Re: Configuring LDAP

2017-11-27 Thread Nick Couchman
On Mon, Nov 27, 2017 at 9:46 AM,  wrote:

> Update: using port 389 and none for encryption, and I had to change the
> search DN to be just cn=Directory Manager.  Now I get the following error:
>
>
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
>
>
Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the
real objects (cn=users,cn=accounts), and this could be confusing the LDAP
client when it expects uniquely-named items.  Otherwise, you'll need to
narrow your base DN such that it only locates one or the other account.

-Nick


Re: INFO REQUIRED : Support of Shell Mode in Guacamole

2017-11-27 Thread Nick Couchman
On Mon, Nov 27, 2017 at 11:41 AM, Mike Jumper 
wrote:

> On Mon, Nov 27, 2017 at 5:25 AM, Amarjeet Singh 
> wrote:
>
>> Hi Team,
>>
>>
>> I was trying to run a program using shell command instead of Remote app.
>>
>> It seems that Guacamole doesn't support the shell command.
>>
>>
> It does.
>
>
> >> Below are the parameters of freeRDP  which is used to open any program in
>> shell mode.
>>
>> */shell*
>> *Alternate shell*
>>
>
> The parameter for this in Guacamole is "initial-program":
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#rdp-session-settings
>

Oops...for some reason I was thinking "shell" and "initial-program" were
different settings within RDP.  Sorry about that.

-Nick


Re: Does Guacamole support Gemalto Safenet 2FA??

2017-11-24 Thread Nick Couchman
On Fri, Nov 24, 2017 at 3:05 PM, yisas  wrote:

> Hi there,
>
> Guacamole incubator project is an awesome project and I can't wait to see
> more and more of this platform. I would like to ask you, whether you know
> there is any road-map to add support for 2FA Gemalto Safenet as DUO has
> already.
>
> Are you aware if this 2FA product is currently supported?
>

Soon:

https://issues.apache.org/jira/browse/GUACAMOLE-96

I don't know how soon it will support hardware-based tokens, like the
Gemalto ones.  Initially it will support OTP apps like Google
Authentication.

-Nick


Re: VNC access with password

2017-11-24 Thread Nick Couchman
On Fri, Nov 24, 2017 at 1:49 AM,  wrote:

> Hi
>
>
>
> The two connections were not on the same computers
>
>
>
> As far as I know the VNC Servers are running under Windows CE, the exact
> version of the server is not known, but for sure it’s an older version
>
> Reason, these are operator panels of machines I need to integrate.
>
> Modifications and updates to these Win CE Panels is not possible
>
>
>
Can you find out what VNC server/version is on the one that is failing, and
how it's configured (aside from requiring a password)?

-Nick


Re: VNC access with password

2017-11-22 Thread Nick Couchman
On Wed, Nov 22, 2017 at 3:05 AM,  wrote:

> Hi Nick
>
>
>
> Any idea what to do with this?
>
>
>
> BR
>
> Adrian
>
>
>

The only thing I can think at this point is that it's related to the
following recently-closed JIRA issue:

https://issues.apache.org/jira/browse/GUACAMOLE-424

Can you try building guacd from the most recent github master and see if
the problem still exists?

-Nick


Re: X Forwarding on an SSH connection

2017-12-01 Thread Nick Couchman
On Fri, Dec 1, 2017 at 15:53  wrote:

> Is it possible to forward X  when connected to an SSH session in
> guacamole?  For example, if I was connected and wanted to edit a file using
> gedit in Linux, how can we make that work?
>
>
>

Not using SSH, no.  Guacamole does not implement an X server.  You could do
this with VNC or run xrdp on the Linux host, but that's about it.  Mike is
currently working on an X.org video driver that talks the guacamole
protocol,  which will also work, but that's not done, yet.

-Nick


Re: Reply: how to download a file from sftp to a connection in the guacamole?

2017-12-04 Thread Nick Couchman
>
>
> Drag is supported. Just drag the file over the Guacamole display and drop
> it. The file will be uploaded to the SFTP server within the default upload
> directory.
>
> - Mike
>

If I understand the scenario correctly, the Guacamole connection
(RDP/Telnet/VNC) is being pointed at a different host than the SFTP
connection, and the question is how to have files sent to the SFTP server
automatically show up on the host that Guacamole is connecting to.  Maybe
I'm misunderstanding the question, though??

-Nick


Re: How to get GuacamoleConfiguration from url?

2017-12-12 Thread Nick Couchman
On Tue, Dec 12, 2017 at 2:29 PM, genesis  wrote:

> Hi, first of all I would like to congratulate the team for this amazing
> product.
>
> I would like to provide the GuacamoleConfiguration data from a encrypted
> string in URL, without authentication, with multiple connections, for
> example:
>

I'm having a little trouble understanding what you're trying to do.  When
you say you would like to provide the "GuacamoleConfiguration" data from an
encrypted string in the URL, are you saying that you are providing all of
the data - hostname, protocol, port, username, password, etc., - encoded in
the URL?  Or you're providing a connection identifier in the URL and then
mapping that on the servlet side?  The latter is the way Guacamole currently
works - I wouldn't call it an encrypted token, I'd call it encoded.


>
> http://guacamoleclient:8090/#/{ENCRYPTED_TOKEN_1}
>
> First thing I did is to replace the noauth extension method
> getAuthorizedConfigurations to take the config from the encrypted token,
> and it worked fine.
>

Please bear in mind that the noauth extension is deprecated and likely to
be removed from future versions.  Building an application upon this module
is not likely to be a good long-term move, unless you intend to maintain
the noauth module yourself in a separate repository from the main Guacamole
code.


>
> The problem I'm facing now is for multiple connections at the same time. If
> I click on another URL with a different GuacamoleConfiguration of the first
> one, a tab will open but with the same connection of the first URL.
>

Again, if you can clarify what you mean by GuacamoleConfiguration in the
token in the URL, that might help figure out where to go from here.

Regards,
Nick


Re: Screen reader/JAWS over Guac?

2017-12-12 Thread Nick Couchman
On Tue, Dec 12, 2017 at 1:03 PM, Nick Couchman <vn...@apache.org> wrote:

> On Tue, Dec 12, 2017 at 12:39 PM, Antony Awaida <ant...@apporto.com>
> wrote:
>
>> Hi everyone:
>>
>> Has anyone tried to run a screen reader such as JAWS over Guacamole? if
>> so do you have a recipe for that?
>>
>> Thanks!
>>
>>
> What protocol are you interested in?  I'm not familiar with screen
> readers, including JAWS, but my guess is that this will partially depend on
> the screen reader's ability to parse images for text.  In the case of VNC
> and RDP when used through Guacamole, the output to the screen is an image
> and does not have a direct text representation.  Telnet and SSH protocols
> in Guacamole should be parsed out as text in the browser (which is
> demonstrated by the ability to select letters/words/lines of text), so
> those will probably work.
>
>
...but, apparently JAWS includes OCR support, so perhaps it will work fine
with Guacamole?!

-Nick


Re: RDP connection problems

2017-12-18 Thread Nick Couchman
On Mon, Dec 18, 2017 at 5:02 AM, Pieter Temmerman 
wrote:

> Hi List,
>
>
> Would it be possible to receive a debug version of all.min.js for 0.9.3,
> equivalent to this issue:
>

Just a point of clarification - you said 0.9.3 both here and in the
original post (0.9.3-incubating).  I'm guessing you mean 0.9.13-incubating,
but please confirm.

-Nick


Re: Unreachable RDP desktop after renaming computer

2017-11-17 Thread Nick Couchman
>
> Hi Nick,
>
> Thanks very much for the reply. Would DNS caching be an issue if I'm using
> IP addresses only to create the connections in Guacamole? I should have
> clarified that I'm only using Amazon EC2 internal network IP addresses for
> the hostname in the Guacamole connections. Those IPs don't change, as far
> as I can tell, but I'll double-check that. I'm pretty sure they would if I
> powered the Windows machines completely off, but I'm only issuing a reboot.
>
>
Okay, yeah, that doesn't sound like DNS - it actually sounds like maybe the
IP is changing, or something else - the security group, maybe, or perhaps
the host firewall (if you're joining a Windows domain, maybe it's changing
the firewall settings from GPO)?

-Nick


Re: Kill session button in UI?

2017-11-17 Thread Nick Couchman
On Fri, Nov 17, 2017 at 1:16 PM, dan  wrote:

> I'll try this weekend.
>
>
>
Great.  And, just to clarify my remark, when I say "pulling the latest
code," I mean cloning the master branch of the github repo, not the latest
release on the Guacamole website.  Perhaps you already assumed that, I just
wasn't overly-clear about it.

-Nick


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 8:10 AM,  wrote:

> I use Chrome and I use the Developer Console all the time.  I just tried
> it again and got nothing at all in the console.  I even had the
> catalina.2017-11-20.log file open and got nothing in there either.  Nothing
> happens.
>

Great.  What about on the Network tab?  When you click the Login button, do
you see it making any attempts to access anything network-side?  For
example, when I log in, I see a POST to the api/tokens REST endpoint with
the credentials, and I receive a 200 (OK) response.  You should see this
POST happen, and then some sort of return - 200 for OK (which I would not
expect in your case), 403 if the credentials are not accepted, or 500 if
there's a server-side error.

-Nick


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 12:53 PM,  wrote:

> Looks like I get a 403 when it tries to access /guacamole/api/tokens.
>
>
>

There will be an initial 403 that happens when the page is loaded (this
prompts the login dialog to appear in the first place), but if you're
getting a 403 after entering the credentials and clicking Login, then
something is going wrong with the login process.  Can you dig into the 403
and see what type of error/response you're seeing?  Is it Invalid
credentials, insufficient credentials, or some other error?

I think we determined in the past that on your system the bulk of the
Tomcat messages are actually going to /var/log/messages instead of the
Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt
the login, and see what gets displayed there?  You should get at least the
authentication failure message, if nothing else.

-Nick


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 1:06 PM,  wrote:

> /var/log/messages doesn’t show anything at all when I try the login.
> Also, when I click Login, the area at the top of the Developer Tools window
> (with the times in it 2000ms, 4000ms, etc.) updates, but the list of
> javascript files that is accessed doesn’t change.  The tokens file/topic is
> in red, and it says that the Initiator is angular.js on line 9902.
>
>
>
Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication,
but I'm fairly convinced it has absolutely nothing to do with LDAP.  Have
you tried removing the LDAP module and just using something like the JDBC
module, or even the simple file authentication module, and see if it works
at all like that?  I suspect it will not, but it would be good to confirm.
- What client platform are you running (Windows, Linux, etc.), and have you
tried it on more than one client system, and preferably on more than one
platform?
- This issue really sounds like some sort of security software intercepting
the browser's attempt to log in to the system.  Do you have any sort of A/V
or security extension installed in the browser (e.g. McAfee, Symantec,
etc.), any of the Chrome Enterprise Group Policies deployed, or any sort of
web security software running on the client, that could be blocking this
web page from actually submitting the data to the Guacamole system?  The
behavior you are describing sounds very much like something is stopping the
browser from actually making the call to the REST endpoint, and not like a
Tomcat/servlet issue.

-Nick


Re: guacamole ldap

2017-11-20 Thread Nick Couchman
2017-11-20 5:58 GMT-05:00 Falcy, Cedrik :

> Hello,
> I have a problematic, I have 300 connection posts to enter guacamole. Is
> it possible to import into guacamole all the computer names of the active
> directory or LDAP? If not, do you have a way to get all these posts back
> faster and not one by one?
>

As Xavier suggests, you can manipulate the database directly, insert the
rows into the DB with the desired values.  His script does the user sync
for LDAP <-> DB, but you could easily modify the script to insert the
connections, instead.

You could also write a script (bash with curl or an Ansible Playbook, for
example) that leverages Guacamole's REST API and loops through with the
desired information to create the connections via the Guacamole Client
API.  This would be slightly safer, since the API would check for the
required information and fail the insert operation if something was amiss.

-Nick
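
Added example (not part of the original message and not Guacamole project code): a sketch of the REST-driven bulk import described above, which rejects incomplete rows before anything is sent. The connection endpoint path, the JSON field names and the "identifier" reply field are assumptions about the Guacamole REST API; only api/tokens is named in this thread. The CSV data is constructed.

```python
import csv
import getpass
import io
import json
import urllib.parse
import urllib.request

# Constructed sample inventory (not from the original thread).
SAMPLE_CSV = """name,protocol,hostname,port
pc-001,rdp,10.0.0.11,3389
pc-002,rdp,10.0.0.12,3389
pc-003,vnc,,5900
pc-004,telnetx,10.0.0.14,23
"""

ALLOWED_PROTOCOLS = {"rdp", "vnc", "ssh", "telnet"}


def build_connection(row):
    """Return the JSON body for one connection, or raise ValueError."""
    name = (row.get("name") or "").strip()
    protocol = (row.get("protocol") or "").strip().lower()
    hostname = (row.get("hostname") or "").strip()
    port = (row.get("port") or "").strip()
    if not name:
        raise ValueError("missing name")
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if not hostname:
        raise ValueError("missing hostname")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    # Field names below are assumed, see the lead-in.
    return {
        "parentIdentifier": "ROOT",
        "name": name,
        "protocol": protocol,
        "parameters": {"hostname": hostname, "port": port},
        "attributes": {},
    }


def plan_import(csv_text):
    """Split CSV rows into (payloads, rejected) without touching the network."""
    payloads, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            payloads.append(build_connection(row))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return payloads, rejected


def login(base_url, username, password):
    """POST the credentials to api/tokens; returns (token, data_source)."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base_url}/api/tokens", data=body) as resp:
        reply = json.load(resp)
    return reply["authToken"], reply["dataSource"]


def create_connection(base_url, token, data_source, payload):
    """POST one connection; the endpoint path is an assumption."""
    url = (f"{base_url}/api/session/data/{urllib.parse.quote(data_source)}"
           f"/connections?token={urllib.parse.quote(token)}")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["identifier"]


if __name__ == "__main__":
    payloads, rejected = plan_import(SAMPLE_CSV)
    for lineno, reason in rejected:
        print(f"line {lineno}: skipped ({reason})")
    base = input("Guacamole base URL (blank = dry run): ").strip()
    if base:
        # Prompt for the password so it never lands in shell history.
        token, source = login(base, input("User: "), getpass.getpass())
        for payload in payloads:
            ident = create_connection(base, token, source, payload)
            print(f"created {payload['name']} as {ident}")
    else:
        print(json.dumps(payloads, indent=2))
```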


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 1:52 PM,  wrote:

> We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I
> disabled the LDAP extension and just used MySQL for the guacadmin user and
> could log in.  I do see the following information in /var/log/messages:
>
>
>
This sounds like the server-side, but are you able to temporarily disable
SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat
and see if it works with LDAP? I'm not suggesting this as a long-term fix,
just long enough to validate whether SELinux is, indeed, blocking LDAP
traffic, or if it's still something else?

-Nick


Re: How to assign connections to an LDAP-authenticated user

2018-05-04 Thread Nick Couchman
On Fri, May 4, 2018 at 6:08 AM, rvarela  wrote:

> Good afternoon Nick
>
> The content of the guacamole.properties file is this:
>
> #Guacamole - Clientless Remote Desktop
> #Copyright (C) 2010  Michael Jumper
> #
> #This program is free software: you can redistribute it and/or modify
> #it under the terms of the GNU Affero General Public License as published by
> #the Free Software Foundation, either version 3 of the License, or
> #(at your option) any later version.
> #
> #This program is distributed in the hope that it will be useful,
> #but WITHOUT ANY WARRANTY; without even the implied warranty of
> #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> #GNU Affero General Public License for more details.
> #
> #You should have received a copy of the GNU Affero General Public License
> #along with this program.  If not, see .
>
>
> # Hostname and port of guacamole proxy
> guacd-hostname: localhost
> guacd-port: 4822
>
> # Auth provider class (authenticates user/pass combination, needed if using
> # the provided login screen)
> auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
> user-mapping: /etc/guacamole/user-mapping.xml
>
> # LDAP properties
>
> ldap-user-base-dn: ou=usuarios,dc=proyectoasir,dc=net
>


Looks like you're missing the "ldap-config-base-dn" property in your
configuration file.  If you look in the LDAP chapter of the manual under
the Configuration section (
http://guacamole.apache.org/doc/gug/ldap-auth.html#idm140500641772816)
you'll see that, if you don't specify this, Guacamole will not look for
connections in the LDAP tree:

ldap-config-base-dn

The base of the DN for all Guacamole configurations. *This property is
optional.* If omitted, the configurations of Guacamole connections will
simply not be queried from the LDAP directory. If specified, this base DN
will be used when querying the configurations accessible by a user once
they have successfully logged in.

Each configuration is analogous to a connection. Within Guacamole's LDAP
support, each configuration functions as a group, having user members (via
the member attribute) and optionally group members (via the seeAlso attribute),
where each member of a particular configuration group will have access to
the connection defined by that configuration.

So, you need to specify this property.


>
> When I run the command ldapadd -x -D cn = admin, dc = proyectoasir, dc = net
> -W -f conexionwindows.ldif
> it tells me this:
>
> adding new entry "cn=conexionwindows,ou=usuarios,dc=proyectoasir,dc=net"
>
> When I run the command ldapsearch -x -D cn = admin, dc = proyectoasir, dc =
> net -W cn =conexionwindows. ldif it tells me this:
>
>
You have an error in your search.  You should *not* be searching for the
LDIF file, you should be searching for the name of the connection.  The
correct search would be:

ldapsearch -x -D cn=admin,dc=proyectoasir,dc=net -W cn=conexionwindows

You put "cn=conexionwindows.ldif" (with .ldif at the end) which won't
work.  However, I suspect the issue you're facing is just the missing
property in guacamole.properties.

-Nick


Re: problem connecting to windows 10

2018-05-08 Thread Nick Couchman
On Tue, May 8, 2018 at 3:33 PM, robertkwild  wrote:

> hi all,
>
> i have added a few connections -
>
> windows 7 via RDP
> centos 7 via VNC
> centos 7 via SSH
> windows 10 via RDP
>
> my problem is i can get all to work apart from my windows 10 client, i have
> entered in the details below -
>
> network
> hostname - given IP not dns name
> port - 3389
>
> authentication
> username - robw
> password - my password
> domain - robw-win
> security mode - tried everything now left blank as that is what my windows
> 7 client uses and it works
>

Windows 10 generally requires NLA out of the box, if you don't change the
configuration.  I would make sure Security Mode is set to NLA and that you
also check the "Ignore Certificate" box under that, or import the
certificate into your system certificate store.

-Nick


Re: debugging custom auth provider

2018-05-14 Thread Nick Couchman
On Mon, May 14, 2018 at 4:49 AM, WebE  wrote:

> Hi,
>
> I have a task to configure guacamole where users can create a URL and use
> it for remote desktop. All parameter for connection are passed via url
> parameter.  The behavior is similar to guacamole auth plugin
>    which doesn't work with
> latest version.


Yes, looking at this source code, it says both that it is unmaintained, and
that it was written for 0.8.3.  A little out of date :-).


> I even tried from other  forked projects
>   .  After
> this plugin is loaded, the home page of guacamole is not loading and a rest
> exception is thrown in log.
>

We'd be happy to help debug this, you just have to be a little more
detailed about what "doesn't work" means, and what version of Guacamole you
are using.  It looks like this one should be compatible with the 0.9.14
released version, but it's hard to tell.  More detail will help.


>
> I tried using https://github.com/glyptodon/guacamole-auth-json plugin as
> well but could not succeed.
>
>
Mike can probably help out a little more with this one, but, again, would
help to know more details about your environment, and what you've tried to
get this working.


> Now I am trying to understand and build a custom auth provider. I have
> gone through the basic tutorial. I am able to build it and integrate it.
>
>  However I am not able to find any tutorial on how can I debug these
> plugins. Coming from .net background, it is bit difficult to do without any
> manual/documentation.
>
> Therefore kindly guide me what setup is required to debug these plugins. I
> do not need a step by step procedure but a starting point where I can grab
> some idea on how debug this plugin.
>
>
Again, we need to understand what you have tried so far and what the
results are.  Here are my suggestions:
- Read the fine manual: http://guacamole.apache.org/doc/gug/custom-auth.html
- Make sure that Tomcat logging is configured for debug mode, at least for
the Guacamole web app, so that you know you're getting all of the debug
information.  The easiest way to do this is to create a logback.xml in the
GUACAMOLE_HOME directory and configure it appropriately for debugging.
Instructions for this can be found, here:
http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
- Make use of the log4j class within your code to write debug and trace
messages to the Tomcat log and then run things down from there.

-Nick


Re: More containers?

2018-05-09 Thread Nick Couchman
On Wed, May 9, 2018 at 11:57 AM, Joachim Lindenberg 
wrote:

> Hello,
>
> I assume I will have to upgrade guacamole in the near future. Rather than
> updating all dependencies and recompiling, I'd actually favor to use
> docker. Now initially I decided against docker because I didn't like the
> database…
>

Well, you don't *have* to, but we're resolving a decent number of issues
and adding features along the way, so if you want the bug fixes and
features, you'll need to upgrade.  And, yes, Docker is designed to ease
this process.


> I am also running mailcow-dockerized (and the database drives up memory
> utilization :-( ). mailcow-dockerized uses lots of containers plus a central
> configuration directory (which is filled via git, i.e. my configuration
> changes are locally merged with central ones). I am wondering whether you
> can/want to adopt similar separation and offer separate containers for
> guacd (as already), guacamole, and database (could be a choice of different
> database including lightweights :-) ).
>

Yes, best practices for containers is to run a single workload per
container, so you should run your guacd instance, guacamole-client (Tomcat
+ Guacamole Client + Extensions), and Database in separate instances.


> As you already have an extension concept that wires guacamole and the
> database, I guess it should be possible to expose or copy the relevant
> directories/configuration from one container to the other and have that
> picked up. Ideally one can run not just one extension but multiple using
> distinct containers. Or edit the composition not to load a database.
>

Docker does allow you to make directories available from your host to the
containers, which also means you could share the configuration amongst the
various containers.  If you look at the very last section of the Guacamole
Manual on Docker (http://guacamole.apache.org/doc/gug/guacamole-docker.html)
you'll see an example of using the "-v" flag to forward a directory through
to a container.

However, I'm not sure what you mean by running "multiple extensions using
distinct containers" - this doesn't make sense to me.  All of your
extensions need to be present in the container where Tomcat is running the
Guacamole Client.  You could run a separate instance of the Tomcat client
for each extension, but these will not be magically linked together -
you'll have one container with one extension (JDBC, for example) running,
another container with another one, etc., and different clients that behave
differently.  If you want to use multiple extensions with the Guacamole
Client, you should run all of these extensions in a single container with
the Guacamole Client.

-Nick


Re: LDAP+database - Credential duplication?

2018-05-10 Thread Nick Couchman
On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
f.wolfhei...@googlemail.com> wrote:

> I'm trying to set up guacamole with LDAP authentication and would like to
> use postgresql as storage for the connection parameters. Looking at the
> provided database schema files for postgresql (001-create-schema.sql), the
> user information entered into the database requires a password. I'm
> wondering whether this means that the LDAP user credentials need to be
> duplicated and entered into the database? The guacamole manual however
> suggests that once a user is successfully authenticated using the
> credentials stored in LDAP, the guacamole database will trust this user and
> will use the information present in the database for this user (
> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>

Yes, this is correct.

> "Data can be manually associated with LDAP users by creating corresponding
> user accounts within the database which each have the same usernames as
> valid LDAP users. As long as the username is identical, a successful login
> attempt against LDAP will be trusted by the database authentication, and
> that user's associated data will be visible."
>
> Actually, I'd like to prevent storing password information in the database
> and only use the LDAP passwords for authentication. Is this supposed to
> work? May I just adjust the database schema and leave the password field
> empty?
>
The password for the user from LDAP is not copied to or stored in the
database.  The database does require a user password to be set; however, if
you leave this blank when creating users in the admin interface one will be
randomly generated.  Similarly, if you are importing users directly into
the database you could generate random values for this field and the LDAP
authentication will still work, and it will *not* update/store the LDAP
password in the DB.


> BTW: Thanks for providing this great product. I've used it to host
> workshops for up to 50 people, providing each of them access to a graphical
> desktop. It's working great. :-)
>
>
Glad you like it and it is working out for you - I always love hearing
real-life success stories!

-Nick
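
Added example (not part of the original message and not Guacamole project code): one way to prepare the "random values" mentioned above when importing LDAP usernames directly into the database, so that no usable password is ever kept. The column names (assumed to match the 0.9.14 guacamole_user table), the salted SHA-256 layout, the username pattern and the sample usernames are assumptions made for this illustration.

```python
import hashlib
import re
import secrets

# Parameterized statement for a DB-API driver such as psycopg2 (assumed);
# the username is passed as a parameter, never concatenated into the SQL.
INSERT_SQL = (
    "INSERT INTO guacamole_user "
    "(username, password_salt, password_hash, password_date) "
    "VALUES (%s, %s, %s, CURRENT_TIMESTAMP)"
)

# Constructed sample of LDAP usernames (not from the thread).
SAMPLE_LDAP_USERS = ["alice", "bob", "carol", "bob", "bad name;--"]

# Constructed sanity policy; adjust to the naming rules of your directory.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")


def hash_password(password, salt):
    """SHA-256 over the password followed by the uppercase-hex salt
    (the layout assumed here for Guacamole's database authentication)."""
    material = password + salt.hex().upper()
    return hashlib.sha256(material.encode("utf-8")).digest()


def placeholder_credentials():
    """Return (salt, hash) for a random password that is discarded at once."""
    password = secrets.token_urlsafe(32)  # never stored, logged or returned
    salt = secrets.token_bytes(32)
    return salt, hash_password(password, salt)


def plan_user_rows(usernames):
    """Build INSERT parameters for each unique, well-formed username.

    Names are used exactly as given, because the database account must carry
    the same username as the LDAP account for the two to be associated.
    """
    rows, skipped, seen = [], [], set()
    for name in usernames:
        if not USERNAME_RE.match(name):
            skipped.append((name, "invalid characters"))
        elif name in seen:
            skipped.append((name, "duplicate"))
        else:
            seen.add(name)
            salt, digest = placeholder_credentials()
            rows.append((name, salt, digest))
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = plan_user_rows(SAMPLE_LDAP_USERS)
    for name, reason in skipped:
        print(f"skipped {name!r}: {reason}")
    # With a real connection: cursor.executemany(INSERT_SQL, rows)
    for name, salt, digest in rows:
        print(f"{name}: salt {len(salt)} bytes, hash {len(digest)} bytes")
```

Because the generated password is thrown away, each row only satisfies the schema's requirement for a password value, and the LDAP password remains the only working credential for the user.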


Re: Tomcat8/Apache/Debian: Unable to start guacamole HTTP Status 404 and exceptions in tomcat logs

2018-05-13 Thread Nick Couchman
On Sun, May 13, 2018 at 6:34 AM, Prometheus  wrote:

> Hi, I am trying to make guacamole (0.9.9+dfsg-1) to run under Debian
> (unstable). The default tomcat installed using apt along with guacamole
> is tomcat8. The problem is that I get HTTP Status 404 when trying to
> access http://myhost:8080/guacamole
>
> I look into the log files of tomcat and I see that there are two
> exceptions shown below (or visit https://paste.gnome.org/pgnkvfvs4)
> but I haven't managed to find any info on these:
>


Okay, a couple of things jump out to me:
- You're using a very old version of Guacamole.  0.9.9 is several years old
- we're at 0.9.14, now, with a 1.0.0 release looming somewhere out in the
near-future.  Also, I've no idea what the +dfsg-1 part of that release
number is - looks like either a distribution-specific release, or one that
someone else came up with.  I'd start by using the latest version from the
Guacamole web site, http://guacamole.apache.org.
- The reason you're getting a 404 error is because the application is not
deploying, at all.  The exceptions you note are preventing it from working,
so there is no application present at /guacamole, which causes Tomcat to
throw a 404 error.  I'm not entirely certain what the error you're getting
means and why exactly it's occurring, but I'll venture two guesses.  First,
there's an error about the guacamole.xml context configuration in the
tomcat configuration directory.  I'm not sure if you've tried to manually
create that or if it was part of whatever version of guacamole you
installed, but something about that XML file may be causing problems.
Second, it's possible that the JAR that you're trying to deploy is invalid
- corrupted, zero size, something like that.  Could be wrong about both of
those, just my speculation.

Best advice at this point is to go get the latest version from the
Guacamole web site and deploy that, and read the deployment instructions,
there.

-Nick


Re: RD Gateway Issue

2018-05-11 Thread Nick Couchman
On Fri, May 11, 2018 at 12:04 AM, 张立强  wrote:

> Hi there,
>
> It looks like the guacamole connected to the target windows successfully
> and then disconnected immediately.
> Please note that we are using freerdp-1.1.0, we googled something that
> someone says it is probably an issue of freerdp.
> I am wondering which version was used when developing guacamole, maybe we
> can use the same version, or anyone who achieved this could tell me your
> detailed version.
>
> Any help or idea is appreciated, thanks
>
>
This has been discussed in the following Guacamole JIRA issues:

https://issues.apache.org/jira/browse/GUACAMOLE-40
https://issues.apache.org/jira/browse/GUACAMOLE-370

Guacamole is developed to work with multiple versions of FreeRDP; however,
certain RDP features are only implemented in certain versions of FreeRDP
(like Gateway/Broker support), so if you need those you'll have to use the
version that supports it.  Broker/Gateway support is particularly
problematic because it is supported only in an unreleased FreeRDP version
that you have to grab from a certain branch of the github repo.

-Nick


Re: Import csv mysql

2018-05-11 Thread Nick Couchman
It sounds to me like there is some sort of issue with the password import -
either it is not being imported at all, or it is being translated
incorrectly during the import.  When you complete the CSV import and look
at the field, can you confirm that the password value in the table is
*identical* to the value when you set it, and that the parameter name is
correct?

-Nick

On Fri, May 11, 2018 at 8:19 AM, cedrik  wrote:

> Hello everyone,
>
> I import new connections with a csv file directly into the mysql database.
> The import works perfectly.
> The problem is that the connection does not work.
> He tells me that the password is not good.
> Yet he is very well informed in the settings.
> When I erase the password in the settings and I retype the same password,
> the connection works very well.
>
> Can someone tell me why guacamole acts as if there is no password while he
> is well informed.
>
> Thanks !
>
>
>
> --
> Sent from: http://apache-guacamole-general-user-mailing-list.
> 2363388.n4.nabble.com/
>


Re: LDAP+database - Credential duplication?

2018-05-11 Thread Nick Couchman
On Fri, May 11, 2018 at 3:26 PM, Chris Duncan  wrote:

> Thanks for the pointer, however, could you clarify where I make use of
> these parameter tokens? When I configure a connection do I put the token
> variables in the username and password fields?
>

Yes, exactly - so, in the username field you would put ${GUAC_USERNAME} and
in the password field ${GUAC_PASSWORD}.

-Nick


Re: How to assign connections to an LDAP-authenticated user

2018-05-04 Thread Nick Couchman
On Fri, May 4, 2018 at 7:22 AM, rvarela  wrote:

> Nick
>
> The version of guacamole I am using is 0.9.14
>
> the tomcat7 error file is located at
> /var/lib/tomcat7/logs/catalina.out and it shows me this:
>
> may 04, 2018 1:12:12 PM
> com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
> INFORMACIÓN: Initiating Jersey application, version 'Jersey: 1.17.1
> 02/28/2013 12:47 PM'
> may 04, 2018 1:12:13 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to
> GuiceManagedComponentProvider with the scope "Singleton"
> may 04, 2018 1:12:15 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding
> org.apache.guacamole.rest.extension.ExtensionRESTService to
> GuiceManagedComponentProvider with the scope "PerRequest"
> may 04, 2018 1:12:15 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding org.apache.guacamole.rest.
> language.LanguageRESTService
> to GuiceManagedComponentProvider with the scope "PerRequest"
> may 04, 2018 1:12:15 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding org.apache.guacamole.rest.patch.PatchRESTService to
> GuiceManagedComponentProvider with the scope "PerRequest"
> may 04, 2018 1:12:15 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding org.apache.guacamole.rest.auth.TokenRESTService to
> GuiceManagedComponentProvider with the scope "PerRequest"
> may 04, 2018 1:12:15 PM
> com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory
> getComponentProvider
> INFORMACIÓN: Binding org.apache.guacamole.rest.session.SessionRESTService
> to
> GuiceManagedComponentProvider with the scope "PerRequest"
> may 04, 2018 1:12:15 PM org.webjars.servlet.WebjarsServlet init
> INFORMACIÓN: WebjarsServlet initialization completed
> may 04, 2018 1:12:15 PM org.apache.catalina.startup.HostConfig
> deployDirectory
> INFORMACIÓN: Despliegue del directorio /var/lib/tomcat7/webapps/ROOT de la
> aplicación web
> may 04, 2018 1:12:17 PM org.apache.coyote.AbstractProtocol start
> INFORMACIÓN: Starting ProtocolHandler ["http-bio-8080"]
> may 04, 2018 1:12:17 PM org.apache.catalina.startup.Catalina start
> INFORMACIÓN: Server startup in 22773 ms
> 13:12:31.137 [http-bio-8080-exec-2] INFO  o.a.g.r.auth.
> AuthenticationService
> - User "rvarela" successfully authenticated from 10.2.10.124.
>
>
Is your user account being logged in with your LDAP username/password, or
is it from the user-mapping.xml file?

-Nick


Re: How to assign connections to a user authenticated via LDAP

2018-05-04 Thread Nick Couchman
On Fri, May 4, 2018 at 6:41 AM, rvarela  wrote:

> Nick.
>
> I ran the command you gave me, ldapsearch -b dc=proyectoasir,dc=net
> -x -D cn=admin,dc=proyectoasir,dc=net -W cn=conexionwindows, and I get
> this:
>
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: Select User Connection Restricted by Source IP

2018-05-15 Thread Nick Couchman
>
>
> > Off the top of my head:
> >
> > * You step away from the computer and need to check something via your
> > phone.
> >
> > * You lock your screen at work without logging out from guac, head home,
> > and need to log in again.
> >
> > * You are using an anonymizing service which changes IP occasionally.
> >
> > - Mike


> Sure, all of the three cases are valid, but regardless of their
> justifiability they are a perfect case for an attacker to mask his activity.
>

This could be said of many different pieces of functionality, at many
different levels across many different technologies.  The perfectly secure
computer is locked in a safe and completely powered off, but it isn't very
useful.  The perfectly usable computer is accessible to everyone with no
restrictions, but lacks any notion of security.  The rest of the spectrum
is a trade between security and functionality.  Perhaps in your use-case or
environment restricting users to a single IP is a requirement or something
that you strongly desire.  That's great, you're welcome to implement it
that way.  For most of the rest of us, our ability to use the software from
multiple IP addresses concurrently is an acceptable risk with beneficial
functionality, and there are other risks that merit more time and attention
- like multi-factor authentication.


> Whether to enable them or not is a matter of choice and a matter of
> required
> defense grade.
>
>
I agree, and if you'd like to implement a modification or an extension that
restricts users to only log in from a single IP at a time, you are welcome
to - the software is open source, and you can fork/modify/contribute to it.
It's how I got started contributing to the project :-).  However, you
should understand that, because many other people don't consider this a
requirement, it is unlikely that 1) it will be adopted as a default behavior
of the software, or 2) that other developers will spend time implementing
such a feature in the near-term.

-Nick


Re: DNS or IP access without port number

2018-05-15 Thread Nick Couchman
On Tue, May 15, 2018 at 1:21 AM, Asbern  wrote:

> Hi all,
>
>
>
> I have successfully deployed guacamole, I could access via
> https://ip:8443/guacamole, but is it possible to access using IP alone
> without the port and the path?
>
>
>
>
>
Yes, it is possible to do both.  Deploying Guacamole without a path is
relatively simple - instead of naming the WAR file guacamole.war when you
copy it into the webapps folder, you name it ROOT.war.  The special name
"ROOT.war" causes it to be deployed at the base of the Tomcat install.

The port number requires a little bit more work, mainly because of security
restrictions.  Tomcat cannot run on any port lower than 1024 unless it is
run as the root user, which is not something you want to do.  So, the best
way to get Guacamole (or anything Tomcat-related) deployed on ports lower
than 1024 (like standard HTTP/HTTPS ports 80/443) is to proxy it through
either Nginx or Apache httpd.  There are instructions for this in the
Guacamole manual:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html

The other alternative is to use iptables to redirect traffic at the lower
ports to the higher ports, as described on the following pages:

https://glassonionblog.wordpress.com/2011/04/08/tomcat-redirecting-traffic-from-port-8080-to-80-using-iptables/
https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+on+Port+80+or+443+using+iptables

These methods *usually* work, but there can be issues with links
redirecting to the port Tomcat is actually running on, which are overcome
by the Proxy method.  It's usually worth investing the time in getting the
proxy configuration up and running - it's not that complicated, and, once
configured, works a lot more seamlessly.

-Nick


Re: custom record name

2018-05-15 Thread Nick Couchman
On Tue, May 15, 2018 at 8:19 AM, Leonardo Oliveira Ortiz <
leonardo.or...@marisolsa.com> wrote:

> Hello.
>
>
>
> How configure custom record names? We want something like
> “$USERNAME-$DATE.rec”
>
>
>
You can use tokens in the recording name.  They are documented here:
http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

For what you're trying to do, you'd use something like:
/path/to/recordings/${GUAC_USERNAME}-${GUAC_DATE}.rec

See the documentation for the full list of available tokens.

> Thanks for this amazing Project!
>

Glad you like it!

-Nick


Re: Increase FPS in VNC Session

2018-05-15 Thread Nick Couchman
On Wed, Apr 11, 2018 at 10:22 AM, JimL  wrote:

> Hi,
>
> Is it possible to increase the frame rate received through WebSocket in VNC
> session?
>
> For example, in TurboVNC, in case of low network, I can adjust the image
> compression level to increase my frame rate. Is this possible through
> Guacamole? Is it also possible to disable any image compression on
> Guacamole
> to give lossless image output?
>

Guacamole currently lacks the settings for compression to be able to do
this within the Guacamole Client interface; however, it can be done in
source code.  If you find such settings useful, you can open a JIRA issue
and request it as a feature.  However, compression is generally only a
problem if your system is either CPU or memory-bound, so if you're not
seeing excessive CPU utilization or memory problems, disabling it may not
make any difference.


>
> If such modifications are possible, could you give me some pointers on how
> to go about it in the source code?
>
>
They should be possible.  I suggest taking a look at the
LibVNCServer/LibVNCClient documentation:

https://libvnc.github.io/doc/html/group__libvncclient__api.html

It contains information on the function calls for setting encoding and
compression.  The Guacamole Server code initializes the VNC (rfb) client,
here:

https://github.com/apache/guacamole-server/blob/b61a6ab758177b4d4cec4a3a0a2f51a3e76c3772/src/protocols/vnc/vnc.c#L127



You can see there that the encodings get initialized from the provided
options, and then the call to rfbInitClient contains two parameters set to
NULL - you can set those as documented in the API documentation and see
what happens.

-Nick


Re: Guamole with ldap getting error.

2018-05-17 Thread Nick Couchman
On Thu, May 17, 2018 at 09:56 Jaya Chandra  wrote:

> Also, below is the error
>
> slapd[1179]: conn=1062 fd=13 ACCEPT from IP=[::1]:49136 (IP=[::]:389)
>  slapd[1179]: conn=1062 op=0 BIND
> dn="cn=ppadmin,ou=AETC,ou=Users,ou=Admins,dc=AETC,dc=INTERNAL" method=128
>  slapd[1179]: conn=1062 op=0 RESULT tag=97 err=49 text=
>  slapd[1179]: conn=1062 op=1 UNBIND
>  slapd[1179]: conn=1062 fd=13 closed
>   slapd[1179]: conn=1063 fd=13 ACCEPT from IP=[::1]:49604 (IP=[::]:389)
>   slapd[1179]: conn=1063 op=0 BIND
> dn="cn=ppadmin,ou=AETC,ou=Users,ou=Admins,dc=AETC,dc=INTERNAL" method=128
>   slapd[1179]: conn=1063 op=0 RESULT tag=97 err=49 text=
>   slapd[1179]: conn=1063 op=1 UNBIND
>   slapd[1179]: conn=1063 fd=13 closed
>

Yes, slapd is telling you exactly the same thing that ldapadd told you:
your credentials are incorrect.  Either you're using a user account that
doesn't exist (ppadmin), the wrong DN for that account, or an incorrect
password for that account.

This is not an issue with Guacamole, nor is anything wrong with your LDAP
server or client - you just need to use the correct credentials to log in.

If you're looking for help in resolving this issue you will have much
better success on one of the Open LDAP mailing lists.

-Nick


Re: Guamole with ldap getting error.

2018-05-16 Thread Nick Couchman
On Wed, May 16, 2018 at 11:05 jaya  wrote:

> Hi
>
> I am getting below error while connecting to ldapadd.
>
> ldap_bind: Invalid credentials (49)


It is exactly as it is telling you - you're using incorrect credentials.
Check to make sure they are correct - both the ones you're using to log in
and the credential for searching if you've entered that.

-Nick


Re: open new tabs for connections

2018-05-15 Thread Nick Couchman
On Tue, May 15, 2018 at 2:55 PM, robertkwild  wrote:

> hi all,
>
> atm when im in guacamole and connect to a session ie RDP VNC etc it opens
> the connection on the current tab so i have to click back to access the
> admin panel and i lose my current connection to that server
>
> is there a way so that when i connect to a session it opens it in a new tab
>

Yep, Right-Click -> Open in New Window/Tab.  :-)

Unless you mean, is there a way to make that the default, so that
left-clicking *always* opens in a new Window/Tab, in which case the answer
is, no, there is no option for that today.

-Nick


Re: 9.14 - Built failed with 2 error

2018-05-24 Thread Nick Couchman
On Thu, May 24, 2018 at 4:38 PM, sebastienbeausoleil <
sebast...@nubilogic.com> wrote:

> Hi, I tried to build the guacamole-server 9.14 but here is the 2 errors
> happening during the make process:
>
> make  all-recursive
> make[1]: Entering directory '/guacamole/guacamole-server-0.9.14'
> Making all in src/libguac
> make[2]: Entering directory '/guacamole/guacamole-server-0.9.14/src/libguac'
>   CC   libguac_la-audio.lo
>   CC   libguac_la-client.lo
>   CC   libguac_la-encode-jpeg.lo
>   CC   libguac_la-encode-png.lo
>   CC   libguac_la-error.lo
>   CC   libguac_la-hash.lo
>   CC   libguac_la-id.lo
>   CC   libguac_la-palette.lo
>   CC   libguac_la-parser.lo
>   CC   libguac_la-pool.lo
>   CC   libguac_la-protocol.lo
>   CC   libguac_la-raw_encoder.lo
>   CC   libguac_la-socket.lo
>   CC   libguac_la-socket-broadcast.lo
>   CC   libguac_la-socket-fd.lo
>   CC   libguac_la-socket-nest.lo
>   CC   libguac_la-socket-tee.lo
>   CC   libguac_la-timestamp.lo
>   CC   libguac_la-unicode.lo
>   CC   libguac_la-user.lo
>   CC   libguac_la-user-handlers.lo
>   CC   libguac_la-user-handshake.lo
>   CC   libguac_la-wait-fd.lo
>   CC   libguac_la-encode-webp.lo
>   CC   libguac_la-socket-ssl.lo
>   CCLD libguac.la
> ar: `u' modifier ignored since `D' is the default (see `U')
> make[2]: Leaving directory '/guacamole/guacamole-server-0.9.14/src/libguac'
> Making all in src/common
> make[2]: Entering directory '/guacamole/guacamole-server-0.9.14/src/common'
>   CC   libguac_common_la-io.lo
>   CC   libguac_common_la-blank_cursor.lo
>   CC   libguac_common_la-clipboard.lo
>   CC   libguac_common_la-cursor.lo
>   CC   libguac_common_la-display.lo
>   CC   libguac_common_la-dot_cursor.lo
>   CC   libguac_common_la-ibar_cursor.lo
>   CC   libguac_common_la-iconv.lo
>   CC   libguac_common_la-json.lo
>   CC   libguac_common_la-list.lo
>   CC   libguac_common_la-pointer_cursor.lo
>   CC   libguac_common_la-recording.lo
>   CC   libguac_common_la-rect.lo
>   CC   libguac_common_la-string.lo
>   CC   libguac_common_la-surface.lo
>   CCLD libguac_common.la
> ar: `u' modifier ignored since `D' is the default (see `U')
> make[2]: Leaving directory '/guacamole/guacamole-server-0.9.14/src/common'
> Making all in tests
> make[2]: Entering directory '/guacamole/guacamole-server-0.9.14/tests'
> make[2]: Nothing to be done for 'all'.
> make[2]: Leaving directory '/guacamole/guacamole-server-0.9.14/tests'
> Making all in src/common-ssh
> make[2]: Entering directory 
> '/guacamole/guacamole-server-0.9.14/src/common-ssh'
>   CC   libguac_common_ssh_la-buffer.lo
>   CC   libguac_common_ssh_la-dsa-compat.lo
>   CC   libguac_common_ssh_la-rsa-compat.lo
>   CC   libguac_common_ssh_la-sftp.lo
>   CC   libguac_common_ssh_la-ssh.lo
>   CC   libguac_common_ssh_la-key.lo
>   CC   libguac_common_ssh_la-user.lo
>   CCLD libguac_common_ssh.la
> ar: `u' modifier ignored since `D' is the default (see `U')
> make[2]: Leaving directory '/guacamole/guacamole-server-0.9.14/src/common-ssh'
> Making all in src/terminal
> make[2]: Entering directory '/guacamole/guacamole-server-0.9.14/src/terminal'
>   CC   libguac_terminal_la-buffer.lo
>   CC   libguac_terminal_la-char_mappings.lo
>   CC   libguac_terminal_la-common.lo
>   CC   libguac_terminal_la-display.lo
>   CC   libguac_terminal_la-named-colors.lo
>   CC   libguac_terminal_la-palette.lo
>   CC   libguac_terminal_la-scrollbar.lo
>   CC   libguac_terminal_la-terminal.lo
>   CC   libguac_terminal_la-terminal_handlers.lo
>   CC   libguac_terminal_la-typescript.lo
> typescript.c: In function ‘guac_terminal_typescript_alloc’:
> typescript.c:133:46: error: ‘%s’ directive writing 6 bytes into a region of 
> size between 0 and 2047 [-Werror=format-overflow=]
>  sprintf(typescript->timing_filename, "%s.%s", typescript->data_filename,
>   ^~
> In file included from /usr/include/stdio.h:862:0,
>  from typescript.c:28:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:33:10: note: 
> ‘__builtin___sprintf_chk’ output between 8 and 2055 bytes into a destination 
> of size 2048
>return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
>   ^~
>__bos (__s), __fmt, __va_arg_pack ());
>~
> cc1: all warnings being treated as errors
>
>
I'm guessing that you're using a new-ish version of GCC - 7.x, maybe?  I
believe this issue was fixed in a commit to the master - can you try
checking out the git master branch and see if that compiles cleanly?

-Nick
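The diagnostic quoted above, reproduced in miniature as an added example (this is not the guacamole-server source and not the upstream fix). The 2048-byte destination and 6-byte second argument come from the compiler output; the struct, the function names and the "timing" suffix value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 2048        /* destination size reported by GCC */
#define TIMING_SUFFIX "timing"    /* constructed 6-byte suffix (assumption) */

/* Hypothetical stand-in for the structure named in the warning: two
 * filename buffers of the same size, one derived from the other. */
typedef struct {
    char data_filename[NAME_BUF_SIZE];
    char timing_filename[NAME_BUF_SIZE];
} typescript_names;

/* Bytes an unbounded sprintf(dst, "%s.%s", data, suffix) would write,
 * counting the terminating NUL. With a 2047-character data filename and a
 * 6-byte suffix this is 2055, the upper bound GCC reports. */
size_t unbounded_output_size(const char *data_filename, const char *suffix) {
    return strlen(data_filename) + 1 + strlen(suffix) + 1;
}

/* Bounded construction: returns 0 on success. If the result would not fit,
 * returns -1 and leaves timing_filename empty instead of silently truncated
 * (a truncated name could point at a different file than intended). */
int build_timing_filename(typescript_names *names, const char *suffix) {
    int written = snprintf(names->timing_filename,
                           sizeof(names->timing_filename),
                           "%s.%s", names->data_filename, suffix);
    if (written < 0 || (size_t) written >= sizeof(names->timing_filename)) {
        names->timing_filename[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    typescript_names names;
    memset(&names, 0, sizeof(names));

    /* Ordinary case: plenty of room. */
    strcpy(names.data_filename, "/tmp/typescript");
    if (build_timing_filename(&names, TIMING_SUFFIX) == 0)
        printf("ok: %s\n", names.timing_filename);

    /* Worst case the compiler reasons about: data filename fills its
     * buffer, so appending ".timing" cannot fit in an equal-sized buffer. */
    memset(names.data_filename, 'a', NAME_BUF_SIZE - 1);
    names.data_filename[NAME_BUF_SIZE - 1] = '\0';
    printf("unbounded sprintf would write %zu bytes into %d\n",
           unbounded_output_size(names.data_filename, TIMING_SUFFIX),
           NAME_BUF_SIZE);
    if (build_timing_filename(&names, TIMING_SUFFIX) != 0)
        printf("rejected: name does not fit\n");
    return 0;
}
```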


Re: RDP Issue

2018-05-24 Thread Nick Couchman
On Thu, May 24, 2018 at 12:47 PM, jaya  wrote:

> Hi. While trying to connect to RDP I am getting the below error. You have been
> disconnected. In windows log i found below one. The connection is not using
> advanced RemoteFX RemoteApp graphics. Please help.


If you included an attachment or embedded image, it got stripped out.
Please post text of the error.  Also look at the guacd logs (and start
guacd in debug mode with "-L debug") and see if any errors show up there.

-Nick


Re: Live Preview Dashboard

2018-06-07 Thread Nick Couchman
On Mon, May 14, 2018 at 1:15 PM, petapixel  wrote:

> Thanks for the quick reply! I misspoke about the "live preview". The recent
> connections preview is definitely enough; doesn't need to be real-time.
>
> The goal is to generate a set of users and connections and then create a
> "master" user that can access all connections previous generated. An
> example
> would be: create 5 users, attach each user to a unique RDP connection with
> sharing profiles. Finally create a user that has all connections available
> and give that user a "dashboard link" that provides a "recent connections"
> type of preview for all the available connections. The "preview" could be
> blank or non-existent if the connection isn't being actively used. If the
> connection is active, it would be nice to have a screen sharing link
> generated "on-click" and opened a new tab or window. This would remove the
> need for all of the unique users to manually generate the screen sharing
> link and provide it to the master user.
>
>
This sounds really similar to things that several other folks have
requested - basically, the ability to "publish," more or less, shared
connections, either voluntarily (user clicks Share Connection and it makes
it available on the Guacamole Home Page) or forcibly (certain user always
has "shared" access to active connections).  I expect this will get
implemented at some point in the future - you might look through the JIRA
issues that are open and see if you can find one that matches what you're
asking for and follow that.

-Nick


Re: More containers?

2018-06-16 Thread Nick Couchman
On Sat, Jun 16, 2018 at 6:11 PM Mike Jumper 
wrote:

> On Sat, Jun 16, 2018 at 7:22 AM, Joachim Lindenberg <
> joac...@lindenberg.one> wrote:
>
>> ...
>>
>> (I am aware of that ADD is kind of deprecated). What I don't understand
>> is why I use /ext/ and in fact the files end up in /root/.guacamole/.
>>
>
> Copying the provided template GUACAMOLE_HOME into place is part of the
> Docker image's startup process:
>
>
> https://github.com/apache/guacamole-client/blob/984ab48ce8dbbb5b9949ce1f5e5f774168b4830b/guacamole-docker/bin/start.sh#L340-L352
>
> The Docker image (somewhat confusingly) uses its own GUACAMOLE_HOME
> variable to define the location that should serve as the basis for the
> webapp's GUACAMOLE_HOME. As the GUACAMOLE_HOME environment variable has
> special meaning to the web application, it is explicitly forced back to
> ~/.guacamole/ with your custom value stored in GUACAMOLE_HOME_TEMPLATE:
>
>
> https://github.com/apache/guacamole-client/blob/984ab48ce8dbbb5b9949ce1f5e5f774168b4830b/guacamole-docker/bin/start.sh#L31-L33
>
> To some extent this also clarifies how to include multiple extensions:
>> just add all of them. However it is not really a modular approach then.
>>
>
> How is separating things into distinct extensions not modular?
>

I don't think the point was that extensions are not modular, I believe it
was that adding all possible extensions to the container defeats the
modular nature of extensions, and I agree.  The solution to trying to
figure out how to get multiple extensions into the Docker image should not
be to just dump them all in.


>
> ·   what I dislike about the docker file above is, that I have to
>> include the configuration with the code and force a rebuild on every
>> configuration change. Imho being able to separate code and data is one of
>> the key aspects in using containers.
>>
>
> I believe this is an aspect of the approach the unmodified Docker image
> already takes. With the exception of third-party customizations (which
> naturally can't be part of the mainline Docker image), the container is
> self-contained and driven by configuration provided through environment
> variables.
>
> You will need to dynamically generate your guacamole.properties during
> container startup (like the existing start.sh does) if you wish to avoid
> rebuilding the image.
>
> Maybe I am just unaware of a better approach, but what comes to my mind is
>> that it would be great to have distinct environment variables pointing to
>> extensions directory vs guacamole configuration. For compatibility reasons
>> the extensions directory variable can still default to the existing
>> definition.
>>
>
> I disagree here.
>
> Though the Docker image layers its own semantics on top of GUACAMOLE_HOME
> (let's set those aside for the moment as they are not a part of the
> webapp), the point of the main GUACAMOLE_HOME directory with respect to
> Guacamole configuration is to be able to rely upon convention. Once the
> location of GUACAMOLE_HOME is defined, the locations of all
> Guacamole-specific configuration files, all extensions, etc. are known and
> rigorous.
>
>
It's also worth noting that one of the changes to the current code that
will be released in version 1.0.0 is the ability to define any of the
guacamole.properties options using environment variables.  This was
introduced in GUACAMOLE-464, and should add some flexibility to the process
of configuring Guacamole in a container environment by allowing those
options to be configured entirely in the environment without writing the
guacamole.properties file, if you choose to do it that way.

-Nick


Re: adding audio support for vnc connections

2018-06-16 Thread Nick Couchman
On Sat, Jun 16, 2018 at 7:30 PM robertkwild  wrote:

> hi,
>
> now i have pulseaudio working on a vnc users connection
>
> how do i add audio for the other vnc connection users, so they all have
> audio
>
> atm it just works for one vnc user and not the others
>
> is this because pulseaudio only uses one port number?
>
>
This gets a little beyond my knowledge of PulseAudio - I think you're
probably on the right track in thinking that the single port number is the
issue - not necessarily the single port number, but the single instance of
PulseAudio on the VNC server, and the fact that PulseAudio is not "coupled"
in any way to the VNC session, means that it's hard (impossible) for
PulseAudio to know which user session should be associated with which
PulseAudio client.

There are two ways to work around this - one is to have a single user (VNC
Session, Pulse Audio Session) per VNC server so that you just avoid the
problem - you can use load balancing on the front-end to make it easy for
folks to connect, and the load balancing, either through Guacamole
(Connection Groups), HAProxy, or something like Amazon's Elastic Load
Balancer (ELB) would allow you to send the VNC and Pulse connections to the
same system.  With 1 VNC/Pulse session per system, you don't have to worry
about it.

The other option would be to run PulseAudio as a user process rather than a
system process, and start it up with the VNC session.  The theory would be
that you could put each user on a different PulseAudio port and have
PulseAudio start up as a user process when VNC launches their session.  In
reality, I don't know how well this would work - for one thing, you'd
either have to delay the startup on the PulseAudio client on the
client-side until PulseAudio were running on the server side (doable with
VNCViewer + PulseAudio, but harder with Guacamole), and, for another thing,
you'd have to have some way to dynamically calculate and allocate
PulseAudio ports, and communicate that over to the client such that either
the user knows which port to connect to or the client is able to determine
it automatically.  This wouldn't really work at all with Guacamole, it's
really only doable in a VNCViewer + PulseAudio setup, and, even then, it
would take a little doing to make it happen.

-Nick


Re: More containers?

2018-06-16 Thread Nick Couchman
On Sat, Jun 16, 2018 at 10:23 AM Joachim Lindenberg 
wrote:

> Hello Nick, all,
>
> I finally found some time to invest into experimenting with docker,
> docker-compose, and guacamole. Good news is, I can run guacamole dockerized
> now, even with docker-compose.
>
> Now the challenges:
>
> ·   as I am running an extension I wanted to make this available in a
> separate (data) container in order not to change your existing ones but
> expose a data volume with the extensions directory. This appears to be
> difficult and also depending on the version of compose (and file). Actually
> I gave up on that one for now, but any suggestions or examples welcome.
>
This is not difficult, this is impossible.  The extensions *must* be in the
same container as the main Tomcat instance that runs Guacamole.  These
extensions are loaded by the Guacamole Client as it is deployed by Tomcat,
so it is really not possible to run extensions in separate containers.  It
doesn't matter if you're sharing the GUACAMOLE_HOME directory or the Tomcat
WebApps directory or the entire filesystem between two containers, you
cannot run an extension in a separate container from the main Guacamole
Client (guacamole.war file).

- Nick


Re: 9.14 - RDP Printing not work SYSLOG shows "running gs"

2018-06-13 Thread Nick Couchman
On Wed, Jun 13, 2018 at 12:21 PM sebastienbeausoleil <
sebast...@nubilogic.com> wrote:

> Hi, I figure how to set the RDP Guacamole Virtual Printer, but when I
> print, it seems to be stuck with GhostScript
>
> Jun 13 16:05:56 guacamole2 guacd[2063]: No security mode specified. 
> Defaulting to RDP.
> Jun 13 16:05:56 guacamole2 guacd[2063]: Resize method: none
> Jun 13 16:05:56 guacamole2 guacd[2063]: User 
> "@cd977f4c-c79f-4a13-a8b8-b5cbd48a6f52" joined connection 
> "$617cce9c-e8d8-4237-bf10-b66c9dd16b7a" (1 users now present)
> Jun 13 16:05:56 guacamole2 guacd[2063]: Loading keymap "base"
> Jun 13 16:05:56 guacamole2 guacd[2063]: Loading keymap "en-us-qwerty"
> Jun 13 16:05:56 guacamole2 guacd[2063]: guacdr connected.
> Jun 13 16:05:56 guacamole2 guacd[2063]: guacsnd connected.
> Jun 13 16:05:57 guacamole2 guacd[2063]: Connected to RDPDR 1.12 as client 
> 0x0004
> Jun 13 16:05:57 guacamole2 guacd[2063]: Ignoring server capability set 
> type=0x0001, length=44
> Jun 13 16:05:57 guacamole2 guacd[2063]: Ignoring server capability set 
> type=0x0002, length=8
> Jun 13 16:05:57 guacamole2 guacd[2063]: Ignoring server capability set 
> type=0x0003, length=8
> Jun 13 16:05:57 guacamole2 guacd[2063]: Ignoring server capability set 
> type=0x0004, length=8
> Jun 13 16:05:57 guacamole2 guacd[2063]: Ignoring server capability set 
> type=0x0005, length=8
> Jun 13 16:05:57 guacamole2 guacd[2063]: Sending capabilities...
> Jun 13 16:05:57 guacamole2 guacd[2063]: Capabilities sent.
> Jun 13 16:05:57 guacamole2 guacd[2063]: Client ID confirmed
> Jun 13 16:06:03 guacamole2 guacd[2063]: User logged on
> Jun 13 16:06:03 guacamole2 guacd[2063]: Sending printer
> Jun 13 16:06:03 guacamole2 guacd[2063]: Registered device 0 (Guacamole 
> Printer)
> Jun 13 16:06:03 guacamole2 guacd[2063]: All supported devices sent.
> Jun 13 16:06:03 guacamole2 guacd[2063]: Device 0 (Guacamole Printer) 
> connected successfully
> Jun 13 16:06:24 guacamole2 guacd[2063]: Print job created
> Jun 13 16:06:24 guacamole2 guacd[2063]: Created PDF filter process PID=2074
> Jun 13 16:06:24 guacamole2 guacd[2074]: Running gs
>
> It just stays stuck at running gs and nothing append on the browser.
> --
>

What are you trying to print?  Anything special - very long, special
character sets, etc.?

Do you see the "gs" process running?

-Nick


Re: adding audio support for vnc connections

2018-06-14 Thread Nick Couchman
On Thu, Jun 14, 2018 at 8:55 PM robertkwild  wrote:

> ok i have successfully done it via this command instead cutting out the acl
> network stuff -
>
> load-module module-native-protocol-tcp auth-anonymous=1
>
> now on the guacamole server when i click the connection it works
>
> but when i connect via vnc client ie realvnc it doesnt work so how can i
> get
> the vnc client to get the audio
>
>
I kind of doubt it'll work with just the straight VNC Client - the VNC
client would have to support audio, itself, and I don't know that any of
them do.  In Guacamole, this is all handled by guacd - guacd makes the VNC
connection, and then it makes a separate PulseAudio connection, and
encapsulates all of it in the Guacamole protocol stream.  So, as soon as
the VNC + PulseAudio connection hits guacd, it's no longer VNC +
PulseAudio, it's Guacamole.  The VNC client would have to do exactly the
same thing that guacd is doing - that is, it would need to make both the
VNC connection *and* the PulseAudio connection in order to provide the
audio.  Perhaps one of the VNC clients does that, I'm not sure - I haven't
used them in a long time - but I kind of doubt it.

The one option you do have with something like VNCViewer is to run the
PulseAudio system as a client on the same system that's running the
VNCViewer software, and make the network connection to the VNCServer's
PulseAudio port.  Guacamole abstracts these details from you, for the most
part - that is, with Guacamole, you're not required to manually establish
separate connections for both VNC and Pulse - guacd does it all for you.
If you're using VNCViewer, though, you'll have to do it manually.

-Nick


Re: adding audio support for vnc connections

2018-06-14 Thread Nick Couchman
On Thu, Jun 14, 2018 at 18:56 robertkwild  wrote:

> mmm... think i know why its not working
>
> as the vnc server is on a VM with no sound card im pretty sure this is why?



No, you shouldn't need a sound card - the whole point of doing it over the
network is that the hardware need not be present in the server, it's using
what is available on the system with the browser.

Does the VNC server have a firewall running - iptables/firewalld?  This
could be blocking things, as well.

-Nick


Re: 9.14: SSH Handshake failed (extremeswitches)

2018-06-15 Thread Nick Couchman
On Fri, Jun 15, 2018 at 12:49 PM cchance  wrote:

> docker image
> (https://github.com/oznu/docker-guacamole/blob/master/Dockerfile) so
> appears
> to be libssh2-1-dev
>
>
Two things:
1) That doesn't tell me the version of the library.
2) That is not the official Guacamole docker image, nor a fork of that
image.  It looks like it is based on the official tomcat Docker image,
which also appears to be Debian-based, but it's hard to know what versions
of packages are being loaded there.

Also, while libssh2 appears to support diffie-hellman-group1-sha1, it does
appear to support ssh-dsa host keys - the web site lists ssh-rsa and
ssh-dss.

-Nick


Re: 9.14: SSH Handshake failed (extremeswitches)

2018-06-15 Thread Nick Couchman
On Fri, Jun 15, 2018 at 11:48 AM cchance  wrote:

> To log in to these switches normally we have to do +ssh-dsa and
> +diffie-hellman-group-sha1 in my ssh config for a pc to be able to cleanly
> ssh to one of these switches so not sure if that is whats causing issues
> when it comes time to connect with Guacamole...
>
> But every time I try to connect I get an SSH Handshake failed after
> entering
> a password, same when using a private key... Always just SSH Handshake
> failed...
>
> Any idea what I can do to fix the problem?
>
>
What type of system are you running guacd on?  What version of libssh2 is
installed?

-Nick


Re: adding audio support for vnc connections

2018-06-14 Thread Nick Couchman
On Thu, Jun 14, 2018 at 6:18 PM robertkwild  wrote:

> no the vnc server and guacamole server are different machines
>
> vnc server ip is 172.16.9.27
>
> guacamole server ip is 172.16.9.16
>
> so do i enter this on the vnc server with pulseaudio installed in the
> "/etc/pulse/default.pa" -
>
> load-module module-native-protocol-tcp auth-ip-acl=172.16.9.16/21
> auth-anonymous=1 
>
>
Since it's an ACL, you probably want to put in:

load-module module-native-protocol-tcp auth-ip-acl=172.16.9.16/32 auth-anonymous=1

Depending on how pulse interprets the /21, you might be opening it up to
the entire 172.16.8.0/21 subnet, rather than just the guacd host.  If you
use the /32 it'll be limited to only the guacd host, which, with anonymous
authentication, is probably what you want.


> or can i just put this in -
>
> load-module module-native-protocol-tcp auth-anonymous=1
>
>
I'm not familiar enough with Pulse Audio's behavior to know if this would
be completely locked down (no access if missing the auth-ip-acl) or allow
everything (all access if missing auth-ip-acl).  But, either way, probably
not what you want.

-Nick
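A check for the /21 versus /32 question above, as an added example (not PulseAudio or Guacamole code): it reads the auth-ip-acl value from a load-module line and reports which entries admit more than one address. It assumes the standard CIDR reading of the prefix, IPv4 entries only, and semicolons between multiple entries; the function and type names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Address span admitted by one ACL entry, in host byte order. */
typedef struct {
    uint32_t first;
    uint32_t last;
    int prefix;
} acl_range;

/* Parse "a.b.c.d" or "a.b.c.d/len" (standard CIDR reading, an assumption
 * about how the ACL is interpreted). Returns 0 on success, -1 if malformed. */
int parse_acl_entry(const char *entry, acl_range *out) {
    char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(entry, '/');
    size_t addr_len = slash ? (size_t) (slash - entry) : strlen(entry);
    struct in_addr in;
    int prefix = 32;

    if (addr_len == 0 || addr_len >= sizeof(addr)) return -1;
    memcpy(addr, entry, addr_len);
    addr[addr_len] = '\0';
    if (inet_pton(AF_INET, addr, &in) != 1) return -1;

    if (slash) {
        char *end;
        long v = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || v < 0 || v > 32) return -1;
        prefix = (int) v;
    }

    uint32_t ip = ntohl(in.s_addr);
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    out->first = ip & mask;          /* host bits cleared */
    out->last = out->first | ~mask;  /* host bits set */
    out->prefix = prefix;
    return 0;
}

/* Count the auth-ip-acl entries on a load-module line that admit more than
 * one address; *widest receives the entry with the shortest prefix.
 * Returns -1 if the line has no auth-ip-acl or an entry is malformed. */
int count_broad_entries(const char *line, acl_range *widest) {
    static const char key[] = "auth-ip-acl=";
    const char *p = strstr(line, key);
    char value[256];
    int broad = 0, seen = 0;

    if (p == NULL) return -1;
    p += sizeof(key) - 1;
    size_t n = strcspn(p, " \t\r\n");   /* value ends at whitespace */
    if (n == 0 || n >= sizeof(value)) return -1;
    memcpy(value, p, n);
    value[n] = '\0';

    for (char *entry = value; entry != NULL; ) {
        char *sep = strchr(entry, ';');
        acl_range r;
        if (sep) *sep = '\0';
        if (parse_acl_entry(entry, &r) != 0) return -1;
        if (r.last != r.first) broad++;
        if (!seen || r.prefix < widest->prefix) *widest = r;
        seen = 1;
        entry = sep ? sep + 1 : NULL;
    }
    return broad;
}

/* Only the literal form used on this page is recognised. */
int is_anonymous(const char *line) {
    return strstr(line, "auth-anonymous=1") != NULL;
}

void print_range(const acl_range *r) {
    struct in_addr a, b;
    char sa[INET_ADDRSTRLEN], sb[INET_ADDRSTRLEN];
    a.s_addr = htonl(r->first);
    b.s_addr = htonl(r->last);
    inet_ntop(AF_INET, &a, sa, sizeof(sa));
    inet_ntop(AF_INET, &b, sb, sizeof(sb));
    printf("  widest entry /%d admits %s - %s (%llu addresses)\n", r->prefix,
           sa, sb, (unsigned long long) (r->last - r->first) + 1);
}

int main(void) {
    /* The two candidate lines discussed in the thread. */
    const char *lines[] = {
        "load-module module-native-protocol-tcp auth-ip-acl=172.16.9.16/21 auth-anonymous=1",
        "load-module module-native-protocol-tcp auth-ip-acl=172.16.9.16/32 auth-anonymous=1",
    };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        acl_range widest;
        int broad = count_broad_entries(lines[i], &widest);
        printf("%s\n", lines[i]);
        if (broad < 0) { printf("  no usable auth-ip-acl\n"); continue; }
        print_range(&widest);
        if (broad > 0 && is_anonymous(lines[i]))
            printf("  WARNING: anonymous access for more than one host\n");
    }
    return 0;
}
```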


Re: RDP Issue

2018-05-30 Thread Nick Couchman
On Wed, May 30, 2018 at 1:10 PM, Jaya Chandra  wrote:

> Hi Nick
>
> I am using  0.9.13-incubating
>  version.
>
> Thanks & Regards
>
>
You might try 0.9.14 or even the latest github master version, as there
have been several improvements in connection error handling in those two
versions.  I believe 0.9.14 introduced some additional checks for RDP
disconnect messages, and the git master includes a very recently-introduced
feature that warns about network instability.

If you update you will need to update both Guacamole Client and Server
(guacd).

-Nick


Re: Dynamic Session Creation

2018-05-30 Thread Nick Couchman
On Sun, May 20, 2018 at 4:58 PM, Felix Wolfheimer 
wrote:

> Hi Nick,
>
> thanks for your answer. Yes, I was talking about VNC sessions on Linux.
>  The scenario I have in mind is a cloud deployment with auto-scaling
> functionality:
>
> There's one instance where guacamole is installed. This instance is
> small, cheap, and runs 24/7. The applications used in the VNC sessions
> require decent 3D rendering performance and, thus, I want to host them
> on GPU instances. These instances are expensive and so I would like to
> only spin them up when there's demand for a session. I have a mechanism
> that can submit a script (which creates a VNC session) to a scheduling
> system (e.g. SLURM). This scheduling system is connected with an
> autoscaling mechanism, e.g., cfncluster, which starts session host
> instances if there's demand. The session starts on the new instance,
> and the session information is added to the guacamole_db.
> This is why I was thinking that it would be great to have a mechanism to
> trigger the submission of the session creation script to the scheduling
> system when a user logs in. As the start of an instance needs a moment,
> I would like to have some way to inform the user about what's going on
> in the background.
>


That makes sense.  You should be able to do something like this in a
Guacamole extension - monitor the number of users connected to a particular
connection or connection group, and then trigger something every time
there's a connect or disconnect.  I would imagine the most useful thing
would be event listeners:

http://guacamole.apache.org/doc/gug/event-listeners.html

If you trigger an action every time a connection is established or
terminated, you can scale it in such a way that you always have 1 or more
spare instances running (depending on how frequently and quickly you expect
users to connect), and that would do the trick.  If you wanted to go even
leaner than that, you could trigger it at user logon/logoff such that an
instance was started when a user logged on to Guacamole, and, if there was
sufficient time between logon and the user attempting to connect, this
might work, as well, without having to keep as many (any?) spare instances.

The other option is to use an external load balancer to accomplish this and
then just point Guacamole at the load balancer.  I'm all for implementing
cool extensions for Guacamole, but this may have some benefits,
particularly in cloud-type environments where you're given these tools.
I'm thinking of AWS where you can do EC2 + Elastic Load Balancer (ELB) and
ELB will actually manage the number of spare EC2 instances for you.  The
plus side to this is that, at least in the case of AWS, it's already
implemented.  You can also do some similar stuff with a load balancer like
HAProxy, where you can look at the current user count vs. maximum count and
start up or shut down instances with a script of some sort based on that.
I've done this in the past and it worked reasonably well.

Anyway, plenty of possibilities for you - post back and let us know what
you do and how it works!

-Nick


Re: Connection history and recordings?

2018-05-30 Thread Nick Couchman
On Wed, May 16, 2018 at 1:05 AM, Joachim Lindenberg 
wrote:

> I am trying to understand what I need to do in my extension to enable
> connection-history and whether it is feasible to include the recordings
> there (i.e. some browser interaction rather than command line). So far I
> looked at
>
> http://guacamole.apache.org/doc/gug/administration.html#connection-history
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html
>
> but I might miss a pointer.
>
> Also: is there any retention interval defined on these?
>
> Any hint?
>
> Thanks, Joachim
>

The biggest issue is that the recordings are generated by guacd, while the
extension is part of the Guacamole Client.  In order to integrate the two
you will need some way to couple the recordings on the guacd side with
whatever method you use to track them on the Guacamole Client side.

And, to answer your second question, neither guacd nor the Guacamole Client
currently enforce any retention interval on the recordings - there is no
setting for it, and it's up to you to keep them cleaned up.  Again, once
you have your extension written and you've found a way to connect the
recordings generated by guacd to the connections you may find it easier to
also implement a way to enforce retention.

-Nick


Re: 4-eyes session view without user sharing the connection

2018-05-30 Thread Nick Couchman
On Mon, Apr 9, 2018 at 3:51 AM, Kalle Jääskeläinen <
kalle.jaaskelai...@gmail.com> wrote:

> Hi,
>
> I tried to search for old posts as well as Jira but couldn't find an easy
> answer to the following.
>
> Is it somehow possible for an admin (e.g. guacadmin who can see and kill
> active connections) to jump into the session and watch it real time without
> user first sharing the connection and sending the sharing URL?
>
> In case of 3rd party vendor access, we would like to be able to watch the
> sessions without requiring user to share the connection first.
>
> Ideally this would be a feature in the UI in Active Connections where you
> could select the session and have a “Watch Session” button next to “Kill
> Session”.
>
> thanks
>
>
This is currently not implemented, though there have been several requests
for it lately, so it seems to be gaining some popularity.  I believe there
are two different JIRA issues open right now that deal with various aspects
of this.

-Nick


Re: Using the Caddy web server as a reverse proxy

2018-05-29 Thread Nick Couchman
On Tue, May 29, 2018 at 7:34 AM, Chris Duncan  wrote:

> Hi,
>
> I've been using the Caddy web server (https://caddyserver.com) as a
> reverse proxy with great success. Does anyone else here use Caddy? Are
> there any plans to add a Caddy section to the Guacamole manual?
>
>
To be honest, I've never even heard of it up until now.  Not sure if there
are any other opinions on adding documentation, but I'm not opposed to it -
I've certainly been on the admin side of trying to find documentation for
integrating Open Source Project X with Commercial Product Y and believe
more knowledge is better :-).  You're welcome to fork the guacamole-manual
repo on github (https://github.com/apache/guacamole-manual), modify it, and
submit a pull request with the changes to add that documentation in to the
manual.

-Nick


Re: Device redirection issue

2018-06-01 Thread Nick Couchman
On Fri, Jun 1, 2018 at 7:05 AM, Oliver.Zhan 
wrote:

> In Guacamole, when I remotely access a Win7 machine that is playing music, I
> cannot hear the sound.
>
>
>

If you connect from another RDP client on the same system that you're
logging in with Guacamole, can you hear the sound?

Can you describe your Guacamole environment:
- Guacamole Client version
- Guacamole Server version
- FreeRDP version
- What browser you're using, including version

?


> But In the guacamole User's Guide document, it say that Audio redirection
> will be enabled by default.
>

Yes, it will - you must explicitly disable audio support if you don't want
it.


>
>
> Then I enable the Support audio in console , I still can not hear the
> sounds.
>
>
>
> What is wrong? Please help me Nick.
>

It's best to address the entire community - this isn't my project or my
mailing list, so best to include everyone.  There are many people who have
fought with RDP Audio issues and Guacamole, so their experiences may be
much more beneficial than my advice.

-Nick


Re: Guacamole 0.9.14 with remote mysql db

2018-05-28 Thread Nick Couchman
On Mon, May 28, 2018 at 10:34 AM, riccardopiccoli <
riccardopiccoli...@gmail.com> wrote:

> Hello everyone.
> I am experiencing an issue using remote MySQL database authentication on
> Guacamole 0.9.14.
> I am using Guacamole 0.9.14, compiled from source on Ubuntu 18.04 LTS. My
> servlet container is Tomcat 8, and I am using MySQL as authentication
> database. As long as Guacamole (and guacd) and the MySQL instance are on
> the
> same machine (let's call it the "Guacamole Server"), everything is fine.
> The problem is, as soon as I try to use MySQL db on a different machine
> (let's call it a "DB Server") I get blank page on
> [guacamole-server]:8080/Guacamole/#/ (where the login form should be) and
> nothing else. Tomcat's webapp manager says that guacamole.war is working
> alright, and there are no errors from guacd on syslog. The only error
> message I get is a "500 Internal Server Error" (I pasted the full text at
> the end of this mail), which appears on catalina.out whenever I try to
> access (or refresh) [guacamole-server]:8080/Guacamole/#/.
> If I go back to using the local MySQL db, the login page and everything
> beyond it are good again.
> The only change I make in my configuration between the two scenarios is in
> /etc/guacamole/guacamole.properties, where I change "mysql-hostname:" from
> "localhost" to the static IP of my "DB Server", or vice versa.
> In either scenario, I can manually login to the remote MySQL instance of
> guacamole_db using -u guacamole_user -h [address-of-db-server].
> "Guacamole Server" and "DB Server" are on the same subnet and can ping each
> other. The "DB Server" is listening on 3306 and tcpdump shows mysql
> messages
> coming and going on both ends when I attempt to connect (and the login page
> stays blank).
> I have already tried rebuilding remote db from schemas (it was initially
> imported from dump), rebuild guacamole on a fresh ubuntu installation,
> setting blank password for guacamole_user, giving him ALL PRIVILEGES ON
> *.*,
> identifying him as 'guacamole_user'@'%' (instead of providing a
> restrictive
> source ip) and copying Connector/J to "DB Server", but every time I get the
> same error.
> I think a similar issue has already been documented in this thread
> (https://www.mail-archive.com/user@guacamole.incubator.apache.org/msg02356.html)
> but it looks like no solution was found at the time.
> If anyone has any idea on what could be causing this, please let me know.
>
> The error code in catalina.out is:
>

You might need to provide a more complete error log, or put your Guacamole
instance into DEBUG or TRACE logging (described in the manual, using the
logback.xml file).

I would check a couple of things:
- On the system running Guacamole, using the MySQL client to try to connect
to your remote database server, using the same credentials you expect
Guacamole to use.
- When you say DB server is listening on 3306, make sure it's listening on
all interfaces and not just on the localhost interface.
- Make sure no network firewalls are preventing or dropping the traffic.

-Nick


Re: SSH sessions show blank screen after login

2018-06-01 Thread Nick Couchman
On Fri, Jun 1, 2018 at 11:24 AM, dedwards913 
wrote:

> Thanks Nick.  When I try SSH from the guac server command line, I get
> "connection refused".
>

This sounds like a network issue.  Is the system running guacd on a
different network from your desktop?  It almost sounds like there's an ACL
or firewall preventing the guacd system from communicating with the devices
you're trying to manage.

-Nick


Re: http-bio-8080-exec-17] WARN o.a.i.d.pooled.PooledDataSource - Execution of ping query 'SELECT 1' failed: The last packet successfully received from the server was 50,901,742 milliseconds ago.

2018-06-29 Thread Nick Couchman
On Fri, Jun 29, 2018 at 12:24 jaya  wrote:

> Hi
>
> I saw below error.
>
> http-bio-8080-exec-17] WARN  o.a.i.d.pooled.PooledDataSource - Execution of
> ping query 'SELECT 1' failed: The last packet successfully received from
> the
> server was 50,901,742 milliseconds ago.


This indicates connectivity problems between the system running Guacamole
Client (Tomcat) and the system running the database that you're using.  If
they are running on the same system this could indicate that the database had
crashed.  If you're running the database and Tomcat on different systems
then it could indicate a connectivity problem between the systems.

-Nick

>
>
> Also, my section is connecting out. In guacamole properties i have put
> time
> out  connection for 60 minutes and asking for login again. Please help me.


What property did you set, what value did root specify, and how long is it
taking to time out?

-Nick


Re: Debian Stretch and FreeRDP ca1cec6

2018-06-26 Thread Nick Couchman
On Tue, Jun 26, 2018 at 9:44 AM Rocky Borrego 
wrote:

> Hi!
>
> Last year I was able to get RDP working with Display Update.  I got it
> working by building FreeRDP ca1cec6 on Debian Jessie following the
> instruction in the FreeRDP wiki
> .
>
> We are now upgrading to Debian Stretch and tried the same process but am
> getting the following build error:
> CMake Error at channels/client/CMakeLists.txt:27 (list):
>   list sub-command REMOVE_DUPLICATES requires list to be present.
>
> Is there workaround for getting ca1cec6 to build on Stretch?  Or is there
> a more recent version that can be used with Guacamole and Debian Stretch
> that will provide support for Display Update?
>
>
This is not the FreeRDP mailing list, and, while Guacamole uses FreeRDP,
this is not the place to find support for it.  Please try the FreeRDP
support resources - mailing lists, forums, etc. - as listed on their site:
http://freerdp.net/.

-Nick


Re: Debian Stretch and FreeRDP ca1cec6

2018-06-26 Thread Nick Couchman
Currently versions 1.0, and 1.1, and 1.2 (not released, but available with
git) will work for Guacamole.  Version 2.0 support is underway, but it is a
non-trivial effort and is not slated for the upcoming 1.0.0 release, so
it's not getting a lot of attention at the moment.

On Tue, Jun 26, 2018 at 3:16 PM Rocky Borrego 
wrote:

> Nick, you are right.  Please allow me to rephrase the question.
>
> Which version of FreeRDP is compatible and supported by Guacamole 0.9.14
> that will provide support for Display Update within a Guacamole RDP
> connection?
>
> Rocky
>
>
> On Tue, Jun 26, 2018 at 11:39 AM Nick Couchman  wrote:
>
>>
>>
>> On Tue, Jun 26, 2018 at 9:44 AM Rocky Borrego 
>> wrote:
>>
>>> Hi!
>>>
>>> Last year I was able to get RDP working with Display Update.  I got it
>>> working by building FreeRDP ca1cec6 on Debian Jessie following the
>>> instruction in the FreeRDP wiki
>>> <https://github.com/FreeRDP/FreeRDP/wiki/Compilation>.
>>>
>>> We are now upgrading to Debian Stretch and tried the same process but am
>>> getting the following build error:
>>> CMake Error at channels/client/CMakeLists.txt:27 (list):
>>>   list sub-command REMOVE_DUPLICATES requires list to be present.
>>>
>>> Is there workaround for getting ca1cec6 to build on Stretch?  Or is
>>> there a more recent version that can be used with Guacamole and Debian
>>> Stretch that will provide support for Display Update?
>>>
>>>
>> This is not the FreeRDP mailing list, and, while Guacamole uses FreeRDP,
>> this is not the place to find support for it.  Please try the FreeRDP
>> support resources - mailing lists, forums, etc. - as listed on their site:
>> http://freerdp.net/.
>>
>> -Nick
>>
>


Re: MS SQL Cluster

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 11:04 AM JARRETT, Martyn (MEDWAY NHS FOUNDATION
TRUST)  wrote:

> Have setup a new Guacamole 0.9.14 server with MS SQL authentication,
> however it fails to connect to our SQL cluster instance.
> ServerName\InstanceName. How would I set the instance name in the config as
> it refuses to read any back slashes?
>
>
>
> Thanks in advance.
>
>
Where are you putting this information?  In the host field or the database
name field?

You might check out Microsoft's site on their JDBC driver (assuming you're
using the MS JDBC driver):
https://docs.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-url?view=sql-server-2017

Looks like you can use braces to escape special characters, so I would try
the following things:
ServerName{\}InstanceName
ServerName\\InstanceName

The double-backslash may work, or you can try as Microsoft is suggesting
with the braces around the slash.  If you can't get anything to work you
might open up a JIRA issue on this - we may need to add a property to the
SQL Server module configuration to account for instance names.

-Nick


Re: Debian Stretch and FreeRDP ca1cec6

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 11:23 AM Rocky Borrego 
wrote:

> I just built Guacamole server with FreeRDP 1.1 and "Display Update" does
> not work.  How can I get "Display Update" to work?
>

What do you mean by "Display Update"?

-Nick


Re: Debian Stretch and FreeRDP ca1cec6

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 12:39 PM Rocky Borrego 
wrote:

> Windows Server 2016.
>
>
>>
Based on some digging, it looks like this will only work with an unreleased
version of FreeRDP:

https://jira.glyptodon.org/browse/GUAC-865

According to that thread, the commit that fixes this in the FreeRDP API is
actually later than the 1.2.0 beta release (never actually got released).
From what I can see in the FreeRDP github repo, that commit is in the
master branch along with several of the 2.0.0 branches, so it probably will
work once Guacamole can compile against FreeRDP 2.0.0 (not a trivial
exercise).  There's a JIRA issue already open for that effort:

https://issues.apache.org/jira/browse/GUACAMOLE-249

-Nick


Re: Debian Stretch and FreeRDP ca1cec6

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 12:14 PM Rocky Borrego 
wrote:

> [image: Screen Shot 2018-06-27 at 11.12.32 AM.png]
>

What version of Windows are you connecting to?


Re: Segfault with guacamole 0.9.14

2018-06-27 Thread Nick Couchman
>
> What version of the libvncserver/libvncclient are you building against?
>
> # dpkg -l | grep vncclient
> ii libvncclient1:amd64 0.9.11+dfsg-1+deb9u1 amd64 API to write one's own
> VNC server - client library
>

Hmmm, I can't remember if there are any version-specific issues with that
version of libvncclient, but I'd expect the segfault message to happen in
libvncclient not the Guacamole library, if that were the case.


> Any special configuration for VNC?
>
> for the client, this is nothing special
>
> Are you trying to use encryption?
>
> No encryption
>
> no password, through reverse ssh with ssh-key without passphrase
>
> Jun 27 16:10:34 pulsemaster kernel: [717204.421339] guacd[28944]: segfault at 10 ip 7f9ead26c692 sp 7f9eaec7ad10 error 4 in libguac-client-vnc.so.0.0.0[7f9ead264000+13000]
>
At this point I'd probably need a core dump or gdb stack trace to track
down the issue.

You can see if any of the following issues match the scenario you're
running into:
https://issues.apache.org/jira/browse/GUACAMOLE-424
https://issues.apache.org/jira/browse/GUACAMOLE-428

Those issues are related - one deals with VNC password issues, but it looks
like the fix takes care of at least a couple of scenarios.  It looks like
that's not fixed in the 0.9.14 code but will be in the 1.0.0 code, so you
could try building guacd from the git repo, either the master branch or the
staging/1.0.0 branch.

-Nick
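
Before a core dump or gdb trace is available, the kernel segfault lines quoted in this thread already say where in the library the crash happens. The following is an added example, not part of the original thread and not Guacamole code: it parses those lines, subtracts the mapping base from the instruction pointer to get an offset inside `libguac-client-vnc.so`, decodes the x86 page-fault error code, and groups crashes by site. The function names are made up for illustration, and the offset is only meaningful for symbol lookup if the reported mapping starts at file offset 0.

```python
import re
from collections import Counter

# Two of the kernel log lines quoted in this thread, re-joined onto single lines.
SAMPLE_LOG = """\
Jun 27 14:48:28 pulsemaster kernel: [712278.556955] guacd[25572]: segfault at 10 ip 7f9eaea6f692 sp 7f9ead477d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
Jun 27 16:10:34 pulsemaster kernel: [717204.421339] guacd[28944]: segfault at 10 ip 7f9ead26c692 sp 7f9eaec7ad10 error 4 in libguac-client-vnc.so.0.0.0[7f9ead264000+13000]
"""

# All numeric fields in the kernel message are hexadecimal except the PID.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "page": "protection violation" if code & 0x1 else "not present",
        "access": "write" if code & 0x2 else "read",
        "mode": "user" if code & 0x4 else "kernel",
        "instruction_fetch": bool(code & 0x10),
    }


def parse_segfault(line):
    """Return a dict describing one kernel segfault line, or None if no match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    record = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        "error": decode_error(int(m["err"], 16)),
        "module": m["module"],
        "offset": None,
    }
    if m["module"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        offset = record["ip"] - base
        # Only trust the offset if the ip really lies inside the mapping.
        if 0 <= offset < size:
            record["offset"] = offset
    # Heuristic: a fault address inside the first page usually means a NULL
    # pointer plus a small structure-member offset.
    record["near_null"] = record["fault_addr"] < 0x1000
    return record


def summarize(log_text):
    """Count crashes per (module, offset) so repeated faults collapse to one site."""
    sites = Counter()
    for line in log_text.splitlines():
        record = parse_segfault(line)
        if record and record["offset"] is not None:
            sites[(record["module"], hex(record["offset"]))] += 1
    return sites


if __name__ == "__main__":
    for (module, offset), count in summarize(SAMPLE_LOG).items():
        print(f"{count} crash(es) in {module} at offset {offset}")
```

With the debug-symbol package for the library installed, the resulting offset can be passed to `addr2line -f -e <path to libguac-client-vnc.so> <offset>` to name the function involved.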


Re: Segfault with guacamole 0.9.14

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 10:01 AM Nicolas Lécureuil <
nicolas.lecure...@siveo.net> wrote:

> Hi,
>
> I rebuilt guacd 0.9.14 (using my own build debs)
>
> # dpkg -l | grep guac
> ii  guacamole                         0.9.14-4  all    HTML5 web application for accessing remote desktops
> ii  guacamole-auth-mysql              0.9.14-1  all    Guacamole Mysql Identification
> ii  guacd                             0.9.14-1  amd64  HTML5 web application for accessing remote desktops (proxy daemon)
> ii  guacd-dbgsym                      0.9.14-1  amd64  Debug symbols for guacd
> ii  libguac-client-rdp0:amd64         0.9.14-1  amd64  HTML5 web application for accessing remote desktops (RDP support)
> ii  libguac-client-rdp0-dbgsym:amd64  0.9.14-1  amd64  Debug symbols for libguac-client-rdp0
> ii  libguac-client-ssh0:amd64         0.9.14-1  amd64  HTML5 web application for accessing remote desktops (SSH support)
> ii  libguac-client-ssh0-dbgsym:amd64  0.9.14-1  amd64  Debug symbols for libguac-client-ssh0
> ii  libguac-client-vnc0:amd64         0.9.14-1  amd64  HTML5 web application for accessing remote desktops (VNC support)
> ii  libguac-client-vnc0-dbgsym:amd64  0.9.14-1  amd64  Debug symbols for libguac-client-vnc0
> ii  libguac-dev:amd64                 0.9.14-1  amd64  Guacamole proxy daemon (core library headers)
> ii  libguac11:amd64                   0.9.14-1  amd64  HTML5 web application for accessing remote desktops (library)
> ii  libguac11-dbgsym:amd64            0.9.14-1  amd64  Debug symbols for libguac11
>
>
What version of the libvncserver/libvncclient are you building against?

>
> Each time I use the vnc plugin I can see a segfault in the logs.
>
> Jun 27 14:48:28 pulsemaster kernel: [712278.556955] guacd[25572]: segfault at 10 ip 7f9eaea6f692 sp 7f9ead477d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:49:35 pulsemaster kernel: [712345.817333] guacd[25612]: segfault at 10 ip 7f9eaea6f692 sp 7f9eadc78d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:50:41 pulsemaster kernel: [712412.051393] guacd[25655]: segfault at 10 ip 7f9eaea6f692 sp 7f9eacc76d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:51:47 pulsemaster kernel: [712477.883688] guacd[25700]: segfault at 10 ip 7f9eaea6f692 sp 7f9ead477d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:52:54 pulsemaster kernel: [712544.755122] guacd[25746]: segfault at 10 ip 7f9eaea6f692 sp 7f9eadc78d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:54:03 pulsemaster kernel: [712613.432083] guacd[25794]: segfault at 10 ip 7f9eaea6f692 sp 7f9eacc76d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:55:08 pulsemaster kernel: [712678.871467] guacd[25836]: segfault at 10 ip 7f9eaea6f692 sp 7f9ead477d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:55:29 pulsemaster kernel: [712699.432836] guacd[25883]: segfault at 10 ip 7f9eaea6f692 sp 7f9eadc78d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:57:39 pulsemaster kernel: [712829.633618] guacd[26029]: segfault at 10 ip 7f9eaea6f692 sp 7f9eacc76d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:58:35 pulsemaster kernel: [712885.994620] guacd[26072]: segfault at 10 ip 7f9eaea6f692 sp 7f9ead477d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
> Jun 27 14:59:20 pulsemaster kernel: [712931.152907] guacd[26119]: segfault at 10 ip 7f9eaea6f692 sp 7f9eadc78d10 error 4 in libguac-client-vnc.so.0.0.0[7f9eaea67000+13000]
>
> I use a debian stretch.
> The vnc server is installed on a windows 10 ( TightVNC )
>
Any special configuration for VNC?  Are you trying to use encryption?
Anything else different about your VNC server configuration?  Have you
tried against other VNC servers on other targets?

-Nick


Re: Keyboard Lock, direct keyboard access

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 18:21 uxes  wrote:

> As a first thing that I can think of is classic scenario when I'm used to
> shortcut `Ctrl + w` in terminal, which delete last word before my cursor,
> in
> any browser this shortcut means `close actual tab`, which is impossible to
> prevent. Feature Keyboard Lock is solution.


Makes sense.


>
> Next thing could be all sort of shortcuts like you said "Ctrl-Alt-Del" and
> "Alt + F4", I'm going to try them on some Windows as soon as I get some in
> my
> hands in following days.
>

As I mentioned before, even with Keyboard Lock I imagine some of these will
not be intercepted.  CAD is a particularly special one that will almost
certainly be intercepted by the O/S, at least in Windows-based browsers.  I
have not looked at the full specification, but I suspect there will always
be some exceptions, as there should be.


-Nick


Re: Keyboard Lock, direct keyboard access

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 18:06 uxes  wrote:

> Hello,
> I'm wondering if you guys are going to implement full access to keyboard
> which is going to be ready in following chrome ( Chrome for desktop release
> 68   ) that can be
> useful in case of controlling some RDP.
>
> https://w3c.github.io/keyboard-lock/
>

Interesting.  Do you have specific things you're thinking this would be
useful for?  It seems like a lot of the key combos may still be intercepted
by the O/S (e.g. Ctrl-Alt-Del), but I'm curious if there are keys you're
thinking might be useful here?

-Nick


Re: Keyboard Lock, direct keyboard access

2018-06-27 Thread Nick Couchman
On Wed, Jun 27, 2018 at 18:37 ivanmarcus  wrote:

> FWIW I've had several users wanting alt-tab and alt-q (the latter was a
> specific shortcut for a prog that we were able to change to ctrl-q which
> worked).
>
>
Yeah, I can see the value there.


> Emulating RD as much as possible would be good, IIRC the main thing that
> doesn't work there is just ctrl-alt-del (for which there's a different
> method).
>
>
We recently added Ctrl-Alt-End support to Guacamole for emulating CAD in
remote sessions, which matches behavior of other RDP clients.

-Nick


Re: Cannot access Users setting page

2018-06-22 Thread Nick Couchman
On Fri, Jun 22, 2018 at 15:42 johnseekins  wrote:

> After a re-install of 0.9.14 (to address some problems with the way our
> system was set up) we currently see the following error every time we try
> to
> access the Users setting page:
>
> Jun 22, 2018 3:36:31 PM com.sun.jersey.spi.container.ContainerResponse
> mapMappableContainerException
> SEVERE: The RuntimeException could not be mapped to a response, re-throwing
> to the HTTP container
> org.apache.ibatis.exceptions.PersistenceException:
> ### Error querying database.  Cause: java.lang.IllegalArgumentException: No
> enum constant
> org.apache.guacamole.net.auth.permission.SystemPermission.Type.


This type of error usually indicates a mismatch between guacamole
components - that is, you have version 0.9.13-incubating of guacamole.war
and 0.9.14 of the JDBC extension, or something similar.  Please verify that
your components are all exactly the same version and from the same source -
if you compiled the JDBC module from the git repo, also use that
guacamole.war version.  If you downloaded a version from the web site,
make sure all of the components are from that same version from the site.

Also try restarting Tomcat to make sure everything is loaded from scratch.

-Nick


Re: 9.14: SSH Handshake failed (extremeswitches)

2018-06-23 Thread Nick Couchman
On Fri, Jun 22, 2018 at 11:53 PM cchance  wrote:

> i switched to the guacamole/guacd docker container and still have the same
> issue, it seems the issue is DSA, some of my switches have a different
> version that supports RSA and that logs in right away but DSA doesn't seem
> to work when the switch has a DSA key on the server side, it doesn't appear
> to work and gives a handshake failed.
>
>
>
The Docker image currently published (0.9.14) still uses an older version
of libssh2 from CentOS7.  Version 1.0.0, when it is released, switches to
Debian stable as its base, and will have an updated libssh2.  You can build
the Docker image from the current git repo and get this Debian-based image,
but you'll have to build manually.

From my earlier response I speculated about DSS vs. DSA - I'm not an expert
on SSH or Cryptography, but some further reading indicates that DSA is an
implementation of DSS, so the later versions of libssh2 *probably* will
support your Extreme switches.  However, again, you need to make sure
you're actually using that later version, and the 0.9.14 Docker image
available in Docker hub will not have that.

-Nick


Re: How to Troubleshoot loading Extensions? eg Duo

2018-06-21 Thread Nick Couchman
On Wed, Jun 20, 2018 at 5:10 PM kintaroju  wrote:

> Hi,
>
> I recently got my Guacamole install working with 0.9.13-incubating, and the
> only issue I have at the moment is to get the Duo extension to load. I've
> checked the /var/log/messages, and the tomcat logs but unfortunately i came
> up empty handed.
>
>
How are you installing the extension?  When you say you've just got it
running, are you using other extensions (JDBC, for example), or just the
built-in XML file authentication?

The Tomcat logs are definitely what you want.  Depending on how you're
running Tomcat (installed via package, or direct download), those logs may
be located in one of several different places, or integrated into Syslog.
I tend to not use the package install in CentOS because it's pretty old - I
usually download and extract it to a different location and just run it
from there.  However, you want to be looking at the "catalina.out" file, or
whatever the equivalent is for how logging is configured for your
particular Tomcat instance.

When you say you've come up empty handed, what do you mean?  Do you see any
of the messages about the load process?  Or none at all?

Once you determine where the correct logs are you can put Guacamole Client
into Debug mode.  This is covered in the Configuring Guacamole chapter:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

That should give you some more verbose logging and help you track down the
issue.

One other note - make sure the components are the same version.  If you've
just got 0.9.13-incubating running, then make sure your Duo extension is
also 0.9.13-incubating.

-Nick


Re: How to Troubleshoot loading Extensions? eg Duo

2018-06-26 Thread Nick Couchman
On Mon, Jun 25, 2018 at 8:57 PM kintaroju  wrote:

> Hi,
>
> i did make sure it is the duo extension that is based on 0.9.13, and placed
> the extension in multiple locations:
>
> /var/lib/guacamole/extensions
> /etc/guacamole/extensions
>
> Also the way i installed it was from this project:
>
> https://sourceforge.net/projects/guacamoleinstallscript/
>
> Unfortunately it didn't pickup duo extension for some strange reason.


This script is not officially associated with nor maintained by the
Guacamole project.  That's probably why it didn't pick up the Duo module,
but it's hard to say.


> Also
> when i created the logback.xml in /etc/guacamole or /var/lib/guacamole
> nothing happened on the console when i restarted the guacd service. The
> default logback file i used was part of that doc link you sent:
>
>
In version 0.9.13-incubating, the default GUACAMOLE_HOME directory is the
.guacamole folder inside the home directory of the user running Tomcat.  I
doubt that's /var/lib/guacamole, so you might need to track that down and
create the .guacamole folder, and place that file there.  This behavior
changed in 0.9.14, where it looks for several locations, including
/etc/guacamole in addition to the one mentioned above.

-Nick


Re: Debug Logs

2018-06-26 Thread Nick Couchman
On Tue, Jun 26, 2018 at 6:35 AM yashp  wrote:

> Hi,
>
> I am trying to study some behaviour in 0.9.14 and installed it from scratch
> according to the tutorial on the website and am using tomcat.
>
> I modified the logback.xml as root level="debug" and ref="GUAC-DEBUG".
> I ran guacd using the command *guacd -L debug*
>
>
Which logback.xml file?  Where did you place it?


> I am unable to view the verbose debug logs in Catalina.out.
>
> Where can I view the logs?
>
>
This depends on your installation of Tomcat.  In some distributions Tomcat
messages are forwarded to Syslog and are available in the same place as
other logs (/var/log/messages or journalctl).

-Nick


Re: Direct login to Windows from Gucamole web

2018-07-02 Thread Nick Couchman
On Mon, Jul 2, 2018 at 11:07 AM Kallen Petr  wrote:

> May I ask here for help on how to configure direct login to Windows from
> the Guacamole web page?
>
>
> What I need…
> I have a Windows terminal server with IP 10.10.10.11. On this system I
> have two users (username1 and username2).
> I need to log in directly to the terminal server when I fill in the username
> and password on the Guacamole login page.
>
> Authentication must be fully directed by the Windows system.
> We do not use Active Directory.
>
> Is it possible?
>
>
Yes, I believe what you're looking for is tokens:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

The ${GUAC_USERNAME} token will be replaced with the username of the
currently logged-in Guacamole user; ${GUAC_PASSWORD} will be replaced with
the user's password.  The most common use-case for this is when using LDAP
authentication in Guacamole where it is pointed at Active Directory, so
your Guacamole username/password will be identical to your Windows
username/password.

-Nick


Re: NLA issue with Unicode usernames

2018-07-02 Thread Nick Couchman
On Mon, Jul 2, 2018 at 3:51 PM Aleksander Andrijenko 
wrote:

> Hi,
>
>
>
> Is there any fix for the Jira reported issue in 2017:
>
>
>
> https://issues.apache.org/jira/browse/GUACAMOLE-413
>
>
>
> Russian usernames are failing NLA authentication in Guacamole 0.9.14 with
> MySQL.
>
>
>

None that I know of.  The JIRA issue is still open, which is a pretty good
indication that it has not been resolved, yet.

-Nick


Re: can guacamole record the commands used by the remote users for linux ?

2018-06-30 Thread Nick Couchman
On Mon, Jun 25, 2018 at 1:16 AM Oliver.Zhan 
wrote:

> can guacamole record the commands used by the remote users for linux ?
>
>
>
> like this :
>
> 1  exit     admin  centos-10.65.128.6  sysadmin  2018-06-19 18:05:42
> 2  sftp     admin  centos-10.65.128.6  sysadmin  2018-06-19 18:05:25
> 3  sudo -i  admin  centos-10.65.128.6  sysadmin  2018-06-19 18:04:09
>
>
>


Guacamole can be configured to record the sessions, both graphically (for
RDP and VNC), and text-based (for Telnet and SSH), such that a history
could be retrieved.  Graphical sessions can also be run through the guaclog
binary, which can provide you with a log of mouse movements and
keystrokes.  However, there is no utility available today in the Guacamole
source code that would give you the output that you have above - you would
need to write your own utility to parse the recordings and then generate
the list from above.  It would be slightly challenging to do this in a
reliable way - you'd have to figure out how to determine when the user
enters a command (presses return, for example), and how to determine when
that particular keystroke is actually the execution of a command versus
responding to a prompt, etc.

I'll point out that, while Guacamole certainly has some components that
would give you the ability to make this happen, that's not its primary
role, and you'd probably be better off implementing something at the O/S
level to tell you this and using that information rather than trying to get
Guacamole to do this for you.  For example, the auditd framework available
in most Linux distributions can detect and log execution events.  Usually
that's done via syslog, so you can take that log output and send it to a
file, or to a central syslog server, or perhaps even an ELK stack, and get
the sort of succinct graphical representation you're looking for.

-Nick
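
An added example, not from the thread or the Guacamole project: a Python sketch of the auditd approach described above, pairing SYSCALL and EXECVE records from a constructed audit.log sample into a command history like the one requested. The rule key exec_log, the sample records and all function names are assumptions.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log, as an execve rule such as
#   -a always,exit -F arch=b64 -S execve -k exec_log
# would produce it. The ids, hosts and paths are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1529431440.010:4207): pid=2099 uid=0 auid=1000 ses=12 msg='op=PAM:session_open acct="admin" res=success'
type=SYSCALL msg=audit(1529431449.101:4211): arch=c000003e syscall=59 success=yes exit=0 pid=2133 auid=1000 uid=1000 tty=pts0 ses=12 exe="/usr/bin/sudo" key="exec_log"
type=EXECVE msg=audit(1529431449.101:4211): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1529431525.400:4230): arch=c000003e syscall=59 success=yes exit=0 pid=2170 auid=1000 uid=1000 tty=pts0 ses=12 exe="/usr/bin/sftp" key="exec_log"
type=EXECVE msg=audit(1529431525.400:4230): argc=2 a0="sftp" a1="backup.example.com"
type=SYSCALL msg=audit(1529431542.733:4236): arch=c000003e syscall=59 success=yes exit=0 pid=2181 auid=1000 uid=0 tty=pts0 ses=12 exe="/usr/bin/cat" key="exec_log"
type=EXECVE msg=audit(1529431542.733:4236): argc=2 a0="cat" a1=2F746D702F6D79206E6F7465732E747874
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(raw):
    """Audit quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # e.g. "(null)": keep it as logged


def parse_exec_events(log_text):
    """Group records by event id and return one row per execve() event."""
    events = {}  # (epoch seconds, serial) -> {record type: fields}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, secs, serial, body = m.groups()
        events.setdefault((int(secs), int(serial)), {})[rtype] = dict(FIELD.findall(body))
    rows = []
    for (secs, _serial), recs in sorted(events.items()):
        syscall, execve = recs.get("SYSCALL"), recs.get("EXECVE")
        if not syscall or not execve:
            continue  # not an exec event, or half of the event was lost
        argc = int(execve.get("argc", "0"))
        # Very long arguments that audit splits into a1[0], a1[1], ... are not handled.
        argv = [decode_arg(execve[f"a{i}"]) for i in range(argc) if f"a{i}" in execve]
        rows.append({
            "time": datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "auid": syscall.get("auid", "?"),  # login uid, unchanged by sudo/su
            "uid": syscall.get("uid", "?"),    # uid the command actually ran as
            "tty": syscall.get("tty", "?"),
            "command": shlex.join(argv),
        })
    return rows


def format_table(rows):
    """Render the rows as a plain-text table, one command per line."""
    lines = [f"{'#':<3}{'time (UTC)':<21}{'auid':<6}{'uid':<6}{'tty':<6}command"]
    for n, r in enumerate(rows, 1):
        lines.append(f"{n:<3}{r['time']:<21}{r['auid']:<6}{r['uid']:<6}{r['tty']:<6}{r['command']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_exec_events(SAMPLE_AUDIT_LOG)))
```

Shell builtins such as exit never call execve, so they do not show up in this history. The auid field stays tied to the login user after sudo, which is why the last row shows uid 0 with auid 1000.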


Re: Direct login to Windows from Gucamole web

2018-07-03 Thread Nick Couchman
On Tue, Jul 3, 2018 at 6:17 AM Kallen Petr  wrote:

> Hi Nick and thanks for your answer.
> May I ask for an example of how to call it from my direct URL?
>
>
I'm not sure what you mean by your direct URL?  Those tokens are put into
the configuration when you create a connection - you would put in
${GUAC_USERNAME} in the username field and ${GUAC_PASSWORD} in the password
field in the connection configuration, and the values are automatically
substituted in.

-Nick


Re: Accessing webServer page using Guacamole

2018-07-03 Thread Nick Couchman
On Tue, Jul 3, 2018 at 2:02 AM ivanmarcus  wrote:

> Perhaps I'm missing your point but "Apache Guacamole is a clientless
> remote desktop gateway", it's not a browser.
>
>
>
Yes, if this is what you're trying to do:

https://issues.apache.org/jira/browse/GUACAMOLE-57

Then, no, Guacamole does not do that.  It is not designed to be a generic
proxy or SSL VPN for any/all connections, it is a remote desktop
client/proxy.

-Nick


Re: tree support in user-mapping.xml

2018-04-29 Thread Nick Couchman
On Sun, Apr 29, 2018 at 3:10 PM, Joachim Lindenberg 
wrote:

> Hello,
>
> I do have my extension for Hyper-V, that does authentication and
> authorizations for my Hyper-V guests. However I also would like to include
> some of my infrastructure (SSH, VNC, etc.) into the solution – and
> preferably not as a flat list but with some hierarchy. I do understand that
> I can run a database and insert all information, likely in parallel to my
> own extension. However I think that's overkill (with one user, and system
> load and backup is an issue) and would prefer if the user-mapping.xml
> could be extended to support a (simple, i.e. one level totally fine) tree
> structure.
>
>
>
No, the basic file authentication (user-mapping.xml) extension does not
support any organization to the connections.  The JDBC module is actually
the only module that does - all of the other modules that support
connections (LDAP, upcoming QuickConnect, and Basic File Authentication)
simply put the connections in a single, flat root group with no ability to
organize them.  If you need this functionality, you need to use the JDBC
module - it's worth the very slight overhead and additional 10 minutes of
work to get it set up.

-Nick


Re: VPAT for Guacamole

2018-05-01 Thread Nick Couchman
On Tue, May 1, 2018 at 12:46 PM, jhaber  wrote:

> Do you know if Guacamole has a VPAT for Section 508 compliance for a
> government procurement?
>
>
I don't know of one, unless ASF has a boilerplate one or Mike has one
stashed somewhere...

-Nick


Re: tree support in user-mapping.xml

2018-04-29 Thread Nick Couchman
On Sun, Apr 29, 2018 at 15:52 Joachim Lindenberg 
wrote:

> Hi Nick,
>
> I totally disagree. The delta is not just time, but the need of a full
> blown database that I need to operate with plenty of cpu, memory, and disk
> usage.
>

I understand your point, but the Guacamole JDBC schema is very small, and
it should be possible to tune parameters on MySQL/MariaDB/PostgreSQL such
that it uses minimal system resources.  Furthermore, depending on how many
connections your environment grows to, the indexing within the database
could make locating and loading those records less resource-intensive than
reading serially through an XML file.  If your environment isn't
that large, then I fail to see why you need the organization/tree structure
anyway??

Both out of curiosity and in order to try to see where you're coming from,
what kind of environment are you operating in that requires you be so
conservative with resources that you can't afford a small MySQL/MariaDB
instance?

-Nick


Re: AW: tree support in user-mapping.xml

2018-04-29 Thread Nick Couchman
On Sun, Apr 29, 2018 at 16:13 Paulo Gonçalves  wrote:

> I agree with you about the resources usage just for that.
>
> Maybe you can try to use a H2 database with MySQL Compatibility Mode (I
> don't know if it works, never tried it).
>

I did start working on a SQLite module for the JDBC extension -
unfortunately I ran into a bug with the JDBC SQLite driver that is impeding
progress on that front.  I avoided H2 for some reason - maybe I'll revisit
that.


Re: How to configure Guacamole for use with LDAP

2018-04-29 Thread Nick Couchman
2018-04-29 17:08 GMT-04:00 rvarela :

> I have followed the steps in the manual (chapter 7) on the Apache
> Guacamole website, and now I can log in to Guacamole with an Active
> Directory user, but what I don't know is how to assign it machines that
> it can connect to...
>
> With normal users, in the user-mapping file we specify the user and
> configure the machines it will have access to, whether by RDP, VNC or
> SSH, but for the Active Directory user I don't know how this is done...
> because I log in and, of course, it has no machine it can connect to.
>
> Can anyone clarify this for me?
>
> Many thanks.
>
>
You need to either create the connections in Active Directory, by extending
the LDAP schema, creating the connection objects, and then assigning the
proper LDAP group memberships.  The schema changes and information are here:


Or, you can use the JDBC module and create the connections there, and the
matching user accounts and assign permissions that way.  This is covered in
this section:

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database


Re: how to upgrade guacamole server from 0.9.13 to 0.9.14?

2018-07-03 Thread Nick Couchman
On Tue, Jul 3, 2018 at 9:21 PM Oliver.Zhan 
wrote:

> I used guacamole server version is 0.9.13, but the ssh connection always
> occurred error:
>
> guacd11608 : INFO: SSH
> connection successful.
> guacd: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t)
> 0)' failed.
> guacd11604 : INFO:
> Connection "$fe2119fe-2a3f-470e-9985-46f56e5b32c0" removed.
>
>
>
> I want to upgrade from 0.9.13 to 0.9.14, how to upgrade?  Please help me.
> Thks!
>
>
>

Depending on how you installed 0.9.13, it should be similar to the install
process.  For guacd (guacamole-server) you'll need to build the new version
of the server and install it, making sure that you either replace the old
version completely or make sure that you start up the new version if you
install to a new location.

For guacamole-client, you can either download the pre-built binaries (WAR
for the main client deployment and JAR files for the authentication
extensions) and deploy those over the existing ones.  If you're using the
JDBC authentication modules you will also need to bring your database
schema up-to-date with one of the schema upgrade files.

You can find all of these instructions in the following pages:

http://guacamole.apache.org/doc/gug/installing-guacamole.html (Main
installation page)
http://guacamole.apache.org/doc/gug/jdbc-auth.html (JDBC authentication,
includes upgrade notes throughout the page)

-Nick


Re: guacamole admin utility

2017-12-31 Thread Nick Couchman
On Sun, Dec 31, 2017 at 10:05 AM, Nick Couchman <vn...@apache.org> wrote:

> On Sun, Dec 31, 2017 at 5:24 AM, Michael Niehren <mich...@niehren.de>
> wrote:
>
>> Hi Nick,
>>
>> my intention was to administrate guacamole without using the client
>> interface. With a console utility you can do much more things like
>> - monitoring the usage in realtime (Nagios)
>> - automatically kill a session running longer than x minutes ...
>> - showing the current logins in another application
>> - ...
>>
>
> As a lifelong proponent of using the command line over GUIs whenever
> possible, I definitely understand the desire to have a utility that would
> allow this.  A couple of things I would point out in this regard:
> - You still probably want to do this on the Guacamole Client side, not on
> the guacd side.  guacd does not keep track of Guacamole Client usernames -
> the sessions are tracked by UUID - so you'd have to interface with the
> client, anyway, or try to determine which UUID to manipulate based on the
> parameters of the connection, which seems sketchy at best.
> - Doing this on the client side ought to be pretty straight-forward,
> though, because you can make use of the wonderful REST API that the web
> interface already uses.  Everything that is done on the Guacamole Client
> web UI, with the exception of the tunnel itself, is handled via REST API
> calls that return JSON-formatted data.  So, it should be pretty
> easy/straightforward to create a command line utility, written in C,
> Python, Java, NodeJS, or even just using bash + curl, to login to the API
> and get the TOKEN, and then perform whatever administrative tasks you want
> to do, which would be pretty much anything you can do on the web side,
> including the things you mentioned above, but also things like user
> management, connection management, permissions, etc.
>
> I do really like the idea of creating a command-line utility to go along
> with the Guacamole Client package - maybe some of the other developers
> could weigh in on whether they think this would be something worth rolling
> into the overall Guacamole Client package, at which point we could create a
> JIRA issue to track the request.  If you're at all familiar with REST APIs
> and programming languages, you could start implementing one on your own :-).
>
> -Nick
>


Here's a quick/simple example of a Python-based utility that logs in to
Guacamole, gets active connections, and logs out:

https://pastebin.com/6LdWCwdm

-Nick
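
An added example, not the utility linked above and not Guacamole project code: a Python sketch of the log in, list active connections, log out flow, shaped as a Nagios-style check for sessions older than a threshold. The /api/tokens and /api/session/data/<dataSource>/activeConnections paths, the authToken, dataSource and startDate (epoch milliseconds) fields, and the FakeServer replies are assumptions to verify against your own deployment.

```python
import json
import time
import urllib.parse
import urllib.request


def http_send(method, url, form=None):
    """Real transport: form-encoded body in, decoded JSON (or None) out."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None


class GuacamoleAdmin:
    """Minimal REST session; endpoint paths and field names are assumptions."""

    def __init__(self, base_url, send=http_send):
        self.base = base_url.rstrip("/")
        self.send = send
        self.token = None
        self.data_source = None

    def login(self, username, password):
        # Credentials travel in the POST body, never in the URL.
        reply = self.send("POST", f"{self.base}/api/tokens",
                          {"username": username, "password": password})
        self.token, self.data_source = reply["authToken"], reply["dataSource"]

    def active_connections(self):
        ds = urllib.parse.quote(self.data_source, safe="")
        query = urllib.parse.urlencode({"token": self.token})
        reply = self.send("GET", f"{self.base}/api/session/data/{ds}/activeConnections?{query}")
        return list((reply or {}).values())

    def logout(self):
        if self.token:
            token = urllib.parse.quote(self.token, safe="")
            self.token = None  # forget the token even if the DELETE fails
            self.send("DELETE", f"{self.base}/api/tokens/{token}")


def check_sessions(admin, username, password, max_minutes, now_ms=None):
    """Return (nagios_exit_code, message): 0 = OK, 1 = WARNING."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    admin.login(username, password)
    try:
        conns = admin.active_connections()
    finally:
        admin.logout()  # always invalidate the token, even on errors
    stale = [c for c in conns if now_ms - c["startDate"] > max_minutes * 60_000]
    if stale:
        who = ", ".join(f"{c['username']}@{c['remoteHost']}" for c in stale)
        return 1, f"WARNING: {len(stale)} of {len(conns)} sessions older than {max_minutes} min: {who}"
    return 0, f"OK: {len(conns)} active sessions, none older than {max_minutes} min"


class FakeServer:
    """Constructed stand-in for a Guacamole server so the example runs offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, form=None):
        self.calls.append((method, url.split("?")[0]))
        if method == "POST":
            return {"authToken": "TOKEN-PLACEHOLDER", "dataSource": "mysql"}
        if method == "GET":
            return {
                "a1": {"identifier": "a1", "username": "user_a",
                       "remoteHost": "192.0.2.10", "startDate": 1_000_000},
                "b2": {"identifier": "b2", "username": "user_b",
                       "remoteHost": "192.0.2.11", "startDate": 9_400_000},
            }
        return None


if __name__ == "__main__":
    admin = GuacamoleAdmin("https://guacamole.example.com/guacamole", send=FakeServer())
    print(check_sessions(admin, "monitor", "placeholder-password", 30, now_ms=10_000_000))
```

In this sketch the token is sent as a query parameter, so it can end up in proxy and Tomcat access logs; logging out in the finally block keeps its lifetime short.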


Re: guacamole admin utility

2017-12-31 Thread Nick Couchman
On Sun, Dec 31, 2017 at 5:24 AM, Michael Niehren  wrote:

> Hi Nick,
>
> my intention was to administrate guacamole without using the client
> interface. With a console utility you can do much more things like
> - monitoring the usage in realtime (Nagios)
> - automatically kill a session running longer than x minutes ...
> - showing the current logins in another application
> - ...
>

As a lifelong proponent of using the command line over GUIs whenever
possible, I definitely understand the desire to have a utility that would
allow this.  A couple of things I would point out in this regard:
- You still probably want to do this on the Guacamole Client side, not on
the guacd side.  guacd does not keep track of Guacamole Client usernames -
the sessions are tracked by UUID - so you'd have to interface with the
client, anyway, or try to determine which UUID to manipulate based on the
parameters of the connection, which seems sketchy at best.
- Doing this on the client side ought to be pretty straight-forward,
though, because you can make use of the wonderful REST API that the web
interface already uses.  Everything that is done on the Guacamole Client
web UI, with the exception of the tunnel itself, is handled via REST API
calls that return JSON-formatted data.  So, it should be pretty
easy/straightforward to create a command line utility, written in C,
Python, Java, NodeJS, or even just using bash + curl, to login to the API
and get the TOKEN, and then perform whatever administrative tasks you want
to do, which would be pretty much anything you can do on the web side,
including the things you mentioned above, but also things like user
management, connection management, permissions, etc.

I do really like the idea of creating a command-line utility to go along
with the Guacamole Client package - maybe some of the other developers
could weigh in on whether they think this would be something worth rolling
into the overall Guacamole Client package, at which point we could create a
JIRA issue to track the request.  If you're at all familiar with REST APIs
and programming languages, you could start implementing one on your own :-).

-Nick


Re: guacamole admin utility

2017-12-31 Thread Nick Couchman
On Sun, Dec 31, 2017 at 9:39 AM, Jonathan Hunter 
wrote:

> Hi Both,
>
> For what it's worth, I would also find this kind of functionality
> extremely helpful.
>
>
Good to know.  Sounds like there are a few folks :-).


> I am not a skilled Java or web developer, but am using Guacamole in
> conjunction with HTTP authentication and an LDAP authentication back-end to
> allow users to connect to VMs. In my use case, one of the VM connections
> has its logon credentials stored in guacamole, such that any user with
> sufficient permission to access this connection will be logged into the VM
> with a specific username/password, as the application being accessed needs
> to be run in a specific way.
>

The good news is that REST APIs are pretty usable even by people who are not
skilled Java/web developers - if you can do a little scripting, you can
write something in Python or JavaScript that will interact with the REST
endpoints and accomplish what you need.  That said, I'm thinking there may
be a larger calling here for a more official CLI tool, but we'll see if the
other developers have any input on that.


>
> But, if user A connects and starts to use the application, and then later
> on user B uses the same connection, this new 'user B' connection will
> disconnect the 'user A' session. So, I would like to make a status page
> available so that people can see if there is an active connection at the
> moment. Given my web coding skills, something like this proposed CLI would
> be much more within my reach, than having to create something in HTML/JS.
> Yes, this information is available in the Guacamole settings screen, but
> that is only available for administrators and isn't obvious for a user who
> is unfamiliar with Guacamole concepts.
>

I would say that, in your scenario, "it depends" on whether this would
actually happen or not.  For example, if your "application" is an SSH
session, then presumably you can have multiple users connect to the same
connection without one disconnecting the other, or being blocked by the
other.  If your "application" is a Windows Terminal Server, again, multiple
users can connect.  If it is a VNC session or a Windows Workstation (VDI)
session, then, yes, either the second user disconnects the first or gets
blocked.


>
> I would also dearly love to be able to use something like nagios or cacti
> to monitor active connections, etc.
>

Using the REST API should make this possible, as well.  I use Cacti to
monitor via SNMP, but Cacti is very extensible and should be able to ingest
data from REST endpoints, and I believe that NAGIOS, Zabbix, etc., also
make provisions for pulling data from REST interfaces.  I definitely see
the desire, here, but I think it's all doable using the REST interface
already provided in the Guacamole Client.

On the monitoring note, though, this does highlight the difference between
the Guacamole Client and guacd, so this does depend on what you're looking
to monitor.  I would venture a guess that most Guacamole users are using
the Guacamole Client on the same system as guacd, and just using it in a
1-to-1 relationship - that is, a single guacd instance for the Guacamole
Client interface.  Guacamole is designed to be scalable, though, such that
you could use multiple guacd back-ends for a single Guacamole Client, or
point multiple Guacamole Clients at a single guacd backend.  So, in more
complex setups, while the REST API provides easy ways to monitor the
Guacamole Client side, there is not much on the guacd side that would allow
for monitoring of the backend.


>
> (Not on this exact same topic.. but if there was a way of having a shared
> connection by default, so that user A and user B could both view the same
> RDP/VNC/etc. display at the same time.. then that would be even better for
> me. But, that is another topic of conversation, I think)
>
>
I believe this is possible, although you might want to start a separate
discussion thread on this and build out a little more what you're trying to
accomplish.  Guacamole does allow for shared connections, such that a user
can connect to one and then someone else can connect in either a R/W or R/O
fashion and view/control the same session.  I just don't know what you mean
when you say "by default" and how that would work out.  But, definitely
something to open on a separate thread.

-Nick


Re: user-mapping.xml errors

2018-01-04 Thread Nick Couchman
On Thu, Jan 4, 2018 at 2:49 PM, timrvt 
wrote:

> I have 0.9.13 installed basic-auth
> I can login to the console but the only thing I see are a recent
> connections
> (nothing) and all connections(nothing)
>
> when I edit user-mapping.xml and add a connection entry ..I then can't login
> to the console as that user (internal error ..reconnecting in 15 secs
> message)
>

Is guacd running on the host where you have the Guacamole Client running?
Or, if on another host, have you configured Guacamole Client to point to
the correct host?

Can you see the connection coming in to guacd?  Is there anything logged on
that side - in syslog (/var/log/messages, journalctl, etc.)?

-Nick


Re: SSH handshake failed: only RSA keys possible?

2017-12-24 Thread Nick Couchman
On Sat, Dec 23, 2017 at 10:41 PM, NTMMFTS  wrote:

> It appears that libssh2 includes the aes256-cbc key exchange method supported
> by pfSense, so I modded the ssh.c code and let it compile during
> installation using hanaciamiento's guacamole install script
> (https://sourceforge.net/projects/guacamoleinstallscript/), but guacamole
> won't load at all afterwards.
>
> Here's the code and where I inserted it in ssh.c in the
> guac_common_ssh_create_session function:
>
>     /* Open SSH session */
>     // existing code
>
>     /* added preferred method for key exchange method supported by pfSense */
>     int returnval = libssh2_session_method_pref(session,
>             LIBSSH2_METHOD_CRYPT_CS, "aes256-cbc");
>     if (returnval != 0) {
>         guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
>                 "Setting session preferred key exchange method to AES256-CBC failed.");
>         free(common_session);
>         close(fd);
>         return NULL;
>     }
>
>     /* Perform handshake */
>     // existing code

First, I don't think this should be necessary to get it working if libssh2
supports that crypt method.  I believe it will use any supported method
without having to set it as a preferred method, no?  That said, setting it
as preferred should not impede the connection, either, so this should be
fine.


>
> Anyone want to comment on this approach or try to get it working?
>

With guacd in debug mode (guacd -L debug), what messages do you see during
the SSH connection?  Also, when you say it "won't load at all with it
afterwards," what does this mean?  It segfaults?  Or guacd runs but the
connection doesn't start?  Or something else?

-Nick


Re: Connection Error if no username and password is provided. [ Disabling Single sign On ] : CRITICAL

2018-01-07 Thread Nick Couchman
On Sun, Jan 7, 2018 at 8:11 AM, Amarjeet Singh  wrote:

> NLA is not enabled. Not related to NLA .
>
> Errors are as follows :-
>
>>
>> Jan  7 08:09:48 localhost guacd[11753]: Created static channel
>> "hyprint"...
>> Jan  7 08:09:48 localhost guacd[11753]: Authentication requested but
>> username or password not given
>>
>>
Okay, but this error indicates that the server is expecting some form of
authentication up-front...which is usually NLA.  Have you explicitly either
disabled NLA or enabled the lower authentication levels for RDP on the
Windows server?

Also, for the Guacamole connection, are you specifying "RDP" for the
encryption type?  Can you post the values for the connection parameters,
minus any sensitive information?

-Nick


Re: Same shared Drive redirected to all users : Privacy and Security breach

2018-01-07 Thread Nick Couchman
On Sun, Jan 7, 2018 at 9:48 AM Amarjeet Singh  wrote:

>  If I don't pass username and password then ${GUAC_USERNAME} fails to
> resolve [ *Scenario : I want users to enter username and password on
> Windows screen* ]. It create directory with it's own name i.e.
> ${GUAC_USERNAME}
>
>
> So, Creating filesystem solved this issue and It created directories of
> users at runtime using "*enable-create-drive*" parameter.
>
> Now, I need to look into the following to achieve quotas per sub-volumes
> or each user's directory. :-
>
> ZFS or btrfs, for example, allow for sub-volumes and quotas per-volume,
>> per-user, and/or per-group
>>
>
>  Using SFTP  is a good idea though but in case I want the user to enter
> *username and password* on the Windows screen then It would fail.
>
> *Can't save username and password on the user-mapping.xml file for
> security purposes.*
>

I would not use the user-mapping.xml file for the size of production
environment that you're using.  First, I'm not certain that the tokens
(${GUAC_USERNAME} and ${GUAC_PASSWORD}) actually work with the simple/basic
file authentication mechanism.  Mike can verify this.  Second, storing
usernames/passwords in user-mapping.xml for 500 users seems like a bad idea.

If you're considering scaling to this level, I suggest using one or more of
the extension modules for authentication - at least the JDBC module, and
perhaps that in combination with something, like LDAP.  If you're using
active directory for the Windows servers you're connecting to this makes a
lot of sense, because the username/password used to log in to Guacamole
will match to the servers you're logging into.  If you're not, it still
might make sense to track users in some sort of database - either JDBC or
LDAP - as this will provide continuity across the environment.

-Nick


Re: Getting error while connecting to Windows 10 [ NLA disabled ]

2018-01-07 Thread Nick Couchman
On Sun, Jan 7, 2018 at 9:38 AM, Amarjeet Singh  wrote:

> It means I will get the Windows [ operating system ] screen with  invalid
> credentials or Guacamole prompt.
>
>
Yes, the version of Guacamole with the fix applied should give the correct
error message if authentication fails, and not give a "Server Unreachable"
message.

-Nick


Re: Same shared Drive redirected to all users : Privacy and Security breach

2018-01-07 Thread Nick Couchman
On Sun, Jan 7, 2018 at 10:09 AM, Amarjeet Singh 
wrote:

> Nick, Requirement is not to save username and password anywhere. It should
> be logged in by the user itself.
>
>
Yes, I understand and agree.


> That is causing issue to create shared drive with username or
> ${GUAC_USERNAME}
>

I don't think so.  The ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens come
from the username and password that the user logs into *Guacamole* with,
not the username/password for the connection.

As an example, if let's say you have Guacamole configured to use LDAP
authentication, and you are storing your connections in JDBC.  Guacamole
LDAP is configured to point to Active Directory, and you have a user,
test_user, and the LDAP/AD password for that user is DoNotCopyMe.  The user
is connecting to a Windows server, via RDP, joined to the same AD domain
where LDAP is configured, server1.  Here's how the flow would work:
- User logs into Guacamole at https://guacamole.example.com/guacamole, with
username test_user and password DoNotCopyMe
- Guacamole, upon successful login, registers ${GUAC_USERNAME} as test_user
and ${GUAC_PASSWORD} as DoNotCopyMe.
- The user starts the connection to server1, which has the username
parameter set to ${GUAC_USERNAME}, the password parameter set to
${GUAC_PASSWORD}, and the Drive Path parameter set to /tmp/${GUAC_USERNAME}.
- The connection automatically logs into the server because the Guacamole
username and password is passed through to the RDP connection through the
tokens.
- The connection maps the /tmp/test_user directory through to the RDP
connection by resolving the username token.


>
> ${GUAC_USERNAME} works if Single sign on is there i.e. username and
> password is provided. it fails if username and password is not there.
>
>
Well, that depends on what you mean by "Single sign on" and "is [not]
there."  The actual username and password do not have to be saved in the
connection in order to be made available; however, the user has to log in
to be logging in to Guacamole.  So, if you're using some sort of anonymous
Guacamole authentication (the deprecated noauth extension, for example),
then the GUAC_USERNAME and GUAC_PASSWORD tokens will not be available.  If
you're using a SSO login method (OpenID, SAML, CAS without ClearPass), then
the GUAC_USERNAME token will be available while the GUAC_PASSWORD token may
or may not, depending on your configuration.  If you're using LDAP or JDBC,
then both the GUAC_USERNAME and GUAC_PASSWORD token should be available.

How are your users authenticating to Guacamole?

-Nick


Re: Disable Automatic Reconnect

2018-01-07 Thread Nick Couchman
On Sat, Jan 6, 2018 at 8:51 PM, Valeriu  wrote:

> The workaround that I found to work was to add two lines of code in the
> client source code, then compile and update the guacamole war file in the
> tomcat directory.
>
> Follow the steps for building the guacamole client from source code as
> stated here
> http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-client
> but before running the "mvn package" command edit the file
> guacamole/src/main/webapp/app/client/controllers/clientController.js in a
> basic text editor.
>
> In the text file, search for the line containing "// Determine whether the
> reconnect countdown applies" and change the next line to be
> "var countdown = null;" to disable the auto-reconnect feature.

I don't recommend doing this, as there are probably situations where it
would be better if the auto-reconnect does actually happen.  Completely
disabling this behavior, across the entire Guacamole install, for all
connections, seems ever so slightly excessive.

With regard to the original post for this issue, there are a couple of
things worth noting:
- If you're using release 0.9.13-incubating or older, there is a bug for
RDP connections that does not correctly take into account why the RDP session
ended.  In certain situations this can cause an automatic reconnect when it
would not normally happen, which may be contributing to the perception that
this feature is not desirable.  I suggest trying either the version in the
current git master release, or waiting until 0.9.14 comes out to see if that
makes the issue any less bothersome.
- There is also a JIRA issue (
https://issues.apache.org/jira/browse/GUACAMOLE-360) that deals with how
Guacamole deals with a single user trying to start the same session from
multiple locations.  This may be of interest, depending on the scenario
being discussed.

-Nick


Re: SEG FAULT ERROR after connecting it gets disconnected

2018-01-10 Thread Nick Couchman
On Wed, Jan 10, 2018 at 04:51 Amarjeet Singh  wrote:

> Hi Team,
>
>
> I am getting the following error  in guacd logs:-
>
>>
>>
>> *Jan 10 04:47:17 localhost kernel: guacd[27423]: segfault at 0 ip
>> 7f114a898036 sp 7f1136305b18 error 4 in libc-2.17.so
>> [7f114a763000+1b8000]*
>> Jan 10 04:47:17 localhost guacd[27416]: Connection
>> "$f3eb6922-faea-46ae-b305-701c29deb2e7" removed.
>> Jan 10 04:47:17 localhost guacd: guacd[27416]: INFO:#011Connection
>> "$f3eb6922-faea-46ae-b305-701c29deb2e7" removed.
>
>
>
> Guacamole Version : 0.9.13 , FreeRDP version : 1.1.0 , Centos 7
>
> It is disconnecting after connecting the RDP session. Please help me to
> resolve the above.
>
> Thanks and Regards,
> Amarjeet Singh
>
Can you run with gdb to get the full stack trace?

-Nick


Re: Do Guacamole RDP supoprts touch screens.

2018-01-17 Thread Nick Couchman
On Wed, Jan 17, 2018 at 1:15 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> Does Guacamole RDP support touch screens as well?
>
> If yes, what configuration is required to make it work?
>
> I have tested on the touch monitor where it was not working.
>
> Can anyone help me out here ?
>
> Thanks in Advance !!
>
> Amarjeet Singh
>
>
As far as I know, there is nothing special you should have to do to allow
Guacamole to work with Touch Screens.  Touch Screens simply provide a way
of inputting mouse events - cursor position update and clicks - into a
system using a screen rather than a mouse.  As long as the client has the
drivers installed for the touch screen and it works on the client device,
that input should translate fine into Guacamole, as it would any other
remote desktop client or web page.

If you're expecting to be able to pass the touch screen through to the
remote system such that you can configure touch screen drivers on the
system you're connecting to, then, no, that will not work; however, this
should not be necessary to allow you to use the touch screen so long as the
client is configured for it.

Perhaps you could provide a little more detail on what you're trying to do,
what works, and what you're having trouble getting working?

-Nick


Re: Disable Automatic Reconnect

2018-01-19 Thread Nick Couchman
On Thu, Jan 18, 2018 at 5:20 PM, Jonathan Hankins <
jhank...@homewood.k12.al.us> wrote:

> Nick,
>
> I've filed a bug report for this:
> https://issues.apache.org/jira/browse/GUACAMOLE-484
>
> -Jonathan Hankins
>
>
Great, thank you.  Maybe we can get this patch applied here in the
near-future.  If Frode doesn't want to put in the PR, I can do it.

-Nick


Re: GUACAMOLE-335 GUACAMOLE_HOME changes

2018-01-19 Thread Nick Couchman
On Fri, Jan 19, 2018 at 2:29 PM,  wrote:

> Hi
>
> for 0.9.14 i see changes to GUACAMOLE_HOME as per GUACAMOLE-335
>
> what happens in the case of an upgrade from .9.13 to .9.14 when,
>
>  .guacamole exists in the tomcat folder , example,
> /usr/share/tomcat7/.guacamole/  .
> which holds /extensions and /lib but where the guacamole.properties file is
> symlinked to /etc/guacamole/guacamole.properties
>
> it seems in this system  the GUACAMOLE_HOME would really be
>  /usr/share/tomcat7/.guacamole/ , but after the upgrade it would assume
> /etc/guacamole , since it exists.
>

My advice would be to make sure that only one of those directories exists
in one of those locations, and remove any symlinks or extra directories
that may add confusion.  If you're going to use /etc/guacamole, use it and
remove the .guacamole directory from the Tomcat user's folder.  If you're
going to use the .guacamole directory from the Tomcat user's folder, remove
/etc/guacamole.  Things should work with symlinks in place, but it will
only serve to add confusion to the configuration.

-Nick


Re: LDAP Guacamole 0.9.14

2018-01-26 Thread Nick Couchman
>
> I've rebooted whole server to make sure all services is restarted.
> Maybe I've wrong installed LDAP extension ? I do not
> I've only copied jars to extension folder:
> /etc/guacamole/extensions
> guacamole-auth-jdbc-mysql-0.9.9.jar
> guacamole-auth-ldap-0.9.9.jar
>
> /etc/guacamole/lib
> mysql-connector-java-5.1.45-bin.jar
>
> What more should I do ?
> My catalina.out file:
> https://pastebin.com/JW2kker7
>
>
>
Okay, now I'm confused.  Are you using version 0.9.9 or version 0.9.14?
They're not generally compatible, so you need to pick one version and stick
with it - I'd recommend 0.9.14.  Make sure the version of the guacamole.war
you're deploying matches the extensions.


>
> Yes, I'm not a programmer and don't know how to specify/store RDP connections
> in MySQL.
> Followed
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
>
> BTW: there is nothing about
> # Auth provider class
> in guacamole.properties file.
>
> What auth-provider: net.sourceforge. should I write? Or is it an obsolete
> line?
>
>
You seem to be using very old versions and documentation.  First, you don't
need to be a programmer - there is a very nice administrative GUI for
managing the JDBC extension that lets you create the connections inside the
database from a Web UI.  Second, the auth-provider property has been gone
from Guacamole for quite some time.

Please make sure you're referencing the most recent documentation (and
using the most recent versions):

http://guacamole.apache.org/doc/gug/

The manual, at that location, has configuration instructions for LDAP and
JDBC, including how to integrate the two.

Regards,
Nick
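
A quick way to spot the mismatch described above, as an added example that is not part of the original message or the Guacamole project: it compares the version in each extension jar's file name with the deployed web application version. The jar names are the ones quoted in this thread; the function names and the naming pattern `guacamole-<name>-<version>.jar` are assumptions of the example.

```python
import re

# Extension jar names quoted in the thread above.
EXTENSIONS = [
    "guacamole-auth-jdbc-mysql-0.9.9.jar",
    "guacamole-auth-ldap-0.9.9.jar",
]

# Assumed naming pattern: guacamole-<name>-<version>[-incubating].jar
JAR_RE = re.compile(
    r"^guacamole-(?P<name>[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)+)(?:-incubating)?\.jar$"
)


def version_key(version):
    """Turn '0.9.14' or '0.9.13-incubating' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def check_extensions(filenames, webapp_version):
    """Return (mismatched, unrecognized) for the given jar file names.

    mismatched holds (extension name, jar version, 'older' or 'newer').
    Versions are compared numerically: as plain strings '0.9.9' would sort
    after '0.9.14', which is the wrong way round.
    """
    wanted = version_key(webapp_version)
    mismatched, unrecognized = [], []
    for filename in filenames:
        match = JAR_RE.match(filename)
        if match is None:
            unrecognized.append(filename)
            continue
        found = version_key(match["ver"])
        if found != wanted:
            direction = "older" if found < wanted else "newer"
            mismatched.append((match["name"], match["ver"], direction))
    return mismatched, unrecognized


if __name__ == "__main__":
    bad, unknown = check_extensions(EXTENSIONS, "0.9.14")
    for name, version, direction in bad:
        print(f"{name}: jar is {version} ({direction} than the web application)")
```
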


Re: VNC

2018-01-17 Thread Nick Couchman
On Wed, Jan 17, 2018 at 4:06 PM, Hawkins, Richard <
richard.hawk...@medctrbarbour.org> wrote:

> I know this has been brought up before.  I have had a Guac server
> running for a long time.   Version 9.10
>
> Now all of a sudden, out of the blue,  it will not connect to VNC
> servers on my clients.
>
> Error Below
>
> Jan 17 14:38:12 gremote kernel: guacd[2713]: segfault at 57d00 ip
> 7f0d445e5ab2 sp 7f0d46fbcbe8 error 4 in
> libvncclient.so.0.0.0[7f0d445db000+1d000]
>
>
Any chance the VNC password changed or is incorrect?   Segfaults have been
noted in a few situations, and at least one of them is when there is an
incorrect or missing VNC password sent to the server.

Otherwise, if you can run GDB on guacd and get the stack trace, that would
be useful in figuring out where exactly it's failing.  If you're not up to
doing that, at least post details of what VNC server you're connecting to,
versions of libvnc, etc.

-Nick


Re: Disable Automatic Reconnect

2018-01-16 Thread Nick Couchman
On Tue, Jan 9, 2018 at 1:32 PM, Jonathan Hankins <
jhank...@homewood.k12.al.us> wrote:

> Nick, can you link the bug report for the RDP reconnect bug in
> 0.9.13-incubating? I originally reported an issue at
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Need-guidance-with-suspected-auto-reconnect-bug-td2118.html
> and then found that Frode Langelo's patch at
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Error-message-when-disconnecting-a-Windows-Server-2012-tp1835p2129.html
> fixed the issue I was having.
>
> I am curious if this is the bug you referenced and if Frode's patch was
> the fix incorporated into the codebase.
>
>
Okay, does not look like that patch made it into the codebase anywhere.
I'm curious if Mike or Frode have any input on why that would not have been
included?

Is there a current JIRA issue out there for this bug?  If not, can you file
one for this and reference those discussions and that patch?  It looks like
a pretty simple change, so long as it doesn't negatively impact something
else, and getting this pushed into the Guacamole Server code should be
relatively painless.

-Nick

