Hi Nick, I believe header authentication is loading properly, I see this in the logs:

DEBUG o.a.g.extension.ExtensionModule - [0] Binding AuthenticationProvider "org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider".
INFO o.a.g.extension.ExtensionModule - Extension "HTTP Header Authentication Extension" loaded.

I set up an authenticated script to dump CGI environment using the same apache config and it shows REMOTE_USER = [email protected] for my kerberos authenticated connections. I have created users in guacamole for griznog and [email protected] (via the gui as guacadmin).

A failed login attempt looks like this in the logs:

server: 12:03:54.687 [http-apr-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
server: 12:03:55.084 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Created connection 1290256496.
server: 12:03:55.084 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1290256496 ...
server: 12:03:55.087 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1290256496 is GOOD!
server: 12:03:55.089 [http-apr-8080-exec-3] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Preparing: SELECT guacamole_user.user_id, guacamole_user.username, password_hash, password_salt, password_date, disabled, expired, access_window_start, access_window_end, valid_from, valid_until, timezone, full_name, email_address, organization, organizational_role, MAX(start_date) AS last_active FROM guacamole_user LEFT JOIN guacamole_user_history ON guacamole_user_history.user_id = guacamole_user.user_id WHERE guacamole_user.username = ? GROUP BY guacamole_user.user_id
server: 12:03:55.119 [http-apr-8080-exec-3] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: griznog(String)
server: 12:03:55.146 [http-apr-8080-exec-3] DEBUG o.a.g.a.j.user.UserMapper.selectOne - <== Total: 1
server: 12:03:55.147 [http-apr-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.jdbc.JDBC4Connection@4ce7c070]
server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.jdbc.JDBC4Connection@4ce7c070]
server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1290256496 ...
server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1290256496 is GOOD!
server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1290256496 to pool.
server: 12:03:55.150 [http-apr-8080-exec-3] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/usr/share/tomcat/.guacamole/user-mapping.xml" does not exist and will not be read.
server: 12:03:55.151 [http-apr-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.210.255.254, ::1] for user "griznog" failed.

I thought it might be that my REMOTE_USER has the kerberos realm attached and I've been trying to figure out how to use REMOTE_USER to set a different variable with @realm stripped off, but so far my attempts have failed.

Thanks,

jbh

On Wed, Mar 21, 2018 at 9:59 AM, Nick Couchman <[email protected]> wrote:

> On Tue, Mar 20, 2018 at 6:39 PM, John Hanks <[email protected]> wrote:
>
>> Hi,
>>
>> I have guacamole working with an Apache reverse proxy which does kerberos
>> authentication and guacamole using HTTP header auth and mysql (mariaDB on
>> CentOS 7). I'd like to have the user auth with apache and then have that
>> accepted by guacamole but when I attempt to connect in the logs I get:
>>
>> server: 15:27:03.592 [http-apr-8080-exec-3] WARN
>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>> [10.210.255.254, ::1] for user "griznog" failed.
>> server: 15:27:09.804 [http-apr-8080-exec-7] WARN
>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>> [10.210.255.254, ::1] for user "griznog" failed.
>>
>> I then get the guacamole login screen and can log in with the password
>> set in the users entry in the database. I've tried with an empty password
>> in the database entry for the user, but that fails as well, however with
>> only one warning in the logs.
>>
>> What I would like to do is to have the database just used to store
>> user/connection info and let the web proxy handle all the authentication.
>> Is that possible and if so, how do I configure that?
>>
>>
> Do you have the header authentication extension loaded? Can you verify in
> your logs that it is loading correctly?
>
> Also, if the user is being passed through with some header other than
> REMOTE_USER, you'll need to configure the header name that is used by the
> header extension. See:
> http://guacamole.apache.org/doc/gug/header-auth.html
>
> If you've verified that it's loading, and you're still having issues, then
> you'll need to post logs and probably your Apache httpd configs back here
> so we can try to help figure out what's going on.
>
> -Nick
>
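
The realm stripping discussed in this thread, as an added example that is not part of the original messages: a Python sketch of the mapping rule, which checks the realm before dropping it so that a principal from another realm cannot land on the same local account. The realm EXAMPLE.ORG, the sample principals and the names `local_username`, `PrincipalRejected` and `TRUSTED_REALMS` are assumptions made for illustration; the real realm is not shown in the thread.

```python
"""Map a Kerberos principal taken from REMOTE_USER to a local account name."""

# Assumption: the single realm whose users may map to local accounts.
# EXAMPLE.ORG is a placeholder, not a value from the thread.
TRUSTED_REALMS = frozenset({"EXAMPLE.ORG"})


class PrincipalRejected(ValueError):
    """Raised when a principal must not be mapped to a local username."""


def local_username(remote_user, trusted_realms=TRUSTED_REALMS):
    """Return the realm-less username for a principal in a trusted realm.

    Cutting blindly at '@' would map user@OTHER.REALM onto the same local
    account as user@EXAMPLE.ORG, so the realm is verified before removal.
    """
    if not remote_user or remote_user != remote_user.strip():
        raise PrincipalRejected("empty or padded value")
    name, sep, realm = remote_user.rpartition("@")
    if not sep:
        # No realm present: the value did not come from the Kerberos layer.
        raise PrincipalRejected("no realm in %r" % remote_user)
    if realm not in trusted_realms:
        # Realm names are case-sensitive, so the comparison is exact.
        raise PrincipalRejected("untrusted realm %r" % realm)
    if not name or "@" in name or "/" in name:
        # 'user/admin@REALM' and 'a@b@REALM' are distinct principals.
        raise PrincipalRejected("unsupported principal name %r" % name)
    return name


def demo():
    """Run the mapping over constructed sample principals."""
    samples = ["griznog@EXAMPLE.ORG", "griznog@OTHER.EXAMPLE",
               "griznog/admin@EXAMPLE.ORG", "griznog"]
    results = {}
    for principal in samples:
        try:
            results[principal] = local_username(principal)
        except PrincipalRejected:
            results[principal] = None  # rejected, no local account
    return results


if __name__ == "__main__":
    for principal, user in demo().items():
        print("%-28s -> %s" % (principal, user or "REJECTED"))
```
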
