Re: Upload more than 60 files

2022-03-28 Thread Mike Jumper
No, and I wouldn't recommend doing that as it would affect the size of
structures and may break ABI compatibility with anything that isn't rebuilt.

It would be better to improve the handling of file transfers within the
webapp such that outstanding transfers are automatically deferred and retried if
the server reports that you've hit the limit.

- Mike


On Mon, Mar 28, 2022, 14:08 Denis Bessa  wrote:

> Hi, thanks for your response.
>
> Is there any way to change this restriction without compiling the source
> code?
> --
> *From:* Mike Jumper 
> *Sent:* Sunday, March 27, 2022 03:26
> *To:* User 
> *Subject:* Re: Upload more than 60 files
>
> On Sat, Mar 26, 2022, 19:06 Nick Couchman  wrote:
>
> On Wed, Mar 23, 2022 at 12:10 PM Denis Bessa  wrote:
>
> Hi,
>
> I have a Guacamole Server running on Kubernetes. It works perfectly,
> except for one thing: users can't upload more than 60 files through the RDP
> connection.
>
> When they try to do so, they receive this error message:
>
>
> (An internal error has occurred within the Guacamole Server...)
>
>
> Can you check the catalina.out file and see if there's any indication of
> the error?
>
>
> Are there any limitations with the number of file uploads?
>
>
> Probably, but I don't think it's 60.
>
>
> The Guacamole server uses a static limit of 64 simultaneous streams per
> connection:
>
>
> https://github.com/apache/guacamole-server/blob/master/src/libguac/guacamole/client-constants.h#L33
>
> Streams exceeding that limit are rejected by the server until existing
> streams close.
>
> - Mike
>
> *Denis Bessa*
>
> *CEO +55 31 3236-9200*
> --
> Contabilidade Bessa
> *bessa.digital*
>
> Need to talk to me? Click here
> <https://teams.microsoft.com/l/chat/0/0?users=denis@bessa.digital> and
> call me on Microsoft Teams
>


Re: Upload more than 60 files

2022-03-27 Thread Mike Jumper
On Sat, Mar 26, 2022, 19:06 Nick Couchman  wrote:

> On Wed, Mar 23, 2022 at 12:10 PM Denis Bessa  wrote:
>
>> Hi,
>>
>> I have a Guacamole Server running on Kubernetes. It works perfectly,
>> except for one thing: users can't upload more than 60 files through the RDP
>> connection.
>>
>> When they try to do so, they receive this error message:
>>
>>
>> (An internal error has occurred within the Guacamole Server...)
>>
>>
> Can you check the catalina.out file and see if there's any indication of
> the error?
>
>
>> Are there any limitations with the number of file uploads?
>>
>>
> Probably, but I don't think it's 60.
>

The Guacamole server uses a static limit of 64 simultaneous streams per
connection:

https://github.com/apache/guacamole-server/blob/master/src/libguac/guacamole/client-constants.h#L33

Streams exceeding that limit are rejected by the server until existing
streams close.

- Mike


Re: stalled guacd processes

2022-03-21 Thread Mike Jumper
Mind retesting with a build of guacamole-server from git master or
"staging/1.5.0"? Changes were recently merged that should address this.

- Mike


On Mon, Mar 21, 2022 at 1:17 AM Philippe MARASSE
 wrote:

> Hello,
>
> Again, with usage of ghostscript, lots of stalled guacd processes :
>
> root@guacd-dc:~# ps auxf | grep guacd
> root  975526  0.0  0.0   6196   728 pts/0    S+   09:15   0:00  \_ grep guacd
> guacd 239034  0.0  0.4 1305732 8428 ?        Ssl  mars03  12:27 /opt/guacd-1.4.0/sbin/guacd -f
> *guacd 773326  0.0  0.4 1318236 9736 ?        Sl   mars16   0:09  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 776152  0.0  0.4 1318236 9964 ?        Sl   mars16   0:15  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 778194  0.0  0.4 1324056 9964 ?        Sl   mars16   0:08  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 786275  0.0  0.4 1348344 9588 ?        Sl   mars16   0:14  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 788503  0.0  0.1  47920  3836 ?        S    mars16   0:08  |   \_ gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER -sDEVICE=pdfwrite -sOutputFile=- -c .setpdfwrite -sstdout=/dev/null -f -*
> *guacd 828165  0.0  0.4 1423284 9956 ?        Sl   mars17   0:10  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 830466  0.0  0.2  46292  4152 ?        S    mars17   0:05  |   \_ gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER -sDEVICE=pdfwrite -sOutputFile=- -c .setpdfwrite -sstdout=/dev/null -f -*
> *guacd 830678  0.0  0.4 1423316 9804 ?        Sl   mars17   0:04  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 830695  0.0  0.1  46292  3992 ?        S    mars17   0:05  |   \_ gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER -sDEVICE=pdfwrite -sOutputFile=- -c .setpdfwrite -sstdout=/dev/null -f -*
> *guacd 860958  0.0  0.5 1357748 10256 ?       Sl   mars18   0:07  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 862243  0.0  3.8 1423284 76780 ?       Sl   mars18   0:14  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 863245  0.0  0.7 1480688 14932 ?       Sl   mars18   0:00  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 863329  0.0  4.6 1423284 92264 ?       Sl   mars18   0:11  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 866151  0.0  1.8 1322788 37152 ?       Sl   mars18   0:01  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 871034  0.0  4.5 1334216 89992 ?       Sl   mars18   0:06  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> guacd 973738  0.1  4.0 1355708 81364 ?       Sl   08:09   0:06  \_ /opt/guacd-1.4.0/sbin/guacd -f
> guacd 974720  0.6  5.5 1355652 110296 ?      Sl   08:46   0:10  \_ /opt/guacd-1.4.0/sbin/guacd -f
>
> I'm seeking directions to narrow the issue. Some usage of ghostscript
> worked fine, other hangs.
>
> Regards.
>
>
> On 10/03/2022 at 17:00, Philippe MARASSE wrote:
>
> Hello,
>
> It occurs more frequently since I've upgraded to guacd 1.4.0, I see
> stalled process used a few days ago :
>
> # ps auxf | grep guacd
> root  548250  0.0  0.0   6196   716 pts/0    S+   16:48   0:00  \_ grep guacd
> guacd 239034  0.0  0.6 1231968 13364 ?       Ssl  mars03   6:07 /opt/guacd-1.4.0/sbin/guacd -f
> *guacd 450284  0.0  1.1 1323840 22476 ?       Sl   mars08   0:11  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 459214  0.0  1.1 1319924 23760 ?       Sl   mars08   0:01  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 460026  0.0  4.5 1330532 90820 ?       Sl   mars08   0:03  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 462567  0.0  5.4 1357880 109208 ?      Sl   mars08   0:04  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> *guacd 488863  0.0  5.0 1332036 101260 ?      Sl   mars09   0:18  \_ /opt/guacd-1.4.0/sbin/guacd -f*
> guacd 534541  0.1  5.7 1348296 114428 ?      Sl   08:14   0:34  \_ /opt/guacd-1.4.0/sbin/guacd -f
> guacd 544071  0.1  6.4 1423284 128796 ?      Sl   14:11   0:09  \_ /opt/guacd-1.4.0/sbin/guacd -f
> guacd 545739  0.2  5.9 1423680 118572 ?      Sl   15:15   0:15  \_ /opt/guacd-1.4.0/sbin/guacd -f
>
> All of them look like:
>
> # grep 460026 /var/log/daemon.log
> Mar  8 14:08:22 guacd-dc guacd[460026]: No security mode specified. Defaulting to security mode negotiation with server.
> Mar  8 14:08:22 guacd-dc guacd[460026]: guacd[460026]: INFO:#011No security mode specified. Defaulting to security mode negotiation with server.
> Mar  8 14:08:22 guacd-dc guacd[460026]: guacd[460026]: INFO:#011Resize method: none
> Mar  8 14:08:22 guacd-dc guacd[460026]: guacd[460026]: INFO:#011No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
> Mar  8 14:08:22 guacd-dc guacd[460026]: guacd[460026]: INFO:#011User "@6c8b6aee-7840-4c64-b4a0-a72c40501d86" joined connection "$afe8dfaf-77fc-4c6b-8271-680b3a06ce1a" (1 users now present)
> Mar  8 14:08:22 guacd-dc guacd[460026]: Resize method: none
> Mar  8 14:08:22 guacd-dc guacd[460026]: No clipboard line-ending normalization specified. 

Re: Mailing list commands

2022-03-20 Thread Mike Jumper
I don't think there's a way to change the subscription, but if you
subscribe to the digest version and then unsubscribe from the non-digest
version, you shouldn't miss anything.

- Mike

On Sun, Mar 20, 2022, 18:58 Stuart Blake Tener 
wrote:

> Mike,
>
> Inasmuch as it seems I am already subscribed, can you perhaps indicate
> what the mechanism would be now so that I can change to a digest format and
> yet not have to unsubscribe and miss messages?
>
> Thanks!
>
>
> Stuart
>
> Quoting: Mike Jumper 
>
> I believe you just need to email *-digest-subscribe instead of *-subscribe
> when subscribing to the list. For example:
>
> user-digest-subscr...@guacamole.apache.org
>
> - Mike
>
> On Sun, Mar 20, 2022, 09:19 Stuart Blake Tener 
> wrote:
>
>> List members,
>>
>> Is there an easy way I can command the mailing list to substantiate
>> messages in a digest manner?
>>
>> Thanks in advance.
>>
>> Very Respectfully,
>>
>> Stuart Blake Tener, BScCS, N3GWG (Extra), MROP
>> Computer Scientist / FCC Licensed Radio Operator
>>
>> Las Vegas, NV / Philadelphia, PA
>>
>> (310) 358-0202 Mobile Phone
>> (215) 338-6005 Google Voice
>>
>
>
> Very Respectfully,
>
> Stuart Blake Tener, BScCS, N3GWG (Extra), MROP
> Computer Scientist / FCC Licensed Radio Operator
>
> Las Vegas, NV / Philadelphia, PA
>
> (310) 358-0202 Mobile Phone
> (215) 338-6005 Google Voice
>


Re: Mailing list commands

2022-03-20 Thread Mike Jumper
I believe you just need to email *-digest-subscribe instead of *-subscribe
when subscribing to the list. For example:

user-digest-subscr...@guacamole.apache.org

- Mike

On Sun, Mar 20, 2022, 09:19 Stuart Blake Tener 
wrote:

> List members,
>
> Is there an easy way I can command the mailing list to substantiate
> messages in a digest manner?
>
> Thanks in advance.
>
> Very Respectfully,
>
> Stuart Blake Tener, BScCS, N3GWG (Extra), MROP
> Computer Scientist / FCC Licensed Radio Operator
>
> Las Vegas, NV / Philadelphia, PA
>
> (310) 358-0202 Mobile Phone
> (215) 338-6005 Google Voice
>


Re: Single connection and the control panel

2022-03-09 Thread Mike Jumper
On Wed, Mar 9, 2022 at 7:12 AM Brad Saxton  wrote:
>
> Unless I'm missing something, there seems to be an issue for users who only 
> have one connection defined.
>
> For users with only one connection, Guacamole automatically makes that 
> connection upon login without displaying the Guacamole home page.

Yes, this is by design. If a user has access to only one connection,
they are taken to that connection immediately instead of forcing the
user to select their single connection from a list of one choice.

> If though, only one active connection per user is permitted, this causes an 
> issue. If the user was already logged in from another computer and only 1 
> connection per user is allowed, this causes an issue. The user gets an error 
> about exceeding the number of allowed connections and only "Reconnect" or 
> "Logout" are displayed. The user cannot get to the control panel in order to 
> kill the other connection.

If necessary, you can go to the settings screen by pressing
Ctrl+Alt+Shift to open the Guacamole menu. The usual dropdown menu
with "Settings", "Logout", etc. is there.

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

2022-03-08 Thread Mike Jumper
On Tue, Mar 8, 2022 at 9:31 AM Toine  wrote:

> ...
> Previous behavior, before (with Guacamole-client 1.3):
> I click on that link and I'm immediately connected to my remote host.
>
> Current behavior, after (with Guacamole-client 1.4):
> I click on that link and visually, all I get is a black screen in my
> browser.
> If I refresh in my browser, it's not better.
> If I edit the URL to remove the tokens, and validate that URL in the
> address bar, then it works.
>
> Again, if I set X-Frame-Options to SAMEORIGIN, the above issue disappears.
>

Can you see in browser dev tools the specific request that is blocked
unless "SAMEORIGIN" is set?

As far as frames are concerned, Guacamole uses an iframe to initiate
downloads of files and an object to receive local resize events, but this
has been the case long before 1.4.0. It's not immediately clear why
anything would behave differently in 1.4.0 vs 1.3.0 solely due to
"X-Frame-Options".

- Mike


Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

2022-03-07 Thread Mike Jumper
On Mon, Mar 7, 2022 at 11:41 AM Mauricio Silveira 
wrote:

> Hi.
>
> I've done extensive tests, trying to figure out why a browser refresh
> (hitting F5) was causing a RDP session to turn into a black screen ( not
> sure about other connection types ), but Ctrl+Alt+Shift still works -
> using nginx + guacamole 1.4.0. Apache proxying was working fine.
>
> After trying different distros, versions and package versions, I found
> this thread:
> https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 , and
> gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot.
> Immediate fix.
>
> Haven't given it a deeper look to confirm, just tried with guacamole
> 1.3.0 and it works fine even with X-Frame-Options DENY .
>
> I found this possible problem, because I was testing full-screen by
> pressing F11, then F5 to reload guacamole session with the new window
> size in full screen.
>
> This might be a bug, maybe not, just writing it down to help others
> dealing with this possible issue.
>

No, this is not a bug. Guacamole already does everything it can to handle
all keyboard interaction. It cannot control whether the browser, OS, etc.
take control of certain keys or shortcuts. It can only request that the
browser send it everything, and hope that the browser will do so.

https://guacamole.apache.org/faq/#keyboard-shortcuts

- Mike


Re: Understanding Sharing Profile for Non-Admins

2022-02-28 Thread Mike Jumper
On Mon, Feb 28, 2022, 12:42 Khoe, Yonathan  wrote:

> Hello,
>
> We set up sharing profiles for all of our connections under an admin
> account.  We want the ability for our students to be able to generate a
> share link to their connection viewing (to their professor) when they are
> remoted to a machine.  We thought that this was the idea when we create the
> sharing profiles individually and giving them a read-only option and name,
> but it turns out that our students cannot see the “Share” button when
> opening the Guacamole menu (ctrl+alt+shift).  The student accounts
> themselves do not have any permissions; the user groups that the students
> belong to also do not have permissions set (we only use it to assign the
> connection groups).  Are we missing something in terms of letting
> non-admins to be able to generate a share link to be given to other people?
>

You need to additionally grant the users (or the relevant group) access to
the sharing profile, not just the connection. Only users with access to a
particular sharing profile will be able to share the relevant connection
using that profile.

- Mike


Re: Please remove me from the list

2022-02-15 Thread Mike Jumper
Guys, please do not email the entire user@ list with requests to be
removed, regardless of what you have done thus far. *You are emailing all
subscribers.*

All you need to do is email user-unsubscribe@ (using the email account you
subscribed with) and then follow the instructions in the confirmation email.

If you tried the above and it's not working, email me directly and I'll
take a look. Please do not continue emailing the list like this.

- Mike

On Tue, Feb 15, 2022, 10:47 Hazem Murad  wrote:

> Same here, I asked many times to be removed but receiving those emails.
> Can the admin please remove me.
>
> On Wed, 16 Feb 2022 at 1:08 AM, Paula Carboné 
> wrote:
>
>> Hi again, I have sent multiple emails to
>> user-unsubscr...@guacamole.apache.org asking to be unsubscribed from the
>> list, yet I keep receiving emails everyday. What should I do?
>>
> --
> Sent from Gmail Mobile
>


Re: interrupted screen recording raw file?

2022-02-11 Thread Mike Jumper
You can avoid this going forward by first checking whether the recording
file is locked. Guacamole acquires an advisory lock on recordings while
they are in progress, and releases the lock when they're complete. This is
how the "guacenc" tool is able to detect in-progress recordings.

- Mike


On Fri, Feb 11, 2022, 10:22 Tushar Sheth  wrote:

> That's what I figured- thanks!
>
> Tushar
>
> On Fri, Feb 11, 2022 at 12:43 PM Nick Couchman  wrote:
>
>> On Fri, Feb 11, 2022 at 12:10 PM Tushar Sheth 
>> wrote:
>>
>>> We made a script to automate processing of screen recording raw files to
>>> mp4.
>>>
>>> The script starts by pushing raw files from our guacamole server to
>>> google cloud storage and then to a second server where the processing
>>> happens.
>>>
>>> Of course, we didn't test this enough (argh!!) and our script pushed a
>>> raw file out of the guac server during an active session that we were
>>> recording- in other words, the raw file was still getting added to.
>>>
>>> As a result of this, we only have in the raw file what happened before
>>> the file was pushed. After that, it seems that no further data collection
>>> for the screen recording occurred (no new continuing raw file was created
>>> for the remainder of the active session).
>>>
>>> I know it's a long shot, but any ideas on whether guacamole may have
>>> continued building a raw file or collecting that data somewhere?
>>>
>>>
>> guacd writes the recording files wherever you've told it to in the
>> connection parameter, and nowhere else, so if it isn't in that location I
>> think you're out of luck.
>>
>> -Nick
>>
>>>
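
A check of the kind described in the reply above, as an added example that is not code from the thread or from the Guacamole project. It assumes the advisory lock is a POSIX fcntl() record lock (the kind `fcntl.lockf` probes); `simulate_active_recording` is a constructed stand-in for guacd, and all file names are hypothetical.

```python
import errno
import fcntl
import os
import tempfile


def recording_in_progress(path: str) -> bool:
    """Return True if another process holds a write lock on `path`."""
    fd = os.open(path, os.O_RDONLY)
    try:
        try:
            # Non-blocking shared lock over the whole file. It conflicts with
            # an exclusive (write) lock held by any other process, and needs
            # only read access to the recording.
            fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        except OSError as exc:
            if exc.errno in (errno.EACCES, errno.EAGAIN):
                return True
            raise
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return False
    finally:
        os.close(fd)


def completed_recordings(directory: str) -> list:
    """Sorted paths of regular files in `directory` that are safe to move."""
    paths = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not recording_in_progress(path):
            paths.append(path)
    return paths


def simulate_active_recording(path: str):
    """Constructed stand-in for guacd: a child process write-locks `path`.

    Returns a function that ends the simulated session (releasing the lock).
    """
    ready_r, ready_w = os.pipe()
    stop_r, stop_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: hold the lock until the parent closes stop_w
        try:
            os.close(ready_r)
            os.close(stop_w)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o640)
            fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            os.write(ready_w, b"1")
            os.read(stop_r, 1)
        finally:
            os._exit(0)
    os.close(ready_w)
    os.close(stop_r)
    os.read(ready_r, 1)  # wait until the child holds the lock
    os.close(ready_r)

    def release():
        os.close(stop_w)
        os.waitpid(pid, 0)

    return release


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    finished = os.path.join(workdir, "finished-session")  # hypothetical names
    active = os.path.join(workdir, "active-session")
    with open(finished, "wb") as handle:
        handle.write(b"4.sync,1.0;")  # constructed sample content
    end_session = simulate_active_recording(active)
    print("safe to push now:", completed_recordings(workdir))
    end_session()
    print("safe to push after the session ends:", completed_recordings(workdir))
```

The `flock` command-line utility uses flock(2), which on Linux does not interact with fcntl() locks, so it is not a substitute for this probe under the stated assumption.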


Re: Proxying Guacamole with Apache2 HTTP Server and SAML - New issue with 1.4

2022-02-10 Thread Mike Jumper
On Thu, Feb 10, 2022 at 11:14 AM Martin Twerski  wrote:

> Upgraded from 1.3 to 1.4 where I had SAML working. I have updated the
> plugin to the new sso one. I get an error when trying to use SAML auth  -
> [http-nio-8080-exec-2] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource -
> Authentication attempted with an invalid SAML response: SAML response did
> not pass validation: The response was received at
> http://example.fqdn.com/guacamole/api/ext/saml/callback instead of
> https://example.fqdn.com/api/ext/saml/callback
>
>
>
> If I set saml-strict to false, no issues with login. If I revert to 1.3
> plugin, no issues.
>
>
>
> My reverse proxy in front of Guacamole is Apache. I have followed this:
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html (The
> section about  “Apache and mod_proxy” as well as “Setting up the Remote IP
> Valve”).
>
>
>
> My proxy is not on the same box as Guacamole.
>
>
>
> Any ideas on how to resolve this?
>
>
>
> Instead of changing the path of the application within the proxy, try
> renaming "guacamole.war" to "ROOT.war" so that Tomcat serves the
> application from / directly.
>
>
>
> I also recommend looking at the docs for the current release:
>
>
>
> https://guacamole.apache.org/doc/gug/reverse-proxy.html
>
>
>
> The link you reference above is a snapshot of ancient 0.9.7 docs (6+ years
> ago).
>
>
>
> - Mike
>
>
>
> Mike,
>
> Thanks for the link to the current docs. I was using an old bookmark and
> didn’t realize it was a versioned copy.
>
>
>
> I don’t think the path is the issue – it appears to be an http vs https
> issue. I have switched it to the root (rename war file to ROOT.war) and now
> get this error:
>
> [http-nio-8080-exec-4] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource
> - Authentication attempted with an invalid SAML response: SAML response did
> not pass validation: The response was received at
> http://example.fqdn.com/api/ext/saml/callback instead of
> https://example.fqdn.com/api/ext/saml/callback
>
> How do I get Guacamole to “receive the response” at https?
>

Try adding the "X-Forwarded-Proto" header via your proxy config. The HTTP
side of the proxied connection probably can't otherwise tell that the
user-facing side is actually HTTPS.

- Mike


Re: Proxying Guacamole with Apache2 HTTP Server and SAML - New issue with 1.4

2022-02-10 Thread Mike Jumper
On Thu, Feb 10, 2022, 10:37 Martin Twerski  wrote:

> Upgraded from 1.3 to 1.4 where I had SAML working. I have updated the
> plugin to the new sso one. I get an error when trying to use SAML auth  -
> [http-nio-8080-exec-2] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource -
> Authentication attempted with an invalid SAML response: SAML response did
> not pass validation: The response was received at
> http://example.fqdn.com/guacamole/api/ext/saml/callback instead of
> https://example.fqdn.com/api/ext/saml/callback
>
>
>
> If I set saml-strict to false, no issues with login. If I revert to 1.3
> plugin, no issues.
>
>
>
> My reverse proxy in front of Guacamole is Apache. I have followed this:
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html (The
> section about  “Apache and mod_proxy” as well as “Setting up the Remote IP
> Valve”).
>
>
>
> My proxy is not on the same box as Guacamole.
>
>
>
> Any ideas on how to resolve this?
>

Instead of changing the path of the application within the proxy, try
renaming "guacamole.war" to "ROOT.war" so that Tomcat serves the
application from / directly.

I also recommend looking at the docs for the current release:

https://guacamole.apache.org/doc/gug/reverse-proxy.html

The link you reference above is a snapshot of ancient 0.9.7 docs (6+ years
ago).

- Mike


Re: guacd segmentation fault

2022-02-10 Thread Mike Jumper
On Thu, Feb 10, 2022, 05:28 Vieri  wrote:

> Hi,
>
> Everything seems to work fine on my system except for RDP connections. In
> syslog I can see this segfault:
>
> ...
>
> I'm using freerdp 2.4.1.
>

Was this the same version of FreeRDP that was present when guacamole-server
was built, or was FreeRDP upgraded after the Guacamole build?

How was FreeRDP installed? If from a distribution package, what
distribution and what exact version does the package manager show?

How was guacamole-server installed? Built from source from the 1.4.0
.tar.gz, built from git, or something else?

If an older version of guacamole-server was installed before, was the old
version of guacd restarted and might there be files from the older build of
guacamole-server still hanging around?

- Mike


Re: 2FA: using TOTP authenticators (examples)

2022-02-09 Thread Mike Jumper
On Wed, Feb 9, 2022 at 5:53 AM Vieri  wrote:

> Here's what I did to make it work.
>
> I edited APP.NAME in
> /guacamole/src/main/frontend/src/translations/en.json
>

This has absolutely no impact on TOTP, and I do not recommend patching the
source like this. If you want to override translation strings, the way to
do this in a stable manner is with an extension:

https://guacamole.apache.org/doc/gug/guacamole-ext

Again, however, this has no impact on TOTP whatsoever. It's a coincidence
that the timing of this change correlated with TOTP working as expected.

> and set the exact same string to totp-issuer.
>

Changing "totp-issuer" will also have no impact whatsoever. It's purely
cosmetic. It just tells the authenticator app what name to use for the
convenience of the user.

> Rebuilt guacamole-client.
>
> Works now with authenticator apps.
>
> Any ideas why one can't customize totp-digits and totp-mode while using
> these apps (eg. Google Authenticator or MS Authenticator)?


THESE values (totp-digits and totp-mode) are the only change that you
needed to make, and the only reason that specific authenticator apps would
not work. Some TOTP apps like Google Authenticator will silently ignore the
TOTP digits and mode, instead assuming that the defaults will always be
used. The authenticator app then begins generating invalid TOTP codes.

You do not need to change "totp-issuer" or edit the source.

- Mike
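
The mismatch described in the reply above, as an added example that is not code from the thread or from Guacamole: an RFC 6238 generator, a server-side check, and the enrollment URI that carries the digits and mode. The 6-digit/SHA-1/30-second defaults, the `otpauth://` key URI layout, the `verify` window and the account and issuer names are assumptions of this sketch; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Digest functions for the HMAC modes defined by RFC 6238.
_MODES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def totp(secret: bytes, unix_time: int, digits: int = 6, mode: str = "sha1",
         period: int = 30) -> str:
    """Return the RFC 6238 code for `secret` at `unix_time`."""
    if mode not in _MODES:
        raise ValueError("unsupported mode: " + mode)
    if not 6 <= digits <= 8:
        raise ValueError("digits must be 6, 7 or 8")
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, _MODES[mode]).digest()
    # RFC 4226 dynamic truncation: the low nibble of the last byte picks
    # the offset of a 31-bit big-endian value.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, digits: int, mode: str,
           period: int = 30, window: int = 1) -> bool:
    """Server-side check with the configured digits/mode, tolerating clock
    drift of `window` time steps either way."""
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * period, digits, mode, period)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enrollment_uri(secret: bytes, account: str, issuer: str, digits: int,
                   mode: str, period: int = 30) -> str:
    """Key URI shown as a QR code at enrollment. The issuer only labels the
    entry; digits and algorithm are the fields an app has to honour."""
    params = urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": mode.upper(),
        "digits": digits,
        "period": period,
    })
    return "otpauth://totp/" + quote(issuer + ":" + account) + "?" + params


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    now = 59                           # RFC 6238 test time
    # Server configured for 8 digits and SHA-256 (hypothetical deployment).
    print(enrollment_uri(secret, "user", "Example", 8, "sha256"))
    honouring_app = totp(secret, now, digits=8, mode="sha256")
    ignoring_app = totp(secret, now)   # app silently falls back to defaults
    print(honouring_app, verify(secret, honouring_app, now, 8, "sha256"))
    print(ignoring_app, verify(secret, ignoring_app, now, 8, "sha256"))
```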


Re: GUAC_ID is required

2022-02-09 Thread Mike Jumper
On Wed, Feb 9, 2022 at 8:12 AM chomik MChamster 
wrote:

> Hi Experts,
>
> I have three instances of guacamole, deployed using the steps from the
> official guacamole manual with mysql and saml authentication.
> From one of those instances I am getting the "GUAC_ID is required" error:
>
> tomcat9[505209]: 15:53:04.502 [http-nio-8080-exec-3] DEBUG
> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket
> tunnel.
> tomcat9[505209]: org.apache.guacamole.GuacamoleClientException: Parameter
> "GUAC_ID" is required.
>
> I did read through this thread -
> https://www.mail-archive.com/user@guacamole.apache.org/msg07521.html but
> I'm not a developer, nor am I building a custom app or anything like that
> (as far as I can tell). The strangest thing to me is that I deployed all
> three instances following the same process. I have checked the
> guacamole.properties as well as SAML authentication settings on Azure side
> but am unable to find the apparent issue.
> Wondering if you could point me to what could be the reason for this error
> and/or maybe help me understand where is this GUAC_ID taken or generated
> from.
>

That parameter, as well as several others, dictate the details of the
request to connect. They are always automatically submitted by the web
application.

Are your three instances behind a balancer? Any chance they may be
different versions, and requests from one are being misrouted by the
balancer to another?

Are you sure that this error is coming from legitimate connection attempts,
and not bogus WebSocket connection attempts from someone probing your
server?

- Mike


Re: Guacamole File transfer issue

2022-01-30 Thread Mike Jumper
On Sun, Jan 30, 2022, 05:34 Giorgio  wrote:

> Hello,
>
> Seeking your help overcoming the following error
>
>  91108#91108: *83 client intended to send too large body: 409063424 bytes,
>

This is an error from Nginx, not Guacamole.

> In short, unable to push a file larger than 57-60Mbytes to rdp.
>

409063424 is ~400M, not 57-60M.

> Pulling a file though has no issues.
>
> Yes I use a reverse proxy on my Guacamole server.
>
> Nginx.conf file was amended inside the http section with the following
> statement:
> *client_max_body_size 200M;*
>

400M > 200M.

> I tried with reverse proxy bypassed, same obstacle.
>

The above error is specifically from Nginx. If you are bypassing Nginx for
testing, then the above error cannot be occurring. Nginx must still somehow
be involved.

If you are going around Nginx and are no longer seeing this error, but are
still unable to transfer the file, please send your Guacamole and guacd
logs.

- Mike


Re: RDP sessions freeze on resize

2022-01-26 Thread Mike Jumper
Sorry - that's resize method set to "reconnect", not "resize".

On Wed, Jan 26, 2022, 15:43 Mike Jumper  wrote:

> So far, testing on my own XRDP connection with a deployment of 1.4.0 and
> resize method set to "resize", I'm not seeing any issue. There is a brief
> pause as the session with XRDP is re-established, but no hanging.
>
> Do you see anything in XRDP's logs that might indicate it's having trouble
> handling the resize?
>
> Anything in the guacd logs?
>
> My suspicions would currently be that something is amiss on the XRDP side,
> and that there isn't anything specific to 1.4.0 causing what you're seeing.
>
> - Mike
>
> On Tue, Jan 25, 2022, 23:47 michael böhm  wrote:
>
>> Hi,
>>
>> could anyone recreate this in his environment? Should I open a Jira
>> ticket?
>>
>> Best wishes
>>
>> Michael
>>
>>
>> *Sent:* Monday, January 10, 2022 at 11:36
>> *From:* "michael böhm" 
>> *To:* user@guacamole.apache.org
>> *Subject:* RDP sessions freeze on resize
>> Hi everyone,
>>
>> I open an RDP session to a Linux host running xrdp in Guacamole 1.4.0.
>> When I resize the browser window by pointing the mouse to the edge of the
>> window, the RDP session freezes immediately. I have to use ctrl + shift +
>> alt menu to disconnect / reconnect manually. Oddly, this does not happen
>> when I maximize / minimize the browser window.
>>
>> I tested on Windows and Linux as Client OS and Firefox and Chrome /
>> Chromium as browsers.
>>
>> Resize Method is set to Reconnect. If I remember correctly, in 1.3.0
>> everything worked fine.
>>
>> Is this a known issue in 1.4.0 or should I do something different? Can
>> you reproduce this or is it something with my setup?
>>
>> Thanks and best wishes
>>
>> Michael
>
>


Re: RDP sessions freeze on resize

2022-01-26 Thread Mike Jumper
So far, testing on my own XRDP connection with a deployment of 1.4.0 and
resize method set to "resize", I'm not seeing any issue. There is a brief
pause as the session with XRDP is re-established, but no hanging.

Do you see anything in XRDP's logs that might indicate it's having trouble
handling the resize?

Anything in the guacd logs?

My suspicions would currently be that something is amiss on the XRDP side,
and that there isn't anything specific to 1.4.0 causing what you're seeing.

- Mike

On Tue, Jan 25, 2022, 23:47 michael böhm  wrote:

> Hi,
>
> could anyone recreate this in his environment? Should I open a Jira ticket?
>
> Best wishes
>
> Michael
>
>
> *Sent:* Monday, January 10, 2022 at 11:36
> *From:* "michael böhm" 
> *To:* user@guacamole.apache.org
> *Subject:* RDP sessions freeze on resize
> Hi everyone,
>
> I open an RDP session to a Linux host running xrdp in Guacamole 1.4.0.
> When I resize the browser window by pointing the mouse to the edge of the
> window, the RDP session freezes immediately. I have to use ctrl + shift +
> alt menu to disconnect / reconnect manually. Oddly, this does not happen
> when I maximize / minimize the browser window.
>
> I tested on Windows and Linux as Client OS and Firefox and Chrome /
> Chromium as browsers.
>
> Resize Method is set to Reconnect. If I remember correctly, in 1.3.0
> everything worked fine.
>
> Is this a known issue in 1.4.0 or should I do something different? Can you
> reproduce this or is it something with my setup?
>
> Thanks and best wishes
>
> Michael


Re: Re: Fw:ssh typescripts recording

2022-01-26 Thread Mike Jumper
On Wed, Jan 26, 2022, 00:27 Simon  wrote:

>
> Thanks.
>
> But there is another issue. Here is the guacd log:
>
> ```
>
> guacd[8]: INFO: Connection "$1b98e104-5690-4678-a8e8-a2b3101b" removed.
>
> guacd[8]: INFO: Creating new client for protocol "ssh"
>
> guacd[8]: INFO: Connection ID is "$9723599a-bbf3-49e1-8262-fe04a1c6bb6a"
>
> guacd[3235]: INFO:
> User "@d2be2022-cbfc-4f16-9300-6a036f153a14" joined connection 
> "$9723599a-bbf3-49e1-8262-fe04a1c6bb6a" (1 users now present)
>
> guacd[3235]: ERROR: Creation of recording failed: No such file or directory
>
> guacd[3235]: ERROR:
> Creation of typescript failed: No such file or directory
> ```
>
> It should create the dir automatically as I configured.
>

Only the final directory of the path is auto-created. The other parts must
already exist.

See:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#text-session-recording-typescripts

- Mike


Re: 2FA not showing QR

2022-01-19 Thread Mike Jumper
On Wed, Jan 19, 2022, 22:05 Don Eugene Paul Viado 
wrote:

> Hi,
>
> In 1.3.0, when a new user is created they can log in with the initial
> password and if 2FA is activated they are presented with a QR code to enroll
> in device.  This doesn't work now in 1.4.0.  Does anyone have the same
> issue and can you please advise how it is fixed?
>

Can you provide any more detail? How is it not working, specifically? Are
you seeing an enrollment prompt that's missing a QR code, or is it as if
TOTP isn't enabled at all? What other extensions are installed?

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-18 Thread Mike Jumper
On Tue, Jan 18, 2022, 01:44 Antoine G.  wrote:

> On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:
> > We do not plan to release patches for lower versions. Essentially, 1.4.0
> > is the patch.
>
> Thank you for your answer.
>
> Just to be sure I understand the CVE and the stack, do you confirm that
> technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd
> in 1.3.0) is enough to patch the CVE?
>

Yes.

- Mike


Re: Connection list empty since upgrade to Guacamole 1.4

2022-01-16 Thread Mike Jumper
On Sun, Jan 16, 2022, 16:42 LatChee  wrote:

> Hi there,
>
> I upgraded to Guacamole 1.4 and since then the connections list under
> settings is empty.
> However, I can still create new connection or new group. Those then show
> up in the "Home" page and can be used to connect to a machine.
>
> Would you be able to help me with this issue?
>

Are you sure your user account has permission to see the connections in
question?

Has your group membership changed at all (including externally)?

What are you using for authentication?

- Mike


Re: Guacamole update: on-screen keyboard and printing

2022-01-13 Thread Mike Jumper
On Thu, Jan 13, 2022 at 2:46 AM Vieri  wrote:
>
> On Thursday, January 13, 2022, 09:55:26 AM GMT+1, Mike Jumper 
>  wrote:
>
> >> I can even send the "empty" PDF file that the client downloads if that can 
> >> be of any help.
> >
> > Sure - I'd be interested to see the content received.
>
> I'm attaching the PDF. You should see "printer test" on the first page. 
> Instead, it's blank.
>

It looks like the issue lies in GhostScript itself, perhaps due to an
update that affects the command-line options accepted by "gs". Within
the PDF you attached, there's junk at the top consisting of
errors/warnings from GhostScript:

Error: /undefined in .setpdfwrite
Operand stack:

Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:764/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local

Searching around for the above error, there's a post that suggests the
"-c .setpdfwrite" option has been deprecated by GhostScript:

https://stackoverflow.com/questions/57787990/strange-error-on-ghostscript-conversion-ps-to-pdf

That option is indeed passed to "gs" in the case of the print filter
command used by the RDP support:

https://github.com/apache/guacamole-server/blob/b2ae2fdf003a6854ac42877ce0fce8e88ceb038a/src/protocols/rdp/print-job.c#L34-L54

- Mike




Re: Guacamole update: on-screen keyboard and printing

2022-01-13 Thread Mike Jumper
On Tue, Jan 11, 2022, 22:19 Vieri  wrote:

>  On Tuesday, January 11, 2022, 11:43:54 PM GMT+1, Mike Jumper <
> mjum...@apache.org> wrote:
>
> > Are you running a copy of the webapp that has been modified from the
> > mainline .war in any way?
>
>
> No, these are the exact commands I run on my system:
>
> # wget https://apache.org/dyn/closer.lua/guacamole/1.4.0/binary/guacamole-1.4.0.war?action=download -O HMANsq.war
> # mv ./HMANsq.war /var/lib/tomcat-8.5-hman/webapps/HMANsg.war
> # /etc/init.d/tomcat-8.5-hman restart
>  * Stopping 'tomcat-8.5-hman'
> ...
> [ ok ]
>  * Starting tomcat-8.5-hman
> ...
> [ ok ]
>
> I can even send the "empty" PDF file that the client downloads if that can
> be of any help.
>

Sure - I'd be interested to see the content received.

Do you see any warnings in the Guacamole logs regarding the HTTP tunnel?

> If I roll back to using the previous server printing to PDF works fine (I
> get a PDF with the right content).
>

Are you saying that if you run the 1.3.0 guacd with the 1.4.0 webapp, the
problem disappears?

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022 at 4:52 PM  wrote:
>
> Hello,
>
> Can this vulnerability be protected by a WAF such as ModSecurity?
>

I would not recommend relying solely on a WAF to defend against a
known issue in any application. With the issue in question being
patched in the latest release (1.4.0), your best option is to upgrade
to 1.4.0 and thus deploy the relevant patch.

- Mike




Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri  wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: high
> >
> > Description:
> >
> > Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> > received from a SAML identity provider. If SAML support is enabled,
> > this may allow a malicious user to assume the identity of another
> > Guacamole user.
> >
> > Credit:
> >
> > We would like to thank Finn Steglich (ETAS) for reporting this issue.
> >
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The SAML authentication extension for the webapp.

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri  wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: moderate
> >
> > Description:
> >
> > Apache Guacamole 1.3.0 and older may incorrectly include a private
> > tunnel identifier in the non-private details of some REST responses.
> > This may allow an authenticated user who already has permission to
> > access a particular connection to read from or interact with another
> > user's active use of that same connection.
> >
> > Credit:
> >
> > We would like to thank Damian Velardo (Australia and New Zealand
> > Banking Group) for reporting this issue.
> >
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The web application (.war).

- Mike


Re: guacamole-server compilation error

2022-01-11 Thread Mike Jumper
On Tue, Jan 11, 2022 at 2:12 PM Vieri  wrote:
>
> Hi,
>
> When I try to build 
> https://apache.org/dyn/closer.lua/guacamole/1.4.0/source/guacamole-server-1.4.0.tar.gz?action=download
>  I get this error:
>
> x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../..-Werror -Wall 
> -I../../src/libguac  -O2 -pipe -c -o guacenc-instruction-cfill.o `test -f 
> 'instruction-cfill.c' || echo './'`instruction-cfill.c
> ffmpeg-compat.c: In function ‘guacenc_avcodec_encode_video’:
> ffmpeg-compat.c:140:5: error: ‘av_init_packet’ is deprecated 
> [-Werror=deprecated-declarations]
>   140 | av_init_packet();
>   | ^~
> In file included from /usr/include/libavcodec/bsf.h:30,
>  from /usr/include/libavcodec/avcodec.h:44,
>  from video.h:27,
>  from ffmpeg-compat.h:24,
>  from ffmpeg-compat.c:21:
> /usr/include/libavcodec/packet.h:488:6: note: declared here
>   488 | void av_init_packet(AVPacket *pkt);
>   |  ^~
>
>
> I have ffmpeg-4.4.1.
>
> This is a part of the configure script output:
>
> 
> guacamole-server version 1.4.0
> 
>...
>Services / tools:
>
>   guacd .. yes
>   guacenc  yes
>   guaclog  yes
>
>FreeRDP plugins: /usr/lib64/freerdp2
>Init scripts: no
>Systemd units: no
>
> Any clues?
>

Do you need guacenc? If not, you can disable that part of the build by
passing the "--disable-guacenc" option to the configure script.

The above build issue is specific to guacenc and newer FFMpeg. It's
been fixed, but that fix is not part of 1.4.0:
https://issues.apache.org/jira/browse/GUACAMOLE-1330

- Mike




Re: Guacamole update: on-screen keyboard and printing

2022-01-11 Thread Mike Jumper
Are you running a copy of the webapp that has been modified from the
mainline .war in any way?

- Mike

On Tue, Jan 11, 2022, 09:10 Vieri  wrote:

> Hi,
>
> After 2+ years of Guacamole running fine with the same version (and
> dependencies) I decided it was time to update the whole system.
> So the new system has a new freerdp lib, a new tomcat (but still 8.5), new
> guacd, etc.
> The clients and the target systems however are the same.
>
> There are two major issues I've encountered.
>
> On a Linux client with Firefox 95.0.1 amd64 the on-screen keyboard is
> always there no matter which other "input method" I choose. This does not
> occur with Google Chrome.
>
> Printing to a virtual PDF device opens a valid PDF file with a blank page.
>
> The target RDP systems are Windows 10, 7 and Server 2012.
>
> Installing the WAR file from the older Guacamole server does not change
> this behavior.
>
> So I'm guessing the problem might be with either freerdp or guacd. At
> least as far as the second issue is concerned (printing).
>
> The guacd log doesn't display any errors:
>
> guacd[29594]: Device 0 (PDF local) connected successfully
> guacd[29594]: Ignoring printer cached configuration data
> guacd[29594]: Print job created
> guacd[29594]: Created PDF filter process PID=29882
> guacd[29594]: Reading output from filter process...
> guacd[29882]: Running gs
> guacd[29594]: Beginning print stream: (*test. Notepad).pdf
> guacd[29594]: Sending 474 byte(s) of filtered output.
> guacd[29594]: Sending 2156 byte(s) of filtered output.
> guacd[29594]: End of print stream.
> guacd[29594]: Print job completed.
> guacd[29594]: Print job closed
>
> I have ghostscript 9.55.0.
>
> Any clues?
>
> What can I try?
>
> Regards,
>
> Vieri
>
>
>
>
>


[SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

2022-01-11 Thread Mike Jumper
Severity: high

Description:

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
received from a SAML identity provider. If SAML support is enabled,
this may allow a malicious user to assume the identity of another
Guacamole user.

Credit:

We would like to thank Finn Steglich (ETAS) for reporting this issue.




[SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-11 Thread Mike Jumper
Severity: moderate

Description:

Apache Guacamole 1.3.0 and older may incorrectly include a private
tunnel identifier in the non-private details of some REST responses.
This may allow an authenticated user who already has permission to
access a particular connection to read from or interact with another
user's active use of that same connection.

Credit:

We would like to thank Damian Velardo (Australia and New Zealand
Banking Group) for reporting this issue.




Re: Odd Ctrl-Shift-Alt Behavior

2022-01-06 Thread Mike Jumper
On Thu, Jan 6, 2022, 16:53 Nick Couchman  wrote:

> On Thu, Jan 6, 2022 at 7:17 PM Hankins, Jonathan <
> jhank...@homewood.k12.al.us> wrote:
>
>> Hey Nick, I am not seeing this. It sounds like Alt is "sticking" somehow
>> though, almost like it's toggling instead of momentary. I have seen this in
>> various situations with different remote desktop / web consoles / nested
>> sessions / whatever over the years -- alt+tab and alt stays "pressed"
>> inside the session. Curious if, when Ctrl-Alt-End doesn't work, if you do
>> it again, does it work (i.e., 1st attempt "toggled" alt keypress off, so
>> session actually receives all 3 the second attempt?).
>>
>>
> Yeah, Jonathan, I think you're correct - it seems to be "toggling" it
> somehow or another. I'll have to play around a bit more and see if I can
> consistently reproduce the behavior, and maybe I'll do a "git bisect" and
> try to track down where it changed. It's definitely slightly different
> between 1.3.0 and 1.4.0 - something changed enough that my usage of it is
> impacted.
>

So far, Ctrl+Alt+Shift for me is behaving just like it always has. Menu
opens, menu closes, keys pressed in any order.

- Mike


Re: [ANNOUNCE] Apache Guacamole 1.4.0

2022-01-06 Thread Mike Jumper
On Thu, Jan 6, 2022 at 3:50 PM Mike Jumper  wrote:
>
> On Thu, Jan 6, 2022 at 3:30 PM International Security Providers
>  wrote:
> >
> > hey everyone, it's great to see the new release!
> > I currently use a docker-setup and noticed that "latest" isn't 1.4 yet.
> > will this happen soon, or should I change my tags to 1.4?
>
> It should already be 1.4.0. I think the Jenkins job that rebuilds the
> Docker images just hasn't been updated to point to 1.4.0, and it thus
> replaced the "latest" tag with the previous release. I'll verify the
> build and rerun.

Things should now be correct. Let us know if you still see the wrong version.

- Mike




Re: [ANNOUNCE] Apache Guacamole 1.4.0

2022-01-06 Thread Mike Jumper
On Thu, Jan 6, 2022 at 3:30 PM International Security Providers
 wrote:
>
> hey everyone, it's great to see the new release!
> I currently use a docker-setup and noticed that "latest" isn't 1.4 yet.
> will this happen soon, or should I change my tags to 1.4?

It should already be 1.4.0. I think the Jenkins job that rebuilds the
Docker images just hasn't been updated to point to 1.4.0, and it thus
replaced the "latest" tag with the previous release. I'll verify the
build and rerun.

- Mike




Re: SAML in a loop

2022-01-05 Thread Mike Jumper
On Wed, Jan 5, 2022, 06:32 Tobias Heim  wrote:

> Hi Mike,
>
>
>
> Thanks a lot for your suggestions! I think it’s related to nginx, yes –
> with the X-Forwarded-Proto and X-Forwarded-Host I got further (before, it
> told me the URL for the callback would be http:/localhost:8080/…), but it
> still does not work due to the following problem:
>
>
>
> 15:24:42.905 [http-nio-8080-exec-6] WARN
> o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted
> with an invalid SAML response: SAML response did not pass validation: The
> response was received at https://myserver/*guacamole*/api/ext/saml/callback
> instead of https://myserver/api/ext/saml/callback
>
>
>
> Somehow I cannot get rid of the extra /guacamole/ in that path, even when
> setting all the headers you provided to me..
>
>
>
> Do you know how to do that?
>

Instead of altering the request path within Nginx, I would rename the .war
file to "ROOT.war". That will cause Tomcat to serve the application
directly from "/" instead of "/guacamole".

- Mike


Re: SAML in a loop

2022-01-05 Thread Mike Jumper
On Wed, Jan 5, 2022, 04:55 Nick Couchman  wrote:

> On Wed, Jan 5, 2022 at 6:41 AM Tobias Heim  wrote:
>
>> Hey team,
>>
>> we upgraded guacamole from 1.3 to 1.4 – in the old version, using SAML
>> with Duo authenticator was fine.
>>
>> But now it seems some information is not considered anymore as using
>> SSO-SAML means landing in a login loop – it always forwards from
>> https://ourguacamoleserver/api/ext/saml/login to the external address of
>> DUO and back and again and again..
>>
>> Did the callback address change from /api/ext/saml/callback to something
>> else maybe?
>>
>> Do you know what may cause this issue? The only chance for me to get out
>> of this loop was to enable the manual login window..
>>
>>
>>
>
> No, the callback address did not change. You'll probably need to look at
> logs for both Guacamole Client (Tomcat or whatever app server you're using)
> and see if there's any reason being returned by the system for the login
> failure. You may even need to enable some debugging - either for the web
> app in general or using the saml-debug property in guacamole.properties (or
> both) to see additional messages.
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application
>

Tobias, are you using Nginx for SSL termination perchance? If so, try
adding the following to what you already have in your Nginx config:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;

I encountered something similar recently, and I think that some of the
dependency updates affected the headers required with respect to
determining the true URL applicable to things like the SAML ACS.

With the above, you will likely also need a RemoteIpValve entry in Tomcat's
server.xml, if you don't already have it:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

- Mike


Re: [ANNOUNCE] Apache Guacamole 1.4.0

2022-01-04 Thread Mike Jumper
On Tue, Jan 4, 2022, 02:46 Piviul  wrote:

> On 04/01/22 10:17, Mike Jumper wrote:
>
> On Tue, Jan 4, 2022, 00:34 Piviul  wrote:
>
>> [2022-01-04 09:08:35] [info] 09:08:35.687
>> [https-openssl-nio-8443-exec-2] ERROR
>> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel
>> to guacd failed: java.net.ConnectException: Connection refused
>> (Connection refused)
>> [2022-01-04 09:08:35] [info] 09:08:35.778
>> [https-openssl-nio-8443-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
>> - HTTP tunnel request failed: java.net.ConnectException: Connection
>> refused (Connection refused)
>>
>
> This means guacd is not running or is not listening on the expected
> address.
>
> but guacd seems to work correctly:
>
> # systemctl status guacd.service
> ...
> Jan 04 08:51:22 guacamoletest systemd[1]: Started LSB: Guacamole proxy
> daemon.
> Jan 04 08:51:22 guacamoletest guacd[186]: Listening on host ::1, port 4822
>
> guacd seems to be running... please can you help me to verify if guacd is
> listening on the expected address?
>

According to the above, it's listening on IPv6 localhost. If Java is
resolving localhost to the IPv4 address, then that would explain why the
connection fails.

Try manually overriding the bind host for guacd to 127.0.0.1:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html?highlight=bind_host#configuring-guacd

- Mike


Re: Fetch API-token not working in 1.4.0

2022-01-04 Thread Mike Jumper
On Tue, Jan 4, 2022, 01:36 michael böhm  wrote:

> Hello everyone
>
> I upgraded to 1.4.0 and since then I cannot fetch the API token using this
> example Python code:
>
> ##
>
> #!/usr/bin/python3
> import sys
> import json
> import requests
> import os
>
> guac_host = "127.0.0.1"
> guac_port = "8080"
> guac_api_base = "http://{}:{}/guacamole/api/".format(guac_host, guac_port)
> guac_username = "guacadmin"
> guac_password = "***PASSWORD***"
>
> os.environ['NO_PROXY'] = '127.0.0.1'
>
> def get_guac_api_token(guac_username, guac_password):
>     api_url = "{0}tokens".format(guac_api_base)
>     text_body = "username={0}&password={1}".format(guac_username, guac_password)
>     response = requests.post(api_url, data=text_body.encode("utf-8"))
>
>     if not response.status_code == 200:
>         print(response.status_code)
>         print(response.content)
>         print("Error acquiring guacamole api-token. Aborting")
>         return(None)
>
>     json_response = response.content.decode()
>     json_response = json.loads(json_response)
>     return json_response["authToken"]
>
> api_token = get_guac_api_token(guac_username, guac_password)
>
> if api_token is None:
>     exit(1)
>
> ##
>
> Output is:
>
> 500
> b'{"message":"Unexpected internal
> error","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Unexpected
> internal
> error"}},"statusCode":null,"expected":null,"type":"INTERNAL_ERROR"}'
> Error acquiring guacamole api-token. Aborting
>
>
> Has there anything changed from 1.3.0 where everything is working fine?
>

Not directly, but a number of dependencies were upgraded, including Jersey.
It's possible the newer Jersey is more strict in its request handling.

If you can throw up a packet capture to see the actual content of the
request, I would compare that against the request sent by the browser
during login to see where the difference lies.

My guess is that you are missing a header in the Python code, presumably
"Content-Type: application/x-www-form-urlencoded".

- Mike
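
The comparison suggested above can also be made without a packet capture, by asking requests what it would put on the wire. This added example (not code from the thread; the URL, credentials and function names are placeholders) prepares the token request both ways: a pre-encoded bytes body goes out with no Content-Type header, while a dict body is form-encoded, escaped and labelled as a form.

```python
"""Compare two ways of building the POST /api/tokens request, offline."""
from urllib.parse import parse_qs

import requests

# Placeholder values for illustration; preparing a request sends nothing.
API_URL = "http://127.0.0.1:8080/guacamole/api/tokens"
USERNAME = "guacadmin"
PASSWORD = "p&ss=w0rd+1"   # constructed password containing form metacharacters


def prepare_handbuilt(username, password):
    """Body assembled by string formatting and passed as bytes, as in the post."""
    body = "username={0}&password={1}".format(username, password)
    req = requests.Request("POST", API_URL, data=body.encode("utf-8"))
    return req.prepare()


def prepare_form(username, password):
    """Body passed as a dict: requests URL-encodes it and sets the form type."""
    req = requests.Request("POST", API_URL,
                           data={"username": username, "password": password})
    return req.prepare()


def describe(prepared):
    """Return (Content-Type header, fields a form parser would recover)."""
    body = prepared.body
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {name: values[0] for name, values in parsed.items()}
    return prepared.headers.get("Content-Type"), fields


def fetch_token(username, password, timeout=10):
    """Send the form-encoded request and return authToken (needs a live server)."""
    response = requests.post(API_URL,
                             data={"username": username, "password": password},
                             timeout=timeout)
    response.raise_for_status()
    return response.json()["authToken"]


if __name__ == "__main__":
    for label, prepared in (("hand-built", prepare_handbuilt(USERNAME, PASSWORD)),
                            ("dict", prepare_form(USERNAME, PASSWORD))):
        content_type, fields = describe(prepared)
        print(label, "| Content-Type:", content_type, "| parsed fields:", fields)
```

The hand-built body also splits a password containing `&` or `=` into extra fields, so the dict form is the safer default even where the header is not the cause of the 500.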


Re: limit login attempts

2022-01-04 Thread Mike Jumper
On Mon, Jan 3, 2022, 23:26 Vieri  wrote:

> Hi,
>
> I believe this question has already been asked, but I can't seem to find
> an answer in the docs or mailing list archives.
>
> My Guacamole login mechanism uses LDAP (AD server). Now, I could configure
> the AD server to disable user accounts after 3 login attempts.
> However, I'm wondering if Guacamole itself has a way to limit user login
> attempts.
>

Not within Guacamole itself, but within the Guacamole server:

If you install fail2ban and configure it to recognize the invalid login
messages in the Guacamole logs, then brute-force login attempts are
automatically blocked at the firewall level.

- Mike
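
What fail2ban does with those log messages can be tried out before writing a filter for it. This added example (not part of the thread, and not fail2ban's own code) counts failed logins per source address over constructed log lines; the message wording and layout are assumptions modelled on the log excerpts in this archive, and `max_retry` / `find_time` mirror fail2ban's `maxretry` and `findtime` jail options.

```python
"""fail2ban-style counting of failed Guacamole logins, on constructed log lines."""
import re
from collections import defaultdict, deque

# Assumed line shape (check it against your own logs before relying on it):
#   HH:MM:SS.mmm [thread] WARN  logger - Authentication attempt from ADDR for user "NAME" failed.
# The pattern is anchored at both ends and the address is taken from the part
# of the line that precedes the user-supplied name, so text typed into the
# username field cannot be read as a second log entry.
FAILED_LOGIN = re.compile(
    r'^(?:\[[^\]]*\]\s+)*'                      # optional "[date] [level]" wrapper
    r'(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d{3}\s+\[[^\]]*\]\s+WARN\s+\S+\s+-\s+'
    r'Authentication attempt from (?P<addr>[0-9A-Fa-f:.]+) '
    r'for user "(?P<user>[^"]*)" failed\.\s*$'
)

# Constructed sample input (documentation address ranges, invented users).
SAMPLE_LOG = '''\
09:00:01.120 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "admin" failed.
09:00:03.455 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "root" failed.
09:00:04.010 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from 198.51.100.20.
09:00:06.901 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
09:05:00.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.20 for user "alice" failed.
09:30:00.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.20 for user "alice" failed.
09:55:00.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.20 for user "alice" failed.
09:56:00.000 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.50 for user "x 09:56:00.000 [t] WARN l - Authentication attempt from 192.0.2.99 for user "y" failed.
'''.splitlines()


def find_offenders(lines, max_retry=3, find_time=600):
    """Return {address: sorted usernames tried} for every address that reached
    max_retry failed logins within find_time seconds."""
    recent = defaultdict(deque)   # address -> failure times still inside the window
    tried = defaultdict(list)     # address -> usernames attempted
    offenders = {}
    day_offset, last_seen = 0, None
    for line in lines:
        match = FAILED_LOGIN.match(line)
        if not match:
            continue              # not a failed login, or not in the expected shape
        clock = int(match["h"]) * 3600 + int(match["m"]) * 60 + int(match["s"])
        if last_seen is not None and clock < last_seen:
            day_offset += 86400   # time of day only: treat a step back as midnight
        last_seen = clock
        now = clock + day_offset

        addr = match["addr"]
        window = recent[addr]
        window.append(now)
        while now - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        tried[addr].append(match["user"])
        if len(window) >= max_retry:
            offenders[addr] = sorted(set(tried[addr]))
    return offenders


if __name__ == "__main__":
    for addr, users in find_offenders(SAMPLE_LOG).items():
        print("would ban", addr, "after attempts as", users)
```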


Re: [ANNOUNCE] Apache Guacamole 1.4.0

2022-01-04 Thread Mike Jumper
On Tue, Jan 4, 2022, 00:34 Piviul  wrote:

> On 04/01/22 06:53, Piviul wrote:
> > Hi Nick, thank you very much; there is a way to know the version I
> > have installed? I think I have the 1.1 version of guacamole on a
> > debian buster...
> ok, I can confirm, I have the 1.1 version. Now I have compiled the
> server, replaced the client and replaced the extensions but i get the
> following error when I try to connect to an rdp connection:
> [2022-01-04 09:08:35] [info] 09:08:35.687
> [https-openssl-nio-8443-exec-2] ERROR
> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel
> to guacd failed: java.net.ConnectException: Connection refused
> (Connection refused)
> [2022-01-04 09:08:35] [info] 09:08:35.778
> [https-openssl-nio-8443-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: java.net.ConnectException: Connection
> refused (Connection refused)
>

This means guacd is not running or is not listening on the expected address.

> Do you think that it is better to upgrade from 1.1 to 1.4 upgrading one
> release at time i.e. 1.1->1.2 and then 1.2->1.3 and finally 1.3->1.4?
>

No, there are no incremental changes that would need to be layered like
that. You can go directly from any 1.x release to any other 1.x release.

- Mike


Re: compile warning

2022-01-03 Thread Mike Jumper
On Mon, Jan 3, 2022, 23:19 Piviul  wrote:

> When I try to compile the guacamole 1.4 server on a debian buster I get
> this error:
> > configure: error:
> >   
> >You are building against a development version of FreeRDP. Non-release
> >versions of FreeRDP may have differences in behavior that are
> > impossible to
> >check for at build time. This may result in memory leaks or other
> > strange
> >behavior.
> >
> >*** PLEASE USE A RELEASED VERSION OF FREERDP IF POSSIBLE ***
> >
> >If you are ABSOLUTELY CERTAIN that building against this version of
> > FreeRDP
> >is OK, rerun configure with the --enable-allow-freerdp-snapshots
> >   
>
> I don't think I have a development version of FreeRDP, I have installed
> the freeRDP version released in buster...


You do - the version of FreeRDP in the main Debian Buster repository is a
non-release git snapshot.

For a stable release, you'll need the buster-backports repository or a
newer Debian like Bullseye.

> OK, I can continue adding as
> suggested the flag --enable-allow-freerdp-snapshots but if someone can
> help me to understand this warning...
>

Please don't do this - the warning is there for a reason. The proper
solution is not to bypass the warning with that flag, but to install a
stable release of FreeRDP.

- Mike


Re: about TOTP auth only work with default settings

2022-01-02 Thread Mike Jumper
On Sun, Jan 2, 2022, 21:55 Bruce Cheng  wrote:

> Hi,
>
> I currently use Apache Guacamole version 1.3.0 with MySQL+LDAP (Active
> Directory)+TOTP successfully. I configured TOTP with the following settings in
> /etc/guacamole/guacamole.properties
>
> # TOTP properties
> totp-issuer: MYCLOUD
> #totp-digits: 8
> totp-digits: 6
> totp-period: 30
> totp-mode: sha256
>
> When I change the value of totp-digits from 6 to 8 and restart tomcat, I
> scan the first QRcode via my mobile, My authenticator app only showed 6
> digits but not 8 digits. I also saw the web page show "enter the 8-digit
> authentication code ". Of course, it was shown as a failure.
>
> When I remarked those settings (except " totp-issuer "), I could sign on
> it.
>
> May I know if this is the bug or what kind of settings I should use?
>

It's not a bug - not all authenticator apps support these settings, and
some will silently ignore them.

Unless you have confirmed that your authenticator app supports these
settings, the correct settings to use on the Guacamole side are the
defaults.

- Mike


[ANNOUNCE] Apache Guacamole 1.4.0

2022-01-02 Thread Mike Jumper
The Apache Guacamole community is proud to announce the release of
Apache Guacamole 1.4.0.

Apache Guacamole is a clientless remote desktop gateway which supports
standard protocols like VNC, RDP, and SSH. We call it "clientless"
because no plugins or client software are required; once Guacamole is
installed on a server, all you need to access your desktops is a web
browser.

The 1.4.0 release features support for connection tiling, broadcasting
keyboard events across multiple connections, and authentication with
encrypted and signed JSON. Established support for single sign-on has
been improved, multi-touch support for RDP has been added, and
problems with audio input support for RDP have been corrected.

A full list of the changes in this release, along with links to
downloads and updated documentation, can be found in the release
notes:

http://guacamole.apache.org/releases/1.4.0/

For more information on Apache Guacamole, please see:

http://guacamole.apache.org/

Thanks and Happy New Year!

The Apache Guacamole Community




Re: RDP Credentials

2021-12-19 Thread Mike Jumper
On Sun, Dec 19, 2021, 01:44 Abramson, Eli
 wrote:

> Hi,
>
> Is it possible to create and connect to an RDP host without setting the
> credentials during the creation of the connection template?
>
> Does Guacamole have the option to ask the user for credentials via UI?
>

Yes, if you don't set those parameters, the user will be prompted.

You can also use credential pass-through using parameter tokens if your
users' desktop credentials will match their Guacamole credentials (common
with LDAP):

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

- Mike


Re: Log4j vulnerability exposure

2021-12-16 Thread Mike Jumper
On Thu, Dec 16, 2021, 13:02 Mike Jumper  wrote:

> On Thu, Dec 16, 2021, 12:54 Tim Worcester 
> wrote:
>
>> Not affected: https://github.com/apache/guacamole-website/pull/97
>>
>
> The live version of the above:
>
> https://guacamole.apache.org/security/#not-affected-by-cve-2021-44228
>

Also, Jose, as you mentioned Glyptodon, there is similar clarification
there:

https://glyp.to/doc/latest/faq-for-cve-2021-44228-42598682.html

- Mike


Re: Log4j vulnerability exposure

2021-12-16 Thread Mike Jumper
On Thu, Dec 16, 2021, 12:54 Tim Worcester 
wrote:

> Not affected: https://github.com/apache/guacamole-website/pull/97
>

The live version of the above:

https://guacamole.apache.org/security/#not-affected-by-cve-2021-44228

- Mike


Re: Sharing Profile Questions

2021-12-08 Thread Mike Jumper
On Wed, Dec 8, 2021, 08:37 Nick Couchman  wrote:

> On Wed, Dec 8, 2021 at 5:43 AM Barak, Tal 
> wrote:
>
>> Hello,
>>
>>
>>
>> I will appreciate your help with the following two questions:
>>
>>
>>
>>1. Is there a way to create a sharing profile link which only
>>authenticated users will able to view/use? When I create a sharing profile
>>link from the menu, the link can be used by all users including anonymous
>>users.
>>
>>
> Not creating the link, no - the entire point of creating a sharing
> profile link is that you can provide that link to anyone and they will able
> to use it, whether or not they are signed in to Guacamole. It's honestly
> been a while since I messed around with connection sharing - it isn't
> something I use all that much - so I can't remember if there's any other
> way for users to access that shared connection.
>
>
>
>>
>>2. I understand that users with administrative privilege can view an
>>existing session even if a sharing profile link wasn’t generated and no
>>sharing profile is defined under the connection settings
>>(If I understand correctly, this can be done by going, as an
>>administrator, to sessions -> active connections and then clicking on the
>>link in the left side of the desired connection row).
>>
>>However, when using this method, the administrator joins the session
>>with full controls, as opposed to sharing profile which you can limit to
>>read-only. Is there a way to limit administrators when they join sessions
>>so they will have read-only permissions only?
>>
>>
>>
>
> No, there is no way to limit administrators to read-only access to the
> connections - that's part of what being an Administrator in Guacamole
> entails.
>

This is possible through an extension (decorate the GuacamoleTunnel
returned for the active connection, apply a filter that rejects inbound
instructions except for "sync" and "nop").

In general, I think it could be a useful feature to have the guac UI
automatically disable mouse/keyboard input for joined active sessions, with
some button or similar unlocking the session when the admin needs control.

- Mike
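
The filtering rule described above (reject everything a joined client sends except "sync" and "nop") depends on parsing the Guacamole protocol's length-prefixed elements correctly. This added example shows that logic in Python on constructed traffic; it is not the guacamole-ext Java API and not code from the project, and `ReadOnlyFilter`, `parse_instructions` and the buffer limit are hypothetical names and values chosen here.

```python
"""Read-only filtering of client-to-server Guacamole instructions (logic only)."""

ALLOWED_OPCODES = frozenset({"sync", "nop"})   # the two opcodes named in the reply


class ProtocolError(ValueError):
    """Raised when input does not follow LENGTH.VALUE,LENGTH.VALUE,...; framing."""


def encode(elements):
    """Serialise one instruction; lengths count characters, not bytes."""
    return ",".join("{0}.{1}".format(len(e), e) for e in elements) + ";"


def parse_instructions(data):
    """Parse all complete instructions in `data` (decoded text).

    Returns (instructions, remainder). Each instruction is a list of strings
    with the opcode first; remainder is the trailing partial instruction.
    """
    instructions, elements = [], []
    pos = start = 0
    while True:
        dot = data.find(".", pos)
        length_text = data[pos:] if dot == -1 else data[pos:dot]
        if length_text and not (length_text.isascii() and length_text.isdigit()):
            raise ProtocolError("bad length prefix: %r" % length_text)
        if dot == -1:
            break                          # length prefix not complete yet
        if not length_text:
            raise ProtocolError("missing length prefix")
        end = dot + 1 + int(length_text)
        if end >= len(data):
            break                          # value or terminator not received yet
        elements.append(data[dot + 1:end])
        terminator = data[end]
        if terminator == ";":
            instructions.append(elements)
            elements, start = [], end + 1
        elif terminator != ",":
            raise ProtocolError("bad terminator: %r" % terminator)
        pos = end + 1
    return instructions, data[start:]


class ReadOnlyFilter:
    """Buffers what the client sends and forwards only allowed instructions."""

    def __init__(self, allowed=ALLOWED_OPCODES, max_buffer=8192):
        self.allowed = allowed
        self.max_buffer = max_buffer       # limit chosen for this example
        self.buffer = ""
        self.dropped = []                  # opcodes rejected so far, for auditing

    def feed(self, chunk):
        """Take a chunk from the client; return the text to pass on to guacd."""
        instructions, self.buffer = parse_instructions(self.buffer + chunk)
        if len(self.buffer) > self.max_buffer:
            raise ProtocolError("instruction exceeds buffer limit")
        forwarded = []
        for instruction in instructions:
            if instruction[0] in self.allowed:
                # Re-encode from the parsed elements so that exactly what was
                # validated is what gets forwarded.
                forwarded.append(encode(instruction))
            else:
                self.dropped.append(instruction[0])
        return "".join(forwarded)


if __name__ == "__main__":
    # Constructed client traffic, delivered in arbitrary chunks.
    guard = ReadOnlyFilter()
    for chunk in ("4.sync,13.16412", "83200000;3.key,5.65507,1.1;",
                  "3.nop;4.blob,1.1,6.3.nop;;5.mouse,3.120,2.80,1.1;"):
        print(repr(chunk), "->", repr(guard.feed(chunk)))
    print("dropped:", guard.dropped)
```

The `blob` instruction in the sample carries a value that itself looks like `3.nop;`; because elements are read by their declared length rather than by splitting on `;`, the whole instruction is dropped.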


Re: Simple extension not working

2021-12-08 Thread Mike Jumper
On Wed, Dec 8, 2021, 02:17 sam g  wrote:

> Hello,
>
> I can't figure out how to make the simple extension described here
> https://guacamole.apache.org/doc/gug/guacamole-ext.html , "Updating
> existing HTML", work.
>
> ...
>
> The build is successful:
> [INFO] Building tar:
> /home/sam/guacamole-client-1.3.0/target/guacamole-client-1.3.0.tar.gz
> [INFO]
> 
> [INFO] Reactor Summary:
> [INFO]
> ...
> [INFO] guacamole-auth-saml 1.3.0 .. SUCCESS [
> 0.744 s]
> *[INFO] guacamole-toto 1.3.0 ... SUCCESS [
> 0.122 s]*
> [INFO] guacamole-client 1.3.0 . SUCCESS [
> 2.615 s]
> [INFO]
> 
> [INFO] BUILD SUCCESS
> [INFO]
> 
>
> Tomcat is stopped, the war copied in the right place, Tomcat is started.
> I checked and the html file and the manifest are in the war.
> Still, nothing is displayed on the logon page.
>
> What am I missing? How can I debug this?
>

There is a bit of a misunderstanding here about what an extension is. An
extension does not need to be part of the guacamole-client build or source
tree, nor will being part of the build have any effect on the .war, nor
will the presence of a guac-manifest.json *in the .war file* have any
impact on the webapp.

An extension is an independent .jar file that contains a
guac-manifest.json. This is part of the point of extensions: they can be
developed independently of the mainline source and installed without
rebuilding the source.

To create an extension, you create a .jar file that follows the format
described in the documentation:

https://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-file-format

To install an extension, you copy the .jar produced into
GUACAMOLE_HOME/extensions/ (typically "/etc/guacamole/extensions"), just as
you would any of the standard extensions like the database support:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-home

When the Guacamole webapp starts up, it will look through that directory
for .jar files containing a guac-manifest.json and load those extensions.

An example is provided demonstrating the basics of the extension format and
how HTML can be modified:

https://github.com/apache/guacamole-client/tree/master/doc/guacamole-branding-example

- Mike
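
A quick pre-install check for the layout described above, as an added example that is not part of the original reply or of Guacamole itself. It assumes the required manifest properties (guacamoleVersion, name, namespace) and the html/css/js path lists from the linked extension format documentation; the function names and the sample archives are constructed.

```python
"""Check that a .jar has the layout of a Guacamole extension (illustrative)."""
import io
import json
import zipfile

MANIFEST = "guac-manifest.json"
REQUIRED = ("guacamoleVersion", "name", "namespace")
RESOURCE_LISTS = ("html", "css", "js")   # paths relative to the archive root


def check_extension(jar):
    """Return a list of problems; `jar` is a path or a binary file object."""
    try:
        archive = zipfile.ZipFile(jar)
    except zipfile.BadZipFile:
        return ["not a .jar/.zip archive"]
    with archive:
        names = set(archive.namelist())
        if MANIFEST not in names:
            # The manifest only counts at the root of the extension's own .jar.
            nested = sorted(n for n in names if n.endswith("/" + MANIFEST))
            hint = (f" (found nested at {nested[0]}, which is ignored)"
                    if nested else "")
            return [f"{MANIFEST} missing from archive root{hint}"]
        try:
            manifest = json.loads(archive.read(MANIFEST).decode("utf-8"))
        except ValueError as exc:        # bad UTF-8 or bad JSON
            return [f"{MANIFEST} is not valid JSON: {exc}"]
    if not isinstance(manifest, dict):
        return [f"{MANIFEST} must contain a JSON object"]
    problems = [f"missing required property {key!r}"
                for key in REQUIRED if key not in manifest]
    for key in RESOURCE_LISTS:
        entries = manifest.get(key, [])
        if not isinstance(entries, list):
            problems.append(f"{key!r} must be a list of paths")
            continue
        for path in entries:
            if path not in names:
                problems.append(f"{key} entry {path!r} is not in the archive")
    return problems


def build_jar(files):
    """Build an in-memory archive from {name: text} (for the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in files.items():
            archive.writestr(name, text)
    buf.seek(0)
    return buf


def sample_jars():
    """Constructed archives: one valid, three with typical mistakes."""
    manifest = json.dumps({"guacamoleVersion": "1.3.0", "name": "Toto",
                           "namespace": "toto", "html": ["toto.html"]})
    return {
        "good": build_jar({MANIFEST: manifest, "toto.html": "<p>hello</p>"}),
        # Manifest buried in a subdirectory, as when it is packed into a .war.
        "nested": build_jar({"extras/" + MANIFEST: manifest}),
        "incomplete": build_jar({MANIFEST: json.dumps(
            {"name": "Toto", "html": ["missing.html"]})}),
        "garbage": io.BytesIO(b"this is not an archive"),
    }


if __name__ == "__main__":
    for label, jar in sample_jars().items():
        print(label, check_extension(jar) or "OK")
```

Run against the real file with `check_extension("/etc/guacamole/extensions/your-extension.jar")`, where the file name is a placeholder.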


Re: Copy/paste functionality

2021-12-03 Thread Mike Jumper
On Thu, Dec 2, 2021 at 11:17 PM Rasmus Haslund
 wrote:

> Hi folks,
>
>
>
> It is my understanding that for RDP connections copy/paste functionality
> from outside Guacamole into the RDP session should work out of the box with
> Google Chrome; however, I can’t get it to work.
>
>
You should have been prompted by Chrome to grant clipboard access. If you
initially refused that prompt, you'll need to click the clipboard icon in
the URL bar to change that setting and allow access.

If you were not prompted at all, check that you are accessing Guacamole
over HTTPS. Chrome does not allow access to the local clipboard if the page
you're visiting is not served over a secure connection.

- Mike


Re: Run docker guacamole container as a non privileged user (inside the container)

2021-12-02 Thread Mike Jumper
On Thu, Dec 2, 2021 at 1:03 PM fed  wrote:

> Hi all,
>
> I am running guacd container and guacamole container with docker-compose
> but while guacd container runs its process with a non privileged user,
> guacd, the guacamole container runs its process as root.
> Not that I am a security expert but from what I know/read it would be
> better to run it as a non-root user.
>
> Is it possible to change this? Or is it something planned for the next
> version?
>

Yes, this has been implemented for the upcoming release:
https://issues.apache.org/jira/browse/GUACAMOLE-890

- Mike


Re: LDAP AD - Group and Member Users

2021-11-30 Thread Mike Jumper
On Tue, Nov 30, 2021, 12:51 Milton Ferreira  wrote:

> Hi,
>
> Is there a query that links the "member users" of an ldap group?
>
> By using the parameters "ldap-group-base-dn" and
> "ldap-group-search-filter" in "guacamole.properties" the group name is
> obtained but members are not.
>
> In the "Groups" tab, selecting a group, in the "User Members" section,
> appears the message "This group does not currently contain any users.
> Expand this section to add users.". The "ldap-user-search-filter" parameter
> returns users but does not link to groups.
>

There is such a query on login, yes - a user's LDAP group memberships are
retrieved and take effect, inheriting any permissions granted to database
groups having the same name. These memberships are just not exposed in the
UI (the LDAP tab of the group states only that the group is read-only).

The UI that you're seeing is the tab for the database side of that group
and will show only database users/groups added as members.

- Mike


Re: Resizing Onscreen Keyboard

2021-11-30 Thread Mike Jumper
On Tue, Nov 30, 2021 at 10:25 AM Cervi, Theo  wrote:

> Hello, while using guac in a web browser I am unable to pass many keyboard
> shortcuts.
>

Which keyboard shortcuts specifically are giving you trouble?

- Mike


Re: Syn Azure Ad and Guacamole

2021-11-29 Thread Mike Jumper
On Sun, Nov 28, 2021 at 11:02 PM Bryan Ohana 
wrote:

> Hi Mike
>
>
>
> Oh my gosh I was doing everything wrong … NOW I can see my users, I should
> be able to see my groups as well right ?
>

If you map them as you did users, yes. You will need to provide the base DN
of those groups (see "ldap-group-base-dn").

Note that this is different from the "config" base DN, which is the base DN
of the "guacConfigGroup" objects used to represent connections. This is
only needed if you will be storing connection data directly in LDAP via
schema modifications, which is rare.

- Mike


Re: Syn Azure Ad and Guacamole

2021-11-28 Thread Mike Jumper
On Sun, Nov 28, 2021 at 9:18 AM Bryan Ohana 
wrote:

> Hi Mike !
>
>
>
> Thanks for that I have connected my LDAPS with guacamole with the
> following guacamole properties BUT when I log in I get the error “ERR_13207
> VALUE ALREADY EXIST” Already exists in the attribute. The error allow me to
> log in but even as Global Administrator I have NO admin rights on
> Guacamole… Any Insights ?
>
>
Can you confirm that, when attempting to log in as an administrator:

* You are logging in with LDAP credentials (the username matches the
"sAMAccountName" attribute of an account in LDAP, and the password you are
using is what has been set for that account in LDAP)
* The username that you provide is also identical to the username of a
database user having admin privileges, such as "guacadmin"
* The password being provided is distinct from the password set for that
user in MySQL, if any. (The MySQL extension has a filename that sorts
earlier than the LDAP extension, and so will get the first shot at
authenticating the user. If it's MySQL that successfully authenticates the
user, the LDAP extension won't attempt to retrieve anything. The MySQL
extension, on the other hand, will gladly trust the authentication result
of the LDAP extension and provide additional data.)

For example, if:

1) There is a user in your LDAP directory with "sAMAccountName" set to
"guacadmin".
2) The "guacadmin" user exists in your MySQL database and has admin
permissions.
3) You log in with the username "guacadmin" and the LDAP password of the
LDAP user mentioned in #1 above.

then you will have access to the admin UI of Guacamole (by virtue of having
admin permissions granted within the database), and you will be able to see
LDAP users within the overall user list as Guacamole will automatically
unify the available users of both the LDAP and MySQL datasources.

- Mike


Re: Syn Azure Ad and Guacamole

2021-11-26 Thread Mike Jumper
On Fri, Nov 26, 2021, 04:00 Bryan Ohana 
wrote:

> I have attached my Guacamole.properties, I’m logging with one Domain admin
> on Azure AD and I cannot see any other Azure AD users in the User List on
> Guacamole..
>
Ah, OK - I missed the part of your initial email where you said you are
using OpenID, and instead saw "AD" and assumed "LDAP".

With OpenID (or any SSO), Guacamole will receive only an assertion of a
user's identity when they log in, but otherwise has no means of knowing
anyone exists, regardless of what backend is behind that OpenID
implementation. User information flows in purely on a user-by-user basis.

To see users within AD, you will need to authenticate using LDAP. Guacamole
will then be able to bind directly to your AD server using LDAP and issue
queries.

- Mike


Re: Syn Azure Ad and Guacamole

2021-11-26 Thread Mike Jumper
On Fri, Nov 26, 2021, 02:13 Bryan Ohana 
wrote:

> Hi Everyone !
>
> I have configured guacamole and Azure Ad with Open ID and I’m able to
> connect fine with my AD accounts.
> The only problem is that the accounts in Guacamole are created only after
> I log in and not automatically synchronized with the existing users in AD.
>
> How can we synchronize Azure AD users to automatically exist in Guacamole
> ?
>

You don't, actually - synchronization is not necessary. If you want your AD
users to appear in Guacamole's user list when an admin logs in, you just
need to ensure that said admin exists in both AD and the Guacamole
database, with their AD counterpart at least having permission to query AD
users.

See:

https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

- Mike


Re: Block certain commands for SSH

2021-11-26 Thread Mike Jumper
On Fri, Nov 26, 2021, 01:52 Yang Yang  wrote:

> Hello,
>
> Is it possible to set a list of commands that will be blocked when any
> user types in for SSH connection? This will be useful to protect the server
> from dangerous commands such as “rm -rf /”.
>
> If the feature is not yet available, is it possible with guacamole? If I
> can get some time to have a try, should it be implemented with guacamole
> client or server (guacd)?
>

No, this is not possible for any SSH client:

Keep in mind that when you use SSH, you are not sending commands but
keystrokes. There is no way to know that a user's keystrokes are due to the
user running a command, typing documentation about that command, or
messaging their friend who happens to be named "rm -rf /".

The only way to reliably block anything like this would be on the SSH
server, within the shell interpreting the command. Only the shell truly
knows that what you are doing is typing a command.

- Mike


Re: RCE with SSRF and File Write as an exploit chain on Apache Guacamole

2021-11-23 Thread Mike Jumper
Well, besides being blatantly irresponsibly posted, it is indeed wrong (or
at least very mistaken):

* The described issue relies on full admin access. The ability to create
connections is considered an extremely high privilege for exactly the point
noted: a connection can write files (see below).

* It relies on an unofficial image that (1) runs both guacd and guacamole
on the same image and (2) does not limit the privileges of either. The
official images do neither of these things.

For example, from the documentation for an official extension that
specifically allows users to create connections:

http://guacamole.apache.org/doc/gug/adhoc-connections.html

"IMPORTANT: There are several implications of using this extension that
should be well-understood by administrators prior to implementing it: ...
The extension provides users the ability not only to establish connections,
but also to set any of the parameters for a connection. There are security
implications for this - for example, RDP file sharing can be used to pass
through any directory available on the server running guacd to the remote
desktop. ..."

- Mike

On Tue, Nov 23, 2021, 06:09 Joao Alexandre  wrote:

> Hi All,
>
> Is this new, old, fake, already patched, something to worry about,
> anything?
>
> https://thinkloveshare.com/hacking/hacking_guacamole_to_trigger_avocado/
>
> Best regards,
>
> João
>


Re: About uknown trouble.

2021-11-08 Thread Mike Jumper
On Mon, Nov 8, 2021 at 3:48 AM takuya morita  wrote:

> Hi, I'm Takuya.
>
> I used docker to build guacamole.
> Authentication is linked to AD.
>
> As a result of installing client certificates this time, users other than
> guacadmin cannot be authenticated.
> I do not know the cause.


What do you see in the Guacamole logs via "docker logs"?

What specifically changed between when things worked and now? How did you
install the certificates?

> Have you received any reports like this from people other than me?


Sure - accidentally misconfiguring LDAP is a fairly common sticking point.
The logs should be a good resource for determining what exactly is failing
and why. If you were able to authenticate via LDAP until setting up LDAP
over SSL, I would expect to see some SSL-related log messages regarding
things like PKIX chain building or host verification, possibly due to the
JVM vs. the way the certificate(s) were installed.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc .


Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-11-05 Thread Mike Jumper
On Fri, Nov 5, 2021, 00:10 Maram, Saber  wrote:

>
> Hello,
>
> it is definitely possible, you need 2-3 full time devs to write ~3k lines
> of C then an extension with native host communication for client side and
> some frontend coding and ~2 months time.
>
> I know that so well since we did it already, the next we are working on is
> usb device redirection as soon the tests for smartcard implementation are
> done.
>

If you have such support implemented and working, I really think the path
forward should be contributing those changes for the benefit of all.

- Mike


Re: problems with cyrillic - clipboard +xRDP Linux

2021-11-03 Thread Mike Jumper
On Wed, Nov 3, 2021 at 3:59 AM Аверичев Андрей Валериевич <
a.averic...@rt-solar.ru> wrote:

> Good day!
> Faced one clipboard problem over RDP.
> Cyrillic text is not copied from the host machine to the guest machine.
> Spaces instead of text.
> Copying with side menu alt + ctrl + shift
> On the guest I use the xRDP server on Kali Linux. Guacamole Server 1.3
> runs on Kali Linux, also tested on Ubuntu 20.04.
> The host machine can be both Windows 10 and Ubuntu.
> There are such problems with the Cyrillic alphabet everywhere.
> The clipboard between machines using xDP, bypassing guacamole, works
> correctly.
> Maybe there is some solution? Would you recommend any other rdp servers or
> patches for Guacamole?
>

This shouldn't be the case with any modern RDP server. The RDP protocol
supports multiple clipboard encodings for transfer, with Guacamole
supporting both Unicode and "text" (ISO 8859-1). Guacamole itself uses
purely Unicode for its own clipboard and will prefer Unicode when
communicating with the RDP server. The only case that Cyrillic or other
characters not present in ISO 8859-1 should be absent on the remote side
when pasting content copied through Guacamole is if the RDP server
(somehow) is not accepting Unicode for clipboard data.

Testing copy/paste of Cyrillic text myself, I am able to copy/paste
Cyrillic from my local machine through Guacamole to a Windows RDP machine
without issue.

Do you see anything in the guacd logs?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc .


Re: Guacamole dynamically create connections

2021-11-03 Thread Mike Jumper
On Wed, Nov 3, 2021, 08:58 Tim Worcester 
wrote:

> Mike,
>
> I have gotten this working with dynamically spinning up desktops when the
> user clicks the connectionGroup.  Unfortunately when I decorate the
> ConnectionGroup and override connect() I lose all of the active session and
> connection history tracking that the postgresql extension gives me.
>

Are you not invoking the connect() function of the decorated object when
your decorator's implementation of connect() is invoked?

- Mike


Re: Custom auth: updateAuthenticatedUser() not updating list of available connections

2021-11-01 Thread Mike Jumper
On Mon, Nov 1, 2021 at 3:37 PM Dustin Lang  wrote:

> Hi Nick,
>
> Thanks for your reply.  But I'm confused -- in
> updateAuthenticatedUser(AuthenticatedUser, Credentials), how can I get the
> current UserContext object associated with that auth user?
> SimpleAuthenticatedUser is a private class in SimpleAuthenticationProvider,
> otherwise I could cast it and .getAuthorizedConfigurations()...
>

For the UserContext, there is a separate updateUserContext() function that
receives the previous UserContext instance:

https://guacamole.apache.org/doc/1.3.0/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#updateUserContext-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

You can't otherwise directly obtain the single UserContext associated with
the AuthenticatedUser because there is no such thing - the relationship
between the AuthenticatedUser and the UserContext(s) is one-to-many, with
each extension having the opportunity to provide their own UserContext for
the AuthenticatedUser instance that may come from another extension. The
interface presented to the user will be a transparently unified view of all
the UserContexts associated with their Guacamole session.

You also do not have to implement updateUserContext() unless the data
exposed by your UserContext implementation needs to change relative to
newly-submitted credentials. Your UserContext can be dynamic and produce
differing sets of connections, users, etc. based on external factors that
are independent of user credentials, such as the contents of a database or
the contents of a REST request to some other service. It's also possible to
have the internal result of attempting to connect to a Connection vary
dynamically - you don't need to bake in static configuration and data ahead
of time, changing things only when an explicit update call occurs.

Beware that the results of REST API requests to Guacamole are cached by the
web application, so if you have confirmed that you are updating your
UserContext but are simply not seeing the results of those updates in the
UI, it may just be that you're seeing the old cached data.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc .



Re: How many connection have you made?

2021-10-25 Thread Mike Jumper
On Mon, Oct 25, 2021, 01:12 takuya morita  wrote:

> Hi, Guacamole support!
> I'm Takuya!
> Thank you for all your help and support.
>
> What is the maximum number of users that Guacamole can tolerate?


There is no specific maximum. The rule of thumb is that you should be able
to support 25 concurrent users for every CPU core and 2 GB of memory.

> It would be nice to have a track record rather than a theoretical value.
> I'll need to know the specs of the server at that time.


The above number is from a load test that we performed at Glyptodon with
~2000 concurrent connections and a variety of server configurations. We
found this rule of thumb to be consistent for small numbers of connections
up to thousands, regardless of how those cores are split among your
Guacamole servers.

As long as you have the server power, there is no inherent limit.

> Also, are there any points other than load balancing that I should be aware
> of when a large number of users connect at the same time?


Be sure to use the NIO (non-blocking) connector in your Tomcat's server.xml
rather than the default blocking connector, as the latter does not play
well with long-running TCP connections like WebSockets.

- Mike


Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Mike Jumper
Can you describe your use case in more detail? This sounds like feature
request material, either for recursive groups (complex) or batch editing.

- Mike

On Wed, Oct 20, 2021, 13:02 Joseph Szabo  wrote:

> That's too bad.  I was looking to more easily take one roomful of
> computers out of the connect group.  I only have access to the web
> interface at the moment.
>
> Joseph Szabo
> CSS Lab Technical Services
> NBCS Lab Team
> System Administrator
> Rutgers University
>
>
> ------
> *From:* Mike Jumper 
> *Sent:* Wednesday, October 20, 2021 3:56 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: nested balancing connection groups, permission denied on
> connect
>
> On Wed, Oct 20, 2021, 07:41 Joseph Szabo  wrote:
>
> Hi.  I'm trying to have one balancing connection group inside another
> (remote desktop).  When I click the top level one, it says:
>
> "You do not have permission to access this connection. If you require
> access, please ask your system administrator to add you the list of allowed
> users, or check your system settings."
>
> And yet I am the administrator.  Is there some extra setting I'm missing?
> Clicking the lower level group works to connect to a computer.  Before the
> error, it says:
>
> "Connected to Guacamole. Waiting for response..."
>
>
> You're not missing a setting - you just cannot have nested balancing
> groups. The connections within a balancing group will not be queried
> recursively and need to be direct children.
>
> The permission denied error you see is likely due to the connection group
> being "empty", at least as far as the webapp is concerned. There is no
> connection within the group to connect to.
>
> - Mike
>
>


Re: nested balancing connection groups, permission denied on connect

2021-10-20 Thread Mike Jumper
On Wed, Oct 20, 2021, 07:41 Joseph Szabo  wrote:

> Hi.  I'm trying to have one balancing connection group inside another
> (remote desktop).  When I click the top level one, it says:
>
> "You do not have permission to access this connection. If you require
> access, please ask your system administrator to add you the list of allowed
> users, or check your system settings."
>
> And yet I am the administrator.  Is there some extra setting I'm missing?
> Clicking the lower level group works to connect to a computer.  Before the
> error, it says:
>
> "Connected to Guacamole. Waiting for response..."
>

You're not missing a setting - you just cannot have nested balancing
groups. The connections within a balancing group will not be queried
recursively and need to be direct children.

The permission denied error you see is likely due to the connection group
being "empty", at least as far as the webapp is concerned. There is no
connection within the group to connect to.

- Mike


Re: problems with shared disk by rdp in ubuntu 20.04 I can't write to it

2021-10-14 Thread Mike Jumper
On Wed, Oct 13, 2021, 09:15 _mirohe _ 
wrote:

> Hi
>
> I have verified that connecting with the guacamole interface if I
> connect with a windows10 client machine that disk sharing works for
> me, but against the ubuntu 20.04 client machine it does not work
>
> I have verified that the docker guacd that I have is a version 1.3.0
> and a debian 10.7 and that it has the following freerdp packages
> installed:
>
> dpkg -l | grep rdp
>
> libfreerdp-client2-2:amd64 2.2.0+dfsg1-1~bpo10+1 amd64 Free Remote
> Desktop Protocol library (client library)
> libfreerdp2-2:amd64 2.2.0+dfsg1-1~bpo10+1 amd64 Free Remote Desktop
> Protocol library (core library)
>
> As the shared disk does not work through guacamole with ubuntu 20.04
> client machine, I have tried to access the client machine from my
> laptop using xfreerdp not using guacamole and it works for me with
> this command
>
> xfreerdp /u:profesor /p:mypassword /v:xx.xx.xx.xxx /w:1600 /h:900
> /drive:sharedisk,/home/myuser/Documents
>
> here if the shared disk works for me.
> I can't find anything in the logs to give me a clue as to what's going
> on with the shared disk or I don't know where to look.
>

I think you may be running into a known issue with XRDP 0.9.12 and older:

https://github.com/neutrinolabs/xrdp/issues/1505#issuecomment-593500038

XRDP 0.9.12 doesn't like the device ID that Guacamole uses for the drive,
resulting in things failing.

- Mike


Re: About ASF’a trademark policy.

2021-10-12 Thread Mike Jumper
On Tue, Oct 12, 2021, 17:18 takuya morita  wrote:

> Hi, I am Takuya.
> Thank you for everything.
>
> I'm thinking of changing the Guacamole logo to a completely different one
> of my own creation to use in a closed community.
>
> I've looked at the ASF’s trademark policy.
> As far as I can tell, I don't think this is a violation, is that correct?
>

I don't think this is a good place to discuss legal/trademark questions
that you have beyond locating the appropriate resources. If you are
uncertain after reading the FAQ and policy, the ASF provides resources for
asking trademark questions:

https://www.apache.org/foundation/marks/contact

Those would be the people to contact if anything is unclear.

There seems to be some confusion in your question regarding the way
software is modified (which would be a copyright and licensing issue) and
the concept of a trademark. I'm not a lawyer and can't provide you with
legal advice, so if you aren't sure what's allowed with respect to a
trademark, and the policy and documentation regarding this isn't clear to
you as-is, I recommend reaching out to the contacts above.

- Mike


Re: Where is html?

2021-10-12 Thread Mike Jumper
On Tue, Oct 12, 2021, 00:04 takuya morita  wrote:

> Hi, Guacamole support!
> I am Takuya.
>
> Is it a violation of the license to use the Guacamole logo in a different
> way?
>

Can you describe what you are planning to do specifically?

"Different" is a bit broad, but the logo and the "Guacamole" name are
trademarks of the ASF, so using the logo (or name) "in a different way"
would need to be considered in light of both the Apache license *and* the
ASF's trademark policy:

https://www.apache.org/foundation/marks/

See also the ASF trademark FAQ:

https://www.apache.org/foundation/marks/faq/

> If not, what do I need to change to change the logo?
>

You can definitely rebrand things without issue. This is one of the
features of Guacamole's extension system:

https://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-file-format

> By the way, I don't intend to use it as an API.
>

I'm confused. What would this have to do with the logo?

- Mike


Re: [EXT] WELCOME to user@guacamole.apache.org

2021-10-11 Thread Mike Jumper
On Mon, Oct 11, 2021, 12:53 Sanjeevi Mahalingam
 wrote:

> Thank you, Nick.
>
> The AWS AMI contains both client and server configured.
>
> We can be able to login the Guacamole console and added new connection for
> RDP.
>
> When we tried to connect the RDP, we can see that the windows blue screen
> with message saying, “Waiting for Local Session manager" "Waiting for Group
> Policy Client".
>

These messages are being rendered by Windows over RDP. If you are seeing
these messages, you have already connected successfully, and are now just
waiting for Windows itself to prepare the desktop session.

- Mike


Re: Recommended Implementation - Multiple Guac Servers Necessary?

2021-10-07 Thread Mike Jumper
Hello,

You don't need multiple guacd servers, no. For 80-100 concurrent users,
typical desktop use would require guacd to have around 4 CPU cores
available, but it doesn't matter with respect to performance whether those
4 cores are split across multiple servers or all on the same server. Your
planned 12-core server should have more than enough power to support your
anticipated load.

The main benefit to leveraging multiple guacd servers (behind a TCP
balancer) is the ability to dynamically scale those servers and take one
down if needed, and the main caveat for leveraging multiple guacd servers
behind a balancer is that the balancer will prevent the screen sharing
feature from working (there will be a random chance that the guacd the
webapp is routed to by the balancer is not the guacd associated with the
connection being joined).

Michael Jumper
CEO, Lead Developer
Glyptodon Inc .


On Thu, Oct 7, 2021 at 10:13 AM Khoe, Yonathan 
wrote:

> Hello,
>
> I jumped aboard the Guacamole project at my university after a colleague
> from another college did.  I got his insights into their college setup
> involving 1 web server and 2 guacd servers as backbone.  I’m trying to get
> an understanding how/why this is necessary based on reading through the
> guac mailing archives.  I see many utilize single, relatively
> high-performance server with room for scaling.  If my college (1 college,
> not the entire university body) were to expect performance that is about
> 80-100 concurrent usage max, is it necessary to have the multi-server
> implementation in order to help with performance and reliability of our
> Guacamole service?  Depending on the answer, do the “backbone” guacd
> servers have to be configured as proxy servers (something that’s described
> in chapter 4 in the documentation)?
>
>
>
> For context, I have set up my college with the following:
>
> The server VM I have set up with apache tomcat and guacamole server:
>
> - Xeon Gold 6140 CPU @ 2.30GHz (allotted 6 cores)
> - 8GB RAM
> - 80GB Storage
> - Llvmpipe Graphics
> - RHEL 8.4
> - VMWare virtualization
>
>
>
> The supposed GuacD server that’s still a blank slate:
>
> - Xeon Gold 6140 CPU @ 2.30GHz (allotted 12 cores)
> - 16GB RAM
> - 80GB Storage
> - Llvmpipe Graphics
> - RHEL 8.4
> - VMWare virtualization
>
>
>
>
>
> Thank you,
>
> Yo Khoe
>
> CVAD IT
>
> University of North Texas
>
>
>


Re: Changing CSS

2021-10-04 Thread Mike Jumper
Cosmetic changes should be made through extensions rather than code
changes. Documentation on the extension format, which can include arbitrary
CSS, is here:

https://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-file-format

The best way to determine the CSS to apply is to fiddle around with the
relevant elements in your browser's dev tools, adding additional CSS rules
until things look how you like. Once you have things the way you want, you
have the CSS to include in your extension.

- Mike


On Mon, Oct 4, 2021, 00:50 michael böhm  wrote:

> Hi,
>
> I got the task to change the color of the text and icon in the "Filter"
> field to black to ensure a higher contrast from the background due to an
> accessibility audit.
>
> Can someone point me in the right direction on which part of the CSS I
> have to edit to accomplish this? How can I change it in the Docker version?
>
> Thanks and best wishes
>
> Michael


Re: Please let me know how limit the connection.

2021-09-30 Thread Mike Jumper
You can. There is a global setting in guacamole.properties affecting all
balancing groups, and a field visible when you edit the balancing group
that affects only that individual balancing group.

The above limits apply only when you connect to the balancing group. There
are also other, per-connection limits that you can define that affect the
individual connections (regardless of whether they are in a group).

- Mike

On Thu, Sep 30, 2021, 18:38 takuya morita  wrote:

> I see.
>
> Does that mean I can't limit the connection to a single arbitrary
> balancing group?
>
> On Fri, Oct 1, 2021 at 10:18, Mike Jumper wrote:
>
>> On Thu, Sep 30, 2021, 17:55 takuya morita  wrote:
>>
>>> As it turns out, that setting did not achieve the behavior I wanted.
>>>
>>> I am trying with the following environment.
>>>
>>> Balancing group A ___ Balancing group B
>>>   |_ Balancing group C
>>>
>>> Set "maximum connections per user" to 1 for all groups
>>>
>>> Is it possible that the setting is not working?
>>>
>>
>> No, you cannot nest balancing groups. A balancing group will balance
>> across its child connections only. It will not attempt to balance
>> recursively across its entire subtree.
>>
>> - Mike
>>
>>


Re: Please let me know how limit the connection.

2021-09-30 Thread Mike Jumper
On Thu, Sep 30, 2021, 17:55 takuya morita  wrote:

> As it turns out, that setting did not achieve the behavior I wanted.
>
> I am trying with the following environment.
>
> Balancing group A ___ Balancing group B
>   |_ Balancing group C
>
> Set "maximum connections per user" to 1 for all groups
>
> Is it possible that the setting is not working?
>

No, you cannot nest balancing groups. A balancing group will balance across
its child connections only. It will not attempt to balance recursively
across its entire subtree.

- Mike


Re: guac h264_v4l2m2m

2021-09-29 Thread Mike Jumper
On Wed, Sep 29, 2021, 08:55 Maram, Saber  wrote:

>
> just info having now my first version of guacd with 45fps on an *odroid
> xu4* with gpu encoding h264_v4l2m2m ...
>

Do you have a branch on GitHub that you can share?

What about the decoding portion on the client side?

> ... and my custom version of ffmpeg.
>

Why?

- Mike


Re: Please let me know how limit the connection.

2021-09-29 Thread Mike Jumper
On Wed, Sep 29, 2021, 08:26 takuya morita  wrote:

> Thanks for your reply.
>
> When there is only one user, I think I can limit the number of connections
> to one by setting the number of simultaneous connections to the number of
> users (in this case, one) in the connection group settings.
> However, I don't think this setting can limit the number of connections to
> one for each user when there are multiple users.
> I don't want one user to be able to have multiple connections at the same
> time.
>

This is what the "maximum connections per user" setting does. If you set
that value to 1, each unique user will only be able to have one connection
open to that connection/group at any time.

I believe this is already the default for balancing connection groups, to
avoid any one user monopolizing the connections within the group.

- Mike


Re: Please let me know how limit the connection.

2021-09-29 Thread Mike Jumper
On Wed, Sep 29, 2021 at 5:31 AM Nick Couchman  wrote:

> On Wed, Sep 29, 2021 at 3:21 AM takuya morita 
> wrote:
>
>> Hi, Guacamole.
>> I'm Takuya.
>>
>> Thanks for always answering my questions.
>>
>> I can connect from one PC to multiple PCs at the same time using
>> Guacamole.
>> Is there a setting that allows me to connect to only one PC at a time?
>
>
> I do not believe that there is any way currently to restrict a user to a
> maximum number of overall concurrent connections. You can restrict each
> connection or connection group such that users can only access the connection
> a single time, and you can set defaults on this that apply to all
> connections/connection groups which do not explicitly have a limit set, but
> I don't think you can limit the overall concurrent connections per user or
> client.
>

There is an overall, absolute limit available via guacamole.properties that
can be enforced on connections defined through the database:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-concurrency
(See "mysql-absolute-max-connections",
"postgresql-absolute-max-connections", etc.)

Setting that limit will restrict the total number of connections maintained
across the entire web application, regardless of which Guacamole
connections/groups are being used and regardless of which user(s) are using
them.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: Exhausted simultaneous connection error

2021-09-27 Thread Mike Jumper
On Mon, Sep 27, 2021 at 9:29 AM Stratton, Craig
 wrote:

> Hi Mike, Nick,
>
> Running out of ideas now, at least until the Firewall vendor responds to
> my support case.
>
>
>
> I have set the enable-websocket: false and also now changed Tomcat to SSL
> support, as shown in this syslog entry:
>
>
>
> "Sep 27 15:50:33 psmguc01 tomcat9[142913]: 15:50:33.634 [https-openssl-nio-8443-exec-15] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal."
>
>
>
> Still no joy, am in the same boat.
>
> ...
>
> I have the Catalina log entry from 2 connection attempts, and even
> though WebSocket is disabled, it seems the first connection attempt still
> tries to use it.
>

There is no "enable-websocket" property and attempting to set it will have
no effect. You'll see some references to that property in ancient
documentation for versions of Guacamole back when WebSocket was still
considered experimental, but this has not been the case for years.
WebSocket is always enabled.

If your firewall vendor can help correct things such that WebSocket works,
that would be the best path forward.

If you want to block WebSocket entirely for now to attempt to work around
the firewall issues, you can set up a reverse proxy and configure that
proxy to explicitly block access to the WebSocket tunnel. For example,
Apache HTTPD normally has to be manually configured to handle WebSocket
traffic for Guacamole's WebSocket tunnel:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html#websocket-and-apache

If you alter that to instead return 404, or set up a different reverse
proxy like Nginx and configure it to do the same, you will block WebSocket.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: Exhausted simultaneous connection error

2021-09-24 Thread Mike Jumper
I believe there are cases where this error can appear due to WebSocket
being inadvertently blocked by a network device or proxy. If the WebSocket
connection attempt fails due to certain kinds of interference, the browser
will abruptly abort the connection attempt and server-side resources for
that connection will not be released by the time the client retries using
HTTP.

Do you see any warnings in the logs regarding WebSocket and the HTTP
fallback? Anything on the network that might be interfering?

- Mike

On Fri, Sep 24, 2021, 08:00 Stratton, Craig
 wrote:

> Hi Nick,
>
> Guacd version 1.3.0 running native on Ubuntu 20.04
>
>
>
> Apologies, I had read and understood that guacd should not be the problem
> and did not need restarting, but wrote that anyway for some reason.
>
> I had recently restarted it to change the loglevel.
>
>
>
> Client has been compiled with Postgres, RADIUS and LDAP authentication,
> although could not get RADIUS to work and is disabled.
>
> User is authenticated against LDAP, and database Groups match defined LDAP
> groups, so no users defined in local database, they see database defined
> connections based on LDAP group membership. This all works as expected.
>
>
>
> Thank you,
>
> Craig
>
>
>
>
>
> *From:* Nick Couchman 
> *Sent:* 24 September 2021 14:42
> *To:* user@guacamole.apache.org
> *Subject:* Re: Exhausted simultaneous connection error
>
>
>
>
> On Fri, Sep 24, 2021 at 7:48 AM Stratton, Craig <
> craig.strat...@pspsl.co.uk.invalid> wrote:
>
> Hi,
>
> I am continually running into this error and cannot seem to resolve it.
>
>
>
> “The Guacamole server is denying access to this connection because you
> have exhausted the limit for simultaneous connection use by an individual
> user. Please close one or more connections and try again.”
>
>
>
> There are no connections listed for the user when I look to close them.
>
>
>
> I have some connections set with default blank number of connections per
> user, some with 1 some with 10, but it happens on all of them.
>
>
>
> I can connect, disconnect, reconnect fine after creating a new connection,
> then if I try again the following day I get that error, even after closing
> properly.
>
>
>
> I have not set any of the guacamole.properties file entries to override
> any defaults on number of connections, as the way I read the manual, there
> are no limits by default.
>
>
>
> If I stop and restart guacd and tomcat, it makes no difference and still
> cannot connect, it will just randomly start working again after some
> undetermined timeout?
>
>
>
> Just to note, here, guacd is not related to this issue, as the connection
> tracking, including simultaneous connections, is done by Tomcat/Guacamole
> Client. I say that only to note that restarting guacd isn't going to do
> anything for this. Restarting Tomcat should clear things out, but you
> shouldn't need to mess with guacd. That said, guacd logs may help you to
> determine if an unexpected connection is coming through, so might not be a
> bad idea to pay attention to those.
>
>
>
> What version of Guacamole are you running? What configuration - Docker or
> native, MySQL, Postgres, etc.?
>
>
>
> -Nick

Re: Configure GuacD in User Connection (JSON)

2021-09-24 Thread Mike Jumper
On Fri, Sep 24, 2021 at 12:51 AM Caleb Coverdale <
caleb.coverd...@provisioninfotech.com> wrote:

> Also not sure if I can tack on another question: anyway to disable
> database authentication and use only JSON requests?
>

Yes - remove the database extension .jar file from
/etc/guacamole/extensions. If only the JSON auth extension is present, then
only the JSON auth extension will be used.

> I was wondering how I would set the parameters to use the proxy_hostname,
> and proxy_port with the JSON auth module.
>

There are no such parameters provided by the JSON auth extension. The
extension currently only uses guacamole.properties for the hostname and
port of guacd.

- Mike


Re: Problem with child connections and child connection groups

2021-09-23 Thread Mike Jumper
On Thu, Sep 23, 2021 at 2:41 PM Marcus Vinícius de Melo Rocha <
mvro...@gmail.com> wrote:

> Hi Mike!
>
> I myself have created the connection. Is it required to grant access to
> myself?
>

No, you automatically have full permissions for all connections you create.

What version of the MariaDB / MySQL "Connector/J" driver are you using?
There has been at least one past thread regarding children of connection
groups not appearing despite permission being granted, and the ultimate
solution was to update to the latest "Connector/J" driver from MariaDB:

https://lists.apache.org/thread.html/rf03dd3785ee1878bc470efe0b727ef75fce74eb914eadc40489d761f%40%3Cuser.guacamole.apache.org%3E

- Mike


Re: Problem with child connections and child connection groups

2021-09-23 Thread Mike Jumper
On Thu, Sep 23, 2021 at 2:04 PM Marcus Rocha  wrote:

> Hi all!
>
> I have installed guacamole today, both client and server, from git. My
> database is MariaDB 10.6. Seems to work fine but... When I create a child
> connection or a child connection group, this child is not displayed
> anywhere. I have checked the connection group table and the connections are
> there, they are just "invisible" in the web interface.
>
> Any tips, please?
>

Hi Marcus,

No need to duplicate your original post - your message from earlier today
regarding the above did get sent out on this list:

https://lists.apache.org/thread.html/rb1cacf578a56af4da339dc6d92f501804063ee92417bd0ef096f6cd6%40%3Cuser.guacamole.apache.org%3E

- Mike


Re: Radius auth user add connection

2021-09-23 Thread Mike Jumper
On Thu, Sep 23, 2021, 10:50 Erdődi Zoltán  wrote:

> Good Day!
>
> How do I assign a connection to a user who is authenticated with a
> radius?
>
>
> [2021-09-23 16:04:13] [info] 16:04:13.139 [http-nio-8080-exec-1] DEBUG
> o.a.g.r.auth.AuthenticationService - Login was successful for user
> "XYZUSER".
> [2021-09-23 16:04:13] [info] 16:04:13.730 [http-nio-8080-exec-10] DEBUG
> o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not
> associated with authentication provider "radius".
>
>
> Login ok, but no RDP connection.
> Where and how to define it ?
> guacamole.properties or user-mapping.xml .
>

Neither - you would use one of the supported databases (MySQL, PostgreSQL,
etc.) and create the connection in the admin web interface that becomes
available once a database is set up. You can then create the needed linkage
between RADIUS and the connection in the database by doing one of the
following:

* Create a user in the database using the web interface (without setting a
password) having the same username as the RADIUS user, and grant access to
the connection to that user. By not setting a password, the user will still
only be able to log in using RADIUS, but will inherit access to any
connections granted to their corresponding database user.

* Create a user group having the same name as a RADIUS group of which the
user is a member, and grant access to the connection to that group.

This is also how things work when combining LDAP with the database, except
that administration is made more convenient in the LDAP case since users
and groups can be retrieved from the LDAP directory. Since users/groups can't
be pulled automatically from RADIUS, you need to enter them manually.

See https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database
for how this works in principle.

- Mike


Re: Problem with child connections and child connection groups

2021-09-23 Thread Mike Jumper
On Thu, Sep 23, 2021 at 11:00 AM Marcus Rocha  wrote:

> Hi all!
>
> I have installed guacamole today, both client and server, from git. My
> database is MariaDB 10.6. Seems to work fine but... When I create a child
> connection or a child connection group, this child is not displayed
> anywhere. I have checked the connection group table and the connections are
> there, they are just "invisible" in the web interface.
>
> Any tips, please?
>

The child connection will only be visible to users that have been granted
access to that connection. If a user is granted access to the connection
group, but not the connections within the group, they will only be able to
see the group. This mirrors the behavior of file permissions for
directories and their contents, and allows things like creating a balancing
connection group that appears to non-administrative users as if it were a
normal connection.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: Docker guacamole+guacd 1.2.0 gets stuck once a day randomly

2021-09-22 Thread Mike Jumper
On Wed, Sep 22, 2021 at 5:45 AM Regev Batchen  wrote:

> Hello, the postgres error happened again.
> I don't understand why postgres started to get stuck after I updated to
> guacamole 1.3; before, I had an error where it would only get stuck with no
> SQL error.
> I use psql 12.3 and here are some logs. PLEASE let me know what else I can
> check and debug. I have 10 more containers on this docker-compose and only
> guacamole gets stuck.
>
> It just stops receiving API requests and no logs are written to the guac
> containers.
> What is causing this SELECT error?
>

Do you have the full message from the PostgreSQL container?

The log message you see from guacd (Error reading "select") is not actually
related to the database (which is only used by the webapp, not guacd). This
is guacd letting you know that a connection to guacd was established and
then closed during the Guacamole protocol handshake, the first message of
which happens to be called "select". This is the result of a healthcheck
ping within Docker and is not an error.

- Mike
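
The handshake behaviour described in the reply above, as an added example (this is not guacd's code and not part of the original message): a minimal parser for the Guacamole instruction encoding (LENGTH.VALUE elements, comma-separated, terminated by a semicolon) and a reader that waits for the opening "select" instruction, run against constructed peers over a local socket pair. The function names and status labels are assumptions made up for this illustration.

```python
import codecs
import socket


class Incomplete(Exception):
    """More bytes are needed before a full instruction can be parsed."""


def encode_instruction(*elements):
    """Encode elements as LENGTH.VALUE, comma-separated, ';'-terminated."""
    return ",".join(f"{len(e)}.{e}" for e in elements) + ";"


def decode_instruction(text):
    """Parse one instruction; return (elements, text left after it)."""
    elements, pos = [], 0
    while True:
        dot = text.find(".", pos)
        if dot == -1:
            raise Incomplete("no length prefix yet")
        digits = text[pos:dot]
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError(f"bad length prefix {digits!r}")
        # The length counts characters, not bytes.
        end = dot + 1 + int(digits)
        if end >= len(text):
            raise Incomplete("element or terminator not received yet")
        elements.append(text[dot + 1:end])
        if text[end] == ";":
            return elements, text[end + 1:]
        if text[end] != ",":
            raise ValueError(f"unexpected {text[end]!r} after element")
        pos = end + 1


def read_select(conn, timeout=2.0):
    """Server side of the first handshake step: wait for 'select'.

    Returns (status, detail). The status labels are illustrative only.
    """
    conn.settimeout(timeout)
    decoder = codecs.getincrementaldecoder("utf-8")()
    text = ""
    while True:
        try:
            elements, _ = decode_instruction(text)
            break
        except Incomplete:
            pass
        except ValueError:
            return ("malformed", None)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return ("timeout", None)
        if not chunk:
            # Peer closed the socket before a full instruction arrived.
            # A bare TCP healthcheck (connect, then close) ends up here.
            return ("closed-before-select", None)
        text += decoder.decode(chunk)
    if elements[0] != "select" or len(elements) != 2:
        return ("unexpected-opcode", elements[0])
    return ("select", elements[1])


def simulate(client_bytes):
    """Run read_select() against a peer that sends client_bytes and closes."""
    server, client = socket.socketpair()
    try:
        if client_bytes:
            client.sendall(client_bytes)
        client.close()
        return read_select(server)
    finally:
        server.close()


if __name__ == "__main__":
    # Constructed inputs: a healthcheck-style probe, a truncated message,
    # and a well-formed select for the "rdp" protocol.
    for sample in (b"", b"6.sel", encode_instruction("select", "rdp").encode()):
        print(repr(sample), "->", simulate(sample))
```
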


Re: Dockerized Guac LDAP Config

2021-09-21 Thread Mike Jumper
The behavior described so far sounds like things are working: the groups in
question appear, and they show the correct data within each of the
datasource-specific tabs. You see two tabs for the group (LDAP and
PostgreSQL) because the same group exists within both datasources. Within
each of those tabs, you see data specific to the datasource associated with
that tab, and *only* data from that datasource.

While the PostgreSQL tab is selected, you see no group members from LDAP
because the tab is specific to PostgreSQL. No group members have been added
manually from PostgreSQL. This is fine and doesn't mean that the group will
not work - LDAP members of the LDAP version of that group will still
inherit permissions granted to the PostgreSQL version of that group, even
though you will not see LDAP members in the PostgreSQL tab.

When an LDAP user logs in that is a direct member of either of those groups
within LDAP, do they have the expected level of access inherited from those
groups? The UI will not show LDAP group members within the PostgreSQL tab,
but LDAP group members will inherit those permissions upon login when
Guacamole queries their group memberships.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


On Tue, Sep 21, 2021 at 7:50 AM Kevin Leigeb 
wrote:

> Just wanted to check in one last time to see if anyone has any thoughts on
> what might be wrong here.
>
>
>
>
>
> *From:* Kevin Leigeb 
> *Sent:* Wednesday, September 15, 2021 1:25 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Dockerized Guac LDAP Config
>
>
>
> Yes to the first question. I’ve additionally created a guacadmin AD
> account so that I can log in as myself or that account and still see the AD
> account listings. When I open the user or group page, I see two tabs on the
> top; one for LDAP which shows a lock and tells me it can’t be edited and
> one for Postgres.
>
>
>
> For the guac client, I’m running the latest tag of the image from
> dockerhub which I pulled again yesterday morning to make sure it was up to
> date. Happy to pin it to a specific tag if that might help.
>
>
>
> *From:* Nick Couchman 
> *Sent:* Wednesday, September 15, 2021 1:11 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Dockerized Guac LDAP Config
>
>
>
> On Mon, Sep 13, 2021 at 4:42 PM Kevin Leigeb <
> kevin.lei...@wisc.edu.invalid> wrote:
>
> Hey All –
>
>
>
> I’ve been having a really rough go lately getting the LDAP configuration
> to work with Guacamole running in docker compose. I’m able to get users to
> successfully authenticate, but the group stuff and the connection between
> LDAP/Postgres seems to be the biggest sticking point for me.
>
>
>
> Perhaps I’m going about this the wrong way, but I’ve been attempting to
> set up LDAP to use some RBAC groups in our AD using the
> LDAP_USER_SEARCH_FILTER set to the following:
>
>
>
>
> (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))
>
>
>
> The idea here is to just get this working with two groups: admins and
> non-admins for the time being.
>
>
>
> The user page populates with the members of these groups as expected, but
> the group page is a different story. Ideally I’d like the two groups above
> to be the only ones pulled from AD, but without a LDAP_GROUP_SEARCH_FILTER
> setting I’m having a hard time accomplishing this. If I set the group base
> DN to the OU of the two groups shown above, I see those groups but none of
> the members of the groups are the actual members pulled from AD as
> expected. Regardless of nested membership or direct membership in that
> group, the membership appears empty and the only options to add users are
> those manually created in the UI (so they also exist in the postgres DB).
>
>
>
>
>
> When you set the configuration for the group search dn, and you're looking
> at the groups, are you doing so as a user that is part of your AD tree,
> that is logged in via LDAP?
>
>
>
> Also, can you confirm what version of Guacamole Client you're running?
>
>
>
> -Nick
>
>
>
>
>


Re: RDP disconnects when a second user starts a different RDP session in a network device

2021-09-21 Thread Mike Jumper
On Tue, Sep 21, 2021 at 4:58 AM Jose Moreno Delgado 
wrote:

> Hi, we have a stable Guacamole solution running properly, but we have
> noticed that when a user is connected to a device through RDP and a second
> user runs a new RDP session (same or another device) drops and reconnect
> message appears in the screen of previously connected users. They are able
> to reconnect properly, but this is disturbing them because they lose their
> work. We have experienced this behavior using Guacamole 1.2.0 as native in
> a CentOS 7 machine and when using Guacamole 1.3.0 on docker system running
> in a Linux Ubuntu 20.0.4, can you tell us if this is a normal behavior? We
> don't have network problems (we have tested switches and cables/ports) and
> when using ssh tunnels to connect to same machines in alternate scenario
> this problem is not present. BR.
>

No, you should not experience any drops whatsoever. The system is
specifically designed and intended to provide access to a variety of
connections for multiple users concurrently, with no assumptions regarding
whether the connections made available to each user are logically different.

Is there anything on the network between your users and Guacamole that
might be interfering with connections? Do you see any warnings or errors in
the logs when you see unexpected behavior?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: SSH session prompting user ID/PW on Cisco WLC 2504

2021-09-15 Thread Mike Jumper
On Tue, Sep 14, 2021, 22:49 Yousuf, Zeeshan 
wrote:

> Hello All,
>
>
>
> I need some assistance to iron out an issue I’m having with providing SSH
> connections for my Cisco WLC 2504 version 8.2.
>
>
>
> Issue:
>
> There is a radius server configured in my network, which authenticates the
> ssh sessions for cisco devices such as switches 3800 series. However
> specifically with Cisco WLC 2504, even though userid and password is
> specified for the connection in guacamole, WLC SSH session still prompts
> for the userID and password. After researching, it’s a known bug mentioned
> here and here on WLC 2504 which is supposed to have been fixed in version 8.6. However,
> WLC 2504 is EoL and no longer supporting AireOS version 8.6.
>
>
>
> Question:
>
> Is there any hack/tweak in Guacamole where Guacamole can automatically
> provide the userID and Password once ssh session is opened and prompts for
> entering userid/password?
>

No, not for SSH. This is the way things are done for Telnet, but SSH is
very well defined for providing a username/password.

The link above notes that the issue is due to the SSH implementation not
truly implementing SSH, but wrapping a Telnet session within SSH. Perhaps
you could connect with Telnet directly? You could then rely on the
Telnet-specific username/password prompt detection.

- Mike


Re: Guacamole Errored Out

2021-09-14 Thread Mike Jumper
On Tue, Sep 14, 2021 at 7:08 AM Asmodean Thor 
wrote:

> Hello!
>
> I believe that it was after this command that my guacamole installation
> broke:
>
> ```
> sudo apt install apache2 mariadb-server libapache2-mod-php7.4
> sudo apt purge apache2 mariadb-server libapache2-mod-php7.4
> ```
> ...
> The guacd service runs perfectly. Logs below.
>
> Please let me know if you need more information, the error screenshot is
> attached.
> ...


The screenshot originally attached shows a generic error from the Guacamole
webapp, not guacd. This would typically be due to some required service or
configuration option being missing/unavailable, such as the database server
being unreachable. Guacamole will log the details of the error that
occurred in the Tomcat logs.

What do you see in the Tomcat logs from Guacamole?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc .


Re: Disable gcc checking

2021-09-13 Thread Mike Jumper
On Mon, Sep 13, 2021, 03:20 Paula Carboné  wrote:

> Hi guysss, is it possible to disable compiler checking while running
> configure script?
> I have tried with  --disable-option-checking, --disable-libtool-lock and
> --with-gnu-ld, but nothing seems to work and the output keeps displaying:
> *configure: error: no acceptable C compiler found in $PATH*
> (Obviously bc I have removed the gcc package) The point is, can the script
> be run without gcc installed? How?
>

You are definitely going to need a C compiler to build the source. It
doesn't have to be GCC, but it has to be something.

The configure script is right to bail out when there is no C compiler
present at all. It won't be able to run its own tests, let alone build the
source.

- Mike


Re: How to find unused VMs

2021-09-12 Thread Mike Jumper
On Sun, Sep 12, 2021, 21:34 takuya morita  wrote:

> Hi, I am Takuya.
>
> There are some things I want to achieve in using guacamole.
>
> I have 100 VMs, and 200 users can access them at any given time. All users
> will have the right to connect to all 100 VMs. When 97 VMs are in use, a
> user can access one of the remaining three. However, with the current
> Guacamole, it seems to be difficult to find the three unused VMs.
> Is there any way to solve this problem?
>

If you place all the VMs within a balancing connection group, you can
instead connect to the group and let Guacamole choose an available VM for
you.

- Mike


Re: Locking password view

2021-09-01 Thread Mike Jumper
On Wed, Sep 1, 2021 at 4:29 PM Alejandro Hernandez 
wrote:

> Hello!
>
> I have 2 admins for Guacamole (GUI level, not Linux level).
>
> Outside Guacamole those 2 persons do not share all of their passwords (ie.
> just one knows the domain admin password).
>
> Using Guacamole one could create a session so the other can use the domain
> admin.
>
> Since both are Guacamole admins, if the user that doesn't know the
> password edits the respective connection would be able to see and then know
> such password by simply, easily and quickly pressing the lock icon next to
> it.
>
> May I disable such lock icon? So they are able to enter any password
> anywhere but then unable to see such password so easily...
>
> I know that doesn't make it entirely secure, but in that particular case
> I think it would be enough.
>

No, and you definitely *SHOULD NOT* do this. You should only grant full
admin-level access to users that truly should be able to see and edit
everything. The "administer system" permission is identical in principle to
the root user on Linux systems.

Your options here would be:

   1. Integrate Guacamole with your Active Directory using LDAP and use
   parameter tokens to pass through the user's own credentials, that way no
   credentials are stored:
   https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
   2. Do not grant these users full admin permission, but rather only any
   relevant "create" permissions. They will only be able to see, edit, and
   manage the connections or users that they create. Despite having admin
   access to *their* connections, they won't be able to see or touch the
   connections created by the other.
   3. Separate the systems, giving one admin access to one and the other
   admin access to the other.
   4. Leverage the upcoming vault support, when it's ready:
   https://issues.apache.org/jira/browse/GUACAMOLE-641

Do not grant full admin access to users unless those users truly need and
should have that kind of access. If they shouldn't have that kind of
access, or you feel the need to restrict that access, then that means they
definitely should not be given that level of access.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: Maximum number of users that can be registered

2021-08-22 Thread Mike Jumper
On Sun, Aug 22, 2021, 17:42 takuya morita  wrote:

> Hi, I am Takuya.
> Thank you for answering my question before.
>
> Apart from that, I have a question.
> Did the official documents say what the maximum number of users is?
>
> If it does not say, please tell me.
>

There is no maximum.

- Mike


Re: Guacamole dynamically create connections

2021-08-22 Thread Mike Jumper
On Sun, Aug 22, 2021, 12:59 Tim Worcester 
wrote:

> Greetings,
>
> I have been looking through the code and I have been unable to find an
> event that I can intercept in guacamole-ext to allow me to dynamically spin
> up a desktop via some code, operator or controller in reaction to a user
> clicking on a connection-group.  Is there an event that I am missing or is
> this feature not currently supported?
>

You would implement the decorate() and redecorate() functions to decorate
the UserContext, Directory, Connection, and ConnectionGroup objects of
other extensions, overriding connect() to perform those additional
housekeeping tasks.

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#decorate-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#redecorate-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

There is a family of delegating objects provided by guacamole-ext to make
this sort of decoration easier (DelegatingUserContext, DelegatingDirectory,
etc.).

Your extension can also add attributes to the Connection and
ConnectionGroup objects to make the details of the desktop that needs to be
spun up editable to an admin.

- Mike


Re: Keep Session Alive

2021-08-20 Thread Mike Jumper
Yes, but that's ultimately up to the remote desktop server, not Guacamole.
Your remote desktop session should remain alive with any applications
running unless it's been configured otherwise.

For protocols without inherent session management like SSH, you would need
to run your task with something like "screen" or "tmux".

- Mike


On Fri, Aug 20, 2021, 14:34 Asmodean Thor  wrote:

> Is it possible to keep a session with an ongoing task to stay alive even
> if I close the tab I used to start it?


Re: How to upgrade Guacamole 1.0 to 1.3 on Ubuntu

2021-08-17 Thread Mike Jumper
On Tue, Aug 17, 2021 at 7:57 AM Roman Adyev  wrote:

> Thank you very much for the pointer but unfortunately I didn't find any
> article concerning update procedure there, only:
>
> Installing
>
> Configuring
>
> Administration
>
> Troubleshooting
>
> Etc.
>

To upgrade a native installation of 1.0.0 to 1.3.0, you go through the
installation steps again, effectively replacing your existing install with
the new one. The configuration files, their locations, etc. are all the
same, so you don't need to make any other changes beyond building the newer
guacamole-server, deploying the new .war, and updating your extensions.

If you were upgrading from a release prior to 1.0.0 like 0.9.14, there
would also be schema changes that need to be applied, but that will not be
the case for upgrading any 1.x release to any later 1.x release. If ever
the schema changes again, that release would get a full major number bump.

- Mike


Re: guacamole broken on Safari

2021-08-17 Thread Mike Jumper
This should now be fixed via
https://github.com/apache/guacamole-client/pull/639. The issue was that an
old CSS class, "tiled-client-list", was replaced with a corresponding
directive, "guac-tiled-clients" via commit c990043, but the style rule that
referenced "tiled-client-list" was not updated accordingly.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.


On Mon, Aug 16, 2021 at 8:46 PM Mike Jumper 
wrote:

> OK - after installing a copy of OS X "Catalina" within VirtualBox, I'm now
> able to reproduce this on the included older version of Safari. I'll start
> digging into what CSS changes are needed to un-break older Safaris.
>
> Michael Jumper
> CEO, Lead Developer
> Glyptodon Inc <https://glyp.to/>.
>
>
> On Fri, Aug 13, 2021 at 6:03 AM Leo Nikolaev 
> wrote:
>
>> Okay, I think this could be closed.
>>
>> I’ve done the tests, only the old versions of Safari are affected: 14.0
>> and below. As long as we have a relatively small share of old Safari
>> browsers.
>>
>> Btw, I’ve tracked down the bug in current master, it all comes to wrong
>> height, which is not firing from somewhere deep inside tiles.
>>
>> Mike, thanks for your help :)
>>
>> Cheers,
>> Leo
>>
>> > On 13 Aug 2021, at 00:42, Mike Jumper 
>> wrote:
>> >
>> > On Wed, Aug 11, 2021 at 2:52 PM Leo Nikolaev 
>> wrote:
>> > You mean I should not see this issue on latest master? Is there a
>> different code there?
>> >
>> > The code on master should be the same code that you bisected - it just
>> happens that code from the specific commit that you found through the
>> bisect was already effectively undone by a later commit that would also
>> have been in the history when you did the bisect.
>> >
>> > All this means is that the result of the bisect is not as
>> straightforward as would be ideal.
>> >
>> > - Mike
>> >
>>
>>
>> -
>> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
>> For additional commands, e-mail: user-h...@guacamole.apache.org
>>
>>


Re: guacamole broken on Safari

2021-08-16 Thread Mike Jumper
OK - after installing a copy of OS X "Catalina" within VirtualBox, I'm now
able to reproduce this on the included older version of Safari. I'll start
digging into what CSS changes are needed to un-break older Safaris.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.


On Fri, Aug 13, 2021 at 6:03 AM Leo Nikolaev  wrote:

> Okay, I think this could be closed.
>
> I’ve done the tests, only the old versions of Safari are affected: 14.0
> and below. As long as we have a relatively small share of old Safari
> browsers.
>
> Btw, I’ve tracked down the bug in current master, it all comes to wrong
> height, which is not firing from somewhere deep inside tiles.
>
> Mike, thanks for your help :)
>
> Cheers,
> Leo
>
> > On 13 Aug 2021, at 00:42, Mike Jumper  wrote:
> >
> > On Wed, Aug 11, 2021 at 2:52 PM Leo Nikolaev 
> wrote:
> > You mean I should not see this issue on latest master? Is there a
> different code there?
> >
> > The code on master should be the same code that you bisected - it just
> happens that code from the specific commit that you found through the
> bisect was already effectively undone by a later commit that would also
> have been in the history when you did the bisect.
> >
> > All this means is that the result of the bisect is not as
> straightforward as would be ideal.
> >
> > - Mike
> >
>


Re: Remove translations

2021-08-12 Thread Mike Jumper
On Thu, Aug 12, 2021, 17:40 Alejandro Hernandez 
wrote:

> Hello! My first forum message! Greetings everyone!
>
> Quick question with perhaps not-so-quick answer:
>
> How may I remove from the dropdown list of languages in the configuration
> section some translations? I want to keep just 3 of them in the list.
>
> Thanks
>

See the "allowed-languages" property:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

- Mike

