RE: Problems with SSH

2024-01-14 Thread Pål Hjelmeseth Myklebust
After I did a sudo make uninstall, manually deleted 
/usr/local/include/guacamole and /usr/local/lib/*, and did a new sudo make 
install, SSH started working again (with 1.5.3). So problem solved.

-
Pål

-Original Message-
From: Pål Hjelmeseth Myklebust  
Sent: Thursday, January 11, 2024 11:05 AM
To: user@guacamole.apache.org
Subject: RE: Problems with SSH

I think the initial problem is related to the "major bug", but the downgrade 
should have fixed SSH (like it did RDP). I even did a server reboot to no 
avail. Could it be a tomcat cache issue?

-
Pål

-Original Message-
From: Vieri  
Sent: Thursday, January 11, 2024 11:01 AM
To: user@guacamole.apache.org
Subject: Re: Problems with SSH

On Thursday, January 11, 2024 at 10:55:53 AM GMT+1, Anders Fogh Eriksen wrote:

> This could be related to the ”major bug” issue:
> https://lists.apache.org/thread/z8m7y5n0nco0smn1mscdn0fhyxjctrtt
> We have the same problem on our setup that after a certain amount of sessions
> everything just stops working

Also make sure you stop/kill all guacd processes when restarting guacd 1.5.3.

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



RE: Problems with SSH

2024-01-11 Thread Pål Hjelmeseth Myklebust
I think the initial problem is related to the "major bug", but the downgrade 
should have fixed SSH (like it did RDP). I even did a server reboot to no 
avail. Could it be a tomcat cache issue?

-
Pål

-Original Message-
From: Vieri  
Sent: Thursday, January 11, 2024 11:01 AM
To: user@guacamole.apache.org
Subject: Re: Problems with SSH

On Thursday, January 11, 2024 at 10:55:53 AM GMT+1, Anders Fogh Eriksen wrote:

> This could be related to the ”major bug” issue:
> https://lists.apache.org/thread/z8m7y5n0nco0smn1mscdn0fhyxjctrtt
> We have the same problem on our setup that after a certain amount of sessions
> everything just stops working

Also make sure you stop/kill all guacd processes when restarting guacd 1.5.3.




Problems with SSH

2024-01-11 Thread Pål Hjelmeseth Myklebust
Hello, after we upgraded to 1.5.4 RDP and SSH stopped working the next day. I 
downgraded to 1.5.3, and RDP started working again, but not SSH. There are no 
errors in the logs:

Jan 11 10:42:40 guacamole.uio.no guacd[1395]: Creating new client for protocol "ssh"
Jan 11 10:42:40 guacamole.uio.no guacd[1395]: Connection ID is "$bd0b91f9-b39e-461b-ad12-6177fb8f063e"
Jan 11 10:42:40 guacamole.uio.no guacd[122497]: User "@0281f99a-ca22-410e-9a26-6d4ca105b3fd" joined connection "$bd0b91f9-b39e-461b-ad12-6177fb8f063e" (1 users now present)
Jan 11 10:42:40 guacamole.uio.no guacd[122497]: Recording of session will be saved to "/var/lib/guacamole/recordings/85745cff-3836-349e-8a1c-0da0f329c685/recording".

but the GUI is stuck on 'Connected to Guacamole. Waiting for response', and the 
recording is empty. SSH works fine from the guacamole server command line, so 
it's not a network problem and the build log shows no errors (installed 
natively on RHEL9). Any idea what's wrong or where to start looking?

-
Pål




RE: Major bug message log in guacd 1.5.4

2024-01-08 Thread Pål Hjelmeseth Myklebust
We also experienced this. Upgraded from 1.5.3 to 1.5.4 and everything worked 
fine. The next day nobody was able to establish a connection. I did not have 
time to debug, so I downgraded the guacd server to 1.5.3, the web client and 
the extensions are still running 1.5.4, and everything works ok. 

-
Pål

-Original Message-
From: Joonas Tuomisto  
Sent: Monday, January 8, 2024 12:06 PM
To: user@guacamole.apache.org
Subject: Re: Major bug message log in guacd 1.5.4

Hi,

I also ran into this exact issue it seems, but we're not using the Guacamole 
Docker images, instead we're using custom built RPM packages on OpenSUSE Leap 
15.5 as a native systemd service.

To me this does indeed look like some kind of resource leak in guacd.

Initially everything works, but eventually guacd stops being able to initiate 
new connections, and it's not limited to just one protocol, at least both RDP 
and SSH are impacted.

I'm not entirely sure how forking processes interact with system limits and how 
to debug this to find what resource exactly is being leaked.

I attached to guacd with strace after encountering this state and initiated a 
new RDP/SSH connection and it does appear to be failing after a connect() but I 
didn't notice anything weird.

connect() goes -1 EINPROGRESS and poll, recvfrom() goes -1 EAGAIN.

There's indeed a whole bunch of eventfd2() when trying an RDP connection.

guacd logs (for RDP):
> RDP server closed/refused connection: Security negotiation failed (wrong security type?)

guacd logs (for SSH):
> GLib (gthread-posix.c): Unexpected error from C library during 'pthread_key_create': Resource temporarily unavailable. Aborting.

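Added example, not part of the thread or of the Guacamole project: one way to approach the question raised above about which resource guacd is exhausting is to compare each guacd process's open file descriptors and thread count with its soft limits under /proc. The `PROC_ROOT` override and the 80% warning threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: survey guacd processes under /proc (Linux).
# PROC_ROOT may point at a copied or constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"
WARN_PCT="${WARN_PCT:-80}"   # assumption: flag usage at 80% of the soft limit

# PIDs whose command name is exactly "guacd" (the daemon and its forked children).
guacd_pids() {
    for d in "$PROC_ROOT"/[0-9]*; do
        if [ -r "$d/comm" ] && [ "$(cat "$d/comm" 2>/dev/null)" = "guacd" ]; then
            echo "${d##*/}"
        fi
    done
}

# Soft limit from /proc/<pid>/limits for a row such as "Max open files".
soft_limit() {
    awk -v name="$2" 'index($0, name) == 1 { sub(name, ""); print $1; exit }' \
        "$PROC_ROOT/$1/limits" 2>/dev/null || true
}

# True when count $1 is at or above WARN_PCT percent of numeric limit $2.
near_limit() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac   # "unlimited"/unknown never warns
    [ $(( $1 * 100 )) -ge $(( $2 * WARN_PCT )) ]
}

# One line per guacd process, then the thread total against "Max processes".
# RLIMIT_NPROC is per user and counts threads, so every forked guacd child and
# each of its threads draws on the same budget; the total here is a lower bound.
survey() (
    total=0
    for pid in $(guacd_pids); do
        fds=$(( $(ls "$PROC_ROOT/$pid/fd" 2>/dev/null | wc -l) ))
        fdmax=$(soft_limit "$pid" "Max open files")
        thr=$(awk '/^Threads:/ { print $2 }' "$PROC_ROOT/$pid/status" 2>/dev/null || true)
        thr=${thr:-0}
        nproc=$(soft_limit "$pid" "Max processes")
        total=$(( total + thr ))
        flag=ok; near_limit "$fds" "$fdmax" && flag=WARN
        echo "pid=$pid fds=$fds/$fdmax threads=$thr $flag"
    done
    flag=ok; near_limit "$total" "${nproc:-}" && flag=WARN
    echo "total_threads=$total max_processes=${nproc:-unknown} $flag"
)

survey   # reading another user's /proc/<pid>/fd needs root
```

Thread-specific data keys, the resource named in the `pthread_key_create` error, are not exposed in /proc, so this survey can only confirm or rule out descriptor and thread exhaustion. Running it periodically while sessions open and close shows whether either count grows without returning to its baseline.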



RE: LDAP problem

2023-12-11 Thread Pål Hjelmeseth Myklebust
The problem was that one AD had the uid attribute, and the other didn't. 
Problem solved, sorry about the noise. 

-
Pål

-Original Message-
From: Pål Hjelmeseth Myklebust  
Sent: Monday, December 11, 2023 1:29 PM
To: user@guacamole.apache.org
Subject: RE: LDAP problem

Looks like the problem is that "List userDNs = 
userService.getUserDNs(config, searchConnection, username);" returns nothing, 
but I don’t understand why since ldapsearch with the same search-bind-dn 
returns the correct DN.

-
Pål

-Original Message-----
From: Pål Hjelmeseth Myklebust  
Sent: Monday, December 11, 2023 12:40 PM
To: user@guacamole.apache.org
Subject: RE: LDAP problem

Thank you, but in this case the user only exists in the second AD.

-
Pål

-Original Message-
From: Molina de la Iglesia, Manuel 
 
Sent: Monday, December 11, 2023 12:33 PM
To: user@guacamole.apache.org
Subject: Re: LDAP problem

Hello, 

Note that you have to provide user@domain format instead of sAMAccountName to 
avoid collisions with identical usernames on both domains.


Manel Molina
manuel.molina-de-la-igle...@veolia.com
Cybersecurity Directorate
Ciutat de L’Aigua (D38)
Paseo de la Zona Franca, 48 
08038 Barcelona / España
www.veolia.com

On Mon, 11 Dec 2023 at 12:30, Pål Hjelmeseth Myklebust (p.h.mykleb...@usit.uio.no) wrote:


Hello, We have configured Guacamole against two AD's. Authentication 
against the first AD works great, but the second gives this error:

INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN 
of user "" using LDAP server "ad.kiosk.educloud.no". Proceeding with next 
server...

Ldapsearch from the guacamole server returns the user with the correct 
DN, and the user-base-dn, search-bind-dn and search-bind-password in the 
ldap-servers.yml is correct. Any idea what could be wrong? 

-
Paul






RE: LDAP problem

2023-12-11 Thread Pål Hjelmeseth Myklebust
Looks like the problem is that "List userDNs = 
userService.getUserDNs(config, searchConnection, username);" returns nothing, 
but I don’t understand why since ldapsearch with the same search-bind-dn 
returns the correct DN.

-
Pål

-Original Message-----
From: Pål Hjelmeseth Myklebust  
Sent: Monday, December 11, 2023 12:40 PM
To: user@guacamole.apache.org
Subject: RE: LDAP problem

Thank you, but in this case the user only exists in the second AD.

-
Pål

-Original Message-
From: Molina de la Iglesia, Manuel 
 
Sent: Monday, December 11, 2023 12:33 PM
To: user@guacamole.apache.org
Subject: Re: LDAP problem

Hello, 

Note that you have to provide user@domain format instead of sAMAccountName to 
avoid collisions with identical usernames on both domains.


Manel Molina
manuel.molina-de-la-igle...@veolia.com
Cybersecurity Directorate
Ciutat de L’Aigua (D38)
Paseo de la Zona Franca, 48 
08038 Barcelona / España
www.veolia.com

On Mon, 11 Dec 2023 at 12:30, Pål Hjelmeseth Myklebust (p.h.mykleb...@usit.uio.no) wrote:


Hello, We have configured Guacamole against two AD's. Authentication 
against the first AD works great, but the second gives this error:

INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN 
of user "" using LDAP server "ad.kiosk.educloud.no". Proceeding with next 
server...

Ldapsearch from the guacamole server returns the user with the correct 
DN, and the user-base-dn, search-bind-dn and search-bind-password in the 
ldap-servers.yml is correct. Any idea what could be wrong? 

-
Paul






RE: LDAP problem

2023-12-11 Thread Pål Hjelmeseth Myklebust
Thank you, but in this case the user only exists in the second AD.

-
Pål

-Original Message-
From: Molina de la Iglesia, Manuel 
 
Sent: Monday, December 11, 2023 12:33 PM
To: user@guacamole.apache.org
Subject: Re: LDAP problem

Hello, 

Note that you have to provide user@domain format instead of sAMAccountName to 
avoid collisions with identical usernames on both domains.


Manel Molina
manuel.molina-de-la-igle...@veolia.com
Cybersecurity Directorate
Ciutat de L’Aigua (D38)
Paseo de la Zona Franca, 48 
08038 Barcelona / España
www.veolia.com

On Mon, 11 Dec 2023 at 12:30, Pål Hjelmeseth Myklebust (p.h.mykleb...@usit.uio.no) wrote:


Hello, We have configured Guacamole against two AD's. Authentication 
against the first AD works great, but the second gives this error:

INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN 
of user "" using LDAP server "ad.kiosk.educloud.no". Proceeding with next 
server...

Ldapsearch from the guacamole server returns the user with the correct 
DN, and the user-base-dn, search-bind-dn and search-bind-password in the 
ldap-servers.yml is correct. Any idea what could be wrong? 

-
Paul






LDAP problem

2023-12-11 Thread Pål Hjelmeseth Myklebust
Hello, We have configured Guacamole against two AD's. Authentication against 
the first AD works great, but the second gives this error:

INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user 
"" using LDAP server "ad.kiosk.educloud.no". Proceeding with next 
server...

Ldapsearch from the guacamole server returns the user with the correct DN, and 
the user-base-dn, search-bind-dn and search-bind-password in the 
ldap-servers.yml is correct. Any idea what could be wrong? 

-
Paul







OpenID and grant type

2023-09-11 Thread Pål Hjelmeseth Myklebust
Hello, are there any plans to implement support for authorization code flow for 
the OpenID support? None of my IdPs support implicit flow since it's deprecated.

-
Pål




RE: SAML question

2023-08-24 Thread Pål Hjelmeseth Myklebust
Ok. What attributes does the SAML extension expect in return from the IdP? It 
looks like it's using the temporary session UUID as username, which results in a 
new user for each try. Is there support for specifying the attribute names?

-
Pål

-Original Message-
From: Nick Couchman  
Sent: Thursday, August 24, 2023 3:44 PM
To: user@guacamole.apache.org
Subject: Re: SAML question

On Thu, Aug 24, 2023 at 7:05 AM Pål Hjelmeseth Myklebust 
 wrote:
>
> Hello, I am trying to configure the SAML extension. Is there a way to 
> download/view the SP metadata (preferably in an XML format)?

No, we currently do not have a way to generate the SP metadata.

-Nick



SAML question

2023-08-24 Thread Pål Hjelmeseth Myklebust
Hello, I am trying to configure the SAML extension. Is there a way to 
download/view the SP metadata (preferably in an XML format)?

Thanks,

Pål


