Sorry I decided to resurrect the 4-years old challenge. I have rebased my
>> changes on the latest codebase. Not so many changes are required to allow
>> the user authenticated via auth-header extension to be provided
>> authentication information / connection settings from user-mapping.xml.
>> Without the changes the settings are not picked up from user-mapping.xml.
>>
>
> Is there a specific reason that you cannot use the database? It's intended
> for what you describe, intended for production use, and will work with
> header auth.
>
> I think that database is overkill for systems that have a couple of users
> (e.g. remote admins). Files are easier to maintain and backup, as all
> Guacamole configuration is basically located in one place. Also imagine the
> situation when database is down and could be fixed with help of Guacamole
> unless it is running on the top of that very database.
>
> Please check my commit b0aa658
>> .
>> If that is OK, then I would provide few unit tests for it. Otherwise let me
>> know what is missing, preferably in terms so that I can implement a test.
>>
>
> Looking at your commit, I see that one of the primary changes here is
> changing the prototype and visibility of the getAuthorizedConfigurations()
> function. This will break API and ABI compatibility, and I do not think we
> should do this.
>
> You mean that there are classes that extend SimpleAuthenticationProvider
> which are outside Guacamole git? Could be of course, however their
> adaptation will be trivial.
>

Yes, but the point is that Guacamole is designed to provide not just a
framework for itself, but one that people can build upon. With that in
mind, API/ABI changes need to be very carefully considered, and also need
to be made to be as backward-compatible as possible. In the past we've done
things like deprecate methods or classes, but they remain available in the
deprecated state for many releases before they are finally removed
completely. The changes need to be made in such a way that they don't
automatically break things for people who may be using/extending these
classes, and that they have the option of continuing to use them in the way
they are written while they change their code to the new way, but are
warned that support for it may be removed/changed at some point in the
future.


> For the built-in support for user-mapping.xml to be able to accept the
> authentication results of other installed extensions, it will need to be
> modified to use the less-simple API and implement AuthenticationProvider
> and UserContext (rather than use SimpleAuthenticationProvider).
>
> I think that should be possible. AuthenticationProvider is already
> implemented, probably not the proper way (if so, what is missing?). As for
> UserContext I am not sure: none of the providers I've checked implement
> this interface. Maybe you mean that SimpleUserContext should implement
> that interface in a proper way (again what exactly is missing)?
>

It is definitely possible, just needs to be done. I would also say it's
worth considering leaving the existing user-mapping.xml authentication
mechanism as-is and just implementing a different file-based one. It could
be XML, or YAML, or JSON (or provide methods for reading any/all of those
file types), and would be another extension in the "extensions/" folder.


> With user-mapping.xml really being intended for testing only, and with
> these changes aimed at allowing user-mapping.xml to be used in a more
> complex configuration aimed at production use, I think these changes really
> would need to be coupled with a move to a user-mapping variant that *is*
> intended for production (proper salted hashes for passwords instead of
> intentionally-simplified-for-testing hashes, the ability to define a
> user/connection association that requires auth from some other extension
> and otherwise has no password, etc.).
>
> I think there are two things here mixed. The password which is used to
> authenticate the user against Guacamole is of course salted hashed and
> stored in guacamole_user SQL table. However in the setup I have the user
> is already authenticated by the front Web server, hence the password is
> null. There is nothing to salt or hash. On the other side the password
> stored in guacamole_connection_attribute table I believe is saved in
> plaintext, right? In this respect I don't see what else can be improved in
> user-mapping.xml which is basically another representation of the data in
> SQL database.
>

What you're asking for is a way to simply store connections in a file and
delegate the authentication elsewhere - the point is that the changes
you've made to the built-in test 

Re: New protocol 'http/https'

2022-05-19 Thread Nick Couchman
On Thu, May 19, 2022 at 3:48 AM Lionel PRAT  wrote:

> Hi,
>
> I'm looking for a solution to use guacamole to limit access to certain web
> administration interfaces (firewall, vmware, ...).
>
> I had thought of using a chrome in VNC but I find this solution too
> dangerous.
> The best solution would surely be to develop a connector for the
> 'http/https' protocol (perhaps starting from the existing code in the
> connector
> https://github.com/apache/guacamole-server/tree/master/src/protocols/
>  kubernetes).
> Has anyone had this problem before and if so, how did you resolve it?
>
>
This has come up several times, and, to date, we have not really seriously
entertained the idea and have kind of pushed back against it. The
conversation in the past has been that Guacamole has been targeted toward
remote desktop protocols, and HTTP/HTTPS are not remote desktop protocols.
Furthermore, there are plenty of solutions out there to proxy/reverse-proxy
HTTP and HTTPS pages, and those could be used in place of Guacamole. We may
be shifting a bit on this, but, today, it isn't possible to use HTTP/HTTPS
through guacd.

Several alternatives have been offered that continue to use Guacamole - for
example, you can set up a remote server running RDP or VNC and create a
remote connection to that server, and you can even have the remote
connection open only a web browser, and you could even do it in Kiosk mode
with either Firefox or Chrome to prevent users from using it for other web
pages.

Beyond that, adding HTTP/HTTPS support is possible, but I would not say
it's all that straight-forward. We've had some conversations about how it
could be done, and it seems like we would need to use some sort of back-end
rendering engine that guacd could interface with (there are a couple of
good ones out there) and then write the logic to translate between the
rendering engine and the Guacamole protocol. Definitely possible, just not
easy. And I'm not sure the Kubernetes protocol is a great place to start -
it's text-only, similar to Telnet and SSH, whereas the HTTP/HTTPS protocol
is going to need to be graphics-based, more along the lines of VNC or RDP.

-Nick

>


Re: Update French translations

2022-05-19 Thread Nick Couchman
On Thu, May 19, 2022 at 5:19 AM Antoine Besnier
 wrote:

> Hi,
>
> I wanted to update the French translations, as they have not been
> corrected for a long time, and some sections have not been translated at
> all.
> Would the issue GUACAMOLE-1159 (
> https://issues.apache.org/jira/browse/GUACAMOLE-1159?jql=project%20%3D%20GUACAMOLE%20AND%20text%20~%20french),
> which is closed, be suitable if I submit a PR, or would I have to open a
> new issue?
>
>
Antoine,
We always welcome help with making the translations more complete and
accurate. You'll want to open a new Jira issue and commit against that -
don't use the closed one.

Thanks, looking forward to seeing the pull request!

-Nick


Re: Feature idea for guacamole

2022-05-19 Thread Nick Couchman
On Thu, May 19, 2022 at 6:12 AM Lee Doughty 
wrote:

> I was told this might be a good place to protist a feature idea to gauge
> interest before making a ticket.
>
> Would it be difficult to add a feature/option to fall back to user input
> on connections.. or to disable features that are unavailable if they are
> not available?
>
>
One of the design decisions we have intentionally made, particularly when
soliciting user input, is that user input is _never_ allowed to override
what an administrator has entered for the connection. Doing so could
present security risks that administrators may be intentionally trying to
guard against.


> When our users log in, we set up auto login RDP with file transfer support
> to try and make the users experience more friendly... However, this is
> fragile to users changing their password or, in the case of file transfer,
> modifying their authorized keys.
>
>
Allowing an RDP or VNC connection to continue even if SFTP fails has been
discussed in the past. I guess it doesn't tend to be an issue very often or
for very many people, because it doesn't come up often, but I think there's
already a Jira issue out there for it. The question really becomes, do you
want a half-working connection, where something is broken, or do you want
the connection to fail?

That said, we have some pending changes that allow guacd to deliver
messages back to the client, so maybe we could look into allowing this, but
warning the user that file transfer will not work because of a failure.

-Nick

>


Re: The "device redirection" feature in guacd-docker does not work since version 1.3.0

2022-05-18 Thread Nick Couchman
On Tue, May 17, 2022 at 9:44 PM Yukiya Hayashi 
wrote:

> Hello everyone, I have a question. I have listed this question in the
> following Jira and was directed to ask this ML.
> https://issues.apache.org/jira/browse/GUACAMOLE-1609
>
> 
>
> *Background*
>
>   I am running Guacamole with Docker and using the "device redirection"
> feature on a Windows Server.
> After upgrading Guacamole from version 1.1.0 to 1.4.0, the "device
> redirection" function no longer works.
>
> *What I investigated*
>I have isolated the problem and found that there was no problem up to
> version 1.2.0 and the problem started with version 1.3.0. The cause appears
> to be that the user used in the container was changed from root to guacd
> starting with version 1.3.0. The guacd process seems to create a directory
> with the name of the target host in / in order to use "device redirection".
> Up to version 1.2.0, the directory was created without any problem because
> it was started as root user. However, since version 1.3.0, the "device
> redirection" does not seem to work because the directory cannot be created
> under / for the guacd user.
>
> *Possible solutions*
>   I have the following two ideas, and I would like you to consider the
> latter approach if possible.
>
>- Make guacd startup user as root as it was up to version 1.2.0.
>- Change the path for the guacd process to create the "device
>redirection" directory to something appropriate (e.g. /tmp/ would be
>appropriate).
>
>
Yes, with the change to a non-root user, you will need to make sure that
your connection configurations specify a drive redirection location where
the user running guacd has access to the folder, and, if you want users to
be able to create folders and write files, the user will need write access.
I would not make guacd start up as the root user - we have very
deliberately changed the configuration such that guacd is more secure when
running under a non-root account. I also would not use /tmp - things have a
tendency to get deleted out of /tmp. While I do not generally run guacd in
Docker, on the systems where I run guacd I have a dedicated storage location
for the redirected folders, and I make sure the guacd user has read and
write access. The same could be accomplished within Docker by passing
through a folder/volume to the Docker container that the guacd user has
access to.

-Nick

>
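Added example (not part of the thread and not Guacamole project code): a shell audit of a directory intended as the RDP drive-path for a non-root guacd, following the points in the reply above. The finding labels, the `/srv/guacd-drive` path and the world-writable check are this example's own; run it as the user guacd runs as.

```shell
#!/bin/sh
# Audit a directory meant to be used as the RDP "drive-path" when guacd runs
# as an unprivileged user. Run it AS that user, for example inside the
# container:  docker exec <guacd-container> sh /path/to/this-script /drive
# where /drive is a host folder passed in with  -v /srv/guacd-drive:/drive
# (host path and mount point are placeholders chosen for this example).

# True if the path sits under a directory that is routinely cleaned.
is_volatile_path() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line for DIR; print nothing if it looks fine.
audit_drive_path() {
    dir=$1
    if is_volatile_path "$dir"; then
        echo "volatile: $dir is under a temp directory that gets cleaned"
    fi
    if [ ! -d "$dir" ]; then
        # A non-root guacd cannot create it under a root-owned parent such as /.
        echo "missing: $dir does not exist; create it and give the guacd user access"
        return 0
    fi
    # Resolve symlinks so a link that points into /tmp is caught as well.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || real=$dir
    if [ "$real" != "$dir" ] && is_volatile_path "$real"; then
        echo "volatile: $dir resolves to $real"
    fi
    # guacd needs read + search to list files and write to accept uploads.
    [ -r "$dir" ] && [ -x "$dir" ] || echo "no-read: current user cannot list $dir"
    [ -w "$dir" ] || echo "no-write: current user cannot create files in $dir"
    # Extra hardening check added by this example (not from the thread):
    # the 9th character of the ls mode string is the "other" write bit.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ????????w?) echo "world-writable: $dir ($mode); grant access to the guacd user only" ;;
    esac
}

if [ "$#" -gt 0 ]; then
    audit_drive_path "$1"
fi
```

An empty result means the current user can read and write the directory and none of the listed problems were found.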


Re: RDP drag and drop error messages

2022-05-11 Thread Nick Couchman
On Wed, May 11, 2022 at 1:36 PM Adrian Owen  wrote:

> Hi Nick,
>
> > When you say "drag and drop"?
>
> These connection properties:
> enable-drive
> drive-path
> create-drive-path
>
> I checked directory permissions on server- guacd process user is also
> owner of directory and group owner and world RW is set.
>
>
Then perhaps SELinux or AppArmor is interfering? Or if the folder isn't
local (NFS or SMB share) there is still something preventing files/folders
from being opened/read/written?


>
> When you run rdp drag and drop, do you see same errors in daemon log?
>
>
No, I do not see errors when I enable or use drive redirection.

-Nick


Re: Guacamole guacadmin password reset

2022-05-11 Thread Nick Couchman
On Wed, May 11, 2022 at 12:55 AM Pradip Sawatkar <
sawatkarpradip...@gmail.com> wrote:

> Hi All,
>
> Unfortunately, I forgot the password of the guacadmin user, is there any way I can
> reset it? I have reset the default password, but forgot to note it down.
>
> If any one of you know the method of resetting password, please share.
>
>
You can grab the SQL file for adding the guacadmin user to the database and
either change the username in the file to add a new user to the database,
or grab the value and update the database entry with that value, which is
"guacadmin".

-Nick

>


Re: REST API authentication with TOTP extension

2022-05-11 Thread Nick Couchman
On Wed, May 11, 2022 at 4:00 AM MAURIZI Lorenzo 
wrote:

> Thank you Mike for pointing out that I can see API requests with dev tools
> of the browser.
>
> And, after working a little with curl, oathtool, jq etc, I can login
> correctly into Guacamole API. I don’t know why it didn’t work with SOAPUI.
>
>
>

It's possible it has something to do with the format of the body being
sent to the API endpoint - that is, raw vs form, etc.

-Nick

>


Re: RDP drag and drop error messages

2022-05-11 Thread Nick Couchman
On Wed, May 11, 2022 at 5:25 AM Adrian Owen  wrote:

> Hi, RDP drag and drop works great. (Guacamole 1.2 on Debian)
>
>
When you say "drag and drop", what do you mean?


> But daemon log file show errors:
>
> May 11 10:04:29 guac-124 guacd[1543]: File open refused (-2):
> "\desktop.ini"
> May 11 10:04:29 guac-124 guacd-eesm[473]: guacd[1543]: ERROR:#011File open
> refused (-2): "\desktop.ini"
> May 11 10:04:29 guac-124 guacd[1543]: File open refused (-2):
> "\SocketTest.exe.Config"
>

This looks like guacd doesn't have read and/or write access to the location
specified for the redirected folder, or at least for some of the files in
that folder. Make sure the user running guacd has the correct privileges.

-Nick


Re: Native Guacamole Server Windows?

2022-05-11 Thread Nick Couchman


On Wed, May 11, 2022 at 6:13 AM Mark Jones 
wrote:

> Hi
>
>
>
> I was wondering if it is possible to compile Guacamole Server Windows
> using windows so that I have ability to host Guacamole natively on Windows
> rather than through a docker image.
>
>
>
> I’m interested mainly the ability to connect to machines using VNC and RDP
> protocols.
>
>
>
> I’m unsure if this has already been achieved somewhere and is so could
> point me in the right direction?
>
>
I do not know of a way. I know there are hooks in libguac for winsock, but
I don't think it will just compile on Windows. I think your only other
option aside from running Docker is to try to use the Cygwin framework to
build it - this is as close to native as you'll get. Aside from guacd itself,
which, on its own, might be compatible, there are several
dependencies that you'd have to make available on Windows in order to
compile it - things like cairo, libjpeg, libpng, uuid, etc. If you want to
support VNC the only library that is currently supported is libvnc, so
you'll need that on Windows. Also, the only RDP libraries that are
currently supported by guacd are FreeRDP (as opposed to native Windows RDP
libraries), so you'd need that on Windows, as well.

So, in summary, 1) I doubt it would actually compile, and 2) even if it
did, you'd have many dependencies to compile, first.

-Nick

>


Re: Installing ffmeg-devel and tomcat

2022-05-09 Thread Nick Couchman
On Mon, May 9, 2022 at 2:36 PM Devine, Harry (FAA)
 wrote:

> I am, and there are 4, and all 4 are http, not https.  In fact, all of the
> mirrors (including other countries) are http only.  Strange that in 2022
> these mirrors aren’t https.
>
>
Okay, but this project/community doesn't control those mirrors, so, if you
need HTTPS, you'll have to reach out to the maintainers of those pages. I
don't have any inside information - I'm looking at exactly the same thing
you are looking at.

-Nick

>


Re: Installing ffmeg-devel and tomcat

2022-05-09 Thread Nick Couchman
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA)
 wrote:

> Are there any that are https?  We aren’t allowed to contact http-only
> sites either.
>
>
I don't know - you'll have to look at the mirror pages and see.

-Nick

>


Re: Installing ffmeg-devel and tomcat

2022-05-09 Thread Nick Couchman
On Mon, May 9, 2022 at 2:00 PM Devine, Harry (FAA)
 wrote:

> OK, good news and bad news:  I was able to update my Ansible Playbook to
> grab the RPM Fusion free & non-free RPM from a US mirror.  The bad news is
> that once that gets installed, it creates a repo file under
> /etc/yum.repos.d that has the following for its mirrorlist:
>
>
>
> mirrorlist=
> http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8=$basearch
>
>
>
> The issue with this in our case is that the mirror goes out to Canada and
> Germany, which we block as per our government security requirements.
> Absolutely NO non-US repositories are allowed with NO exceptions.  If we
> can’t contact a US repository to install the necessary packages, we will
> have to abandon Guacamole and look for other alternatives.
>
>
>
> Is there a mirrorlist or baseurl that does the package installation that
> we can guarantee is a US repository?  I’m OK with having our own maintained
> repo file that we push out to a system for Guacamole installation, I just
> need to find a URL that’s US only.
>
>
>

Yes, if you go to the pages I sent you before - for example, the RPMFusion
mirror list, and you filter for the one you're interested in (RPMFusion
Free for EL -> 8 -> x86_64, for example), and scroll to the bottom, you'll
see US mirrors. Just change the "baseurl" line to one of those - for
example:

http://mirrors.ocf.berkeley.edu/rpmfusion/free/el/updates/8/x86_64/

(rpmfusion free -> el -> 8 -> x86_64). That particular one is based in
Berkeley, CA.

-Nick

>


Re: SSL Handshake to Guacd randomly failing

2022-05-06 Thread Nick Couchman
On Fri, Apr 8, 2022 at 2:10 AM Tom Lawson  wrote:

> Thanks Ivanmarcus, I’ll take a look.
>
> Regards auto-updates, nothing is able to automatically update itself
> already.
>
> The containers run in a Debian 11 minimal VM and are launched via a
> docker-compose file. Config for both guacamole and guacd are bind mounted
> to the containers so that the configs are stored externally to the
> container, and an external MySQL database stores the data, with
> authentication being done externally with an IDP using OIDC extension.
>
> The odd part is that even turning SSL off doesn’t work, and rolling back
> to known working versions makes no difference.


The errors that you're seeing almost look like something is causing
problems in the conversation between the end client and guacd, somewhere
along the way. The fact that guacd is reporting protocol issues indicates
that something is disrupting the protocol stream - could be security
software of some sort or just a very unreliable network connection. The
message from Tomcat about the SSL error isn't necessarily about Tomcat <->
guacd communication, it could be browser -> Tomcat. Might just take a look
at the entire end-to-end connection and make sure there's no indication of
lost/missing/mangled packets along the way.

Keep in mind that, while Tomcat does help with some of the setup and
redirection of the tunnel to guacd, ultimately the tunnel is between the
web application running in the user's web browser and guacd.

-Nick


Re: Installing ffmeg-devel and tomcat

2022-05-06 Thread Nick Couchman
I would check out these pages:

http://mirrors.rpmfusion.org/mm/publiclist/
https://admin.fedoraproject.org/mirrormanager/mirrors/EPEL

I think you can locate by country on those, so you should be able to force
to a US-based mirror.

-Nick

On Fri, May 6, 2022 at 2:40 PM Devine, Harry (FAA)
 wrote:

> Are there any repositories for Guacamole that install ffmpeg-devel and
> tomcat that are United States only?  We’ve had to tighten up our firewalls
> and we are not permitted to access non-US repositories.  So we can no
> longer install new Guacamole instances because the install process is
> having us install EPEL and RPMFusion RPMs, and those seem to be going to
> Denmark and Canada.
>
>
>
> Thanks,
>
> Harry
>
>
>
> Harry Devine
>
> Secure-OSE System Administrator
>
> Red Hat Certified System Administrator (RHCSA)
>
> Work: (609) 485-4218
>
> FAA Cell:  (609) 612-7274
>
> Home Office/Telework: (609) 547-3579
>
>
>


Re: FIDO2 on Apache Guacamole

2022-05-06 Thread Nick Couchman
On Fri, May 6, 2022 at 3:06 AM Don Eugene Paul Viado
 wrote:

> Hello,
>
> Good Day.
> Is there any roadmap to have FIDO2 (webauthn) on Guacamole?  I just tried
> on Nextcloud and it seems to work seamlessly and wondering if this can also
> be used for passwordless login?
>
>
It's not something that has been requested in the past, but I don't know
off the top of my head any reason why it couldn't be added. You're welcome
to open a feature request on our Jira page:

https://issues.apache.org/jira/browse/GUACAMOLE

-Nick


Re: SSH failed: no matching host key type found

2022-05-05 Thread Nick Couchman
On Thu, May 5, 2022 at 6:54 PM Michael Jumper  wrote:

> On Sun, May 1, 2022 at 12:36 AM Yang Yang 
> wrote:
>
>> Hi Nick,
>>
>> I found that only ssh-rsa and ssh-dss are mentioned in ssh_agent.c
>> ,
>> does that mean other algorithms are currently not supported?
>>
>
> No, ssh_agent.c only deals with SSH agent forwarding support which is not
> in play here. For authentication with an SSH server, any key format
> supported by the libssh2 library present on the system can be used.
>
>
Also, if you're using Ubuntu with libssh2 1.8.0, you probably don't have
support for some of the host key algorithms. According to their change log,
1.9.0 introduced support for ECDSA and ED25519 key support, so you'll
probably need to bump up the version of libssh2. It's pretty easy to build
manually, so shouldn't be too difficult, or find a distribution that
includes it by default.

-Nick


Re: File Encryption for RDP Redirected Folders

2022-05-04 Thread Nick Couchman
On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg 
wrote:

> Hello Nick & Gabriel,
>
> before thinking about encryption, what is the user and authorization
> concept for that share? Can every user see and change all other users
> files? Or are the paths somehow distinct for all users, disallowing
> sharing? The doc only states, the guacd process needs to be able to
> read/write the directory, nothing else.
>

It's important to understand that the access to the redirected folder is
done by the user running guacd. So, if you point all users to the same
exact folder in the redirection, everyone will have access to all of the
files. This can be mitigated in a couple of ways:
* Use tokens in Guacamole to point users to their own folders -
for example, the path in the redirection could be
/files/guacamole/${GUAC_USERNAME}, which means each user logging into
Guacamole (not necessarily the remote system) will have their own folder.
* Instead of using folder redirection, use SSH on a server with Samba
installed, so you can transparently share that folder both with the remote
system (via SMB) and with the Guacamole browser (via SSH).


> In fact I never enabled that drive, because I never understood and thus
> referred my users to using standard shares that support ACLs (and all the
> shares are ultimately protected by Bitlocker, as is my Guacamole setup as
> it runs on Hyper-V).
>

Yes, folder redirection is different than a file share.


>
>
> Thanks for your answer Nick!
>
> It's not so clear to me how this can be implemented only on the remote
> server side since files are uploaded by Guacamole without any involvement
> of the remote server, unless it somehow monitors the folder and each time a
> new file is created it encrypts it immediately.
>
> I will look into it, thanks!
>

Yeah, you're correct about that - it wouldn't work for the remote access
from Guacamole (the browser) to the remote server. So, there'd have to be
some additional work (coding) done to make it work for both the remote
system (server via RDP) and the web browser.

-Nick


Re: Custom script after LDAP or CAS authentication

2022-05-03 Thread Nick Couchman
On Sun, May 1, 2022 at 7:39 AM Yves Auffret  wrote:

> Hi there,
>
> I would like to use Guacamole with LDAP or CAS authentication with +1000
> users, and I need to give a unique virtual machine (VM) per user.
>
> After the Guacamole LDAP or CAS authentication, the idea is to create on
> the fly a virtual machine (VM) for the user if the VM does not already
> exist for this user or wake up the VM if it already exists.
>
> In other words, I would like to know if it is possible to run a custom
> script after the LDAP or CAS authentication while recovering at least the
> user id in the script?
>
>
There's currently no built-in way to do this; however, the authentication
extension system in Guacamole is designed to be fairly extensible, and
could easily be implemented in an extension that would either run a script
upon login, or the logic to identify and start VMs could be written in the
extension directly in Java.

-Nick

>


Re: File Encryption for RDP Redirected Folders

2022-05-03 Thread Nick Couchman
On Tue, May 3, 2022 at 3:50 PM gabriel sztejnworcel 
wrote:

> Hi,
>
> Was there ever a discussion or suggestion to implement encryption for
> files transferred in RDP sessions through redirected folders? So that if
> someone gets access to the Guacamole server, they won't be able to get
> these files, which might contain sensitive information.
> I thought of creating a key for each session, when the file is uploaded -
> use the key to encrypt it. When the file is read from within the RDP
> session - decrypt the requested portion. The encryption itself might be
> challenging as it needs to be in parts.
>
> For download - maybe it's possible to stream the file to Guacamole client
> immediately and not store it on disk instead of encrypting it.
>
> Wondering if someone ever tried it or if someone else thinks it's useful.
>
>
Well, you could do this entirely on the remote desktop side and it
shouldn't be a problem, you'd just have to install some sort of encryption
software that encrypts the files before they land on the redirected folder.
The redirected folder is really just an internal file share presented by
the RDP client (\\tsclient\share), so you just need some way to enable,
encourage, and/or enforce encryption on the RDS host. It's been a little
while since I messed around with client encryption software, but back in
the day there were Open Source items like TrueCrypt and VeraCrypt that
could do this cross-platform, and I know there are also commercial
solutions. While this method is somewhat disruptive - it means additional
software/steps for the user - it is the most secure, as it allows for
encryption on a per-user basis, which means that no one, not even the root
user of the guacd server, can decrypt the files.

Beyond that I suppose guacd could be extended to support transparent
encryption of the files as they land; however, this would mean that the
encryption keys for the files would be stored on the guacd server, so if
someone compromised that server, they could still get access to the files
and decrypt them. I think some filesystems - like ZFS - support transparent
at-rest encryption and can manage access to keys, use hardware keys, etc.,
so there may be some possibilities, there, as well. This is a bit out of my
areas of experience/expertise, though.

-Nick


Re: SSH failed: no matching host key type found

2022-04-30 Thread Nick Couchman
On Sat, Apr 30, 2022 at 12:14 PM Yang Yang 
wrote:

> Hi Nick,
>
> Thank you very much for the prompt response!
>
> Guacamole/guacd is running on Ubuntu 20.04.4 LTS docker,
> with libssh2.so.1.0.1.
>

This doesn't really tell the overall version of libssh2 - the version of
the dynamic library doesn't usually match up to the package version.

-Nick


Re: SSH failed: no matching host key type found

2022-04-30 Thread Nick Couchman
On Sat, Apr 30, 2022 at 12:02 PM Yang Yang 
wrote:

> Hello,
>
> I am using Guacamole 1.4.0 to connect a Ubuntu 22.04 machine with OpenSSH
> Server with username and password, all with default settings, but failed.
> The guacd log only tells “SSH handshake failed”, while /var/log/auth.log in
> the Ubuntu machine tells “Unable to negotiate with UBUNTU-ADDRESS port
> X: no matching host key type found. Their offer: ssh-rsa,ssh-dss
> [preauth]”.
>
>
> I can successfully connect to the Ubuntu machine after adding
> “HostKeyAlgorithms +ssh-rsa” to /etc/ssh/sshd_config in the Ubuntu machine,
> but is there anything I can do from Guacamole side? From the man page of
> sshd_config,
> ssh-rsa and ssh-dss are not included by default.
>
>
What platform is Guacamole running on, and, specifically, what version of
libssh2 is installed?

-Nick


Re: Re: Re: Upgrade to 1.4.0 partial failed

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 12:47 PM Henri Alves de Godoy <
henri.go...@fca.unicamp.br> wrote:

> Hi all !
>
> I've been working with network services for an IPv6-only Datacenter.
>
>
That's great.


> I know that sometimes we need to resolve things quickly for users. Tip:  I
> would insist on putting Tomcat on IPv6. We can no longer insist on
> continuing to be stuck in IPv4.
>
>
I don't insist on doing that, my company is still exclusively IPv4, with no
end to that in sight. There's no reason for me to not resolve it this way.
Obviously for you that's a different story, and that's great. It's
configurable, you have the flexibility to do what works in your environment.

-Nick


Re: Re: Re: Upgrade to 1.4.0 partial failed

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 10:57 AM Henri Alves de Godoy <
henri.go...@fca.unicamp.br> wrote:

> Hi Matti,
>
> If the service is working in IPv6, why do you want to go back? We need to
> think about an IPv6 network.
>
>
It's not working - guacd is listening on IPv6, but Tomcat is trying on
IPv4. The solution is either to switch guacd to IPv4 or Tomcat to IPv6 -
the former is easier to do. And, since it's all on localhost, on the
loopback interface, IPv4 vs. IPv6 doesn't really matter.

-Nick


Re: Re: Re: Upgrade to 1.4.0 partial failed

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 10:54 AM Matti Kaupenjohann <
matti.kaupenjoh...@fh-dortmund.de> wrote:

> I think you are my man.
>
> with `ss -tnlp` I see a line:
>
> LISTEN  0  5  [::1]:4822  [::]:*
>
> Also If look into the syslog guacd also states:
>
> Apr 29 14:34:30 terminal guacd[8285]: Guacamole proxy daemon (guacd)
> version 1.4.0 started
> Apr 29 14:34:30 terminal guacd[8285]: guacd[8285]: INFO:Guacamole
> proxy daemon (guacd) version 1.4.0 started
> Apr 29 14:34:30 terminal guacd[8285]: guacd[8285]: INFO:Listening
> on host ::1, port 4822
> Apr 29 14:34:30 terminal guacd[8285]: Listening on host ::1, port 4822
>
> It seems my service is running on ipv6. Where do I change it back to ipv4?
>
>
Add the following to /etc/guacamole/guacd.conf (create the file if it
doesn't exist) and restart guacd (systemctl restart guacd.service):

[server]
bind_host=127.0.0.1
bind_port=4822

-Nick

>


Re: Re: Upgrade to 1.4.0 partial failed

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 10:37 AM Matti Kaupenjohann <
matti.kaupenjoh...@fh-dortmund.de> wrote:

> My guacd.service is running with following status output:
>
> ```
>
> ● guacd.service - Guacamole Server
>Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
> preset: enabled)
>Active: active (running) since Fri 2022-04-29 14:34:30 CEST; 1h 49min
> ago
>  Docs: man:guacd(8)
>  Main PID: 8285 (guacd)
> Tasks: 1 (limit: 4915)
>Memory: 10.0M
>CGroup: /system.slice/guacd.service
>└─8285 /usr/local/sbin/guacd -f
>
> ```
>
> I just used the script as a guideline for upgrading my system.
>
> Where do I check which interface guacd is using?
>
>
"ss -tnlp" should show you processes listening on TCP ports - if you see
guacd listening on [::]:4822, then it's listening on IPv6. If you see it
listening on 127.0.0.1, it's on IPv4.

-Nick

>


Re: Upgrade to 1.4.0 partial failed

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 9:56 AM Matti Kaupenjohann <
matti.kaupenjoh...@fh-dortmund.de> wrote:

> Hello Together,
>
> I started to upgrade our guacamole instance by analyzing this upgrade
> script
> https://github.com/MysticRyuujin/guac-install/blob/main/guac-upgrade.sh.
> I needed to change a few things in the script since it was not compatible
> with our installation (Example: Our gucamole.war file is located at
> /var/lib/tomcat9/webapps/, we use ldap for auth and the guacd.service user
> is a different one than daemon).
>

This script is not supported by the Guacamole project - I'm not sure if
MysticRyuujin is on this mailing list, but you may want to try to contact
the owner of that Github repo directly if you need support on this.

>
> After all these minor patches the Application started as usual and I can
> login. Also ldap works fine. All my Connections are listed, all Users and
> all Groups.
>
> The only important thing which is not working: Using the connection. I
> always get for VNC, SSH the same message. But the weird thing my logs do
> not post a single try or error message. How should I troubleshoot without
> any information?
>
>
Make sure the guacd service is running and you see a guacd process. Also,
guacd is now capable of listening on both IPv4 and IPv6, so you'll need to
make sure that your guacd and Tomcat configurations point to the correct IP
version interface. Usually this is IPv4, so make sure guacd is listening on
the local IPv4 interface, and not on IPv6.

If you're not seeing any messages related to it at all then you need to
make sure you're looking at the correct log files. It looks like you're
using a Tomcat install that's packaged with a Linux distribution, so you'll
need to figure out where it logs things - either to /var/log/tomcat, or
maybe directly to syslog/journalctl.

-Nick

>


Re: LDAP Group membership mapping, LDAP+DATABASE

2022-04-29 Thread Nick Couchman
On Fri, Apr 29, 2022 at 6:22 AM Daniel Agostinho <
daniel.agosti...@fresenius-kabi.com> wrote:

> Hi,
>
>
>
> I’m trying to understand if it is possible, or I’m doing anything wrong
> with this.
>
>
>
> So, we already used LDAP+MySQL for users, it’s been working fine.
>
> Now, we are trying to map the group membership in the AD groups, to the
> groups inside Guacamole’s DB and groups.
>
>
>
> On the Settings/Group we already see the groups from AD, however, it seem
> that it cannot pick up the users inside of each group.
>
>
>

The settings page may not show the members of a group - the best way to
evaluate this is to assign privileges to some group within the database
extension and see if the users who are in that group receive the assigned
privileges.

-Nick

>


Re: Compile on Ubuntu 22.04 => openssl

2022-04-28 Thread Nick Couchman
On Thu, Apr 28, 2022 at 3:54 AM Gerd Hoerst  wrote:

> hi !
>
> is it possible to get the actual git client compiled like for v 1.4.0 ?
>
>
>
Yes, you might try a different version of the JDK - 8 works fine, I think
11 works, as well. Some of the other versions, like 17 or 18, may have
issues. Other than that it may just be an issue with how your distribution
sets up the JDK. But, in general, it compiles fine.

-Nick

>


Re: Compile on Ubuntu 22.04 => openssl

2022-04-27 Thread Nick Couchman
Make sure the javadoc command is in your normal PATH - you should be able
to execute "javadoc" from the command line.

On Wed, Apr 27, 2022 at 1:02 PM Gerd Hoerst  wrote:

> Hi !
>
> OK server compile now is OK but client complains
>
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs)
> on project guacamole-common: MavenReportException: Error while generating
> Javadoc: Unable to find javadoc command: The environment variable JAVA_HOME
> is not correctly set. -> [Help 1]
>
> but
>
> root@capri-2:~/develop/guacamole-client# echo $JAVA_HOME
> /usr/lib/jvm/default-java
>
> and
>
> root@capri-2:/usr/lib/jvm/default-java/bin# ls
> jaotc      java     javap  jdeprscan  jhsdb   jjs    jmod        jshell
> jstatd   rmic         serialver
> jar        javac    jcmd   jdeps      jimage  jlink  jps         jstack
> keytool  rmid         unpack200
> jarsigner  javadoc  jdb    jfr        jinfo   jmap   jrunscript  jstat
> pack200  rmiregistry
>
> Ciao Gerd
> On 27.04.2022 at 13:56, Nick Couchman wrote:
>
> On Wed, Apr 27, 2022 at 3:22 AM Gerd Hoerst  wrote:
>
>> Hi !
>>
>> is it fixed meanwhile in git ?
>>
> Yes, that's what Mike just said.
>
>
>> how can i download the archives from actual git ?
>>
> You can either use "git clone" to clone the repository, or you can go to
> the web page (https://github.com/apache/guacamole-server), where there is an
> option to download an archive toward the top of the page.
>
> -Nick
>
>>


Re: Compile on Ubuntu 22.04 => openssl

2022-04-27 Thread Nick Couchman
On Wed, Apr 27, 2022 at 3:22 AM Gerd Hoerst  wrote:

> Hi !
>
> is it fixed meanwhile in git ?
>
Yes, that's what Mike just said.


> how can i download the archives from actual git ?
>
You can either use "git clone" to clone the repository, or you can go to
the web page (https://github.com/apache/guacamole-server), where there is an
option to download an archive toward the top of the page.

-Nick

>


Re: guacd service does not start automatically.

2022-04-18 Thread Nick Couchman
On Mon, Apr 18, 2022 at 11:04 AM 박제형  wrote:

> It seems that the network is not detected normally in systemctl.
>
>
>
> */etc/init.d/guacd*
>
> ### BEGIN INIT INFO
>
> # Provides:  guacd
>
> # Required-Start:$network $syslog
>
> # Required-Stop: $network $syslog
>
> # Default-Start: 2 3 4 5
>
> # Default-Stop:  0 1 6
>
> # Short-Description: Guacamole proxy daemon
>
> # Description: The Guacamole proxy daemon, required to translate remote
> desktop protocols into the text-based Guacamole pro$
>
> ### END INIT INFO
>
>
If you have systemd/systemctl available, you should not be using
/etc/init.d/guacd. When you build guacd, make sure to use the ./configure
flags to enable systemd support (--with-systemd-dir=/etc/systemd/system,
for example), which will create and install the systemd unit file.

-Nick

>


Re: guacd service does not start automatically.

2022-04-18 Thread Nick Couchman
On Mon, Apr 18, 2022 at 6:28 AM 박제형  wrote:

> This is the result of trying this already.
>

Apr 17 23:05:47 raspberrypi guacd[481]: guacd[483]: ERROR:#011Unable to
bind socket to any addresses.

Apr 17 23:05:47 raspberrypi guacd[483]: Unable to bind socket to any
addresses.


It's possible that guacd is trying to start before networking completely
starts up on your device - the systemd file that's included should be
configured correctly to make it wait until networking is up, but if it
starts successfully after you log in and start it, but not at startup,
maybe this isn't the case.


Also, when you log in to start it manually, are you starting it as the same
user specified in the systemd unit file (daemon, by default), or as the
user you log in with?


-Nick

>


Re: guacd service does not start automatically.

2022-04-17 Thread Nick Couchman
On Sun, Apr 17, 2022 at 11:44 AM Sean Hulbert
 wrote:

> Run this command
>
>
> Type:
> 1.  systemctl enable guacd
> 2.  systemctl start guacd
>
>
You can also do it in one-shot:
systemctl enable --now guacd.service

-Nick

>


Re: Plan for guacamole client for Windows?

2022-04-14 Thread Nick Couchman
>
> Understand that guacamole is meant to be a clientless tool.  Since
> guacamole is meant to have a desktop experience, it doesn't seem to play
> well with specific OS (Windows) and keyboard shortcuts due to OS
> limitation.  Is there any plan to create a desktop client instead for
> Windows?  In that case, it will be more compelling to use guacamole for
> enterprise.  I am looking at something like the one Citrix, AWS Workspace
> does.  Thanks in advance.
>

No, there is currently no plan to create a client for Windows, or any other
platform. For a lot of the function keys you can get "better" behavior if
you create a Personal Web Application (PWA) out of the Guacamole web page.
In Chrome, this involves navigating to the web page, and then going to the
Settings Menu (three dots on the right-hand side of the browser) -> More
Tools -> Create Shortcut. Once you have the shortcut on your desktop and
you launch it, you'll get several more key presses that will not be
intercepted by the browser. Browsers have also started to implement a
keyboard lock API that may help with some of this, although initial tests
of that prove largely useless.

Beyond that, I think there have been attempts to port the Guacamole
front-end to some various NodeJS frameworks that allow it to run locally on
systems and may improve this experience. However, as a project, we have no
current plans to develop platform-specific clients, and at present I would
be opposed to such an effort. I've administered and used Citrix, Horizon,
and AWS Workspaces, along with Azure's WVD, and I much prefer an HTML,
browser-based experience, even if it means re-training myself to avoid some
of those shortcut keys that cause unwanted behavior. Just my opinion,
though.

-Nick


Re: I can't connect VNC and DRP

2022-04-14 Thread Nick Couchman
On Thu, Apr 14, 2022 at 10:41 AM 박제형  wrote:

> ssh connects successfully, but VNC and DRP don't connect.
>
> The following is the log when trying to connect to VNC.
>
>
>
> *system log*
>
> Apr 14 22:40:04 raspberrypi guacd[26140]: Connection
> "$e01e238e-a799-45e5-b809-1b627e39b99d" removed.
>
> Apr 14 22:46:10 raspberrypi guacd[26140]: Creating new client for protocol
> "vnc"
>
> Apr 14 22:46:10 raspberrypi guacd[26140]: Connection ID is
> "$3e3adf64-6fb9-45e7-a3f9-f136c7cbbf17"
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: Cursor rendering: local
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: User
> "@2d1cb845-621b-42ca-b77d-3800d20132ce" joined connection
> "$3e3adf64-6fb9-45e7-a3f9-f136c7cbbf17" (1 users now present)
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: ConnectClientToTcpAddr6: connect
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: ConnectToTcpAddr: connect
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: Unable to connect to VNC server
>
> Apr 14 22:46:10 raspberrypi guacd[27295]: Unable to connect to VNC server.
>

There's not really a lot to say besides what the log says - it cannot
locate or connect to the VNC server. Also, I'm not entirely sure, but it
looks like it's trying to connect to a server called "connect". If you're
using a custom-built Guacamole application, rather than the provided
Guacamole Client, you may be sending instructions incorrectly such that the
"connect" instruction is being delivered as one of the arguments for the
connection.

If you're using the stock Guacamole Client, then you just need to make sure
your connection parameters are configured correctly and that the system
running guacd can both resolve server names and actually connect to them.

-Nick

>


Re: Optimize internet data performance

2022-04-11 Thread Nick Couchman
On Mon, Apr 11, 2022 at 8:00 AM CanadaunoGmail  wrote:

> i understand, but i need to reduce data flow, with an external control
> degradation of image quality.
>
There are no parameters to adjust this.

-Nick

>


Re: Optimize internet data performance

2022-04-11 Thread Nick Couchman
On Mon, Apr 11, 2022 at 7:41 AM CanadaunoGmail  wrote:

> Are there any parameters to optimize speed/performance/data transfer
> over internet between html5 client and Guacamole server?
>
>
Guacamole does this internally - it makes decisions about the types of
images to send and frame rate based on a variety of factors, including the
performance of the connection between client and server.

-Nick


Re: Guacamole does not list users and groups from the active directory

2022-04-09 Thread Nick Couchman
On Thu, Apr 7, 2022 at 6:35 PM Estevão Costa  wrote:

> Perfect. We are using Postgres as database. How Can I set up that
> configuration properly?
>
> I created an account with the same username and password as the AD account
> in the Guacamole Admin panel but it doesn't work too. Looks like I'm doing
> something wrong.
>
>
Don't create the user with the same password as your AD password - for two
reasons. First, this will still bypass the LDAP module, as the JDBC module
will most likely be evaluated, first, and will succeed. Second, the
password will get out-of-sync, anyway, assuming you're enforcing password
rotation in AD, and there's no reason to try to keep them in-sync. Just set
a different/random password for the JDBC user, but make sure the username
is the same, and you should be good.

One other note - the username matching that Guacamole does is
case-sensitive - so, if you create a user in the JDBC module called
"John_Doe" but log in with your AD credentials using "john_doe", they are
considered different users.

-Nick

>


Re: Guacamole does not list users and groups from the active directory

2022-04-07 Thread Nick Couchman
On Thu, Apr 7, 2022 at 5:46 PM Estevão Costa  wrote:

> Hi
>
> We have a Guacamole instance deployed by docker and we have run into this
> problem:
> - We set up the Active Directory using env vars, including
> LDAP_SEARCH_BIND_DN and LDAP_SEARCH_BIND_PASSWORD and we are able to login
> into Guacamole with AD users. However, we can't see the AD users and groups
> in the Guacamole Admin Dashboard.
>
> So we can't assign connections to users because the users don't appear in
> the list.
>
> In the log, we don't see anything. No messages about it.
>
> Please, how can I solve it?
>
>
You need to log in as an LDAP (Active Directory) user to see the users in
LDAP/AD. This is because, except for the initial search for the user who is
logging in, access to LDAP/AD is done by the user who is logging in.

Practically speaking this means, that if you're using the JDBC module to
store connections, you'll need to either manually create a JDBC account for
one of your LDAP/AD users that you want to be an admin, or you'll need to
enable the DB auto-creation setting so that LDAP/AD users are automatically
added to the database upon successful login.

-Nick

>


Re: Connectivity Issue after upgrading Guacamole from 1.3 to 1.4

2022-03-30 Thread Nick Couchman
On Wed, Mar 30, 2022 at 1:21 AM Pradip Sawatkar 
wrote:

> Thanks for suggestion Nick, issue has been resolved by creating new
> directory freerdp in /usr/sbin/.config and changed ownership with
> daemon:daemon. And everything works fine.
>
> Now I have another issue. There is SSO between Moodle as SP and Okta as
> IdP. We are trying to use only one entity ID of Okta to redirect SAML users
> from Moodle to Apache Guacamole for Virtual Labs. But currently things are
> not working properly.
>
> Is there any way I can use one entity ID for two SPs, i.e. one is Moodle LMS
> and the second is Apache Guacamole?
>
>
I don't think you want to do this - I think you want separate entity IDs
for each service provider. While those two may live on the same server,
they should have different URLs, so you should be able to identify them by
their full URLs, including the path to each of them.

-Nick

>


Re: HTTP tunnel request failed

2022-03-30 Thread Nick Couchman
On Wed, Mar 30, 2022 at 5:40 AM Max  wrote:

> Hi:
>
> After a couple of days going crazy with this problem, I figured out how to
> solve it so just leaving this here for future google surfers:
>
> Suddenly my guacamole server stopped working, the logs just showed this
> error:
>
> 11:03:14.552 [ajp-nio-8009-exec-3] DEBUG o.a.g.net.InetGuacamoleSocket -
> Connecting to guacd at localhost:4822. 11:03:14.553
>
> [ajp-nio-8009-exec-3] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel 
> request failed: java.net.ConnectException:  Connection refused (Connection 
> refused)
>
> After a lot of searching, I used 127.0.0.1 instead of localhost in the
> guacamole.properties as it worked for other people but not for me.
>
> guacd-hostname: 127.0.0.1
> guacd-port: 4822
>
>
> Until I noticed that the guacd service was listening in ::1 but not in
> 127.0.0.1
>
> Proxy daemon (guacd) version 1.4.0 started mar 30 11:00:33 Server1 
> guacd[1300]: SUCCESS mar 30 11:00:33 Kalandraka guacd[1303]: Listening on 
> host ::1, port 4822
>
> So, as I am not using Ipv6, just disabled it adding this entry:
>
> net.ipv6.conf.all.disable_ipv6 = 1
>
> To the /etc/sysctl.conf file and restart the system.
>
>
You can also force guacd to listen on the IPv4 port, without disabling IPv6
altogether. You do this by setting "bind_host" to 127.0.0.1 in
/etc/guacd.conf. See:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

-Nick
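
The mismatch described in this thread and in the "Upgrade to 1.4.0 partial failed" thread (guacd listening on ::1 while the web application connects over IPv4) can be checked by comparing the guacd "Listening on host" log line with the guacd-hostname and guacd-port entries in guacamole.properties. This is an added example, not code from the thread or from the Guacamole project; the sample inputs are constructed, the function names are hypothetical, and only port and address family are compared.

```python
import ipaddress
import re
import socket

# Constructed sample input modelled on the guacd log line and the
# guacamole.properties entries quoted in the threads above.
GUACD_LOG = """\
Apr 29 14:34:30 terminal guacd[8285]: Guacamole proxy daemon (guacd) version 1.4.0 started
Apr 29 14:34:30 terminal guacd[8285]: Listening on host ::1, port 4822
"""
GUACAMOLE_PROPERTIES = """\
guacd-hostname: 127.0.0.1
guacd-port: 4822
"""

LISTEN_RE = re.compile(r"Listening on host (\S+), port (\d+)")
PROPERTY_RE = re.compile(r"([^:=\s]+)\s*[:=]\s*(.*)")


def parse_guacd_listen(log_text):
    """Return (host, port) from the last 'Listening on host' line, or None."""
    found = None
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            found = (m.group(1), int(m.group(2)))
    return found


def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def families_for(host, resolver=socket.getaddrinfo):
    """Return the set of address families ('ipv4', 'ipv6') a host refers to."""
    try:
        return {"ipv4" if ipaddress.ip_address(host).version == 4 else "ipv6"}
    except ValueError:
        pass  # not a literal address: resolve it as a name
    families = set()
    try:
        results = resolver(host, None)
    except OSError:
        return families
    for family, *_ in results:
        if family == socket.AF_INET:
            families.add("ipv4")
        elif family == socket.AF_INET6:
            families.add("ipv6")
    return families


def check_guacd_reachability(log_text, properties_text, resolver=socket.getaddrinfo):
    """Compare where guacd listens with where the web application connects.

    Returns (status, detail) with status 'ok', 'ambiguous', 'mismatch' or
    'unknown'. A wildcard bind is judged by its address family alone.
    """
    listen = parse_guacd_listen(log_text)
    if listen is None:
        return ("unknown", "no 'Listening on host' line in the guacd log")
    props = parse_properties(properties_text)
    # Defaults used when the properties are absent: localhost, 4822.
    target_host = props.get("guacd-hostname", "localhost")
    target_port = int(props.get("guacd-port", "4822"))
    listen_host, listen_port = listen
    if listen_port != target_port:
        return ("mismatch", f"guacd port {listen_port}, web application port {target_port}")
    listen_fams = families_for(listen_host, resolver)
    target_fams = families_for(target_host, resolver)
    detail = (f"guacd on {listen_host} {sorted(listen_fams)}, "
              f"web application to {target_host} {sorted(target_fams)}")
    if not listen_fams & target_fams:
        return ("mismatch", detail)
    if target_fams - listen_fams:
        # A name such as 'localhost' may resolve to both families while guacd
        # listens on one: the result depends on which address is tried.
        return ("ambiguous", detail)
    return ("ok", detail)


if __name__ == "__main__":
    print(check_guacd_reachability(GUACD_LOG, GUACAMOLE_PROPERTIES))
```

A "mismatch" or "ambiguous" result is the case the bind_host setting from the replies addresses.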


Re: Guacamole Balancing group and local session already opened

2022-03-30 Thread Nick Couchman
On Wed, Mar 30, 2022 at 6:22 AM Xavier Bonnec 
wrote:

> Hi,
>
> I have balancing groups in Guacamole which are running OK when there are
> only remote connections.
>
> Problem: When a local session is opened, Guacamole initializes the RDP
> connection and asks for disconnection. It doesn't go further trying
> other connections from the balancing group.
>
> Is there a way to indicate to bypass this or to prioritize connections
> with no open session?
>
>
Not really, no, because Guacamole doesn't know that a session is opened
unless it is opened in Guacamole. You'd have to have some way (either
Guacamole polling something on the server, or the server updating some
information with Guacamole) for Guacamole to know that a session is already
opened outside of Guacamole. This doesn't exist in Guacamole, today - the
only solution at the moment is to make sure all access is done through
Guacamole.

-Nick


Re: Upload more than 60 files

2022-03-26 Thread Nick Couchman
On Wed, Mar 23, 2022 at 12:10 PM Denis Bessa  wrote:

> Hi,
>
> I have a Guacamole Server running on Kubernetes. It works perfectly,
> except for one thing: users can't upload more than 60 files through the RDP
> connection.
>
> When they try to do so, they receive this error message:
>
>
> (An internal error has occurred within the Guacamole Server...)
>
>
Can you check the catalina.out file and see if there's any indication of
the error?


> Are there any limitations with the number of file uploads?
>
>
Probably, but I don't think it's 60.

-Nick

>


Re: Connectivity Issue after upgrading Guacamole from 1.3 to 1.4

2022-03-25 Thread Nick Couchman
On Fri, Mar 25, 2022 at 2:37 AM Pradip Sawatkar 
wrote:

> Hi All,
>
> I am having an issue with Apache Guacamole 1.4 not connecting to xRDP for a
> given connection. As I have upgraded Guacamole from 1.3 to 1.4, everything is
> working fine on staging but not on production. I am getting the error "RDP
> server closed/refused connection: Security negotiation failed (wrong
> security type?)" in syslog and "Log in failed. Please reconnect and try
> again." in the Guacamole client console.
>
> Please help, if anyone of you know the solution.
>
>
A couple of things to check:
* Try adjusting the security type - I think xrdp only supports TLS (not
NLA), so make sure it is set to that.
* Make sure that the user running guacd has a valid home directory and has
write access to that home directory. In 1.4, due to some FreeRDP changes,
even if you are ignoring server certificates, the FreeRDP library checks
for a location to write fingerprints to, and, if it doesn't exist, it fails.
* Try checking Ignore Server Certificate and see if that fixes it - if it
does, you'll need to make sure your certificates are trusted or that you
add the fingerprints to the FreeRDP location.

-Nick

>


Re: Extension "guacamole-auth-jdbc-postgresql-1.4.0.jar" could not be loaded

2022-03-25 Thread Nick Couchman
On Fri, Mar 25, 2022 at 10:09 AM Vieri  wrote:

> Hi,
>
> I'm running guacamole-client 1.4.0:
>
> # grep VERSION /var/lib/tomcat-8.5-hmn/webapps/HMNsg/translations/en.json
> "VERSION" : "1.4.0",
>
>
HMNsg seems like a slightly odd name - just to confirm, are you running a
standard version of Guacamole downloaded from the Guacamole home page? Have
you made any modifications to any source code? Do all of your downloads -
both the WAR and the extensions - come from the same download location?

-Nick


Re: New user...a few questions

2022-03-20 Thread Nick Couchman
On Sun, Mar 20, 2022 at 12:05 PM Stuart Blake Tener <
stuart.te...@bh90210.net> wrote:

> Guacamole users/developers,
>
> I am a reasonably new user of this software package (the effectuating of
> an installation into a container on my ProxMox server having become
> occurring just yesterday evening). Thus, in succession thereof, some
> several questions came to mind and their enumeration follows hereupon.
>
>
Welcome.


> 1) My initial observations of the guacamole's functionality seemed to not
> obviously stand demonstrative of a manner by which to purge or clear out
> the entirety of accumulated log entries via the GUI. Are there plans to add
> such functionality? If so, I would recommend being able to clear all
> entries and also a manner by which to clear entries betwixt a start and end
> date as well.
>
>
No, there is no way to do this today via the GUI. The Jira page would be
the location to request such a feature:

https://issues.apache.org/jira/projects/GUACAMOLE/issues


> 2) I was attempting to use guacamole to SSH into a Cisco 3560G switch and
> realized that certain SSH parameters (such as cipher & kexalgorithms in the
> instant case) needed to be set forth for an SSH session to initiate
> properly, is there a manner by which guacamole can be impelled to assert
> honoring such configuration parameters during the instantiation of an SSH
> connection or are there plans to add this functionality to the GUI?
>
>

In general Guacamole will auto-negotiate such features, assuming that the
version of libssh2 in use on the system running guacd supports the given
Cipher and Key Exchange algorithms. This is a pretty frequently-asked
question of Guacamole, and it's generally (though not always) due to an
older version of libssh2 being used/present on the system where guacd has
been installed. In a few cases libssh2 lacks the required ciphers or kex
algorithms entirely. The overall point is that Guacamole's ability to
support certain SSH features is usually more dependent on the underlying
library, libssh2.

I don't know that there are many, if any cases, where manually forcing
parameters is required.


> 3) I could see where there could be usefulness to having a mechanism by
> which one could kill all active sessions for the currently logged in user.
> Additionally, the ability for an administrative level account to terminate
> all connections for a different actively logged in user and as well cause
> said user to be instantly locked out from logging back in would also be a
> rather useful functionality to have in the package.
>

The first part of your request already exists - sessions can be managed by
administrative users, including the ability to join the active session, as
well as the ability to forcibly kill sessions.

The second part of it is not necessarily immediately available - you cannot
completely lock out and kill a user all in one click of a button, but it
shouldn't take much - you could disable the user's account, and then go
search for all the sessions open by a particular user and kill those.


>
> 4) I can see where having a preference setting (on a per user basis) to
> cause the package to immediately return to the recent connections / all
> connections menu after disconnecting from a particular connection (instead
> of the "home/reconnect/logout" prompt) would be a nice to have.
>
>
I'm not sure I see the value in this - there has been a request that comes
up periodically to disable the auto-reconnect feature, and I can see
instances where that would be nice, but I don't know that I see a lot of
value in getting rid of the prompt. Just my opinion.


> 5) I see that all connection entries added into the package are then
> presented in an alphabetically sorted manner. I would enjoy having a way to
> substantiate the list so that the order was something I could arrange via
> the GUI vice alphabetical sorting or at least in the ordered add.
>
>
I would say that organizing connections into groups is the best way to
accomplish this. I'm not sure that the complexity of allowing re-sorting
outside of alphabetical sorting is worth


> I have not yet tested the VNC or RDP functionality as yet, though I plan
> to attempt leveraging such connective functionality later today in
> pursuance of evaluating those capabilities as well. In no uncertain terms
> the capability of amalgamating in a centralized manner access to SSH, RDP,
> and VNC via a web interface is of great utility to me and I am happy to
> have found guacamole.
>

Yep, that's the goal of the project!


>
> These are my ideas after a first blush encounter with the package. The
> forgoing notwithstanding, I find this package to be very useful and I saw
> no outright bugs in it as I used it initially. Thank you to everyone that
> has worked so hard to create and maintain this package and I hope to see to
> its improvement with my ideas and potentially code contributions in the
> future.
>
>
Glad to hear it, and welcome to the community.



Re: SAML SP metadata

2022-03-20 Thread Nick Couchman
On Sun, Mar 20, 2022 at 7:37 AM Vieri  wrote:

>
> On Sunday, March 20, 2022, 11:53:19 AM GMT+1, Vieri
>  wrote:
>
> > This is my current guacamole.properties
>
> If I replace LDAP connection provisioning with a Postgresql backend, I get
> the expected result: connections are properly loaded even when
> authenticating with SAML.
> So I guess I'm better off migrating from LDAP to Postgresql.
>
>
Vieri,
First, thanks for keeping the thread up-to-date and letting everyone know
what worked for you - this is very helpful to the entire community.

Regarding the LDAP module - it won't "stack" with the SSO module in the
same way that the JDBC module does for what you're trying to do. This is
because the LDAP module *always* uses the authentication information of the
user who is logging in to find both group membership and connection
information. The search DN and password are only used to locate the LDAP
object of the user logging in, and then the connection is re-bound with the
credentials of the user who is authenticating to Guacamole. This requires
that the password be provided for the user logging in, and since the SSO
modules don't use a password (at least not directly with Guacamole), and
since successful authentication with one module precludes authentication
from being evaluated in other modules, this won't work - the LDAP module
will never be evaluated for authentication when SSO is used, and, even if
it were, there would be no password provided to it, so it would always fail.

So, yes, if you intend to use SSO to log in to Guacamole, you will need to
store connection data in JDBC, or possibly use the JSON module to
dynamically write it with another (SSO-integrated) service.

-Nick

