Re: Database issue installing version 1.0.0

2019-03-28 Thread Nick Couchman
On Thu, Mar 28, 2019 at 9:01 AM  wrote:

> We have a new machine that we’re setting up with Guacamole, and I’m
> putting version 1.0.0 on it (we have 2 others that are running 0.9.13
> currently).  When I try to implement the MySQL database portion, I’m
> getting the following errors in /var/log/messages (this is a RHEL 7.6
> server):
>
>
>
> Mar 28 08:56:26 armt server: Loading class `com.mysql.jdbc.Driver'. This
> is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The
> driver is automatically registered via the SPI and manual loading of the
> driver class is generally unnecessary.
>

Interesting.  This might merit a JIRA issue - looks like a warning that we
need to change the JDBC driver.


> Mar 28 08:56:26 armt server: 08:56:26.452 [http-bio-8080-exec-5] ERROR
> o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
>
> Mar 28 08:56:26 armt server: ### Error querying database.  Cause:
> java.sql.SQLException: The server time zone value 'EDT' is unrecognized or
> represents more than one time zone. You must configure either the server or
> JDBC driver (via the serverTimezone configuration property) to use a more
> specifc time zone value if you want to utilize time zone support.
>

Looks like this:
https://issues.apache.org/jira/browse/GUACAMOLE-760

-Nick



Re: Clipboard config

2019-03-28 Thread Nick Couchman
On Thu, Mar 28, 2019 at 7:15 AM Will Payne  wrote:

>
> Hi,
>
> Is there any way of disabling all clipboard functionality?
>


There are two new parameters that got merged about a month ago that allow
you to disable clipboard integration, both Copy and Paste support.

https://github.com/apache/guacamole-client/pull/379
https://github.com/apache/guacamole-server/pull/214

Unfortunately they are not slated for 1.1.0, but for 1.2.0, so won't make
it to the next release.

-Nick


Re: Clipboard config

2019-03-28 Thread Nick Couchman
>
> Guacamole seems like it's going to be really useful for us but we
> really, really need to be able to prevent data leakage - the fact SSH
> connections are essentially graphical is a big win for us but the
> ability to highlight text and have it appear in a text area in the
> browser is a showstopper. It would be nice if, moving forward, the
> ability to enable/disable a new feature was added at the same time as
> the feature itself.
>
>
Totally understand - I've worked in industries before where this was really
important, and I can definitely understand the requirement to do so.
Hopefully 1.2.0 will follow 1.1.0 pretty quickly, so hopefully it won't
be too long before we're able to get you that feature :-).

-Nick


Re: radius plugin with linotp/privacyidea

2019-03-30 Thread Nick Couchman
On Sat, Mar 30, 2019 at 01:27 Mike Jumper  wrote:

>
>> I'm not sure that it could be changed as implemented - basically it just
>> copies the text provided by the RADIUS server in the Challenge part of the
>> Challenge/Response as a way to be flexible about what the RADIUS server may
>> be asking for.  While it may be a OTP in this case, there are other
>> scenarios where you might ask for a PIN, or the answer to a security
>> question, etc., so when I wrote it I was trying not to limit it to OTP
>> scenarios, only.
>>
>
> That "Reply-Message = please enter otp:" string looks like something isn't
> being parsed right. Shouldn't it say "please enter otp:"?
>

Ahem.  Yes.  That deserves a bug in JIRA and a few minutes of work to clear
up.

-Nick


Re: Copie Paste Not Working

2019-03-28 Thread Nick Couchman
On Thu, Mar 28, 2019 at 3:22 PM ivanmarcus  wrote:

> Hopefully Firefox will implement this soon (there appears to be a working
> draft: https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API)
> but in the meantime I assume the only way to guarantee operation in any
> browser is the key combination [not wanting to start a flamewar but we
> simply don't use Chrome, nor IE, here]?
>
>
It would be nice if all of them implemented it, yes, as that's pretty much
the way to guarantee a uniform experience across multiple browsers.

But, yes, in the meantime, the key combo would be required for Firefox.  I
use Chrome pretty exclusively and both the extension and the Async API work
well.

-Nick


Re: Copie Paste Not Working

2019-03-28 Thread Nick Couchman
On Thu, Mar 28, 2019 at 3:34 PM ivanmarcus  wrote:

> Do you know if the extension and API work with Chromium? It wasn't
> entirely clear from the brief search I just did.
>

I believe Chromium supports this, yes.

-Nick


Re: Copie Paste Not Working

2019-03-28 Thread Nick Couchman
On Thu, Mar 28, 2019 at 2:50 PM ivanmarcus  wrote:

> You need to use CTRL+SHIFT+ALT in order to copy/paste between remote and
> local sessions.
>

You do not have to do this, no.  It is one way to accomplish it; however,
there's a Clipboard extension and, more recently, integration with the
Clipboard API.


> It's largely described here:
> https://guacamole.apache.org/doc/gug/using-guacamole.html#using-the-clipboard
>
>
Yep, that's a good one.  There's also this link:

http://guacamole.apache.org/faq/#clipboard

-Nick


Re: POST /guacamole/api/tokens HTTP/1.1" 500

2019-04-01 Thread Nick Couchman
On Mon, Apr 1, 2019 at 8:47 AM Oliver.Zhang 
wrote:

> The tomcat error log is :
>
> ### Error querying database.  Cause: java.sql.SQLException: Access denied
> for user 'guacamole_user'@'10.66.204.13' (using password: YES)
>
> ### The error may exist in
> org/apache/guacamole/auth/jdbc/user/UserMapper.xml
>
> ### The error may involve
> org.apache.guacamole.auth.jdbc.user.UserMapper.selectOne
>
> ### The error occurred while executing a query
>
> ### Cause: java.sql.SQLException: Access denied for user 
> 'guacamole_user'@'10.66.204.13'
> (using password: YES)
>
> My guacamole.properties is:
>
> # MySQL properties
>
> mysql-hostname: 10.66.204.10
>
> mysql-port: 3306
>
> mysql-database: *
>
> mysql-username: *
>
> mysql-password: *
>
> mysql-default-max-connections: 1000
>
> mysql-default-max-group-connections: 1000
>
> Why does it still access MySQL at 10.66.204.13 and not 10.66.204.10?

This message is telling you that the user is logging in *from*
10.66.204.13, presumably the host where Guacamole is running.  This just
means that the MySQL user either doesn't have an entry for logging in from
that host, or the credentials are incorrect.  Try logging in using the
mysql-username and mysql-password values from a MySQL command line client
on the same system where Guacamole is running.

-Nick


Re: Chrome problems

2019-04-01 Thread Nick Couchman
On Mon, Apr 1, 2019 at 1:33 PM elvelux  wrote:

> I have recently discovered that the error only occurs connecting by https,
> not by http.
>
>
I use Guacamole 1.0.0 with Chrome and HTTPS routinely with no issues.

-Nick


Re: OTP Lost

2019-04-01 Thread Nick Couchman
On Mon, Apr 1, 2019 at 1:33 PM Kamal Ezzaki  wrote:

> Is there any way if a user lost his way to authenticate? Is there any
> way to reset his authentication?
>

You delete the totp-* attributes from the database for that user.  They are
stored in the guacamole_user_attributes table.

-Nick


Re: Later Compile Error

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 3:30 PM Robert Dinse  wrote:

>
>   I've had issues with openjdk missing libraries which is why I went with
> the oracle version, but did find java-8 available on oracle even though 9
> is not so installed it.  Still not starting but I'm not sure I've got
> everything in java right quite yet.
>
>
I, too, have experienced issues with some stuff not working with OpenJDK,
but I'm reasonably certain that Guacamole runs fine with it - I think I use
it on a couple of my test/dev systems that I both compile and run on.

-Nick


Re: Later Compile Error

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 2:56 PM Robert Dinse  wrote:

>
>   Ok, here are the logs from starting tomcat with guacamole.war in the
> /var/lib/tomcat8/webapps directory.  It does not create the directory
> guacamole and deploy but the sample war files provided with tomcat8 do
> properly deploy and operate on this server.
>
>   Here is a link to the catalina.log file:
>
>   https://www.eskimo.com/forums/viewtopic.php?f=6=492
>
>   Here is a link to the localhost log file:
>
>   https://www.eskimo.com/forums/viewtopic.php?f=6=493
>
>
I think you've hit the following issue:
https://issues.apache.org/jira/browse/GUACAMOLE-736

Looks like maybe you're using Java 11?  There's a pull request in for this:
https://github.com/apache/guacamole-client/pull/382

But it won't make it into the 1.1.0 release.  For the time being you'll
need to use a version of Java under version 11 - versions 8 and 9 are known
to work.

-Nick


Re: Later Compile Error

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 3:12 PM Robert Dinse  wrote:

>
>   Java9 does not appear to be available anymore for Ubuntu 18.10:
>
> E: Package 'oracle-java9-installer' has no installation candidate
>
>
You might look for OpenJDK - looks like OpenJDK 8 and 11 are available, so
try OpenJDK8.  Otherwise you can download Oracle Java 8 from java.com.


Re: guacamole radius

2019-02-24 Thread Nick Couchman
On Sun, Feb 24, 2019 at 12:01 AM drhy  wrote:

> Hi Nick,
>
> A further clarification from PlayerOne and myself.
>
> We have been testing Radius with MySQL and have been able to successfully
> configure a Guacamole Group with Connections attached to it. When we then
> make Guacamole Users members of that Group, only the Users who are Guacamole
> Administrators see the Group's Connections. So in practice ordinary
> (non-Admin) Users don't see any Connections. (The Users and the Group match
> the User, Group and Group membership in Active Directory.)
>

It's probably related to one of two currently opened issues:

https://issues.apache.org/jira/browse/GUACAMOLE-696
https://issues.apache.org/jira/browse/GUACAMOLE-715

The first issue deals with the fact that group permissions within the
database are not applied to users authenticated under a different
extension.  So, for example, if you have "Group 1" in JDBC, with "User 1"
as a member of that group, you've assigned permissions to "Group 1" for a
certain connection, and "User 1" authenticates with RADIUS, the permissions
assigned to "Group 1" will *not* be applied.  This is a slight nuance in
how permissions are applied, and will likely be tweaked to function more
how people expect it to work in 1.1.0.  In 1.0.0, you'd have to have "Group
1" present in the RADIUS extension (which doesn't do groups at all, so that
would be difficult), or you'd have to assign permissions directly to "User
1" in the JDBC module.

The second issue is a bug that requires that, for groups matched between
authentication extensions (specifically between LDAP and JDBC), users are
not given permissions of their group unless they already exist in the JDBC
extension.  This is unintended behavior, and should also be corrected in
1.1.0.

I suspect the scenario you're hitting is the one documented in 696.

-Nick


Re: Compile Error

2019-02-24 Thread Nick Couchman
On Sun, Feb 24, 2019 at 5:48 AM Robert Dinse  wrote:

>
>   Pulled the source from github and attempted to compile on Ubuntu 18.10 but
> got the following error:
>
> guac_svc/svc_service.c: In function ‘VirtualChannelEntry’:
> guac_svc/svc_service.c:56:5: error: ‘strncpy’ output may be truncated
> copying 7 bytes from a string of length 7 [-Werror=stringop-truncation]
>   strncpy(svc_plugin->plugin.channel_def.name, svc->name,
>   ^~~
>   GUAC_RDP_SVC_MAX_LENGTH);
>   
>
>   Any suggestions as to how to fix?  Normally an error like this would
> not stop a compile but directives are given that cause all warnings to be
> treated as errors so this stops the compile.
>

Looks like you're hitting this issue:

https://issues.apache.org/jira/browse/GUACAMOLE-637

which has an active pull request that is being reviewed and will hopefully be
merged soon.  Should be fixed in version 1.1.0.

https://github.com/apache/guacamole-server/pull/209

-Nick


Re: RDP Settings/Requirements for Windows Server 2016 and above

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 8:12 PM PlayerOne  wrote:

> It looks as though I have to disable the setting in Windows RDP settings that
> forces NLA only, then I can get TLS with ignore server cert working. I can
> push out a group policy to disable the settings, but I'd rather get NLA
> working if possible.
>
> Are there any recommendations to getting NLA working?
>
>
I use NLA routinely with Guacamole with no issues.  I do have to use
Connection Parameters to pass through the username and password so that I
don't have to store them directly in the database:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

-Nick


Re: set tomcat user?

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 8:09 PM Robert Dinse  wrote:

>
> I've got a bit of a disaster on my hands. I am in the process of installing
> guacamole. Got guacamole-server and guacamole-client built, so far so good.
> Tried to deploy but guacamole.war would not deploy in the Ubuntu 18.10
> environment. Discovered this is because the version of Java, guacamole won't
> run in Java 11, needs Java 8. Okay, since I have no other java application it
> seemed reasonable to just de-install jdk-11 and install oracle-java-8 (jdk-8
> is missing some libraries). So installed it and then tomcat wouldn't start.
> Found out when you build Tomcat it has a library that is specific to the Java
> version. So I snagged Tomcat source and built it and now tomcat runs and
> deploys guacamole.war correctly. However it is running as root, when you
> install the package in Ubuntu it runs as tomcat8, and that is how I would
> like it to run. But I can't figure out where in the configuration you set
> that. Does anyone know how to do this?
>
>
A couple of notes for you:
- You can install Tomcat from the distribution without having to compile it
from source.  The website has binaries available.
- The way to change the user running Tomcat is simply to change the user
you run the startup.sh script as.  So, if you want to run it as tomcat8,
run "sudo -u tomcat8 /path/to/tomcat/bin/startup.sh".  You may have to
change permissions on the path where you installed Tomcat to the tomcat8
user.

-Nick


Re: Guac 9.14 MySQL

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 6:02 PM sciUser 
wrote:

> Hello,
>
> Have a question; in Guacamole there is a field called "Automatically
> create drive:" (a check box).
> I am unable to find this as a table or column in the MySQL
> "guacamole_connection_parameters" table.
>
>
It's not a table or column, it's a row in the table you mentioned.  It's
keyed by the identifier of the connection and the parameter name, and the
value will be true.

-Nick


Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

2019-02-24 Thread Nick Couchman
On Sun, Feb 24, 2019 at 9:07 PM drhy  wrote:

> Hi PlayerOne,
>
> I'm using guacadmin to enter a zero-length password for a standard
> (non-admin) user, me.
> I enter a single space, then backspace, in each of the two password fields,
> then Save.
>
> In this scenario I can be authenticated via Radius and AD using my AD
> password. If I ensure the password field on the login page is zero-length
> then I am logged in anyway and presented with the connections I would
> normally get. Is that your scenario ?
>
>
Why are you using a zero-length password in the JDBC module?

-Nick


Re: LDAP extension: how to ldap-user-base-dn with space in its name?

2019-02-26 Thread Nick Couchman
On Tue, Feb 26, 2019 at 9:57 AM wouterve  wrote:

> I've just tested it and it works! Now, only users member of the SG
> 'Company - Aftersales' have access to guacamole!
>
> Great!


> Thanks a lot!
>
> Regarding the syntax (ldap-user-search-filter:
> (&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))),
> is this defined by Guacamole or is this just standard LDAP (just wetting
> my feet into this)?
>
>
This is standard LDAP filter syntax - it is passed through the LDAP
extension after being encoded to verify that nothing bad (e.g. LDAP
Injection) is going on.

-Nick
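An added example (not code from the Guacamole LDAP extension) of the encoding step mentioned above: RFC 4515 escaping of values interpolated into a filter of the shape quoted in this thread, plus a structural sanity check. The combined filter template and the `uid` attribute are assumptions; the group DN and usernames are constructed samples.

```python
"""RFC 4515 escaping for values interpolated into an LDAP search filter.

Added example, not code from the Guacamole LDAP extension. It shows the kind of
encoding step the reply refers to: filter metacharacters in a user-supplied
value are replaced by \\XX escapes so the value cannot alter the filter's
structure. The combined filter template and the `uid` attribute are
assumptions; the group DN and usernames below are constructed samples.
"""

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Encode one assertion value for safe use inside a filter string."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters may be sent as escaped UTF-8 bytes.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, group_dn: str) -> str:
    """Combine the thread's group-membership filter with a match on the user.

    Shape mirrors the ldap-user-search-filter quoted above, AND-ed with a uid
    clause (assumed attribute name) for the account that is logging in.
    """
    return "(&(objectClass=person)(memberOf=%s)(uid=%s))" % (
        escape_filter_value(group_dn),
        escape_filter_value(username),
    )


def filter_is_well_formed(filt: str) -> bool:
    """Cheap structural check: parentheses must balance once escapes are skipped.

    Useful as a sanity test on any filter assembled from external input; an
    unescaped value that contains parentheses will typically fail it.
    """
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3  # skip the \XX escape sequence as opaque data
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed sample: a group whose name contains parentheses and a
    # username containing a wildcard, both of which need escaping.
    group = "cn=Company - Aftersales (EU),ou=groups,dc=example,dc=com"
    for user in ("wouterve", "j*doe"):
        filt = build_user_filter(user, group)
        print(filt, "well-formed:", filter_is_well_formed(filt))
```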


Re: Guacamole Authentication

2019-02-26 Thread Nick Couchman
On Tue, Feb 26, 2019 at 5:16 AM Robert Dinse  wrote:

>
>   Is it possible to configure guacamole not to require authentication, with
> the VNC server at the receiving end doing it?
>
>
Guacamole Client currently does not allow anonymous access, so this isn't
possible out of the box, so to speak.  I can think of a couple of ways you
could do this with the existing authentication modules that would make this
relatively seamless:
- If you have a CAS or OpenID provider, you can do SSO such that users who
may already be logged into another service would be able to authenticate
transparently.
- You could use the header module along with some httpd or nginx
authentication configuration to transparently authenticate through the web
server.

Alternatively a custom authentication provider could be implemented that
would authenticate users against some set of criteria that would make this
more seamless/transparent.

-Nick


Re: Can't print in RDP sessions

2019-02-27 Thread Nick Couchman
On Wed, Feb 27, 2019 at 3:18 PM Fabián Rodríguez 
wrote:

> Hi,
>
> I am using Guacamole 1.0.0 in Debian 9 with Tomcat 8, database
> authentication with self-signed SSL certificate.
>
> After following the installation documentation
>  I documented
> my initial 0.9.14 installation steps here
> . I then recently used this script
> 
> to update, while working around  a small bug
> . VNC, SSH and
> RDP remote sessions are used daily without problems.
>

Just FYI, that script is not maintained by the project.


> I can't seem to get a prompt to save the PDF file generated when printing
> in RDP sessions.
>
> I initially had to symlink all files in /usr/local/lib/freerdp to
> /usr/lib/x86_64-linux-gnu/freerdp,
> for example (see this bug report
> ):
>

The Docker image you're using is also not the official Guacamole project
Docker image, and not maintained by the project, so we cannot provide any
support for it.  If you'd like the one associated with the project, use
guacamole/guacamole and guacamole/guacd.


> ln -s /usr/local/lib/freerdp/guacdr-client.so
> /usr/lib/x86_64-linux-gnu/freerdp/guacdr-client.so
>
> After reboot guacdr started normally:
> Feb 27 14:35:19 guacamole guacd[14998]: guacsnd connected.
> Feb 27 14:35:19 guacamole guacd[14998]: guacdr connected.
>
> When connected, a new printer "Guacamole PDF printer" (as I named it)
> showed up. When I start printing there is no error, only a message on my
> local browser notifications "Waiting for guacamole.domain.lan...:" and
> nothing happens.
>
> Ghostscript is installed, in /var/syslog I see:
>
> Feb 27 14:44:51 guacamole guacd[23876]: Device 0 (Imprimante Guacamole
> PDF) connected successfully
> Feb 27 14:45:07 guacamole guacd[23876]: Print job created
> Feb 27 14:45:07 guacamole guacd[23876]: Created PDF filter process
> PID=24158
> Feb 27 14:45:07 guacamole guacd[24158]: Running gs
>
> And a gs process is running continuously:
>
> PID TTY  STAT   TIME COMMAND
> 24158 ?  S  0:06 gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER
> -sDEVICE=pdfwrite -sOutputFile=- -c .setpdfwrite -sstdout=/dev/null -f -
>
> But nothing happens...
>
> If I close the session then a file dialog to save appears, the resulting
> file is very small (255 bytes) and of course corrupted but it has PDF
> headers.
>

The issue you're running into is likely this one:

https://issues.apache.org/jira/browse/GUACAMOLE-506

I don't know anything about how that Docker container you're using is set
up, but I suspect it's using HTTP(S) and not WebSocket(/WSS).

-Nick



Re: LDAP Cannot Find Specific User

2019-02-27 Thread Nick Couchman
On Wed, Feb 27, 2019 at 3:44 PM avocado  wrote:

> I have had Apache Guacamole running with LDAP + MySQL for quite some time
> now. I have not had many issues, but I have come across a new one. When I
> search for users, I am unable to find a certain user. I have
> *ldap-user-base-dn:* at the very root of my domain, so I know that OU isn't
> an issue. I use *ldap-user-search-filter:* to filter for a certain group
> membership, but I have removed and re-added the user to the group.
> Typically, once I add a user to the group, log out, and log in the user
> appears. I have ~100 users, and have never seen this before. Does anyone
> know where I can even look for a log that might point me in the direction of
> the problem?
>
>
Check the catalina.out file from Tomcat to see if there are any errors.  If
not, try bumping up logging
(http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging)
and see if it provides any additional information.

-Nick


Re: Can't get SSH key to work

2019-03-01 Thread Nick Couchman
On Fri, Mar 1, 2019 at 4:18 PM Julien Nicoulaud 
wrote:

> I did some more digging and I found that:
>
> - RSA keys are only supported in PEM format. But since OpenSSH 7.8
>   (2018), ssh-keygen changed its default format. I opened
>   https://issues.apache.org/jira/browse/GUACAMOLE-745
> - ED25519 keys are definitely not supported, the key loading code
>   explicitly looks for hardcoded RSA or DSA headers here:
>   https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L40
>   I opened a feature request:
>   https://issues.apache.org/jira/browse/GUACAMOLE-746
>
> But both need to wait for a new libssh2 release including this commit:
> https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e
>


Thanks for the research, Julien!

-Nick



Re: Audio

2019-03-01 Thread Nick Couchman
On Fri, Mar 1, 2019 at 2:59 PM sciUser  wrote:

> In regards to the Audio channel, are there any specific ports that need to be
> opened or is port 3389 enough?
>
>
For RDP you don't need anything additional - since RDP includes audio, it
will be handled within RDP and Guacamole.

For VNC, audio has to be forwarded over PulseAudio, which is a separate
port and service.  Instructions for setting it up are within the VNC
configuration guide for Guacamole:
http://guacamole.apache.org/doc/gug/configuring-guacamole.html#vnc

-Nick


Re: Necessity for remove a field from Edit User window

2019-03-01 Thread Nick Couchman
On Mon, Feb 25, 2019 at 10:45 AM Gabriel Huerta Araujo <
huert...@globalhitss.com> wrote:

> Hi Mike
>
> This is what I have (0.9.14)
>
> "USER_ATTRIBUTES" : {
>
> "FIELD_HEADER_GUAC_EMAIL_ADDRESS"   : "Email address:",
> "FIELD_HEADER_GUAC_FULL_NAME"   : "Full name:",
> "FIELD_HEADER_GUAC_ORGANIZATION": "Organization:",
> "FIELD_HEADER_GUAC_ORGANIZATIONAL_ROLE" : "Role:"
>
> },
>
> And this URL (
> https://github.com/apache/guacamole-client/blob/87aa2e6c34d11bb30626c6c27a42796506493ffd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json#L93)
> shows what you indicate in es.json file:
>
> "USER_ATTRIBUTES" : {
> "FIELD_HEADER_DISABLED": "Login disabled:",
> "FIELD_HEADER_EXPIRED" : "Password expired:",
> "FIELD_HEADER_ACCESS_WINDOW_END"   : "Do not allow access after:",
> "FIELD_HEADER_ACCESS_WINDOW_START" : "Allow access after:",
> "FIELD_HEADER_TIMEZONE": "User time zone:",
> "FIELD_HEADER_VALID_FROM"  : "Enable account after:",
> "FIELD_HEADER_VALID_UNTIL" : "Disable account after:",
> "SECTION_HEADER_RESTRICTIONS" : "Account Restrictions",
> "SECTION_HEADER_PROFILE"  : "Profile"
> },
>
> So in version 0.9.14, which I am using, I do not see these translations in
> the es.json translation file.
>
>

This indicates that these items have not been translated into Spanish,
yet.  I believe some Spanish translations were updated in 1.0.0 (from
0.9.14), so you might check the latest available version and see if those
work.  If you can provide any of them, you're welcome to contribute to the
project by completing those translations.

-Nick



Re: Can't get SSH key to work

2019-03-01 Thread Nick Couchman
On Tue, Feb 26, 2019 at 2:57 PM Julien Nicoulaud 
wrote:

> No useful info in debug mode (see my first message, it has a log with
> guacd debug logging)
>

Hmmm...not really sure what's going on, here.  I'm able to successfully use
it with the following steps:
- Guacamole from git master, with JDBC module
- On the destination system, under the account I want to log in under
(testuser), do "ssh-keygen -t rsa -b 1024" and don't set a passphrase
- Add the public key to the authorized_keys file (actually, there were no
other authorized_keys entries, so just copied .ssh/id_rsa.pub to
.ssh/authorized_keys)
- Configure Guacamole SSH connection to the host, with a fixed username,
and pasting in the private key with header and footer
- Start the connection

It connects fine - no issues, here.

-Nick



Re: WebsocketTunnel

2019-03-01 Thread Nick Couchman
On Wed, Feb 27, 2019 at 10:46 PM Robert Dinse  wrote:

>
>   Yea, this is very weird.  If I launch guacd in the foreground it tells
> me vnc protocol not supported when it tries to connect.  Yet, when I did the
> configure I did --with-vnc and at the end it showed vnc: yes.
>
>
Sounds like it might be a library linking issue.  If you do "ldd -r
/path/to/guacd/install/lib/libguac-client-vnc.so.0.0.0" do you get any
missing libraries or library errors?

-Nick


Re: guacd - parallel builds

2019-03-01 Thread Nick Couchman
On Wed, Feb 27, 2019 at 10:43 PM Robert Dinse  wrote:

>
>   Something is wrong that causes parallel builds of guacd to fail. When
> I first made it I used make -j13 to fully take advantage of a six core
> processor.  It said vnc not supported even though it was configured in.
>
>
H...I use parallel builds routinely without problems - I'm usually
doing "make -j5" to optimize for a 2-core system, but it works fine for
me.  I'm generally building on CentOS 7.

-Nick


Re: Necessity for remove a field from Edit User window

2019-03-01 Thread Nick Couchman
On Fri, Mar 1, 2019 at 8:26 PM Gabriel Huerta Araujo <
huert...@globalhitss.com> wrote:

> Ok Nick
>
> But the million-dollar question is: if these translations are not available
> yet in this version, how is it possible that they can be shown on screen?
>
You must be running Guacamole 1.0.0 - those translations are present in the
following file:

https://github.com/apache/guacamole-client/blob/1.0.0/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/es.json

-Nick


Re: More Fun

2019-03-02 Thread Nick Couchman
On Sat, Mar 2, 2019 at 4:15 AM Robert Dinse  wrote:

>
>   I tried to use Zer0CoolX's branding.jar extension but it did not work as
> intended.  It did not change the text at all and the logo was very low
> contrast and smaller than the actual image he used.  When I tried to
> substitute my own logo it did not display at all.
>

You'll have to be a little more explicit about what you tried, and
preferably provide the code you're using (Github is your friend).

As an aside, this has been asked enough on the mailing lists that I've
opened up a JIRA issue to add some documentation to the Guacamole Manual on
the branding process.  I'll take a stab at documenting it within the manual.

https://issues.apache.org/jira/browse/GUACAMOLE-747


>
>   So far sound is not working either with vnc / pulseaudio (and I did make
> the recommended changes to pulse audio conf and the catalina.out log is
> showing it connecting to the pulseaudio server, but still no sound, and
> also tried with rdp using Xrdp as the server, no sound there either.
>

I need to give this a shot, too - I've done it before, but it's been a
while, so worth taking another look.  Just haven't had a chance, yet.


>
>   It would be nice if there were a way to disable the teardown session
> function in the home page as I'm using a common login for multiple users
> because authentication is either done by ssh or xdmcp on the server.  I'd
> really like to disable the login as well and just have it login as said user.
>

We (the project) have resisted (re-)implementing an authentication
extension that doesn't actually authenticate.  There actually used to be
one (noauth) and it was deprecated in 0.9.14 and removed completely in
1.0.0.  Within Guacamole Client, *some* form of authentication should be
done - bypassing authentication entirely really isn't a good idea.  I'm
definitely sympathetic to your situation, though - I've been there in the
past, where I had Guacamole authenticating with different credentials than
RDP sessions that users were logging into, and I didn't like having my
users required to enter credentials twice.  However, there should be some
middle ground - some means by which to authenticate users coming into
Guacamole without requiring them to enter credentials twice.  You could do
some sort of certificate-based authentication with the web server (httpd or
nginx) and then use the header module to pass through the authentication to
Guacamole?  Not something I've ever actually tried, but I'm just thinking
out loud.  Obviously that requires maintaining and distributing
certificates, which is its own challenge, but might be preferable to
bothering users with multiple credential requirements.

-Nick


Re: More Fun

2019-03-02 Thread Nick Couchman
On Sat, Mar 2, 2019 at 3:50 PM Robert Dinse  wrote:

>
>   If there were an NIS / Unix / Pam authentication module then I'd use
> that but I am unwilling to have to have users register yet another password
> and I can't get their existing passwords since they are encrypted.  And
> since all the servers they are going to are already accessible via ssh and
> x2go an additional layer of authentication does nothing but inconvenience
> the customer.  Since it does pass through the real IP in the header, I should
> be able to write fail2ban rules to cover brute force password guessing.
>
>
I think someone posted a link a while back to a PAM authentication module
for Guacamole, so that might be an option.

I'm guessing the servers they log into are not configured to authenticate
with LDAP?

-Nick


Re: 1.0.0 LocalStorage auth instead of cookies

2019-03-04 Thread Nick Couchman
On Sun, Mar 3, 2019 at 12:40 AM Lev Dubinets  wrote:

> Hi,
>
> Prior to 1.0.0 I had a reverse proxy in front of Guacamole that modified
> the GUAC_AUTH cookie paths so that I could have two browser windows open
> with two different Guacamole sessions (one at domain .com/username1 and
> other at domain .com/username2).
>
> With 1.0.0 and the LocalStorage changes there's no way to "path" the
> entries at all. What are some recommended solutions for this? Is it
> possible to write some kind of auth plugin to use cookies instead of
> localstorage?
>

I don't think this would work, no - you could write an authentication
extension that would authenticate with cookies, yes, but I don't think this
would solve the issue you're seeing, because, once logged in, Guacamole
would still issue a token based on the LocalStorage method of storing data
within the browser, which would likely circumvent your cookie-based
authentication.

What is it that you're trying to accomplish, in the end?  Why do you
need/want two different sessions under two different accounts?  On the rare
occasions that I require this, I usually end up using Chrome's Incognito
mode for the second session, but I wouldn't consider my usage routine, so I
can understand that there might be situations that don't lend themselves
quite as easily to that.

-Nick



Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

2019-02-21 Thread Nick Couchman
On Thu, Feb 21, 2019 at 8:10 AM Kamal Ezzaki  wrote:

> I get it now, the concept is to create a new user in the guacamole
> interface *without* *password*. This stops him from connecting by using
> jdbc, and after this you create a user with the same identity in radius.
> This way you make sure that guacamole goes to radius for
> authentication and to jdbc for users' data. Thank you very much for your
> help, people, and if anyone has a question I'm ready to answer.
>

Yep, glad you got it.  One minor note - when you create a user in the
Guacamole web interface and do not specify a password, Guacamole generates
a random password and assigns it.  This is for security reasons so that the
account is protected.

-Nick


Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

2019-02-21 Thread Nick Couchman
On Thu, Feb 21, 2019 at 3:23 AM Kamal Ezzaki  wrote:

> Hello, I changed the name of the RADIUS module so that it's loaded first and
> Guacamole checks the RADIUS server first, then goes back to JDBC, but the
> problem is how to not go back to JDBC and check only RADIUS if the user
> exists, then go to JDBC for user data (permissions, connections).
>

To assign permissions to RADIUS users in the JDBC module, you need to
create users in the JDBC module with the same username as the RADIUS
users.  You can then assign permissions to the user within JDBC, and the
user logging in with RADIUS will get those permissions.  Guacamole bases
this "stacking" on the username, so the usernames must be identical.

Version 1.0.0 introduced user groups; however, the way user groups are
currently implemented in Guacamole it will *not* work to create your RADIUS
users in JDBC, and then create a group in JDBC and assign the permissions
that way.  The group would need to be present in the RADIUS module, and the
RADIUS module currently does not implement group retrieval.  So,
unfortunately, for now, you would need to create those users in JDBC and
individually assign connection permissions to the user accounts in JDBC.

-Nick


Re: LDAP extension: how to ldap-user-base-dn with space in its name?

2019-02-21 Thread Nick Couchman
On Thu, Feb 21, 2019 at 4:17 AM wouterve  wrote:

> Hi,
>
> Strangely, I don't see any error output in /var/log/tomcat7/catalina.out
>
> Then I tried to use the following:
>
>
> I do receive the following error:
>
>
>
> (still using the same userbase
>
> so, how could I limit the users to only the aftersales security group
> please?
>
>
Any screenshots you were trying to post inline got stripped out.

If you're trying to limit to a certain set of users within LDAP, I'd
suggest using the ldap-user-search-filter parameter in
guacamole.properties, which will allow you to define the LDAP filter used.
You could do something like:
ldap-user-search-filter:
(&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))

Obviously adjust that to the type of object you actually want to find, and
the location of the group.

-Nick


Re: Authentication Changes in 1.0.0

2019-03-04 Thread Nick Couchman
On Mon, Mar 4, 2019 at 7:16 PM Lee  wrote:

> Mike, thank you for your feedback. I've forwarded that onto my teammates to
> look into. I agree, I'd prefer to not go in a route that is going to be
> constantly against the design of Guacamole, and the links you provide might
> be a great alternative I did not see while looking at the
> SimpleAuthenticationProvider code. If that ANONYMOUS_IDENTIFIER pathway
> allows a second session without re-using the existing one, that would
> probably be a perfect work-around to the problem. If that isn't quite
> right,
> I'll explore the extension API options.
>
>
Based on what you've said in your other thread, it does sound like you're
fighting the interface rather than working with it :-).

One thing that is worth noting is that Guacamole does create persistent
URLs for connections within the interface - so, when you see something like:

https://guacamole.example.com/guacamole/#/client/MzkAYwBwb3N0Z3Jlc3Fs

The end part of it (/client/MzkAYwBwb3N0Z3Jlc3Fs) will always take you to
the same connection, because it encodes the connection type (connection or
connection group), the data source name, and the identifier, within that
identifier.  So, one idea would be to create links to these connections (on
a home page or separate page somewhere) and then use some sort of SSO
extension (CAS, OpenID, maybe Header) to log users in so that they could
transparently open those connections.  The connections could be stored in
the JDBC module, stacked with a SSO module, so that permissions could be
assigned within JDBC but still transparently log users in.

Another idea would be to use the common Guacamole pieces (guacd,
guacamole-common and guacamole-common-js) and build your own web
application around the protocol and common components rather than trying to
squeeze the full Guacamole Client into your environment, if it doesn't fit.

-Nick
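
The persistent connection URL described above decodes to three NUL-separated fields. As an added example (not code from the thread or from the Guacamole project), here is a Python encoder/decoder for that identifier; it assumes the field order id, type, data source, with 'c' marking a connection and 'g' a connection group, which is what the sample identifier on the page decodes to.

```python
import base64

# Assumed type markers: 'c' = connection, 'g' = connection group.
TYPE_CONNECTION = "c"
TYPE_CONNECTION_GROUP = "g"

# Sample identifier taken from the URL quoted in the thread above.
SAMPLE_IDENTIFIER = "MzkAYwBwb3N0Z3Jlc3Fs"


def decode_client_identifier(identifier: str) -> dict:
    """Split a /#/client/<identifier> value into its three fields.

    The value is base64 over "<id>\\0<type>\\0<dataSource>" (assumed layout).
    Strict base64 decoding is used so that a tampered or truncated value
    raises instead of being silently accepted.
    """
    raw = base64.b64decode(identifier, validate=True).decode("utf-8")
    parts = raw.split("\0")
    if len(parts) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(parts))
    object_id, object_type, data_source = parts
    if object_type not in (TYPE_CONNECTION, TYPE_CONNECTION_GROUP):
        raise ValueError("unknown object type %r" % object_type)
    return {"id": object_id, "type": object_type, "dataSource": data_source}


def encode_client_identifier(object_id: str, object_type: str, data_source: str) -> str:
    """Inverse of decode_client_identifier(); refuses NUL bytes in fields."""
    if object_type not in (TYPE_CONNECTION, TYPE_CONNECTION_GROUP):
        raise ValueError("unknown object type %r" % object_type)
    for field in (object_id, data_source):
        if "\0" in field:
            raise ValueError("field must not contain NUL")
    raw = "\0".join((object_id, object_type, data_source))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def connection_link(base_url: str, object_id: str, data_source: str,
                    object_type: str = TYPE_CONNECTION) -> str:
    """Build the stable client URL for one connection, e.g. for a portal page."""
    identifier = encode_client_identifier(object_id, object_type, data_source)
    return base_url.rstrip("/") + "/#/client/" + identifier


if __name__ == "__main__":
    print(decode_client_identifier(SAMPLE_IDENTIFIER))
    # -> {'id': '39', 'type': 'c', 'dataSource': 'postgresql'}
    print(connection_link("https://guacamole.example.com/guacamole", "39", "postgresql"))
```

Because the identifier only names the connection and data source, it carries no authorization; the user still has to hold permission on that connection in the data source for the link to work.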


Re: Newbie Question : Guacamole with HTTPS

2019-02-22 Thread Nick Couchman
On Fri, Feb 22, 2019 at 4:04 AM Kamal Ezzaki  wrote:

> Hello, I'm using Guacamole 1.0.0 on CentOS 7. I read the configuration page
> about proxying Guacamole. I'm using Tomcat and I added this
> configuration:
>
> vi /etc/guacamole/apache.conf
>
> 
> Order allow,deny
> Allow from all
> ProxyPass http://192.168.1.2:8080/guacamole/ flushpackets=on
> ProxyPassReverse http://192.168.1.2:8080/guacamole/
> 
>
> vi /etc/tomcat/server.xml
>
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
>clientAuth="false" sslProtocol="TLS"
>  />
>
> and then restarted Tomcat and restarted guacd, and when I try
> https://192.168.1.2:8443/ it gives me inaccessible.
>
>
You don't need to restart guacd, you need to restart Tomcat.  Guacamole has
two distinct components, Guacamole Server (guacd), which listens on port
4822, and Guacamole Client, which runs in Tomcat.  Guacamole Client
presents the Web interface in Tomcat, and connects to Guacamole server
(guacd).  The configuration you're changing above is the Tomcat
configuration, so you need to restart Tomcat.

Also, check and see if there is a firewall running on your system - if so,
you'll need to open port 8443 on the firewall.

Finally, while you can do TLS (HTTPS) support directly in Tomcat, most
people don't - most people use a reverse proxy of some sort (httpd, nginx)
to front the Tomcat configuration.  There are a wide variety of reasons for
this - one of them is that you normally cannot run Tomcat on a port lower
than 1024 (like 443) under a non-root account, and running Tomcat as root
is a really bad idea.  Instructions for proxying Guacamole Client behind
httpd and nginx can be found in the manual:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html

-Nick

>


Re: Newbie Question : Guacamole with HTTPS

2019-02-22 Thread Nick Couchman
On Fri, Feb 22, 2019 at 6:21 AM Kamal Ezzaki  wrote:

> It's fine now. I set up a reverse proxy with nginx and HTTPS works perfectly,
> and for anyone who wants to know how, I just followed this tutorial:
> https://www.digitalocean.com/community/tutorials/how-to-encrypt-tomcat-8-connections-with-apache-or-nginx-on-centos-7
>
>
Make sure you also use the manual page that I sent earlier - there are a
couple of options for the proxy on nginx that need to be set, particularly
for the actual connection tunneling to work correctly and avoid issues with
that.

-Nick


Re: Later Compile Error

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 2:53 AM Robert Dinse  wrote:

>
>   It says it failed due to previous errors, but there are about 100
> lines
> of error messages, so not sure what is relevant.  The ROOT starts okay.
>
>
Maybe just post the whole log (minus any sensitive information) on
pastebin, and link it here?

-Nick


Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

2019-02-25 Thread Nick Couchman
On Mon, Feb 25, 2019 at 1:04 AM drhy  wrote:

> Hi PlayerOne and vnick,
>
> I think I also read that MySQL creates a salted password when a new user is
> created - but I wasn't sure.
>

Yes, if you leave the password field alone (don't enter anything, at all),
Guacamole Client will generate a random, strong password for the user and
populate it.  You probably do not want to actually clear out the password
field - better to have a random/strong password there that no one actually
knows than to clear it out.


>
> But when guacadmin was administrating that new user, for example by adding
> a
> Group or adding Connections, The web  GUI would report "Passwords not
> identical" for the two user password fields. I would then have guacadmin
> delete both passwords, allowing the changed user to be saved. I then found
> that the user could logon with no password = alarm bells.
>
>
I'm not sure why you'd be getting the "passwords are not identical" if you
didn't actually modify the field.  If you leave it alone completely you
should not get this message and you shouldn't have to worry about it.


> Hence to make sure that couldn't happen, whenever I created a user via the
> MySQL command line, I explicitly used a Powershell/.Net method to generate
> a
> password and assign it to the new user. And now I know that whenever a user
> is administrated via the web GUI, a random password must be provided by
> guacadmin.
>
> All this applicable when using Radius with MySQL - I haven't adequately
> tested any other authentication combinations.
>
> Not sure if my understandings are correct though.
>
>
I think you've more or less got it, just the step of manually blanking the
field should not be necessary - if you leave it alone entirely, and if
you're using the WebUI to create the users, it should have a strong, random
password in it.  If you're using a PowerShell script to create the users
directly in the MySQL database you would need to do the random password
step yourself, within that script.

-Nick


Re: Request - Please wait message after entering credentials (Radius Auth Azure MFA)

2019-02-25 Thread Nick Couchman
On Sun, Feb 24, 2019 at 9:03 PM drhy  wrote:

> As PlayerOne says, not sure if this is the place for requests, but I
> endorse
> his suggestion.
>

The place to enter feature requests is on the Apache JIRA instance for
Guacamole:

https://issues.apache.org/jira/browse/GUACAMOLE

-Nick


Re: Connection problems with RDP

2019-02-25 Thread Nick Couchman
>
> We wrote our own client, using guacamole-common-js (also version 1.0.0).
> Websockets the client app opens against the web server go through AWS ALB
> and then through eBay's Fabio load balancer (they also expose the web
> server as HTTPS).
>
>
I'd start, here, looking at this.  If you wrote your own client, it's
possible something is going on there that is sub-optimal and causing
issues.  Have you tried the same connection load to the same systems using
the official Guacamole Client?  You don't have to use it long-term -
Guacamole is designed to be used in applications that you write/design, but
for the purposes of performance testing and debugging, it might be useful
to at least try out the Guacamole Client with the same load level and see
if the problems are the same.


> 7. We do see that upon connecting, both the guacd container and the web
> server container have CPU load (it could be higher than 100% utilization
> when opening ~20 connections).
> The specs of the containers themselves:
> guacd runs with 2000mhz / 6gb / 30mbits.
> The web server runs with 2000mhz / 2gb / 10mbits.
>
>
I suspect that this is really at the root of all of the issues you are
having - if you're seeing > 100% CPU utilization on both your guacd and
Tomcat compute instances, then much of the other behavior you've described
could be attributed to "resource starvation" - the inability of the guacd
threads and/or Tomcat to get timely access to the CPU that it needs.
Again, I'd advise trying out the official Guacamole Client with these same
resource levels and same connection load and see what happens - is the
resource utilization at the same level, and do the same symptoms show up.

Also, you mention high CPU utilization, here, but have you checked on
memory utilization, as well?

-Nick


Re: Authentication Changes in 1.0.0

2019-02-27 Thread Nick Couchman
On Wed, Feb 27, 2019 at 18:06 Lee  wrote:

> Hello,
>
>   I'm seeing a change in behavior I'm not sure how to work around. I'm
> using
> the docker image guacamole/guacamole:1.0.0 with a custom authentication
> provider extending SimpleAuthenticationProvider. With guacamole 0.9.14, I
> saw calls to getAuthorizedConfigurations in the authentication provider
> with
> every user request. This was great, as it allowed a single user to have
> multiple sessions open in separate tabs as the function could return
> different hosts/protocols/usernames/passwords.


Perhaps you could share your code?  And what you're trying to accomplish?
You can have multiple connections open on the client in different tabs, and
you can link directly to these different connections, and each connection
can have its own host, protocol, username, and password.


-Nick


Re: Audio

2019-03-01 Thread Nick Couchman
On Thu, Feb 28, 2019 at 2:01 AM Robert Dinse  wrote:

>
>Ok, making progress.  It was not connecting to pulseaudio because I
> had
> forgotten to open a hole in the firewall for it, now that that is done it
> indicated it connects but still I get no sound:
>

What have/are you trying on both the remote side and the browser side to
get this to work?  It sounds to me like you've got everything set up, and
the log files seem to indicate that things are working as expected.  I'm
wondering if the remote side (VNC server) has the output going to a
different location than the remote TCP sink?

-Nick


Re: Guacamole RDP Probleme with VM machine

2019-03-01 Thread Nick Couchman
On Fri, Mar 1, 2019 at 8:31 AM Kamal Ezzaki  wrote:

> *Hello again,*
> I have a problem with RDP connections from Guacamole to Windows 7 | 10.
> I tried to connect to Windows 10 from another Windows and it works.
> I tried to connect from Guacamole to my physical machine (Windows 10)
> and it works.
> I tried to connect from a VM Windows 10 to another Windows 10 and it works.
> I tried telnet 3389 and it works too.
> But when I try to connect Guacamole to a VM Windows it's not working,
> and this is my log file:
>
> Feb 16 18:55:18 localhost guacd[94927]: Creating new client for protocol
> "rdp"
> Feb 16 18:55:18 localhost guacd[94927]: Connection ID is
> "$8f7d1cb3-d4f8-403a-b907-6ef8eb5673ba"
> Feb 16 18:55:18 localhost guacd[110757]: No security mode specified.
> Defaulting to RDP.
>

This is most likely your issue.  If you don't specifically set the RDP
security mode, it defaults to RDP.  Newer versions of Windows require NLA
authentication, so you'll likely need to set the security mode to NLA and
try, again.  You can also try TLS and see if that works.  If you use NLA
you will also have to specify the username and password at connection time,
either by putting that information in the configuration or by using tokens.

-Nick


Re: Can't print in RDP sessions

2019-03-01 Thread Nick Couchman
>
> And a gs process is running continuously:
>>
>> PID TTY  STAT   TIME COMMAND
>> 24158 ?  S  0:06 gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER
>> -sDEVICE=pdfwrite -sOutputFile=- -c .setpdfwrite -sstdout=/dev/null -f -
>>
>> But nothing happens...
>>
>> If I close the session then a file dialog to save appears, the resulting
>> file is very small (255 bytes) and of course corrupted but it has PDF
>> headers.
>>
>
> The issue you're running into is likely this one:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-506
>
> I don't know anything about how that Docker container you're using is set
> up, but I suspect it's using HTTP(S) and not WebSocket(/WSS).
>
> I am not using Docker so not sure how the default installation would have
> the same problem.
>

And the issue I linked is not specific to Docker.  I was talking about
Docker because that's what it sounded like you have, but, even if you're
not on Docker, I still suspect that there's an issue with HTTP(S) vs.
WS(S), and that you're not using WSS.  That's what GUACAMOLE-506 deals with
- Docker or no.

-Nick


Re: Can't get SSH key to work

2019-02-26 Thread Nick Couchman
On Tue, Feb 26, 2019 at 12:37 PM Julien Nicoulaud <
julien.nicoul...@gmail.com> wrote:

> Actually this is not due to ED25519, I can't get any SSH key to work,
> guacd always fails with "Auth key import failed: (null)".
>
> Tried ED25519 keys, RSA 1024b, and RSA 4096b keys.
> Tried keys with and without passphrase.
> Tried setting the passphrase in the web UI or at the connection prompt.
> Tried changing db from postgres to mysql.
> Tried removing new lines from key / adding blank line before header or
> after footer / converting between unix and windows new lines.
>
> Running out of ideas...
>
>
Can you put guacd into debug logging (GUACD_LOG_LEVEL=debug) and get the
logs and see if anything more useful is returned?

-Nick


Re: GUACAMOLE 0.9.9 - RECORDING

2019-02-21 Thread Nick Couchman
On Thu, Feb 21, 2019 at 5:34 PM Eriel Perez 
wrote:

> Greetings friends from the list.
>
> I have the GUACAMOLE version 0.9.9 and it works well with RDP to a
> computer with windows.
>
> I need to record the sessions. As much as I look for I can not find a
> manual that explains how to do it.
>
>
You should start by upgrading to a modern version of Guacamole.  1.0.0 is
the latest available.  You can download from the Guacamole website:

http://guacamole.apache.org

-Nick


Re: guacd timeout waiting for a connection

2019-02-21 Thread Nick Couchman
On Thu, Feb 21, 2019 at 6:11 PM McRoy, Jeffrey (GE Healthcare) <
jeffrey.mc...@ge.com> wrote:

> Hi Everyone,
>
>
>
> Is it possible to set the amount of time guacd waits for a connection
> using the protocols it supports (VNC, Telnet, etc.)?
>
>
>

Jeff,
The answer (I think) is, it depends.  First, configuring the timeout is not
currently implemented in Guacamole, so it's going to require some
modifications.  There is a JIRA issue out there for it -
https://issues.apache.org/jira/browse/GUACAMOLE-600 - and I started working
on this and investigating possible ways to do it, and it looks like some of
the underlying libraries don't support configuring this value.  In
particular, the FreeRDP and libvncclient libraries don't really have a way
to specify this, and they provide the wrapper around the actual underlying
socket calls, so I'm not sure how doable this is.  Maybe it would be
possible within guacd to somehow wrap the calls and implement a
timeout, anyway, not sure - maybe some of the other developers can comment
on that.

-Nick


Re: Custom User Attributes

2019-02-20 Thread Nick Couchman
On Wed, Feb 20, 2019 at 3:20 AM Dennis  wrote:

> Thanks for your fast reply.
> That way I can only attach this attribute temporarily to the user object,
> right?(maybe i misunderstood the concept of decorate)
> It should be possible to edit this attribute(stored in the DB) via the
> guacamole backend(edit user, new user)
>

Yes, you can do this - you can create new Form objects within the module
that have the attributes you wish to attach to the users.  It's reasonably
straight-forward.


>
> My solution atm:
> I've customized the jdbc-mysql extension to add this attribute to the
> backend. (and it seems to work perfectly)
> I think there is no easy way to achieve this at the moment.
>

This is essentially what you're doing with decoration, but without touching
the source code of the original module.  It definitely takes a little
getting used to, but it is pretty easy once you get it down.

-Nick

>


Re: guacamole radius

2019-02-20 Thread Nick Couchman
>
>
> Thanks.
> After a careful re-read of your postings and the JIRA I now realize that if
> both the username and MySQL Group name exist in Active Directory (which
> Radius is authenticating against) and the password is correct, then the
> user
> will be presented with the Guacamole Connections assigned to the MySQL
> Group.
>
>
Yep - hopefully we'll be able to address this, either by clarifying
documentation or modifying functionality a bit, in 1.1.0.

-Nick


Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

2019-02-20 Thread Nick Couchman
On Wed, Feb 20, 2019 at 3:44 PM drhy  wrote:

> Hi,
> If you look at the script you'll see that it changes the name of the
> Authentication Providers slightly. The Providers are loaded and executed by
> Guacamole in alphanumeric sequence, so renaming is needed to ensure Radius
> is loaded before MySQL.
> -David
>
>
Yes, because of how modules are loaded and how authentication errors are
handled, if you're using RADIUS to do 2-Factor authentication
(Challenge/Response), you'll need to make sure that module is loaded and
evaluated, first, so that authentication succeeds before the JDBC module is
queried.  You should still be able to assign permissions from the JDBC
module to RADIUS-authenticated users.

-Nick


Re: Guacamole AND FreeRadius ( Probleme with Users data )

2019-02-20 Thread Nick Couchman
On Wed, Feb 20, 2019 at 12:03 PM Kamal Ezzaki 
wrote:

> This is my guacamole.properties file
> # MySQL properties
> #mysql-hostname: localhost
> #mysql-port: 3306
> #mysql-database: guacamole_db
> #mysql-username: guacamole_user
> #mysql-password: passroot
> # Radius properties
> radius-hostname: 192.168.132.132
> radius-shared-secret: guacrad
> radius-auth-protocol: pap
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: **
>
>
> And I think that the real question is how can I configure Guacamole to see
> if the user exists in RADIUS, then go back to MySQL
>

I'm not sure if this is related to the other conversation on the list, but
as was suggested on the other thread you might try renaming the modules
such that RADIUS is loaded and evaluated, first, and then create
connections and assign permissions in the JDBC module.

Please note that the RADIUS module does not really have any User Group
support at the moment, so based on the way that 1.0.0 handles group
membership and permissions you will not be able to assign permissions to
JDBC groups and have those permissions apply to users who log in with
RADIUS.  This will likely get addressed in the future, but that's how it
works in 1.0.0.

-Nick


Re: Add an extra button to the Authentication Page

2019-02-20 Thread Nick Couchman
On Mon, Feb 18, 2019 at 8:48 AM Dennis Hoffmann 
wrote:

> Hi,
>
> I want to add an extra button to the custom authentication page.
> If a user clicks on that button I want to catch this event in my extension
> and execute some code.
> Should I add this button to my HTML template file? If the answer is yes:
> how can I catch this event in my code?
>
>
For adding a button, I'd suggest you make this part of your extension and
just add the HTML and AngularJS code into your extension.  You can update
the existing HTML using the  tags, as documented here:

http://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-patch-html

You'll need to implement both the HTML template and also the AngularJS code
to fire off something to your extension when the new button is clicked.
Depending on how the extension is written, you could have your extension
listen on a REST endpoint:

http://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-rest-resources

This is implemented by overriding the getResource() method in either the
AuthenticationProvider implementing class or in the UserContext
implementation, and having that return an object that implements the
required REST handlers for talking to the AngularJS app.  You could then
call these REST endpoints from the AngularJS code.

-Nick


Re: Guacamole missdrawing UI elements

2019-02-20 Thread Nick Couchman
On Mon, Feb 18, 2019 at 6:34 AM AlexC_  wrote:

> Hi!
>
> I've been running into problems making Guacamole properly draw UI elements
> on certain programs. Right after refreshing the page everything looks fine,
> but when any given UI element leaves the screen or is hidden it stops
> drawing entirely until you refresh the page again. Here's a screenshot of
> the problem:
>
> <
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t834/guacamole1.png>
>
>
> Where the buttons on the left are the ones properly drawn and the ones on
> the right are missing the black border after opening one of the dropdown
> menus.
>
> As for technical info this is the latest version of ENVI, made by Harris
> Geospatial Solutions and running on a Debian 8 machine. Guacamole is at
> version 1.0.0 and running on a server with PHP7.1 and Tomcat 8.
>
> The closest problem I managed to find was
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/353c7465/ ,
> but after enabling most of the environment variables listed at the end of the
> thread I haven't managed to fix it.
>
> Does anyone have some pointers on what could be the cause of the problem? Thanks
> for your time!
>
>
What protocol are you using in Guacamole to connect to the remote system?
Presumably either VNC or RDP (with XRDP)?  Have you tried messing around
with any of the options for either of those protocols that control screen
drawing?  Some of them are available in Guacamole.  Also, presumably this
works fine with either a standard RDP or VNC client, and you're only
experiencing issues in Guacamole?

Also, have you monitored performance and resource utilization on the
Guacamole server, both for Tomcat and guacd?

-Nick


Re: Guacamole URL ReWrite

2019-03-14 Thread Nick Couchman
On Wed, Mar 13, 2019 at 3:46 PM sciUser 
wrote:

> Hello,
>
> I am looking for documentation (Not extension) on rewriting the session url
> so that the token or username password are removed and a /mysubhere is
> placed.


Depending on what you're really trying to accomplish, the stock Guacamole
Client already does this.  If you use the client (without modifications),
you'll see that the web application that loads in your browser just has
/guacamole/#/ on it, and then /guacamole/#/client/ when you
access a client, etc.  All of the calls that actually contain parameters
are done in the background, hidden from the user.  It isn't that you can't
see them at all - if you open the Developer Console and watch all of the
network traffic you will see them - but the user doesn't normally see them.

If you're trying to get rid of the ?token= piece entirely from all of the
REST API calls, this isn't possible without significant code modification -
the back-end Java application has to have some way of identifying the
client making the request, and that's currently implemented by a POST call
to /api/tokens with the username and password, and then subsequent calls
with the ?token= parameter on the REST API endpoints.  In order to
completely get rid of the ?token= on the REST API calls you would have to
completely rewrite both the front-end JavaScript and back-end Java code to
use something other than that token to identify the session (cookies,
perhaps).


>
> I would need to see code examples.
>

Depending on what you're trying to do (see above), the Guacamole Client
already behaves this way, by running a web application in the browser that
handles all of the API calls internally, hiding them from the user.


>
> Currently we get username password passed in for autologin but like to hide
> that.
>

As I have mentioned repeatedly, you do not have to do a GET call with
?username=username=password - you can POST to the /api/tokens
endpoint to obtain the token.  Thus, username and password will not be part
of any URLs.  You'll still have to deal with the token parameter
requirement, as noted above.

-Nick


Re: ctrl-alt-del in rdp

2019-03-14 Thread Nick Couchman
On Thu, Mar 14, 2019 at 9:53 AM Not Speedy  wrote:

> oh thanks. I'll try that from a standard keyboard.  The issue I'm hitting
> is with chromebooks. Chromebooks  don't have a standard keyboard. They
> don't have an insert,del,home,page up, page down, etc
>
>
Ah, that makes sense.  You can file a JIRA issue for adding the Hot Key
sequence to the Guacamole Menu, that makes sense in these situations.

-Nick


Re: could an option to show-or-not the password entry field for authentication be implemented

2019-03-14 Thread Nick Couchman
On Thu, Mar 14, 2019 at 12:32 PM brian mullan 
wrote:

> This is just a feature request.
>
> When entering the information into the Connection configuration form.
>
> I want to just enter:
>
> Username:   ${GUAC_ADMIN}
> Password:${GUAC_PASSWORD}
>
> As you know, when entering the password field though, it (by default)
> puts "*" for each character you type for security reasons.
>
> However, as good a typist as I am, I still make a mistake sometimes BUT
> because
> all the characters are "*"
>
> I don't know it until later when someone tries to actually login and it
> fails because
> I typed something like:
>
> Password:   ${GUAC_PASDWORD}  instead of ${GUAC_PASSWORD}
>
> could there be a small selection check-box the admin could check, put next
> to that field, to "Show Entry" so while you are typing or afterward you
> could verify that what you typed is:
>
>   Password:   ${GUAC_PASSWORD}   ??
>
>
This already exists - next to the password field is a little padlock icon -
if you click that it will switch the password field to plain text.

-Nick

>


Re: OpenID Connect + JDBC

2019-03-14 Thread Nick Couchman
On Thu, Mar 14, 2019 at 14:48 Jim  wrote:

> Since OpenID connect only handles authentication and not associated
> connections, I'm working on providing OpenID users with their related
> connections. My question is: what database entries that map to the OpenID
> user are required to assign a connection to an OpenID Connect User? I
> assume
> a "guacamole_entity" entry with the corresponding email/username is
> required, but what about a "guacamole_user" entry?


You'll need both an entity and a user - basically the user account from
OpenID needs to match the account (username) in the database, and then the
permissions assigned to the DB user will be applied.  The entry in the user
table will require the entry in the entity table.

-Nick
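
Provisioning such a database-side user row (for an OpenID, RADIUS or other externally authenticated account, as discussed in this thread and in the RADIUS/MySQL thread above) means the JDBC module still needs a password on the row, and it should be a random one nobody knows. As an added example (not code from the thread or from the Guacamole project), this Python script generates the random password, salt and hash and emits parameterized SQL for the guacamole_entity and guacamole_user tables named above; the column names (entity_id, name, type, password_hash, password_salt, password_date) and the hash construction (SHA-256 over the password followed by the uppercase hex of a 32-byte salt) are assumptions about the JDBC schema that you should check against your schema version.

```python
import hashlib
import secrets


def random_password(nbytes: int = 32) -> str:
    """A throwaway password: it exists only so the row never has an
    empty or guessable password that the JDBC module would accept."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed JDBC-module convention: SHA-256(password || HEX(salt)),
    where HEX() is uppercase, as MySQL's HEX() returns it."""
    digest = hashlib.sha256()
    digest.update(password.encode("utf-8"))
    digest.update(salt.hex().upper().encode("utf-8"))
    return digest.digest()


def verify_password(password: str, salt: bytes, expected_hash: bytes) -> bool:
    """Constant-time comparison, the way a login check should compare."""
    return secrets.compare_digest(hash_password(password, salt), expected_hash)


def provision_external_user(username: str) -> list:
    """Return [(sql, params), ...] creating the entity and user rows for a
    username that is authenticated elsewhere (OpenID, RADIUS, ...).

    The statements are parameterized (%s placeholders, as used by the
    MySQL Connector/Python and PyMySQL drivers) so the username is never
    spliced into the SQL text. Nothing is executed here; pass the pairs
    to cursor.execute() inside one transaction.
    """
    if not username or "\0" in username:
        raise ValueError("invalid username")
    salt = secrets.token_bytes(32)              # 32-byte random salt
    password_hash = hash_password(random_password(), salt)
    # The clear-text password is deliberately dropped: it is never needed.
    return [
        ("INSERT INTO guacamole_entity (name, type) VALUES (%s, 'USER')",
         (username,)),
        ("INSERT INTO guacamole_user "
         "(entity_id, password_hash, password_salt, password_date) "
         "SELECT entity_id, %s, %s, NOW() FROM guacamole_entity "
         "WHERE name = %s AND type = 'USER'",
         (password_hash, salt, username)),
    ]


if __name__ == "__main__":
    # Constructed sample username; replace with the account name your
    # identity provider presents, which must match exactly.
    for sql, params in provision_external_user("alice@example.com"):
        print(sql, [p.hex() if isinstance(p, bytes) else p for p in params])
```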


Re: guacd not starting on boot

2019-03-10 Thread Nick Couchman
On Sun, Mar 10, 2019 at 8:07 PM Robert Dinse  wrote:

>
>   I have guacd installed, built with the --with-systemd flag and it
> does
> not install a systemd file but an initd file which systemd recognizes and
> says it installs however, while systemctl start guacd works fine and
> systemctl enable guacd indicates it did the right thing, it does not start
> upon boot, I have to manually start it.  Because some of the things it uses
> are on NFS partitions, I suspect it's trying to start before NFS is up and
> failing.
>
>
A couple of notes:
- The "--with-systemd" flag is not valid.  The flag is
"--with-systemd-dir=", where directory is the location where
you'd like the systemd files installed.  Can you please verify if that's
the flag you're using, and if you're specifying a directory, like
/etc/systemd/system or /usr/lib/systemd/system?
- Have you tried removing the initd file, reloading systemd (systemctl
daemon-reload) and seeing if the systemd unit then references the unit file
(assuming it's actually being installed)?
- If you have guacd running in a situation where NFS is required for guacd
to start you're going to have to make some modifications to either the
initd script or the systemd script.  It sounds like, in this case, that the
issue is not with either the guacd initd or systemd files, but with a
customized environment you have.  That's fine - we certainly don't expect
every environment to follow the ones we're used to; however, you may have
to do a little tweaking to the scripts to make them wait for NFS to be up
before starting guacd, if guacd is on a NFS share.  I would suspect even if
you get the systemd script to install that you'll still have the same
issue, because the standard systemd unit file we provide does not require
NFS to be up.  Fortunately, those changes should be relatively trivial to
either the initd script or the systemd unit file.

-Nick


Re: guacd not starting on boot

2019-03-11 Thread Nick Couchman
On Sun, Mar 10, 2019 at 11:04 PM Robert Dinse  wrote:

>
>   Ok, rebuilt with the correct --with-systemd-dir=/lib/systemd/system
> and
> now I had more problems.  Launched out of init.d it ran as root, launched
> out
> of systemd, the unit file it created has User=daemon so it runs as daemon.
> Problem with that is only root has access to /var/run and to the
> encryption key
> file so I changed it back to root despite that being less secure.
>

Or you could change permissions on the files so that the daemon user has
access to them.  For the encryption key, this should be pretty
straight-forward:

chown daemon /path/to/encryption/key

For /var/run, I'm not sure why the daemon user would need access to that
directory?  I suppose it could if you're adding "-p /var/run/guacd.pid" to
the command line or specifying a PID file in the guacd configuration, but
by default there are no requirements for this.  Furthermore, with systemd
in particular, I'm not sure that there's much value to having it generate a
PID - systemd runs things in the foreground by default and manages tracking
the PID of the daemon, so there's really not much you'd need the PID file
for.

If you do want that PID file in /var/run, for whatever reason, in most
distributions that run systemd /var/run is managed by tmpfilesd, and can be
configured by adding the appropriate file to /etc/tmpfiles.d with the files
and/or directories and the required ownership and permissions.


>
>   Lastly it still failed because it tried to start before /misc was
> mounted
> which is where the key file was so I modified the unit file line:
>
> After=network.target
>
> to:
>
> After=network.target misc.mount
>
>  /misc is the file system where I have the encryption certs and keys.
>
>  Now it starts properly after a reboot.  Downside, as with when it ran
> out of /etc/init.d, it is running as root which from a security perspective
> is undesirable.
>

But, this is your choice, not a requirement - you've changed it from daemon
to root to resolve other issues that should be resolved with either a chown
(or ACLs) and proper configuration.


>
>  What guacd should have is an item that goes into guacd.conf for user
> and
> group so it can start as root, write the pid file and read the necessary
> cert and key files, and then switch to said user and group just like Apache
> httpd and tomcat do.
>

httpd does this, Tomcat does not.  Tomcat is started by the startup.sh
script, and that script must be run under the account that you want running
Tomcat.  Tomcat does not implement user context switching at startup, and
should (IMHO) *never* be started as root.


>
>  Then it could be both secure and functional.
>

There may be some value to looking into doing this - having the initial
user be root and then switch to another user - but please understand that
it is not required to make guacd both "secure and functional" as it is
implemented today.  There is no reason at all that you cannot set
permissions on all of the required items - GUACAMOLE_HOME (/etc/guacamole),
encryption keys and certificates, and the necessary /var/run entries - to
the user specified in either the init script or the systemd file (+
tmpfiles.d) so that guacd runs under a non-root account.  You don't have to
use the daemon user if you don't want to - this was a convenient default
for the systemd unit file when we added it - you can create a separate user
for guacamole (I often use "guac") and change permissions to that user
along with the systemd script, and you will be able to operate in both a
"secure and functional" fashion.

Furthermore, there are other methods you could use to protect guacd and the
required files, like chroot jails or Docker containers.  Docker is already
available, and, while chroot jails are not implemented by default, the
requirements for guacd are reasonably simple enough that it should be
doable with minimal effort.

The point here is that, while there may be some value to having guacd start
under root and switch internally, there's no reason you have to do this in
order to make guacd function and function securely.

-Nick


Re: guacd not starting on boot

2019-03-11 Thread Nick Couchman
On Mon, Mar 11, 2019 at 7:37 AM Robert Dinse  wrote:

>
>   /var/run is a tempfs file system and recreated at each boot so
> changing
> the perms on it are gone on the next boot.  As for the encryption key, lots
> of things run as daemon, I don't want them all having access to the key.
>

Yes.  I addressed both of these issues in my previous e-mail:
- /var/run is managed by tmpfilesd on most systems where it is completely
temporary and that also run systemd.  So, you can put rules into
/etc/tmpfiles.d that create these files for you.
- You do not have to use the "daemon" user.  It was a convenient default
for the purposes of creating and distributing the systemd unit file, but
you can run guacd under any user account that you like.  Again, as already
mentioned, I generally create a "guac" user account and run both Tomcat and
guacd under that user account. This way I can 1) make sure neither guacd nor
Tomcat are running as root, and 2) that both have the necessary access to
the files and folders under /etc/guacamole that define the configuration
for Guacamole, including sensitive information like certificates/keys,
database username/password, etc.


>
>At any rate, that's my suggestion for functionality.
>

Appreciated.  You're welcome to file a feature request in JIRA for this and
see where it goes.  The point is, it isn't required to get where you want
to go.


>
>I still have some other issues to work out but they're with my hosts
> not with guacamole.  I have sound working on debian and mint.  Have not
> been
> able to get it to work on ubuntu yet nor on any redhat derived system, I
> get
> connection refused from the pulseaudio port on those machines even after
> adding
> the suggested configuration change to /etc/pulse/default.pa.
>
>
RedHat has firewalld enabled and active by default, I believe, so it's
possible that's blocking something.  Not sure about Ubuntu.

-Nick
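To make the two checks from this thread repeatable, here is an added Python example (not Guacamole project code and not from either poster) that audits a guacd unit for running as root and for starting before the file system holding the key is mounted, then renders the drop-in and tmpfiles.d entry that address both; the sample unit, the /misc mount and the "guac" account are constructed for illustration.

```python
"""Audit a guacd systemd unit for the two problems discussed in this thread
(running as root, and starting before the file system holding the TLS key
is mounted) and render the drop-in and tmpfiles.d entry that fix them.
Added example, not Guacamole project code; the sample unit, the /misc mount
and the 'guac' account are constructed for illustration."""
from pathlib import PurePosixPath

# Constructed sample: a stock-style guacd unit switched back to root.
SAMPLE_UNIT = """\
[Unit]
Description=Guacamole proxy daemon
After=network.target

[Service]
User=root
ExecStart=/usr/local/sbin/guacd -f
"""


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; systemd allows repeated
    keys, and a drop-in appended after the base unit overrides single-value keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return sections


def mount_for(path, mount_points):
    """Return the deepest mount point (other than '/') containing path, or None."""
    target = PurePosixPath(path)
    best = None
    for mp in (PurePosixPath(m) for m in mount_points):
        if mp == PurePosixPath("/") or (mp != target and mp not in target.parents):
            continue
        if best is None or len(mp.parts) > len(best.parts):
            best = mp
    return str(best) if best else None


def mount_unit_name(mount_point):
    """Mount point -> mount unit name, e.g. /misc -> misc.mount (simplified; the
    full escaping rules are those of systemd-escape --path)."""
    return mount_point.strip("/").replace("-", "\\x2d").replace("/", "-") + ".mount"


def audit_unit(text, key_paths, mount_points):
    """Return a list of findings for the unit (an empty list means it passes)."""
    unit = parse_unit(text)
    findings = []
    user = unit.get("Service", {}).get("User", ["root"])[-1]
    if user == "root":
        findings.append("Service runs as root; set User= to a dedicated account "
                        "and chown the key and GUACAMOLE_HOME files to it")
    ordered = set()
    for key in ("After", "Requires", "RequiresMountsFor"):
        for value in unit.get("Unit", {}).get(key, []):
            ordered.update(value.split())
    for path in key_paths:
        mp = mount_for(path, mount_points)
        if mp and mp not in ordered and mount_unit_name(mp) not in ordered:
            findings.append(f"{path} lives on {mp} but the unit is not ordered after "
                            f"{mount_unit_name(mp)}; add RequiresMountsFor={mp}")
    return findings


def render_override(user, group, key_paths, mount_points):
    """Drop-in text for /etc/systemd/system/guacd.service.d/override.conf."""
    mounts = sorted({m for m in (mount_for(p, mount_points) for p in key_paths) if m})
    lines = ["[Unit]"]
    if mounts:
        lines.append("RequiresMountsFor=" + " ".join(mounts))
    lines += ["", "[Service]", f"User={user}", f"Group={group}"]
    return "\n".join(lines) + "\n"


def render_tmpfiles(user, group, run_dir="/run/guacd"):
    """tmpfiles.d line creating the PID directory at boot (e.g. /etc/tmpfiles.d/guacd.conf)."""
    return f"d {run_dir} 0750 {user} {group} -\n"
```

RuntimeDirectory=guacd in the [Service] section is systemd's own alternative to the tmpfiles.d line for the PID directory.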


Re: Guacamole Interface Blank Page

2019-03-07 Thread Nick Couchman
On Thu, Mar 7, 2019 at 5:48 AM Mike Jumper  wrote:

> On Thu, Mar 7, 2019, 02:43 Kamal Ezzaki  wrote:
>
>> *Hello after i restart my centos server i get a blank Page and when i
>> check out my log files i have ths error : *
>> *Mar  7 05:42:16 localhost server: 05:42:16.838 [http-bio-8080-exec-3]
>> ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:Mar  7
>> 05:42:16 localhost server: ### Error querying database.  Cause:
>> com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link
>> failure*
>>
>
> Double check that the network details for your database server in
> guacamole.properties are correct.
>
> Assuming they are, I recommend checking your SELinux audit logs. Tomcat
> may be being denied network access to MySQL.
>
>
Or, if this was right after you restarted your system, make sure that MySQL
is starting up and is set to start on boot.

-Nick


Re: The RDP virtual drive

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 9:26 AM Kamal Ezzaki  wrote:

> So the real job of the virtual drive is to save uploaded files just in
> the guacamole server not in the machine that I'm connected to ?
>

No, I would not say that - I would say that the storage for the virtual
drive is done by guacd, and that the purpose of it is to facilitate file
transfer between the Guacamole web application (open in the browser) and
the remote/target system.  However, it does not provide a method for
accessing the folders and/or files outside of the Guacamole web application
- so, unless you specifically share it with another protocol, like WebDAV
or CIFS, you cannot go to Windows Explorer or a terminal on your client
system and access the files.  You can see/access them from your client
through the web interface (see attached screenshot), but not via Windows
Explorer.

-Nick


Re: The RDP virtual drive

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 8:50 AM Kamal Ezzaki  wrote:

>
> [image: 8.PNG]
>
> [image: 4.PNG]
>

So, are you trying to get to that folder from your client system, where
you're accessing Guacamole from a web browser?

-Nick


Re: The RDP virtual drive

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 9:12 AM Kamal Ezzaki  wrote:

> Yes and I'm trying to get access to these files from a windows machine but
> I can't find the virtual drive
>

You'll need to share that folder/drive from the system running guacd.
Guacamole provides the shared drive on the RDP side and the file
upload/download through the menu, but does not provide any additional
access to those files outside of those methods.  So, you'll need to share
it with some other protocol - WebDAV, SMB/CIFS, etc. - if you want to
access it outside of the RDP connection or the Guacamole menu.

-Nick


Re: HIDE LOGIN PROCEDURE IN RDP

2019-03-07 Thread Nick Couchman
On Thu, Mar 7, 2019 at 2:49 PM Amarjeet Singh  wrote:

> I mean to hide the windows rdp login not guacamole login.
> I want to show loading or connecting dialog box till windows rdp login
> completes.
> Ready event is the event which will be generated when windows login will
> be completed.
> As of now it can be generated when any static virtual channel is ready
> example...
> Device redirection tell us that user has logged on and we can generate
> ready event based on that
>
>
It sounds like you've figured out a way to do it.  I'm not sure I see the
point in it, at least in trying to put it into the main Guacamole code, as
I don't find the Windows Logon screen terribly bothersome, and I would
argue that people would rather know that the login is proceeding and where
the process is than to have it hidden behind a "Connecting to Guacamole"
dialog box for the amount of time it takes to establish the session and log
in.  That's just my personal feeling, though.

If we were going to make the change, however, I would argue that Device
Redirection is an unreliable way of accomplishing this.  What if the user
isn't redirecting any devices?  What if they're trying, but it isn't
allowed by the remote server?  What if it fails?

I guess my bottom-line question is: why do this?  What's the point of
hiding the Windows login screen?  Why does it matter, and is it really
worth the trouble of trying to figure out some way to determine when
Windows is logged in?  Maybe others on the list have opinions on this?

-Nick


Re: deactivate TOTP on user

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 5:39 AM Christian Kraus 
wrote:

> Hi,
>
>
> Is there a way to deactivate TOTP for a user after it was enabled (through
> password change, or administrator rights) ?
>
>
>
I don't know that there's currently a way within the web interface.  If you
want to disable it for a particular user you'll have to remove the
attributes within the "guacamole_user_attributes" table for that particular
user.  If you want to disable it altogether just remove the TOTP module
from the extensions folder.

-Nick


Re: MariaDB or driver update might break guacamole

2019-03-19 Thread Nick Couchman
On Sat, Mar 16, 2019 at 1:31 PM Not Speedy  wrote:

> this is more of an FYI. I updated my system today and guacamole broke.  I
> noticed this in my tomcat logs..
> Cause: java.sql.SQLException: The server time zone value 'CDT' is
> unrecognized or represents more than one time zone. You must configure
> either the server or JDBC driver (via the serverTimezone configuration
> property).
>
> To get around this, I set the global timezone to match the timezone on the
> server.
>
>  (confirm path of your OS timezone info)
> mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root MySQL
>
> then connect to instance and
> SET GLOBAL time_zone = America/Chicago;
>
> I don't know if this is a bug with the db or driver. it could be an
> intentional change. If its intentional, it might be handy to add a
> connection string option to guacamole.properties to handle this.
>

It seems like several different languages and systems have started warning
about unreliable guessing of timezones.  PHP did this a while back, and
you're supposed to either set it at a system level or within the code.  So,
not terribly surprising that it's making its way into other places, too.

If you want to you can enter a feature request (or maybe minor bug?) for
this in the Guacamole JIRA instance so we can track getting that added.
Probably worth taking a look at the other DBs and seeing if they need it
added, as well.

-Nick


Re: SQL Server incoming request has too many parameters

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 3:14 AM Kok Hooi Chew  wrote:

> Sorry for the small image earlier on
> [image: image.png]
>
>
Depending on where you're copying and pasting from, the actual text, rather
than an image of it, might be more useful in the future :-).

Regarding the issue you're seeing, it looks like there is a SQL Server
limitation of 2100 parameters:

https://blogs.msdn.microsoft.com/emeadaxsupport/2009/09/01/how-to-fix-sql-error-too-many-parameters-were-provided-in-this-rpc-request/

So it looks like this probably merits a bug report on the Guacamole JIRA
page, and we'll have to figure out how to break up requests and results
within the SQL Server driver into chunks.



-Nick


Re: Guacamole and Terminalserver Printing

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 3:29 AM Martin Herold 
wrote:

> It seems to be a printing issue. Do I have to change configuration on the
> terminalserver GPOs about printer handling?
> The terminalserver should create a guacamole-printer each time somebody
> logged in and it should delete that printer the user logged out. Right?
>
>
I'm a little unclear what the issue you're experiencing is - I'm guessing
one of the following:
- Printing was working fine with terminal services and regular printers
configured on the terminal server, but now you're trying to pass through
printers from Guacamole, and that's not working?
- Printing was working fine being passed through from traditional RDP
clients, but is not working from Guacamole?
- Printing is working, but there's just a lot of extra messages in the logs?

There may indeed be some GPO changes that have to be made depending on what
the policy is for redirecting devices, but it would be useful to know what
behavior you're seeing.

-Nick


Re: deactivate TOTP on user

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 8:46 PM Fertig, Brian 
wrote:

> Nick,
>
>
>
> Is it possible to setup a way in the GUI to allow us to reset the TOTP in
> the event it needs done?  How can we request this?
>
>
>

It could definitely be implemented, yes - I'm going to go with my favorite
catch phrase of the evening (apparently): add a feature request to JIRA :-).

https://issues.apache.org/jira/projects/GUACAMOLE

-Nick


Re: LDAP Questions

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 12:01 PM Fertig, Brian 
wrote:

> Nico,
>
> I am trying the latter.  When a user is trying to log into Guac I want that
> users credentials presented to AD to see if they can.  If they can then
> allow them to login.  At least based on the documentation I assume this is
> how I have it setup.
>
>
Part of the issue you're running into is that the LDAP authentication
module is a bit limited.  There's actually a JIRA issue already out there
that seeks to loosen up the restrictions a bit, but it hasn't been worked,
yet:

https://issues.apache.org/jira/browse/GUACAMOLE-536

Basically, right now there are two modes of authentication:
- Search & Bind: You specify a bind DN for an account to search the
directory, Guacamole searches LDAP for the user that tries to bind as the
user that has been located within the tree.  So, if you specify, in your
guacamole.properties file, ldap-search-bind-dn of
"cn=search,ou=accounts,dc=example,dc=com", and you try to log in as
"testuser", Guacamole will first bind as the cn=search user, search for
"testuser", assuming testuser is found (say,
cn=testuser,ou=users,dc=example,dc=com), Guacamole will re-bind as the
cn=testuser account using the password specified.
- Derive DN: You don't specify the ldap-search-bind-dn, but you do specify
ldap-user-base-dn as "ou=users,dc=example,dc=com", then Guacamole derives
the DN as cn=<username>,ou=users,dc=example,dc=com and attempts to bind
with that password.  Using the "testuser" account from before, Guacamole
would derive the DN to cn=testuser,ou=users,dc=example,dc=com, and then use
the provided password to bind.  This mode is really only useful in the
situation where you have a flat directory tree where all users (or at least
all users that are going to be logging in to Guacamole) are found in the
same OU.  You can simulate this within your LDAP tree by creating account
aliases within a particular OU (ou=Guacamole_Users,dc=example,dc=com) and
allowing the Guacamole module to dereference aliases.

The JIRA issue above deals specifically with Active Directory-style
authentication, where the directory allows you to bind with
<username>@<domain> (e.g. testu...@example.com).  Hopefully that'll get
added at some point, when we have time to work on it.

Hopefully this helps.

-Nick
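As an added illustration (not Guacamole's own code), the two modes described above simulated in Python against a constructed in-memory directory, including the RFC 4514 DN escaping and RFC 4515 filter escaping a client needs so that a username such as "evil,ou=admins" cannot reposition the derived DN and "*" cannot act as a wildcard in the search; the entries, passwords and the search account are constructed.

```python
"""Search-and-bind vs. derive-DN LDAP authentication, simulated against a
constructed in-memory directory.  Added example, not Guacamole project code."""
import re
import secrets

# Constructed directory: DN (lower-cased) -> attributes.
DIRECTORY = {
    "cn=search,ou=accounts,dc=example,dc=com": {"cn": "search", "userPassword": "s3arch-pw"},
    "cn=testuser,ou=users,dc=example,dc=com": {"cn": "testuser", "userPassword": "hunter2"},
}
SEARCH_BIND_DN = "cn=search,ou=accounts,dc=example,dc=com"   # ldap-search-bind-dn
USER_BASE_DN = "ou=users,dc=example,dc=com"                  # ldap-user-base-dn


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def derive_dn(username: str, base_dn: str = USER_BASE_DN, attr: str = "cn") -> str:
    """Derive-DN mode: cn=<username>,<ldap-user-base-dn>, with the value escaped."""
    return f"{attr}={escape_dn_value(username)},{base_dn}"


def build_filter(attr: str, username: str) -> str:
    """The equality filter a search-and-bind client sends, e.g. (cn=testuser)."""
    return f"({attr}={escape_filter_value(username)})"


def bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only for a known DN with the right password."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and secrets.compare_digest(entry["userPassword"], password)


def search(base_dn: str, filt: str) -> list:
    """Simulated subtree search for an equality filter '(attr=value)' under base_dn.
    The escaped value is decoded, so an escaped '*' matches only a literal '*'."""
    attr, _, escaped = filt[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), escaped)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and entry.get(attr) == value]


def derive_dn_login(username: str, password: str):
    """Derive-DN mode: build the DN and bind with the user's own password."""
    dn = derive_dn(username)
    return dn if bind(dn, password) else None


def search_bind_login(username: str, password: str, search_password: str,
                      base_dn: str = "dc=example,dc=com"):
    """Search-and-bind mode: bind as the search account, locate the user,
    then re-bind as the located DN with the user's password."""
    if not bind(SEARCH_BIND_DN, search_password):
        return None                      # search account misconfigured
    matches = search(base_dn, build_filter("cn", username))
    if len(matches) != 1:
        return None                      # unknown or ambiguous user: refuse
    return matches[0] if bind(matches[0], password) else None
```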


Re: LDAP Questions

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 8:45 PM Fertig, Brian 
wrote:

> Thanks Nick.  I ended up creating a service account and letting it roll.
> I vaguely remember this config a year ago when I set it up before.  I’ve
> got TOTP, MySQL, and LDAP setup.  It's humming.  Thanks!
>
>
>
Yeah, service account is what I do, as well.  In the future it'd be nice to
be able to do the <username>@<domain> authentication model, but service
account does the job, for now.

-Nick


Re: Setting up HTTP header authentication

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 7:56 PM Dmitry Katsubo  wrote:

> Dear Guacamole community,
>
> I have difficulties with setting up HTTP header authenticator. I have read
> the manual ([1]) but I still cannot make it working.
>
> First of all I am not sure if I should set "auth-provider" property in
> /etc/guacamole/guacamole.properties, e.g. do I need to add:
>
> auth-provider:
> org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider
>

No, you do not need this - this option has been completely removed from the
code and has no effect.


>
> ?
>
> If I leave it unset, I get the following log:
>
> 20:38:21.077 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule
> - Loading extension: "guacamole-auth-header-1.0.0.jar"
> 20:38:21.708 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule
> - Extension "HTTP Header Authentication Extension" loaded.
> 20:38:21.914 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule
> - Binding AuthenticationProvider
> "org.apache.guacamole.auth.file.FileAuthenticationProvider".
> ...
> 20:38:35.919 [http-nio-127.0.0.1-8080-exec-5] INFO
> o.a.g.r.auth.AuthenticationService - User "admin" successfully
> authenticated from [10.14.1.22, 127.0.0.1].
> 20:38:35.922 [http-nio-127.0.0.1-8080-exec-5] DEBUG
> o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file:
> "/etc/guacamole/user-mapping.xml"
> 20:38:35.949 [http-nio-127.0.0.1-8080-exec-5] DEBUG
> o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
>

This is good - it indicates that the HEADER module is installed correctly,
loading, and functioning.


>
> and after I open Guacamole I see "admin" user name in right top corner
> (hence HTTP header authenticator worked OK), but I am not automatically
> connected to the server. I suppose I need to add an entry
> to /etc/guacamole/user-mapping.xml, so I did:
>
> 
> 
> 
> vnc
> vncserver
> 5901
> secret
> UTF-8
> 
> 
> 
>
> but that does not help (same result after restarting Tomcat). What I want
> to achieve is that authenticated user is automatically connected to VNC
> server.
>

This is where I get a little fuzzy - it's been quite a while since I
actually used the file authentication module for much of anything.  I
believe there may be some limitations to the stacking done with that module
- that is, I don't know that the file authentication module actually
recognizes the user accounts as authenticated from other modules.  I'm not
saying for certain that it doesn't, just that there's some distant memory I
have that maybe that module doesn't work that way, and that connections
specified in the File provider will not necessarily be available to users
authenticated through other modules.

You say that you don't get automatically connected to the VNC server - do
you see the connection at all on the home screen?  Or is it a blank screen,
with no connections?

My suggestion would be to use the JDBC module to store connections.  It
requires a little bit of extra work and a few extra resources to configure,
but definitely works with the other modules and also gives you some
flexibility in permission management among users.


>
> Another note concerning the structure of user-mapping.xml. [2] reads the
> following:
>
>   Each user is specified with a corresponding <authorize> tag. This tag
> contains all authorized connections for that user, each denoted with a
> <connection> tag.
>
> however one page before it provides an example where <authorize> tag not
> necessarily contains <connection>:
>
> 
> vnc
> localhost
> 5900
> VNCPASS
> 
>
> So what is the rule: should <authorize> contain <connection> tags or can
> it also describe one connection?
>

The File provider handles both cases - either the single connection
specified within the <authorize> context, or multiple
connections specified within their own <connection> contexts.

-Nick


Re: How to handle groups from openid?

2019-03-19 Thread Nick Couchman
On Mon, Mar 18, 2019 at 10:08 PM thebetterjort 
wrote:

> Mike,
>
>   I wish I could be more help. This is the only thing I have written
> involving groups.
> https://github.com/httpsOmkar/keycloak-hasura-connector
>
>
No worries - you're welcome to put in a feature request on the JIRA page
for this.  I've thought about adding similar capability to the CAS module,
since it can retrieve arbitrary parameters, like Group Membership, from
whatever backend it's authenticating against, and pass those through.

https://issues.apache.org/jira/projects/GUACAMOLE

-Nick


Re: Screen Record re-encode

2019-03-19 Thread Nick Couchman
On Tue, Mar 19, 2019 at 2:28 PM sciUser 
wrote:

> I am playing around with the screen recording, that is fine it generate the
> file to the path I want it, but when making the file in to a m4v video I
> get
> this error>
>
> WARNING: Layer index out of bounds: -1
>
>
I can't remember off the top of my head, but I think this was an issue
resolved in 1.0.0.

-Nick


Re: Correct Syntax for Curl

2019-03-14 Thread Nick Couchman
On Thu, Mar 14, 2019 at 18:57 sciUser  wrote:

> Anyone know the correct syntax for curl syntax to generate a token for a
> user?


https://davidwalsh.name/curl-post-file

curl -X POST -F 'username=guacuser' -F 'password=password'
https://example.com/guacamole/api/tokens

(I haven't actually tried it, just a guess at this point.)

-Nick


Re: ctrl-alt-del in rdp

2019-03-13 Thread Nick Couchman
On Wed, Mar 13, 2019 at 17:56 Not Speedy  wrote:

> Would it be possible to send the ctrl-alt-del combo through the
> shift-ctrl-alt menu?  I'm currently testing guacamole, and it appears that
> user can't change their passwords through other means.  for example,
> windows 10 will instruct the user to use the key combo, and doesn't appear
> to offer any other means.  enabling the windows on-screen keyboard is a
> work around, but its cumbersome for the general office population.
> supporting/talking them through it is not easy either!
>

In 1.0.0 we added Ctrl-Alt-End, which matches the key sequence that several
other RDP clients use.

-Nick


Re: extend guacamole mysql connection table?

2019-03-09 Thread Nick Couchman
On Sat, Mar 9, 2019 at 2:57 PM jacksonp  wrote:

> We would like to add a custom field to the connection table to store an
> additional attribute of the device we are connecting to.  Is there a best
> practice or recommendation for this so we don't break something down the
> road?
>

It kind of depends on what you're trying to do - more detail might help to
determine that - but the best way to do this (in my opinion) would be to
create a custom extension that decorates the connections, and uses the
ability of the JDBC module to store arbitrary attributes.  An example of
this in practice is the TOTP extension, which decorates User objects from
the database, storing the relevant TOTP information in the
guacamole_user_attribute table.  I've also written a Wake-on-LAN extension
(currently has a pull request) that decorates Connection objects, storing
the MAC address in the guacamole_connection_attribute table.  You can do
similar things for user groups and connection groups.

Using this method would definitely help prevent breaking something down the
road, as you're working within the schema defined in the database and not
modifying it, which has a higher risk of being broken or overridden by
future changes to the database schema.

-Nick


Re: extend guacamole mysql connection table?

2019-03-09 Thread Nick Couchman
On Sat, Mar 9, 2019 at 4:01 PM jacksonp  wrote:

> Thanks Nick, I want to store the vmware machine name and/or UUID we are
> connecting to with guac VNC.  I can then pull this field value and pass it
> to an ansible tower API to do automation tasks on the backend.
>
> Can you point me to some code where you did this?
>

Ah, yeah, very doable.  My WOL code is here:

https://github.com/necouchman/guacamole-client/tree/jira/513/extensions/guacamole-auth-wol

It's a little rough right now - has not been reviewed, yet, but it works
and I've been over it a few times trying to clean things up.  Let me know
if you have specific questions about the code - I've tried to make it as
simple as possible, but no doubt there's something in there that will cause
everyone to scratch their heads and go, "What was he thinking?!"

-Nick


Re: Guacamole Password settings

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 1:31 AM Christian Kraus 
wrote:

> Hi,
>
>
> are there any guacamole.properties settings to enforce/set password
> complexity with database authentication (postgres, mysql) ?
>
> I found https://jira.glyptodon.com/browse/GUAC-1546 but no description in
> Manual
>
>
>
>
This is documented in the manual, in the Database authentication section:

http://guacamole.apache.org/doc/gug/jdbc-auth.html

If you scroll down on that page to the section "Enforcing password
policies" you'll see the options that deal with password complexity with
the various databases that Guacamole supports.

-Nick


Re: Guacamole Password settings

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 6:14 AM Christian Kraus 
wrote:

> OMG sorry did not scroll to that section down
>
>
> so for Docker install the syntax should be for example ?
>
>
> -e mysql-user-password-min-length: 8
>
>
>
>
It doesn't look like the Docker startup script actually supports setting
those parameters at this point in time.  So, you'd need to, instead, create
your own GUACAMOLE_HOME directory with a guacamole.properties file and pass
that through as a volume to the Docker container.

Alternatively in 1.0.0 you can enable the property for having configuration
done via environment variables (
http://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup
- enable-environment-properties) and then you could do that with the
following option:

-e MYSQL_USER_PASSWORD_MIN_LENGTH=8

-Nick


Re: The RDP virtual drive

2019-03-08 Thread Nick Couchman
On Fri, Mar 8, 2019 at 5:17 AM Kamal Ezzaki  wrote:

> I'm sorry, I didn't get it. Where can I find the uploaded files? In
> Guacamole support it looks like this:
> [image: 6.PNG]
>

When you configured the Drive Path parameter in the Guacamole Connection,
where did you configure it to point?

-Nick


Re: Setting up HTTP header authentication

2019-03-21 Thread Nick Couchman
On Wed, Mar 20, 2019 at 6:24 PM Dmitry Katsubo  wrote:

> Thanks for reply.
>
> On 2019-03-20 01:26, Nick Couchman wrote:
>
> This is where I get a little fuzzy - it's been quite a while since I
> actually used the file authentication module for much of anything.  I
> believe there may be some limitations to the stacking done with that module
> - that is, I don't know that the file authentication module actually
> recognizes the user accounts as authenticated from other modules.  I'm not
> saying for certain that it doesn't, just that there's some distant memory I
> have that maybe that module doesn't work that way, and that connections
> specified in the File provider will not necessarily be available to users
> authenticated through other modules.
>
> That's why I decided to ask here in this maillist before I jump into the
> source code. As I see from the source code of header auth module, it only
> creates an instance of AuthenticatedUser hence there should be some other
> module in the chain that can pick up the user name from that object and
> create GuacamoleConfiguration and UserContext for it. In its turn file
> auth does not allow null password, see Authorization:181
> <https://github.com/apache/guacamole-client/blob/d1e928bea79ca81c827e9b6adedabc98eefdf701/guacamole/src/main/java/org/apache/guacamole/auth/file/Authorization.java#L181>
> hence this module will not deliver / populate connections for given user. I
> wonder how it is supposed to work?
>

I don't think that the not allowing of a null password is actually the
issue - I think the problem is that it just implements the
getAuthorizedConfigurations() method and not the authenticateUser() method,
which is what the other modules use to "stack" authentication.


> How does Guacamole decide in which order to call providers? If order is
> undefined, then I don't see any reasonable way to make chaining possible.
> The only way out then is for HTTPHeaderAuthenticationProvider to extend
> FileAuthenticationProvider...
>

In general extensions are loaded and processed in alphabetical order, but
FileAuthenticationProvider is always loaded and processed last.  However,
the overall order only matters in certain corner cases for stacking, and,
in this case, the order does not matter so much as the fact that
FileAuthenticationProvider does not implement authenticateUser().  I could
be wrong about that, but I'm reasonably certain that's the issue.


> As for HTTPHeaderAuthenticationProvider implementation, I am a bit
> concerned. It uses such powerful tool as Guice / IoC just to perform static
> bindings? Then it's an overkill.
>

HTTPHeaderAuthenticationProvider only uses Guice to process configuration
information.  It is quite possible it is slightly overkill for this
implementation, and you're certainly welcome to propose changes and submit
pull requests if you have an idea of how it can be done more efficiently.


> You say that you don't get automatically connected to the VNC server - do
> you see the connection at all on the home screen?  Or is it a blank screen,
> with no connections?
>
> I don't see any connections on home screen. In other words, I see only
> blank white panes.
>

Yeah, this further indicates that the File provider does not stack with the
other modules.


> My suggestion would be to use the JDBC module to store connections.  It
> requires a little bit of extra work and a few extra resources to configure,
> but definitely works with the other modules and also gives you some
> flexibility in permission management among users.
>
> I would like not to go that way. Maybe it's not so complicated to setup,
> but I would like to keep everything simple.
>

That's understandable; however, this means you really have two options:
- Write a custom module, similar to the FileAuthenticationProvider, that
reads input from a file and stacks correctly with other modules.  This
should be pretty straight-forward, especially if you just want to write a
module that contains configurations and not actual authentication
information, and just map users or groups to those configurations.
- Propose changes to the FileAuthenticationProvider that allows it to
"stack" with the other modules, and (possibly, if you're up to it) submit a
pull request for those changes and have that functionality added to a
future version (1.1.0 scope is fixed, so it would be 1.2.0 or later).


>  The File provider handles both cases - either the single connection
> specified within the  context, or multiple
> connections specified within their own  contexts.
>
> Could you please put that phrase into documentation? As an option I can
> create a pull request.
>

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#basic-auth

We can be more explicit about it if you think it necessary, but I'm
reasonably certain the examples in the documentation cover both scenarios.

-Nick



Re: HTTP head auth user setup

2019-03-22 Thread Nick Couchman
On Fri, Mar 22, 2019 at 9:15 AM Will Payne  wrote:

>
> > Where are you storing connections?  I assume JDBC?
>
> I had to check (I just followed some quick instructions on setting it up
> on Docker) but it's in the mysql DB.
>
> Also hadn't noticed that groups were only there in 1.0.0 - I'd reverted
> to 0.9.14 because the settings menus in 1.0.0 were full of input headers
> showing things like "MANAGE_USER_GROUP.SECTION_HEADER_USER_GROUP |
> TRANSLATE" and I thought I would tackle one issue at a time :)
>

This is usually due to browser cache issues, so clearing your browser cache
should also take care of these things.

-Nick


Re: HTTP head auth user setup

2019-03-22 Thread Nick Couchman
On Fri, Mar 22, 2019 at 8:34 AM Will Payne  wrote:

>
> Hi,
>
> With the HTTP header authorisation extension, is there a way to set what
> connections an unknown user will see? Or of setting certain connections
> as 'public'?
>

There's no way within Guacamole, itself, to "simulate" user permissions for
a particular/unknown user.  With the header authentication module, though,
it should be pretty easy to set up a simulation environment - you can set
up the module, then configure your reverse proxy with some simple
authentication that lets you put in any number of users and see what
happens as you authenticate with each of them.

Also, there's no way within Guacamole currently to set a connection as
"public" or even at this point to set default permissions.  So, if you
haven't explicitly assigned permissions to a user or group of users, the
connection will not be automatically visible to new/unknown users.

-Nick


Re: HTTP head auth user setup

2019-03-22 Thread Nick Couchman
On Fri, Mar 22, 2019 at 8:54 AM Will Payne  wrote:

> > There's no way within Guacamole, itself, to "simulate" user
> > permissions for a particular/unknown user.  With the header
> > authentication module, though, it should be pretty easy to set up a
> > simulation environment - you can set up the module, then configure
> > your reverse proxy with some simple authentication that lets you put
> > in any number of users and see what happens as you authenticate with
> > each of them.
>
>
> Thanks. That's a pain.
>

You're welcome to file a JIRA request for such a feature.  I've seen other
pieces of software (Owncloud/Nextcloud come to mind) that have the ability
to simulate a particular user, and I don't think it would be terribly
difficult to come up with something like that for Guacamole, it just needs
a feature request and then someone to work on it :-).


>
> We do have an LDAP directory of users (but not passwords so the auth
> needs handling elsewhere). Is it possible to use the LDAP user/group
> info in conjunction with HTTP header auth?
>
>
Well, maybe - it depends.  User groups are new in Guacamole 1.0.0, and
there will be some tweaks to them in 1.1.0 to correct a couple of bugs and
also address some confusion in the way it is implemented.  I suspect in
1.0.0 it will not work as you'd like it to.

Where are you storing connections?  I assume JDBC?

-Nick


Re: Software Publication

2019-03-21 Thread Nick Couchman
On Thu, Mar 21, 2019 at 3:50 PM sciUser wrote:

> Hello,
>
> Does Guacamole allow software to be published like Citrix xenapp?
> Say I have office 2019 on VM and want to have a user only access it without
> doing Windows GPO's is this possible?
>

Guacamole supports the "RemoteApp" parameters for RDP, which allow you to
publish applications on a Windows Remote Desktop system and then create a
connection that runs that application without anything else (desktop,
window manager, etc.).  Windows Server provides the method for publishing
remote apps - the Enterprise versions of Windows 7/10 require that you get
a separate utility to configure the RemoteApp applications, but it's pretty
easily available.

So, if that's what you're looking for, Guacamole can support making those
connections.  However, XenApp (and VMware Horizon) go a step further and
make the application appear to be seamlessly running on the local desktop.
Guacamole will not do that out of the box, although it's probably not
terribly difficult to port the Guacamole Web App to NodeJS and accomplish
something similar.

-Nick


Re: HTTP head auth user setup

2019-03-22 Thread Nick Couchman
On Fri, Mar 22, 2019 at 10:45 AM Will Payne  wrote:

> On 2019-03-22 12:59, Nick Couchman wrote:
>
> > You're welcome to file a JIRA request for such a feature.
>
> Oh, I don't particularly care about simulating what a specific or
> unknown user would see - that's easy enough to test. I meant that it's a
> pain that you can't *set* what a pre-authenticated but undefined user
> will see. But yes, maybe I should file a request for *that* feature :)
>

Ah, yes - I think with user groups permissions like that became a bit
easier, because you can set the permissions for the group.  But I had also
thought about trying to implement some sort of "default permission"
configuration that would allow assigning permissions ahead of time to users
that aren't already defined.  I'm not sure that would necessarily make
sense today, because you have to explicitly create either users or groups
in the JDBC module before you can actually assign permissions to them.
With one of the changes underway, however, to auto-create JDBC users when
they are successfully authenticated elsewhere, this may make more sense.


>
> Am guessing adding LDAP into the mix is the only way forward.. Is there
> any rough expected date for 1.1.0? Not sure I want to battle to get it
> working just for the way it's implemented to change.
>

Soon-ish, hopefully.  Unfortunately the big blocker on it is getting
FreeRDP 2.0 support into the code, which is somewhat of a mountain of a
task.  Mike is knee-deep (or maybe neck-deep these days) in that.  Once
that gets completed, reviewed, and pushed through, the remaining changes
are reasonably light-weight and should be able to get reviewed relatively
quickly.


>
> I suppose the only other option at the moment is to revert to 0.9.14 and
> use the noauth extension.. At least that way I can easily, I assume, get
> everyone seeing the connections.
>
> > This is usually due to browser cache issues
>
> Ah - yep, I redeployed 1.0.0 and, after a bit of a kick, the browser
> shows the correct form headings.
>

There's a JIRA issue out there for this, too - there are ways to "version"
the static components such that they'll get refreshed when the version
changes, but it hasn't been implemented, yet.

-Nick


Re: Setting up HTTP header authentication

2019-03-21 Thread Nick Couchman
On Thu, Mar 21, 2019 at 8:38 PM Dmitry Katsubo  wrote:

> On 2019-03-21 00:12, brian mullan wrote:
>
> On 2019-03-21 15:33, Nick Couchman wrote:
>
> I don't think that the not allowing of a null password is actually the
> issue - I think the problem is that it just implements the
> getAuthorizedConfigurations() method and not the authenticateUser() method,
> which is what the other modules use to "stack" authentication.
>
> Nick, if you check SimpleAuthenticationProvider.authenticateUser():142
> <https://github.com/apache/guacamole-client/blob/7e7b6fde4cd63ac8ec21e2ee900ae865d15a4c36/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleAuthenticationProvider.java#L142>
> you will see that if there are configurations available, user is created
> on-the-fly.
> Further look into the source code revealed that things are a bit more
> complicated. All modules perform user comparison based on the information
> from Credentials instance, see for example
> UserService.retrieveAuthenticatedUser():361
> <https://github.com/apache/guacamole-client/blob/658ce7884695cbe0c04b29f0b6fa365312dbe2fd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java#L361>
> and the only place where this object is created at is
> TokenRESTService.getCredentials()
> <https://github.com/apache/guacamole-client/blob/c890919d5bbb9ccc8243f04caae07c78a032ef07/guacamole/src/main/java/org/apache/guacamole/rest/auth/TokenRESTService.java#L84>.
> That in turn means that Guacamole cannot create a Credentials instance
> other than from the Authorization: Basic HTTP header, which means that front
> webserver/proxy authorization (which is not necessarily HTTP basic
> authentication) is not possible.
>

I think I understand what you're saying.  To be sure, the header module
does work - it will authenticate a user passed through from a Nginx or
httpd header authentication.  However, it will not pass through a password
to the File authentication provider (since there is not usually a password
present), so if the File authentication provider module requires that
password in order to retrieve the configuration, it will fail.  Maybe this
is what you're saying.


>
> I have identified the following workarounds, namely, if one of below
> patches is applied then everything starts working:
>
> - FileAuthenticationProvider.java.patch – this one overrides
>   getUserContext() to enable configuration for
>   authenticatedUser.getIdentifier().
> - AuthenticatedUser_Authorization.patch – this one injects username
>   from header to Credentials and allows null passwords.
>
>
>
If you wish to contribute these you'll need to follow the contribution
procedure for the project, which generally means creating a JIRA issue and
then a pull request.

> I would like not to go that way. Maybe it's not so complicated to setup,
>> but I would like to keep everything simple.
>>
>
> That's understandable; however, this means you really have two options:
> - Write a custom module, similar to the FileAuthenticationProvider, that
> reads input from a file and stacks correctly with other modules.  This
> should be pretty straight-forward, especially if you just want to write a
> module that contains configurations and not actual authentication
> information, and just map users or groups to those configurations.
>
> With my respect to GUACAMOLE-493
> <https://issues.apache.org/jira/browse/GUACAMOLE-493> and GUACAMOLE-256
> <https://issues.apache.org/jira/browse/GUACAMOLE-256> after removing
> guacamole-auth-noauth Guacamole provided no means to replace it. It
> actually did what you say, and only was missing a header check.
>
>
Yes, we removed the NoAuth module without replacing it.  The project
determined that it was not worth continuing to keep it in the code, as the
value was limited and the end-goal of the module - transparently
authenticating users into Guacamole - was possible by several other more
secure means (SSO and parameter tokens, in particular).  It's also true
that the header module is very simple - it accepts that a user has been
authenticated up-stream and relies on other modules to provide
configurations.  This comes with a security caveat of its own - if you use
the header module it *must* be behind a reasonably secure front-end proxy
that won't allow someone to spoof the header that is then accepted by the
authentication module.  There are warnings about this in the manual.

> - Propose changes to the FileAuthenticationProvider that allows it to
> "stack" with the other modules, and (possibly, if you're up to it) submit a
> pull request for those changes and have that functionality added to a
> future version (1.1.0 scope is fixed, so i

Re: Difference between Connection and ActiveConnection (RDP)

2019-02-06 Thread Nick Couchman
On Wed, Feb 6, 2019 at 1:50 PM murat  wrote:

> Thank you Mike. I'm a newbie, sorry for some questions :)
>
> is there any tutorial for jdbc-auth-base module?
>
> I have implemented it on a Tomcat server but I don't know how to test it from
> a browser.
>
>
You can find the manual, here:

http://guacamole.apache.org/doc/gug/

That has a good bit of information on setting up each of the components,
including JDBC, LDAP, etc.

-Nick


Re: Difference between Connection and ActiveConnection (RDP)

2019-02-06 Thread Nick Couchman
On Wed, Feb 6, 2019 at 4:49 AM murat  wrote:

> Hi,
>
> I wonder what is the difference between Connection and ActiveConnection?
>

A Connection defines the parameters and attributes needed to establish a
connection to a remote host.


>
> Because, when creating a sharing link, an active connection is needed. But
> in the basic authentication examples, i see no active connection after
> establish a RDP connection.
>
>
Active connection tracking is only implemented in the JDBC module, the
basic extension (and LDAP, etc.) do not track active connections, and will
not support connection sharing at this point in time.

-Nick


Re: guacamole radius

2019-02-16 Thread Nick Couchman
On Sat, Feb 16, 2019 at 8:40 PM drhy  wrote:

> Hi Nick,
>
> A small issue I have spotted in my testing of the Master/released version
> of 1.0.0 with Radius and JDBC/MySQL. The Radius to MySQL hand-off works
> perfectly as discussed in this thread, for Users who have directly linked
> Connections in MySQL, but where Users in MySQL are linked to a Group which
> in turn hold the Connections, then the User is successfully authenticated
> but then sees no connections.
>
>
This is probably related to the following issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

-Nick


Re: Users get by TOTP authentication

2019-02-18 Thread Nick Couchman
On Mon, Feb 18, 2019 at 10:47 AM Benjamin Griese  wrote:

> Hello everybody,
>
> this is kind of a duplicate of a post made by someone on guacamole-issues
> ML[1].
>
> I've setup a Guacamole system in my home environment for remote access.
> In order to make things secure, I thought I setup TOTP 2 factor
> authentication in conjunction with LDAP.
>
> I've found out the local guacadmin is successfully being asked for TOTP
> init.
> Even though LDAP users and even additional local users are not getting
> asked for TOTP init.
>
> I am using this docker-image in a kubernetes setup, if it does matter.
> https://github.com/oznu/docker-guacamole
>
>
> Is this a bug or a misconfigured setup?
>

This is perhaps a nuance of the configuration and how it works.  First, you
need the users to exist in the database authentication module, because
that's where the TOTP information gets stored.  Second, the users in the DB
module need to be allowed to update their own passwords (basically update
their own account), as that's what determines whether or not the user can
store information about themselves.

-Nick



Re: Guacamole Client API

2019-02-12 Thread Nick Couchman
On Tue, Feb 12, 2019 at 1:11 PM sciUser wrote:

> Do I have to run the Guacamole client API from the Guacamole server itself
> or can I call it from another server say hosting lab guides?
>
>
I'm not entirely sure which component you're referring to, but, in general:
- Guacamole Client (the portion that runs in Tomcat) can run separately from
guacd - the two do not have to run on the same system.  If you run them on
different servers you have to make sure that you configure the Guacamole
Client side to point to the correct Guacamole Server (guacd) instance.
- The portion that accesses the API actually generally runs in the browser.
The HTML and JS content is, by default, hosted in the same Tomcat container
as the rest of the Guacamole Client (Java classes, etc.), but this doesn't
have to be the case - you can separate them onto different sources.  The
issue you'll have is that you'll have to reconfigure the JS to point to the
correct place for the API, rather than just defaulting to the same host
from which it is running.
- You can also write custom code to make REST calls to the API endpoints
outside of the normal Guacamole WebApp - it's a standard REST API, and can
be accessed by any code/client that can be configured to make the calls.

Regards,
Nick


Re: Is there a way to get rid of "on Guacamole RDP" from drive-name?

2019-02-12 Thread Nick Couchman
On Tue, Feb 12, 2019 at 8:10 PM sciUser wrote:

> Say we don't want to write our own extension and want to alter the code
> directly.
> What file would we need to edit to rename G on Guacamole?
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t768/GonGuac.png>
>
>
>
As you mentioned in a previous thread that you're using version 0.9.14,
you'd need to go into the guacd source code and change the RDPDR header
file that controls this:

https://github.com/apache/guacamole-server/blob/0.9.14/src/protocols/rdp/guac_rdpdr/rdpdr_messages.h

You can find the #define lines in that file that control those names.
You'll have to change them and recompile guacd.

However, it gets a bit more complicated than that, for a couple of
reasons.  First, we determined that, even though Microsoft claims that the
name of the volume needs to be a UTF16-encoded value, this is only true for
printer redirection, and it really should be a UTF8-encoded value, so the
"G on Guacamole RDP" has actually been a small bug for a couple of
versions.  It was corrected in the 1.0.0 release, at which time we also
made the redirection use the client name for the "Guacamole RDP" portion of
that.

So, you're welcome to fiddle with the guacd source code, if you like, but
I'd really suggest that you 1) update to 1.0.0, and 2) just configure
connection parameters for client-name and drive-name, at which point the
name of that drive will be  on .  There's no need
to write custom code or a custom extension to make that part work - you
just set up those connection parameters in whatever authentication module
you're using (File, JDBC, etc.).

-Nick


Re: API Session Token

2019-02-15 Thread Nick Couchman
On Fri, Feb 15, 2019 at 18:33 sciUser  wrote:

> Hello,
>
> With out using LDAP how would I get the user session token ?
> I like to not pass username and passwords in the URL but use the token to
> log them in.


No matter what extension you're using for authentication the way to obtain
a token is to POST to the /guacamole/api/tokens endpoint a form with the
username and password fields.  This is completely independent of what
authentication mechanism backs Guacamole.


>
> Also I changed the URL pointer on NGINX from /guacamole/ to /lab/ do I need
> to change  proxy_cookie_path* /guacamole/ /guacamole/*; to /bal /lab/;  as
> well?
>

As of 1.0.0 I believe Guacamole client is completely cookie-free, so you
shouldn't have to use that option.  However, why not just deploy the WAR
file as lab.war, in which case the path within Tomcat will match Nginx and
you won't have to worry about the rewriting.

-Nick
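The token exchange Nick describes, as an added example that is not part of this thread or of the Guacamole project: the credentials go in the POST body to /api/tokens (never in the URL, where proxy and Tomcat access logs would capture them), the returned token is attached to later REST calls, and the token is invalidated on logout. The JSON field names (authToken, username, dataSource), the ?token= query parameter and the DELETE /api/tokens/<token> endpoint are assumptions based on the Guacamole REST API; BASE_URL and the sample response are constructed.

```python
"""Added example, not code from the thread or the Guacamole project."""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://guacamole.example.com/guacamole"  # assumed deployment path


def build_token_request(base_url, username, password):
    """Build the POST that exchanges a username/password form for a token.

    The credentials travel in the form body, not the query string, so they
    do not end up in proxy or Tomcat access logs.
    """
    body = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/tokens",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw_body):
    """Extract the session token from the JSON the endpoint returns.

    Field names (authToken, username, dataSource) are assumed.  Raise when
    the token is absent instead of returning an empty string that later
    calls would silently send as ?token=.
    """
    data = json.loads(raw_body)
    token = data.get("authToken")
    if not token:
        raise ValueError("token response did not contain authToken")
    return {"token": token, "username": data.get("username"),
            "data_source": data.get("dataSource")}


def build_authenticated_request(base_url, token, path, method="GET"):
    """Attach the token to a later API call as the ?token= query parameter."""
    query = urllib.parse.urlencode({"token": token})
    return urllib.request.Request(
        base_url.rstrip("/") + path + "?" + query, method=method)


def build_logout_request(base_url, token):
    """DELETE /api/tokens/<token> (assumed endpoint) revokes the session
    server-side, so a leaked or finished token cannot be reused."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/tokens/" + urllib.parse.quote(token, safe=""),
        method="DELETE")


if __name__ == "__main__":
    # Constructed response standing in for a live server answer.
    sample = '{"authToken": "abc123", "username": "alice", "dataSource": "mysql"}'
    session = parse_token_response(sample)
    req = build_authenticated_request(
        BASE_URL, session["token"],
        "/api/session/data/%s/connections" % session["data_source"])
    print(req.full_url)
    print(build_logout_request(BASE_URL, session["token"]).get_method())
```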


Re: Facing Issue while connecting to remote-app using QuickConnect Ext

2019-02-05 Thread Nick Couchman
On Tue, Feb 5, 2019 at 3:00 PM  wrote:

> Hi Nick,
> Can you give some work around regarding this case!!
>
>
>
I've done a little bit of research on this, and apparently there are some
known issues with the URL encoding in Java and the pipe characters.  What
I've read indicates that using the %7C replacement should work, but I've
not tried it, so I'm not certain.  If I get a chance I'll try to figure
something out, but I don't have any answers for you, now.

-Nick

