Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Joseph Szabo
So we have 3 labs users can connect to, 45, 45, and 25 computers in each one.  
We're moving networks around and need to take a room out of the rotation for a 
day to be connected to.  It would seem easier to uncheck one box for a room, 
rather than going to 45 webpages for 45 computers, and setting the connection 
weight to 0.


Joseph Szabo
CSS Lab Technical Services
NBCS Lab Team
System Administrator
Rutgers University




From: Mike Jumper 
Sent: Wednesday, October 20, 2021 4:10 PM
To: user@guacamole.apache.org 
Subject: Re: nested balancing connection groups, permission denied on connect

Can you describe your use case in more detail? This sounds like feature request 
material, either for recursive groups (complex) or batch editing.

- Mike

On Wed, Oct 20, 2021, 13:02 Joseph Szabo <jsz...@oit.rutgers.edu> wrote:
That's too bad.  I was looking to more easily take one roomful of computers out 
of the connect group.  I only have access to the web interface at the moment.


Joseph Szabo
CSS Lab Technical Services
NBCS Lab Team
System Administrator
Rutgers University




From: Mike Jumper <mike.jum...@glyptodon.com>
Sent: Wednesday, October 20, 2021 3:56 PM
To: user@guacamole.apache.org
Subject: Re: nested balancing connection groups, permission denied on connect

On Wed, Oct 20, 2021, 07:41 Joseph Szabo <jsz...@oit.rutgers.edu> wrote:
Hi.  I'm trying to have one balancing connection group inside another (remote 
desktop).  When I click the top level one, it says:

"You do not have permission to access this connection. If you require access, 
please ask your system administrator to add you the list of allowed users, or 
check your system settings."

And yet I am the administrator.  Is there some extra setting I'm missing?  
Clicking the lower level group works to connect to a computer.  Before the 
error, it says:

"Connected to Guacamole. Waiting for response..."

You're not missing a setting - you just cannot have nested balancing groups. 
The connections within a balancing group will not be queried recursively and 
need to be direct children.

The permission denied error you see is likely due to the connection group being 
"empty", at least as far as the webapp is concerned. There is no connection 
within the group to connect to.

- Mike



Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Mike Jumper
Can you describe your use case in more detail? This sounds like feature
request material, either for recursive groups (complex) or batch editing.

- Mike

On Wed, Oct 20, 2021, 13:02 Joseph Szabo  wrote:

> That's too bad.  I was looking to more easily take one roomful of
> computers out of the connect group.  I only have access to the web
> interface at the moment.
>
> Joseph Szabo
> CSS Lab Technical Services
> NBCS Lab Team
> System Administrator
> Rutgers University
>
>
> --
> *From:* Mike Jumper 
> *Sent:* Wednesday, October 20, 2021 3:56 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: nested balancing connection groups, permission denied on
> connect
>
> On Wed, Oct 20, 2021, 07:41 Joseph Szabo  wrote:
>
> Hi.  I'm trying to have one balancing connection group inside another
> (remote desktop).  When I click the top level one, it says:
>
> "You do not have permission to access this connection. If you require
> access, please ask your system administrator to add you the list of allowed
> users, or check your system settings."
>
> And yet I am the administrator.  Is there some extra setting I'm missing?
> Clicking the lower level group works to connect to a computer.  Before the
> error, it says:
>
> "Connected to Guacamole. Waiting for response..."
>
>
> You're not missing a setting - you just cannot have nested balancing
> groups. The connections within a balancing group will not be queried
> recursively and need to be direct children.
>
> The permission denied error you see is likely due to the connection group
> being "empty", at least as far as the webapp is concerned. There is no
> connection within the group to connect to.
>
> - Mike
>
>


Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Joseph Szabo
That's too bad.  I was looking to more easily take one roomful of computers out 
of the connect group.  I only have access to the web interface at the moment.


Joseph Szabo
CSS Lab Technical Services
NBCS Lab Team
System Administrator
Rutgers University




From: Mike Jumper 
Sent: Wednesday, October 20, 2021 3:56 PM
To: user@guacamole.apache.org 
Subject: Re: nested balancing connection groups, permission denied on connect

On Wed, Oct 20, 2021, 07:41 Joseph Szabo <jsz...@oit.rutgers.edu> wrote:
Hi.  I'm trying to have one balancing connection group inside another (remote 
desktop).  When I click the top level one, it says:

"You do not have permission to access this connection. If you require access, 
please ask your system administrator to add you the list of allowed users, or 
check your system settings."

And yet I am the administrator.  Is there some extra setting I'm missing?  
Clicking the lower level group works to connect to a computer.  Before the 
error, it says:

"Connected to Guacamole. Waiting for response..."

You're not missing a setting - you just cannot have nested balancing groups. 
The connections within a balancing group will not be queried recursively and 
need to be direct children.

The permission denied error you see is likely due to the connection group being 
"empty", at least as far as the webapp is concerned. There is no connection 
within the group to connect to.

- Mike



Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Mike Jumper
On Wed, Oct 20, 2021, 07:41 Joseph Szabo  wrote:

> Hi.  I'm trying to have one balancing connection group inside another
> (remote desktop).  When I click the top level one, it says:
>
> "You do not have permission to access this connection. If you require
> access, please ask your system administrator to add you the list of allowed
> users, or check your system settings."
>
> And yet I am the administrator.  Is there some extra setting I'm missing?
> Clicking the lower level group works to connect to a computer.  Before the
> error, it says:
>
> "Connected to Guacamole. Waiting for response..."
>

You're not missing a setting - you just cannot have nested balancing
groups. The connections within a balancing group will not be queried
recursively and need to be direct children.

The permission denied error you see is likely due to the connection group
being "empty", at least as far as the webapp is concerned. There is no
connection within the group to connect to.

- Mike
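Added example, not part of the original thread or of Guacamole's code: a query that lists balancing groups with no connection as a direct child, which is the "empty" case described above. It runs against a constructed in-memory SQLite stand-in; the table and column names are assumed to follow Guacamole's JDBC schema, and the lab names and rows are invented.

```python
import sqlite3

# Constructed stand-in for two tables of Guacamole's JDBC schema; table and
# column names follow that schema as an assumption, the rows are invented.
SCHEMA = """
CREATE TABLE guacamole_connection_group (
    connection_group_id INTEGER PRIMARY KEY,
    parent_id INTEGER,
    connection_group_name TEXT NOT NULL,
    type TEXT NOT NULL              -- 'ORGANIZATIONAL' or 'BALANCING'
);
CREATE TABLE guacamole_connection (
    connection_id INTEGER PRIMARY KEY,
    connection_name TEXT NOT NULL,
    parent_id INTEGER               -- the group this connection sits in
);
INSERT INTO guacamole_connection_group VALUES
    (1, NULL, 'All labs', 'BALANCING'),
    (2, 1,    'Lab A',    'BALANCING'),
    (3, 1,    'Lab B',    'BALANCING');
INSERT INTO guacamole_connection VALUES
    (10, 'lab-a-pc01', 2), (11, 'lab-a-pc02', 2), (12, 'lab-b-pc01', 3);
"""

# Balancing groups with no connection as a direct child. Child groups are
# counted only to show where recursion was expected but does not happen.
EMPTY_BALANCING_GROUPS = """
SELECT g.connection_group_name,
       (SELECT COUNT(*) FROM guacamole_connection_group c
         WHERE c.parent_id = g.connection_group_id) AS child_groups
  FROM guacamole_connection_group g
 WHERE g.type = 'BALANCING'
   AND NOT EXISTS (SELECT 1 FROM guacamole_connection k
                    WHERE k.parent_id = g.connection_group_id)
 ORDER BY g.connection_group_name
"""

def empty_balancing_groups(db):
    """Return (group name, number of child groups) for each such group."""
    return db.execute(EMPTY_BALANCING_GROUPS).fetchall()

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

if __name__ == "__main__":
    for name, child_groups in empty_balancing_groups(demo_db()):
        print(f"{name}: no direct connections, {child_groups} child group(s)")
```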


RE: SAML Groups not recognised

2021-10-20 Thread Tweed, Peter
Nick
Azure active directory is returning the group ids only via SAML.  Apparently 
this is the default (I don’t have control over this) and perhaps something to 
do with a migration from an on-premise version.  Anyway – it shouldn’t matter, 
they should be just treated as text.

I’ve got two nicely named groups in guacamole (Admins, consultants)
I’ve created groups in guacamole with the same names as the IDs which come back 
via SAML (aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc)
I’ve made aaa and bbb groups, members of group “consultants”
I’ve made ccc group member of group “admins”.

Test 1: When I manually assign a user group aaa within guacamole, then user 
gets the connections linked to “consultants” (working as expected)
Test 2: When a user logs in with groups aaa, bbb and ccc from SAML they get 
access to connections attached to consultants and admins (working as expected).
Test 3: When a user logs in with groups aaa & bbb from SAML they get access to 
no connections (they should get access to the connections attached to 
“consultants”).
There is no manual assignment of connections to users.
Test 1 shows that the “member groups” hierarchy works between aaa and 
consultants.
If SAML group name to guacamole group name mapping didn’t work, or groups 
weren’t then following the “member groups” hierarchy configured, I would expect 
Test 2 to return no connections.
Which is why I’m confused that test 3 doesn’t work.
Does that make sense?

Peter T
d  +44 (0) 141 533 4043  m  +44 (0) 778 927 3030

From: Nick Couchman 
Sent: 19 October 2021 18:27
To: user@guacamole.apache.org
Subject: Re: SAML Groups not recognised

On Tue, Oct 19, 2021 at 11:49 AM Tweed, Peter <peter.tw...@verint.com> wrote:
Resending – as email didn’t appear in archive so I don’t know if it sent.

Peter T
d  +44 (0) 141 533 4043  m  +44 (0) 778 927 3030

From: Tweed, Peter
Sent: 18 October 2021 16:54
To: user@guacamole.apache.org
Subject: SAML Groups not recognised

Hi
I have connected SAML to Guacamole (1.3.0, docker version), with:
saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

I’ve created groups in Guacamole (Postgres DB) to match the GUIDs that come 
back from active directory:
aaa-aaa-aaa-aaa-aaa
bbb-bbb-bbb-bbb-bbb
ccc-ccc-ccc-ccc-ccc

Our admins have all three AD groups.  Our users have the first two groups, so 
I’ve created two nicely named groups: Consultants, Admins.
Member of Consultants: aaa-aaa-aaa-aaa-aaa , bbb-bbb-bbb-bbb-bbb
Member of Admins: ccc-ccc-ccc-ccc-ccc

Excerpt from guacamole log:
Admins: 
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[
 aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
Consultants: 
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[
 aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],


I'm a bit confused, here, as to what you've done with GUIDs vs. "nicely named 
groups"? It sounds like your SAML IdP is returning the groups as GUIDs, and 
you've possibly created some of the groups with those names, or not? I'm not 
clear on this point. Guacamole won't be able to do any additional lookup to 
translate those Group GUIDs to their actual names, so if you're wanting to 
assign permissions via group, no matter what the groups are named or how many 
there are, the names of the groups need to match what the SAML IdP is returning 
for claims.

Is it possible for one or more of the admin accounts you're using that you've 
manually added that account to a JDBC group, or assigned permissions directly 
to the account? That would explain why it appears to work for some users and 
not for others.

-Nick


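Added example, not part of the original thread or of Guacamole's code: one way to run the check raised in the reply above, listing access recorded directly against user accounts (connection permissions or manual JDBC group membership) rather than against groups. It uses a constructed in-memory SQLite stand-in; the table and column names are assumed to follow Guacamole's JDBC schema, and the user and connection names are invented.

```python
import sqlite3

# Constructed stand-in for five tables of Guacamole's JDBC schema; table and
# column names follow that schema as an assumption, every row is invented.
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
CREATE TABLE guacamole_connection (connection_id INTEGER PRIMARY KEY, connection_name TEXT);
CREATE TABLE guacamole_connection_permission (entity_id INTEGER, connection_id INTEGER,
                                              permission TEXT);
INSERT INTO guacamole_entity VALUES
    (1, 'admin1', 'USER'), (2, 'consultant1', 'USER'),
    (3, 'Consultants', 'USER_GROUP'), (4, 'Admins', 'USER_GROUP'),
    (5, 'aaa-aaa-aaa-aaa-aaa', 'USER_GROUP');
INSERT INTO guacamole_user_group VALUES (1, 3), (2, 4), (3, 5);
-- group-in-group membership (aaa in Consultants) and one manual user membership
INSERT INTO guacamole_user_group_member VALUES (1, 5), (2, 1);
INSERT INTO guacamole_connection VALUES (1, 'consult-desktop');
-- one grant to the Consultants group, one made directly to the user admin1
INSERT INTO guacamole_connection_permission VALUES (3, 1, 'READ'), (1, 1, 'READ');
"""

# Access recorded against a USER entity itself rather than against a group.
USER_LEVEL_ACCESS = """
SELECT e.name, 'direct connection permission' AS source, c.connection_name AS target
  FROM guacamole_entity e
  JOIN guacamole_connection_permission p ON p.entity_id = e.entity_id
  JOIN guacamole_connection c ON c.connection_id = p.connection_id
 WHERE e.type = 'USER'
UNION ALL
SELECT e.name, 'JDBC group membership', ge.name
  FROM guacamole_entity e
  JOIN guacamole_user_group_member m ON m.member_entity_id = e.entity_id
  JOIN guacamole_user_group g ON g.user_group_id = m.user_group_id
  JOIN guacamole_entity ge ON ge.entity_id = g.entity_id
 WHERE e.type = 'USER'
 ORDER BY 1, 2, 3
"""

def user_level_access(db):
    """Return (user, source, target) rows for access set on the account itself."""
    return db.execute(USER_LEVEL_ACCESS).fetchall()

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db
```

An empty result for an account means any connections it sees come from group grants only, which is the situation the tests in the message above assume.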


nested balancing connection groups, permission denied on connect

2021-10-20 Thread Joseph Szabo
Hi.  I'm trying to have one balancing connection group inside another (remote 
desktop).  When I click the top level one, it says:

"You do not have permission to access this connection. If you require access, 
please ask your system administrator to add you the list of allowed users, or 
check your system settings."

And yet I am the administrator.  Is there some extra setting I'm missing?  
Clicking the lower level group works to connect to a computer.  Before the 
error, it says:

"Connected to Guacamole. Waiting for response..."


Joe