Re: what is java.lang.NullPointerException

[Mike Jumper]

The access logs are of very limited utility, providing little
information beyond the status code (500). Please provide the log
output from:

1) Guacamole itself (this will likely be in "catalina.out", but could
also be in journalctl or elsewhere, depending on how Tomcat is
installed/packaged in your case)
2) guacd (this will be syslog, likely /var/log/messages,
/var/log/syslog, or journalctl, depending on your distribution)

Thanks,

- Mike


On Tue, Oct 24, 2017 at 11:47 PM, Youhei Ootsuki
 wrote:
> Hi,
>
>
> Would you like to read this log ?
>
> Suddenly "HTTP 500 ERROR" is occurring.
>
> The setting at that time is as follows
>
> --- setting -
>
> 
> ssh
> *
> 22
> true
> *
> *
> 
> 
>
> ---
>
>
>
> --- log ---
>
>
> 25/Oct/2017:15:21:10 "GET /GUAC/api/patches HTTP/1.1" 200
> 25/Oct/2017:15:21:10 "GET /GUAC/api/languages HTTP/1.1" 200
> 25/Oct/2017:15:21:10 "POST /GUAC/api/tokens HTTP/1.1" 403
> 25/Oct/2017:15:21:33 "POST /GUAC/api/tokens HTTP/1.1" 403
> 25/Oct/2017:15:21:42 "POST /GUAC/api/tokens HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "POST /GUAC/api/tokens HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET
> /GUAC/api/session/data/default/connectionGroups/ROOT/tree?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET
> /GUAC/api/patches?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET
> /GUAC/api/session/data/default/users/youhei-otsuki?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
>
>
> 25/Oct/2017:15:21:42 "GET /GUAC/images/magnifier.png HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/protocol-icons/guac-text.png
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/protocol-icons/guac-monitor.png
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/action-icons/guac-logout-dark.png
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/arrows/down.png HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/user-icons/guac-user.png HTTP/1.1"
> 200
> 25/Oct/2017:15:21:42 "GET
> /GUAC/api/session/data/default/self/permissions?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET
> /GUAC/api/session/data/default/activeConnections?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/action-icons/guac-home-dark.png
> HTTP/1.1" 200
> 25/Oct/2017:15:21:42 "GET /GUAC/images/action-icons/guac-config-dark.png
> HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/settings/touchscreen.png HTTP/1.1"
> 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/settings/touchpad.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/settings/tablet-keys.png HTTP/1.1"
> 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/settings/zoom-in.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/settings/zoom-out.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "POST /GUAC/api/tokens HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/share.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/action-icons/guac-back.png HTTP/1.1"
> 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/drive.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/layouts/en-us-qwerty.json HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/app/element/templates/blank.html HTTP/1.1"
> 200
>
>
>
>
> 25/Oct/2017:15:21:54 "GET
> /GUAC/api/session/data/default/connections/Catalyst%203750%20V2(ssh)?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/x.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET /GUAC/images/logo-144.png HTTP/1.1" 200
> 25/Oct/2017:15:21:54 "GET
> /GUAC/websocket-tunnel?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0&GUAC_DATA_SOURCE=default&GUAC_ID=Catalyst%203750%20V2(ssh)&GUAC_TYPE=c&GUAC_WIDTH=1475&GUAC_HEIGHT=864&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng
> HTTP/1.1" 500
> 25/Oct/2017:15:21:54 "GET
> /GUAC/api/session/tunnels/3f75fd9f-1dc5-469c-a50e-7d11d1c465b9/activeConnection/connection/sharingProfiles?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 404
> 25/Oct/2017:15:22:09 "POST /GUAC/api/tokens HTTP/1.1" 200
> 25/Oct/2017:15:22:09 "GET /GUAC/images/action-icons/guac-home.png HTTP/1.1"
> 200
> 25/Oct/2017:15:22:09 "GET /GUAC/images/circle-arrows.png HTTP/1.1" 200
> 25/Oct/2017:15:22:09 "GET /GUAC/images/action-icons/guac-logout.png
> HTTP/1.1" 200
> 25/Oct/2017:15:22:16 "DELETE
> /GUAC/api/tokens/5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
> HTTP/1.1" 204
> 25/Oct/2017:15:22:16 "POST /GUAC/api/tokens HTTP/1.1" 403
>
>
>
>
> Don’t hesitate to contact me if you have any questions.
>

Re: what is java.lang.NullPointerException

[Mike Jumper]

.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
> at
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)
> at
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
> at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
>
>
>
> I am looking forward to hearing from you.
>
> Sincerely yours,
>
>
> -- Yo
>
>
>
>
>
> 2017-10-25 15:57 GMT+09:00 Mike Jumper :
>>
>> The access logs are of very limited utility, providing little
>> information beyond the status code (500). Please provide the log
>> output from:
>>
>> 1) Guacamole itself (this will likely be in "catalina.out", but could
>> also be in journalctl or elsewhere, depending on how Tomcat is
>> installed/packaged in your case)
>> 2) guacd (this will be syslog, likely /var/log/messages,
>> /var/log/syslog, or journalctl, depending on your distribution)
>>
>> Thanks,
>>
>> - Mike
>>
>>
>> On Tue, Oct 24, 2017 at 11:47 PM, Youhei Ootsuki
>>  wrote:
>> > Hi,
>> >
>> >
>> > Would you like to read this log ?
>> >
>> > Suddenly "HTTP 500 ERROR" is occurring.
>> >
>> > The setting at that time is as follows
>> >
>> > --- setting -
>> >
>> > 
>> > ssh
>> > *
>> > 22
>> > true
>> > *
>> > *
>> > 
>> > 
>> >
>> > ---
>> >
>> >
>> >
>> > --- log ---
>> >
>> >
>> > 25/Oct/2017:15:21:10 "GET /GUAC/api/patches HTTP/1.1" 200
>> > 25/Oct/2017:15:21:10 "GET /GUAC/api/languages HTTP/1.1" 200
>> > 25/Oct/2017:15:21:10 "POST /GUAC/api/tokens HTTP/1.1" 403
>> > 25/Oct/2017:15:21:33 "POST /GUAC/api/tokens HTTP/1.1" 403
>> > 25/Oct/2017:15:21:42 "POST /GUAC/api/tokens HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "POST /GUAC/api/tokens HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET
>> >
>> > /GUAC/api/session/data/default/connectionGroups/ROOT/tree?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET
>> >
>> > /GUAC/api/patches?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET
>> >
>> > /GUAC/api/session/data/default/users/youhei-otsuki?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
>> > HTTP/1.1" 200
>> >
>> >
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/magnifier.png HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/protocol-icons/guac-text.png
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/protocol-icons/guac-monitor.png
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/action-icons/guac-logout-dark.png
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/arrows/down.png HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET /GUAC/images/user-icons/guac-user.png
>> > HTTP/1.1"
>> > 200
>> > 25/Oct/2017:15:21:42 "GET
>> >
>> > /GUAC/api/session/data/default/self/permissions?token=5B2E50C517D0B38A68B5824EA84D5D6B4F1FDC6430834B581C7275195DAAB5F0
>> > HTTP/1.1" 200
>> > 25/Oct/2017:15:21:42 "GET
>> >
>&g

Re: VNC & Networking

[Mike Jumper]

On Thu, Oct 26, 2017 at 5:53 PM, Steven Pollock 
wrote:

> I have tried this with both the noauth and mysql configs, as I thought it
> might be a noauth issue initially.  The network is not blocking, lets not
> go there.
>
>
The authentication backend in use has no bearing on whether Guacamole can
connect via VNC to a particular machine. It is guacd which actually
performs the network connection to the VNC server.


> Single interface guac sitting on 10.80.100.x/24
>VNC to 10.80.100.10 -- works
>RDP to 10.80.100.11 -- works
>RDP to AWS (amazon) -- works
>
> Move the guac to another network and change the IP address to
> 10.80.160.x/24
>VNC to 10.80.100.10 -- fail
>RDP to 10.80.100.11 -- works
>RDP to AWS (amazon) -- works
>
> Use a standard off the shelf VNC client in 10.80.160.x
>VNC to 10.80.100.10 -- works
>
> Simply changing the subnet causes guac VNC to fail in either noauth or
> mysql configs.
>
> Any ideas? Maybe a way to troubleshoot?
>
>
If you are able to connect to other machines, and only connections to a
particular subnet fail, that strongly suggests that there is an issue with
the network configuration on either of the machines in question, or in the
network between them. There is no magic within guacd nor within the
authentication extensions which would result in connections failing only
for a particular subnet. Routing of packets between subnets is handled by
the system's networking stack, not by guacd.

To troubleshoot, I suggest looking strictly at the network configuration
and behavior of the machines where you're seeing this issue. Don't draw
conclusions from connecting from another machine that happens to be in the
same subnet; connect strictly from the machine hosting guacd.

On another note, you mention NoAuth - beware that this extension has been
deprecated. Its use is no longer recommended. See:

http://guacamole.incubator.apache.org/releases/0.9.13-incubating/#noauth-now-deprecated

- Mike

Re: VNC & Networking

[Mike Jumper]

On Thu, Oct 26, 2017 at 6:38 PM, Steven Pollock 
wrote:

> Thanks Mike, but makes no sense to me that it is a network issue.
>
>
That's really the only possibility. Unless the hostname or IP address of
the destination machine has been mistyped, there is no other possible
explanation.

Have you checked the logs from guacd?

I can connect from an other VNC client, just not Guac.
>
>
>From another VNC client on the same machine that's running guacd?

I can connect via RDP from guac.
>
>
Via RDP to the same machine that you are unable to connect to via VNC?

- Mike

Re: ssh handshake failed latest libssh2

[Mike Jumper]

On Thu, Oct 26, 2017 at 8:10 PM, cchance  wrote:

> Ok i read that the reason SSH was giving handshake errors was that it was
> due
> to the dockerfile based on centos which had old libssh2 so i wrote my own
> dockerfile that builds with
>
> ENV GUACAMOLE_VERSION 0.9.13-incubating
> ENV OPENSSL_VERSION 1.1.0f
> ENV LIBSSH2_VERSION 1.8.0
>
> But STILL i'm getting ssh handshake failed everytime i try to ssh to a
> switch, works in putty works
>
> As a note the switch seems to use diffie-hellman-group1-sha1
>
> I thought using the latest openssl and libssh2 would fix the issue but
> apparently not? Is their somewhere i need to allow specifically sha1 beyond
> just upgrading to latest libssh2 before building guacd?
>

Are you sure that the libssh2 version from the distribution's own packages
is no longer installed?

- Mike

Re: Disable SFTP from web interface

[Mike Jumper]

On Fri, Oct 27, 2017 at 10:43 AM, Nick Couchman  wrote:

> On Thu, Oct 26, 2017 at 5:40 PM, Anthony Moon <
> anthon...@moving-picture.com> wrote:
>
>> We’d like to eliminate the potential for administrators to have access to
>> this feature (if at all possible).
>>
>
> I do not know of a way to do this at the Guacamole level at this point.
> On the server-side you could disable it in the SSH server config
> (sshd_config) if you have control over those servers and don't want it
> available at all, or disable it for certain groups of users, etc.  But I
> don't know of a way in the Guacamole configuration to prevent it.
>
>
There really isn't a way to disable this access via configuration alone. It
would be possible to write an extension which does not use the
corresponding connection parameters, but if the use case here is
specialized enough, it may be better to look into leveraging the Guacamole
API to build a webapp specific to that case, rather than stripping out
parts of the mainline webapp.

- Mike

Re: BAD signature when trying to verify the download

[Mike Jumper]

On Sun, Nov 5, 2017 at 5:36 AM, dirkguacamole  wrote:

> Hi all,
>
> when trying to verify the download with
> https://www.apache.org/dist/incubator/guacamole/0.9.13-
> incubating/source/guacamole-client-0.9.13-incubating.tar.gz.asc
>
> i get :
> BAD signature from "Michael Jumper (CODE SIGNING KEY)  >"
> [unknown]
>
> any idea ?
>
>
What command did you run when trying to verify the signature?

- Mike

Re: Authentication using http

[Mike Jumper]

On Fri, Nov 3, 2017 at 6:01 AM, Nick Couchman  wrote:
>
> On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT 
> TECHNOLOGY PARTNERS]  wrote:
>>
>> Will storing the allowed connections in LDAP work with HTTP
>> header authentication"?
>>
>> ...
>>
>
> I believe the answer is no.  Mike can correct this if I'm wrong, but my 
> understanding is that one of the security mechanisms in the LDAP module is 
> that the bind to look for connections is done with the user who logged in.  
> So, if the user is logged in through another mechanism (header 
> authentication), and particularly one that doesn't provide the password to 
> Guacamole (header will not), then there's not going to be any way for the 
> user who logged in to bind to the LDAP directory.
>

This is exactly correct. Part of the idea behind the LDAP
authentication is to allow the LDAP directory's own security
constraints to dictate access level. This cannot be done without a
bind.

- Mike

Re: guacamole-common-js confusion

[Mike Jumper]

On Tue, Oct 31, 2017 at 1:54 PM, David L Napier  wrote:
> We're building an app that's utilizing Guacamole.  I have Tomcat behind an
> Nginx reverse proxy.  The app successfully utilizes guacamole-common-js and
> connects to tomcat via the proxy.  Then it loads the canvas into the client.
> However, the canvas is returning with a size of 0 height, 0 width.
>

What do you mean by "loads the canvas into the client"?

Guacamole does use canvas tags, but you shouldn't be touching the
canvas itself (which is internal). You should only be dealing with the
display abstraction provided by Guacamole.Display (returned by
getDisplay() of Guacamole.Client), adding the display to the DOM using
the element returned by getElement():

http://guacamole.incubator.apache.org/doc/guacamole-common-js/Guacamole.Client.html#getDisplay
http://guacamole.incubator.apache.org/doc/guacamole-common-js/Guacamole.Display.html#getElement

The display itself will not have non-zero dimensions until it receives
the size from the server. If this never occurs, check that:

1) You have set handlers for the tunnel and client "onerror" and
"onstatechange" events (so you know when things are failing)
2) There aren't errors in the logs from guacd (the connection may not
have succeeded at all)

> I've got this warning in my console: "[Deprecation] Resource requests whose
> URLs contained both removed whitespace (`\n`, `\r`, `\t`) characters and
> less-than characters (`<`) are blocked. Please remove newlines and encode
> less-than characters from places like element attribute values in order to
> load these resources. See
> https://www.chromestatus.com/feature/5735596811091968 for more details."
>

Check your HTML. From the warning, it sounds like some of your
attribute values contain angle brackets, and are thus being recognized
by Chrome as possible injection attacks.

- Mike

Re: GUAC-1096 conditions for WebSockets

[Mike Jumper]

On Tue, Oct 31, 2017 at 1:17 PM, bkalb  wrote:
> I apologize for the lack of logs but we can only reproduce this in a closed
> off network.

Logs would be helpful. If you are seeing unexpected behavior, the
first thing to check would be whether there are errors in the Tomcat
and guacd logs, as well as the JavaScript error log of the browser in
use.

>
> ...  We don't see this error when deploying Guacamole on our normal
> development environment.
>

How do the failing environment and development environment differ?

- Mike

Re: Capture keyboard input?

[Mike Jumper]

On Tue, Oct 31, 2017 at 10:30 AM, Anthony Moon
 wrote:
> Hi all,
>
> Just wondering if Gauc has the ability to capture all keyboard input? I
> can’t tell you how many times I’ve accidentally closed the whole tab while
> typing (CTRL + W)..
>

Guacamole already attempts to capture absolutely all keyboard input.
It's up to the OS and the browser to decide which key events to
actually expose to JavaScript. Keyboard events for shortcuts reserved
by the OS (Ctrl+Alt+Del, Alt+Tab, etc.) are typically eaten by the OS
before they reach the browser, and keyboard events for shortcuts
reserved by the browser (such as Ctrl+W) are typically eaten by the
browser before they reach JavaScript.

Some browsers, Chrome included, will allow bookmarks to be saved to
the desktop or home screen, and give the webapps bookmarked in such a
manner access to additional keystrokes. If the browser you're using
has this feature, that may help things. Beyond that, it's a security
feature of the browser that web applications cannot take full control
of the keyboard, and there's nothing that can be done within
JavaScript to alter this. As long as the key event actually happens
within JavaScript, Guacamole will handle it and pass it along to the
remote desktop.

- Mike

Re: FLASH SUPPORT for Audio in IE

[Mike Jumper]

On Wed, Nov 8, 2017 at 2:22 AM, Amarjeet Singh  wrote:

> Hi Team,
>
> As there is no fallback of * AudioContext() *for IE I am trying to add
> support for sound in IE using Flashback but unable to do so.
>
> *In Chrome and Firefox  during WebSocket connection I get the following
> stream :-*
>
>>
>> 5.audio,1.1,31.audio/L16;rate=44100,channels=2;10.filesystem,1.0,12.Shared
>> Drive;4.size,1.0,4.1920,3.546;4.name,11.172.16.1.75;4.size,
>> 2.-1,2.11,2.16;3.img,1.3,2.12,2.-1,9.image/png,1.0,1.0;4.blob,1.3,232.
>> iVBORw0KGgoNSUhEUgsQCAYAAADAvYV+BmJLR0QA/wD/AP+
>> gvaeTYklEQVQokY2RQQ4AIQgDW+L/v9y9qCEsIJ4QZggoJAnDYwAwFQwASI
>> 4EO8FEMH95CRYTnfCDOyGFK6GEM6GFo7AqKI4sSSsCJH1X+roFkKdjueABX/
>> On77lz2uGtr6pj9okfTeJQAYVaxnMASUVORK5CYII=;3.end,1.3;6.
>> cursor,1.0,1.0,2.-1,1.0,1.0,2.11,2.16;
>
>
> *In IE I get the following stream :- *
>
>>
>> "10.filesystem,1.0,12.Shared Drive;4.size,1.0,4.1920,3.516;4.name
>> ,11.172.16.1.75;4.size,2.-1,2.11,2.16;3.img,1.3,2.12,
>> 2.-1,9.image/png,1.0,1.0;4.blob,1.3,232.iVBORw0KGgoNSUhEUgsAAA
>> AQCAYAAADAvYV+BmJLR0QA/wD/AP+gvaeTYklEQVQokY2RQQ4AIQgDW+L/
>> v9y9qCEsIJ4QZggoJAnDYwAwFQwASI4EO8FEMH95CRYTnfCDOyGFK6GEM6GF
>> o7AqKI4sSSsCJH1X+roFkKdjueABX/On77lz2uGtr6pj9okfTeJQAYVaxnMA
>> SUVORK5CYII=;3.end,1.3;6.cursor,1.0,1.0,2.-1,1.0,1.0,2.11,2.16;"
>
>
> Why there is *no audio* coming from the back end in IE ?
>
> Does the back end code depends on the browser ?
>
>
The mimetypes of any supported audio codecs are required to be submitted
during the initial Guacamole protocol handshake. As that handshake is
handled server-side, those mimetypes need to be submitted to the server
prior to or as the connection is being established. In the mainline
Guacamole webapp, the audio mimetypes are submitted to the tunnel during
the initial connection attempt via "GUAC_AUDIO" query parameters, and the
part of the webapp that handles tunnel requests transforms those parameters
into the list of audio mimetypes required by the GuacamoleClientInformation
object which is given to ConfiguredGuacamoleSocket to perform the handshake.

See:

http://guacamole.incubator.apache.org/doc/gug/guacamole-protocol.html#guacamole-protocol-handshake

The flow for this in the mainline Guacamole webapp is:

https://github.com/apache/incubator-guacamole-client/blob/0611fe8fff694dff7e3cb6a62918f6c90668728c/guacamole-common-js/src/main/webapp/modules/AudioPlayer.js#L62-L79
https://github.com/apache/incubator-guacamole-client/blob/0611fe8fff694dff7e3cb6a62918f6c90668728c/guacamole/src/main/webapp/app/client/services/guacAudio.js
https://github.com/apache/incubator-guacamole-client/blob/0611fe8fff694dff7e3cb6a62918f6c90668728c/guacamole/src/main/webapp/app/client/types/ManagedClient.js#L229-L232
https://github.com/apache/incubator-guacamole-client/blob/0611fe8fff694dff7e3cb6a62918f6c90668728c/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequest.java#L333-L343
https://github.com/apache/incubator-guacamole-client/blob/0611fe8fff694dff7e3cb6a62918f6c90668728c/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequestService.java#L154-L157

If you are adding IE-specific support for
"audio/L16;rate=44100,channels=2", you will need to see that this mimetype
is submitted to the server. Lacking this, the code handling audio for the
remote desktop will not know what formats the client side supports, and
will not be able to provide an audio stream.

- Mike

Re: Configuring LDAP

[Mike Jumper]

On Thu, Nov 9, 2017 at 12:45 PM,  wrote:

> I’m trying to configure LDAP to work on our new Guacamole installation.  I
> followed Chapter 7 in the user guide, but I still can’t get it to work.
> When I enter a user name and the password that I know exists in our LDAP
> (which is running on RHEL 7 using IDM), and click the Login button, nothing
> happens.  No errors, no visual clues, nothing.  I look at the logs on the
> server and get zero errors or indications that it even attempted it.
>

There will not be visual clues, as such details are not exposed at the
user-visible level. There should be log messages, however, including
messages indicating that the LDAP authentication extension was loaded. Can
you post what you see in the Tomcat logs from the point that Guacamole is
starting up until the first pair of login failures (there should be at
least two: the first resulting from the default anonymous auth attempt
which caused the login dialog to display, and the second from using that
login dialog)?

- Mike

Re: Virtual or Dyanmic Channels support

[Mike Jumper]

On Fri, Nov 10, 2017 at 4:59 AM, Amarjeet Singh 
wrote:

> I am asking about support of Static Virtual Channels in Guacamole?
>
> How can we configure support of more Static virtual channels in Guacamole ?
>
>
Can you be more specific? What channels?

- Mike

Re: Virtual or Dyanmic Channels support

[Mike Jumper]

On Fri, Nov 10, 2017 at 12:11 PM, Amarjeet Singh 
wrote:

> Static Virtual channels in RDP which is of 7 character and RDP supports 31
> static virtual channels.
> That is what I am talking about.
>
>
So, just arbitrary static virtual channels? Do you have some application
which will be running under RDP which will be leveraging your own SVC, and
which you want the JavaScript side of Guacamole to communicate with? Can
you elaborate on the nature of the SVC in your case?

- Mike

Re: Virtual or Dyanmic Channels support

[Mike Jumper]

On Fri, Nov 10, 2017 at 12:52 PM, Amarjeet Singh 
wrote:

> Yes, There is a module which will be running on server side for Printing (
> instead of using Guacamole Printer which changes name  for every session )
> name=hyprint.
>
>
You can expose arbitrary static virtual channels to JavaScript using the
"static-channels" parameter provided by Guacamole's RDP support:

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#rdp-device-redirection

The parameter accepts a comma-separated list of static channel names to
open and expose as pipe streams. For each SVC which is successfully handled
within RDP, Guacamole will open an outbound pipe with the name of the
static channel, which will trigger the "onpipe" handler of Guacamole.Client:

http://guacamole.incubator.apache.org/doc/guacamole-common-js/Guacamole.Client.html#event:onpipe

You can then deal with the inbound stream however you see fit. If
JavaScript needs to communicate back in the other direction, it should
respond by opening another pipe with the same name:

http://guacamole.incubator.apache.org/doc/guacamole-common-js/Guacamole.Client.html#createPipeStream

- Mike

Re: Virtual or Dyanmic Channels support

[Mike Jumper]

On Sat, Nov 11, 2017 at 4:51 AM, Amarjeet Singh 
wrote:

> ...
>>
>> *Nov 11 07:46:04 localhost guacd[7887]: Inbound half of channel "hyprint"
>> connected.*
>
>
This is not an error, but an informative message that the inbound pipe
stream (the pipe from the browser to the server) for your channel has been
connected. It is being logged at the wrong log level, but is not an error.


> When I am printing the document on server side using this module. i am not
> receiving any data?
>
> client.onpipe = function(input_stream, mimetype, name) {
>>
>> reader = new Guacamole.StringReader(input_stream);
>> reader.ontext = function(text) {
>> // Handle input here
>> };
>>
>
>
What makes you think you're not receiving any data? The example code you've
provided here is explicitly not handling any data (it has placeholder
comments where the necessary code would need to go). Assuming you're using
this code as-is, you would have no indication regarding whether data is
being received or not. Received data would be silently discarded.

- Mike

Re: Guacamole Redirected Printer download files

[Mike Jumper]

On Mon, Nov 13, 2017 at 9:56 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> when I print any file using guacamole redirected printer, it always
> download the file instead of showing print preview.
> It is written to follow the above behavior
> .
> I looked into guacamole common js where it downloads with the help of
> iframe.
>

guacamole-common-js leaves the handling of downloads open to the
implementor using the API. If you're looking at code which leverages an
iframe for download, you are looking at the web application, not
guacamole-common-js.

I tried all the possible ways to edit the code and show the PDF files in
> iframe instead of downloading directly.
> It always downloads.
> Then I tried to change the url and gave the url of the PDF file from the
> server directly. It shows in the iframe and doesn't downloads.
> I came to know that there is something with the url which always tried to
> download.
> Any suggestions to resolve and show the PDF file in the iframe?
>

My suggestion would be to not attempt to override this behavior, and allow
the PDF to always download. Displaying the PDF within the browser is
problematic, and does not work identically across all browsers. Some will
display the PDF correctly, downloading the PDF only if no viewer is
present, others will display an empty iframe/tab even though a PDF viewer
is available or built-in, and yet others will silently fail with no way for
JavaScript to detect this.

Downloading the PDF directly is the only behavior which works universally.

- Mike

Re: Intermittent VNC connectivity to IP KVM

[Mike Jumper]

On Mon, Nov 13, 2017 at 9:47 AM, kpham  wrote:

> ...
> kernel: [20018.150998] traps: guacd[2185] trap divide error ip :
> 7f493214dbcd sp:7f4932d70b80 error:0 in
> libvncclient.so.1.0.0[7f493213d+1e]
>
> Do you think it's a bug in vncclient module? Any suggestion for me on how
> to
> fix it ?
>
>
This does look like a bug in libvncclient, the library used by Guacamole's
VNC support to handle the VNC protocol. It's hard to tell exactly where
within the library this is happening, but the kernel is reporting here that
the library is attempting to divide by zero. My guess, given context, is
that the VNC server is sending an empty rectangle with one of the
dimensions being zero, and libvncclient is improperly handling this
condition.

I would recommend installing the absolute latest libvncclient (part of
libvncserver), rebuilding guacamole-server, and seeing if the problem is
resolved. If the bug remains, the next step would be to report it upstream:

https://github.com/LibVNC/libvncserver

- Mike

Re: Configuring LDAP

[Mike Jumper]

Following a restart of Tomcat, can you post the entire Tomcat log
somewhere, at least the portion which follows that restart?

- Mike


On Mon, Nov 13, 2017 at 10:51 AM,  wrote:

> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org ]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM,  wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at 
> /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>

Re: Configuring LDAP

[Mike Jumper]

Don't send it to me directly off-list - things really need to be kept
on-list.

pastebin or a GitHub gist are decent choices. You could also paste the logs
directly into a new email. I don't recommend trying to attach the logs, as
attachments are sometimes filtered away.


On Mon, Nov 13, 2017 at 12:44 PM,  wrote:

> Any place in particular?  Not really sure where I can put something like
> that.  Can I send it to you off-list?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jum...@guac-dev.org]
> *Sent:* Monday, November 13, 2017 2:02 PM
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Following a restart of Tomcat, can you post the entire Tomcat log
> somewhere, at least the portion which follows that restart?
>
>
>
> - Mike
>
>
>
>
>
> On Mon, Nov 13, 2017 at 10:51 AM,  wrote:
>
> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org ]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM,  wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at 
> /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>
>
>

Re: Configuring LDAP

[Mike Jumper]

Which log are these messages from?

- Mike


On Mon, Nov 13, 2017 at 12:55 PM,  wrote:

> OK, here goes:  https://pastebin.com/Be35FaN6
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jum...@guac-dev.org]
> *Sent:* Monday, November 13, 2017 3:49 PM
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Don't send it to me directly off-list - things really need to be kept
> on-list.
>
>
>
> pastebin or a GitHub gist are decent choices. You could also paste the
> logs directly into a new email. I don't recommend trying to attach the
> logs, as attachments are sometimes filtered away.
>
>
>
>
>
> On Mon, Nov 13, 2017 at 12:44 PM,  wrote:
>
> Any place in particular?  Not really sure where I can put something like
> that.  Can I send it to you off-list?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jum...@guac-dev.org]
> *Sent:* Monday, November 13, 2017 2:02 PM
>
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Following a restart of Tomcat, can you post the entire Tomcat log
> somewhere, at least the portion which follows that restart?
>
>
>
> - Mike
>
>
>
>
>
> On Mon, Nov 13, 2017 at 10:51 AM,  wrote:
>
> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org ]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM,  wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at 
> /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>
>
>
>
>

Re: Configuring LDAP

[Mike Jumper]

And, failing that, journalctl or /var/log/messages or syslog. Distributions
vary widely.

- Mike


On Nov 15, 2017 12:24, "Nick Couchman"  wrote:

> On Mon, Nov 13, 2017 at 7:27 PM,  wrote:
>
>> /var/log/tomcat/catalina.2017-11-13.log
>>
>
> Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not
> certain that file will be there, but my general experience with Tomcat is
> that catalina.out has more detail than even the catalina.*.log files.
>
> -Nick
>

Re: Fwd: Need Help to know Virtual Drive Creation process in RDP session

[Mike Jumper]

On May 18, 2016 1:44 PM, "Vijay Kumar Kamannavar" 
wrote:
>
> Hello All,
>
> I wanted to know What command Guacamole uses or how guacamole create
shared drive/virtual drive in RDP session login.
>

Hi Vijay,

There is no such command. Guacamole provides the virtual drive using the
"RDPDR" channel, which is a standard part of the RDP protocol.

>
> i have some issue on creating G drive. and able to see Problem connecting
device 0 severity= in guacamole log
>

Can you provide the full log messages (everything from guacd from the point
you connect to the point to disconnect)?

What version of Guacamole and Windows are in use in your case?

Thanks,

- Mike

Re: Fwd: Need Help to know Virtual Drive Creation process in RDP session

[Mike Jumper]

On Wed, May 18, 2016 at 2:44 PM, Vijay Kumar Kamannavar <
vijaykumar.p...@gmail.com> wrote:

> Hello Mike.
>
> Thank you for the reply!!
>
> I am trying to connect to Windows 2012 R2 using Guacamole 0.9.2 and Some
> how i am not able to see the G drive in the RDP machine.
>
>
I would recommend at least upgrading to the latest. The 0.9.2 release is
quite old.


> I have configured the Device and Resource Redirection setting under group
> policy (gpedit.msc)  as Not Configured in windows machine.
>
> Any predefined setting we need configure in Windows machine to make G
> drive visible ?
>
>
The setting you described for gpedit should be enough ...

Is sound working?

Re: Fwd: Need Help to know Virtual Drive Creation process in RDP session

[Mike Jumper]

On Fri, May 20, 2016 at 12:04 AM, Vijay Kumar Kamannavar <
vijaykumar.p...@gmail.com> wrote:

> Hello Mike,
>
> Thank you for the reply.
>
> Thanks for confirming that gpedit.msc must be enough.
>
> 1. I read in some forums that, if sound plugin(guacsnd) is not loaded(due
> to binaries missed) then we may see issues with Virtual Drive creation
>

Correct. More on this below.


> 2. Even if we open PROXY_RDP for Windows 2012 R2 in IE 11, due to
> non-support of audio codecs *wav and ogg/vorbis *in IE browser,  sound
> will be disabled and we see "No Available Audio Encoding, Sound Disabled"
> message is GUACD log.
>
>
Yes, this is correct. Sound will always be disabled if the Guacamole client
determines that the browser is incapable of playing sound encoded with any
supported codec.

Further, for Guacamole releases prior to 0.9.9, lack of audio support will
prevent the virtual drive from functioning. Due to a bug in Windows 2012
(and possibly other versions of Windows), the virtual channel used for the
drive ("RDPDR") has no effect even after it has successfully opened unless
the virtual channel for audio ("RDPSND") has also been opened.

I'm not sure this is the particular issue in your case, however, as you are
also getting an explicit refusal to connect the virtual drive from the RDP
server. In my experience with the above bug, the failure to properly
connect the virtual drive was always silent.

Please confirm whether my understanding is correct or not
>
> These issues are addressed in current release.
>

Your understanding is correct, and the issue with RDPSND vs. RDPDR is
indeed fixed in 0.9.9. The original issue tracking that in the old JIRA was:

https://glyptodon.org/jira/browse/GUAC-1196

Thanks,

- Mike

Re: bad image quality with tigervnc server

[Mike Jumper]

Hi Miroslav,

It's likely that TigerVNC is using JPEG to encode the updates it send to
Guacamole, hence the artifacts / poor quality. This will also lead to
performance degradation, as the JPEG artifacts will decrease the efficiency
of the PNG compression used by Guacamole for most images.

You can change this behavior by explicitly setting the "encodings"
parameter of the VNC connection(s) to a space-delimited list of encodings
which does NOT include the "tight" encoding (the VNC encoding that uses
JPEG). A known-good value is:

zrle ultra copyrect hextile zlib corre rre raw

If you are using the database auth, I have a SQL script which updates all
VNC connections, setting the "encodings" parameter to the above value:

https://gist.github.com/mike-jumper/35987e86c64cac389e8b

This shouldn't be a problem going forward, as the default for "encodings"
has been changed to exclude the "tight" encoding. If you're OK with
building from git, that should solve things as well:

https://github.com/apache/incubator-guacamole-server

If you follow the current version of the manual for building from git,
beware that the manual still refers to the version of Guacamole prior to
its migration to the Apache Incubator, so the names and URLs of the git
repositories will be incorrect. The new repositories are all of the form "
https://github.com/apache/incubator-guacamole-*";.

Thanks,

- Mike


On Mon, May 23, 2016 at 12:43 PM, Miroslav Vadkerti 
wrote:

> Hi,
>
> I am experiencing bad image quality when connecting to my TigerVNC server
> via guacamole. With the TigerVNC viewer the image is sharp. Any idea what
> could be wrong? Could be that the guacamole vnc client is using wrong
> encoding or jpeg transport?
>
> Thanks,
> /M
>

Re: per user virtual drive

[Mike Jumper]

On Tue, May 24, 2016 at 11:18 AM, Maarten Dirickx @ WTD <
mdiri...@walkingthedog.be> wrote:

> Hello,
>
> I've set up quite a few connections and quite a few users. For convenience
> of file transfer, each connections has a virtual drive mapped to it. I feel
> it would be much easier from a user's point of view if I could give a them
> a personal folder, and map that to each connection. Is this possible in any
> way?
>
> For example, map a drive under /var/guac/%username and create it if it
> doesn't exist. That way a file only needs to be uploaded once, to be
> deployed to several machines.
>
> I could not find any documentation about this, though I don't believe I am
> the first to ask.
>
>
You do this using parameter tokens:

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

In your case, specifying a value like "/var/guac/${GUAC_USERNAME}" for
"drive-path" would accomplish what you're looking for. To have this created
automatically, you would set the "create-drive-path" to "true":

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#rdp-device-redirection

There are analogous parameters for the SFTP options of VNC, RDP, and SSH,
as well.

Thanks,

- Mike

Re: External link to a connection

[Mike Jumper]

On Tue, May 24, 2016 at 11:51 PM, Iker Ibarguren Berasaluze <
iibargu...@pasaia.net> wrote:

> Hi,
> We have an intranet where I want to print the direct url to a connection
> for a user. I mean, if in my intranet I´m reading user1 profile, I want to
> append a button witch can be clicked in order to control this machine
> directly. I tried accessing guacamole mysql data but there is no the
> necesary info to get the url.
>
> Is there any way to do this?
>

The necessary information is indeed there - you just need to know how to
generate the URL. The base64 bit after ".../guacamole/client/" in the URL
of a connection is built from the following information:

1. The connection identifier (in MySQL / PostgreSQL, this will be the
connection ID)
2. The type ("c" for connections and "g" for balancing groups)
3. The identifier of the auth provider storing the connection data (usually
"postgresql", "mysql", or "ldap" - in your case the correct value would be
"mysql")

Each of these components separated from the other by a single NULL
character (U+), with the resulting string encoded with base64.

For example, "NQBjAHBvc3RncmVzcWw=", a valid base64 string taken from an
actual Guacamole deployment, decodes to:

$ echo 'NQBjAHBvc3RncmVzcWw=' | base64 -d | xxd
000: 3500 6300 706f 7374 6772 6573 716c   5.c.postgresql
$

"5" being the connection identifier, "c" indicating that this is a
connection and not a group, and "postgresql" representing the auth provider
(PostgreSQL). Within the Guacamole web application, this string is
generated within JavaScript by the "ClientIdentifier" class using
"ClientIdentifier.toString()" function:

https://github.com/apache/incubator-guacamole-client/blob/0.9.9/guacamole/src/main/webapp/app/navigation/types/ClientIdentifier.js#L99-L119

The base64 identifier actually only has meaning to the JavaScript code - it
is decoded and parsed out into its individual components prior to making
the request to open the tunnel, at which point these values are included as
normal HTTP parameters:

https://github.com/apache/incubator-guacamole-client/blob/0.9.9/guacamole/src/main/webapp/app/client/types/ManagedClient.js#L428-L435

https://github.com/apache/incubator-guacamole-client/blob/0.9.9/guacamole/src/main/webapp/app/client/types/ManagedClient.js#L153-L216

The easiest way to obtain this string would be to simply copy it from the
URL of the connection from within the Guacamole interface, but you can also
use the above algorithm to generate it yourself.

Note that this does not bypass authentication - the users will still need
to authenticate with Guacamole to gain access to any connection, even if
they know the URL ahead of time.

If you would rather that users login to your existing application only, the
proper way to achieve this is to integrate Guacamole into that application
using an extension (such that Guacamole can validate the user's
authenticated status and pull their data, without prompting them again for
credentials). Avoid the temptation to disable Guacamole's authentication
entirely; it may seem simpler, but it is an EXTREMELY bad idea.

Hope this helps,

- Mike

Re: Question about RDP / RDWeb

[Mike Jumper]

On Wed, May 25, 2016 at 1:27 PM, Frank Lam  wrote:

> Hi,
>
>
>
> First off, great software! I’ve been testing it for the last 2 weeks, and
> it works great.
>
>
>
> Just a question I cant seem to find the answer to, is it possible to
> connect to a RDP host via the MS Remote Desktop Web Access (443)?
>
>
I believe so.

If I remember correctly, MS RD Web Access is not a gateway and does not
affect the way RDP works. It simply provides a website which serves *.rdp
files containing configuration information for RDP clients. The connection
itself is still made using a normal RDP client to the default port of the
terminal server (3389).

Assuming the above is correct - yes, it's ultimately no different than any
other RDP connection. Just obtain the configuration information for the RDP
connections in question, and add new connections to Guacamole with those
parameters.

Thanks,

- Mike

Re: Question about RDP / RDWeb

[Mike Jumper]

On Thu, May 26, 2016 at 5:04 AM, Frank Lam  wrote:

> Hi Mike,
>
>
>
> Thanks for the answer.
>
>
>
> I think i have to rephrase my question, RDweb does indeed only serve RDP
> files.
>
>
>
> I have a RDWeb + RDS Gateway, the RDS gateway tunnels the RDP via port 443.
>
>
>

Ah, OK.


> It it possible to use the gateway in between? With xfreerdp i use
> /v:localmachine /u:user /d:domain /p:pass /gu:user /gp:pass /g:
> gateway.public.com
>
> I would like to use the gateway parameters in guacamole as well. Is there
> a way?
>
>
>
Yes, but not at present. This has been requested before, and the support is
definitely present in FreeRDP (as you note), but we have not yet leveraged
that support within Guacamole's RDP backend. The issue in our old JIRA for
this was GUAC-913 [1]. I've just now moved the old JIRA issue to
GUACAMOLE-40 [2] in the Apache JIRA.

Theoretically, adding the support would not be difficult. It's just not
historically been a priority with respect to other issues.

Thanks,

- Mike

[1] https://glyptodon.org/jira/browse/GUAC-913
[2] https://issues.apache.org/jira/browse/GUACAMOLE-40

Re: LDAP - Error while query user DNs.

[Mike Jumper]

On Thu, May 26, 2016 at 7:09 AM, Dawson Bessinger 
wrote:

> Hello,
>
> We have setup a test Guacamole server and are having an LDAP auth issue.
> If we list the root of our AD in ldap-user-base-dn, guacamole throws an
> exception:
>
> ~~~
>
> org.glyptodon.guacamole.GuacamoleServerException: Error while query user
> DNs.
>
> at
> org.glyptodon.guacamole.auth.ldap.user.UserService.getUserDNs(UserService.java:271)
> ~[guacamole-auth-ldap-0.9.9.jar:na]
>
> ~~~
>
>
>
> I enabled debug error level and this is at the bottom of the stack trace:
>
> ~~~
>
> Caused by: com.novell.ldap.LDAPReferralException: Referral
>
> at com.novell.ldap.LDAPSearchResults.next(Unknown Source)
> ~[guacamole-auth-ldap-0.9.9.jar:na]
>
> at
> org.glyptodon.guacamole.auth.ldap.user.UserService.getUserDNs(UserService.java:262)
> ~[guacamole-auth-ldap-0.9.9.jar:na]
>
> ~~~
>
>
Can you describe in more detail how your LDAP server is set up?

I've not seen this particular exception before. It's unfortunate that the
error message itself is so artfully useless, but looking at the JavaDoc for
that LDAPReferralException[1], the description reads:

"Thrown when a server returns a referral and when a referral has not
been followed. It contains a list of URL strings corresponding to the
referrals or search continuation references received on an LDAP operation."

Until today, I had no idea that "referrals" were a concept in LDAP. From
the description, it sounds like LDAP deployments can potentially span
multiple servers, with each server being somewhat aware of its relatives'
contents. If that is the case, it seems the sort of thing that an LDAP
library would want to abstract away from downstream users of said library
... but then again perhaps not.

Thanks,

- Mike

[1]
https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/LDAPReferralException.html

Re: Guacamole connected, waiting for response for a while then disconnected

[Mike Jumper]

On May 26, 2016 8:09 PM, "do hung"  wrote:
>
> Can you tell me which firewall ports should be opened in order for
Guacamole to work?
>

Only the publicly-facing port used by Tomcat (or the proxy in front of
Tomcat) need be open.

Typically, this will be 443 (HTTPS), with a proxy like Apache or Nginx
providing SSL termination and avoiding the need to run Tomcat as a
privileged user.

If SSL has not been configured at all (not the best idea, but common when
people are just getting started), then this will probably be 8080 -
Tomcat's default port.

- Mike

Re: Guacamole connected, waiting for response for a while then disconnected

[Mike Jumper]

On May 26, 2016 8:17 PM, "do hung"  wrote:
>
> Thanks, Mike. But I have configured Tomcat to work on port 80. I don't
think firewall blocked this port, there should be something else :(
>

I highly recommend using a proxy rather than running Tomcat as a privileged
user for the sake of port 80, and even MORE highly recommend using SSL [1].
This can be addressed later though.

As for the problem at hand, is there any proxy at all between the affected
workstations and your Guacamole server? Perhaps the kind of virus-scanning
software that intercepts and scans web traffic?

- Mike

[1] http://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html

Re: Guacamole connected, waiting for response for a while then disconnected

[Mike Jumper]

On Thu, May 26, 2016 at 8:35 PM, do hung  wrote:

> No, the workstations connect directly to internet, no proxy at all. And I
> have also turned off the anti virus software :(
>
>
Do you see anything in the Tomcat logs from Guacamole around the time that
a user attempts to connect and fails?

- Mike

Re: Ansible playbooks?

[Mike Jumper]

On May 27, 2016 2:14 PM, "Greg Trasuk"  wrote:
>
> Hi there:
>
> Is there an Ansible playbook or roles to setup the Guacamole components?
Google says yes, but the Github page that used to have them says “404”.
>

Hi Greg,

What pages are returning 404?

I am not presently aware of any Ansible playbooks for the Guacamole stack,
and there are no official playbooks provided/supported by the Guacamole
project directly.

I don't think we'd be against having such things - we just don't right now.
As far as automating deployment is concerned, our first steps in that
direction have been the Docker images:

http://guacamole.incubator.apache.org/doc/gug/guacamole-docker.html

If you're interested in contributing playbooks for Guacamole, I'd be glad
to assist.

Thanks,

- Mike

Re: guacd won't connect to RDP server using NLA and UPN

[Mike Jumper]

On Mon, May 30, 2016 at 11:07 PM, James Johnston <
johnstonj.pub...@codenest.com> wrote:

> Hi,
>
> I'm trying to connect to an RDP server that is set up with both TLS and
> NLA.  I
> want the RDP connection to take place using the username of the guacamole
> user
> who has logged in.  (guacamole has been linked with LDAP.)  Unfortunately,
> this
> doesn't work: the RDP server disconnects the client immediately (according
> to
> the guacamole web GUI).  docker logs guacd merely reports:
>
> guacd[41]: ERROR:   Error connecting to RDP server
> guacd[41]: INFO:Connection did not succeed
>
> My connection username is set to ${GUAC_USERNAME}.  Password is set to
> ${GUAC_PASSWORD}.  Domain box is left blank, security mode set to NLA, and
> Ignore server certificate has been checked to work around the issue in my
> last
> e-mail.  Everything is left at defaults.
>
>
Have you tried specifying the domain? (And only specifying the username for
the username, not username@domain)

Guacamole is integrated with Active Directory using LDAP, with a PostgreSQL
> back-end for configuration.  I set up docker to use the userPrincipalName
> LDAP
> attribute for usernames.  So e.g. I login to guacamole as "
> u...@mydomain.com".
>
>
I'm not sure if the RDP server will happily accept the full user@domain as
the username. If this works with other RDP clients, it may be that those
clients are parsing out the user and domain, and still pass them to the RDP
server separately.

I usually see users configuring Guacamole + Active Directory by:

1) Providing a search DN and password within guacamole.properties
2) Using "sAMAccountName" as the username attribute
3) Specifying the domain explicitly
4) Using "${GUAC_USERNAME}" for the username in the connection parameters

Note that I am using latest docker images for both guacd and guacamole.
>
> I have verified that logging in with regular Microsoft Remote Desktop
> client
> using the UPN works.  So that's not the problem...  On the other hand, if I
> manually type the UPN into the username box instead of using
> ${GUAC_USERNAME},
> it still doesn't work.
>

By "the username box", are you referring to Windows' own username/password
prompt when you're logging in, or are you referring to the connection
parameters within Guacamole?

Thanks,

- Mike

Re: Please add us as a support group for Guacamole

[Mike Jumper]

Hi Jim,

Can you provide your company's details (name, type of support offered, logo
if available, etc.)?

Thanks,

- Mike


On Tue, May 31, 2016 at 12:10 PM, Jim Sullivan  wrote:

> Please add us as a support group for Guacamole.
>
>
>
> Jim Sullivan 
>
> Certified Scrum Master 
>
> Certified Scrum Professional 
>
> Certified SAFe Program Consultant 
>
> IBM Master Instructor 
>
> *Voice:* 888-553-6563 ext 700
>
> *Fax*: 888-553-6563
>
> *Mobile*: 917-837-5210
>
> Principal and Arcisphere Technical Lead
>
> www.arcisphere.com
>
> AWS Partner 
>
> [image: btn_liprofile_blue_80x15]
> 
>
>
> [image: jim@arcisphere]    [image:
> VMW_12Q4_LGO_VTSP_K_email2]    [image:
> Scaled_Agile_Framework(R)_SPC_Cert_Mark]
>    [image: CSP_resize]
>    [image:
> CertSecuritySystems_color] 
>   [image: IBM-MI-EM] 
>
>
>

Re: Please add us as a support group for Guacamole

[Mike Jumper]

On Tue, May 31, 2016 at 12:26 PM, Jim Sullivan  wrote:

> Mike:
>
>
>
> We love Guacamole. We are a software engineering firm. We also provide
> product training. That is how we started working with Guacamole, and it is
> a fantastic product. We have struggled with it, learned it, and we have had
> success with Guacamole. We also have had users get into some trouble with
> respect to malware, so we have experience with those risks. Our firms loves
> to share the success we have had with commercial, and open software
> products. We would love to help clients with installation, and general
> product usage.
>

OK. Trying to condense this down to around 50 words... Is the following
accurate?

"Arcisphere is a software engineering firm which started working with
Guacamole to provide product training. They continue to provide assistance
with Guacamole installation and general product usage, and love to share
the success they have had with both commercial and open software products."

Please feel free to reword the above - we just need to keep the company
blurb brief and (to the extent possible) unbiased from the perspective of
the project.


> Here is our website, and I attached the logo.
>
> http://arcisphere.com/
>
>
Looking at your site, I don't see support services for Guacamole listed.
Where should I be looking?

Do you have a roughly-square logo? I can extract the image portion of the
logo PDF you sent, but don't want to do that without permission. If I just
use the logo as-is, it will end up resized to the point that it's
unreadable.

Thanks,

- Mike

Re: Please add us as a support group for Guacamole

[Mike Jumper]

On Tue, May 31, 2016 at 1:19 PM, Jim Sullivan  wrote:

> Mike:
>
>
>
> That sounds great to me. Thanks.
>

Are you referring to the blurb, to my question regarding the logo, or both?
(See below)


> Please let me know the next step.
>

The next step for us is to simply add the content to the site, which is
pretty simple and automated. Before we do so, can you please address the
following:

1) Looking at your site, I don't see support services for Guacamole listed.
Where should I be looking?

2) Do you have a roughly-square logo? I can extract the image portion of
the logo PDF you sent, but don't want to do that without permission. If I
just use the logo as-is, it will end up resized to the point that it's
unreadable.

Thanks,

- Mike

Re: Please add us as a support group for Guacamole

[Mike Jumper]

On Tue, May 31, 2016 at 1:34 PM, Jim Sullivan  wrote:

> Mike:
>
>
>
> We will add the Guacamole support to our website.
>

OK.

We were holding off as we wanted to establish the proper support
> relationship.
>

I'm not sure exactly what you mean, but given the word "relationship", let
me quickly clarify:

The directory of commercial support providers on the Apache Guacamole
project website does not imply a relationship between the providers and the
project (or the ASF). It's a directory that we provide for the sake of the
community because we believe the availability of such support is critical.

Don't misunderstand - the community benefits from a growing list of
choices, and we are very happy to add your company to this list. I just
want to be clear that there is no implied relationship; the independence of
the project is paramount.

As far as the logo, yes, please extract what works from the logo file. I
> also attached a different logo file. This one may be friendlier.
>
>
Excellent. Thanks!

- Mike

Re: Please add us as a support group for Guacamole

[Mike Jumper]

On Tue, May 31, 2016 at 1:57 PM, Jim Sullivan  wrote:

> Mike:
>
>
>
> Thanks for the clarification. Based on that we are adding Guacamole
> support to our website. We look forward to working with the community, and
> we look forward to working with Guacamole users.
>
>
>

Thanks, Jim. I've opened an issue in our JIRA [1] to track this, as well as
a pull request on GitHub [2] to add the content.

- Mike

[1] https://issues.apache.org/jira/browse/GUACAMOLE-43
[2] https://github.com/apache/incubator-guacamole-website/pull/12

Re: Question Regarding Invalid Username/Password for Linux VM's

[Mike Jumper]

On Wed, Jun 1, 2016 at 11:27 AM, Matthew Ramella 
wrote:

> Hello,
>
>
>
> We’re testing out Guacamole for use in our business (CenturyLink), and
> have a quick question regarding authentication to Linux VM’s via Guacamole.
>
>
>
> In our scenario, for connecting to Linux VM’s via Guacamole, we’re not
> passing usernames and/or password, and thus, Guacamole is prompting for
> username and password (which is exactly what we’re looking for :-),
> however, we noticed that if we pass a bad username/password, the Guacamole
> view does not provide an error message, and does not indicate that a bad
> username/password was provided, but rather, the view seems to hang, and the
> user cannot interact with the view.  We’re wondering if this is a bug?
> Ideally, we were hoping that the view would indicate that a bad
> username/password was provided, and to please try again.
>
>
>
Yes, this is a bug, but it should have been fixed recently:
https://github.com/apache/incubator-guacamole-server/commit/7c2766b34bd10f0ae2dcd0b378696fb454498a76

If you can, please try building from git to see if the problem is resolved.

Thanks,

- Mike

Re: Question Regarding Invalid Username/Password for Linux VM's

[Mike Jumper]

On Wed, Jun 1, 2016 at 12:04 PM, Mike Jumper 
wrote:

> On Wed, Jun 1, 2016 at 11:27 AM, Matthew Ramella 
> wrote:
>
>> Hello,
>>
>>
>>
>> We’re testing out Guacamole for use in our business (CenturyLink), and
>> have a quick question regarding authentication to Linux VM’s via Guacamole.
>>
>>
>>
>> In our scenario, for connecting to Linux VM’s via Guacamole, we’re not
>> passing usernames and/or password, and thus, Guacamole is prompting for
>> username and password (which is exactly what we’re looking for :-),
>> however, we noticed that if we pass a bad username/password, the Guacamole
>> view does not provide an error message, and does not indicate that a bad
>> username/password was provided, but rather, the view seems to hang, and the
>> user cannot interact with the view.  We’re wondering if this is a bug?
>> Ideally, we were hoping that the view would indicate that a bad
>> username/password was provided, and to please try again.
>>
>>
>>
> Yes, this is a bug, but it should have been fixed recently:
> https://github.com/apache/incubator-guacamole-server/commit/7c2766b34bd10f0ae2dcd0b378696fb454498a76
>
> If you can, please try building from git to see if the problem is resolved.
>
>
For reference, the original report of this issue was GUAC-1381 [1], fixed
while debugging changes for GUAC-1389 [2] (finalization of screen sharing
support in the backend). The issue is not in the Apache JIRA as it was
fixed before migration to Apache Incubator was completed.

- Mike

[1] https://glyptodon.org/jira/browse/GUAC-1381
[2] https://glyptodon.org/jira/browse/GUAC-1389

Re: GUAC 0.9.10 Incubating Preview Release???

[Mike Jumper]

On Wed, Jun 1, 2016 at 12:39 PM,  wrote:

>
> Hi to everyone...
>
> Is there anyway I can get a pre-release glance to Guacamole 0.9.10?
>
>
Hi Seba,

The best way to get the latest unreleased code is to build from git. The
manual covers the overall build process:

http://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server
http://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html#building-guacamole-client

Beware that the above documentation covers 0.9.9, which was released prior
to Guacamole's acceptance into the Apache Incubator. The repositories
listed will be incorrect. The correct -client and -server repositories are:

https://github.com/apache/incubator-guacamole-client
https://github.com/apache/incubator-guacamole-server

Acording to https://glyptodon.org/jira/projects/GUAC/versions/11501
> there's no release date assigned, ...
>

The correct place to track development progress going forward is the Apache
JIRA:

https://issues.apache.org/jira/browse/GUACAMOLE/

We've not historically projected release dates via JIRA, and I'm not sure
if that's going to change. If you're looking for an idea of when version X
is going to be released, I would recommend looking through the dev mailing
list to see if there's been recent discussion on the subject. If there
hasn't, make a post yourself to get the discussion going.

I'd like to try GUAC-236 and GUAC-1451


Both GUAC-236 and GUAC-1451 are on git.

Thanks,

- Mike

Re: Map LDAP goups to connections

[Mike Jumper]

On May 31, 2016 5:34 AM, "Östh Mikael" 
wrote:
>
> Hi
>
> I have Guacamole set up with both MySQL and LDAP (MS AD) authentication.
The guacadmin user is also in AD so LDAP users and groups are populated in
WebGUI.
>
> I would like to make so that everyone that is member of an AD group gets
a specific connection profile.
>
> But when I map a connection to this populated AD group, its members are
still not getting the connection when they login.
>
> The only way I can map a user to a connection is to open every
individually user and set its connection, that cannot be the intended way?
>

Hi Mikael,

The prescribed way to control access to connections using LDAP groups is
via the LDAP schema modifications:

http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html#ldap-schema-changes

This level of control is currently provided only by the LDAP backend,
mainly because the extension API does not yet represent user groups.

Supporting groups within Guacamole in general is planned, and so this
should be possible with the MySQL/PostgreSQL backends eventually, but for
the time being the best way to accomplish this is through using purely LDAP.

Thanks,

- Mike

Re: PowerPoint document takes too long for editing

[Mike Jumper]

On Thu, Jun 2, 2016 at 11:47 AM, Prashant Govindaraju <
pgovindar...@boardvantage.com> wrote:

> Hello Everyone,
>
>
Hi Prashant,

When starting a new thread, please only email one list. There is no need to
duplicate a thread across multiple lists.

I am trying to edit a PowerPoint document via RDP protocol by using
> Guacamole in my project.
>
> Few pptx documents take too long to close and release RDP session.
>
>
What do you mean by "taking too long to close and release the RDP session"?

Thanks,

- Mike

Re: PowerPoint document takes too long for editing

[Mike Jumper]

On Thu, Jun 2, 2016 at 12:05 PM, Prashant Govindaraju <
pgovindar...@boardvantage.com> wrote:

> After I close the pptx file, I see a blue screen for about 3-4 minutes and
> then the Windows logoff screen is shown.
>
>
Are you using RemoteApp?

This doesn't sound like something that would be Guacamole-specific, though
the behavior might not be as noticeable when using a native RDP client (as
the desktop background is not normally rendered when using a native client
+ RemoteApp).

If the above sounds plausible, you could confirm by retrying with a native
RDP client, closing PowerPoint as normal, and then watching how long it
takes the RDP client process to die.

If the client process DOES die immediately, then there must be some way to
hook into RemoteApp closure that is not currently being done within
Guacamole.

Thanks,

- Mike

Re: PowerPoint document takes too long for editing

[Mike Jumper]

On Fri, Jun 3, 2016 at 3:22 PM, Prashant Govindaraju <
pgovindar...@boardvantage.com> wrote:

> Hi Mike,
>
> I tried to open the PPTX file via RDP client and observed that the
> performance is pretty good and fast for file opening and closing.
>
>
But is it actually closing? Or does the client window close, and the client
process may still be connected and running?

If you are seeing the following behavior with Guacamole

1) Close PowerPoint
2) ... 3 - 4 minutes ...
3) Windows logoff screen
4) Connection closed

and the following behavior with a native RDP client:

1) Close PowerPoint
2) Windows logoff screen
3) Client window closes

then something strange is going on. The key here being the total lack of
pause between closure of the application and the appearance of the Windows
logoff screen. BUT, if you are actually seeing the following behavior with
the native client:

1) Close PowerPoint
2) Client window closes

Note the lack of logoff screen. If this is the case, then the same behavior
you see with Guacamole may actually be happening with the native client as
well. It is just not visible, running in the background.

But I we connect to the same machine via Guacamole setup, we can open the
> file normally, but close of pptx takes 3-4 minutes.
>
> We don’t use “Remote App” setting with Guac admin page.
>
> I am attaching a screenshot for more information.
> ...
>
We set Initial program parameter to invoke MSoffice exe for PowerPoint and
> feed the target file from a Guac drive that we create.
>
> Initial program = %SYSTEMDRIVE%\Program Files\Microsoft
> Office\Office14\powerpnt.exe \\tsclient\G\test_ppt.pptx
>
>
While you may not be explicitly using RemoteApp, I believe that "initial
program" actually uses the same backend system as RemoteApp in recent
versions of Windows. If you're not seeing this behavior with the native
client (ie: you have confirmed that the native client process is no longer
running immediately upon close - it doesn't just appear to be closed, but
the connection has actually completely shut down), then it does sound like
something different must be happening, though I'm not sure at the moment
what that could be.

After I close the pptx file, I see a blue screen for about 3-4 minutes and
> then the Windows logoff screen is shown.
>
> So, the Rdp session is not closed quickly for selective pptx files.
>
>
You only see this behavior for specific PowerPoint files?

Re: Question about /guacamole/api/tokens endpoint for .9.10 version

[Mike Jumper]

On Jun 4, 2016 5:13 AM, "Matthew Ramella"  wrote:
>
> Hello,
>
> We’ve recently upgraded to the .9.10 incubator version of Guacd and the
Guac Client.  In our app, we’re calling through to the tokens API via the
following endpoint:
>
> /guacamole/api/tokens
>
> By chance, has this endpoint changed as part of the .9.10 version?  We’re
receiving 404 errors when we attempt to access the endpoint.
>

Nope, it's the same.

Perhaps the webapp is not deployed to /guacamole?

Thanks,

- Mike

Re: RDP client names

[Mike Jumper]

On Fri, Jun 3, 2016 at 12:12 PM, Zachary Bonjour <
zbonj...@vibrantcreditunion.org> wrote:

> Is there a way to set the client name variable to the hostname of the
> device that is logging into Guac?  Leaving it blank uses the Guac server's
> hostname, and using a variable that is tied to the user (I am currently
> using "guac-${GUAC_USERNAME}") won't work for our application.  Thanks!
>
>
No, there is currently no token for the hostname/address of the device
connected through Guacamole. The system handling such tokens is pretty
straightforward, so adding such a thing is not too hard. If you're
interested in contributing this, I can point you in the right direction.
Failing that, the next best option would be to request the feature in our
JIRA:

https://issues.apache.org/jira/browse/GUACAMOLE

Thanks,

- Mike

Re: Error Loading Authentication Provider Class (0.9.9-incubator)

[Mike Jumper]

On Tue, Jun 7, 2016 at 10:52 AM, Matthew Ramella 
wrote:

> Hello,
>
>
>
> We’ve recently upgraded to the Apache incubator version of Guacamole.  I
> have rebuilt our authentication provider extension using the latest
> incubator Guacamole common and ext JARS, and I have updated the
> guacamoleVersion in my guac-manifest.json file to 0.9.9-incubating.
> Unfortunately, we’re seeing the following error: *Authentication provider
> class cannot be loaded (wrong version of API?).*
>
>
>
> I’m wondering if there’s something I’m missing on my side?
>
>
Hi Matt,

Are you sure you rebuilt everything? That particular error indicates that
the JVM failed to load the class because it implements an incompatible
version of AuthenticationProvider. If the extension got that far in the
loading process, then the "guacamoleVersion" sanity check passed, so that
much is definitely OK, but it somehow must still be using a different
version of AuthenticationProvider if the JVM refused to load the class.

I'd recommend:

1) Doing a full "mvn clean install" of guacamole-client, such that all
.jars are rebuilt and installed to the local repository
2) Double-checking the pom.xml of your extension, making sure that
"guacamole-common" and "guacamole-ext" are both "org.apache.guacamole" and
"0.9.9-incubating".
3) Rebuilding the extension

Assuming all the above has been done, and the new extension has been
installed in place of the old one, things should work.

Thanks,

- Mike

Re: Connection URLs and Apache Proxy/Rewrite

[Mike Jumper]

On Sat, Jun 4, 2016 at 7:36 PM, Nick Couchman 
wrote:

> First, I want to say that Guacamole is awesome.  I've followed since the
> very early days of development, and just recently dug back into the
> project.  It's fantastic, and I think we have several potential areas to
> use it across the company - between enabling remote desktop connectivity on
> tablets and ultra books, and application delivery, it is proving to be
> quite useful.
>

Hey, Nick! Glad to see you're still around.


> I'm running into one situation, specifically when doing application
> delivery, that I could use some help with.  In this particular instance I
> have Guacamole set up with the No Auth plugin, and am using it to connect
> to Windows-based hosts over RDP.  No credentials are being stored, and the
> users must authenticate with their AD credentials to the Windows system, so
> it's a pretty low-risk scenario for using No Auth.


In virtually all cases, using NoAuth is a hack and a bad idea. More on this
later.

What I'd really like to do, however, is set up specific hostnames that
> redirect to a Guacamole connection.  I'm using Apache to front the HTTP
> connections and using mod_proxy to connect to Tomcat.  Let's say my server
> is guacamole.example.local, but that I want
> .apps.example.local to redirect to
> guacamole.example.local/guacamole/#/client/.  I've tried
> several Apache incantations to get this working, and have not stumbled
> across the correct configuration.  My most recent set of configs looks like
> this:
>
> 
> ServerName erp.apps.example.local
> ProxyPass / http://localhost:8080/guac/ flushpackets=on
> ProxyPassReverse / http://localhost:8080/guac/
> RewriteRule / "/#/client/SUZTIExpdmUAYwBub2F1dGg=" [NE]
> ProxyPassReverseCookiePath /guac /
> 
>
>
This will not work, because it is not the server that needs to read that
URL; it is the JavaScript code of the web application. It is the duty of
the page handling the /#/client/... URL to decode the base64 identifier and
use it to provide the correct HTTP parameters when making the connection
request.

Even if we did not use these base64 identifiers, it is unlikely such an
approach would work for any application using these sorts of "/#/..." URLs,
as everything following the hash is handled within the browser only. You
cannot rely on an HTTP client sending anything following a hash character
back to the server.

The part following the hash of a URL is known as the "fragment identifier".
>From the Wikipedia page covering this[1]:

"... Clients are not supposed to send URI-fragments to servers when they
retrieve a document, and without help from a local application (see below)
fragments do not participate in HTTP redirections. ..."

BUT! All is not lost. You can do this, and you can do it without using
NoAuth (the way it should be done 99.9% of the time, IMHO). Consider:

1) A Guacamole extension can leverage just about anything present in an
HTTP request for the sake of authentication and authorization. You can use
the content of the HTTP request to determine what data is available to the
user, ideally while validating that they are indeed authenticated to access
the system. You could use the "Host" header to determine virtual host[2]
they accessed, for example.

2) If a user has access to only one connection, they will be taken to that
connection automatically. You won't need to include the client identifier
in the URL if they only have one connection to begin with.

If you embrace the authentication system (GOOD!) instead of bypassing the
authentication system (BAD!), and leverage it to both provide your users
with what is requested and restrict them to only what they are allowed, you
will have a better and safer system that does what you need.

Thanks,

- Mike "I really think we should stop supporting NoAuth" Jumper

[1] https://en.wikipedia.org/wiki/Fragment_identifier
[2] https://en.wikipedia.org/wiki/Virtual_hosting

Re: [9.10-Incubating] Screen Recording GUAC286 & GUAC1451 - HowTo...

[Mike Jumper]

On Mon, Jun 6, 2016 at 11:25 AM,  wrote:

> Hi, folks!
>
> I've downloaded and successfully compiled guacd using
> https://github.com/apache/incubator-guacamole-server (MASTER BRANCH)...
>
> I'd like to test screen recording features, but I don't know how to work
> them out... (args & parameters to guacd)...
>
>
Hi Seba,

There are no extra parameters to be passed to guacd for screen recording.
Since you asked specifically about text-based screen recording for SSH and
telnet (old downstream issue GUAC-1451), I'll cover that specifically here.

Text-based screen recordings of SSH or telnet sessions are saved as
typescripts in the format used by the script[1] and scriptreplay[2]
commands. The way these typescripts are saved is controlled with three
additional connection parameters:

1) "typescript-path"

The directory in which typescript files should be created. If a typescript
needs to be recorded, this parameter is required. Specifying this parameter
enables typescript recording. If this parameter is omitted, no typescript
will be recorded.

2) "typescript-name"

The base filename to use when determining the names for the data and timing
files of the typescript. This parameter is optional. If omitted, the value
"typescript" will be used instead.

Each typescript consists of two files which are created within the
directory specified by "typescript-path": "NAME", which contains the raw
text data, and "NAME.timing", which contains timing information, where NAME
is the value provided for the "typescript-name" parameter.

This parameter only has an effect if typescript recording is enabled. If
the "typescript-path" is not specified, recording of typescripts will be
disabled, and this parameter will be ignored.

3) "create-typescript-path"

If set to "true", the directory specified by the "typescript-path"
parameter will automatically be created if it does not yet exist. Only the
final directory in the path will be created - if other directories earlier
in the path do not exist, automatic creation will fail, and an error will
be logged.

This parameter is optional. By default, the directory specified by the
"typescript-path" parameter will not automatically be created, and attempts
to record typescripts in a non-existent directory will be logged as errors.

This parameter only has an effect if typescript recording is enabled. If
the "typescript-path" is not specified, recording of typescripts will be
disabled, and this parameter will be ignored.

Thanks,

- Mike

[1] http://man7.org/linux/man-pages/man1/script.1.html
[2] http://man7.org/linux/man-pages/man1/scriptreplay.1.html

Re: Pass credentials to RDP session

[Mike Jumper]

On the contrary, this is implemented and possible. You need to use
parameter tokens:

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

If you set the username and password parameters to "${GUAC_USERNAME}" and
"${GUAC_PASSWORD}" respectively, they will automatically be substituted
with the username and password that the user provided when they
authenticated with Guacamole.

- Mike


On Mon, Jun 13, 2016 at 8:55 AM, Nick Couchman 
wrote:

> Ferron,
> I do not believe it is currently possible to pass credentials through from
> authentication to remote sessions.  I'm sure it's just a matter of
> implementing it, but does not existing in the current code base.
>
> -Nick
>
> On Jun 13, 2016, at 01:15, Ferron Nijland - Switch IT Solutions <
> f.nijl...@switch.nl> wrote:
>
> Hello,
>
>
>
> I've guacamole 0.9.9 up and running with LDAP authentication.
>
> Is it possible to pass these credentials to the rdp session?
>
> I'm looking forward to your answer.
>
> Kind Regards,
>
>
>
> Ferron Nijland
>
>
>
>
>
>
>
>
> --
>
> This e-mail may contain SEAKR Engineering (SEAKR) Confidential and
> Proprietary Information. If this message is not intended for you, you are
> strictly prohibited from using this message, its contents or attachments in
> any way. If you have received this message in error, please delete the
> message from your mailbox. This e-mail may contain export-controlled
> material and should be handled accordingly.  ­­
>

Re: Map LDAP goups to connections

[Mike Jumper]

On Wed, Jun 1, 2016 at 11:16 PM, Östh Mikael 
wrote:

> Thank you for the prompt reply. Then I guess the only way for us to bulk
> manage users is via AD schema modification or by editing the MySQL database
> directly?
>
>
Correct.

- Mike

Re: Installing Apache Guacamole under Apache TomEE

[Mike Jumper]

On Thu, Jun 2, 2016 at 8:23 AM, Greg Trasuk  wrote:

> Hi all:
>
> I’m trying to use Guacamole under Apache TomEE - There’s going to be an
> additional web app that I’d like to use EE6 features with.  Starting up
> Guacamole fails.  In the Tomcat logs, there are a number of entries like:
>
> Jun 02, 2016 2:56:56 PM org.apache.tomee.catalina.TomEEClassLoaderEnricher
> validateJarFile
> WARNING: jar
> '/usr/share/tomcat/webapps/guacamole/WEB-INF/lib/javax.inject-1.jar'
> contains offending class: javax.inject.Inject. It will be ignored.
> Jun 02, 2016 2:56:56 PM org.apache.tomee.catalina.TomEEClassLoaderEnricher
> validateJarFile
> WARNING: jar
> '/usr/share/tomcat/webapps/guacamole/WEB-INF/lib/jersey-core-1.17.1.jar'
> contains offending class: javax.ws.rs.Path. It will be ignored.
> Jun 02, 2016 2:56:56 PM org.apache.tomee.catalina.TomEEClassLoaderEnricher
> validateJarFile
> WARNING: jar
> '/usr/share/tomcat/webapps/guacamole/WEB-INF/lib/jsr250-api-1.0.jar'
> contains offending class: javax.annotation.PostConstruct. It will be
> ignored.
> Jun 02, 2016 2:56:57 PM org.apache.openejb.config.ConfigurationFactory
> configureApplication
> INFO: Configuring enterprise application:
> /usr/share/tomcat/webapps/guacamole
> Jun 02, 2016 2:56:57 PM org.apache.openejb.config.AppInfoBuilder build
> INFO: Enterprise application "/usr/share/tomcat/webapps/guacamole" loaded.
> Jun 02, 2016 2:56:57 PM org.apache.openejb.assembler.classic.Assembler
> createApplication
>
> followed later by a number of “NoClassDefFound” for classes that are
> defined in those jar files.
>
> My suspicion is that TomEE is unhappy with Guacamole’s use of Google Guice.
>

It seems unhappy with both Google Guice and Jersey.


> Any suggestions?
>

The whole situation is rather disturbing. I'm definitely not a fan of this
automatic amputation of bundled libraries from a .war file.

On one hand, the whole point of TomEE seems to be that it is Tomcat plus
several APIs, so I can understand that refusing to load conflicting
implementations would be a necessity, but on the other hand I'm not sure
how any application could be safely deployed under TomEE without having
been explicitly designed with this in mind.

What specific classes were the "NoClassDefFound" errors for? It may be
possible that Guacamole could be modified to be immune to this behavior,
but that will depend on how deep these cuts go, as well as the design of
Guice/Jersey.

Thanks,

- Mike

Re: Portuguese European (pt-PT) RDP keyboard layout.

[Mike Jumper]

On Fri, Jun 17, 2016 at 4:49 AM, Joao Alexandre 
wrote:

> Hi All,
>
> I do understand that this mailing list isn't an answering machine, but
> could anyone give me some help, tip, please?
>
>
Hi João,

Please be patient [1]. Sometimes we respond quickly, other times slowly. We
always try to respond eventually, but we are all volunteers here. There's
no harm in giving your email thread a friendly bump, but please keep this
in mind.


> On Wed, Jun 15, 2016 at 5:42 PM, Joao Alexandre 
> wrote:
>
>> Hi All,
>>
>> I would like very much to have a Portuguese European (pt-PT, Portugal)
>> RDP keyboard layout in Guacamole.
>>
>> I'm not a programmer, but I'm available to help anyway to accomplish this.
>>
>
Great!

This actually shouldn't be too tricky. Adding a new keyboard layout does
not require any real programming, but you would need to create a keyboard
mapping file. There are a few examples of this in the source [2][3], so the
first thing I would recommend is that you take a brief look at those files
and see what you think.

You need to understand at least conceptually the purpose of these mappings.
Guacamole uses "keysyms" to represent pressed/released keys. These are
conveniently well-defined by X11 and are quite thorough; they represent the
*identity* of a key, as well as the implied behavior. If you attempt to
type "a", Guacamole will send the keysym representing the lowercase letter
"a". Protocols like VNC and SSH are very happy with this, as they also only
care about the identity of the key or character, not the hardware
implementation of that key.

RDP is a different animal. It uses scancodes to represent keys. Keyboard
scancodes do not represent the identity of the key - they represent the
*location* of the key. If you press "a" while using an RDP client, the
client sends a key event to the server which more-or-less translates to
"the user pressed the second key in the second row". Clearly, determining
what that actually means depends on the keyboard layout, which brings us to
Guacamole's RDP keymap system:

Guacamole's RDP support contains a system which translates received keysyms
to a corresponding sequence of scancodes, where that sequence is whatever
is required to duplicate the function of the pressed key on the RDP server.
Often, this is a simple one-to-one mapping of keysym to scancode, but it
can get much more complicated. Take, for example, the "@" character:

On a US keyboard, this is typed by pressing Shift+2. On a German keyboard,
this is typed by pressing AltGr+Q. Thus, if you're using a US keyboard
while connected to an RDP server that expects a German keyboard, Guacamole
has to perform some shuffling when following when you type "@":

1) The Shift key is currently held down, but the remote keyboard cannot
type "@" with Shift. Release Shift.
2) The AltGr key is not held down, but the remote keyboard requires this
for "@". Press AltGr.
3) The "@" key maps to scancode 0x10 - send that.
4) The AltGr key was not originally held down. Release AltGr to restore
state.
5) The Shift key was originally held down. Press Shift to restore state.

This behavior is automatic thanks to the keymap files mentioned above. In
this case, it's due to the following simple line in the German keyboard
mapping file:

map +altgr -shift 0x10 ~ "@"

which essentially means "to type '@', use scancode 0x10, and ensure that
AltGr is pressed and Shift is released". The keymap file syntax is more
flexible than this, though, and allows you to define entire swaths of keys
in a way that is visually easy to verify:

map -altgr -shift  0x02..0x0C  ~ "1234567890ß"
map -altgr -shift  0x10..0x1B  ~ "qwertzuiopü+"
map -altgr -shift  0x1E..0x28 0x2B ~ "asdfghjklöä#"
map -altgr -shift 0x56 0x2C..0x35  ~ "http://www.apache.org/dev/contrib-email-tips#patience
[2]
https://github.com/apache/incubator-guacamole-server/blob/master/src/protocols/rdp/keymaps/en_us_qwerty.keymap
[3]
https://github.com/apache/incubator-guacamole-server/blob/master/src/protocols/rdp/keymaps/de_de_qwertz.keymap

Re: keyboard does not take effect out of the div of display

[Mike Jumper]

On Wed, Jun 15, 2016 at 7:24 AM, 李小蛟  wrote:
> hello,

Hello,

First, please be careful when sending email - I'm not sure what's
going on here, but you're using an absolutely enormous font... 36px is
pretty excessive. If you're unsure how to set this in your mail
client, I'd recommend switching to text-only mail.

I am responding in plain text mode to de-format this email and make
things readable again.

> here,i have a question .Just as the picture below:On the top,here is a
> display of vnc connection,and on the bottom of the display is a input .  So
> when i type in the input,all the keyboard input was sent into the display.
> it was not what i wanted.How could I do to solve this problem?

If you want to receive keyboard events generically across the window,
you will need to use the document object. Using something else will
mean that keyboard events will only occur when that object has focus,
which can be difficult to predict and may not work at all.

Instead, I would recommend continuing to use the document object, but
instead disable handling of the keyboard while your input fields have
focus. You can do this by:

1) Tracking focus with the "blur" and "focus" events provided by the browser.
2) Returning true within your onkeydown handler when you wish to allow
the events through to your input field.
3) Not calling sendKeyEvent() except when you want a key event to be
sent to the remote desktop server.

Thanks,

- Mike

Re: Portuguese European (pt-PT) RDP keyboard layout.

[Mike Jumper]

On Sat, Jun 18, 2016 at 4:28 PM, Joao Alexandre
 wrote:
> Hi Mike,
>
> Sorry, I've sent a message without being finished.
>
> I've always been a polite guy, but my 52 years old is driving me impatient,
> so I'm really sorry for my precipitated "bump myself".
>
> First things first, thank you Mike for this detailed, time consuming and
> enlightened reply.
>

No problem!

> Indeed yesterday, I've made a git clone of both Guacamole server and client,
> as I've found the files you've mentioned at "src/protocols/rdp/keymaps".
> I've looked at all of them, made a new one based on the French or Italian
> files, I really don't recall, and altered a Makefile so that the
> "pt_pt_qwerty.keymap" would get compiled. After I tried to test it but then
> I've realized that the web client interface didn't have the option to choose
> my new keyboard, and I could not find out to do it.

Ah, OK.

> Next, I've copied my new Portuguese keymap file over the failsafe.keymap,
> that I thought it was the unicode option in the web interface. I tried these
> combination but I had several mismatch keys. I also search in Google for
> keyboard scan codes, but I could find any information useful, at least to my
> knowledge, so I got frustrated. The Portuguese keyboard has more keys than
> the English one, and at the end of the day I've quit.
>

Figuring out the proper scancodes for keys which are missing from the
English keyboard will be difficult, but not impossible. They must
exist if such keyboards work with RDP at all, so it's just a matter of
time.

> Today after reading your post, I've decided to give it another try, I still
> have doubts.
>
> Forme the Portuguese keymap file should look like this:
>
> parent  "base"
> name"pt-pt-qwerty"
> freerdp "KBD_PORTUGUSE"
>
> #
> # Basic keys
> #
>
> map -altgr -shift 0x29 0x02..0x0D  ~ "\1234567890'«"
> map -altgr -shift  0x10..0x1B  ~ "qwertyuiop+'"
> map -altgr -shift  0x1E..0x28 0x2B ~ "asdfghjklçº~"

Looks good so far, though "KBD_PORTUGUSE" should be "KBD_PORTUGUESE".

> map -altgr -shift 0x56 0x2C..0x35  ~ " (the last character of the second row is a dead key, the accent character in
> "a" letter like á)
>

Dead keys may be a problem. We've had issues supporting these in the
past, as it varies widely by browser and OS how the resulting key
events are exposed to JavaScript (if at all).

I'd be interested to hear what you see when you type "á" using dead
keys while on our JavaScript key event test page:

http://guacamole.incubator.apache.org/pub/tests/key-event-test.html

As well as what happens on the Guacamole key event test page:

http://guacamole.incubator.apache.org/pub/tests/guac/keyboard-test.html

> map -altgr +shift 0x29 0x02..0x0D  ~ "|!"#$%&/()=?»"
> map -altgr +shift  0x10..0x1B  ~ "QWERTYUIOP*`"
> map -altgr +shift  0x1E..0x28 0x2B ~ "ASDFGHJKLçª^"
> map -altgr +shift 0x56 0x2C..0x35  ~ ">ZXCVBNM;:_"
>
> #
> # Keys requiring AltGr
> #
>
> map +altgr -shift 0x12 ~ "€"
> map +altgr -shift 0x09 ~ "["
> map +altgr -shift 0x0A ~ "]"
> map +altgr -shift 0x03 ~ "@"
> map +altgr -shift 0x04 ~ "£"
> map +altgr -shift 0x05 ~ "§"
> map +altgr -shift 0x08 ~ "{"
> map +altgr -shift 0x0B ~ "}"
> map +altgr -shift 0x1A ~ "¨"
>
> Those this looks OK to you?
>

In general, yes, but I don't have a Portuguese keyboard to compare
against. If these mappings seem to work for you thus far (with the
exception of dead keys), then I'd say you're on the right track.

> Yesterday, I've tried a similar setup on failsafe.keymap supposing it was
> the unicode option in the web client, but some keys didn't work like 0x29 \
> between others.
>

The "failsafe.keymap" is a barebones keymap which defines only the
keys common to most layouts which are not available via Unicode. The
keymap system built into Guacamole's RDP support will default to
sending Unicode events (which are distinct from key events, but
supported by Windows and RDP) if there are no combinations of
scancodes which can produce the desired effect. By not defining
virtually any keys, the failsafe keymap forces use of Unicode events
for everything.

> Last questions:
>
> - does failsafe.keymap correspond to unicode?

Yes, in that it forces the Guacamole RDP keymap system to fallback to
Unicode events. This can be problematic in some cases, however,
especially if the RDP server does not implement Unicode events (like
XRDP and some virtualization software).

> - Is it easy to add a new keyboard option in the web client?
>

Yes. All available options for the admin interface are defined using
JSON within guacamole-ext [1]. You would need to add your option to
that JSON definition.

Once that's done, you'll need to add a translation string at least for
English so that the interface knows what to display when rendering the
option [2].

> Once more, thank you.
>

Sure thing. Please give it another shot, and definitely come back if
you have any further questions.

It would be wonderful to get some more key

Re: Problem Connecting to certain hostnames

[Mike Jumper]

Hi Keith,

The connection name shouldn't make any difference - they are completely
arbitrary. I'm inclined to think that the cause is elsewhere, and that the
change in name is a coincidence.

If it's complaining about an invalid type, it sounds like the "type"
portion of the URL (as you're using the legacy URLs extension) is invalid.
My guess would be that it was omitted entirely, and thus guac is attempting
to decode the name as if it were one of the new base64 identifiers that
embeds the type, name, underlying datasource, etc. This would, of course,
not result in valid values.

The old style of URL which the legacy extension brings back to life uses
".../client/c/ID" or ".../client/g/ID", where the "c" and "g" are the type.
In the case of NoAuth, this will always be "c".

Thanks,

- Mike
On Jun 20, 2016 10:17 AM, "Andrews, Keith" 
wrote:

> Hello,
>
>
> I have been facing an issue for some time now and have tried everything to
> no avail.  I am using v 0.99 with the no-auth and  legacy-urls extension,
> so that I can connect directly via the hostname i.e.
> http://:8080/guacamole/#/client/.  The problem is
> that there appears to be an issue with certain hostnames which makes
> absolutely no since.  For example, this hostname works:
>
>
>
> 
>
> 
>
> 
>
> 
>
>
>
> catalina.out:
>
> 10:12:08.729 [http-bio-8080-exec-3] INFO
> o.g.g.n.b.r.a.AuthenticationService - User
> "36d2727a-fe03-4111-a930-37c9899c0fc7" successfully authenticated from
> 10.4.16.203.
>
> 10:12:09.431 [http-bio-8080-exec-4] INFO
> o.g.g.net.basic.TunnelRequestService - User
> "36d2727a-fe03-4111-a930-37c9899c0fc7" connected to connection
> "Brocade-SSH".
>
>
>
> But this hostname doesn't:
>
>
>
> 
>
> 
>
> 
>
> 
>
>
>
> catalina.out:
>
> 10:10:08.348 [http-bio-8080-exec-3] INFO
> o.g.g.n.b.r.a.AuthenticationService - User
> "34557901-71d7-4c93-bb38-def37c83c5b9" successfully authenticated from
> 10.4.16.203.
>
> 10:10:08.824 [http-bio-8080-exec-1] ERROR
> o.g.g.n.b.w.t.GuacamoleWebSocketTunnelServlet - Creation of WebSocket
> tunnel to guacd failed: Illegal identifier - unknown type
>
>
>
> Any ideas of what the problem could be?
>
>
> Thanks,
> Keith
>
>
>
>
>
> --
> This e-mail message is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any unauthorized
> review, use, disclosure or distribution is prohibited. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies of the original message. If you are the intended recipient,
> please be advised that the content of this message is subject to access,
> review and disclosure by the sender's e-mail System Administrator.
>

Re: Problem Connecting to certain hostnames

[Mike Jumper]

On Mon, Jun 20, 2016 at 10:55 AM, Andrews, Keith
 wrote:
> Problem solved!  Thanks Mike!

Great!

>
> The missing “c” was the issue.  Weird how certain hostnames didn’t require it 
> and other did.
>

They do require it. I'm not sure what could have been happening, but
it's impossible that the type was not required. The type is a critical
part of the connection's identity, and the connection cannot be
located by the provided value if this is not provided.

I can only say that the cause of the behavior you were seeing must
have been something else. If the connections were previously working,
the most likely explanation is that the "c" was present in those
cases.

Re: Guacamole and linux Pulseaudio

[Mike Jumper]

On Jun 25, 2016 12:59 PM, "brian mullan"  wrote:
>
> I've implemented a set of 6 scripts to install Guacamole w/NGINX,
Tomcat8, Mysql on Ubuntu 16.04 servers.
>
> I also install Pulseaudio in the Host/Server and configure it (/etc/pulse/
default.pa) to load the Pulseaudio TCP module:
>
> load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;
10.0.3.0/24 auth-anonymous=1
>
> ...
>
> Each connection is configured with RDP and RDP security.
>
> I create several test users also and give each use access to multiple LXD
container connections.
>
> Logout of Guacamole & log back in as one of the "test" users and I can
connect to and log into Ubuntu-Mate desktop on any of the containers just
fine.
>
> Running "pactl list modules"  in any of the LXD containers shows the same
Pulseaudo "modules" loaded as the Host/Server.
>
> However, audio/sound played in any of the LXD containers can't be heard.
>

Hi Brian,

Guacamole does not use PulseAudio for grabbing the audio of an RDP
connection. It supports PulseAudio for VNC connections because VNC
otherwise lacks its own standard support for audio, but with RDP the
"RDPSND" channel will be used.

If you wish to use RDP, then the next step would be to determine why your
RDP server is not providing audio via RDPSND. Though XRDP may well use
PulseAudio behind the scenes, the RDP client (in this case: Guacamole) need
not be aware of this; the RDP-facing side of this audio should be standard
RDPSND.

Alternatively, if you are OK with using a VNC server instead of RDP, you
could do so and then use PulseAudio as you were originally expecting.

Thanks,

- Mike

Re: Guacamole and linux Pulseaudio

[Mike Jumper]

On Jun 25, 2016 8:03 PM, "brian mullan"  wrote:
>
> Thanks Mike for the response.   I'm no wiz with RDP :-)
>
> Just understanding what you've described helps.
>
> So if I can make an RDP connection to  one of the LXD containers & bring
up the desktop OK... it should be the xrdp/x11rdp drivers in that Container
that support that connection's job to pass the pulseaudio to RDPSND
channel...

Correct so far.

> ... which should be directly sent back to the remote end-user's browser &
played then locally because that RDPSND channel is part of the original
browser connection to Guacamole?
>

Not quite. In spirit, yes, but:

The Guacamole JavaScript client has no concept of RDP (or VNC ... or SSH
...). It speaks only the Guacamole protocol, which defines its own
universal flavor of in-band audio streams.

The RDP client piece that uses RDPSND sits behind guacd, as does the VNC
client piece that uses out-of-band PulseAudio. Both of these components
digest different protocols and different audio sources but ultimately
produce the same type of output: Guacamole protocol with in-band audio
streams. The only difference here is where that audio actually came from,
but that is intentionally opaque to the client.

- Mike

Re: Custom Authentication with DIGITAL Certificate from a Apache HTTP Reverse Proxy

[Mike Jumper]

On Tue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano 
wrote:

> Hi,
>
> I have an Apache HTTP Server with  SSL authentication  (Client
> certificate  Authentication). This Apache HTTP Server reverse proxies from
> port 443 to Guacamole ajp port  8009
>
> The  Guacamole setup uses the mysql jdbc authentication extension
> (guacamole-auth-jdbc-mysql-0.9.9.jar).
>
> I wrote an extension that perform authentication based on  the "Common
> Name" of the user's Client Digital Certificate. The extension retrieves the
> "Common Name" from the certificate and the "Common Name" is then used by
> MYSQL authenticator (MYSQL authenticator trusts the extension
> authentication).
>
> Now, when I browse to  Guacamole web portal (https://MYIP/guacamole/), a
> client certificate is required by Apache; after I select the  client
> certificate, the   "default Guacamole login page" is displayed (index.html)
> and when clicking  on the Login button (without entering any
> username/password) I can access with success to the "Guacamole Home Screen"
>
> My questions are:
> - Can I customize the "default Guacamole login page"  to remove the
> username and password field and leave only the "Login" button?
>

There is no login "page" per se - the username and password fields are
generated dynamically, based on a machine-readable description of the
credentials required when an authentication attempt fails:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo.html

If you do not wish the username/password fields to appear, then simply do
not ask for them when you throw your GuacamoleInvalidCredentialsException.

The part of the code that actually does this within the JDBC auth is here:

https://github.com/apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.java#L80-L81

Some older code may not throw these exceptions at all, relying instead on
behavior providing backwards compatibility with older versions of Guacamole
that did not have these exceptions. In such a case, Guacamole would throw
this exception for you, and would include the username/password fields.

- Can I insert the "common name" of the certificate in the login page (e.g.
> Welcome " " User;
> or
> - Can I bypass the "default login page" and connect directly to the
> "Guacamole Home Screen"?
>

There no need to bypass it, as it doesn't truly exist. The authentication
system is flexible enough that if you don't wish to prompt the user for
credentials, then all you need to do is not ask for them.

Visiting any page within Guacamole results in an authentication /
reauthentication attempt, so your AuthenticationProvider will be queried
and requeried regarding whether the user is authorized. The login form
appears only in response to an error thrown by the extension indicating
that additional credentials are required, or that the provided credentials
are invalid.

If your AuthenticationProvider's authenticateUser() implementation returns
an AuthenticatedUser and does not throw a
GuacamoleInvalidCredentialsException (or
GuacamoleInsufficientCredentialsException), then they will not be prompted
for anything.

Thanks,

- Mike

Re: Please add us as a support group for Guacamole

[Mike Jumper]

On Tue, May 31, 2016 at 3:14 PM, Mike Jumper 
wrote:

> On Tue, May 31, 2016 at 1:57 PM, Jim Sullivan  wrote:
>
>> Mike:
>>
>>
>>
>> Thanks for the clarification. Based on that we are adding Guacamole
>> support to our website. We look forward to working with the community, and
>> we look forward to working with Guacamole users.
>>
>>
>>
>
> Thanks, Jim. I've opened an issue in our JIRA [1] to track this, as well
> as a pull request on GitHub [2] to add the content.
>
> - Mike
>
> [1] https://issues.apache.org/jira/browse/GUACAMOLE-43
> [2] https://github.com/apache/incubator-guacamole-website/pull/12
>
>
Hi Jim,

Looking through the Arcisphere site, and clicking the links that a user
searching for support would presumably click on, I'm still not seeing where
support for Apache Guacamole is listed as an available service.

As a project, we naturally can't vet support providers or we would risk
violating project neutrality/independence, but we do need to at least
verify that such support is listed [1].

Any update?

Thanks,

- Mike

[1]
https://lists.apache.org/thread.html/782a7d0d5a0517319795215dd64342015ab7a5ad5b22295ee1fbcf7a@%3Cdev.guacamole.apache.org%3E

Re: An internal error has ...

[Mike Jumper]

On Jul 3, 2016 5:34 AM, "Nick Couchman"  wrote:
> ...
> - Have you tried restarting guacd and Tomcat?
>

With the exception of applying upgrades or installing extensions, you
should never have to do this.

- Mike

Re: Some Questions about guacamole-client-0.9.9

[Mike Jumper]

On Jul 3, 2016 7:27 AM, "Nick Couchman"  wrote:
>
> So, first, I think Mike would tell you not to use the NoAuth driver.

Yup.

> It is not really designed to be dynamically configured, so I don't think
there's any way to change it on the fly.

It is designed to reload the config file, so this is not entirely correct,
but yes: not meant to be used as a hack to integrate an external system.

> If you need to configure connections on-the-fly, either the Database or
LDAP modules should allow you to do this - you can configure the
connections in MySQL, PostgreSQL, or LDAP, and reload the home page, and
you'll see the connections.  The DB and LDAP modules are pretty easy to set
up and use.
>

The ideal way for integrating an external system providing dynamic
connection data, etc. would be to write an extension.

Just as we have implemented database, LDAP, etc. extensions, so too can
others write extensions which use any other backend system. There's no need
to use a database or LDAP directory (or XML) as an interface layer between
your application and Guacamole, when you can integrate with that
application directly.

- Mike

Re: An internal error has ...

[Mike Jumper]

On Jul 4, 2016 9:06 AM, "Amin Joodaki"  wrote:
>
> sire my sever located at isolated zone and don't have access to Internet,
but this problem happen.
>

Well... from the error message:

"... check your system logs."

And also from Nick:

>
> - What does the catalina.out file say?  Any more errors in it that help
solve the problem?
>

Have you looked through the logs, as suggested by Nick and the error
message itself?

That would be the best place to start. The true cause of errors will not be
exposed in the interface for security reasons, but information describing
the failure will be logged.

- Mike

Re: Status and calabilityof desktop sharing

[Mike Jumper]

On Jul 5, 2016 6:16 AM, "Neil Canham" 
wrote:
>
> Hi
>   Congratulations on becoming an Apache Incubator project!  I've been
following Guacamole for years and this is a wonderful step.
>

Thanks!

> We have a need to run several Windows desktops that can be logged into in
a browser, each one could be connected to by quite a few people
simultaneously, and they would need to have a shared view.  I've seen
mention of shared desktop support now in Guacamole but I can't see anything
in the docs.  Would Guacamole running against RDP support sharing one
connection across many users?  If so, how many simultaneous connections
could one remote desktop support?
>

Yes, this will be supported, but the feature has not yet been released.

At a low level, this is achieved via display replication. That much has
already been merged, but this is not currently being leveraged by the web
application portion. The issue in JIRA tracking the first user-visible
feature leveraging this is GUACAMOLE-5 [1].

If you have your own application driven by the Guacamole APIs, you can
leverage this already. You would need a recent build from git. Each
connection will have it's own ID generated by guacd upon creation, exposed
within Java by ConfiguredGuacamoleSocket [2]. If this ID is given to
another ConfiguredGuacamoleSocket via a GuacamoleConfiguration [3], the new
connection will join the existing connection rather than starting an
entirely new session.

There is no inherent limit to the number of users sharing of a connection.
The overhead of replicating a connection is negligible, especially compared
to a fully independent connection. Updates are only encoded once, with the
resulting data simply copied across all users of the shared connection.

- Mike

[1] https://issues.apache.org/jira/browse/GUACAMOLE-5
[2]
http://guacamole.incubator.apache.org/doc/guacamole-common/org/glyptodon/guacamole/protocol/ConfiguredGuacamoleSocket.html#getConnectionID--
[3]
http://guacamole.incubator.apache.org/doc/guacamole-common/org/glyptodon/guacamole/protocol/GuacamoleConfiguration.html#setConnectionID-java.lang.String-

Re: Connection list not displaying after LDAP login

[Mike Jumper]

On Fri, Jul 8, 2016 at 9:42 AM, Devlin, Joshua P. 
wrote:

> I can successfully authenticate users through OpenLDAP using the
> guacamole-auth externsion.  I have added the guacConfigGroup schema,
> created a connection group, and added the users as members of that group
> but do not get the connection list under the “ALL CONNECTIONS” section of
> the web page.
>
>
>
> Ubuntu 14.04 server
>
> Guacamole version 0.9.9
>
> Tomcat7
>
>
>
> * Guac Connection 
>
> ...
>
> member: cn=devuser,ou=Users,dc=aaabbb,dc=ccc,dc=d,dc=com
>
>
>
>  User Entry 
>
> # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b
> "ou=users,dc=aaabbb,dc=ccc,dc=d,dc=com" cn=devuser
>
> dn: uid=devuser,ou=Users,dc=aaabbb,dc=ccc,dc=d,dc=com
>

Hi Josh,

The current value of the member attribute of your guacConfigGroup
("*cn*=devuser,...")
does not match the actual DN of the user in question ("*uid*=devuser,...").
Try changing the member attribute of your guacConfigGroup such that it
contains the user's DN and see if that solves things.

Thanks,

- Mike

Re: URL parameters to automate guacamole session start?

[Mike Jumper]

On Mon, Jul 11, 2016 at 9:58 AM, Oliver Jones  wrote:

> Is there a way to configure a guacamole web server so it will accept a url
> something like this:
>
>
> https://hostname.example.com/guacamole?host=xxx&user=yyy&token=zzz&arg=
>
> I'd like this automatically to connect the guacamole web site visitor to a
> linux-hosted RDP session on the given host with the given username.
>
> The idea is to be able to publish relatively short-lived access URLs to
> particular users, and make them able to use an rdp session, without needing
> a username or password.
>
> Is this sort of thing available within today's Guacamole?  Is it
> conceivable an authorization extension could be developed to handle it?
>

Hi Ollie,

That should be possible, yes.

When any page within the Guacamole web application is visited, the
JavaScript first makes an authentication / re-authentication attempt,
including any parameters from the URL as parameters in that request. If you
implement an authentication extension, that extension will receive these
parameters via the Credentials [1] object passed to authenticateUser() [2]
and updateAuthenticatedUser() [3] (depending on whether the user is already
logged in).

The alternative to this, of course, would be to implement your own
purpose-built web application leveraging the Java and JavaScript APIs [4]
(guacamole-common and guacamole-common-js respectively) to provide the same
remote desktop functionality as the mainline Guacamole webapp, but with
your own authentication semantics. Those APIs were kept separate
specifically so that third parties could implement their own applications
without being restricted by our choices regarding authentication scheme,
interface design, etc.

Thanks,

- Mike

[1]
http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/Credentials.html
[2]
http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/AuthenticationProvider.html#authenticateUser-org.glyptodon.guacamole.net.auth.Credentials-
[3]
http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/AuthenticationProvider.html#updateAuthenticatedUser-org.glyptodon.guacamole.net.auth.AuthenticatedUser-org.glyptodon.guacamole.net.auth.Credentials-
[4] http://guacamole.incubator.apache.org/api-documentation/

Re: Pointers for debugging latest build

[Mike Jumper]

This thread has moved to the @dev list:

https://lists.apache.org/thread.html/8ad8edf7c488cdcc98ce8a0d7951aae5c152d0ce7dc2951d63d1a249@%3Cdev.guacamole.apache.org%3E


On Thu, Jul 7, 2016 at 9:04 AM, Neil Canham 
wrote:

> Hi
>   Having successfully installed and tested Guacamole 0.9.9 against a
> couple of RDP connections, I've now tried to build the client and server (I
> want to try out the desktop sharing functionality in the API).  Build has
> gone fine, then I had an issue with the FreeRDP libraries not being found
> (as reported by running guacd directly in the console);
>
> freerdp_load_library_symbol: failed to open
> /usr/lib/x86_64-linux-gnu/freerdp/guacsnd.so:
> /usr/lib/x86_64-linux-gnu/freerdp/guacsnd.so: cannot open shared object
> file: No such file or directory
>
> Solved by creating symbolic link as in this thread:
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/35f991bb/
>
> ie:  ln -s /usr/local/lib/freerdp/guac* /usr/lib/x86_64-linux-gnu/freerdp/
>
> After that, the webapp looked as if it was connecting.  Log shows:
>
> guacd[684]: INFO:   Creating new client for protocol "rdp"
> guacd[684]: INFO:   Connection ID is
> "$f45458f8-df00-42df-a751-c85623e9f159"
> guacd[699]: DEBUG:  Parameter "console" omitted. Using default value
> of 0.
> guacd[699]: DEBUG:  Parameter "console-audio" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "ignore-cert" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "disable-auth" omitted. Using default
> value of 0.
> guacd[699]: INFO:   No security mode specified. Defaulting to RDP.
> guacd[699]: DEBUG:  User resolution is 1562x920 at 96 DPI
> guacd[699]: DEBUG:  Parameter "dpi" omitted. Using default value of 96.
> guacd[699]: DEBUG:  Using resolution of 1560x920 at 96 DPI
> guacd[699]: DEBUG:  Parameter "enable-wallpaper" omitted. Using
> default value of 0.
> guacd[699]: DEBUG:  Parameter "enable-theming" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "enable-font-smoothing" omitted. Using
> default value of 0.
> guacd[699]: DEBUG:  Parameter "enable-full-window-drag" omitted. Using
> default value of 0.
> guacd[699]: DEBUG:  Parameter "enable-desktop-composition" omitted.
> Using default value of 0.
> guacd[699]: DEBUG:  Parameter "enable-menu-animations" omitted. Using
> default value of 0.
> guacd[699]: DEBUG:  Parameter "color-depth" omitted. Using default
> value of 16.
> guacd[699]: DEBUG:  Parameter "disable-audio" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "enable-printing" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "enable-drive" omitted. Using default
> value of 0.
> guacd[699]: DEBUG:  Parameter "drive-path" omitted. Using default
> value of "".
> guacd[699]: DEBUG:  Parameter "create-drive-path" omitted. Using
> default value of 0.
> guacd[699]: DEBUG:  Parameter "recording-name" omitted. Using default
> value of "recording".
> guacd[699]: DEBUG:  Parameter "create-recording-path" omitted. Using
> default value of 0.
> guacd[699]: INFO:   Resize method: none
> guacd[699]: INFO:   User "@9795d9ab-d36e-44bd-b189-4252baec05b0"
> joined connection "$f45458f8-df00-42df-a751-c85623e9f159" (1 users now
> present)
> guacd[699]: INFO:   Loading keymap "base"
> guacd[699]: INFO:   Loading keymap "en-us-qwerty"
> connected to :3389
> guacd[699]: INFO:   guacdr connected.
> guacd[699]: INFO:   guacsnd connected.
> guacd[684]: INFO:   Connection "$f45458f8-df00-42df-a751-c85623e9f159"
> removed.
>
> So the connection is formed, then removed.  No reason given.  Webapp never
> showed the desktop but RDP connection was definitely made (I know that
> because I kept a Windows RDP session connected one time and it was forcibly
> closed when Guacamole connected)
>
> So two things:
>
> 1. Is the symbolic link above required? Is it the right solution?
> 2. Any way I can find out more on why this isn't connecting?
>
>

Re: Sharing RDP session between multiple users

[Mike Jumper]

On Thu, Jul 7, 2016 at 3:16 PM, Pete Kruckenberg 
wrote:

> Apologies, I just found the archived discussion about this same question.
>
>
Hi Pete,

For the sake of those that find this thread while searching for an answer
to the same question, do you have a link to said archived discussion?

Thanks,

- Mike

Re: HOW do i create a connection?

[Mike Jumper]

On Wed, Jul 13, 2016 at 8:32 PM, Babatunde Busari <
babatunde.bus...@gmail.com> wrote:

> Anyone willing to help?
>
> I have everything setup, just want to know the steps to adding connection
> to a remote fresh install Ubuntu 16.04 LTS desktop
>
>
Hi Babatunde,

Regardless of how Guacamole has been installed, the method for adding
connections will depend on which authentication backend has been configured
(see below). I'm not sure what script you used specifically, but
if that script came with any documentation, it might point in the right
direction and/or mention what backend it is intended to set up. The
configuration methods for each backend are documented in the manual
[1][2][3].

Before you get too deep into debugging the results of your scripted install
... beware that we intentionally do not provide or support install scripts
as a project, and I must caution against their use. Writing a truly robust
script is extremely difficult. Such scripts may seem inviting at first, but
avoiding the "learning" part of a learning curve is self-defeating.

The closest thing to a scripted install that we officially support are the
Docker images [4]. These images make much of the installation/configuration
process simpler, but without hiding the architecture.

Thanks,

- Mike

[1]
http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#basic-auth
[2] http://guacamole.incubator.apache.org/doc/gug/jdbc-auth.html
[3] http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html
[4] http://guacamole.incubator.apache.org/doc/gug/guacamole-docker.html

Re: HOW do i create a connection?

[Mike Jumper]

On Jul 14, 2016 8:55 AM, "Babatunde Busari" 
wrote:
>
> Ok seems like i need to do something on the remote client desktop first
> What exactly do i need to do because i didn't know i had to do anything
as guacamole is said to be clienteles
>

No, not on the client. These kind souls are telling you that you need to
look at the machine you're trying to connect to - the machine whose
hostname you entered to produce the connection that you're using when you
log in.

>
> Lastly and again, why can't guacamole timeout if it cannot connect so i
can edit connection or at least keep working on the guacamole setup?
>

Guacamole timing out is one of the reasons you might see that error dialog.
The reconnect timer is only there for convenience.

If you want to go back to the settings, open the Guacamole menu by pressing
Ctrl+Alt+Shift, click your username to open the user menu, and then click
"Settings".

Using the Guacamole interface in general, as well as opening that menu, is
documented in the manual:

http://guacamole.incubator.apache.org/doc/gug/using-guacamole.html#guacamole-menu

- Mike

Re: HOW do i create a connection?

[Mike Jumper]

On Thu, Jul 14, 2016 at 10:11 AM, Babatunde Busari <
babatunde.bus...@gmail.com> wrote:

> Ok i have installed x1vnc
>
> apt install x11vnc
>
> and its running on port 631
>
>
What leads you to believe that x11vnc is running on port 631?

It's not impossible, but the circumstances that would lead to that are
pretty contrived. Port 631 is a privileged port [1] and is the default port
for CUPS / IPP [2], the printing system used by most Linux distributions,
including Ubuntu.

- Mike

[1] https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
[2] https://en.wikipedia.org/wiki/Internet_Printing_Protocol

Re: HOW do i create a connection?

[Mike Jumper]

On Jul 14, 2016 1:06 PM, "Mahmoud El Tabarane"  wrote:
>
> ... standard location in unix based is /etc/guacamole/user-mapping.xml
>

That's actually a common misconception. The default location is
GUACAMOLE_HOME/user-mapping.xml, unless overridden via guacamole.properties
(or with a symbolic link):

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#user-mapping

There is nothing within the Guacamole web application that will look into
/etc unless it is explicitly directed to do so through configuration.

Re: HOW do i create a connection?

[Mike Jumper]

On Thu, Jul 14, 2016 at 2:46 PM, Babatunde Busari <
babatunde.bus...@gmail.com> wrote:

> Ok i have installed tightvncserver and i have established connection but
> guacamole shows this screen below
>
> [image: Inline image 1]
>
> What do i do to be able to see desktop properly?
>

Babatunde,

Please just focus on getting VNC working *independently of Guacamole*
before continuing to assume the problem is on Guacamole side. Using a
normal VNC client, verify that you have things set up correctly. If you do
this, and you are still having trouble, then by all means post here and we
will gladly try to help. Beyond that, there's really no sense in beating
this dead horse further. Continue familiarizing yourself with VNC, get your
system working as expected. The Guacamole part should be a piece of cake
after that.

Best of luck,

- Mike

Re: Benchmark guacd performance with RDP

[Mike Jumper]

On Jul 18, 2016 1:03 AM, "Olivier Berthonneau" <
olivier.berthonn...@nanocloud.com> wrote:
>
> ...
>
> My guess is I will have to code a bot to connect to multiple sessions at
the same time. As I want the session to produce change on the screen to
generate load I was thinking of opening my session with a full screen video
playing a typical usage of a Windows session.
>
> Has anyone any thoughts about this before I jump in ?
>

Hi Olivier,

I would recommend against this approach. Doing this will nullify the remote
desktop features of RDP (like bitmap caching and copying rectangles between
surfaces).

The result may look visually similar, but the information that remote
desktop servers hook into for efficient operation will be gone. The server
will be forced to do nothing but frequent and large brute-force image
comparisons, followed by encoding those large areas. This will be orders of
magnitude more intense than what would happen compared to typical
operations with respect to processing.

If you want the benchmark to be representative, you will need to script the
inputs of the user such that the applications running on the remote desktop
server are actually opened, used in a way typical of a user, etc. I don't
think there are any shortcuts around that which wouldn't also defeat the
benchmark.

Thanks,

- Mike

Re: Login page cursor wait status

[Mike Jumper]

On Mon, Jul 18, 2016 at 6:02 AM, Danielson, Mark A 
wrote:

> Hello,
>
> I have an install of Guacamole .99 that auths against an ldap directory.
> The directory is rather large and it takes a moment or two to login, which
> is acceptable for the time being.  At the moment, when its searching
> though, it just sits there.  I’d like to change the cursor to "in progress"
> if possible.
>
> Is this something I can do with the css extension?  I am already using
> that to change the color scheme and logo of the login page.  Otherwise, can
> someone point in the right direction?
>
>
I believe so, yes. When a section of the Guacamole interface is loading,
the CSS class "loading" is applied:

https://github.com/apache/incubator-guacamole-client/blob/065548fcdd885a8f15cbb936f49a60cf9f08b414/guacamole/src/main/webapp/app/index/styles/loading.css

You can add an additional rule to your extension's CSS which uses this
class and the "cursor" property:

https://developer.mozilla.org/en-US/docs/Web/CSS/cursor

Keep in mind that this will only affect the mouse when it is over the
loading section. It will not affect the mouse in other parts of the
Guacamole interface, nor outside the browser.

Thanks,

- Mike

Re: RDP Display Size with IE and Firefox

[Mike Jumper]

Arseny and Peter,

On the browser side, what exact version of IE11 and Firefox are you using
when this fails? And under what operating system?


On Mon, Jul 18, 2016 at 7:15 PM, Peter Burdine  wrote:

> I am having the same issue as James.  If I try to use IE 11 or Firefox 47,
> the RDP session shows up as a little box on the bottom of the screen,  It
> only shows up as maybe 30x20 pixels.  If I set the zoom up to 400%, then I
> can see it is the login screen, but it is basically unusable.  I've tried
> setting the display width/height/dpi/color, but all it does is change the
> aspect ratio slightly.  It is still smaller than my thumbnail (literally).
> All of this works fine is Chrome, but the clients this is intended for can
> only use IE.
>
> Installed on CentOS 7.2.1511
> Apache Tomcat/7.0.54
> Guacamole 0.9.9
>
> This occurs on the most basic of installs (just following install
> instructions for Centos, with the user-mapping.xml), so I don't think I
> changed any settings that could have effected this.
>
> Has anyone else run into this and resolved the issue?
>
> Thanks,
> Peter
>
> The RDP screen in IE and Firefox does not fill the browser window; it
>> just sits at the bottom as a tiny dot. At first I thought it didn't work
>> at all, but then I noticed that if I zoom the browser to 400% or more, I
>> can recognize the RDP screen. Chrome browser works excellent, and
>> doesn't have that problem. I have upgraded the IE browser to the latest
>> version 11, and Firefox to
>> version 47. That didn't change a thing. I looked at using the "width" and
>> "height" display settings under the
>> xml settings, but I'd like the display to take full size of the browser
>> window automatically as it does in Chrome.
>> I'm running guacamole 0.9.8 for close to a year now, and very happy with
>> it exception this little hickup. Since I don't see anyone else having
>> this problem on the forum, my guess
>> is I'm missing something small in the configuration. I looked around,
>> but couldn't find what I'm missing. If anyone can point me in the right
>> direction, it would be great. thank you for the great product and the
>> community effort
>> James
>
>
>

Re: RDP Display Size with IE and Firefox

[Mike Jumper]

Can you provide a screenshot of the failure?

On Jul 18, 2016 9:01 PM, "Peter Burdine"  wrote:

> These are the configurations that aren't working:
> I've tried Win7, Server 2012R2, and Windows 10
> * Firefox 47.0 (Win7)
> * Firefox 47.0.1 (Win2012R2)
> * IE 11.0.9600.18376 (Win7/2012R2)
> * IE 11.420.10586.0 (Win10)
>
>
> Chrome 51.0.2704.103 works well on Win7 and Win10.
>
> On Mon, Jul 18, 2016 at 8:29 PM, Mike Jumper 
> wrote:
>
>> Arseny and Peter,
>>
>> On the browser side, what exact version of IE11 and Firefox are you using
>> when this fails? And under what operating system?
>>
>>
>> On Mon, Jul 18, 2016 at 7:15 PM, Peter Burdine 
>> wrote:
>>
>>> I am having the same issue as James.  If I try to use IE 11 or Firefox
>>> 47, the RDP session shows up as a little box on the bottom of the screen,
>>>  It only shows up as maybe 30x20 pixels.  If I set the zoom up to 400%,
>>> then I can see it is the login screen, but it is basically unusable.  I've
>>> tried setting the display width/height/dpi/color, but all it does is change
>>> the aspect ratio slightly.  It is still smaller than my thumbnail
>>> (literally).  All of this works fine is Chrome, but the clients this is
>>> intended for can only use IE.
>>>
>>> Installed on CentOS 7.2.1511
>>> Apache Tomcat/7.0.54
>>> Guacamole 0.9.9
>>>
>>> This occurs on the most basic of installs (just following install
>>> instructions for Centos, with the user-mapping.xml), so I don't think I
>>> changed any settings that could have effected this.
>>>
>>> Has anyone else run into this and resolved the issue?
>>>
>>> Thanks,
>>> Peter
>>>
>>> The RDP screen in IE and Firefox does not fill the browser window; it
>>>> just sits at the bottom as a tiny dot. At first I thought it didn't
>>>> work
>>>> at all, but then I noticed that if I zoom the browser to 400% or more,
>>>> I
>>>> can recognize the RDP screen. Chrome browser works excellent, and
>>>> doesn't have that problem. I have upgraded the IE browser to the latest
>>>> version 11, and Firefox to
>>>> version 47. That didn't change a thing. I looked at using the "width"
>>>> and "height" display settings under the
>>>> xml settings, but I'd like the display to take full size of the browser
>>>> window automatically as it does in Chrome.
>>>> I'm running guacamole 0.9.8 for close to a year now, and very happy
>>>> with
>>>> it exception this little hickup. Since I don't see anyone else having
>>>> this problem on the forum, my guess
>>>> is I'm missing something small in the configuration. I looked around,
>>>> but couldn't find what I'm missing. If anyone can point me in the right
>>>> direction, it would be great. thank you for the great product and the
>>>> community effort
>>>> James
>>>
>>>
>>>
>>
>

Re: Need to pull small but at least important change to MySQL Auth DB Create...

[Mike Jumper]

On behalf of James, who is currently having issues [1] responding on
the @user list:

>
> Good catch Sebastián!
>
> That should be an easy fix - I'll open a PR to fix this issue.
>
> Thanks
>   James
>

The pull request mentioned has since been merged [2], so that much
should be back to normal now.

- Mike

[1] https://issues.apache.org/jira/browse/INFRA-12334
[2] https://github.com/apache/incubator-guacamole-client/pull/35


On Tue, Jul 26, 2016 at 11:54 AM,   wrote:
> At the present day,
>
> ./extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql
>
> throws back a MySql error due to a missing comma...
>
>
> root@poc-lxc-1:~/incubator-guacamole-client-master# diff
> evil_sentence.sql_ORIGINAL evil_sentence.sql_MODIFIED
> 26c26
> < REFERENCES `guacamole_connection` (`connection_id`) ON DELETE SET NULL
> ---
>> REFERENCES `guacamole_connection` (`connection_id`) ON DELETE SET NULL,
> root@poc-lxc-1:~/incubator-guacamole-client-master#
> root@poc-lxc-1:~/incubator-guacamole-client-master#
>
>
> It's just a matter of adding that extra comma in order to get the
> create_schema_job successful
>
> Best Regards,
> Sebastián
>

Re: Need to pull small but at least important change to MySQL Auth DB Create...

[Mike Jumper]

Hi Sebastián,

Seeing as you knew enough to determine how to fix the problem
yourself, and that it would need to be fixed upstream, let me point
out that you can always open a pull request yourself. Contributions
are welcome and are necessary for a healthy open source project. This
isn't all that relevant now, as we made the change on our end and it's
been merged, but something to keep in mind going forward if you ever
feel the need to modify things.

Our contribution guidelines are here:

https://github.com/apache/incubator-guacamole-client/blob/master/CONTRIBUTING

Anyway, thanks again.

- Mike


On Tue, Jul 26, 2016 at 1:29 PM, Mike Jumper  wrote:
> On behalf of James, who is currently having issues [1] responding on
> the @user list:
>
>>
>> Good catch Sebastián!
>>
>> That should be an easy fix - I'll open a PR to fix this issue.
>>
>> Thanks
>>   James
>>
>
> The pull request mentioned has since been merged [2], so that much
> should be back to normal now.
>
> - Mike
>
> [1] https://issues.apache.org/jira/browse/INFRA-12334
> [2] https://github.com/apache/incubator-guacamole-client/pull/35
>
>
> On Tue, Jul 26, 2016 at 11:54 AM,   wrote:
>> At the present day,
>>
>> ./extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql
>>
>> throws back a MySql error due to a missing comma...
>>
>>
>> root@poc-lxc-1:~/incubator-guacamole-client-master# diff
>> evil_sentence.sql_ORIGINAL evil_sentence.sql_MODIFIED
>> 26c26
>> < REFERENCES `guacamole_connection` (`connection_id`) ON DELETE SET NULL
>> ---
>>> REFERENCES `guacamole_connection` (`connection_id`) ON DELETE SET NULL,
>> root@poc-lxc-1:~/incubator-guacamole-client-master#
>> root@poc-lxc-1:~/incubator-guacamole-client-master#
>>
>>
>> It's just a matter of adding that extra comma in order to get the
>> create_schema_job successful
>>
>> Best Regards,
>> Sebastián
>>

Re: auth. extension class loading error

[Mike Jumper]

On Thu, Jul 28, 2016 at 12:32 PM, Oliver Jones  wrote:
> Hi, I'm trying to implement an authorization extension to Guacamole.
>
> I'm trying to do this by creating a class that implements this interface in
> guacamole-ext:  org/apache/guacamole/net/auth/AuthenticationProvider.
>
> But when I put my .jar file in the extensions directory and bounce Tomcat,
> guacamole doesn't load properly and I get this class loader error in
> localhost.-MM-DD.log:
>
> SEVERE: Exception sending context initialized event to listener instance of
> class org.glyptodon.guacamole.net.basic.BasicServletContextListener
> java.lang.NoClassDefFoundError:
> org/apache/guacamole/net/auth/AuthenticationProvider
>

The issue here is that the version of the web application is from
prior to the move to the Apache Incubator, thus it doesn't know about
the org.apache.guacamole classes. The AuthenticationProvider class is
provided by guacamole-ext, which extensions expect to be provided by
the web application (and thus do not bundle the .jar internally).

You'll need to build a guacamole.war from the latest git to obtain a
Guacamole which can load an extension that uses the
org.apache.guacamole classes.

> This happens even before I mention the extension in the properties file.
>

Mention it how?

If you're referring to your extensions own properties, then no worries.

Just in case you're referring to the deprecated "auth-provider"
property, however: please don't use that. That property will either do
nothing (it doesn't exist in recent git [1]) or will result in a loud
warning in the logs and some of the extension subsystem being disabled
for compatibility with older releases which did use that property
(0.9.7, 0.9.8, and 0.9.9 will honor the property but log warnings
about its use [2]).

Thanks,

- Mike

[1] 
https://github.com/apache/incubator-guacamole-client/commit/c7a5f0bcd611f6acac003f18a2022a185a34a5ee
[2] 
https://github.com/glyptodon/guacamole-client/blob/162f4db386c3a612e8a1189e92b7f789d51945d8/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/extension/ExtensionModule.java#L145-L179

Re: auth. extension class loading error

[Mike Jumper]

On Fri, Jul 29, 2016 at 9:38 AM, Oliver Jones  wrote:
> Following up on my message from yesterday, I'm still stumped.
>
> Ubuntu 16.04 LTS, tomcat7, Java 1.8
>
> I built the tutorial auth extension described in chapter 18 of the Guacamole
> manual, and I have the same problem; this time it's the
> SimpleAuthenticationProvider that the class loader can't find.
>

Can you post the full text of the new error?

Re: Custom auth provider source control?

[Mike Jumper]

On Thu, Jul 28, 2016 at 11:21 AM, Oliver Jones  wrote:
> Dear fellow squashers of avocados
>
> Is there a best way to handle source control for a custom authentication
> provider extension?
>
> A fork of the github tree?  A separate repo?
>

The best way to write an authentication extension is to make a
separate Maven project, presumably in its own repository. The new
project shout not be part of the main source tree. In fact, the only
case where you should do such a thing is if you intend to contribute
that extension upstream such that it's part of the main Guacamole
build.

> I've tried the separate repo approach, and found that I have to copy the
> files of the that repo into the main source tree to get Maven to make my
> extension jarfile.

This is definitely not necessary. If your project will not build
unless it's part of the Guacamole source tree, then it sounds like
something is off in your pom.xml.

The pom.xml of an extension must:

1) Depend on the same guacamole-ext used by the web application (using
scope "provided").
2) Depend on the same guacamole-common used by the web application
(this will be pulled as a transitive dependency via guacamole-ext).
3) NOT reference the parent "guacamole-client" project (this is only
needed for extensions that are intended to be part of the Guacamole
source).
4) Result in building a .jar that contains (a) your extension's
classes, (b) the classes of all non-provided dependencies (not .jars -
the classes), and (c) the extension's guac-manifest.json.

If you think the .jar should satisfy the above, a quick way to verify
would be to unzip the built .jar to see if the contents are truly what
you expect.

- Mike

Re: LDAP and MySQL, single connection

[Mike Jumper]

On Tue, Aug 2, 2016 at 1:33 AM, Bastiaan van Haastrecht <
b.vanhaastre...@gmail.com> wrote:

> Hello again,
>
> I'm trying to find a solution for the folowing. I have my LDAP users in
> the GUAC settings portal. Currently I need to go into each user and assign
> an connection to the user, this is very time consuming and not automatic if
> a new user should be added to the LDAP directory.
>
> I would like to assign an connection to all existing and all new-to-come
> LDAP users. Like an auto provisioning rule based on LDAP group membership
> or other paramters. Is this posible?
>
>
With a build of Guacamole from git, yes. Support for role-based access
control was added after the 0.9.9 release and prior to its acceptance into
the Apache Incubator:

https://issues.apache.org/jira/browse/GUACAMOLE-12

You can add groups as members of a guacConfigGroup using the "seeAlso"
attribute. Users which are members of those groups will then have access to
the connections described by any associated guacConfigGroups.

- Mike

Re: custom authentication provider

[Mike Jumper]

On Tue, Aug 9, 2016 at 8:54 AM, Oliver Jones  wrote:

> Hi, all.
>
> I'm working on a custom authentication provider, following the example in
> Chapter 18 of the manual.
>
> I'm trying to authenticate using a one-time URL looking something like
> this:
>
>  https://hostname/guacamole?sessionkey=HardToGuessValue
>
> It seems, from the definition of the Credentials object, that I should be
> able to use code like this:
>
>HttpServletRequest request = credentials.getRequest();
>String sessionkey = request.getParameter("sessionkey");
>
> But, getParameter(), in this context, returns a null string.
>  getParameterMap() returns an empty dictionary object.   I'm obviously
> missing something. What's the right way to get URL parameters into a custom
> authentication provider?
>
>
That's the right way - but try:

https://hostname/guacamole/#/?sessionkey=HardToGuessValue

I think you're just running into differences in the way that AngularJS
handles query parameters. It's ultimately the client-side JavaScript which
grabs the parameters from the URL and forwards them along with the auth
attempt that occurs whenever a page is visited.

- Mike

Re: 0.9.10 release

[Mike Jumper]

Not quite imminent, but it's definitely testing time. Now is the time to
identify any glaring issues or regressions which should be addressed before
a release can be considered.

- Mike

On Aug 11, 2016 9:44 AM, "Zachary Bonjour" 
wrote:

>
> I see that there are no more open issues for this version.  Does that mean
> that the official release is imminent?
>
>
> NOTICE: This electronic mail message and any files transmitted with it are
> intended exclusively for the individual or entity to which it is addressed.
> The message, together with any attachment, may contain confidential and/or
> privileged information. Any unauthorized review, use, printing, saving,
> copying, disclosure or distribution is strictly prohibited. If you have
> received this message in error, please immediately advise the sender by
> reply email and delete all copies.

Re: 0.9.10 release

[Mike Jumper]

The best way to see which issues (thus far) are relevant to
0.9.10-incubating is through JIRA:

https://issues.apache.org/jira/browse/GUACAMOLE-13?jql=project%20%3D%20GUACAMOLE%20AND%20fixVersion%20%3D%200.9.10-incubating


On Thu, Aug 11, 2016 at 9:52 AM, Shashank Reddy  wrote:
> Can we see the Changelog for 0.9.10?
>
> On Thu, Aug 11, 2016 at 11:44 AM, Zachary Bonjour
>  wrote:
>
>
> I see that there are no more open issues for this version. Does that mean
> that the official release is imminent?
>
>
> NOTICE: This electronic mail message and any files transmitted with it are
> intended exclusively for the individual or entity to which it is addressed.
> The message, together with any attachment, may contain confidential and/or
> privileged information. Any unauthorized review, use, printing, saving,
> copying, disclosure or distribution is strictly prohibited. If you have
> received this message in error, please immediately advise the sender by
> reply email and delete all copies.

Re: 0.9.10 release

[Mike Jumper]

Looking over JIRA, it looks like there is still one remaining
in-flight task which has been partly completed (portions merged to
master) but was not properly tagged as 0.9.10-incubating:

https://issues.apache.org/jira/browse/GUACAMOLE-51

So once that's out of the way, the initial intended scope of the
release will be satisfied, but again - whether any additional work
remains beyond that will ultimately boil down to rounds of testing.

To that end ... please feel free to test as much as you can, even with
the above issue in progress. There's quite a lot done since the
pre-Apache 0.9.9 release many months ago.


On Thu, Aug 11, 2016 at 9:48 AM, Mike Jumper  wrote:
> Not quite imminent, but it's definitely testing time. Now is the time to
> identify any glaring issues or regressions which should be addressed before
> a release can be considered.
>
> - Mike
>
>
> On Aug 11, 2016 9:44 AM, "Zachary Bonjour" 
> wrote:
>>
>>
>> I see that there are no more open issues for this version.  Does that mean
>> that the official release is imminent?
>>
>>
>> NOTICE: This electronic mail message and any files transmitted with it are
>> intended exclusively for the individual or entity to which it is addressed.
>> The message, together with any attachment, may contain confidential and/or
>> privileged information. Any unauthorized review, use, printing, saving,
>> copying, disclosure or distribution is strictly prohibited. If you have
>> received this message in error, please immediately advise the sender by
>> reply email and delete all copies.

Re: Guacamole Performance

[Mike Jumper]

On Aug 11, 2016 6:44 PM,  wrote:
>
> Hi,
>
>
>
> I’ve recently installed a guacamole based tool to access remote machines.
In comparison to using TurboVNC directly to the same machine, guacamole
seems to perform very poorly (low fps, regular stutters, noticeable delay
between input and feedback)  and on safari some of the colours seem to be
messed up. I’m just wondering is this possibly because I’ve set it up
differently in some way to what it should be or if this is just the nature
of the additional web layer on top of vnc?
>

Hi Alex,

No, poor performance is definitely not expected, nor should there be any
browser-specific difference in color.

What tool are you referring to?

What version of Guacamole is involved, and how is it deployed? Any proxies?
SSL?

Thanks,

- Mike

Re: Guacamole Performance

[Mike Jumper]

On Thu, Aug 11, 2016 at 7:47 PM,  wrote:

> Hi Shanon,
>
>
>
> I’m not sure about the version numbers but I cloned guacamole-client and
> guacamole-server directly from https://github.com/glyptodon about a month
> ago so it should be pretty recent.
>

The latest development will be on the Apache repositories, so definitely
try against those:

https://github.com/apache/incubator-guacamole-client

https://github.com/apache/incubator-guacamole-server

A month ago is after the point where Guacamole was accepted into the Apache
Incubator, so there's a good change the code you cloned was actually closer
to ~6 months old.

That said, even that old should be fine ... 0.9.9 happened before that and
was a very decent release, and quite fast.

I should probably clarify that turbovnc runs without issues, it’s only
> guacamole.
>
>
Is there anything else you can tell us about your setup?

What does your network look like? What kind of machine is serving
Guacamole? Are you using Tomcat or some other servlet container? Are there
any proxies involved? etc.

You say that you're using a Guacamole-based tool. What differs here between
the tool (what tool?) and a stock Guacamole deployment?

Any additional information about the deployment details of guac would be
helpful.

- Mike

Re: guacamole 0.9.9 immediately disconnects all sessions

[Mike Jumper]

On Fri, Aug 12, 2016 at 3:18 PM, Steffen Moser 
wrote:

> Hi Benjamin,
>
> On 08/12/2016 08:39 PM, Cahill, Benjamin wrote:
> >...
> >
> > I failed to mention that I have already done this. The connections are
> > also failing in the same way for Windows XP RDP connections as well as
> > Linux SSH connections.
> >
> > Other ideas?
>
> I had quite similar problems when I upgraded from Tomcat 6 to Tomcat 8
> (both running on Solaris 11.3) after a server crash. The RDP connection
> was closed immediately after opening it and the message you mentioned
> was displayed. I didn't see any helpful logs, but I must admit that I
> unfortunately didn't have much time for further analyzing, because I had
> to restore the production system after its breakdown.
>
> Downgrading to Tomcat 6 fixed the problem for me.
>

Tomcat 8 *should* work fine (as should 7). I highly recommend against
downgrading all the way to Tomcat 6 - you'll lose support for WebSocket, as
well as any other enhancements the Tomcat community has made since.

If you find Tomcat 8 is failing, it'd be better to try a slightly-newer or
slightly-older version of the same (but still 8.0.x). You shouldn't need to
fall down two whole major releases.

The only version-specific issues I'm aware of with respect to Tomcat are
WebSocket being effectively broken in 7.0.61 and 8.0.21 (due to
https://bz.apache.org/bugzilla/show_bug.cgi?id=57776). They fixed that in
subsequent releases, though.

- Mike

Re: INVALID LOGIN UBUNTU

[Mike Jumper]

On Aug 14, 2016 5:44 AM, "Ankit Jain"  wrote:
>
> HELLO
>
> I am first testing on vm and had setup everything as described here
>
>
https://gist.github.com/jeffersonmartin/8236574/8b36ce844ad46d67ca7102b4b65df51957d7f460
>

Hi Ankit,

0.8.3 is three years old at this point. Please instead install the latest
version by following the instructions in the manual:

http://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html

All is not lost - much of what you learned through that tutorial is still
applicable. If you still encounter issues after following the manual, just
come back here and we'll try to help.

Thanks,

- Mike

Re: Using Android native keyboard

[Mike Jumper]

Hi Shashank,

Have you tried the "text input" option?

http://guacamole.incubator.apache.org/doc/gug/using-guacamole.html#text-input

Using that will allow you to use your device's native on-screen keyboard.

- Mike

On Aug 12, 2016 12:55 PM, "Shashank Reddy"  wrote:

> Is it possible to use the native Android keyboard to enter text when
> accessing the connections on Android device? Currently we need to
> constantly switch between onscreen keyboard and none which is not very
> intuitive.
>

Re: Filter User with LDAP Group

[Mike Jumper]

Hi Thiago,

You can't currently limit login based purely on LDAP group membership, but
there are recent WIP changes that would allow you to limit access to only
those users that also exist in the database (MySQL in your case):

https://issues.apache.org/jira/browse/GUACAMOLE-70

The code thus far is on a separate branch called "restrict-database-login":

https://github.com/mike-jumper/incubator-guacamole-client/tree/restrict-database-login

I'm not going to open a PR for that until we have 0.9.10-incubating behind
us, but if you want to give it a try, please do. With a guacamole.war and
MySQL auth .jar built from the above, you would specify the following in
your guacamole.properties:

mysql-user-required: true

Attempts to login via any other mechanism (including LDAP) will then be
denied unless that user has been associated with data in MySQL already.

Thanks,

- Mike


On Wed, Aug 17, 2016 at 5:34 PM, Thiago Cruz  wrote:

> Hello,
>
> I've implemented Gucamole with MySQL and Active Directory (no schema
> changed). Everything is working but I'd like to allow users to login if
> they are mapped into some LDAP group. I've tried using binding attributes
> with no sucess. Anyone know if is that possible?
>
> Regards,
>

Re:

[Mike Jumper]

On Mon, Aug 22, 2016 at 2:39 PM, Thomas Bereknyei 
wrote:

> Hi,
>
> I'm trying to package guacamole for NixOS. I ran into the following issue;
> Tomcat is serving the client and serves the login page. Guacd is running
> (compiled with ssh support) and I get the following errors. I can see that
> the client can at least interact with the server, but the server doesn't
> like the protocol, even though it was part of the compilation.
>
> guacd[1080]: INFO:  Protocol "ssh" selected
> guacd[1080]: WARNING:   Support for selected protocol is not installed
>
>
Is there anything unique about the way NixOS handles dlopen() (or the
system linker path)?

When a particular protocol is about to be used, guacd dynamically loads the
"libguac-client-PROTOCOL.so" library. This is done via a call to dlopen(),
which will search the system linker path for the library having that name.

If SSH support was built, but guacd fails to find it at runtime, that must
mean either:

1) The libguac-client-ssh.so library could not be found in the system
linker path by dlopen().
or 2) libguac-client-ssh.so did not get linked properly during the build,
and the linker thus cannot load it despite having otherwise found it
successfully (unlikely)

- Mike