Removing users that don't have RD login permission

2017-11-22 Thread Erik Berndt
When rolling out Guacamole, I initially granted all users access but have
since added a ldap-user-search-filter to guacamole.properties to restrict
login to members in a specific OU.

The search-filter is working correctly, as new users added to our domain do
not appear in the user list until added to the OU defined in the
ldap-search-filter and users removed from this OU are removed from the user
list.

The issue I'm running into is that all active directory users that were
discovered during the initial deployment are still appearing. I'm using the
auth-jdbc-mysql and auth-ldap connectors to provide pass-thru
authentication using AD credentials.

The only users I see in the MySQL database are those that have been granted
explicit access to remote desktops.

Could I be missing another table where ldap users who haven't been assigned
connections reside or is there a way to force ldap-search to rebind users
based on the new ldap-user-search-filter?

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net


guacamole.properties environment variables

2017-11-29 Thread Erik Berndt
I've been playing around with passing MySQL and environment variables from
.bashrc to guacamole.properties in an attempt to prevent db and
search-bind-user info from being stored in plain-text, but haven't had any
luck.

Is it possible to pass system variables to guacamole.properties?


Re: Configuring LDAP

2017-12-01 Thread Erik Berndt
I don't know if you paraphrased the config file, but I noticed the
ldap-search-bind-dn common name doesn't have the space escaped. I wonder if
guacd is treating the ldap-search-bind-dn cn as two separate entries, hence
the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP
parameter, i.e. ldap-search-bind-dn: CN="Directory Manager",OU=foo,DC=faa,DC=gov,
and it's working successfully for us. The search-bind-dn user should be part
of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: X



Erik Berndt / Systems Administrator

On Fri, Dec 1, 2017 at 11:11 AM,  wrote:

> Just wondering if anyone has any ideas on how the LDAP is configured
> below?  This still isn’t working for me and I’d like to know why.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 27, 2017 1:49 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Here’s my current /etc/guacamole/guacamole.properties file:
>
>
>
> #MySQL properties
>
> mysql-hostname: localhost
>
> mysql-port:3306
>
> mysql-database: guacdb
>
> mysql-username: guacuser
>
> mysql-password: guacadmin
>
> mysql-default-max-connections-per-user: 0
>
> mysql-default-max-group-connections-per-user:0
>
>
>
> #LDAP properties
>
> ldap-hostname:my.hostname
>
> ldap-port:389
>
> ldap-encryption-method:none
>
> ldap-dereference-aliases:never
>
> ldap-search-bind-dn:cn=Directory Manager
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
>
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about.  If I use the other one
> (the commented out one above), I simply get “Authentication attempted ……
> failed”.  We use the “cn=users,cn=accounts” string in other projects where
> we communicate with our LDAP server, so I’m pretty sure that’s correct.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us
> ]
> *Sent:* Monday, November 27, 2017 12:38 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry, you said you tried "modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
> Ldap-username-attribute should be an LDAP attribute name like cn. Could you
> post your complete (redacted) guacamole.properties as you have it currently?
>
>
>
> Also, I saw that on a previous attempt today you got the log message:
>
>
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
>
>
> If you have two users under your search base with uid (or cn, or whatever
> you are using for ldap-username-attribute) "harry.devine" you are going to
> have to use a more specific search base or a more unique
> ldap-username-attribute or a more restrictive search filter so that you
> don't get multiple matches for the username you are typing into the
> username field on the login page.
>
>
>
> I.e., the attribute you match against has to uniquely identify the user
> beneath your search base for your query.
>
>
>
> -Jonathan Hankins
>
>
>
> On Mon, Nov 27, 2017, 10:10 AM Nick Couchman  wrote:
>
> On Mon, Nov 27, 2017 at 10:02 AM,  wrote:
>
> OK, so I tried that, including modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
> Developer Tools, and the following error in /var/log/messages:
>
>
>
> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
> o.a.g.r

Re: Configuring LDAP

2017-12-01 Thread Erik Berndt
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".

Are these users able to login successfully? Do they appear in the user list
when logged in to the admin console?

Double check that the ldap-user-base-dn is at the root of the AD structure
and the ldap-search-bind-dn user is correctly qualified. As Mike said, try
fully qualifying the base-dn attribute and post results. It may be that the
ldap-auth module is querying your AD and returning incomplete information
due to this not being fully qualified.

Erik Berndt / Systems Administrator

On Fri, Dec 1, 2017 at 1:37 PM,  wrote:

> OK I was able to get it to log in.  Here’s what I changed in my
> guacamole.properties to make it work:
>
> ldap-search-bind-dn:cn=”Directory Manager”
>
> ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
>
>
>
> So the user logs in fine, but in /var/log/messages, I get the following
> errors that I’m not sure are relevant or not:
>
> Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO
> o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully
> authenticated from 172.31.26.216.
>
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
>
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account:
> "Steve Smith".
>
> Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "cn": Error while querying users.
>
>
>
> VERY close now!  Thoughts?
>
> Harry
>
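
Added example, not part of the original thread or of Guacamole's code: a small model of the user search that shows why the warning quoted earlier lists two DNs for "harry.devine" under dc=example,dc=com, and why narrowing ldap-user-base-dn to cn=users,cn=accounts,dc=example,dc=com leaves one. The in-memory directory, the "jon.moen" entry and the function names are constructed for illustration; the search is a simplified stand-in for a subtree search on ldap-username-attribute.

```python
"""Model of 'Multiple DNs possible': one login name, several DNs under the base."""
from collections import defaultdict


def split_rdns(dn):
    """Split a DN into normalised (attribute, value) pairs.

    Commas inside double quotes or after a backslash do not separate RDNs,
    so OU="Information Technology" stays one component.
    """
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted          # quotes are dropped from the value
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base_dn):
    """True when dn equals base_dn or sits anywhere beneath it."""
    d, b = split_rdns(dn), split_rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(directory, base_dn, username_attr, username):
    """DNs beneath base_dn whose username_attr equals the typed login name."""
    return [
        entry["dn"]
        for entry in directory
        if is_under(entry["dn"], base_dn)
        and entry.get(username_attr, "").lower() == username.lower()
    ]


def resolve_login(directory, base_dn, username_attr, username):
    """Return the single matching DN, or None when zero or several match."""
    hits = search(directory, base_dn, username_attr, username)
    return hits[0] if len(hits) == 1 else None


def ambiguous_logins(directory, base_dn, username_attr):
    """Map each login name that resolves to more than one DN to those DNs."""
    seen = defaultdict(list)
    for entry in directory:
        if is_under(entry["dn"], base_dn) and username_attr in entry:
            seen[entry[username_attr].lower()].append(entry["dn"])
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


# First two DNs are the ones in the quoted warning; the third is constructed.
DIRECTORY = [
    {"dn": "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",
     "uid": "harry.devine"},
    {"dn": "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "harry.devine"},
    {"dn": "uid=jon.moen,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "jon.moen"},
]

WIDE_BASE = "dc=example,dc=com"
NARROW_BASE = "cn=users,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    for base in (WIDE_BASE, NARROW_BASE):
        print(base)
        print("  candidates:", search(DIRECTORY, base, "uid", "harry.devine"))
        print("  resolved:  ", resolve_login(DIRECTORY, base, "uid", "harry.devine"))
        print("  ambiguous: ", sorted(ambiguous_logins(DIRECTORY, base, "uid")))
```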

Re: report of activities on the server

2017-12-14 Thread Erik Berndt
Michael,

Check the catalina.out log under the /etc/tomcatX directory. That should
list the relevant user names and connects/disconnects.

On Thursday, December 14, 2017, mniehren  wrote:
> Hi together,
>
> i want to create a report, which user was connected to the guacamole-server
> and how long.
>
> In the log of guacd i found entries of the form
>   User "@e51b35cd-32f8-4474-8f32-25a848ae201e" joined connection
> "$971f2e6b-eac1-4386-bcd1-2879b7022ba8"
> and
>   User "@e51b35cd-32f8-4474-8f32-25a848ae201e" disconnected
>
> but how can i find out which Login-Name belongs to the user and which
> session name belongs
> to the connection ?
>
> maybe someone can help
>   Michael
>
>
>
>
> --
> Sent from:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>

-- 
Erik Berndt / Systems Administrator


report of activities on the server

2017-12-14 Thread Erik Berndt
>it would be unusual indeed for a Tomcat install to store its log files within its configuration directory

Right you are! No more absent-minded phone posting for me.

Michael,
Is this something you would mind sharing if you're successful? I, and I'm
sure others, would find this useful.


On Thursday, December 14, 2017, Mike Jumper 
wrote:
> On Thu, Dec 14, 2017 at 8:32 AM, Erik Berndt
>  wrote:
>> Michael,
>>
>> Check the catalina.out log under the /etc/tomcatX directory. That should
>> list the relevant user names and connects/disconnects.
>>
>
> Probably /var/log/tomcat or /var/log/tomcatX. It would be unusual
> indeed for a Tomcat install to store its log files within its
> configuration directory. It's also possible that things may be logged
> to /var/log/messages or journalctl.
>
> If you're using a database with Guacamole, an easier way to generate
> such a report might be to just issue queries against the
> guacamole_connection_history table. It stores exactly the information
> you're looking for:
>
>
http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-connection-history
>
> - Mike
>

-- 
Erik Berndt / Systems Administrator


Re: user-mapping.xml errors

2018-01-04 Thread Erik Berndt
Tim,
What OS is the rdp server? If you're able to access the console, I would
suspect the issue lies there. Try checking /var/log/syslog or
/var/log/tomcatX. That might give you some clues as to why the user
mapping/authentication is failing.

Erik Berndt / Systems Administrator

On Thu, Jan 4, 2018 at 2:49 PM, timrvt 
wrote:

> I have 0.9.13 installed basic-auth
> I can login to the console but the only thing I see are a recent
> connections
> (nothing) and all connections(nothing)
>
> when I edit user-mapping.xml and add a connection entry ..I then can't login
> to the console as that user (internal error ..reconnecting in 15 secs
> message)
>
> what am I doing wrong? any syntax seems to fail ssh ,rdp  etc...
>
> user-mapping.xml
> oot@cwbi-guac-rdp:>more user-mapping.xml
> 
>  username="admin"
> password="cc45c6d8f3761ca58135b28654d7a97f"
> encoding="md5">
> 
>
>  username="cwbiadmin"
> password="cc45c6d8f3761ca58135b28654d7a97f"
> encoding="md5">
> 
> rdp
> 172.31.58.241
> 
> 
> 
>
>
>
>
>


Re: user-mapping.xml errors

2018-01-05 Thread Erik Berndt
>rdp is a windows box
Which version? I believe server 2012 and above require NLA to properly
authenticate RDP connections. Is NLA enabled in the guacamole connection
settings?


Erik Berndt / Systems Administrator

On Fri, Jan 5, 2018 at 11:01 AM, timrvt 
wrote:

> seems like any entry I put in user2 authorize section causes me to be
> able
> to login to guacamole
> ssh or rdp ..rdp is a windows box
>
> guacd is running on the same host
>
>
>
>


Re: Do Guacamole RDP supports touch screens.

2018-01-17 Thread Erik Berndt
What kind of device are you running into issues on? I've had success using
Guacamole on various mobile devices without any extra configuration being
required.

Erik Berndt / Systems Administrator

On Wed, Jan 17, 2018 at 1:15 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> Do Guacamole RDP supports touch screens as well ?
>
> If yes, What is the configurations required to make it work ?
>
> I have tested on the touch monitor where it was not working.
>
> Can anyone help me out here ?
>
> Thanks in Advance !!
>
> Amarjeet Singh
>
>
>
>
> On Fri, Jan 12, 2018 at 7:58 PM, Amarjeet Singh 
> wrote:
>
>> Hi Team,
>>
>>
>> Do Guacamole RDP supports touch screens as well ?
>> If yes, What is the configurations required to make it work ?
>> I have tested on the touch monitor where it was not working.
>>
>> Thanks and Regards,
>> Amarjeet Singh
>>
>
>


Re: Installation question

2018-02-28 Thread Erik Berndt
I would double-check the syntax of the proxypass location in your virtual
host, especially the opening and closing location tags and the trailing
slash at the end of guacamole.

I could be wrong, but I think proxypass requires using http, regardless if
the site is served over https.

It's been a while since I've configured a guacamole server, but I recall
having a hard time using the ip address as the proxypass location, but it
worked fine using http://localhost:8080/guacamole/ or http://
:8080/guacamole/

Erik Berndt / Systems Administrator

On Wed, Feb 28, 2018 at 3:06 PM,  wrote:

> This is going to seem like a basic question, but I’m setting up a new
> guacamole installation following the user guide.  If I go to :8080, I
> get the Tomcat status page.  If I got to :8080/guacamole, I get Error
> 404 Resource not found.  I can’t seem to find where to set up the virtual
> directory to allow this to work.  Can someone point me in the right
> direction?  I’m drawing a blank on it.
>
>
>
> Thanks,
>
> Harry
>
>
>
> Harry Devine
>
> DOT/FAA/AJM-2412
>
> Common ARTS Software Development
>
> Terminal Server (NASDAC) Administrator
>
> Red Hat Certified System Administrator (RHCSA)
>
> harry.dev...@faa.gov
>
> (609)485-4218
>
> Building 300, 3rd Floor, Column L20 (3L20)
>
>
>


Re: anyone still using fail2ban

2018-05-16 Thread Erik Berndt
We use a Tomcat filter and it works just fine for Guacamole.

Filter:

# Fail2Ban tomcat filter
#
[INCLUDES]
#
[Definition]
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
#
[Init]
#
journalmatch = _SYSTEMD_UNIT=tomcat.service
maxlines = 5

Jail.local:

[tomcat]
port = http,https,8080
logpath = %(tomcat_access_log)s
enabled = yes
bantime = 14400
maxretry = 5



Erik Berndt / Systems Administrator

On Wed, May 16, 2018 at 4:25 PM, mdbarber  wrote:

> to cover guacamole?
> using it to protect a webmin instance but the default guacamole filter
> doesn't work and all the documentation i can find regarding syntax for
> filters is out of date.
> Any hints please?
> regards
> mdb
>
>
>

-- 


This e-mail and any files transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed.  If you are not the intended recipient or the person
responsible for delivering the e-mail to the intended recipient, be
advised that you have received this e-mail in error and that any use,
dissemination, forwarding, printing or copying of this e-mail is strictly
prohibited.  If you have received this e-mail in error, please immediately
notify Superior Paving Corp. by telephone at (703) 631-0004.  You will be
reimbursed for reasonable costs incurred in notifying us.
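
Added example, not part of the original post or of fail2ban: a way to check the filter's failregex against log lines before deploying it, applying the jail's maxretry of 5. The log lines are constructed, the host pattern is a simplified stand-in for what fail2ban substitutes for its <HOST> tag (assumed to sit right after the opening bracket), and the 600-second window is fail2ban's default findtime, which the jail above does not override.

```python
"""Dry-run of the Guacamole failregex over sample Tomcat log lines."""
import re
from collections import defaultdict

# failregex from the filter; fail2ban expands <HOST> itself at load time.
FAILREGEX = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'
# Simplified stand-in for that expansion (assumption: IP literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
TIME = re.compile(r"^(\d{2}):(\d{2}):(\d{2})")

# Constructed log lines in the bracketed format the filter expects. When a
# proxy chain is logged, the first address is the one the filter captures.
LOG = '''\
13:34:01.101 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "admin" failed.
13:34:05.220 [http-bio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "root" failed.
13:34:09.500 [http-bio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9, 10.0.0.5] for user "jdoe" failed.
13:34:12.010 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "guacadmin" failed.
13:34:20.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from [192.0.2.44].
13:34:31.300 [http-bio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "test" failed.
13:34:40.900 [http-bio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 10.0.0.5] for user "admin" failed.
13:50:00.000 [http-bio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9, 10.0.0.5] for user "jdoe" failed.
'''


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex into a Python regex with a named host group."""
    if "<HOST>" not in failregex:
        # Without the tag there is no address to ban.
        raise ValueError("failregex has no <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_by_host(lines, failregex=FAILREGEX):
    """Map each offending host to the times (seconds of day) of its failures."""
    pattern = compile_failregex(failregex)
    seen = defaultdict(list)
    for line in lines:
        hit, stamp = pattern.search(line), TIME.match(line)
        if hit and stamp:
            h, m, s = (int(x) for x in stamp.groups())
            seen[hit.group("host")].append(h * 3600 + m * 60 + s)
    return dict(seen)


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    banned = []
    for host, times in failures_by_host(lines).items():
        times = sorted(times)
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    lines = LOG.splitlines()
    for host, times in failures_by_host(lines).items():
        print(f"{host}: {len(times)} failed attempts")
    print("would ban:", hosts_to_ban(lines))
```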


Re: Plaintext passwords in guacamole.properties

2018-07-12 Thread Erik Berndt
>Your best option is to set filesystem permissions appropriately such that only Guacamole can read guacamole.properties.

I had a similar thought a few months ago and this is your best bet. Yes,
the password is stored in plain text on a publicly available server, but
it's not being transmitted externally, so locking it down should be
sufficient. We use smtp relay on a couple of servers and have the config
files storing the credentials set to 644. I just checked and
guacamole.properties is set to 604, which from what I can recall was the
most restrictive mode without the service becoming inaccessible.

Erik Berndt / Systems Administrator

On Thu, Jul 12, 2018 at 4:19 AM, Mike Jumper 
wrote:

> On Thu, Jul 12, 2018, 01:07 smoke  wrote:
>
>> Hello!
>>
>> I am a little put off by the unhashed password in
>> ldap-search-bind-password
>> (guacamole.properties). Is there a way to use the hash instead of the
>> visible pass? The same thing goes for the postgresql-password.
>>
>
> No - they're not that kind of password.
>
> Hashing only makes sense for passwords which will be verified by Guacamole
> - passwords which Guacamole does not need to know verbatim. In this case,
> those passwords must be sent by Guacamole to the LDAP or PostgreSQL server
> to authenticate, thus it must have the actual raw password, not a hash.
>
> Your best option is to set filesystem permissions appropriately such that
> only Guacamole can read guacamole.properties.
>
> - Mike
>
>

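
Added example, not part of the original posts or of Guacamole: a check for the advice quoted above that only Guacamole should be able to read guacamole.properties. It lists the credential-bearing keys in the file and reports whether the file mode lets other accounts read it; the sample file content and the function names are constructed, and the check looks at mode bits only, so confirming that the owner or group is the account the servlet container runs as is left to the operator.

```python
"""Audit the mode of a properties file that stores bind or database passwords."""
import os
import re
import stat
import tempfile

# Constructed sample; the values are placeholders.
SAMPLE = """\
# MySQL properties
mysql-hostname: localhost
mysql-username: guacuser
mysql-password: EXAMPLE-ONLY
# LDAP properties
ldap-search-bind-dn: cn=guacamole,dc=example,dc=com
ldap-search-bind-password = EXAMPLE-ONLY
"""


def secret_keys(text):
    """Property names ending in -password (key/value split on ':', '=' or space)."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key = re.split(r"[:=\s]", line, maxsplit=1)[0]
        if key.endswith("-password"):
            keys.append(key)
    return keys


def mode_findings(mode):
    """Describe mode bits that expose or endanger a file holding secrets."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("readable by other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings


def audit_file(path):
    """Return the file's mode, the secret keys it holds, and any findings."""
    with open(path, encoding="utf-8") as fh:
        keys = secret_keys(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": format(mode, "03o"),
        "secrets": keys,
        # Only a file that actually stores credentials is flagged.
        "findings": mode_findings(mode) if keys else [],
    }


def audit_sample_with_mode(mode):
    """Write SAMPLE to a temporary file, apply mode, and audit it."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # 604 and 644 are the modes mentioned in the thread; 640 assumes the
    # servlet container reads the file through its group.
    for mode in (0o604, 0o644, 0o640):
        print(audit_sample_with_mode(mode))
```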


Re: "Communications link failure" Exception being thrown.... Dear god help

2018-10-23 Thread Erik Berndt
Hey Zach,

>The last packet sent successfully to the server was 0 milliseconds ago. The
>driver has not received any packets from the server.
>Oct 23, 2018 6:28:44 PM com.sun.jersey.spi.container.ContainerResponse logException
>SEVERE: Mapped exception to response: 500 (Internal Server Error)


Have you checked any of the AWS logs? Based on the text above, there may be
something relevant there as to why the db server is not responding. Are you
able to ping across from the Guacamole instance to the db server and
vice-versa?

Erik Berndt



On Tue, Oct 23, 2018 at 3:09 PM Mike Jumper  wrote:

> Are you sure the database is reachable over the network from the Guacamole
> server? Not blocked by an AWS security group, subnet is in routing tables,
> etc.?
>
> - Mike
>
> On Tue, Oct 23, 2018, 11:57 doyouhas  wrote:
>
>> I have pasted the relevant contents of the catalina.out file to the link
>> below, as in the past some people have complained about code formatting.
>> When I began testing my application, I was actually running a mysql server
>> on an ec2 instance instead of running against an RDS instance. So my
>> database currently is residing in an Aurora serverless cluster. I haven't
>> experienced this exception before. That is the only major differences
>> between my earlier test configurations. I am really stuck here, I have no
>> idea where to begin troubleshooting this issue. Checked the syslog, no
>> relevant messages logged there. I get the classic "blank screen" situation
>> that I have posted about in the past. Any help on this would be greatly
>> appreciated.
>>
>> --Zach
>>
>> http://dpaste.com/0GJ63JE
>>
>>
>>
>>
>> --
>> Sent from:
>> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>>
>



Re: "Communications link failure" Exception being thrown.... Dear god help

2018-10-23 Thread Erik Berndt
MariaDB is a fork of MySQL, so the mysql-auth extension should work the
same as it does with MySQL.

Erik Berndt



On Tue, Oct 23, 2018 at 4:08 PM Zachary Piazza  wrote:

> You don't have to apologize my dude I appreciate any input. Gonna open up
> a aws support ticket and see what they can tell me. How would I use the
> MariaDB connector with guacamole tho? There's no Auth extension for Maria.
>
> On Tue, Oct 23, 2018, 3:04 PM Nick Couchman  wrote:
>
>> On Tue, Oct 23, 2018 at 3:32 PM doyouhas  wrote:
>>
>>> I checked my cloudwatch logs. Nothing relating to this problem was logged
>>> there. And as I stated in my previous post, on the instance where I've
>>> installed guacamole, I installed the mysql client and can connect to the
>>> database fine. I'm thinking it must have something to do with JDBC and
>>> AWS
>>> RDS, bc when I install mysql server on a physical instance, it doesn't
>>> have
>>> this issue. But I'm not pro enough with java to understand this JDBC
>>> failure.
>>>
>>>
>> I'm guessing you're using a recent-ish version of the MySQL driver in
>> your Guacamole instance?  According to Amazon's docs they recommend the
>> MariaDB Connector/J JDBC connector for connecting to Aurora, but I'm
>> guessing MySQL should work fine, too.  Also, looks like Aurora can be set
>> up to use SSL/TLS - is that enabled/required/default on your Aurora
>> instance?
>>
>> Sorry, trying to help but kind of shooting in the dark, here - I agree
>> with the other folks that have responded that it really feels like some
>> sort of network connectivity, firewall, or VDC configuration issue that is
>> blocking the JDBC connection from hitting the Aurora instance.
>>
>> -Nick
>>
>



Re: Blank screen after upgrade to 1.0.0.

2019-01-11 Thread Erik Berndt
> Any other tip?
Having just experienced similar issues after upgrading, try clearing your
browser cache. Otherwise, monitoring your catalina.out as you attempt to
login may prove useful. Seems as if the client is loaded just fine if you
can see the login screen, but it sounds like the JDBC extension is the
source of the login issues.

Erik Berndt / Systems Administrator


On Fri, Jan 11, 2019 at 2:28 PM David Rodriguez  wrote:

> Thanks Nick
>
> I had 3 versions of the jar file in the folder, so just left 1.0.0 jar and
> now I reached the login screen, however doesn't recognize my user and pass.
> Any other tip?
>
> Thanks!
>
> On Fri, Jan 11, 2019 at 20:21, Nick Couchman ()
> wrote:
>
>> On Fri, Jan 11, 2019 at 14:06 David Rodriguez  wrote:
>>
>>> Hi,
>>>
>>> I have tried to upgrade from 0.9.14 to 1.0.0 and something didn't work
>>> as I'm getting a blank screen accessing the login screen.
>>>
>>> In the catalina log file I have seen the below errors, so I assumed this
>>> was something related to the mysql schema.
>>>
>>> ### Error querying database.  Cause:
>>> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column
>>> 'username' in 'field list'
>>> ### The error may exist in
>>> org/apache/guacamole/auth/jdbc/user/UserMapper.xml
>>> ### The error may involve defaultParameterMap
>>> ### The error occurred while setting parameters
>>> ### SQL: SELECT user_id, username,
>>> password_hash, password_salt, password_date,  $
>>> ### Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:
>>> Unknown column 'username' in 'field list'
>>>
>>>
>> This is the result of a mismatch between the database schema and the JDBC
>> extension.  Most likely you upgraded the DB to the 1.0.0 schema but it
>> looks like the old extension is still loaded.  Make sure that you upgrade
>> the JDBC extension file (remove 0.9.14 jar, make sure 1.0.0 jar is on
>> place) and restart Tomcat (or whatever container you're using).
>>
>> -Nick
>>
>



Re: Blank screen after upgrade to 1.0.0.

2019-01-11 Thread Erik Berndt
I have used that script as a general guideline, but never ran it outright
as there are a few particulars in our environment where this wouldn't work.
However, I would recommend downloading the pre-compiled client again and
placing it in your GUAC_HOME directory again to be sure, then restart
Tomcat and Guacd to see what version displays.

Erik Berndt / Systems Administrator



On Fri, Jan 11, 2019 at 2:54 PM David Rodriguez  wrote:

> btw I used the below script to upgrade
>
>
> https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-upgrade.sh
>
> On Fri, Jan 11, 2019 at 20:46, David Rodriguez ()
> wrote:
>
>> OMG I have just seen that the login screen I'm reaching said
>> "0.9.13-incubating" so not sure why it is getting this version instead
>> 1.0.0.
>> Could someone point me in the right direction? I'm really lost
>>
>> Thanks a lot in advance
>>
>> El vie., 11 ene. 2019 a las 20:33, Erik Berndt (<
>> erikber...@superiorpaving.net>) escribió:
>>
>>> > Any other tip?
>>> Having just experienced similar issues after upgrading, try clearing
>>> your browser cache. Otherwise, monitoring your catalina.out as you attempt
>>> to login may prove useful. Seems as if the client is loaded just fine if
>>> you can see the login screen, but it sounds like the JDBC extension is the
>>> source of the login issues.
>>>
>>> Erik Berndt / Systems Administrator
>>>
>>>
>>> On Fri, Jan 11, 2019 at 2:28 PM David Rodriguez 
>>> wrote:
>>>
>>>> Thanks Nick
>>>>
>>>> I had 3 versions of the jar file in the folder, so just left 1.0.0 jar
>>>> and now I reached the login screen, however doesnt recongnize my user and
>>>> pass. Any other tip?
>>>>
>>>> Thanks!
>>>>
>>>> El vie., 11 ene. 2019 a las 20:21, Nick Couchman ()
>>>> escribió:
>>>>
>>>>> On Fri, Jan 11, 2019 at 14:06 David Rodriguez 
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have tried to upgrade from 0.9.14 to 1.0.0 and something didn't
>>>>>> work as I'm getting a blank screen accessing the login screen.
>>>>>>
>>>>>> In the catalina log file I have seen the below errors, so I assumed
>>>>>> this was something related to the mysql schema.
>>>>>>
>>>>>> ### Error querying database.  Cause:
>>>>>> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column
>>>>>> 'username' in 'field list'
>>>>>> ### The error may exist in
>>>>>> org/apache/guacamole/auth/jdbc/user/UserMapper.xml
>>>>>> ### The error may involve defaultParameterMap
>>>>>> ### The error occurred while setting parameters
>>>>>> ### SQL: SELECT user_id,
>>>>>> username, password_hash, password_salt,
>>>>>> password_date,  $
>>>>>> ### Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:
>>>>>> Unknown column 'username' in 'field list'
>>>>>>
>>>>>>
>>>>> This is the result of a mismatch between the database schema and the
>>>>> JDBC extension.  Most likely you upgraded the DB to the 1.0.0 schema but
>>>>> it looks like the old extension is still loaded.  Make sure that you
>>>>> upgrade the JDBC extension file (remove 0.9.14 jar, make sure 1.0.0 jar
>>>>> is in place) and restart Tomcat (or whatever container you're using).
>>>>>
>>>>> -Nick
>>>>>
>>>>
>>> This e-mail and any files transmitted with it are confidential and are
>>> intended solely for the use of the individual or entity to whom they are
>>> addressed.  If you are not the intended recipient or the person responsible
>>> for delivering the e-mail to the intended recipient, be advised that you
>>> have received this e-mail in error and that any use, dissemination,
>>> forwarding, printing or copying of this e-mail is strictly prohibited.  If
>>> you have received this e-mail in error, please immediately notify Superior
>>> Paving Corp. by telephone at (703) 631-0004.  You will be reimbursed for
>>> reasonable costs incurred in notifying us.
>>>
>>
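
The stale-extension situation from this thread (several versions of the same jar in one folder), as a check that can be run before restarting Tomcat. This is an added example, not part of the thread or of the Guacamole project; the function name is hypothetical, and it assumes extension jars are named <name>-<version>.jar and that the extensions directory is passed as the argument.

```shell
#!/usr/bin/env bash
# Added example: list Guacamole extensions that are present in more than
# one version in the same directory (assumed naming: <name>-<version>.jar).

# find_duplicate_extensions DIR
#   Prints "<name>: <version> <version> ..." for every extension that has
#   several versions installed. Returns 1 if any were found, 0 otherwise.
find_duplicate_extensions() {
    local dir=$1 f
    for f in "$dir"/*.jar; do
        [ -e "$f" ] || continue              # glob matched nothing
        printf '%s\n' "${f##*/}"             # file name without the path
    done | LC_ALL=C sort | awk '
        /\.jar$/ {
            base = $0
            sub(/\.jar$/, "", base)
            if (!match(base, /-[0-9]/)) next   # no version suffix: ignore
            name = substr(base, 1, RSTART - 1) # text before "-<digit>"
            ver  = substr(base, RSTART + 1)    # text after the dash
            if (name in vers) vers[name] = vers[name] " " ver
            else              vers[name] = ver
            count[name]++
        }
        END {
            dup = 0
            for (n in count)
                if (count[n] > 1) { print n ": " vers[n]; dup = 1 }
            exit dup
        }'
}

# Stand-alone use: pass the extensions directory as the first argument.
if [ "$#" -gt 0 ]; then
    find_duplicate_extensions "$1"
fi
```

A non-zero return means at least one extension has leftover versions to remove before the restart.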


Re: Dumb LDAP Properties Question

2019-01-11 Thread Erik Berndt
> Put another way, is there any reason to have the DC entries be different
> on those 3 lines.
I can't think of any reason how/why they could be different. What are you
trying to accomplish or what issue are you running into?

>is it safe to assume that "mydomain" will be the same across all 3 lines
Yes.

Erik Berndt / Systems Administrator



On Fri, Jan 11, 2019 at 3:59 PM Zer0Cool  wrote:

> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in
> guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts
> in italics could be/should be different than the other entries in red (line
> to line)?
>
> Put another way, is there any reason to have the DC entries be different on
> those 3 lines or is it safe to assume that "mydomain" will be the same
> across all 3 lines?
>
> Sorry for the silly question. Thanks
>
>
>
> --
> Sent from:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>



Login failed

2019-09-16 Thread Erik Berndt
We're using guacamole 1.0.0 with Apache/MySQL in a Windows AD environment
and recently every user account is receiving an Invalid Login error when
trying to login. Not really sure what precipitated this, but all I'm seeing
in the Tomcat logs is

>Authentication attempt for from [...] for user "..." failed.

The guacamole service account can login to RDP just fine, so I'm inclined
to think the issue is on the Guacamole side, but I'm not sure. Does anyone
have any suggestions or idea what could cause this?

Erik Berndt / Systems Administrator



Re: force complete logout every time

2020-04-14 Thread Erik Berndt
[image: image.png]

These are the group policy settings for our RDP server and they work quite
well at cleaning up disconnected (but not logged off) sessions.

Erik Berndt / Systems Administrator


On Tue, Apr 14, 2020 at 3:33 PM Joseph Szabo  wrote:

> Logout.  No disconnected sessions.
>
> Joseph Szabo
> CSS Lab Technical Services
> NBCS Lab Team
> System Administrator
> Rutgers University
>
>
> --
> *From:* sciUser 
> *Sent:* Tuesday, April 14, 2020 3:31 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: force complete logout every time
>
> Do you want LOGOUT or do you want fresh new session?
>
>
>
>
> -
> A Cybersecurity Enablement Company
> We don't just run you through the motions, Our labs teach you how to
> think!
> Known good Guacamole  installations
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>



Users authenticating but unable to login to RDP Server

2020-08-14 Thread Erik Berndt
Hello,

We are suddenly faced with users who are able to authenticate against the
Guacamole server, but the connection isn't being passed through to the
Windows RDP server.

Relevant lines from catalina.out show

10:18:13.490 [http-nio-8080-exec-3] INFO
 o.a.g.r.auth.AuthenticationService - User "[redacted] successfully
authenticated from [redacted, redacted, 0:0:0:0:0:0:0:1].

After authentication, they receive a connection error message stating that
the connection has been closed because the server is taking too long to
respond...

The users have no issue logging into the Windows RDP server natively and
there are no firewall rules in place that would prevent this (that I'm
aware of).

We're using v1.00. Does anyone have any guesses as to what could be
causing this?

Thanks!

Erik Berndt



Re: Users authenticating but unable to login to RDP Server

2020-08-17 Thread Erik Berndt
It's Ubuntu 16.04. This is the output of journalctl -u guacd.service -f

Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: All supported devices sent.
Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 0 (Guacamole Printer) connected successfully
Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 1 (Guacamole Filesystem) connected successfully
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: User is not responding.
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: User "@762ba9a6-9e8e-492f-94e8-d1fcf35a3978" disconnected (0 users remain)
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: Last user of connection "$c84cc536-2af8-4859-be05-3d3fed46baaf" disconnected
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: Unloading device 0 (Guacamole Printer)
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: Unloading device 1 (Guacamole Filesystem)
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: Internal RDP client disconnected
Aug 17 08:26:33 www.superiorpaving.net guacd[15382]: Connection "$c84cc536-2af8-4859-be05-3d3fed46baaf" removed.


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
https://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net


On Mon, Aug 17, 2020 at 11:21 AM Nick Couchman  wrote:

> On Mon, Aug 17, 2020 at 8:31 AM Erik Berndt-2
>  wrote:
>
>> Ghost_Knight wrote
>>
>>
>> guacd is running, but I don't see any output related to guacd under
>> syslog.
>> Is there somewhere else I could look?
>>
>>
> It really depends on your Linux distribution and how you have it
> installed.  The most common configurations are /var/log/messages and
> "journalctl".  However, if you're running in Docker, you'll need to get the
> container logs, which should contain the output.
>
> -Nick
>



Re: Users authenticating but unable to login to RDP Server

2020-08-21 Thread Erik Berndt
> Any network changes, security software, firewalls - anything like that
> between the browsers and the Guacamole Client (Tomcat) server, or between
> Tomcat and guacd?

No, both are running on the same server, so as far as I can tell
connectivity isn't an issue. The behavior occurs across different browsers
(Edge, Chrome, Firefox) and systems running AV or not.

Erik Berndt / Systems Administrator

On Fri, Aug 21, 2020 at 8:06 AM Nick Couchman  wrote:

> On Mon, Aug 17, 2020 at 11:45 AM Erik Berndt
>  wrote:
>
>> It's Ubuntu 16.04. This is the output of journalctl -u guacd.service -f
>>
>> Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: All supported
>> devices sent.
>> Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 0 (Guacamole
>> Printer) connected successfully
>> Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 1 (Guacamole
>> Filesystem) connected successfully
>> Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: User is not
>> responding.
>>
>
> This seems to be the issue, here, though it's not really clear why this is
> happening.  Not sure if it's a communication issue between the Tomcat
> process and guacd, or between the browsers and Tomcat, but something is
> causing guacd to give up because it isn't receiving any updates from the
> client.
>
> Any network changes, security software, firewalls - anything like that
> between the browsers and the Guacamole Client (Tomcat) server, or between
> Tomcat and guacd?
>
> -Nick
>
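
The "User is not responding" pattern discussed in this thread, as a filter over guacd journal output that reports how long each guacd process had logged nothing before it gave up. This is an added example, not part of the thread or of the Guacamole project; the function names are hypothetical, the sample lines are the journal excerpt quoted above with the e-mail line wraps undone, and syslog-style lines (month, day, time, host, guacd[PID]:) are assumed.

```shell
#!/usr/bin/env bash
# Added example: measure the silence that precedes guacd giving up on a user.

# Journal excerpt from the thread, line wraps undone.
sample_journal() {
    cat <<'EOF'
Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: All supported devices sent.
Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 0 (Guacamole Printer) connected successfully
Aug 17 08:22:38 www.superiorpaving.net guacd[15410]: Device 1 (Guacamole Filesystem) connected successfully
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: User is not responding.
Aug 17 08:26:33 www.superiorpaving.net guacd[15410]: Internal RDP client disconnected
Aug 17 08:26:33 www.superiorpaving.net guacd[15382]: Connection "$c84cc536-2af8-4859-be05-3d3fed46baaf" removed.
EOF
}

# guacd_silent_gaps: read guacd log lines on stdin and print, for every
# "User is not responding." line, the PID, the time of the previous line
# logged by that PID, the time guacd gave up, and the seconds in between.
guacd_silent_gaps() {
    awk '
    # HH:MM:SS -> seconds since midnight
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    $5 !~ /^guacd\[[0-9]+\]:$/ { next }          # not a guacd line
    {
        pid = substr($5, 7, length($5) - 8)      # digits inside guacd[...]:
        if ($0 ~ /User is not responding\.$/ && (pid in last)) {
            gap = secs($3) - secs(last[pid])
            if (gap < 0) gap += 86400            # log crossed midnight
            printf "pid=%s last_activity=%s gave_up=%s silent_for=%ds\n",
                   pid, last[pid], $3, gap
        }
        last[pid] = $3                           # newest line seen for this PID
    }'
}

# Stand-alone use: pass a saved journal file, or run with no argument to
# process the embedded sample.
if [ "$#" -gt 0 ]; then
    guacd_silent_gaps < "$1"
else
    sample_journal | guacd_silent_gaps
fi
```

On a live host the same function can read from journalctl -u guacd.service; the gap it prints is a starting point for comparing against timeouts of anything sitting between the browser, Tomcat and guacd.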



Re: Users authenticating but unable to login to RDP Server

2020-08-17 Thread Erik Berndt-2
Ghost_Knight wrote
> In addition to Nick’s comment, what parameters are set for the RDP
> connection in the Web UI?  Mainly looking at the username/password fields.
> 
> The RDP connection is using NLA with ${GUAC_USERNAME} and ${GUAC_PASSWORD}
> for the username/password fields. There is no change here and this was
> working previously. I did notice that the unsuccessful connections are
> logged under the admin console as successful (albeit for 0:00 seconds :)
> 
> On Sun, Aug 16, 2020 at 7:57 PM Nick Couchman <vnick@> wrote:
>
>> On Fri, Aug 14, 2020 at 10:25 AM Erik Berndt <erikberndt@.net> wrote:
>>
>>> Hello,
>>>
>>> We are suddenly faced with users who are able to authenticate against
>>> the Guacamole server, but the connection isn't being passed through to
>>> the Windows RDP server.
>>>
>>> Relevant lines from catalina.out show
>>>
>>> 10:18:13.490 [http-nio-8080-exec-3] INFO
>>>  o.a.g.r.auth.AuthenticationService - User "[redacted] successfully
>>> authenticated from [redacted, redacted, 0:0:0:0:0:0:0:1].
>>>
>>> After authentication, they receive a connection error message stating
>>> that the connection has been closed because the server is taking too
>>> long to respond...
>>>
>>> The users have no issue logging into the Windows RDP server natively and
>>> there are no firewall rules in place that would prevent this (that I'm
>>> aware of).
>>>
>>> We're using v1.00. Does anyone have any guesses as to what could be
>>> causing this?
>>>
>>>
>> I'd say the first thing to check is to make sure guacd is actually
>> running.  If users can log in to the Web interface, then Tomcat is
>> running,
>> but guacd might be stopped/dead and that could cause the issue you're
>> seeing.
>>
>> Beyond that, look at the log output of guacd (generally logged to syslog)
>> and see what errors are showing up there.
>>
>> -Nick
>>
>>
>>


vnick wrote
> On Fri, Aug 14, 2020 at 10:25 AM Erik Berndt <erikberndt@.net> wrote:
> 
>> Hello,
>>
>> We are suddenly faced with users who are able to authenticate against the
>> Guacamole server, but the connection isn't being passed through to the
>> Windows RDP server.
>>
>> Relevant lines from catalina.out show
>>
>> 10:18:13.490 [http-nio-8080-exec-3] INFO
>>  o.a.g.r.auth.AuthenticationService - User "[redacted] successfully
>> authenticated from [redacted, redacted, 0:0:0:0:0:0:0:1].
>>
>> After authentication, they receive a connection error message stating
>> that the connection has been closed because the server is taking too
>> long to respond...
>>
>> The users have no issue logging into the Windows RDP server natively and
>> there are no firewall rules in place that would prevent this (that I'm
>> aware of).
>>
>> We're using v1.00. Does anyone have any guesses as to what could be
>> causing this?
>>
>>
> I'd say the first thing to check is to make sure guacd is actually
> running.  If users can log in to the Web interface, then Tomcat is
> running,
> but guacd might be stopped/dead and that could cause the issue you're
> seeing.
> 
> Beyond that, look at the log output of guacd (generally logged to syslog)
> and see what errors are showing up there.
> 
> -Nick

guacd is running, but I don't see any output related to guacd under syslog.
Is there somewhere else I could look?


