MS SQL Extension Broken?

[sebastian.k]

Hi there,

I've setup guacamole on centos 7.4/rhel with the new MS-SQL extension from
version 0.9.14.
The problem is that users get "corrupted". After a fresh install I can login
once or twice with the guacadmin user without problems. But on the third or
forth login attempt I'm getting. "Unexpected internal error". I logged out
correctly every time. I also tried installing MS-SQL locally but the results
are the same.

I'm getting also error 500 in Chromes network manager.
({message: "Unexpected internal error.",…}
expected
:
null
message
:
"Unexpected internal error."
statusCode
:
null
translatableMessage
:
{key: "Unexpected internal error.", variables: null}
type
:
"INTERNAL_ERROR")
#
angular.js:9902 POST http://52.174.30.206:8080/guacamole/api/tokens 500
(Internal Server Error)
#
And my Catalina out says the following:
Feb 09, 2018 10:10:06 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Server version:Apache Tomcat/7.0.76
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Server built:  Oct 30 2017 10:21:55 UTC
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Server number: 7.0.76.0
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: OS Name:   Linux
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: OS Version:3.10.0-693.11.6.el7.x86_64
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Architecture:  amd64
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Java Home:
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: JVM Version:   1.8.0_161-b14
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: JVM Vendor:Oracle Corporation
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: CATALINA_BASE: /usr/share/tomcat
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: CATALINA_HOME: /usr/share/tomcat
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument: -Dcatalina.base=/usr/share/tomcat
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument: -Dcatalina.home=/usr/share/tomcat
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument: -Djava.endorsed.dirs=
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument: -Djava.io.tmpdir=/var/cache/tomcat/temp
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument:
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.VersionLoggerListener
log
INFO: Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Feb 09, 2018 10:10:07 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Feb 09, 2018 10:10:07 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Feb 09, 2018 10:10:07 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Feb 09, 2018 10:10:07 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3583 ms
Feb 09, 2018 10:10:08 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Feb 09, 2018 10:10:08 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Feb 09, 2018 10:10:08 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive
/var/lib/tomcat/webapps/guacamole.war
Feb 09, 2018 10:10:10 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable
debug logging for this logger for a complete list of JARs that were scanned
but no TLDs were found in them. Skipping unneeded JARs during scanning can
improve startup time and JSP compilation time.
Feb 09, 2018 10:10:11 AM com.google.inject.internal.ProxyFactory 
WARNING: Method [public void
org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory.add(org.apache.guacamole.net.auth.Identifiable)
throws org.apache.guacamole.GuacamoleException] is synthetic and is being
intercepted by
[org.mybatis.guice.transactional.TransactionalMethodInterceptor@2a9d7e33].
This 

Re: MS SQL Extension Broken?

[Mike Jumper]

On Fri, Feb 9, 2018 at 5:33 AM, Nick Couchman  wrote:

> On Fri, Feb 9, 2018 at 5:55 AM, sebastian.k  > wrote:
>
>> Hi there,
>>
>> I've setup guacamole on centos 7.4/rhel with the new MS-SQL extension from
>> version 0.9.14.
>> The problem is that users get "corrupted". After a fresh install I can
>> login
>> once or twice with the guacadmin user without problems. But on the third
>> or
>> forth login attempt I'm getting. "Unexpected internal error". I logged out
>> correctly every time. I also tried installing MS-SQL locally but the
>> results
>> are the same.
>> ...
>> It would be great if someone could tell me what I'm doing wrong.
>> Is somebody using MS SQL 2016 with latest Guacamole 0.9.14 without any
>> trouble?
>>
>> Thanks in advance
>>
>> Sebastian
>>
>
> It's definitely possible there is an issue with the MS-SQL Extension, but
> I have not run into this particular behavior.
>

I just managed to reproduce this myself. The problem is within the query
returning user information for a single account. From my test instance's
logs:

09:43:47.642 [http-nio-8080-exec-18] DEBUG
o.a.g.a.j.user.UserMapper.selectOne - ==>  Preparing: SELECT
[guacamole_user].user_id, [guacamole_user].username, password_hash,
password_salt, password_date, disabled, expired, access_window_start,
access_window_end, valid_from, valid_until, timezone, full_name,
email_address, organization, organizational_role, ( SELECT MAX(start_date)
FROM [guacamole_user_history] WHERE [guacamole_user_history].user_id =
[guacamole_user].user_id ) AS last_active FROM [guacamole_user] LEFT JOIN
[guacamole_user_history] ON [guacamole_user_history].user_id =
[guacamole_user].user_id WHERE [guacamole_user].username = ?
09:43:47.642 [http-nio-8080-exec-18] DEBUG
o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: guacadmin(String)
09:43:47.650 [http-nio-8080-exec-18] DEBUG
o.a.g.a.j.user.UserMapper.selectOne - <==  Total: 2
09:43:47.656 [http-nio-8080-exec-18] ERROR o.a.g.rest.RESTExceptionWrapper
- Unexpected internal error: Expected one result (or null) to be returned
by selectOne(), but found: 2
09:43:47.672 [http-nio-8080-exec-18] DEBUG o.a.g.rest.RESTExceptionWrapper
- Unexpected error in REST endpoint.
org.apache.ibatis.exceptions.TooManyResultsException: Expected one result
(or null) to be returned by selectOne(), but found: 2

The new login history tracking is resulting in multiple rows being returned
for a query which *should* be returning only one row, causing result sanity
checks to fail. I'll have to retest against MySQL and PostgreSQL to make
sure this isn't affecting those versions of the database extension, but I
believe this is isolated to SQL Server. The problem is that stray LEFT
JOIN, which should have been removed as part of the following commit:

https://github.com/apache/guacamole-client/commit/394a289879dba9273f976a9174ad4eec45b674c2

New issue in JIRA:

https://issues.apache.org/jira/browse/GUACAMOLE-505

- Mike

Re: Send PrintScreen key to the Remote Desktop

[Mike Jumper]

On Thu, Feb 8, 2018 at 11:25 PM, Amarjeet Singh 
wrote:

> ...
> I tried to send both keydown and keyup as well but didn't worked.
>
> Any suggestions.
>
> Can't we send keysym as we send for normal keys  ( a - z or A-Z or 0-9 ) ?
>
>
If the "printscreen" key is not working for RDP specifically, and it is
working with other RDP clients, that suggests that the key is simply not
mapped to a scancode. Checking the base keymap, I don't see a mapping for
this key:

https://github.com/apache/guacamole-server/blob/3187a641cf915f5d8d0a0e1b8b481442fcfe26c5/src/protocols/rdp/keymaps/base.keymap

If that is the reason this isn't working, you should see a message in your
guacd logs regarding the lack of mapping for that key, and adding support
for that key would be a matter of determining what scancode, flags, etc.
needs to be sent.

- Mike

Re: OpenID-Connect HTTP 500

[Nick Couchman]

On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier 
wrote:

> The response paylode is: {"message":"Invalid
> login.","translatableMessage":{"key":"Invalid
> login.","variables":null},"statusCode":null,"expected":[{"name":"id_tok
> en","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.jus
> tin-tech.com/auth/realms/Justin-Tech/protocol/openid-
> connect/auth?scope=openid+email+profile_type=id_token_i
> d=guacamole_uri=https%3A%2F%2Fguacamole.justin-
> tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENT
> IALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b
> 1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN]
> policy=1518147539
>
>
Mike can probably provide more precise information, but my guess is that
there is something about the response being sent back to the Guacamole
Session that Guacamole is unhappy about - either it isn't seeing the
id_token parameter when it expects to, or it's in a format it doesn't
expect, or something like that.  I've not used Guacamole with OIDC, so I'm
not going to be of very much help, here.

-Nick

Re: OpenID-Connect HTTP 500

[Justin Gauthier]

Hey Nick,

Thanks for the response!

I suspected as much, unfortunately I am unsure why it’s not seeing the token. 
Like I said, I don’t have anything else that uses OpenID to test the setup.

Hopefully Mike is able to assist when he gets a chance.

Thanks again for the help, it’s greatly appreciated.


From: Nick Couchman 
Sent: Friday, February 9, 2018 8:40:25 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier 
> wrote:
The response paylode is: {"message":"Invalid
login.","translatableMessage":{"key":"Invalid
login.","variables":null},"statusCode":null,"expected":[{"name":"id_tok
en","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.jus
tin-tech.com/auth/realms/Justin-Tech/protocol/openid-
connect/auth?scope=openid+email+profile_type=id_token_i
d=guacamole_uri=https%3A%2F%2Fguacamole.justin-
tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENT
IALS"}

I also see a GET for https://guacamole.justin-tech.com/#session_state=b
1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN]
policy=1518147539


Mike can probably provide more precise information, but my guess is that there 
is something about the response being sent back to the Guacamole Session that 
Guacamole is unhappy about - either it isn't seeing the id_token parameter when 
it expects to, or it's in a format it doesn't expect, or something like that.  
I've not used Guacamole with OIDC, so I'm not going to be of very much help, 
here.

-Nick

Re: MS SQL Extension Broken?

[Nick Couchman]

On Fri, Feb 9, 2018 at 5:55 AM, sebastian.k 
wrote:

> Hi there,
>
> I've setup guacamole on centos 7.4/rhel with the new MS-SQL extension from
> version 0.9.14.
> The problem is that users get "corrupted". After a fresh install I can
> login
> once or twice with the guacadmin user without problems. But on the third or
> forth login attempt I'm getting. "Unexpected internal error". I logged out
> correctly every time. I also tried installing MS-SQL locally but the
> results
> are the same.
> ...
> It would be great if someone could tell me what I'm doing wrong.
> Is somebody using MS SQL 2016 with latest Guacamole 0.9.14 without any
> trouble?
>
> Thanks in advance
>
> Sebastian
>

It's definitely possible there is an issue with the MS-SQL Extension, but I
have not run into this particular behavior.  I doubt very much that the
user - or at least the user information in the database - is actually
getting corrupted.  It's more likely some sort of connection error between
the extension or JDBC driver and SQL Server.  So, a few questions for you...
- What version of Java are you using?
- What version of Tomcat are you using?
- What make/model/version of the MS-SQL JDBC driver are you using?
- If you restart Tomcat, does the problem go away?
- If you create a new user while you're able to log in, does that user
account work when guacadmin does not?
- Are there any system-level messages - anything in dmesg output, or
/var/log/messages, etc., that indicates any other sort of problem (OOM,
SELinux, etc.)?

Also, if you could, could you configure the Guacamole Client for either
debug or trace logging and post the output (preferably in a PasteBin or
something like that, and not in the e-mail)?  This can be done by creating
a logback.xml file in GUACAMOLE_HOME, and you can find instructions for
what that file needs to contain here:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

-Nick