How does cas-group-attribute work?

[Aaron Cayard-Roberts]

Hello all, 

We've been using guacamole for a couple of years with CAS for authentication 
and it's been great. We recently upgraded our system to 1.4 and everything has 
been working great. 

Currently, we're handling our groups (and connections) through the database 
extension but I was interested in trying out the cas-group-attribute. Is this 
option compatible with the database extension? I was expecting either new 
groups to be created and/or the membership of the groups to be updated based on 
the cas-group-attribute values of the user's sessionbut that doesn't seem 
to be happening. 


-Aaron 

-- 
Aaron Cayard-Roberts 
Senior Systems and Security Administrator 
Information Technology Services 
Earlham College 
801 National Road West 
Richmond, IN 47374 
Phone: 765-983-1851 

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

[Mauricio Silveira]

Hey Mike, thanks for the quick response. ( Sorry for the e-mail sent 
direct to you, long time since last time i sent mails to a Mailing List)



It's not just about key-press/events.

If I open a guacamole RDP session, click the URL/address bar, and press 
enter, it is just the same behaviour as pressing F5 key. Clicking the 
address refresh button : same behaviour.



PS: I had to close all incognito windows, then reopen after editing 
nginx config and restarting nginx to perform tests.



Steps:

1.) Login, enter any RDP Connection, copy Connection URL, logoff guacamole

( prferably enter private/incognito mode )

2.) Paste Connection URL, enter credentials, wait for logon

3.) Click the address bar and simply press enter.

Result: Black, screen

4.) press Ctrl+Alt+Shift for user menu

5.) Now click username, disconnect

Result: It doesn't disconnect / whatever happens here.

6.) Repeat steps 4 and 5, same results.

7.) Now click logoff, it works, gets logged off from guacamole.



Quick Update:

a) Repeat steps 1-4 above

b) Now click settings

c) Click at the tiling connection at bottom right

It goes back into the Connection.


I'm just presenting a strange behaviour ( not happening in 1.3.0 ).


Thanks,

Mauricio Silveira


On 3/7/22 16:54, Mike Jumper wrote:
On Mon, Mar 7, 2022 at 11:41 AM Mauricio Silveira 
 wrote:


Hi.

I've done extensive tests, trying to figure out why a browser refresh
(hitting F5) was causing a RDP session to turn into a black screen
( not
sure about other connection types ), but Ctrl+Alt+Shift still works -
using nginx + guacamole 1.4.0. Apache proxying was working fine.

After trying different distros, versions and package versions, I
found
this thread:
https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 ,
and
gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot.
Immediate fix.

Haven't given it a deeper look to confirm, just tried with guacamole
1.3.0 and it works fine even with X-Frame-Options DENY .

I found this possible problem, because I was testing full-screen by
pressing F11, then F5 to reload guacamole session with the new window
size in full screen.

This might be a bug, maybe not, just writing it down to help others
dealing with this possible issue.


No, this is not a bug. Guacamole already does everything it can to 
handle all keyboard interaction. It cannot control whether the 
browser, OS, etc. take control of certain keys or shortcuts. It can 
only request that the browser send it everything, and hope that 
the browser will do so.


https://guacamole.apache.org/faq/#keyboard-shortcuts

- Mike

Guacamole 1.4.0 Issues setting up SAML authentication

[Michael Vasile (Student Employee)]

Hi all,

Trying to configure SAML on Guacamole for the first time. I have recently built 
a new Guacamole environment running version 1.4.0, and am having issues with 
having our IdP communicate back to the SAML extension.

When attempting to authenticate using SAML, the authentication fails with this 
error in the logs:
SAML response did not pass validation: The response was received at 
http://[HOSTNAME]/guacamole/api/ext/saml/callback instead of 
https://[HOSTNAME]/api/ext/saml/callback.

The ACS on the IdP is specified as the 
https://[HOSTNAME]/api/ext/saml/callback, so it seems that there is some 
configuration issue or Guacamole or the web server (I am using Nginx for 
reverse proxying).

Any ideas?

Thanks,
Mike

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

[Mike Jumper]

On Mon, Mar 7, 2022 at 11:41 AM Mauricio Silveira 
wrote:

> Hi.
>
> I've done extensive tests, trying to figure out why a browser refresh
> (hitting F5) was causing a RDP session to turn into a black screen ( not
> sure about other connection types ), but Ctrl+Alt+Shift still works -
> using nginx + guacamole 1.4.0. Apache proxying was working fine.
>
> After trying different distros, versions and package versions, I found
> this thread:
> https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 , and
> gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot.
> Immediate fix.
>
> Haven't given it a deeper look to confirm, just tried with guacamole
> 1.3.0 and it works fine even with X-Frame-Options DENY .
>
> I found this possible problem, because I was testing full-screen by
> pressing F11, then F5 to reload guacamole session with the new window
> size in full screen.
>
> This might be a bug, maybe not, just writing it down to help others
> dealing with this possible issue.
>

No, this is not a bug. Guacamole already does everything it can to handle
all keyboard interaction. It cannot control whether the browser, OS, etc.
take control of certain keys or shortcuts. It can only request that the
browser send it everything, and hope that the browser will do so.

https://guacamole.apache.org/faq/#keyboard-shortcuts

- Mike

guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

[Mauricio Silveira]

Hi.


I've done extensive tests, trying to figure out why a browser refresh 
(hitting F5) was causing a RDP session to turn into a black screen ( not 
sure about other connection types ), but Ctrl+Alt+Shift still works - 
using nginx + guacamole 1.4.0. Apache proxying was working fine.



After trying different distros, versions and package versions, I found 
this thread: 
https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 , and 
gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot. 
Immediate fix.



Haven't given it a deeper look to confirm, just tried with guacamole 
1.3.0 and it works fine even with X-Frame-Options DENY .



I found this possible problem, because I was testing full-screen by 
pressing F11, then F5 to reload guacamole session with the new window 
size in full screen.



This might be a bug, maybe not, just writing it down to help others 
dealing with this possible issue.



Thanks,

Mauricio Silveira


-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Enabling TLS on the Connection - updating the keystore

[Kevin Cameron]

I am looking to enable TLS between Guac and my Linux VM running XRDP.  I have a 
cert on XRDP and when I connect with Windows I do not get the "this is an 
invalid cert trust window" so I know the cert is OK (it is provisioned by our 
local cert provider).

When I enable TLS on the connection in Guacamole I have to click on the "ignore 
cert" option for the connection to be accepted.

Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: No known host keys provided, host 
identity will not be verified.
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: Loading keymap "base"
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: Loading keymap "en-us-qwerty"
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: Certificate validation failed
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: RDP server closed/refused 
connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: User 
"@09c27536-0232-4d8a-9554-31f7a4ff5698" disconnected (0 users remain)
Mar  7 18:43:47 mt02e1gws0005v guacd[2885]: Last user of connection 
"$84e6f47c-6fd4-4e46-88a9-55b1cd8d2ea9" disconnected

How do I add our cert chain to Guacamole so it will accept our certs?  I am 
using Tomcat 9 and tried to import the cert with keytool -import -alias 
saas_priv -file my_file.crt  but is there a special keystore I have to specify?

Thanks,
Kevin

Kevin Cameron
Senior Cloud Orchestration Engineer

[https://apps.kinaxis.com/email-signature/images/Kinaxis-logo-150px.png]

O: +1 (343) 803-3972 | M: +1 (613) 850-3955

[https://apps.kinaxis.com/email-signature/images/icon-linkedin-32px-lightblue.png]
  
[https://apps.kinaxis.com/email-signature/images/icon-twitter-32px-lightblue.png]
    
[https://apps.kinaxis.com/email-signature/images/icon-facebook-32px-lightblue.png]
    
[https://apps.kinaxis.com/email-signature/images/icon-youtube-32px-lightblue.png]
    
[https://apps.kinaxis.com/email-signature/images/icon-instagram-32px-lightblue.png]
 
Follow Kinaxis on LinkedIn  for the 
latest supply chain insights.

Confidential. This email and any attachments hereto may contain private, 
confidential, and privileged material for the sole use of the addressee. Any 
review, copying, or distribution of this email (or any attachments thereto) by 
others is strictly prohibited. If you are not the intended recipient, please 
return this email to the sender immediately and permanently delete the original 
and any copies of this email and any of its attachments. Thank you.

Re: [EXT] IDE recs?

[Tushar Sheth]

Thanks for these suggestions!

On Sat, Mar 5, 2022 at 4:12 PM Nick Couchman  wrote:

> I recommend NetBeans - it's what I use for writing/editing Guacamole code.
> It has good C/C++, Java, JSON, CSS, JS, and HTML extensions. It integrates
> well with Maven for building the client-side code.
>
> -Nick
>
> On Sat, Mar 5, 2022 at 3:06 PM Leath, Austin  wrote:
>
>> Microsoft Visual Studio Code. It is perfect for any coding project. Tons
>> of extensions to customize your workflow.
>>
>>
>> On Mar 5, 2022, at 1:58 PM, Tushar Sheth  wrote:
>>
>> 
>> We're making some modifications to the guac code - both in
>> guacamole-server and guacamole-client.
>>
>> What IDE do you all recommend/what are you all using?
>>
>> I'm on macos.
>>
>> Tushar
>>
>>

Re: Understanding Sharing Profile for Non-Admins

[Rasmus Haslund]

Is it not possible to pre-share a connection that another non-admin user can 
use to “monitor” a users connection?

With best regards,
Rasmus Haslund
Principal Technologist & VMCT Program Manager | Veeam Software | Phone: +40 372 
821 972 | Twitter: @haslund

From: "Leath, Austin" 
Reply to: "user@guacamole.apache.org" 
Date: Tuesday, 1 March 2022 at 18.40
To: "user@guacamole.apache.org" 
Subject: RE: Re: Understanding Sharing Profile for Non-Admins

CAUTION - This email originated from outside of Veeam. Do not click links or 
open attachments unless you recognize the sender.

Hello, we are utilizing the guacamole API and are really wanting to know if 
there is a PATCH API endpoint that allows us to add sharing profile connection 
permissions to user groups programmatically. All of the sharing profile 
connections are already created, all we need to do is figure out a way to add 
permissions for specific user groups to access them

I have been using some documentation that I found on GitHub that covers another 
version of Guacamole (Version 1.1.0), and while I know it is out of date it has 
mostly everything we need to create synchronization scripts.

I made an issue in that GitHub project that better describes what we are 
looking for: 
https://github.com/ridvanaltun/guacamole-rest-api-documentation/issues/8


On 2022/03/01 01:08:18 Mike Jumper wrote:
> On Mon, Feb 28, 2022, 12:42 Khoe, Yonathan 
> mailto:yo...@unt.edu>> wrote:
>
> > Hello,
> >
> > We set up sharing profiles for all of our connections under an admin
> > account.  We want the ability for our students to be able to generate a
> > share link to their connection viewing (to their professor) when they are
> > remoted to a machine.  We thought that this was the idea when we create the
> > sharing profiles individually and giving them a read-only option and name,
> > but it turns out that our students cannot see the “Share” button when
> > opening the Guacamole menu (ctrl+alt+shift).  The student accounts
> > themselves do not have any permissions; the user groups that the students
> > belong to also do not have permissions set (we only use it to assign the
> > connection groups).  Are we missing something in terms of letting
> > non-admins to be able to generate a share link to be given to other people?
> >
>
> You need to additionally grant the users (or the relevant group) access to
> the sharing profile, not just the connection. Only users with access to a
> particular sharing profile will be able to share the relevant connection
> using that profile.
>
> - Mike
>