Re: Guacamole Menu

2024-02-20 Thread Stefan Bogdan Cimpeanu
You can use the on-screen keyboard input method from the guacamole menu to send 
the key combinations required.

Regards,
Bogdan
On 21 Feb 2024 at 03:47 +0200, emerson.beze...@gmail.com, wrote:
> Hi.
>
> We are working on virtualizing a legacy application.
>
> Unfortunately, the application uses the same keys to open the Guacamole Menu. 
> Ctrl + Alt + Shift
>
> Is it possible to change or disable them?
>
> All the best from Brazil.
> ---
> Emerson Bezerra
> ---


Re: Weird behaviour - RDP timeout

2022-06-14 Thread Stefan Bogdan Cimpeanu
Hi Antony,
I agree it could be that; however, it does not explain (in my mind) why the 
Guacamole server would behave differently when the user is from Europe or from 
Australia if the target is still in Australia.
Is there any special connection happening from the end user all the way to the 
target somehow?

Additionally, can that 15 seconds timeout be increased somehow?

Bogdan

> On 14 Jun 2022, at 22:10, Antony Awaida  wrote:
> 
> Hi there:
> 
> It may be a problem with the network latency. Have your user in Australia 
> check his latency to Europe/Azure using this:
> 
> https://www.azurespeed.com/Azure/Latency
> 
> Cheers,
> Antony Awaida
> CEO
> www.apporto.com <http://www.apporto.com/>
> 
> On Tue, Jun 14, 2022 at 12:07 PM Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
> Hello all,
> I have this interesting behaviour, that I can’t fully understand, maybe 
> someone can help out please.
> 
> I have Guacamole deployed in several Azure locations in Europe.
> I have servers again in Azure deployed in most of the regions.
> 
> If I, from Europe, want to access via Guacamole, a server in Australia, it 
> all works ok.
> If someone from Australia wants to access a server from Australia, via a 
> European Guacamole, they get a connection timeout:
> 
> 
> 
> I understand round trips etc, but I really don’t see why would Guacamole 
> “care” where the user comes from. As long as Guacamole can access the target 
> server, I should get a connection, right?
> Slow, but it should be there.
> 
> Can anyone help figure this out?
> 
> Regards,
> Bogdan



Weird behaviour - RDP timeout

2022-06-14 Thread Stefan Bogdan Cimpeanu
Hello all,
I have this interesting behaviour, that I can’t fully understand, maybe 
someone can help out please.

I have Guacamole deployed in several Azure locations in Europe.
I have servers again in Azure deployed in most of the regions.

If I, from Europe, want to access via Guacamole, a server in Australia, it all 
works ok.
If someone from Australia wants to access a server from Australia, via a 
European Guacamole, they get a connection timeout:



I understand round trips etc, but I really don’t see why would Guacamole “care” 
where the user comes from. As long as Guacamole can access the target server, I 
should get a connection, right?
Slow, but it should be there.

Can anyone help figure this out?

Regards,
Bogdan

Re: Support protocols

2022-03-29 Thread Stefan Bogdan Cimpeanu
I will get so much hate for this, but, there are other commercial solutions 
that allow you to access webpages defined or user-provided from within the 
solution, such as Fortinet.
Different ACLs can be implemented, 2FA, and all the bells and whistles.

Bogdan

> On 29 Mar 2022, at 11:38, Ricardo García Arroyo  wrote:
> 
> Hello, good morning.
>  
> We ask because our client is the ESA (European Space Agency).
> Is it possible to create a future release with ESA requirement with an 
> estimation (in time and value) of your work? My team and ESA would evaluate 
> your estimation.
>  
> Thanks and regards.
> Ricardo
>  
> From: Alessandro Sironi  
> Sent: Tuesday, 29 March 2022 9:18
> To: user@guacamole.apache.org
> Subject: Re: Support protocols
>  
> Hello, if you mean to be able to directly open a webpage in http(s) then it’s 
> definitely not possible and not in any future release.
> 
> Sent from iPhone
> 
> 
> On 29 Mar 2022, at 09:14, Ricardo García Arroyo 
> <rgarr...@gmv.com> wrote:
> 
>  
> Hello.
>  
> We are using a NGINX proxy, we are asking that to know if in future 
> developments of the tools can be implemented the http(s) access like VNC or 
> RDP without the use of NGINX proxy.
>  
> Thanks.
> Regards.
> Ricardo
>  
> From: Sean Hulbert
> Sent: Tuesday, 29 March 2022 9:11
> To: user@guacamole.apache.org 
> Subject: RE: Support protocols
>  
> Guacamole absolutely can be accessed using http(s), install it with NGINX 
> and proxy it.  I do highly recommend TLSv1.3 since login information can be 
> seen outside a secure tunnel.  
>  
>  Original message 
> From: Ricardo García Arroyo <rgarr...@gmv.com>
> Date: 3/28/22 11:57 PM (GMT-08:00)
> To: user@guacamole.apache.org 
> Subject: Support protocols 
>  
> Good morning.
>  
> I’m Ricardo from an IT company in Spain.
>  
> My team and I are working on a project with the Apache Guacamole tool. We 
> provide access to clients by VNC, RDP and SSH with Guacamole. Our customer 
> requests access from us by http or https. We see that your tool doesn’t allow 
> this access at the moment. Is development for that possible, or is it 
> programmed for future versions of Guacamole?
>  
> If that question has been sent to a wrong email, can you tell me where can I 
> ask our question?
>  
> Thanks and regards.
> Ricardo



Websocket tunnel issues

2021-06-25 Thread Stefan Bogdan Cimpeanu
Hello,

I have this weird behaviour where for the same user, from the same machine, to 
the same target (guacamole connection), from the same IP etc, I get either a 
successful tunnel created, or I don’t. This tunnel creation is affecting 
sharing profiles and ability to use the shared drive (for copying files in/out 
of the guacamole remote).

Please see the logs below.

This bit is where a tunnel is successfully created:

127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/patches?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 352
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET /guacamole/translations/en.json 
HTTP/1.1" 200 47015
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/session/data/ldap/connectionGroups/ROOT/tree?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 108
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/session/data/mysql-shared/self/permissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 242
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/session/data/mysql-shared/connectionGroups/ROOT/tree?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 134
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/session/data/ldap/self/permissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 26732
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/api/session/data/mysql/schema/protocols?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 13547
127.0.0.1 - - [25/Jun/2021:21:54:07 +] "GET 
/guacamole/websocket-tunnel?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B_DATA_SOURCE=mysql_ID=1594_TYPE=c_WIDTH=2507_HEIGHT=1336_DPI=96_TIMEZONE=Europe%2FBucharest_AUDIO=audio%2FL8_AUDIO=audio%2FL16_IMAGE=image%2Fjpeg_IMAGE=image%2Fpng_IMAGE=image%2Fwebp
 HTTP/1.1" 101 -
127.0.0.1 - - [25/Jun/2021:21:54:08 +] "GET 
/guacamole/api/session/data/mysql/connections/1594?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 321
127.0.0.1 - - [25/Jun/2021:21:54:09 +] "GET 
/guacamole/api/session/data/mysql/self/permissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 205
127.0.0.1 - - [25/Jun/2021:21:54:10 +] "GET 
/guacamole/api/session/data/mysql/connectionGroups/ROOT/tree?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 74777
127.0.0.1 - - [25/Jun/2021:21:54:15 +] "GET 
/guacamole/api/session/data/ldap/users/Erik.Nguyen?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 53
127.0.0.1 - - [25/Jun/2021:21:54:15 +] "GET 
/guacamole/api/session/data/mysql-shared/self/effectivePermissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 242
127.0.0.1 - - [25/Jun/2021:21:54:15 +] "GET 
/guacamole/api/session/data/ldap/self/effectivePermissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 26732
127.0.0.1 - - [25/Jun/2021:21:54:15 +] "GET 
/guacamole/api/session/data/ldap/activeConnections?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 12
127.0.0.1 - - [25/Jun/2021:21:54:15 +] "GET 
/guacamole/api/session/data/mysql-shared/activeConnections?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 12
127.0.0.1 - - [25/Jun/2021:21:54:17 +] "GET 
/guacamole/api/session/data/mysql/self/effectivePermissions?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 6464
127.0.0.1 - - [25/Jun/2021:21:54:17 +] "GET 
/guacamole/api/session/data/mysql/activeConnections?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 200 235
127.0.0.1 - - [25/Jun/2021:21:54:20 +] "POST /guacamole/api/tokens 
HTTP/1.1" 403 269
127.0.0.1 - - [25/Jun/2021:21:54:34 +] "GET 
/guacamole/api/session/tunnels/null/streams/0/1.txt?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B
 HTTP/1.1" 404 189
127.0.0.1 - - [25/Jun/2021:21:55:21 +] "POST /guacamole/api/tokens 
HTTP/1.1" 403 269
127.0.0.1 - - [25/Jun/2021:21:55:22 +] "POST /guacamole/api/tokens 
HTTP/1.1" 200 191
127.0.0.1 - - [25/Jun/2021:21:55:35 +] "GET 
/guacamole/websocket-tunnel?token=27C1C8D44B19C39E8DA6D3CADB392BAD22E9EE6E3A41ED0F58B9E3C5C9EFE99B_DATA_SOURCE=mysql_ID=1594_TYPE=c_WIDTH=2507_HEIGHT=1336_DPI=96_TIMEZONE=Europe%2FBucharest_AUDIO=audio%2FL8_AUDIO=audio%2FL16_IMAGE=image%2Fjpeg_IMAGE=image%2Fpng_IMAGE=image%2Fwebp
 HTTP/1.1" 101 -
127.0.0.1 - - [25/Jun/2021:21:55:40 +] "GET 
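
Added example (not part of the original post, and not Guacamole project code): a Python pass over access-log lines of the shape shown above that replaces each session token with a short fingerprint before the log is shared, counts WebSocket upgrades (status 101), and flags stream requests whose tunnel id is the literal "null", as in the 404 line above. The sample lines and the token are constructed, and the function names are hypothetical.

```python
import hashlib
import re
from collections import Counter

# Constructed sample in the access-log shape from the post; TOKEN is a
# placeholder, not a real session token.
TOKEN = "A" * 64
SAMPLE_LOG = f"""\
127.0.0.1 - - [25/Jun/2021:21:54:07 +0000] "GET /guacamole/api/session/data/mysql/schema/protocols?token={TOKEN} HTTP/1.1" 200 13547
127.0.0.1 - - [25/Jun/2021:21:54:07 +0000] "GET /guacamole/websocket-tunnel?token={TOKEN}&GUAC_DATA_SOURCE=mysql&GUAC_ID=1594&GUAC_TYPE=c HTTP/1.1" 101 -
127.0.0.1 - - [25/Jun/2021:21:54:20 +0000] "POST /guacamole/api/tokens HTTP/1.1" 403 269
127.0.0.1 - - [25/Jun/2021:21:54:34 +0000] "GET /guacamole/api/session/tunnels/null/streams/0/1.txt?token={TOKEN} HTTP/1.1" 404 189
127.0.0.1 - - [25/Jun/2021:21:55:22 +0000] "POST /guacamole/api/tokens HTTP/1.1" 200 191
this line is not an access-log entry
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Hex-only match: stops at "&" and also at "_", so it still ends at the right
# place when an archive has mangled the query-string separators.
TOKEN_RE = re.compile(r'(?<=token=)[0-9A-Fa-f]{16,}')
NULL_TUNNEL_RE = re.compile(r'/api/session/tunnels/null/')


def fingerprint(token: str) -> str:
    """Short one-way label so requests of one session can still be correlated."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:8]


def redact(line: str) -> str:
    """Replace every token value in a log line with its fingerprint."""
    return TOKEN_RE.sub(lambda m: "<" + fingerprint(m.group(0)) + ">", line)


def analyse(log_text: str) -> dict:
    """Classify tunnel-related events and return redacted lines for sharing."""
    events = Counter()
    sessions = set()
    redacted = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sessions.update(fingerprint(t) for t in TOKEN_RE.findall(line))
        redacted.append(redact(line))
        m = LINE_RE.match(line)
        if m is None:
            events["unparsed"] += 1
            continue
        path = m["target"].split("?", 1)[0]
        status = int(m["status"])
        if path.endswith("/websocket-tunnel"):
            # 101 Switching Protocols means the WebSocket upgrade succeeded.
            events["ws_upgrade" if status == 101 else "ws_refused"] += 1
        elif NULL_TUNNEL_RE.search(path) and status == 404:
            # Stream requested without a tunnel UUID on the client side.
            events["null_tunnel_stream"] += 1
        elif m["method"] == "POST" and path.endswith("/api/tokens") and status == 403:
            events["auth_rejected"] += 1
    return {
        "events": dict(events),
        "sessions": sorted(sessions),
        "redacted": redacted,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result["events"])
    print("\n".join(result["redacted"]))
```
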

Sharing function flapping

2021-06-07 Thread Stefan Bogdan Cimpeanu
Hello all,
In our setup we configured guacamole 1.2 with ldap and mysql.
All our connections have two sharing profiles, one “full access” and one “read 
only”.
We assign rights to connections and sharing profiles based on the AD groups, 
from within the guacamole UI.

For some users, “randomly”, the share button is sometimes missing.
I’ve tested a bit and for some of the users that report the behaviour I’ve gone 
ahead and added explicit permissions to the connections/sharing profiles, but 
the problem persists.

Can you please advise on how to identify the root cause?

Regards,
Bogdan



RDP Mapped drive issues

2021-04-18 Thread Stefan Bogdan Cimpeanu
Hello,
I think you've heard me on this list several times about some unreliable
behaviour of the mapped drives.
One of the most "blocking" issues I have so far is that for some users,
downloading files from a remote to their local machine via a mapped drive
simply doesn't work at all. In other words, there's no download dialogue or
file being downloaded, although I can clearly see the file being uploaded
on the guacamole host under the user's Downloads folder.

Connections are configured as such:
- enable drive: checked
- drive name: Z
- drive path: /guaca_files/${GUAC_USERNAME}
- automatically create drive: checked

This issue is happening to some users, but not to others. For the same
connection, a user might hit the issue, while another has it working
flawlessly, which leads me to believe there's no issue with the remote
server.
I've tried troubleshooting this quite a few times, and did remote sessions
with the users reporting the behaviour, and could not find anything wrong
on their browsers (like blocked domains or actions etc.). Incognito doesn't
help either.

The only error I can see is in guacd, however for me the file downloads
just fine. The same test with the same file for some users doesn't. Please
see below an example of guacd's only issues reported for a file named 2.txt.

I've been trying to figure this out for a long time, and I have no idea
how/what to try and troubleshoot.
Please help!

Regards,
Bogdan

Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_close: Closed
"\Download" (file_id=3)
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open:
path="\Download", access=0x100081, file_attributes=0x0,
create_disposition=0x1, create_options=0x20
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: Normalized
path "\Download" to "\Download".
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: Translated
path "\Download" to "/guaca_files/bogdan.cimpeanu/Download".
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: native
open: real_path="/guaca_files/bogdan.cimpeanu/Download", flags=0x0
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: Opened
"\Download" as file_id=4
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdpdr_fs_process_create:
[file_id=4] desired_access=0x100081, file_attributes=0x0,
create_disposition=0x1, create_options=0x20, path="\Download"
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]:
guac_rdpdr_fs_process_query_standard_info: [file_id=4]
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]:
guac_rdpdr_fs_process_query_standard_info: [file_id=4]
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdpdr_fs_process_close:
[file_id=4]
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_close: Closed
"\Download" (file_id=4)
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open:
path="\Download\2.txt", access=0x100080, file_attributes=0x80,
create_disposition=0x1, create_options=0x20
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: Normalized
path "\Download\2.txt" to "\Download\2.txt".
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: Translated
path "\Download\2.txt" to "/guaca_files/bogdan.cimpeanu/Download/2.txt".
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: native
open: real_path="/guaca_files/bogdan.cimpeanu/Download/2.txt", flags=0x0
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdp_fs_open: open()
failed: No such file or directory
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: guac_rdpdr_fs_process_create:
[file_id=-2] desired_access=0x100080, file_attributes=0x80,
create_disposition=0x1, create_options=0x20, path="\Download\2.txt"
Apr 18 22:31:05 guacamole-noes-3 guacd[8353]: File open refused (-2):
"\Download\2.txt"


Re: Weird mapped drive issue

2021-02-20 Thread Stefan Bogdan Cimpeanu
Hi David,
It’s much simpler than that.
All the copy actions happen on host to the mapped drive’s Downloads folder.
Here’s a quick recording of the behaviour: https://youtu.be/LGoG7uZFr68

This is consistent on many windows flavours: 10 build 1909 or 2004, server 
2019, server 2016.

Regards,
Bogdan


> On 18 Feb 2021, at 09:44, David Barber  wrote:
> 
> This is not clear at all what you are doing, copy and paste actions need to 
> be qualified with from/to so we can understand
> 
> eg
> 1. copy at client, paste to host
> 2 take same file, where?
> 
> Stefan Bogdan Cimpeanu wrote:
>> Hello,
>> I’m facing a rather interesting use case regarding the mapped drive and 
>> downloading files from a remote (RDP) via the drive.
>> 
>> My connection config is in picture.
>> 
>> 
>> 
>> If I connect to the target, and I copy/paste a file in the Downloads folder 
>> of my Z drive, browser downloads the file.
>> If I take same file, rename it, drag to downloads folder of my Z drive, 
>> browser downloads the file (new name).
>> If I however do not rename the file, and drag the file in the Downloads 
>> folder, even if different size, I don’t get a download, and a windows error 
>> while copying the file to the Downloads folder saying that source (yes, the 
>> source) file can’t be found, although there’s nothing wrong with the source 
>> file. If I rename it again, and copy/paste to Downloads, it works well.
>> 
>> I’ve started both tomcat and guacd in debug mode, there’s no errors reported 
>> on any of the services.
>> 
>> Please help me understand what’s going on and if there’s any work around.
>> 
>> Regards,
>> Bogdan
> 
> 



Re: Cannot connect using RDP

2021-02-18 Thread Stefan Bogdan Cimpeanu
Have you checked the Windows Event viewer logs on your target? Do you even get 
connection attempts?

Bogdan

> On 18 Feb 2021, at 22:28, Mike Jumper  wrote:
> 
> On Thu, Feb 18, 2021 at 11:06 AM Bill Sandor wrote:
> I can ping all the RDP endpoint IPs and hostnames from the guac server.  
> Connecting to client via IP or hostname fails the same either way.
> 
> I have tried with and without password (thinking it would prompt for password 
> like MS’s RDP client).  Same failure either way.
> 
> It will (as of 1.3.0), but only after authentication has been requested by 
> the RDP server. If the low-level connection to the RDP server is being 
> rejected, this won't happen.
> 
> What do you see within your guacd logs when debug-level logging is enabled?
> 
> - Mike
> 



Re: Hyper-V VMCONNECT - Display resolution problem.

2021-01-19 Thread Stefan Bogdan Cimpeanu
Hi,
For hyperv you get the best experience if you have Enhanced session enabled
on the hyperv host, and in the guacamole config for the connection you add
;EnhancedMode=1 right after the preconnection PDU.
Setting in guacamole a screen resolution will be carried over successfully
to your target in enhanced mode.

Please note that Enhanced mode is console over RDP, so the guest will “see”
you as a remote user.

Hope this helps.

From: Mike Jumper  
Reply: user@guacamole.apache.org 

Date: 19 January 2021 at 21:10:47
To: user@guacamole.apache.org 

Subject:  Re: Hyper-V VMCONNECT - Display resolution problem.

On Tue, Jan 19, 2021 at 10:17 AM Kjartan Dige  wrote:
>
>> Hello! Hope all are doing well.
>>
>> I recently started a new journey, building a javascript frontend in
>> angular, with RDP VM Console connect features. And of course! Decided to
>> use Guacamole. So... As of anything new, here are my first issues.
>>
>>
>> When I connect to a Virtual Machine using "vmconnect", the session is OK
>> and graphics renders. If I change the resolution on the VM, from 1024x768,
>> to for example 1920x1080, it renders the new screen size perfectly.
>>
>> However, if I disconnect, and then reconnect to that VM, no graphics
>> renders... Connection is established, and keys are being received by GUACD.
>> My initial thought is, that the client can't tell the hyper-v to use
>> 1024x768, or anything else. However the client still tries to use that
>> resolution, and the server will use 1920x1080, forced by the console
>> resolution... However using width: 1920 height: 1080, will let it render.
>>
>> On VNC it's the server that decides what resolution to use. But on Hyper-V
>> it seems like it's the client. Even though I'm connecting to a console RDP.
>>
>> How do I either:  1. Get the RDP Consoles display size, and reconnect
>> with correct size. OR. Let the server tell me what size is used, and adapt
>> to that?
>>
>
> The RDP support already does this:
>
> * The client will send the desired display size to the server. The server
> does not have to honor this, and the client does not assume that it will.
> * The size of the server's display is communicated to the client upon
> connecting, regardless of whether it matches the client's requested size.
> * The server can, at any time, resize the display. There is a specific RDP
> message used to communicate a display size change. The client is required
> to honor this, and Guacamole does so.
>
> I'm not sure what could be causing what you're seeing with Hyper-V, but I
> suspect something within Hyper-V itself. If you connect to a standard RDP
> server, I think you'll find that all of the above work fine. There are
> differences in the way that communication with Hyper-V occurs, in that
> there is a slightly different handshake involving an exchange of arbitrary
> data (the "preconnection PDU"), and slightly different authentication
> requirements. If the blob for the preconnection PDU isn't set, or you
> aren't using the Hyper-V-specific auth option, I'd try setting those your
> connection parameters.
>
> The rest is all normal, standard RDP, which is known to work correctly as
> far as screen size negotiation and handling is concerned.
>
> - Mike
>
>


Re: Need some help troubleshooting a guac installation

2020-12-30 Thread Stefan Bogdan Cimpeanu
http://remote.aslanfrench.work:8080/guacamole/#/ is not going through your
proxy, but rather directly to your guacamole’s tomcat.


If you search this mail list history you’ll find a couple of nginx config
examples some of us shared.

From: Aslan French  
Reply: user@guacamole.apache.org 

Date: 30 December 2020 at 19:36:02
To: user@guacamole.apache.org 

Subject:  Need some help troubleshooting a guac installation

 Hi,
>
> My name is Aslan. I'm a design technologist. I'm not a particularly good
> developer or sysadmin but I dabble in running cloud apps for my own
> personal needs on a homelab server. I wanted to set up Apache Guacamole so
> that I could manage my homelab server remotely while I'm away from home. I
> can ssh in of course, but sometimes it would be nice to have access to a
> GUI.
>
> My homelab server already has Nextcloud and an nginx proxy server
> installed on it.
>
> I tried following a combination of these tutorials to install Guac on my
> homelab server:
>
>
> https://www.linuxbabe.com/ubuntu/apache-guacamole-remote-desktop-ubuntu-20-04
>
> https://www.howtoforge.com/how-to-install-and-configure-guacamole-on-ubuntu-1804/
>
> When I visit http://remote.aslanfrench.work:8080/guacamole/#/ from the
> homelab server I can see the Guac login. When I try to login it stalls out
> on me.
>
> When I try to access that url from my laptop it hangs and does not work.
>
> Here is my nginx conf:
>
> ```
>> server {
>> listen 80;
>> listen [::]:80;
>>
>> #   ## ssl cert location
>> #   location /.well-known/acme-challenge {
>> # root /var/www/letsencrypt;
>> # default_type "text/plain";
>> # try_files $uri =404;
>> # }
>>
>> server_name remote.aslanfrench.work;
>> access_log  /var/log/nginx/guac_access.log;
>>
>> error_log  /var/log/nginx/guac_error.log;
>>
>> # reroute all other traffic to the 443 port
>> location / {
>> return 301 https://$server_name:443;
>> }
>>
>> }
>>
>>
>> #  # HTTPS stuff
>>  server {
>> listen 443 ssl http2 default_server;
>> listen [::]:443 ssl http2 default_server;
>> server_name remote.aslanfrench.work;
>>
>> access_log /var/log/nginx/guacamole.access.log main;
>> error_log /var/log/nginx/guacamole.error.log warn;
>>
>> # root /var/www/guacamole;
>> # index index.html;
>>
>> location /guacamole/ {
>> proxy_pass http://remote.aslanfrench.work:8080/guacamole/;
>> proxy_buffering off;
>> proxy_http_version 1.1;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header Upgrade $http_upgrade;
>> proxy_set_header Connection $http_connection;
>> # access_log off;
>> }
>> }
>>
>> ```
>>
>
> That conf is based off of the nextcloud conf I'm using and the official
> Guac manual.
>
> I successfully can access the root page commented out from any external
> computer so I know that the proxy is at least working on some level
> correctly.
>
> Generally speaking though that's something I'm kind of confused about? I
> don't know anything about tomcat. The way the nginx proxy works is pretty
> self explanatory I feel with most stuff. Nextcloud is PHP. so you just
> point the nextcloud conf towards /var/www/Nextcloud and the index.php does
> the rest. But what is the guacamole conf in the nginx supposed to be
> pointing towards? "Where" in my filesystem is Guac located? I know "where"
> nextcloud is located but I don't get how that works with Guac. Is that the
> .war file? That's the guac webapp I guess? How does the nginx know where
> that is located if I don't specify that anywhere in the conf file? It
> apparently does since I can access guac's front locally (though maybe
> that's not quite right since it's not accessible externally)
>
> Anyway, lots of questions here, and I def would appreciate any
> troubleshooting tips anyone could provide.
>
>
> *Aslan French*
> *jackalope.tech*  | Design Technologist
>
>
>


Re: copy past from our system to RDP issue

2020-12-02 Thread Stefan Bogdan Cimpeanu
Are you able to copy/paste with a standard RDP connection, without Guacamole?
I am still thinking this is a policy issue on the target VM.

Bogdan

> On 2 Dec 2020, at 13:39, Arpit Agarwal  wrote:
> 
> I am using mac and have not IE in it :( 
> 
> Thanks & Regards,   
> Arpit Agarwal
> Chat ID's:
> GTalk  :a...@mpatra.com 
> Skype :iarpit22
> http://www.arpitagarwal.in 
> Office: +91 120 4561602
> India Cell   : +91 99719 0
> USA Cell : +1-732-705-7727
> 
> The information contained in this transmittal is privileged and confidential. 
>  The information is intended only for the use of the individual or entity 
> named above. If the reader of this message is not the intended recipient, you 
> are hereby notified that any dissemination, distribution or copying of this 
> communication is strictly prohibited.  If you have received this 
> communication in error, please notify us immediately by telephone or e-mail, 
> and delete this message from your server.
>  P Please don't print this e-mail unless you really need to. Be Green.
> 
>> On 02-Dec-2020, at 5:08 PM, Adrian Owen wrote:
>> 
>> Try IE, see if issue repeats.
>>  
>> From: Arpit Agarwal [mailto:a...@mpatra.com ] 
>> Sent: 02 December 2020 11:16
>> To: user@guacamole.apache.org 
>> Subject: Re: copy past from our system to RDP issue
>>  
>> Hello,
>>  
>> I am using chrome always.
>> 
>> Thanks & Regards,   
>> Arpit Agarwal
>> 
>> On 02-Dec-2020, at 4:25 PM, Adrian Owen wrote:
>>  
>> Hi,
>>  
>> Hope this helps.
>>  
>> IE
>> 1)  Guacamole URL to IE->Settings->Security->Local 
>> Intranet->Sites->Advanced
>> 2)  IE->Settings->Security->Internet->Custom Level-> IE Scripting 
>> property “Allow Programmatic clipboard access” to “Enable”
>>  
>> Chrome Firefox
>> Check Clipboard permission manager.
>>  
>> Adrian
>>  
>> From: Arpit Agarwal [mailto:a...@mpatra.com ] 
>> Sent: 02 December 2020 10:21
>> To: user@guacamole.apache.org 
>> Subject: Re: copy past from our system to RDP issue
>>  
>> Hello Mike,
>>  
>> Thanks for the details. I tried all and it is not on https also but still 
>> not able to use normal clipboard from local system to rdp. All the time has 
>> to paste the text first via ctrl+shift+alt clipboard windows and then into 
>> rdp.
>>  
>> Kindly help me to solve this issue as I know it is not an issue but my 
>> system is not working with it.
>> 
>> Thanks & Regards,   
>> Arpit Agarwal
>> 
>> On 02-Dec-2020, at 10:14 AM, Mike Jumper wrote:
>>  
>> On Tue, Dec 1, 2020 at 2:28 AM Arpit Agarwal wrote:
>> Hello Mike,
>>  
>> Thanks for the information. I am using chrome as browser and windows 2016 
>> server in RDP but still not able to copy from local and 

Re: copy past from our system to RDP issue

2020-11-30 Thread Stefan Bogdan Cimpeanu
If this is server, like windows server 2012+, you need to enable clipboard
(and probably mapped drives etc) via GPO on the target.
Plenty of guides on this on the interwebs.

Bogdan


From: Arpit Agarwal  
Reply: user@guacamole.apache.org 

Date: 1 December 2020 at 08:13:27
To: user@guacamole.apache.org 

Subject:  copy past from our system to RDP issue

Hello,
>
> We are facing issue of copying any text from our system to RDP. We are not
> able to use ctrl+c (Copy any text from our system) and ctrl+v (paste
> anything to RDP Server) to RDP server. Is there any setting we need to do
> or its feature. We are able to do this but first we have to paste text to
> guacamole clipboard and we want direct as working in case of Windows rdp.
>
> Thanks & Regards,
> Arpit Agarwal


Re: Issues with RDP and VNC in Guacamole 1.2

2020-11-12 Thread Stefan Bogdan Cimpeanu
You can stop the guacd service and start it in foreground with debug mode like 
so:
/usr/local/sbin/guacd -f -L debug

Would give more insights.

Just to clarify: I asked if there’s port connectivity from the guacamole box to 
the targets. Like can you telnet on 3389 from the guacamole box to your Windows 
box?

Bogdan

> On 12 Nov 2020, at 23:05, Devine, Harry (FAA)  
> wrote:
> 
> Absolutely.  I can connect to them from outside of Guacamole, and when I try 
> to connect from within Guacamole, I get the “Home/Reconnect” error box 
> immediately.
>  
> Harry
>  
> From: Stefan Bogdan Cimpeanu  
> Sent: Thursday, November 12, 2020 4:04 PM
> To: user@guacamole.apache.org
> Subject: Re: Issues with RDP and VNC in Guacamole 1.2
>  
> These durations sure look like timeouts.
> Are you sure you have port connectivity from your guacamole box to the target 
> VMs?
>  
> Bogdan
> 
> 
> On 12 Nov 2020, at 20:52, Devine, Harry (FAA)  
> wrote:
>  
> We are trying to set up a VNC connection to 2 servers: 1 is RHEL 7 and 1 is RHEL 
> 8, and 1 RDP connection to a Windows 10 box that we have.
>  
> For the RHEL servers, we get the following errors in /var/log/messages:
>  
> Nov 12 13:47:02 ose-access guacd[21334]: Creating new client for protocol 
> "vnc"
> Nov 12 13:47:02 ose-access guacd[21334]: Connection ID is 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f"
> Nov 12 13:47:02 ose-access guacd[36970]: Cursor rendering: local
> Nov 12 13:47:02 ose-access guacd[36970]: User 
> "@7a218333-8f7b-44be-a08e-4d41e996d432" joined connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" (1 users now present)
> Nov 12 13:47:02 ose-access server: 13:47:02.314 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to 
> connection "11".
> Nov 12 13:47:02 ose-access server: 13:47:02.314 [http-bio-8080-exec-55] INFO  
> o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
> WebSocket). Performance may be sub-optimal.
> Nov 12 13:47:02 ose-access guacd[36970]: VNC server supports protocol version 
> 3.8 (viewer 3.8)
> Nov 12 13:47:02 ose-access guacd[36970]: We have 2 security types to read
> Nov 12 13:47:02 ose-access guacd[36970]: 0) Received security type 19
> Nov 12 13:47:02 ose-access guacd[36970]: Selecting security type 19 (0/2 in 
> the list)
> Nov 12 13:47:02 ose-access guacd[36970]: 1) Received security type 2
> Nov 12 13:47:02 ose-access guacd[36970]: Selected Security Scheme 19
> Nov 12 13:47:02 ose-access guacd[36970]: Failed to initialized GnuTLS: Error 
> in public key generation..
> Nov 12 13:47:02 ose-access guacd[36970]: Unable to connect to VNC server.
> Nov 12 13:47:02 ose-access guacd[36970]: User 
> "@7a218333-8f7b-44be-a08e-4d41e996d432" disconnected (0 users remain)
> Nov 12 13:47:02 ose-access guacd[36970]: Last user of connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" disconnected
> Nov 12 13:47:07 ose-access guacd[21334]: Connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" removed.
> Nov 12 13:47:17 ose-access server: 13:47:17.399 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "11". Duration: 15085 milliseconds
> Nov 12 13:47:17 ose-access server: 13:47:17.407 [http-bio-8080-exec-55] ERROR 
> o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection 
> to guacd timed out.
> Nov 12 13:47:17 ose-access server: 13:47:17.407 [http-bio-8080-exec-56] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "11". Duration: 15093 milliseconds
>  
> For the RDP connection, we get:
>  
> Nov 12 13:45:49 ose-access guacd[21334]: Creating new client for protocol 
> "rdp"
> Nov 12 13:45:49 ose-access guacd[21334]: Connection ID is 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff"
> Nov 12 13:45:49 ose-access guacd[36938]: Security mode: TLS
> Nov 12 13:45:49 ose-access guacd[36938]: Resize method: none
> Nov 12 13:45:49 ose-access guacd[36938]: User 
> "@aa01b7af-8e97-456e-8c5e-a36b8ad956d9" joined connection 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff" (1 users now present)
> Nov 12 13:45:49 ose-access server: 13:45:49.769 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to 
> connection "9".
> Nov 12 13:45:49 ose-access server: 13:45:49.769 [http-bio-8080-exec-55] INFO  
> o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
> WebSocket). Performance may be sub-optimal.
> Nov 12 13:45:49 ose-access guacd[36938]: Loading keym

Re: Issues with RDP and VNC in Guacamole 1.2

2020-11-12 Thread Stefan Bogdan Cimpeanu
These durations sure look like timeouts.
Are you sure you have port connectivity from your guacamole box to the target 
VMs?

Bogdan

> On 12 Nov 2020, at 20:52, Devine, Harry (FAA)  
> wrote:
> 
> We are trying to set up a VNC connection to 2 servers: 1 is RHEL 7 and 1 is RHEL 
> 8, and 1 RDP connection to a Windows 10 box that we have.
>  
> For the RHEL servers, we get the following errors in /var/log/messages:
>  
> Nov 12 13:47:02 ose-access guacd[21334]: Creating new client for protocol 
> "vnc"
> Nov 12 13:47:02 ose-access guacd[21334]: Connection ID is 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f"
> Nov 12 13:47:02 ose-access guacd[36970]: Cursor rendering: local
> Nov 12 13:47:02 ose-access guacd[36970]: User 
> "@7a218333-8f7b-44be-a08e-4d41e996d432" joined connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" (1 users now present)
> Nov 12 13:47:02 ose-access server: 13:47:02.314 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to 
> connection "11".
> Nov 12 13:47:02 ose-access server: 13:47:02.314 [http-bio-8080-exec-55] INFO  
> o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
> WebSocket). Performance may be sub-optimal.
> Nov 12 13:47:02 ose-access guacd[36970]: VNC server supports protocol version 
> 3.8 (viewer 3.8)
> Nov 12 13:47:02 ose-access guacd[36970]: We have 2 security types to read
> Nov 12 13:47:02 ose-access guacd[36970]: 0) Received security type 19
> Nov 12 13:47:02 ose-access guacd[36970]: Selecting security type 19 (0/2 in 
> the list)
> Nov 12 13:47:02 ose-access guacd[36970]: 1) Received security type 2
> Nov 12 13:47:02 ose-access guacd[36970]: Selected Security Scheme 19
> Nov 12 13:47:02 ose-access guacd[36970]: Failed to initialized GnuTLS: Error 
> in public key generation..
> Nov 12 13:47:02 ose-access guacd[36970]: Unable to connect to VNC server.
> Nov 12 13:47:02 ose-access guacd[36970]: User 
> "@7a218333-8f7b-44be-a08e-4d41e996d432" disconnected (0 users remain)
> Nov 12 13:47:02 ose-access guacd[36970]: Last user of connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" disconnected
> Nov 12 13:47:07 ose-access guacd[21334]: Connection 
> "$b937cff4-7321-4ca9-9e16-0a3074db666f" removed.
> Nov 12 13:47:17 ose-access server: 13:47:17.399 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "11". Duration: 15085 milliseconds
> Nov 12 13:47:17 ose-access server: 13:47:17.407 [http-bio-8080-exec-55] ERROR 
> o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection 
> to guacd timed out.
> Nov 12 13:47:17 ose-access server: 13:47:17.407 [http-bio-8080-exec-56] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "11". Duration: 15093 milliseconds
>  
> For the RDP connection, we get:
>  
> Nov 12 13:45:49 ose-access guacd[21334]: Creating new client for protocol 
> "rdp"
> Nov 12 13:45:49 ose-access guacd[21334]: Connection ID is 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff"
> Nov 12 13:45:49 ose-access guacd[36938]: Security mode: TLS
> Nov 12 13:45:49 ose-access guacd[36938]: Resize method: none
> Nov 12 13:45:49 ose-access guacd[36938]: User 
> "@aa01b7af-8e97-456e-8c5e-a36b8ad956d9" joined connection 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff" (1 users now present)
> Nov 12 13:45:49 ose-access server: 13:45:49.769 [http-bio-8080-exec-55] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to 
> connection "9".
> Nov 12 13:45:49 ose-access server: 13:45:49.769 [http-bio-8080-exec-55] INFO  
> o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
> WebSocket). Performance may be sub-optimal.
> Nov 12 13:45:49 ose-access guacd[36938]: Loading keymap "base"
> Nov 12 13:45:49 ose-access guacd[36938]: Loading keymap "en-us-qwerty"
> Nov 12 13:45:50 ose-access guacd[36938]: Error connecting to RDP server
> Nov 12 13:45:50 ose-access guacd[36938]: User 
> "@aa01b7af-8e97-456e-8c5e-a36b8ad956d9" disconnected (0 users remain)
> Nov 12 13:45:50 ose-access guacd[36938]: Last user of connection 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff" disconnected
> Nov 12 13:45:50 ose-access guacd[21334]: Connection 
> "$5dcee526-43dd-4a5a-88e2-8c9a830716ff" removed.
> Nov 12 13:46:00 ose-access server: 13:46:00.178 [http-bio-8080-exec-51] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "9". Duration: 10409 milliseconds
> Nov 12 13:46:00 ose-access server: 13:46:00.179 [http-bio-8080-exec-63] INFO  
> o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from 
> connection "9". Duration: 10410 milliseconds
>  
> We can use MobaXterm to get to all 3 servers successfully, so it can’t be the 
> VNC server or RDP server on the target machines.  So, what can we look at on 
> Guacamole to get this to work?
>  
> Thanks,
> Harry
>  
> Harry Devine
> DOT/FAA/AJM-2431
> Secure-OSE Administrator
> Red 
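
The log excerpts quoted in this thread interleave guacd lines and web application ("server") lines. The following is an added example, not part of the original messages and not Guacamole project code: it separates the moment guacd logged a failure from the moment the web application logged the tunnel closing. The function names are hypothetical; the sample lines are taken from the quoted log, re-joined where the mail client wrapped them.

```python
import re
from datetime import datetime

# Lines taken from the quoted log above, re-joined where the mail client wrapped them.
SAMPLE_LOG = '''\
Nov 12 13:45:49 ose-access guacd[21334]: Creating new client for protocol "rdp"
Nov 12 13:45:49 ose-access guacd[21334]: Connection ID is "$5dcee526-43dd-4a5a-88e2-8c9a830716ff"
Nov 12 13:45:49 ose-access guacd[36938]: Security mode: TLS
Nov 12 13:45:49 ose-access guacd[36938]: User "@aa01b7af-8e97-456e-8c5e-a36b8ad956d9" joined connection "$5dcee526-43dd-4a5a-88e2-8c9a830716ff" (1 users now present)
Nov 12 13:45:49 ose-access server: 13:45:49.769 [http-bio-8080-exec-55] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to connection "9".
Nov 12 13:45:50 ose-access guacd[36938]: Error connecting to RDP server
Nov 12 13:46:00 ose-access server: 13:46:00.178 [http-bio-8080-exec-51] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from connection "9". Duration: 10409 milliseconds
Nov 12 13:46:00 ose-access server: 13:46:00.179 [http-bio-8080-exec-63] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from connection "9". Duration: 10410 milliseconds
Nov 12 13:47:02 ose-access guacd[21334]: Creating new client for protocol "vnc"
Nov 12 13:47:02 ose-access guacd[21334]: Connection ID is "$b937cff4-7321-4ca9-9e16-0a3074db666f"
Nov 12 13:47:02 ose-access guacd[36970]: User "@7a218333-8f7b-44be-a08e-4d41e996d432" joined connection "$b937cff4-7321-4ca9-9e16-0a3074db666f" (1 users now present)
Nov 12 13:47:02 ose-access server: 13:47:02.314 [http-bio-8080-exec-55] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to connection "11".
Nov 12 13:47:02 ose-access guacd[36970]: Failed to initialized GnuTLS: Error in public key generation..
Nov 12 13:47:02 ose-access guacd[36970]: Unable to connect to VNC server.
Nov 12 13:47:17 ose-access server: 13:47:17.399 [http-bio-8080-exec-55] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from connection "11". Duration: 15085 milliseconds
Nov 12 13:47:17 ose-access server: 13:47:17.407 [http-bio-8080-exec-56] INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected from connection "11". Duration: 15093 milliseconds
'''

LINE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[(\d+)\])?: (.*)$')
CONN_ID = r'"(\$[0-9a-f-]+)"'
FAILURE = re.compile(r'Unable to connect|Error connecting|Failed to')
DISCONNECT = re.compile(r'disconnected from connection "(\d+)"\. Duration: (\d+) milliseconds')


def parse(text, year=2020):
    """Yield (timestamp, program, pid, message). Syslog omits the year, so it is passed in."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def correlate(text):
    """Return one record per guacd session with guacd-side and tunnel-side timings."""
    sessions, pid_to_conn, connects, durations = {}, {}, [], {}
    protocol = None
    for ts, prog, pid, msg in parse(text):
        if prog == "guacd":
            if m := re.search(r'Creating new client for protocol "(\w+)"', msg):
                protocol = m.group(1)                  # logged by the parent process
            elif m := re.search(r'Connection ID is ' + CONN_ID, msg):
                sessions[m.group(1)] = {"protocol": protocol, "created": ts,
                                        "failed": None, "errors": []}
            elif m := re.search(r'joined connection ' + CONN_ID, msg):
                if m.group(1) in sessions:
                    pid_to_conn[pid] = m.group(1)      # child PID now identifies the session
            elif pid in pid_to_conn and FAILURE.search(msg):
                s = sessions[pid_to_conn[pid]]
                s["errors"].append(msg)
                s["failed"] = s["failed"] or ts        # keep the first failure time
        elif prog == "server":
            if m := DISCONNECT.search(msg):
                durations.setdefault(m.group(1), []).append(int(m.group(2)))
            elif m := re.search(r'connected to connection "(\d+)"', msg):
                connects.append((ts, m.group(1)))

    report = []
    for s in sessions.values():
        # The two logs share no identifier, so pair them by start time (within 1 s).
        tunnel = next((n for t, n in connects
                       if abs((t - s["created"]).total_seconds()) <= 1), None)
        report.append({
            "protocol": s["protocol"],
            "guacd_error": s["errors"][0] if s["errors"] else None,
            "guacd_failed_after_s": ((s["failed"] - s["created"]).total_seconds()
                                     if s["failed"] else None),
            "tunnel": tunnel,
            "tunnel_closed_after_ms": max(durations[tunnel]) if tunnel in durations else None,
        })
    return report


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

On this sample the guacd child logs its error within a second of the session being created, while the tunnel duration is reported 10 to 15 seconds later.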

"Global read"

2020-11-10 Thread Stefan Bogdan Cimpeanu
Hello,

We have a use case where we need to allow a certain list of users full 
visibility around all configured connections, but not the ability to 
edit/add/modify anything.
We’re trying to avoid manually selecting each connection for the users/group as 
this will soon get out of sync.

I couldn’t find an easy way to do this.
We’re using LDAP + MySQL.

Can you please help?

Regards,
Bogdan
-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: guacd OOM on ssh connections

2020-11-09 Thread Stefan Bogdan Cimpeanu
Hi Nick,
Apologies for the huge delay.
Guacamole 1.2.
I never get an ssh connection. I get the OOM while it’s trying to connect.
root@guacamole-12:~# locate libssh2.so
/usr/lib/x86_64-linux-gnu/libssh2.so
/usr/lib/x86_64-linux-gnu/libssh2.so.1
/usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1

Regards,
Bogdan

> On 6 Nov 2020, at 04:26, Nick Couchman  wrote:
> 
> On Thu, Nov 5, 2020 at 7:29 PM Stefan Bogdan Cimpeanu wrote:
> Hello,
> 
> I’m running guacamole successfully with more than 40 concurrent RDP users to 
> some 700+ VM’s. Never experienced any kind of performance/resource depletion 
> issues.
> 
> Today I configured a simple SSH connection, with user/password authentication.
> Guacd is being killed by kernel with OOM as soon as I try to connect to the 
> SSH connection.
> I’m trying this on one of our failover servers which has literally 0 other 
> users on it. Can you please advise what’s wrong?
> 
> Below is the output of syslog.
> 
> Yeah, 29GB is a lot of memory to use for a single SSH connection. A couple of 
> questions for you:
> - What version of guacd are you running?
> - What version of libssh2 are you running?
> - What are you doing inside the SSH connection when guacd runs out of memory?
> 
> -Nick



guacd OOM on ssh connections

2020-11-05 Thread Stefan Bogdan Cimpeanu
Hello,

I’m running guacamole successfully with more than 40 concurrent RDP users to 
some 700+ VM’s. Never experienced any kind of performance/resource depletion 
issues.

Today I configured a simple SSH connection, with user/password authentication.
Guacd is being killed by kernel with OOM as soon as I try to connect to the SSH 
connection.
I’m trying this on one of our failover servers which has literally 0 other 
users on it. Can you please advise what’s wrong?

Below is the output of syslog.

Regards,
Bogdan

Nov  6 00:22:36 guacamole-2 guacd[121853]: Creating new client for protocol 
"ssh"
Nov  6 00:22:36 guacamole-2 guacd[121853]: Connection ID is 
"$5c70fb7d-aad8-4e00-8733-23a04a037155"
Nov  6 00:22:37 guacamole-2 guacd[129389]: User 
"@580d952b-5f78-4c69-8f20-de4fb16e3c7d" joined connection 
"$5c70fb7d-aad8-4e00-8733-23a04a037155" (1 users now present)
Nov  6 00:22:48 guacamole-2 kernel: [19022155.396995] guacd invoked oom-killer: 
gfp_mask=0x6200ca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397000] CPU: 1 PID: 129393 Comm: 
guacd Not tainted 5.0.0-1035-azure #37-Ubuntu
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397001] Hardware name: Microsoft 
Corporation Virtual Machine/Virtual Machine, BIOS 090007  06/02/2017
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397002] Call Trace:
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397009]  dump_stack+0x57/0x75
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397012]  dump_header+0x57/0x315
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397015]  ? 
sched_clock_local+0x17/0x90
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397017]  
oom_kill_process+0x254/0x280
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397019]  out_of_memory+0x11b/0x510
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397023]  
__alloc_pages_slowpath+0xb32/0xe80
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397026]  ? 
blk_flush_plug_list+0xd1/0x100
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397029]  
__alloc_pages_nodemask+0x2a7/0x2c0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397033]  
alloc_pages_current+0x6a/0xe0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397037]  
__page_cache_alloc+0x6a/0xa0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397039]  filemap_fault+0x395/0x830
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397041]  ? xas_load+0xc/0x80
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397042]  ? xas_find+0x15b/0x1a0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397044]  ? 
filemap_map_pages+0x18b/0x380
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397049]  
ext4_filemap_fault+0x31/0x44
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397052]  __do_fault+0x57/0x115
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397054]  
__handle_mm_fault+0xe00/0x1340
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397056]  
handle_mm_fault+0xcd/0x230
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397059]  
__do_page_fault+0x291/0x4c0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397061]  do_page_fault+0x31/0x110
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397065]  ? page_fault+0x8/0x30
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397067]  page_fault+0x1e/0x30
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397069] RIP: 0033:0x7fcaf84927e8
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397075] Code: Bad RIP value.
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397076] RSP: 
002b:7fcaf96a8c00 EFLAGS: 00010206
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397077] RAX: 7fc3fd2fd7d0 
RBX: 7fca61a78d90 RCX: 7fcaec20
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397078] RDX: 7fc3fd2fd7d0 
RSI: 7fc3fd2ff7d0 RDI: 7fcafd2d0c40
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397079] RBP: 7fca67fff800 
R08: 0130 R09: 2841
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397080] R10: f000 
R11: 012fe000 R12: 7fcaec0218f0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397081] R13: 0a00 
R14: 000e R15: 7fcaf4003d40
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397083] Mem-Info:
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087] active_anon:3849716 
inactive_anon:514 isolated_anon:0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087]  active_file:188 
inactive_file:312 isolated_file:0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087]  unevictable:0 dirty:0 
writeback:19 unstable:0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087]  slab_reclaimable:44859 
slab_unreclaimable:44064
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087]  mapped:508 shmem:635 
pagetables:16980 bounce:0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397087]  free:35804 free_pcp:62 
free_cma:0
Nov  6 00:22:48 guacamole-2 kernel: [19022155.397091] Node 0 
active_anon:15398864kB inactive_anon:2056kB active_file:752kB 
inactive_file:1248kB unevictable:0kB isolated(anon):0kB isolated(file):0kB 
mapped:2032kB dirty:0kB writeback:76kB shmem:2540kB shmem_thp: 0kB 

LDAP groups

2020-10-06 Thread Stefan Bogdan Cimpeanu
Hello all,
I know I’ve probably asked this before, but the answers didn’t quite resolve my 
situation.
When it comes to LDAP groups, I’m seeing inconsistent results when it comes to 
listing them.
I’m using Azure ADDS, which is essentially a managed AD in Azure. All the users 
and groups live under one single OU.

When going to guacamole’s settings -> User Groups, the list provided contains 
both users and groups, but does not contain all the groups. Some, randomly, are 
missing.
I can see new groups, old groups, but also I don’t see some of the old or new 
groups. I can’t find a pattern.

I understand that guacamole simply performs an ldap query and it’s using 
whatever the response is, however I don’t know how to troubleshoot this in order to 
get all the groups listed.
There’re about 900 objects in total, users and groups.

Some help would be very appreciated.

Regards,
Bogdan



Re: How to bind guacamole on a Synology Directory Server

2020-09-14 Thread Stefan Bogdan Cimpeanu
As far as I know, samaccountname is an active directory specific attribute. 
Try using uid instead.

Bogdan

> On 14 Sep 2020, at 16:45, Niubbo75  wrote:
> 
> Ok, I have tried to change some things but I still get this:
> https://pastebin.com/fYdnytvC the first time I try to login with an AD's
> user (guacbind in this case, the one I have created to bind guacamole), if I
> try a second time, I get only:
> 
> [2020-09-14 15:35:18] [info] 15:35:18.908 [http-nio-8080-exec-9] WARN 
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> ***.***.***.*** for user "guacbind" failed.
> 
> How can I check the correct parameters in Synology Directory Server?
> ATM I can't login on a local PC to try to use dsquery, if anyone knows how
> Synology ADS works and could tell me how to configure correct parameters,
> it will be very appreciated, thanks! 
> 
> Here a sample on how I have set guacamole.properties for LDAP section:
> https://pastebin.com/U3niSrk7
> 
> I have added RDP group because I need to let login only users that are members
> of that group.
> Thanks, best regards,
> Alessandro
> 
> 
> 
> --
> Sent from: 
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
> 



Re: Running guacamole inside of a secured environment

2020-09-10 Thread Stefan Bogdan Cimpeanu
Hi,
If you’re more familiar with MySQL, stick with that, it’ll be easier for you in 
the long run.
Unless you’re running some super duper distributed active-active DB cluster, 
you shouldn’t find any issues (performance wise) with MySQL as a db provider.

Bogdan

> On 10 Sep 2020, at 21:10, Lander, Howard Michael  wrote:
> 
> Hi Nick
> 
> I've just about got this working, but there is one sticking point:  I 
> realized that I need to create the user myself rather than depending on the 
> mechanism enabled by postgresql-auto-create-accounts. The documentation is 
> pretty clear on how to do this in mysql, but much less forthcoming on how to 
> do this in postgresql.  A few minutes of Google searching didn't seem to find 
> a simple recipe.  Can you offer any advice on this?  I have considered 
> switching to mysql, since I really don't care much which database is running. 
> 
> Thanks
> Howard
> 
> From: Nick Couchman 
> Sent: Wednesday, September 9, 2020 4:36 PM
> To: user@guacamole.apache.org 
> Subject: Re: Running guacamole inside of a secured environment
>  
> On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael wrote:
> Thanks for such a quick response.
> 
> I am updating to 1.2.0 now.
> 
> Is it not possible to do the mapping between users and connections using 
> psql? Sort of looks like it is in the docs... I am doing an automated 
> deployment and can't really use the GUI.
> 
> 
> Oh, it is definitely possible - that's all the WebUI does.  Basically what 
> you'll need to do is:
> - Grab the entity_id of the user or group you want to associate
> - Grab the connection_id of the connection you want to associate
> - Add an entry to the  table with the entity 
> id, the connection id, and "READ" permission.
> 
> You can do this with SQL on the database itself, or you can automate via 
> Guacamole's REST API. Unfortunately right now documentation for the REST API 
> is lacking, so if you go that route you'll have to figure out the calls to 
> make by looking at the network traffic on the web interface and duplicating 
> that.
> 
> -Nick
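
The three steps quoted above (look up the entity_id, look up the connection_id, add a "READ" row), as an added example that is not part of the original messages and not Guacamole project code. It runs against a cut-down SQLite stand-in so it is self-contained, and it goes one step further than the quoted steps by also granting READ on every connection when no connection name is given. Assumptions: the table and column names follow the Guacamole 1.x JDBC schema as I know it (check them against the schema scripts shipped with your version); `alice`, `auditors`, the connection names and the function names are hypothetical.

```python
import sqlite3

# Cut-down stand-in for the Guacamole JDBC schema (assumption): only the
# columns this example needs, with SQLite types instead of MySQL/PostgreSQL enums.
SCHEMA = """
CREATE TABLE guacamole_entity (
    entity_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    type      TEXT NOT NULL CHECK (type IN ('USER', 'USER_GROUP')),
    UNIQUE (type, name));
CREATE TABLE guacamole_connection (
    connection_id   INTEGER PRIMARY KEY,
    connection_name TEXT NOT NULL,
    protocol        TEXT NOT NULL);
CREATE TABLE guacamole_connection_permission (
    entity_id     INTEGER NOT NULL REFERENCES guacamole_entity (entity_id),
    connection_id INTEGER NOT NULL REFERENCES guacamole_connection (connection_id),
    permission    TEXT NOT NULL,
    PRIMARY KEY (entity_id, connection_id, permission));
"""

# NOT EXISTS keeps the statement idempotent without relying on
# engine-specific syntax such as INSERT IGNORE or ON CONFLICT.
GRANT_SQL = """
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT ?, c.connection_id, 'READ'
  FROM guacamole_connection c
 WHERE (? IS NULL OR c.connection_name = ?)
   AND NOT EXISTS (SELECT 1 FROM guacamole_connection_permission p
                    WHERE p.entity_id = ?
                      AND p.connection_id = c.connection_id
                      AND p.permission = 'READ')
"""


def demo_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO guacamole_entity (name, type) VALUES (?, ?)",
                   [("alice", "USER"), ("auditors", "USER_GROUP")])
    db.executemany(
        "INSERT INTO guacamole_connection (connection_name, protocol) VALUES (?, ?)",
        [("win10-rdp", "rdp"), ("rhel7-vnc", "vnc"), ("rhel8-vnc", "vnc")])
    db.commit()
    return db


def grant_read(db, name, entity_type, connection_name=None):
    """Grant READ (and nothing else) to a user or group.

    connection_name=None grants READ on every connection that exists right now.
    Returns the number of permission rows actually added, so a re-run reports 0.
    """
    entity = db.execute(
        "SELECT entity_id FROM guacamole_entity WHERE name = ? AND type = ?",
        (name, entity_type)).fetchone()
    if entity is None:
        raise LookupError(f"no {entity_type} named {name!r}")
    if connection_name is not None:
        found = db.execute(
            "SELECT 1 FROM guacamole_connection WHERE connection_name = ?",
            (connection_name,)).fetchone()
        if found is None:
            raise LookupError(f"no connection named {connection_name!r}")
    before = db.total_changes
    db.execute(GRANT_SQL, (entity[0], connection_name, connection_name, entity[0]))
    db.commit()
    return db.total_changes - before


def permissions(db, name):
    """List (connection_name, permission) pairs held by an entity."""
    return db.execute(
        """SELECT c.connection_name, p.permission
             FROM guacamole_connection_permission p
             JOIN guacamole_entity e ON e.entity_id = p.entity_id
             JOIN guacamole_connection c ON c.connection_id = p.connection_id
            WHERE e.name = ?
            ORDER BY c.connection_name""", (name,)).fetchall()


if __name__ == "__main__":
    db = demo_db()
    print(grant_read(db, "alice", "USER", "win10-rdp"))
    print(grant_read(db, "auditors", "USER_GROUP"))
    print(permissions(db, "auditors"))
```

In a real deployment connection names are only unique within their parent group, so select on connection_id once you have looked it up.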



Re: Cannot Get LDAP authentication to work with Active Directory No DNS resoultion?

2020-09-03 Thread Stefan Bogdan Cimpeanu
It might be just me and my OCD, but I see an extra space after your domain name 
in the messages.
Maybe check that?
> "ADMAIN11.gccaz.edu  "
>  'Hostname 'ADMAIN11.gccaz.edu  ' could not be 
> resolved.

Bogdan

> On 4 Sep 2020, at 02:17, Mike Jumper  wrote:
> 
> On Thu, Sep 3, 2020 at 3:38 PM sysjaj wrote:
> ...
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.994 [http-nio-8080-exec-8]
> ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at
> "ADMAIN11.gccaz.edu  " as user 
> "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
> failed: ERR_04121_CANNOT_RESOLVE_HOSTNAME Cannot connect to the server,
> Hostname 'ADMAIN11.gccaz.edu  ' could not be 
> resolved.
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.995 [http-nio-8080-exec-8]
> ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search
> DN "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
> 
> Now the Hostname not resolving confuses me as this server CAN ping that
> domain controller via IP and host name and joined the domain. (I have also
> tried the config file with IP address and get the SAME error which I would
> have thought not possible using IPs.)
> 
> Your LDAP server may be returning a referral to that domain.
> 
> Here is example of NSlookup on the the
> server which does resolve:
> 
> root@guacamole:/var/log# nslookup admain11
> Server: 127.0.0.53
> Address:127.0.0.53#53
> 
> Non-authoritative answer:
> Name:   admain11.gccaz.edu 
> Address: 10.1.50.240
> 
> This is not necessarily the same as a DNS lookup for the "admain11.gccaz.edu 
> " hostname provided for your "ldap-hostname" 
> property. What does dig (not nslookup) return for the exact value specified 
> in your guacamole.properties?
> 
> - Mike
> 



Re: hyper-v

2020-08-24 Thread Stefan Bogdan Cimpeanu
Hey Tom,
Sorry for the delay.
I actually got this to work just now.
Enhanced session refers to capability of hyper-v to map drives, better display 
resolutions, clipboard sharing etc.
You know you got that working if you can see the option in your vmconnect box 
(see picture).

As for guacamole, in order to get this, you need to add ;EnhancedMode=1 in your 
preconnection blob, so it looks like this: 
6697f956-22df-4bdb-a528-df14d68b53f6;EnhancedMode=1 

Regards,
Bogdan



> On 11 Aug 2020, at 12:43, Daniëls, Tom  wrote:
> 
> Hi Bogdan,
>  
> No problem of course!
>  
> Just to elaborate; when I connect to the machine with the built-in client of 
> Hyper-V copy-pasting also appears to be working differently from RDP 
> connections (it is not transparent, I need to click Clipboard → Type 
> Clipboard) so it might not even be a Guacamole issue.
>  
> What exactly do you mean by ‘have Enhanced session option enabled’, where can 
> I find this setting?
>  
> Kind regards,
> Tom
>  
> From: Stefan Bogdan Cimpeanu  
> Sent: Friday, 7 August 2020 10:59
> To: user@guacamole.apache.org
> Subject: Re: hyper-v 
>  
> Hello Tom,
> Much appreciated your confirmation.
>  
> I’ll try to dig more on the hyper-v side, maybe it’s something related to 
> that which is blocking this behaviour.
> Just to validate this with you, in VMconnect on your hyper-v node, do you 
> have Enhanced session option enabled when connecting to a guest vm (in the 
> top menu bar)?
>  
> Cheers,
> Bogdan
> 
> 
> On 7 Aug 2020, at 09:50, Daniëls, Tom wrote:
>  
> Hi Nick/Stefan,
>  
> I can confirm that the same issue is there on 1.2.0. Copy-pasting to and from 
> Hyper-V guests has never worked for me (been using Guacamole since before it 
> was part of Apache so this issue has existed for a very long time  )
>  
> Regards,
> Tom
>  
> From: Nick Couchman 
> Sent: Wednesday, 5 August 2020 22:22
> To: user@guacamole.apache.org
> Subject: Re: hyper-v
>  
> On Tue, Aug 4, 2020 at 7:25 PM Stefan Bogdan Cimpeanu wrote:
> Hello all,
> I’m having some issues using guacamole with hyper-v based guests.
> While I can connect to the guests, copy/pasting and mapping drives doesn’t 
> seem to be working.
> I’ve enabled enhanced session mode on hyper-v, but no luck.
> 
> Are there any special requirements to get this going please?
> 
> Using guacamole 1.1 .
>  
> My experience with Hyper-V is almost nil, but I know there were a couple of 
> issues fixed in 1.2 related to the preconnection "stuff" (that's a technical 
> term, by the way) that is required to connect to the Hyper-V console over 
> RDP.  You might give 1.2 a shot and see if that works - you should even be 
> able to just upgrade the guacd (guacamole-server) side and leave the client 
> at 1.1 to see if that fixes things.
>  
> -Nick



Mapped drive issues - same file name

2020-08-13 Thread Stefan Bogdan Cimpeanu
Hello all,

We’re experiencing a bug with the mapped drive feature. If you paste a file 
with the same name (or twice), in the Download folder of the mapped drive, the 
first time the file comes through, but the second time there’s an error saying 
file is not found on the source location.
This happens with Windows machines.

Is this a known bug and are there any possible fixes?

Regards,
Bogdan



Re: VNC + SFTP cannot upload files larger than a few bytes Guac 1.1.0/1.2.0

2020-08-10 Thread Stefan Bogdan Cimpeanu
My guess is that you didn’t turn off proxy buffering.
This is the nginx config I’m using, complete with SSL and “all the bells and whistles” 
(gets an A+ on Qualys scans), and it seems to be holding quite ok so far. Hope it 
helps.
The X-GUASRV header is just so I can know for sure which server I'm hitting if 
I need to debug/trace anything.


server {
    # "ssl on;" dropped: "listen ... ssl" already enables TLS and the
    # standalone directive is deprecated (removed in newer nginx releases)
    listen 443 ssl http2;
    client_max_body_size 1M;
    ssl_certificate /etc/nginx/ssl/aram.crt;
    ssl_certificate_key /etc/nginx/ssl/aram-dec.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    # note: ssl_session_cache is also set above; keep a single declaration
    ssl_session_cache shared:TLS:2m;
    ssl_ecdh_curve secp384r1;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    root /var/www/html;
    index index.php index.html index.htm;

    # second Strict-Transport-Security header; browsers process only the
    # first one they receive (RFC 6797)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log  /var/log/nginx/guac_access.log;
    error_log  /var/log/nginx/guac_error.log;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        # pass data through as it arrives instead of buffering it in nginx
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # forward the WebSocket upgrade handshake
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
        # an add_header at this level means the server-level add_header
        # lines above are not inherited by this location
        add_header X-GUASRV 12;
    }

}

> On 10 Aug 2020, at 23:36, timeshredder  wrote:
> 
> I'm not sure exactly what is going on, but I have been able to get *most of
> guacamole working.  MySQL (mariaDB) authentication, reverse proxy via nginx,
> etc.  But I have one issue that is vexing me at this point, I am unable to
> upload any file bigger than a few bytes.  When a 4 byte file succeeds, the
> output is given below:
> 
>  
> 
> But if I try any file even slightly larger, it fails:
> In the log /var/log/syslog, I am getting a message (unable to open file
> "filename") 
> 
>  
> 
> I am running Ubuntu 20.04 with 1.2.0 which brings up another question
> because my guacamole installation reports version 1.1.0 (in the lower right
> hand corner of web login) but I installed from the 1.2.0 source from:
> https://downloads.apache.org/guacamole/1.2.0/source/guacamole-server-1.2.0.tar.gz
> 
> I figured it might be a limit in /etc/nginx/nginx.conf 
> but I changed to:
> client_max_body size 100M;
> 
> I also changed the relevant portions of and added the same line there
> /etc/nginx/sites-available/default
> /etc/nginx/sites-available/nginx-guacamole-ssl
> 
> Finally, I also changed a limit in: 
> /var/lib/tomcat9/webapps/guacamole/WEB-INF/web.xml
>
>104857600
>104857600
>
> 
> But it doesn't seem to be helping.
> 
> 
> 
> 



Re: hyper-v

2020-08-07 Thread Stefan Bogdan Cimpeanu
Hello Tom,
Much appreciated your confirmation.

I’ll try to dig more on the hyper-v side, maybe it’s something related to that 
which is blocking this behaviour.
Just to validate this with you, in VMconnect on your hyper-v node, do you have 
Enhanced session option enabled when connecting to a guest vm (in the top menu 
bar)?

Cheers,
Bogdan

> On 7 Aug 2020, at 09:50, Daniëls, Tom  wrote:
> 
> Hi Nick/Stefan,
>  
> I can confirm that the same issue is there on 1.2.0. Copy-pasting to and from 
> Hyper-V guests has never worked for me (been using Guacamole since before it 
> was part of Apache so this issue has existed for a very long time  )
>  
> Regards,
> Tom
>  
> From: Nick Couchman  
> Sent: Wednesday, 5 August 2020 22:22
> To: user@guacamole.apache.org
> Subject: Re: hyper-v
>  
> On Tue, Aug 4, 2020 at 7:25 PM Stefan Bogdan Cimpeanu wrote:
> Hello all,
> I’m having some issues using guacamole with hyper-v based guests.
> While I can connect to the guests, copy/pasting and mapping drives doesn’t 
> seem to be working.
> I’ve enabled enhanced session mode on hyper-v, but no luck.
> 
> Are there any special requirements to get this going please?
> 
> Using guacamole 1.1 .
>  
> My experience with Hyper-V is almost nil, but I know there were a couple of 
> issues fixed in 1.2 related to the preconnection "stuff" (that's a technical 
> term, by the way) that is required to connect to the Hyper-V console over 
> RDP.  You might give 1.2 a shot and see if that works - you should even be 
> able to just upgrade the guacd (guacamole-server) side and leave the client 
> at 1.1 to see if that fixes things.
>  
> -Nick



hyper-v

2020-08-04 Thread Stefan Bogdan Cimpeanu
Hello all,
I’m having some issues using guacamole with hyper-v based guests.
While I can connect to the guests, copy/pasting and mapping drives doesn’t seem 
to be working.
I’ve enabled enhanced session mode on hyper-v, but no luck.

Are there any special requirements to get this going please?

Using guacamole 1.1 .
Cheers,
Bogdan
-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Drive redirection and clipboard when using hyper-v

2020-06-14 Thread Stefan Bogdan Cimpeanu
Hello,
We’re forced to use for some of our use-cases hyper-v with nested 
virtualisation for our cloud guacamole deployment.

Tests so far seem very fine, except two aspects:
- clipboard doesn’t seem to be working anymore, either by using the user menu 
(OPT+Control+Left shift) or directly, as it used to with regular RDP.
- drive redirection doesn’t seem to work. Opening \\tsclient throws an error 
that path is not found.

Hyper-v host is Windows server 2016. Guest OS is Windows 10 Ent. LTSC. 

Could you provide some hints on how to achieve these two please?

Cheers!



Re: Drive shortcut on desktop

2020-06-14 Thread Stefan Bogdan Cimpeanu
Hi Nick,
\\tsclient\Z  in my case as shortcut is good enough. 
Thank you!

> On 14 Jun 2020, at 21:25, Nick Couchman  wrote:
> 
> On Sun, Jun 14, 2020 at 2:20 PM Stefan Bogdan Cimpeanu wrote:
> Hello all,
> We’ve received a request in our Guacamole setup to have the user’s mapped 
> drive (we’ve configured for each connection a drive for users to store 
> personal stuff that gets mounted as a drive Z for the RDP connections) as a 
> shortcut on the desktop.
> I have no idea how I would be able to do this, given not all connections use 
> such a drive.
> 
> Any input would be appreciated.
> 
> 
> Guacamole does not have a way to create a shortcut on the desktop.  Assuming 
> you are running Windows you can use Group Policy to create the shortcut to 
> \\tsclient\Guacamole (or whatever path yours points to).
> 
> For Linux (via XRDP, for example) there are ways to do this, too - there are 
> policies for most of the desktop environments that allow for the creation of 
> system-wide shortcuts.
> 
> -Nick



Drive shortcut on desktop

2020-06-14 Thread Stefan Bogdan Cimpeanu
Hello all,
We’ve received a request in our Guacamole setup to have the user’s mapped drive 
(we’ve configured for each connection a drive for users to store personal stuff 
that gets mounted as a drive Z for the RDP connections) as a shortcut on the 
desktop.
I have no idea how I would be able to do this, given not all connections use 
such a drive.

Any input would be appreciated.

Cheers!



Re: Guacd using much memory with no connection

2020-06-09 Thread Stefan Bogdan Cimpeanu
Guacd is barely 365 MB, according to stats provided?
I suspect there’s a misunderstanding between java, guacd and guacamole-client.

> On 10 Jun 2020, at 01:19, Nick Couchman  wrote:
> 
> On Tue, Jun 9, 2020 at 6:16 PM Stefan Bogdan Cimpeanu wrote:
> Hi,
> Java will preallocate the memory specified even if “it’s not doing anything”, 
> plus some overhead.
> Memory monitoring on Java applications needs a different approach, simply 
> monitoring system memory will not provide too much useful insight.
> You’d have to look at heap, GC times, etc. to evaluate whether a java process 
> is “healthy” or not. 
> 
> 
> You're right about Java; however, guacd is not Java-based, so something 
> different is going on, here...
> 
> -Nick



Re: Guacd using much memory with no connection

2020-06-09 Thread Stefan Bogdan Cimpeanu
Hi,
Java will preallocate the memory specified even if “it’s not doing anything”, 
plus some overhead.
Memory monitoring on Java applications needs a different approach, simply 
monitoring system memory will not provide too much useful insight.
You’d have to look at heap, GC times, etc. to evaluate whether a java process 
is “healthy” or not. 

> On 10 Jun 2020, at 01:09, Guilherme Carvalho  wrote:
> 
> Hello guys, right now there is no user connected on my guacamole, but using 
> NodeQuery to verify the resources used for this server, I saw that I’m using 
> now 5.9Gb of memory. I received an email saying that I was using more than 
> 80% of memory, so I upgraded my server from 8gb to 12gb, but I’m using almost 
> 50% with nobody connected. What could it be??
> 
> Look at that. Now it’s using 6.2Gb 
> 
> Current RAM usage
> 6.2 GB of 12 GB
> 2% higher than one hour ago
> 
> Top Processes by Resource Usage
> 
> Process          Count  CPU   Memory    User
> guacd            2      4%    365.5 MB  root
> java             1      3.2%  5.41 GB   tomcat
> nginx            8      0.5%  56.58 MB  www-data
> mysqld           1      0.2%  195.5 MB  mysql
> snapd            1      0%    23.45 MB  root
> systemd-journal  1      0%    21.14 MB  root
> unattended-upgr  1      0%    19.62 MB  root
> networkd-dispat  1      0%    16.83 MB  root
> VGAuthService    1      0%    9.8 MB    root
> systemd          1      0%    8.7 MB    root
> 
> What can I do to resolve this issue?
> Thanks



Re: Should I try Guacamole ?

2020-06-05 Thread Stefan Bogdan Cimpeanu
Hi Lynna,

I’m running in production Guacamole serving over 500 hosts in total, a mix of 
Windows, Linux and Mac, and it’s been a breeze for almost 1 year now.
We’ve set up Windows to go through RDP, while Linux and Macs via VNC.

One note here is that Mac’s VNC is quite laggy even running it natively between 
two Macs, so expect that.
I’d suggest to keep the VPN in order to reach your Guacamole servers, for added 
security.
One nice advantage for Windows VM’s is that if you integrate Guacamole with 
your AD, you can have RDP in browser automatically login to your Windows hosts, 
with the user’s guacamole credentials (essentially the AD credentials).

Your use case sounds perfect for Guacamole. 

Bogdan

> On 5 Jun 2020, at 17:55, lynnaj  wrote:
> 
> Hello Guacamole admins, 
> 
> Would Guacamole be a good fit for the following use case 
> 
> We currently have a pool of physical "lab" Mac and Windows computers in
> classrooms that are available for remote desktop using a manual VPN, RDP,
> and VNC process. This process is difficult, at best, for non-tech savvy
> people to navigate. I have, therefore, been searching for a solution that
> takes that existing pool and by adding a service or two to those computers,
> provides access to them via an HTML-5 based web browser much the same way
> that vmware's horizon 7 VDI does. (By the way, we also have that horizon 7
> VDI implementation setup and working but it's windows only and I'd really
> like to get remote desktop access to macs as well.)
> 
> Based on my reading of the Guacamole docs , it looks like this would be
> possible. Am I reading that right?  Are any of you using Guacamole to
> provide remote desktop access to both macs and windows from an HTML-5
> website? If yes, can you comment on how easy or hard this took for you to
> setup?  
> 
> Thank you!
> - Lynna
> Lynna Jackson, Williams College
> 
> 
> 
> 
> --
> Sent from: 
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/



Ldap filter on groups

2020-05-21 Thread Stefan Bogdan Cimpeanu
Hello,
We’re using guacamole with Azure ADDS , which for some reason decides to
add users and groups to a single OU.
For users I’ve added filter based on objecttype to pull only users, but I
can’t find an option for groups.
Can you please provide some guidance how can I filter for groups only?

Cheers!


Re: Help mapping drive

2020-05-17 Thread Stefan Bogdan Cimpeanu
Hi Nick,

Yes account has access.
I’ve started guacd with -L debug, and this is what I can see:

May 18 00:32:09 guacamole-noes-1 guacd[4841]: User 
"@6466c93f-aa4a-4622-aec7-6191d169c915" joined connection 
"$10cc3471-26c9-4535-9857-ee3cdf1a97c8" (1 users now present)
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_alloc: Creating 
directory "/opt/guacamole/shared/bogdan" if necessary.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Loading keymap "base"
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Loading keymap "en-us-qwerty"
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Failed to load guacdr plugin. 
Drive redirection and printing will not work. Sound MAY not work.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Failed to load guacsnd alongside 
guacdr plugin. Sound will not work. Drive redirection and printing MAY not work.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Registering DVC plugin "guacai"
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_open: path="/", 
access=0x8000, file_attributes=0x0, create_disposition=0x1, 
create_options=0x0
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_open: Normalized path 
"/" to "\".
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_open: Translated path 
"\" to "/opt/guacamole/shared/bogdan/".
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_open: native open: 
real_path="/opt/guacamole/shared/bogdan/", flags=0x0

Any ideas?
Bogdan

> On 18 May 2020, at 03:15, Nick Couchman  wrote:
> 
> On Sun, May 17, 2020 at 7:55 PM Stefan Bogdan Cimpeanu wrote:
> Hello all,
> 
> I’ve configured on my guacamole servers a shared folder which is a SMB mount, 
> to serve as “personal user folder”.
> In my RDP connections I’ve configured Device redirection as such:
> - Enable drive - checked
> - Drive name: Z
> - Drive path: /opt/guacamole/shared/${GUAC_USERNAME}
> - Automatically create drive - checked
> 
> This worked well for a while, but for a couple of days this is failing. The 
> guacamole VM has the SMB mount active, can read/write to it, but I see no Z 
> when connecting via RDP.
> 
> Tried turning on debug logging, but there’s nothing about this.
> 
> 
> You say the Guacamole VM "can read/write to it", but have you verified that 
> the user running guacd can read/write?
> 
> -Nick
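
A triage sketch for the exchange above, added here as an example and not part of the original messages or of Guacamole itself: it pulls the drive directory and the plugin load failures out of guacd debug output, then checks from the mode bits whether a given account can traverse and write that directory. The sample log is constructed from the lines quoted in the message (re-joined onto single lines), and all function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample: guacd lines quoted in the message, each re-joined onto one line.
SAMPLE_LOG = """\
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_alloc: Creating directory "/opt/guacamole/shared/bogdan" if necessary.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Failed to load guacdr plugin. Drive redirection and printing will not work. Sound MAY not work.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: Failed to load guacsnd alongside guacdr plugin. Sound will not work. Drive redirection and printing MAY not work.
May 18 00:32:09 guacamole-noes-1 guacd[4841]: guac_rdp_fs_open: native open: real_path="/opt/guacamole/shared/bogdan/", flags=0x0
"""

GUACD_MSG = re.compile(r"guacd\[\d+\]: (.*)$")
DRIVE_DIR = re.compile(r'guac_rdp_fs_alloc: Creating directory "([^"]+)"')
PLUGIN_FAIL = re.compile(r"Failed to load (\w+)")


def triage(log_text):
    """Return the drive directories guacd prepared and the plugins it failed to load."""
    paths, failed = [], []
    for line in log_text.splitlines():
        found = GUACD_MSG.search(line)
        if not found:
            continue  # not a guacd syslog line
        msg = found.group(1)
        drive = DRIVE_DIR.search(msg)
        if drive and drive.group(1) not in paths:
            paths.append(drive.group(1))
        fail = PLUGIN_FAIL.match(msg)
        if fail and fail.group(1) not in failed:
            failed.append(fail.group(1))
    return {"drive_paths": paths, "failed_plugins": failed}


def access_for(path, uid, gids):
    """r/w/x that (uid, gids) gets on path from the mode bits alone.

    POSIX ACLs and server-side SMB permissions are not evaluated; uid 0 is
    treated as unrestricted, which holds for local filesystems only.
    """
    st = os.stat(path)
    if uid == 0:
        return "rwx"
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class
    else:
        bits = st.st_mode           # other class
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def check_drive_path(path, uid, gids):
    """List reasons the account could not use path as a redirected drive."""
    path = os.path.abspath(path)
    ancestors, cur = [], os.path.dirname(path)
    while True:
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    findings = []
    for directory in reversed(ancestors):   # root first
        if not os.path.isdir(directory):
            return findings + [f"{directory}: missing or unreachable"]
        if "x" not in access_for(directory, uid, gids):
            findings.append(f"{directory}: no search (x) permission")
    if not os.path.isdir(path):
        return findings + [f"{path}: missing or unreachable"]
    granted = access_for(path, uid, gids)
    if granted != "rwx":
        findings.append(f"{path}: account has {granted}, drive redirection needs rwx")
    if os.stat(path).st_mode & stat.S_IWOTH:
        # Per-user folders should not be writable by every local account.
        findings.append(f"{path}: writable by every local account")
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("plugins that failed to load:", report["failed_plugins"])
    for drive_path in report["drive_paths"]:
        # Run this as the account guacd runs under to test that account's access.
        for finding in check_drive_path(drive_path, os.geteuid(), os.getgroups()):
            print("  ", finding)
```

Run it as the account guacd runs under, or pass that account's uid and group ids to `check_drive_path`, since a mount that root can write may still be closed to the service account.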



Help mapping drive

2020-05-17 Thread Stefan Bogdan Cimpeanu
Hello all,

I’ve configured on my guacamole servers a shared folder which is a SMB mount, 
to serve as “personal user folder”.
In my RDP connections I’ve configured Device redirection as such:
- Enable drive - checked
- Drive name: Z
- Drive path: /opt/guacamole/shared/${GUAC_USERNAME}
- Automatically create drive - checked

This worked well for a while, but for a couple of days this is failing. The 
guacamole VM has the SMB mount active, can read/write to it, but I see no Z when 
connecting via RDP.

Tried turning on debug logging, but there’s nothing about this.

Regards,
Bogdan



Re: How can Guacamole be customized?

2020-05-02 Thread Stefan Bogdan Cimpeanu
We use Guacamole in a cloud environment where we have strict GDPR and other
legal requirements we must follow, especially regarding data at rest and in
transition.
We’ve developed a custom portal on top of Guacamole for user login (Azure
AD), with MFA and consents.

One other thing we had to take care of was storage of user data in the
mapped drive, also used for transferring in/out of the target VM.
For that we divided our guacamole farm into regions that have same
restrictions, and we used cloud storage  (Azure storage accounts) mapped to
guacamole servers. Connection profiles will create user directories within
these mapped storage accounts, thus we can guarantee data is stored in the
expected region/ country. An example: we have guacamole servers in Norway,
with storage accounts in Norway, that accepts users login from Norway only
(in the custom portal).

In order to not be able to overcome this setup, we simply added firewall
rules so that hosts with these types of restrictions can only be accessed
through their designated guacamole servers.

Definitely not OOTB behavior, but you can get compliant.
Bogdan

From: Joachim Lindenberg  
Reply: user@guacamole.apache.org 

Date: 2 May 2020 at 18:57:22
To: user@guacamole.apache.org 

Subject:  Re: How can Guacamole be customized?

> In my opinion (and I can be wrong), the use of Guacamole today puts
> European companies out of law.
>
> I disagree. I am based in Germany, I do consulting w.r.t. security and data
> protection, and I also offer Guacamole as part of my backup service
> contracts. It really depends on your use case, and where there is a contract
> (service, employee, whatever), then any additional consent is imho worsening
> your legal situation as a provider. If you really need something like this,
> then you can integrate Guacamole into your own portal (you name it) and use
> single sign on mechanisms from there (I do from my backup software).
> Nevertheless I'd also like to see a full blown customization example, as of
> course I'd also like to brand it more easily.
> Joachim
>
> -Original Message-
> From: WhiteTiger
> Sent: Saturday, 2 May 2020 17:18
> To: user@guacamole.apache.org
> Subject: Re: How can Guacamole be customized?
>
> Now I read the framework documentation, but at least all the suggestions
> related to Disclaimers and Policy management should be included in a future
> release.
> Especially in Europe, the GDPR requires companies to take a particular
> approach to managing access to IT systems.
> I don't understand how those things were not already included a year ago,
> when the GDPR became law.
> In my opinion (and I can be wrong), the use of Guacamole today puts European
> companies out of law.
>
> In my opinion, the best solution is that the administrator has options with
> the possibility of inserting images or an HTML text in which he himself will
> insert the links to images or other pages.


Re: Download file size with guacamole 1.1

2020-04-02 Thread Stefan Bogdan Cimpeanu
Hi Giorgio,
You should check your proxy for that, guacamole doesn’t limit the size.

Bogdan

> On 2 Apr 2020, at 12:17, Giorgio  wrote:
> 
> 
> Hi,
> Is there a setting that can define the max file size for the download from 
> RDP to local machine ?
> I am having errors when attempting to download files larger than 200 Kbytes
> 
> 
> 
> Thank you.
> Giorgio





Active sessions from multiple servers

2020-03-30 Thread Stefan Bogdan Cimpeanu
Hello all,
We’re running multiple guacamole servers connected to same database.
I’ve noticed that the “Active sessions” tab shows only connections on the 
particular server you’re on (we’re running a load balancer in-front of the 
servers).

How can we see all active sessions from all servers please? Is there maybe an 
API call we can ask each server for these details?

Thanks,

Bogdan



Re: Best Settings for RDP virtual disk drive

2020-03-26 Thread Stefan Bogdan Cimpeanu
Thank you for the suggestions!

> On 26 Mar 2020, at 10:08, Chris Lee  wrote:
> 
> Hi Bogdan,
>  
> You may consider using a Cloud Service, such as Azure Files, so you don’t 
> need to worry about the resources, backup…..
>  
> Regards,
> Chris 
>  
> From: Stefan Bogdan Cimpeanu  
> Sent: Wednesday, March 25, 2020 6:21 PM
> To: user@guacamole.apache.org
> Subject: Re: Best Settings for RDP virtual disk drive
>  
> Hi Chris,
>  
> Perfectly valid, but then we’d have to maintain a NAS (or two) too 
> (resources, maintenance, backups, etc.) :)
> Also, the scenario here is a bit more complex too, where we’d need to have 
> different data locations for different countries, due to legal requirements.
>  
> The most elegant way would’ve been user affinity, but I suppose that’s not 
> really possible.
>  
> Thanks,
> Bogdan
> 
> 
> On 25 Mar 2020, at 12:14, Chris Lee wrote:
>  
> Hi Bogdan,
>  
> How about multiple servers mounting the same NAS shared folder?
>  
> /mnt/nas/guaca/${GUAC_USERNAME}
>  
> Regards,
> Chris 
>  
> From: Stefan Bogdan Cimpeanu
> Sent: Wednesday, March 25, 2020 5:02 PM
> To: user@guacamole.apache.org
> Subject: Re: Best Settings for RDP virtual disk drive
>  
> This is a good topic though… we’ve also set up using 
> /some/path/${GUAC_USERNAME} but facing the following issue: given we’ve 
> multiple guacamole servers behind load balancers, users don’t always hit the 
> same instance, hence their data is not available.
> Any way to set some sort of affinity at user level?
>  
> The alternative would be to use network mounts for the users directories, but 
> we’d want to avoid that.
>  
> Regards,
> Bogdan
> 
> 
> 
> On 25 Mar 2020, at 07:25, Sebastian Männling wrote:
>  
> Hi,
>  
> you can use ${GUAC_USERNAME}
>  
> See 
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
> 
> Regarding the /tmp directory, keep in mind that there are automatic cleanup 
> jobs and usually iirc /tmp is tmpfs (ram) in fedora.
> 
> Sent from my iPhone
> 
> 
> 
> On 25. Mar 2020, at 03:50, Chris Lee wrote:
> 
> 
> Hi All,
>  
> I have set up Apache Guacamole 1.1.0 on Fedora Linux with AD auth against 
> MS AD, using a MySQL database as the backend.
>  
> For the RDP Virtual Disk Drive setting, is there any recommendation for 
> setting up the Drive Path for all AD users without sharing the same path?
>  
> For example:
>  
> AD user ID   Drive Path
> David        /tmp/share-drive/david
> Peter        /tmp/share-drive/peter
>  
> Also, is it safe to set it on the /tmp folder or another folder?
>  
> Many thanks in advance.
>  
> Regards,
> Chris
>  
>  
> 
> This message and its attachment (if any) are strictly confidential and sent 
> to the designated recipient(s) only. If you are not the intended recipient, 
> please notify the sender by e-mail and delete this message and its attachment 
> (if any) from your computer system immediately . Century City International 
> Holdings Limited, Paliburg Holdings Limited, Regal Hotels International 
> Holdings Limited, its respective related subsidiaries, associated companies 
> and affiliates do not guarantee this message and its attachment (if any) are 
> free of computer virus and would not accept any liability whatsoever arising 
> from Internet transmission.
>  



Re: Best Settings for RDP virtual disk drive

2020-03-25 Thread Stefan Bogdan Cimpeanu
Hi Chris,

Perfectly valid, but then we’d have to maintain a NAS (or two) too (resources, 
maintenance, backups, etc.) :)
Also, the scenario here is a bit more complex too, where we’d need to have 
different data locations for different countries, due to legal requirements.

The most elegant way would’ve been user affinity, but I suppose that’s not 
really possible.

Thanks,
Bogdan

> On 25 Mar 2020, at 12:14, Chris Lee  wrote:
> 
> Hi Bogdan,
>  
> How about multiple servers mounting the same NAS shared folder?
>  
> /mnt/nas/guaca/${GUAC_USERNAME}
>  
> Regards,
> Chris 
>  
> From: Stefan Bogdan Cimpeanu  
> Sent: Wednesday, March 25, 2020 5:02 PM
> To: user@guacamole.apache.org
> Subject: Re: Best Settings for RDP virtual disk drive
>  
> This is a good topic though… we’ve also set up using 
> /some/path/${GUAC_USERNAME} but facing the following issue: given we’ve 
> multiple guacamole servers behind load balancers, users don’t always hit the 
> same instance, hence their data is not available.
> Any way to set some sort of affinity at user level?
>  
> The alternative would be to use network mounts for the users directories, but 
> we’d want to avoid that.
>  
> Regards,
> Bogdan
> 
> 
> On 25 Mar 2020, at 07:25, Sebastian Männling wrote:
>  
> Hi,
>  
> you can use ${GUAC_USERNAME}
>  
> See 
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
> 
> Regarding the /tmp directory, keep in mind that there are automatic cleanup 
> jobs and usually iirc /tmp is tmpfs (ram) in fedora.
> 
> Sent from my iPhone
> 
> 
> On 25. Mar 2020, at 03:50, Chris Lee wrote:
> 
> 
> Hi All,
>  
> I have set up Apache Guacamole 1.1.0 on Fedora Linux with AD auth against 
> MS AD, using a MySQL database as the backend.
>  
> For the RDP Virtual Disk Drive setting, is there any recommendation for 
> setting up the Drive Path for all AD users without sharing the same path?
>  
> For example:
>  
> AD user ID   Drive Path
> David        /tmp/share-drive/david
> Peter        /tmp/share-drive/peter
>  
> Also, is it safe to set it on the /tmp folder or another folder?
>  
> Many thanks in advance.
>  
> Regards,
> Chris
>  
>  



Re: Best Settings for RDP virtual disk drive

2020-03-25 Thread Stefan Bogdan Cimpeanu
This is a good topic though… we’ve also set up using 
/some/path/${GUAC_USERNAME} but facing the following issue: given we’ve 
multiple guacamole servers behind load balancers, users don’t always hit the 
same instance, hence their data is not available.
Any way to set some sort of affinity at user level?

The alternative would be to use network mounts for the users directories, but 
we’d want to avoid that.

Regards,
Bogdan

> On 25 Mar 2020, at 07:25, Sebastian Männling wrote:
> 
> Hi,
> 
> you can use ${GUAC_USERNAME}
> 
> See 
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
>  
> 
> 
> Regarding the /tmp directory, keep in mind that there are automatic cleanup 
> jobs and usually iirc /tmp is tmpfs (ram) in fedora.
> 
> Sent from my iPhone
> 
>> On 25. Mar 2020, at 03:50, Chris Lee  wrote:
>> 
>> 
>> Hi All,
>>  
>> I have set up Apache Guacamole 1.1.0 on Fedora Linux with AD auth against 
>> MS AD, using a MySQL database as the backend.
>>  
>> For the RDP Virtual Disk Drive setting, is there any recommendation for 
>> setting up the Drive Path for all AD users without sharing the same path?
>>  
>> For example:
>>  
>> AD user ID   Drive Path
>> David        /tmp/share-drive/david
>> Peter        /tmp/share-drive/peter
>>  
>> Also, is it safe to set it on the /tmp folder or another folder?
>>  
>> Many thanks in advance.
>>  
>> Regards,
>> Chris
>>  



Re: Cloning Guac VM

2020-03-23 Thread Stefan Bogdan Cimpeanu
This might seem silly but… is your localhost really pointing to localhost, as 
in 127.0.0.1 or to the interface IP, meaning the source VM?

Bogdan

> On 23 Mar 2020, at 23:54, ivanmarcus  wrote:
> 
> Dennis,
> 
> I understand your issue and what you're trying to do, but don't use either 
> your hypervisor or VM OS so anything I say will be fairly generic.
> 
> That said, have you changed the hostname, ipaddress and - importantly - the 
> MAC address on the second VM instance? If these were the same I guess it 
> could cause a weird issue.
> 
> As part of sorting it out perhaps you could spin up the second VM off the 
> network and see what it does?
> 
> 
> 
> 
> On 24/03/2020 8:52 a.m., Newman, Dennis wrote:
>> But actually what I was attempting to do was split the users between two 
>> servers – I had assumed that db named localhost – each server would only 
>> talk with itself.  But with the two servers set up – If we change on one – 
>> it shows up on the other.
>>  
>> In my case esxi host 2 has more memory and processor resources, so I was 
>> planning on either splitting things and giving one system more resources, or 
>> just move the whole system.  About 100 users virtual systems and this week 
>> we added about 50 users from home with connections to physical systems. And 
>> the virtual users are now complaining about more “bad connection” errors
>>  
>> My honest belief is that we have gone from supporting 5 offices to 
>> supporting 150 “mini” offices as everyone is working from home, which throws 
>> unknown internet quality into the mix.  But I had figured moving the 
>> Guacamole system to a faster processor and giving it a little more memory 
>> “couldn’t hurt”
>>  
>> Dennis
>>  
>> From: Mike Jumper   
>> Sent: Monday, March 23, 2020 2:30 PM
>> To: user@guacamole.apache.org 
>> Subject: Re: Cloning Guac VM
>>  
>> On Mon, Mar 23, 2020, 12:25 sciUser wrote:
>> If you want to have two Guacamole head servers EntryA EntryB (load balanced)
>> and have them write to a common database (G-DB), you will need to write some
>> logic for EntryA and EntryB to know what is written in the database, which
>> is a third system G-DB so you do not get duplicate entries and it is aware
>> of active sessions. 
>>  
>> Two Guacamole instances can safely share the same database. You do not need 
>> some third system or additional logic to prevent duplicates.
>>  
>> - Mike
>>  
>> 
>> 
>> The information contained in this message is intended only for the 
>> recipient, and may be a confidential attorney-client communication or may 
>> otherwise be privileged and confidential and protected from disclosure. If 
>> the reader of this message is not the intended recipient, or an employee or 
>> agent responsible for delivering this message to the intended recipient, 
>> please be aware that any dissemination or copying of this communication is 
>> strictly prohibited. If you have received this communication in error, 
>> please immediately notify us by replying to the message and deleting it from 
>> your computer. S Global Inc. reserves the right, subject to applicable 
>> local law, to monitor, review and process the content of any electronic 
>> message or information sent to or from S Global Inc. e-mail addresses 
>> without informing the sender or recipient of the message. By sending 
>> electronic message or information to S Global Inc. e-mail addresses you, 
>> as the sender, are consenting to S Global Inc. processing any of your 
>> personal data therein.
> 
> 



Re: AADDS and guacamole

2020-03-23 Thread Stefan Bogdan Cimpeanu
Hello all,

I am still facing some issues on this topic, and simply can’t figure them out.
This is what I get from guacamole when a specific user wants to login via ldap:

10:34:11.430 [NioProcessor-10] DEBUG org.apache.directory.api.CODEC_LOG - 
MSG_14002_DECODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: 
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: 
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04119_GETTING (1,org.apache.directory.ldap.client.api.future.BindFuture)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: 
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [http-nio-8080-exec-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection 
- MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: 
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [http-nio-8080-exec-10] DEBUG o.a.g.a.f.FileAuthenticationProvider 
- User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will 
not be read.
10:34:11.430 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - 
Authentication attempt from 10.1.0.4 for user “firstname.lastname" failed.
10:34:11.432 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04126_REMOVING (1,org.apache.directory.ldap.client.api.future.BindFuture)
10:34:12.918 [NioProcessor-8] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04137_NOD_RECEIVED ()


However, doing a simple ldapsearch with the same credentials, pointing at the 
same DC, things look ok:


root@guaca-replica:/etc/guacamole# ldapsearch -vvv -h 127.0.0.1 -p 389 -D 
firstname.lastname@domain.local -W -b '' -s base -S 'objectClass=*' 1.1
ldap_initialize( ldap://127.0.0.1:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: 1.1
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: 1.1
#

#
dn:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I simply can’t understand what’s happening. Please help me work this out.

Regards,
Bogdan

> On 10 Mar 2020, at 23:34, Stefan Bogdan Cimpeanu  wrote:
> 
> Hello Mike,
> 
> I understand your point about no caching.
> About debugging, yes I have, and it gives me something like: 
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ‘'
> 
> My guess is that indeed the LDAP is not in a consistent state at that point.
> 
> Thanks!
> Bogdan
> 
>> On 10 Mar 2020, at 23:30, Mike Jumper <mjum...@apache.org> wrote:
>> 
>> On Tue, Mar 10, 2020, 14:16 Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
>> Hello all,
>> 
>> I’m using Azure Active Directory Domain Services as my ldap source for 
>> Guacamole. The main use is for RDP with domain joined machines.
>> I sometimes experience two (I think related) issues:
>> - some of the user accounts are not able to log in to guacamole even though 
>> supplied user/password are correct (the user can RDP to the VM directly, but 
>> not log in to guacamole). Errors in logs don’t say much except "Authentication 
>> attempt from [ IP ] for user  failed"
>> - sometimes it takes a few hours or even a server restart to see newly created 
>> AADDS users in guacamole
>> 
>> Is there a way I can “force” an ldap sync so that users are added to 
>> guacamole?
>> 
>> There is no sync. When using LDAP, Guacamole authenticates against LDAP 
>> directly. The relevant users and groups do not need to exist in the database 
>> except where you are granting those users/groups permissions for connections 
>> stored on the database, however the web interface is organized such that 
>> attempting to do s
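
Added example (not part of the original thread and not Guacamole project code): the `data 52e` field in the diagnostic message above is a hex Win32 error code that Active Directory attaches to LDAP result 49, and decoding it separates a bad password from a lockout, an expired password or a missing account. The function name, the table name and the sample log are constructed for illustration; the sub-code meanings are the standard Win32 ones.

```python
import re

# Active Directory puts a hex Win32 error code in the "data NNN" field of the
# diagnostic message returned with LDAP result 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "no such user",
    "52e": "logon failure: bad password or unrecognised bind identity",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password before logging on",
    "775": "account locked out",
}

# Constructed sample, shaped like the hard-wrapped debug output quoted above.
SAMPLE_LOG = """\
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection - 
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Result code : (INVALID_CREDENTIALS) invalidCredentials
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: 
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - 
Authentication attempt from 10.1.0.4 for user "firstname.lastname" failed.
"""

DIAG = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+),")
# Mail clients often turn the quotes around the username into curly quotes.
FAILED = re.compile(r'Authentication attempt from (\S+) for user ["“]([^"”]*)["”] failed')

def explain_bind_failures(log_text):
    """Return one dict per failed login, tagged with the AD sub-code seen before it."""
    # Records are wrapped across lines, so collapse all whitespace before matching.
    flat = re.sub(r"\s+", " ", log_text)
    events = sorted(
        list(DIAG.finditer(flat)) + list(FAILED.finditer(flat)),
        key=lambda m: m.start(),
    )
    results, last_code = [], None
    for m in events:
        if m.re is DIAG:
            last_code = m.group(1).lower()   # remember the most recent bind sub-code
        else:
            results.append({"source": m.group(1), "user": m.group(2), "subcode": last_code,
                            "meaning": AD_SUBCODES.get(last_code, "unknown sub-code")})
            last_code = None                 # do not carry a code over to the next login
    return results

if __name__ == "__main__":
    for failure in explain_bind_failures(SAMPLE_LOG):
        print(failure)
```

A `52e` result means the domain controller rejected the credential pair it was given, as opposed to `525` (no such account) or `775` (lockout), which narrows where to look next.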

Attribute-based routing to a specific guacamole server

2020-03-18 Thread Stefan Bogdan Cimpeanu
Hello all,

We have this setup where we have multiple jump stations in different countries, 
and we use guacamole for in browser RDP sessions.
It’s going great. We do have a requirement that was brought to our attention 
just recently, where for some countries, data can not leave the country (the 
main concern is the Downloads folder to get files in/out of the RDP session).
This means we’ll have to deploy “local” guacamole servers to serve only that 
specific country, and not the entire estate.

Did anyone have to do a “routing” to a specific guacamole instance based on a 
specific attribute? be it at user details, or connection details, or some sort 
of grouping maybe?

The end goal would be that a user, after a login, would only access a specific 
VM via a specific guacamole server. Is this achievable?

Regards,
Bogdan
-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: Azure AADDS "duplicate" users random string

2020-03-18 Thread Stefan Bogdan Cimpeanu
Hi Nick,
That would be ok in a green field deployment, but unfortunately this is not the 
case.

We don’t have an actual issue with this setup, we only limit guacamole login to 
a specific domain anyway, however it’s blocking from being able to automate 
connection and user permissions in guacamole.
It’s why I was hoping there’s a predictable way these strings are generated.

Regards,
Bogdan

> On 17 Mar 2020, at 22:20, Nick Couchman  wrote:
> 
> On Mon, Mar 16, 2020 at 7:34 PM Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
> Hello all,
> In our Azure AADDS, which from Guacamole’s point of view is just a simple 
> LDAP, we have situations where a user would appear as duplicate, depending on 
> its sign in domain.
> For example we might have firstname.lastn...@domain1.com and 
> firstname.lastname@ad.local.
> 
> 
> In this case I would suggest that you change the ldap-username-attribute to 
> something other than sAMAccountName that actually uniquely identifies the 
> user.  You might use mail to make it their e-mail address, or userPrincipal 
> (I think?) usually includes both the username and domain name.
> 
> -Nick 



Azure AADDS "duplicate" users random string

2020-03-16 Thread Stefan Bogdan Cimpeanu
Hello all,
In our Azure AADDS, which from Guacamole’s point of view is just a simple LDAP, 
we have situations where a user would appear as duplicate, depending on its 
sign in domain.
For example we might have firstname.lastn...@domain1.com and 
firstname.lastname@ad.local.

In this situation in Guacamole we see two users, one of them having what 
appears to be a random string attached, like firstname.lastn (FD5FDBAD) (yes 
there’s also some trimming involved too, I’d assume so that it would fit the 20 
chars limit for ldap?).

Can you please explain how this random string is being generated?

Thanks,
Bogdan

Re: AADDS and guacamole

2020-03-10 Thread Stefan Bogdan Cimpeanu
Hello again,

Going through the logs I found that sometimes I get 21:33:16.456 
[NioProcessor-21] WARN  o.a.d.l.c.api.LdapNetworkConnection - Connection reset 
by peer .
Is there a way I can adjust ldap related settings for better performance?
Also, how can I configure multiple LDAP servers? (One way would be to load 
balance them, but I think that’s not that desirable).

Regards,
Bogdan 

> On 10 Mar 2020, at 23:34, Stefan Bogdan Cimpeanu  wrote:
> 
> Hello Mike,
> 
> I understand your point about no caching.
> About debugging, yes I have, and it gives me something like: 
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ‘'
> 
> My guess is that indeed the LDAP is not in a consistent state at that point.
> 
> Thanks!
> Bogdan
> 
>> On 10 Mar 2020, at 23:30, Mike Jumper <mjum...@apache.org> wrote:
>> 
>> On Tue, Mar 10, 2020, 14:16 Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
>> Hello all,
>> 
>> I’m using Azure Active Directory Domain Services as my ldap source for 
>> Guacamole. The main use is for RDP with domain joined machines.
>> I sometimes experience two (I think related) issues:
>> - some of the user accounts are not able to log in to guacamole even though 
>> supplied user/password are correct (the user can RDP to the VM directly, but 
>> not log in to guacamole). Errors in logs don’t say much except "Authentication 
>> attempt from [ IP ] for user  failed"
>> - sometimes it takes a few hours or even a server restart to see newly created 
>> AADDS users in guacamole
>> 
>> Is there a way I can “force” an ldap sync so that users are added to 
>> guacamole?
>> 
>> There is no sync. When using LDAP, Guacamole authenticates against LDAP 
>> directly. The relevant users and groups do not need to exist in the database 
>> except where you are granting those users/groups permissions for connections 
>> stored on the database, however the web interface is organized such that 
>> attempting to do so would result in their creation.
>> 
>> If you are seeing inconsistencies in whether users/groups exist, I don't 
>> believe that inconsistency would be on the Guacamole side. There's no cache 
>> between sessions, nothing stored from LDAP. Data from LDAP is queried 
>> directly as needed. It may be that the LDAP server takes time to become 
>> consistent, and that the correlation with server restarts is a coincidence.
>> 
>> Regarding the login failures, have you tried enabling debug-level logging 
>> for the webapp?
>> 
>> - Mike
>> 
> 



Re: AADDS and guacamole

2020-03-10 Thread Stefan Bogdan Cimpeanu
Hello Mike,

I understand your point about no caching.
About debugging, yes I have, and it gives me something like: 
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ‘'

My guess is that indeed the LDAP is not in a consistent state at that point.

Thanks!
Bogdan

> On 10 Mar 2020, at 23:30, Mike Jumper  wrote:
> 
> On Tue, Mar 10, 2020, 14:16 Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
> Hello all,
> 
> I’m using Azure Active Directory Domain Services as my ldap source for 
> Guacamole. The main use is for RDP with domain joined machines.
> I sometimes experience two (I think related) issues:
> - some of the user accounts are not able to log in to guacamole even though 
> supplied user/password are correct (the user can RDP to the VM directly, but 
> not log in to guacamole). Errors in logs don’t say much except "Authentication 
> attempt from [ IP ] for user  failed"
> - sometimes it takes a few hours or even a server restart to see newly created 
> AADDS users in guacamole
> 
> Is there a way I can “force” an ldap sync so that users are added to 
> guacamole?
> 
> There is no sync. When using LDAP, Guacamole authenticates against LDAP 
> directly. The relevant users and groups do not need to exist in the database 
> except where you are granting those users/groups permissions for connections 
> stored on the database, however the web interface is organized such that 
> attempting to do so would result in their creation.
> 
> If you are seeing inconsistencies in whether users/groups exist, I don't 
> believe that inconsistency would be on the Guacamole side. There's no cache 
> between sessions, nothing stored from LDAP. Data from LDAP is queried 
> directly as needed. It may be that the LDAP server takes time to become 
> consistent, and that the correlation with server restarts is a coincidence.
> 
> Regarding the login failures, have you tried enabling debug-level logging 
> for the webapp?
> 
> - Mike
> 



Re: AADDS and guacamole

2020-03-10 Thread Stefan Bogdan Cimpeanu
Hi Marcus,

Please note this is AADDS, not Azure AD. It’s a different service where you can 
actually use Azure AD as an LDAP(S) 
https://azure.microsoft.com/en-us/services/active-directory-ds/ .
What this gets you is essentially a restricted “traditional” AD with two DC’s 
that are managed by Azure (you can connect with RSAT to it, but fairly limited 
capabilities).

Also note this will only work with tenant users, not guests (e.g. external 
users invited in your tenant).

The setup I had to do to get this going was this:
- new VNET for guacamole and windows VM’s
- VNET peering between the VNET AADDS creates and the VNET used for guacamole 
and the Windows VMs
- overwrite DNS settings in your guacamole/Windows VM’s to use your two DC’s 
IP’s as resolvers (so you can do AD join on the VM’s and have proper name 
resolution)
- Disable strict secure LDAP (probably not that wise, I was a bit lazy here).

All my Guacamole connections have the domain pre-filled to use the AADDS domain 
configured on the tenant.

Hope this helps.

Bogdan

> On 10 Mar 2020, at 23:20, Marcus Adams  wrote:
> 
> Hi Stefan
> Whilst I can't help with your issue do you mind sharing your setup steps to 
> get AzureAd working as your LDAP source - as that's my next big challenge
> 
> Regards
> Marcus
> 
> 
> 
> On Tue, 10 Mar 2020 at 21:16, Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
> Hello all,
> 
> I’m using Azure Active Directory Domain Services as my ldap source for 
> Guacamole. The main use is for RDP with domain joined machines.
> I sometimes experience two (I think related) issues:
> - some of the user accounts are not able to log in to guacamole even though 
> supplied user/password are correct (the user can RDP to the VM directly, but 
> not log in to guacamole). Errors in logs don’t say much except "Authentication 
> attempt from [ IP ] for user  failed"
> - sometimes it takes a few hours or even a server restart to see newly created 
> AADDS users in guacamole
> 
> Is there a way I can “force” an ldap sync so that users are added to 
> guacamole?
> 
> I’m using a hybrid setup with ldap and mysql for authentication. I did not 
> modify the LDAP schema in any way.
> My ldap settings:
> 
> ldap-hostname: 10.0.1.4
> ldap-port: 389
> ldap-user-base-dn: 
> ldap-group-base-dn: 
> ldap-search-bind-dn: < full DN for bind user>
> ldap-search-bind-password: 
> ldap-username-attribute: sAMAccountName
> ldap-encryption-method: none
> 
> Regards,
> Bogdan 
> 



AADDS and guacamole

2020-03-10 Thread Stefan Bogdan Cimpeanu
Hello all,

I’m using Azure Active Directory Domain Services as my ldap source for 
Guacamole. The main use is for RDP with domain joined machines.
I sometimes experience two (I think related) issues:
- some of the user accounts are not able to log in to guacamole even though 
supplied user/password are correct (the user can RDP to the VM directly, but 
not log in to guacamole). Errors in logs don’t say much except "Authentication 
attempt from [ IP ] for user  failed"
- sometimes it takes a few hours or even a server restart to see newly created 
AADDS users in guacamole

Is there a way I can “force” an ldap sync so that users are added to guacamole?

I’m using a hybrid setup with ldap and mysql for authentication. I did not 
modify the LDAP schema in any way.
My ldap settings:

ldap-hostname: 10.0.1.4
ldap-port: 389
ldap-user-base-dn: 
ldap-group-base-dn: 
ldap-search-bind-dn: < full DN for bind user>
ldap-search-bind-password: 
ldap-username-attribute: sAMAccountName
ldap-encryption-method: none

Regards,
Bogdan 



Re: User extract history

2020-03-10 Thread Stefan Bogdan Cimpeanu
You are absolutely correct, thank you!

Bogdan

> On 4 Mar 2020, at 02:28, Mike Jumper  wrote:
> 
> On Tue, Mar 3, 2020 at 4:10 PM Stefan Bogdan Cimpeanu <bog...@cimpeanu.org> wrote:
> Hello all,
> I’m trying to expose the users’ connection history to a non-admin user.
> What I’ve noticed is that in the MySQL database, the guacamole_user_history 
> table has far fewer entries than what I can see as admin in the UI.
> 
> The guacamole_user_history table is login history, not connection usage 
> history:
> 
> http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-login-history
> 
> How can I export the history from the UI, programmatically? (not clicking the 
> Download button).
> 
> You want the guacamole_connection_history table:
> 
> http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-connection-history
> 
> - Mike
> 



User extract history

2020-03-03 Thread Stefan Bogdan Cimpeanu
Hello all,
I’m trying to expose the users’ connection history to a non-admin user.
What I’ve noticed is that in the MySQL database, the guacamole_user_history 
table has far fewer entries than what I can see as admin in the UI.
How can I export the history from the UI, programmatically? (not clicking the 
Download button).

Thanks!