On Tue, Nov 20, 2018 at 3:58 PM SergeyKh <mail4ser...@gmail.com> wrote:

> so the steps:
> 1. built the documentation from the git
> 2. built guacd + guacamole's war + extensions from the git as described
> in the manual
> 3. installed all the dependencies on ubuntu 18. mysql 5.7.24,
> tomcat 8.5.30.0 and all the stuff that is needed from the manual.
> 4. set up mysql auth. it works as it should. I've got guacadmin, that I
> used to make users and connections. everything is ok for now.
> 6. then I made a user with the same username as my AD user that I want
> to use via radius. the password is empty. (I did the same for ldap auth
> and it worked well.)
> 7. enabled radius auth extension. the names of the jars are:
>                   01-guacamole-auth-radius-1.0.0.jar
>                   02-guacamole-auth-jdbc-mysql-1.0.0.jar
> 8. guacamole.properties:
>            radius-hostname: IP of my radius  (I've tested with freeradius
> and  Rcdevs OpenOTP RADIUS Bridge)
>            radius-auth-port: 1812
>            radius-shared-secret: secret
>            radius-auth-protocol: pap
> 9. restart tomcat
> 10. log in to guacamole with guacadmin from mysql works fine. any other
> users from mysql work fine. they authenticate, can manage their connections
> and so on.
> 11. log in to guacamole with AD user via radius. the user authenticates
> well. I can see successful login messages in my radius logs and in tomcat's
> catalina.out
>   but:
>  if the user has no connections i get:
>  "An error has occurred and this action cannot be completed. If the
> problem
> persists, please notify your system administrator or check your system
> logs."
>

Okay, I tried this out myself and I have absolutely no issues making it
work.  Here are the exact steps I took to reproduce:
0) I'm running on CentOS7, latest updates installed.
1) Check out Guacamole Client and Server from git repos, and checkout the
staging/1.0.0 branch (not sure if you're using this one or master?  I have
not tried with the master branch).
2) Install prereqs for Guacamole Server, build and install Guacamole server
and start via "systemctl enable --now guacd"
3) Install openjdk 1.8.0 headless and devel
4) Download and unpack the latest Tomcat 8.5.  Change ownership to
daemon.daemon and start Tomcat.
5) Download and unpack the latest Maven 3.6.2.
6) Build Guacamole Client using the -Plgpl-extensions flag to build the
RADIUS module.
7) Install, initialize, configure, and start the PostgreSQL Server
8) Create the directories /etc/guacamole, /etc/guacamole/lib, and
/etc/guacamole/extensions, and change ownership to daemon.daemon
9) Link the PostgreSQL JDBC driver into /etc/guacamole/lib
10) Edit the /etc/guacamole/guacamole.properties file and specify the
PostgreSQL parameters and the RADIUS parameters.
11) Use the two SQL files in the PostgreSQL tarball to initialize the
Guacamole database and create the guacadmin user.
12) Place the PostgreSQL JDBC extension and the RADIUS extension in
/etc/guacamole/extensions.  Rename similar to how you did it so that RADIUS
loads and evaluates before PostgreSQL
13) Deploy the guacamole WAR file
14) Configure Nginx to proxy the Tomcat connection and configure SSL
(should not matter whether you do this or not, I'm just trying to lay out
the exact steps I went through)
15) Log in as guacadmin.  Verify login works and am taken to the Guacamole
Home screen.  There are no connections, so it's essentially the empty
screen with nothing available and the menu in the upper-right corner of the
screen.  This user account has full access to settings.
16) Log out and log in as a RADIUS user.  Verify that the RADIUS login
succeeds.  I am using RADIUS with LinOTP, so I get prompted for PIN + OTP.
Login works and I am taken to the blank Guacamole Home page, with the menu
in the upper-right corner of the screen.  This user only has access to
preferences - no ability to administer the system.
17) Log back out and log in as the guacadmin user and create a connection.
Verify that the connection works.
18) Log out and log in as RADIUS user.  User still gets blank home page.
19) Log out and back in as guacadmin user.  Create the RADIUS user in the
JDBC module (using identical username to RADIUS user).  Assign permissions
for this user to access the connection that has been created.
20) Log out and back in as RADIUS user.  User gets automatically connected
to the available connection (this is expected behavior).
21) Log out and back in as guacadmin, and create another connection.  Do
not assign permissions for the RADIUS user to this connection, yet.
22) Log out and back in as RADIUS user.  User still gets automatically
connected to the only connection user has permission to.
23) Log out and back in as guacadmin, and assign permissions for the second
connection to the RADIUS user.
24) Log out and back in as RADIUS user.  RADIUS user now gets taken to the
home screen and gets the option of which of the two connections they want
to use.

All of these steps execute without a problem, and everything works as
expected.  I am able to use Ctrl-Alt-Shift to get the menu and can
disconnect from the session and get back to the home screen.


>
> if the user has only one connection he can use it because it starts
> automatically right after login, but if the user wants to log off that
> connection (ctrl+alt+shift also gets an error) and return to his
> guacamole-web-stuff (the place where he can add and manage connections) he
> gets an error:
> "An error has occurred and this action cannot be completed. If the problem
> persists, please notify your system administrator or check your system
> logs."
>
> tomcat's localhost_access_log..txt has:
>

The contents of catalina.out would be more useful in diagnosing this.
Additionally, you might want to put Guacamole Client into debug mode and
look at catalina.out to see what messages are thrown:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging


> so GET 
> /guacamole/api/session/data/radius/users/MY-AD-USERNAME?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
> gets 404
>

This is expected behavior, IIRC.

-Nick
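Both messages above depend on the extension filenames to decide which module evaluates a login first (Sergey's step 7, Nick's step 12), and both pair a JDBC backend with the RADIUS module in guacamole.properties. The following shell script is an added example written for this page; it is not code from the thread or from the Guacamole project. It writes a properties file of the shape both messages describe, lays out an extensions directory with the numeric prefixes used in the thread, and reports which jar evaluates first. The hostnames, ports, database name, credentials and shared secret are placeholder assumptions, and the ordering helper assumes, as both messages do, that the web app orders extensions by filename.

```shell
#!/bin/sh
# Added example (not from the thread or the Guacamole project): lay out
# a Guacamole config directory the way the two messages describe and show
# which extension evaluates first. Hosts, ports, database name, credentials
# and the shared secret are placeholder assumptions for illustration.
set -eu

# Write the properties both messages describe: one JDBC backend plus RADIUS.
# Assumed values are placeholders; replace them before real use.
write_properties() {
    dir="$1"
    cat > "$dir/guacamole.properties" <<'EOF'
# guacd
guacd-hostname: localhost
guacd-port: 4822

# PostgreSQL auth (JDBC extension) -- assumed database name and credentials
postgresql-hostname: localhost
postgresql-port: 5432
postgresql-database: guacamole_db
postgresql-username: guacamole_user
postgresql-password: CHANGE_ME

# RADIUS auth -- assumed server address. Use a long random shared secret:
# with PAP the user password is only hidden by XOR against
# MD5(shared secret || request authenticator), so the secret carries the load.
radius-hostname: 192.0.2.10
radius-auth-port: 1812
radius-shared-secret: CHANGE_ME_TO_A_LONG_RANDOM_VALUE
radius-auth-protocol: pap
EOF
}

# Print the extension jars in the order the web app will evaluate them.
# The thread relies on extensions being ordered by filename, which is why
# the 01-/02- prefixes make RADIUS run before the database module.
# A byte-wise sort reproduces that ordering independent of locale.
extension_order() {
    ls "$1" | grep '\.jar$' | LC_ALL=C sort
}

# Report whether the RADIUS jar sorts ahead of the JDBC jar; prints a
# verdict and returns 0 when RADIUS evaluates first, 1 otherwise.
radius_before_jdbc() {
    first=$(extension_order "$1" | grep -m1 -E 'radius|jdbc' || true)
    case "$first" in
        *radius*) echo "RADIUS evaluates first"; return 0 ;;
        *)        echo "JDBC evaluates first: rename the jars"; return 1 ;;
    esac
}

# Demo against a scratch directory so the script runs without touching /etc.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/extensions" "$tmp/lib"
    write_properties "$tmp"
    : > "$tmp/extensions/01-guacamole-auth-radius-1.0.0.jar"
    : > "$tmp/extensions/02-guacamole-auth-jdbc-postgresql-1.0.0.jar"
    extension_order "$tmp/extensions"
    radius_before_jdbc "$tmp/extensions"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the ordering for the prefixed jar names; point `radius_before_jdbc` at a real /etc/guacamole/extensions to check an installed layout. Without the prefixes, `guacamole-auth-jdbc-...` sorts ahead of `guacamole-auth-radius-...`, which is the opposite of the order both messages want.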
