Re: RDP disconnects when a second user starts a different RDP session in a network device

2021-09-24 Thread Hankins, Jonathan 
Try disabling glyph caching (I algo have disabled bitmap and off-screen
caching on my connections.)

See: https://github.com/FreeRDP/FreeRDP/issues/6258

It looks like in Guacamole 1.4.0 they are disabling the caching.

https://issues.apache.org/jira/browse/GUACAMOLE-1191

-Jonathan Hankins


On Thu, Sep 23, 2021 at 5:11 AM Jose Moreno Delgado 
wrote:

> This error appear as well:
>
> guacd[76730]: ERROR:Connection closed.
> guacd[76730]: INFO: Internal RDP client disconnected
> guacd[76730]: INFO: User "@c30491ee-9957-46e4-9eb3-4b7778271b04"
> disconnected (0 users remain)
> guacd[76730]: INFO: Last user of connection
> "$18e70f32-9815-4804-a651-330ddbaf4250" disconnected
> guacd[6]: INFO: Connection "$18e70f32-9815-4804-a651-330ddbaf4250" removed.
> guacd[76918]: ERROR:User is not responding.
> guacd[76918]: INFO: User "@00d1360e-2a61-4a4b-a22f-c397ab247c5b"
> disconnected (0 users remain)
> guacd[76918]: INFO: Last user of connection
> "$8b84d2fd-b9c0-48ae-96fd-02a69295c9ef" disconnected
> guacd[77073]: ERROR:User is not responding.
> guacd[77073]: INFO: User "@089ef6d6-7c51-43d0-99af-1024b776a9c1"
> disconnected (0 users remain)
> guacd[77073]: INFO: Last user of connection
> "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" disconnected
> guacd[77073]: INFO: Internal RDP client disconnected
> guacd[6]: INFO: Connection "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" removed.
> guacd[76918]: INFO: Internal RDP client disconnected
> guacd[6]: INFO: Connection "$8b84d2fd-b9c0-48ae-96fd-02a69295c9ef" removed.
>
> --
> *De:* Jose Moreno Delgado 
> *Enviado:* jueves, 23 de septiembre de 2021 12:03
> *Para:* user@guacamole.apache.org 
> *Asunto:* RE: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> Hi,
>
> Just error appeared right now, this is the log where the error appears:
>
> guacd[6]: INFO: Creating new client for protocol "rdp"
> guacd[6]: INFO: Connection ID is "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c"
> guacd[77025]: INFO: Security mode: Negotiate (ANY)
> guacd[77025]: INFO: Resize method: none
> guacd[77025]: INFO: User "@9cf4b6f7-8255-445f-a23c-d1abe6e33f88"
> joined connection "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" (1 users now
> present)
> guacd[77025]: INFO: Loading keymap "base"
> guacd[77025]: INFO: Loading keymap "es-es-qwerty"
> guacd[77025]: INFO: Connected to RDPDR 1.10 as client 0x9645
> guacd[77025]: INFO: RDPDR user logged on
> guacd[77025]: ERROR:Connection closed.
> guacd[77025]: INFO: Internal RDP client disconnected
> guacd[77025]: INFO: User "@9cf4b6f7-8255-445f-a23c-d1abe6e33f88"
> disconnected (0 users remain)
> guacd[77025]: INFO: Last user of connection
> "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" disconnected
> guacd[6]: INFO: Connection "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" removed.
> guacd[6]: INFO: Creating new client for protocol "rdp"
> guacd[6]: INFO: Connection ID is "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502"
> guacd[77073]: INFO: Security mode: Negotiate (ANY)
> guacd[77073]: INFO: Resize method: none
> guacd[77073]: INFO: User "@089ef6d6-7c51-43d0-99af-1024b776a9c1"
> joined connection "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" (1 users now
> present)
> guacd[77073]: INFO: Loading keymap "base"
> guacd[77073]: INFO: Loading keymap "es-es-qwerty"
> guacd[77073]: INFO: Connected to RDPDR 1.10 as client 0x727a
> guacd[77073]: INFO: Connected to RDPDR 1.10 as client 0x527a
> guacd[77073]: INFO: RDPDR user logged on
>
> Is there something to check?
>
> --
> *De:* Jose Moreno Delgado 
> *Enviado:* jueves, 23 de septiembre de 2021 9:25
> *Para:* user@guacamole.apache.org 
> *Asunto:* RE: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> Let us check, because we noticed that we had caching enabled (bitmap,
> off-screen, glyph), we're connecting mainly to windows server 2003, 2008
> and 2012 machines because of the systems embedded and it looks like this is
> more stable, we will check logs and if problem persists we will share
> logging information to drill down in the problem.
>
> --
> *De:* Mike Jumper 
> *Enviado:* martes, 21 de septiembre de 2021 16:50
> *Para:* user@guacamole.apache.org 
> *Asunto:* Re: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> On Tue, Sep 21, 2021 at 4:58 AM Jose Moreno Delgado 
> wrote:
>
> Hi, we have a stable Guacamole solution running properly, but we have
> noticed that when a user is connected to a device through RDP and a second
> user runs a new RDP session (same or another device) drops and reconnect
> message appears in the screen of previously connected users. They are able
> to reconnect properly, but this is disturbing them because they lose their
> work. We have experienced this behavior using Guacamole 1.2.0 as native in
> a

Re: Exhausted simultaneous connection error

2021-09-24 Thread Mike Jumper 
I believe there are cases where this error can appear due to WebSocket
being inadvertently blocked by a network device or proxy. If the WebSocket
connection attempt fails due to certain kinds of interference, the browser
will abruptly abort the connection attempt and server-side resources for
that connection will not be released by the time the client retries using
HTTP.

Do you see any warnings in the logs regarding WebSocket and the HTTP
fallback? Anything on the network that might be interfering?

- Mike

On Fri, Sep 24, 2021, 08:00 Stratton, Craig
 wrote:

> Hi Nick,
>
> Guacd version 1.3.0 running native on Ubuntu 20.04
>
>
>
> Apologies, I had read and understood that guacd should not be the problem
> and did not need restarting, but wrote that anyway for some reason.
>
> I had recently restarted it to change the loglevel.
>
>
>
> Client has been complied with Postgres, RADIUS and LDAP authentication,
> although could not get RADIUS to work and is disabled.
>
> User is authenticated against LDAP, and database Groups match defined LDAP
> groups, so no users defined in local database, they see database defined
> connections based on LDAP group membership. This all works as expected.
>
>
>
> Thank you,
>
> Craig
>
>
>
>
>
> *From:* Nick Couchman 
> *Sent:* 24 September 2021 14:42
> *To:* user@guacamole.apache.org
> *Subject:* Re: Exhausted simultaneous connection error
>
>
>
> *This message originated from outside your organization*
> --
>
> On Fri, Sep 24, 2021 at 7:48 AM Stratton, Craig <
> craig.strat...@pspsl.co.uk.invalid> wrote:
>
> Hi,
>
> I am continually running into this error and cannot seem to resolve it.
>
>
>
> “The Guacamole server is denying access to this connection because you
> have exhausted the limit for simultaneous connection use by an individual
> user. Please close one or more connections and try again.”
>
>
>
> There are no connections listed for the user when I look to close them.
>
>
>
> I have some connections set with default blank number of connections per
> user, some with 1 some with 10, but it happens on all of them.
>
>
>
> I can connect, disconnect, reconnect fine after creating a new connection,
> then if I try again the following day I get that error, even after closing
> properly.
>
>
>
> I have not set any of the guacamole.properties file entries to override
> any defaults on number of connections, as the way I read the manual, there
> are no limits by default.
>
>
>
> If I stop and restart guacd and tomcat, it makes no difference and still
> cannot connect, it will just randomly start working again after some
> undetermined timeout?
>
>
>
> Just to note, here, guacd is not related to this issue, as the connection
> tracking, including simultaneous connections, is done by Tomcat/Guacamole
> Client. I say that only to note that restarting guacd isn't going to do
> anything for this. Restarting Tomcat should clear things out, but you
> shouldn't need to mess with guacd. That said, guacd logs may help you to
> determine if an unexpected connection is coming through, so might not be a
> bad idea to pay attention to those.
>
>
>
> What version of Guacamole are you running? What configuration - Docker or
> native, MySQL, Postgres, etc.?
>
>
>
> -NIck
> Public Sector Partnership Services Limited (PSPS) is a Local Authority
> Trading Company, wholly owned by East Lindsey District Council, South
> Holland District Council and Boston Borough Council in Lincolnshire. PSPS
> delivers services to and on behalf of the three District Councils.
> Registered Company details: Public Sector Partnership Services Limited, 2
> New Bailey, 6 Stanley Street, Salford, Greater Manchester M3 5GS Registered
> in England, Number – 07289357 Confidentiality: This e-mail and its
> attachments are intended for the above named only and may contain
> confidential and privileged information. If you are not the intended
> recipient or the person responsible for delivering the email to the
> intended recipient, be advised that you have received this email in error
> and that any use, dissemination, forwarding, printing, or copying of this
> email is strictly prohibited. If you have received this email in error,
> please notify the sender. The views expressed in this message are my own,
> and any negotiations by email are subject to formal contract. Any
> correspondence with the sender will be subject to automatic monitoring for
> inappropriate content. Your information will be processed in accordance
> with the law, in particular current Data Protection legislation. If you
> have contacted Public Sector Partnership Services for a service then your
> personal data will be processed in order to provide that service or answer
> your enquiry. For full details of our Privacy Policy and your rights please
> go to our website at https://www.pspsl.co.uk/privacy. The information
> that you provide will only be used for Company purposes unless there is a
> legal authority to do

RE: Exhausted simultaneous connection error

2021-09-24 Thread Stratton, Craig 
Hi Nick,
Guacd version 1.3.0 running native on Ubuntu 20.04

Apologies, I had read and understood that guacd should not be the problem and 
did not need restarting, but wrote that anyway for some reason.
I had recently restarted it to change the loglevel.

Client has been complied with Postgres, RADIUS and LDAP authentication, 
although could not get RADIUS to work and is disabled.
User is authenticated against LDAP, and database Groups match defined LDAP 
groups, so no users defined in local database, they see database defined 
connections based on LDAP group membership. This all works as expected.

Thank you,
Craig


From: Nick Couchman 
Sent: 24 September 2021 14:42
To: user@guacamole.apache.org
Subject: Re: Exhausted simultaneous connection error

This message originated from outside your organization

On Fri, Sep 24, 2021 at 7:48 AM Stratton, Craig 
mailto:craig.strat...@pspsl.co.uk.invalid>> 
wrote:
Hi,
I am continually running into this error and cannot seem to resolve it.

“The Guacamole server is denying access to this connection because you have 
exhausted the limit for simultaneous connection use by an individual user. 
Please close one or more connections and try again.”

There are no connections listed for the user when I look to close them.

I have some connections set with default blank number of connections per user, 
some with 1 some with 10, but it happens on all of them.

I can connect, disconnect, reconnect fine after creating a new connection, then 
if I try again the following day I get that error, even after closing properly.

I have not set any of the guacamole.properties 
file entries to override any defaults on number of connections, as the way I 
read the manual, there are no limits by default.

If I stop and restart guacd and tomcat, it makes no difference and still cannot 
connect, it will just randomly start working again after some undetermined 
timeout?

Just to note, here, guacd is not related to this issue, as the connection 
tracking, including simultaneous connections, is done by Tomcat/Guacamole 
Client. I say that only to note that restarting guacd isn't going to do 
anything for this. Restarting Tomcat should clear things out, but you shouldn't 
need to mess with guacd. That said, guacd logs may help you to determine if an 
unexpected connection is coming through, so might not be a bad idea to pay 
attention to those.

What version of Guacamole are you running? What configuration - Docker or 
native, MySQL, Postgres, etc.?

-NIck
Public Sector Partnership Services Limited (PSPS) is a Local Authority Trading 
Company, wholly owned by East Lindsey District Council, South Holland District 
Council and Boston Borough Council in Lincolnshire. PSPS delivers services to 
and on behalf of the three District Councils. Registered Company details: 
Public Sector Partnership Services Limited, 2 New Bailey, 6 Stanley Street, 
Salford, Greater Manchester M3 5GS Registered in England, Number – 07289357 
Confidentiality: This e-mail and its attachments are intended for the above 
named only and may contain confidential and privileged information. If you are 
not the intended recipient or the person responsible for delivering the email 
to the intended recipient, be advised that you have received this email in 
error and that any use, dissemination, forwarding, printing, or copying of this 
email is strictly prohibited. If you have received this email in error, please 
notify the sender. The views expressed in this message are my own, and any 
negotiations by email are subject to formal contract. Any correspondence with 
the sender will be subject to automatic monitoring for inappropriate content. 
Your information will be processed in accordance with the law, in particular 
current Data Protection legislation. If you have contacted Public Sector 
Partnership Services for a service then your personal data will be processed in 
order to provide that service or answer your enquiry. For full details of our 
Privacy Policy and your rights please go to our website at 
https://www.pspsl.co.uk/privacy. The information that you provide will only be 
used for Company purposes unless there is a legal authority to do otherwise. 
The contents of e-mails may have to be disclosed to a request under the Data 
Protection Act and the Freedom of Information Act 2000.

Re: Exhausted simultaneous connection error

2021-09-24 Thread Nick Couchman 
On Fri, Sep 24, 2021 at 7:48 AM Stratton, Craig
 wrote:

> Hi,
>
> I am continually running into this error and cannot seem to resolve it.
>
>
>
> “The Guacamole server is denying access to this connection because you
> have exhausted the limit for simultaneous connection use by an individual
> user. Please close one or more connections and try again.”
>
>
>
> There are no connections listed for the user when I look to close them.
>
>
>
> I have some connections set with default blank number of connections per
> user, some with 1 some with 10, but it happens on all of them.
>
>
>
> I can connect, disconnect, reconnect fine after creating a new connection,
> then if I try again the following day I get that error, even after closing
> properly.
>
>
>
> I have not set any of the guacamole.properties file entries to override
> any defaults on number of connections, as the way I read the manual, there
> are no limits by default.
>
>
>
> If I stop and restart guacd and tomcat, it makes no difference and still
> cannot connect, it will just randomly start working again after some
> undetermined timeout?
>

Just to note, here, guacd is not related to this issue, as the connection
tracking, including simultaneous connections, is done by Tomcat/Guacamole
Client. I say that only to note that restarting guacd isn't going to do
anything for this. Restarting Tomcat should clear things out, but you
shouldn't need to mess with guacd. That said, guacd logs may help you to
determine if an unexpected connection is coming through, so might not be a
bad idea to pay attention to those.

What version of Guacamole are you running? What configuration - Docker or
native, MySQL, Postgres, etc.?

-NIck

>

Re: Problem with child connections and child connection groups

2021-09-24 Thread Marcus Rocha 

Hi Mike!

Updating the "Connector" did the trick.
Thanks  A LOT!

Marcus

Em 23/09/2021 19:53, Mike Jumper escreveu:
On Thu, Sep 23, 2021 at 2:41 PM Marcus Vinícius de Melo Rocha 
mailto:mvro...@gmail.com>> wrote:


Hi Mike!

I myself have created the connection. Is it required to grant
access to myself?


No, you automatically have full permissions for all connections you 
create.


What version of the MariaDB / MySQL "Connector/J" driver are you 
using? There has been at least one past thread regarding children of 
connection groups not appearing despite permission being granted, and 
the ultimate solution was to update to the latest "Connector/J" driver 
from MariaDB:


https://lists.apache.org/thread.html/rf03dd3785ee1878bc470efe0b727ef75fce74eb914eadc40489d761f%40%3Cuser.guacamole.apache.org%3E 



- Mike

Exhausted simultaneous connection error

2021-09-24 Thread Stratton, Craig 
Hi,
I am continually running into this error and cannot seem to resolve it.

"The Guacamole server is denying access to this connection because you have 
exhausted the limit for simultaneous connection use by an individual user. 
Please close one or more connections and try again."

There are no connections listed for the user when I look to close them.

I have some connections set with default blank number of connections per user, 
some with 1 some with 10, but it happens on all of them.

I can connect, disconnect, reconnect fine after creating a new connection, then 
if I try again the following day I get that error, even after closing properly.

I have not set any of the guacamole.properties file entries to override any 
defaults on number of connections, as the way I read the manual, there are no 
limits by default.

If I stop and restart guacd and tomcat, it makes no difference and still cannot 
connect, it will just randomly start working again after some undetermined 
timeout?

Once this problem starts, then other connections stop working, with the 
connection attempt timing out not able to make a connection.

Anyone able to offer some pointers please?

Regards,
Craig




Public Sector Partnership Services Limited (PSPS) is a Local Authority Trading 
Company, wholly owned by East Lindsey District Council, South Holland District 
Council and Boston Borough Council in Lincolnshire. PSPS delivers services to 
and on behalf of the three District Councils. Registered Company details: 
Public Sector Partnership Services Limited, 2 New Bailey, 6 Stanley Street, 
Salford, Greater Manchester M3 5GS Registered in England, Number - 07289357 
Confidentiality: This e-mail and its attachments are intended for the above 
named only and may contain confidential and privileged information. If you are 
not the intended recipient or the person responsible for delivering the email 
to the intended recipient, be advised that you have received this email in 
error and that any use, dissemination, forwarding, printing, or copying of this 
email is strictly prohibited. If you have received this email in error, please 
notify the sender. The views expressed in this message are my own, and any 
negotiations by email are subject to formal contract. Any correspondence with 
the sender will be subject to automatic monitoring for inappropriate content. 
Your information will be processed in accordance with the law, in particular 
current Data Protection legislation. If you have contacted Public Sector 
Partnership Services for a service then your personal data will be processed in 
order to provide that service or answer your enquiry. For full details of our 
Privacy Policy and your rights please go to our website at 
https://www.pspsl.co.uk/privacy. The information that you provide will only be 
used for Company purposes unless there is a legal authority to do otherwise. 
The contents of e-mails may have to be disclosed to a request under the Data 
Protection Act and the Freedom of Information Act 2000.

Re: Radius auth user add connection

2021-09-24 Thread Erdődi Zoltán 

Dear Mike!

Thank you very much for your help.

It works.

2021-09-23 20:30 időpontban Mike Jumper ezt írta:

On Thu, Sep 23, 2021, 10:50 Erdődi Zoltán 
wrote:


Good Day!

How do I assign a connection to a user who is authenticated with a
radius?

[2021-09-23 16:04:13] [info] 16:04:13.139 [http-nio-8080-exec-1]
DEBUG
o.a.g.r.auth.AuthenticationService - Login was successful for user
"XYZUSER".
[2021-09-23 16:04:13] [info] 16:04:13.730 [http-nio-8080-exec-10]
DEBUG
o.a.g.rest.RESTExceptionMapper - Client request rejected: Session
not
associated with authentication provider "radius".

Login ok, but no RDP connection.
Where and how to define it ?
guacamole.properties or user-mapping.xml .


Neither - you would use one of the supported databases (MySQL,
PostgreSQL, etc.) and create the connection in the admin web interface
that becomes available once a database is set up. You can then create
the needed linkage between RADIUS and the connection in the database
by doing one of the following:

* Create a user in the database using the web interface (without
setting a password) having the same username as the RADIUS user, and
grant access to the connection to that user. By not setting a
password, the user will still only be able to log in using RADIUS, but
will inherit access to any connections granted to their corresponding
database user.

* Create a user group having the same name as a RADIUS group of which
the user is a member, and grant access to the connection to that
group.

This is also how things work when combining LDAP with the database,
except that administration is made more convenient in the LDAP case
since users and groups can retrieved from the LDAP directory. Since
users/groups can't be pulled automatically from RADIUS, you need to
enter them manually.

See
https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database
for how this works in principle.

- Mike





--
Erdődi Zoltán
Informatikai Rendszergazda
Könyvtár-informatikai és Adatgazdálkodási Egység
SZTE Informatikai és Szolgáltatási Igazgatóság
H-6722 Szeged, Ady tér 10.
Tel.: +36(62)546-666

ÉRTESÍTÉS BIZALMAS LEVELEZÉSHEZ
Az ebben az e-mailben található információk bizalmasak. Csak a  
megjelölt címzettekhez szól, és a hozzáférés harmadik személyek  számára 
meg nem engedett. Amennyiben nem Ön a levél tényleges  címzettje, akkor 
nem hozhatja nyilvánosságra, nem másolhatja, nem  továbbíthatja illetve 
más módon sem használhatja az ebben az e-mailben  található 
információkat, illetve azokra nem is támaszkodhat. Az ilyen  jellegű 
jogosulatlan felhasználás jogellenes.  Amennyiben tévesen  kapta meg ezt 
az e-mailt, kérjük, hogy azonnal értesítse a feladót,  valamint 
távolítsa el a levelet és összes másolatát számítógépes  rendszeréből.


PRIVACY NOTICE FOR CONFIDENTIAL COMMUNICATIONS
The information contained in this e-mail is confidential. It is  
intended only for the stated addressee(s) and access to it by any  other 
person is unauthorised. If you are not an addressee, you must  not 
disclose, copy, circulate or in any other way use or rely on the  
information contained in this e-mail. Such unauthorised use may be  
unlawful. If you have received this e-mail in error, please inform us  
immediately and delete it and all copies from your system.


-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: Configure GuacD in User Connection (JSON)

2021-09-24 Thread Mike Jumper 
On Fri, Sep 24, 2021 at 12:51 AM Caleb Coverdale <
caleb.coverd...@provisioninfotech.com> wrote:

> Also not sure if I can tack on another question: anyway to disable
> database authentication and use only JSON requests?
>

Yes - remove the database extension .jar file from
/etc/guacamole/extensions. If only the JSON auth extension is present, then
only the JSON auth extension will be used.

I was wondering how I would set the parameters to use the proxy_hostname,
> and proxy_port with the JSON auth module.
>

There are no such parameters provided by the JSON auth extension. The
extension currently only uses guacamole.properties for the hostname and
port of guacd.

- Mike

Re: Configure GuacD in User Connection (JSON)

2021-09-24 Thread Caleb Coverdale 
Also not sure if I can tack on another question: anyway to disable database 
authentication and use only JSON requests?

From: Caleb Coverdale 
Date: Friday, September 24, 2021 at 1:41 AM
To: user@guacamole.apache.org 
Subject: Configure GuacD in User Connection (JSON)
Hey there!

I was wondering how I would set the parameters to use the proxy_hostname, and 
proxy_port with the JSON auth module.

I tried the following:
  "connections": {
"My Connection": {
  "protocol": "rdp",
  "parameters": {
"proxy_hostname": "10.0.0.104",
"proxy_port": "4822",
"proxy_encryption_method": "NONE",
"hostname": "10.0.0.40",
"port": "3389",
"security": "nla",
"ignore-cert": "true"
  }
},


And also tried moving the proxy_hostname and port above the parameters….
Without those parameters it works fine.
Any tips?

Thanks!

Configure GuacD in User Connection (JSON)

2021-09-24 Thread Caleb Coverdale 
Hey there!

I was wondering how I would set the parameters to use the proxy_hostname, and 
proxy_port with the JSON auth module.

I tried the following:
  "connections": {
"My Connection": {
  "protocol": "rdp",
  "parameters": {
"proxy_hostname": "10.0.0.104",
"proxy_port": "4822",
"proxy_encryption_method": "NONE",
"hostname": "10.0.0.40",
"port": "3389",
"security": "nla",
"ignore-cert": "true"
  }
},


And also tried moving the proxy_hostname and port above the parameters….
Without those parameters it works fine.
Any tips?

Thanks!