Hi all, I compiled the latest and greatest server and client yesterday from master to try out google auth topt extension.
I got everything working great (first time I built it from source) to a point where I login using password, get a QR code for new account get “Apache Guacamole (topttest (or guacadmin)) entry to the Google Authenticator (android) application with changing code, but when I enter it, it just keeps on saying "Verification failed. Please try again.” Both topttest (normal account with only change password permission) and guacadmin has the same behavior. If I take topt extension out, the users (topttest, guacadmin) can access ok using just the password. I’m using mySQL, schema etc built using the scripts I got from master. After failed login attempts (tried both topttest and guacadmin) mySQL shows mysql> SELECT * FROM guacamole_user_attribute; +---------+-------------------------+----------------------------------+ | user_id | attribute_name | attribute_value | +---------+-------------------------+----------------------------------+ | 1 | guac-totp-key-confirmed | false | | 1 | guac-totp-key-secret | XXVBQ3HTHLJMXRNPMD57ZIZG2ZIN2U43 | | 5 | guac-totp-key-confirmed | false | | 5 | guac-totp-key-secret | YAKJNQMMZKY2MVIVCGSV6TMXLOUD2VIR | +---------+-------------------------+----------------------------------+ 4 rows in set (0.00 sec) mysql> SELECT * FROM guacamole_user; +---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+ | user_id | username | password_hash | password_salt | password_date | disabled | expired | access_window_start | access_window_end | valid_from | valid_until | timezone | full_name | email_address | organization | organizational_role | +---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+ | 1 | guacadmin | ?E?}IN;?$???u?Ul??,-}?c;?J)?A` | ?$???+%(???zy?B??`d?iųw??"d | 2018-04-15 07:21:55 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | ??W~v??YD??'?GG;F??n-? | 2018-04-15 10:36:21 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | 5 | topttest | ??e ??wG?x?v? ?F??mT=A??w?" | ?BۘF;?f??xk???i???P?m\f? | 2018-04-15 10:54:14 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | +---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+ 3 rows in set (0.00 sec) mysql> SELECT * FROM guacamole_user_permission; +---------+------------------+------------+ | user_id | affected_user_id | permission | +---------+------------------+------------+ | 1 | 1 | READ | | 1 | 1 | UPDATE | | 1 | 1 | ADMINISTER | | 1 | 4 | READ | | 1 | 4 | UPDATE | | 1 | 4 | DELETE | | 1 | 4 | ADMINISTER | | 4 | 4 | READ | | 4 | 4 | UPDATE | | 1 | 5 | READ | | 1 | 5 | UPDATE | | 1 | 5 | DELETE | | 1 | 5 | ADMINISTER | | 5 | 5 | READ | | 5 | 5 | UPDATE | +---------+------------------+------------+ 15 rows in set (0.01 sec) Tomcat logs show only: Sun Apr 15 11:02:17 EEST 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification. ==> localhost_access_log.2018-04-15.txt <== 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/ HTTP/1.1" 304 - 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/app.css?v=0.9.14 HTTP/1.1" 200 49878 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/app.js?v=0.9.14 HTTP/1.1" 200 304771 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/languages HTTP/1.1" 200 151 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/patches HTTP/1.1" 200 352 192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/translations/en.json HTTP/1.1" 200 37198 192.168.100.11 - - [15/Apr/2018:11:02:18 +0300] "POST /guacamole/api/tokens HTTP/1.1" 403 237 ==> catalina.out <== 11:02:30.987 [http-bio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "topttest" successfully authenticated from 192.168.100.11. ==> localhost_access_log.2018-04-15.txt <== 192.168.100.11 - - [15/Apr/2018:11:02:31 +0300] "POST /guacamole/api/tokens HTTP/1.1" 403 1433 ==> catalina.out <== 11:03:00.822 [http-bio-8080-exec-9] INFO o.a.g.r.auth.AuthenticationService - User "topttest" successfully authenticated from 192.168.100.11. ==> localhost_access_log.2018-04-15.txt <== 192.168.100.11 - - [15/Apr/2018:11:03:00 +0300] "POST /guacamole/api/tokens HTTP/1.1" 400 188 Permissions of the extension are the same as with jdbc, and the other stuff built using the 0.9.14 manual. I have not added any topt specific things to guacamole.properties. What could be the issue, what to check? Have I missed a step somewhere? Thanks for your help. — kalle