Re: Can guacamole (or freerdp) detect if someone is logged into the console (locally)?

2024-05-22 Thread Hankins, Jonathan
Not sure if/how FreeRDP handles this but here is some context about changes
from Windows Server 2003 to 2008 (RDC 6.1):
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/changes-to-remote-administration-in-windows-server-2008/ba-p/246577

On a Desktop OS (Windows 11), this is what I see:

Connecting through Guacamole via RDP as the SAME user I have logged into
the console "steals" the session that was on the console, regardless of the
"Administrator console" setting on the connection in Guacamole.

Connecting through Guacamole via RDP as a DIFFERENT user I have logged into
the console asks me if I want to disconnect them, and when I choose Yes,
asks them (on the console) if they want to be disconnected with a 30s
countdown, regardless of the "Administrator console" setting on the
connection in Guacamole.

On a server OS (Windows Server 2022) with RDS role, this is what I see:

(FWIW, I do have "Restrict Remote Desktop Services users to a single Remote
Desktop Services session" enabled in my group policy for my terminal
servers.)

Connecting through Guacamole via RDP as the SAME user I have logged into
the console "steals" the session that was on the console, regardless of the
"Administrator console" setting on the connection in Guacamole.

Connecting through Guacamole via RDP as a DIFFERENT user I have logged into
the console does NOT affect the session on the console, regardless of the
"Administrator console" setting on the connection in Guacamole.



On Wed, May 22, 2024 at 12:42 PM Barnhart, Steven 
wrote:

> We have a scenario where a lab may be used in person, but we also want it
> to be available remotely through guacamole. I know Guacamole doesn’t handle
> that right now (or seemingly), but is it even possible or does the RDP
> protocol not expose that at all?
>
>
>
> *Steven T. Barnhart*
>
> Solutions Engineer
> *The Ohio State University*
> OTDI Research Technology and Infrastructure
> (614) 688-1013 Office
>
>
>


Re: Issue with load balancing not going past down server

2024-03-25 Thread Hankins, Jonathan
I am using the "stick-table", "stick on rdp_cookie(...)" and
"external-check" directives in my haproxy.cfg, along with the check_x224
nagios plugin (from exchange.nagios.org; you can just do a basic TCP port
3389 connectivity check with the "tcp-check" directive, too) to accomplish
this.




On Fri, Mar 22, 2024 at 2:36 PM Barnhart, Steven 
wrote:

> Could you provide some info on that setup? Would love to hear more.
>
> –Steve
> --
> *From:* Hankins, Jonathan 
> *Sent:* Friday, March 22, 2024 3:33:42 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: Issue with load balancing not going past down server
>
> I don't think that Guacamole load balancing does any housekeeping with
> regard to the status of the systems behind the connections it's balancing
> across. I think it just keeps track of number of active connections / which
> users (session affinity) are connected to each connection and then uses
> that information to choose which one to hand a user to when they connect.
>
> I use haproxy behind Guacamole to balance across RDP servers, with
> connectivity checks/steering disconnected users back to their correct
> server, etc.
>
> On Fri, Mar 22, 2024 at 11:30 AM Barnhart, Steven 
> wrote:
>
> Anyone have any info on why this could be happening? Or have I assumed
> incorrectly that load balancing will try other ones when a server
> doesn’t respond?
>
> –Steve
> --
> *From:* Barnhart, Steven 
> *Sent:* Tuesday, March 19, 2024 7:12:03 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: Issue with load balancing not going past down server
>
> Hi, thanks for the reply.
>
>
>
> I am running in docker and mysql/ldap authenticated, version 1.5.1. The
> log doesn’t seem to show much aside from the one connection and disconnect,
> when it really should show multiple. I assume it worked before, but maybe it
> just needed the “right” machines to be down, I am not sure. I’ve always had
> mixed reports with the load balancing, but never was able to reproduce or
> see it myself.
>
>
>
>
>
> --Steve
>
>
>
> *From: *Ivanmarcus 
> *Date: *Tuesday, March 19, 2024 at 3:44 PM
> *To: *user@guacamole.apache.org 
> *Subject: *Re: Issue with load balancing not going past down server
>
>
>
> Steven,
>
> It would help people to assist you if you were able to post some detail
> on your setup including the OS in use, how you've got Guacamole
> installed, and in particular log data around when you have the issue.
>
> I don't run load balancing myself, so it probably won't be me responding
> when you post the above information, however in general the message you
> have commonly appears when there's a network or connection mismatch
> issue. It *may* also occur in some installations using 1.5.4, so it
> would also be useful to know if you had a previously working install,
> with the issue occurring since you upgraded?
>
> On 20/03/24 07:07, Barnhart, Steven wrote:
> > I keep getting angry users because users receive the following message
> > [A screenshot of a computer  Description automatically generated]
> >
> > This is machine 02 of about 20. Confirm the settings are set to
> > balancing.
> > [A screenshot of a login form  Description automatically generated]
> >
> > But many users (including me testing as my admin account) only connect
> > to 2 and get the timeout. It doesn’t try any other servers. I tried (as you
> > see above), to turn off session affinity. What is going on?
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>


Re: Issue with load balancing not going past down server

2024-03-22 Thread Hankins, Jonathan
I don't think that Guacamole load balancing does any housekeeping with
regard to the status of the systems behind the connections it's balancing
across. I think it just keeps track of number of active connections / which
users (session affinity) are connected to each connection and then uses
that information to choose which one to hand a user to when they connect.

I use haproxy behind Guacamole to balance across RDP servers, with
connectivity checks/steering disconnected users back to their correct
server, etc.

On Fri, Mar 22, 2024 at 11:30 AM Barnhart, Steven 
wrote:

> Anyone have any info on why this could be happening? Or have I assumed
> incorrectly that load balancing will try other ones when a server
> doesn’t respond?
>
> –Steve
> --
> *From:* Barnhart, Steven 
> *Sent:* Tuesday, March 19, 2024 7:12:03 PM
> *To:* user@guacamole.apache.org 
> *Subject:* Re: Issue with load balancing not going past down server
>
> Hi, thanks for the reply.
>
>
>
> I am running in docker and mysql/ldap authenticated, version 1.5.1. The
> log doesn’t seem to show much aside from the one connection and disconnect,
> when it really should show multiple. I assume it worked before, but maybe it
> just needed the “right” machines to be down, I am not sure. I’ve always had
> mixed reports with the load balancing, but never was able to reproduce or
> see it myself.
>
>
>
>
>
> --Steve
>
>
>
> *From: *Ivanmarcus 
> *Date: *Tuesday, March 19, 2024 at 3:44 PM
> *To: *user@guacamole.apache.org 
> *Subject: *Re: Issue with load balancing not going past down server
>
>
>
> Steven,
>
> It would help people to assist you if you were able to post some detail
> on your setup including the OS in use, how you've got Guacamole
> installed, and in particular log data around when you have the issue.
>
> I don't run load balancing myself, so it probably won't be me responding
> when you post the above information, however in general the message you
> have commonly appears when there's a network or connection mismatch
> issue. It *may* also occur in some installations using 1.5.4, so it
> would also be useful to know if you had a previously working install,
> with the issue occurring since you upgraded?
>
> On 20/03/24 07:07, Barnhart, Steven wrote:
> > I keep getting angry users because users receive the following message
> > [A screenshot of a computer  Description automatically generated]
> >
> > This is machine 02 of about 20. Confirm the settings are set to
> > balancing.
> > [A screenshot of a login form  Description automatically generated]
> >
> > But many users (including me testing as my admin account) only connect
> > to 2 and get the timeout. It doesn’t try any other servers. I tried (as you
> > see above), to turn off session affinity. What is going on?
>
>


Re: RDP / Load Balancing

2024-02-22 Thread Hankins, Jonathan
I understand that you don't want to use anything external to Guacamole, but
for anyone else stumbling on this discussion, I wanted to add that I use
haproxy for RDP load balancing behind Guacamole. It has the extra
functionalities of 1) connectivity test to avoid balancing a user onto a
non-functional RDP server and 2) reconnecting a user with a disconnected
RDP session back to the server their session is on, even if they have
logged out of Guacamole in the interim. I am using the "stick-table",
"stick on rdp_cookie(...)" and "external-check" directives in my
haproxy.cfg, along with the check_x224 nagios plugin (from
exchange.nagios.org; you can just do a basic TCP port 3389 connectivity
check with the "tcp-check" directive, too) to accomplish this.

On Thu, Feb 22, 2024 at 10:58 AM Brad Turnbough <
bturnbo...@backlundinvestment.com> wrote:

> This is exactly what I’m looking for.  Thank you for your help.
>
>
>
>
>
>
>
> Thank you,
>
> *Brad Turnbough*
> Senior Technology Analyst
>
>
>
> P: 309.272.2739 F: 309.272.2839
>
> www.betterbanks.com
> www.statestreetbank.com
>
>
>
> *From:* MAURIZI Lorenzo 
> *Sent:* Thursday, February 22, 2024 9:48 AM
> *To:* user@guacamole.apache.org
> *Subject:* R: RDP / Load Balancing
>
>
>
> In documentation, I can find this page
>
>
>
>
> https://guacamole.apache.org/doc/gug/administration.html#connection-organization-and-balancing
>
>
>
> See if it helps!
>
> Regards.
>
> Lorenzo
>
>
>
> *From:* Brad Turnbough 
> *Sent:* Thursday, February 22, 2024 16:38
> *To:* user@guacamole.apache.org
> *Subject:* RE: RDP / Load Balancing
>
>
>
> I’ve been digging, but I’ve been unable to locate documentation around
> this feature and how to implement it.
>
>
>
> Basically, I have four windows 10 boxes that need to be ‘load balanced’
> via guacamole using ‘connection pooling’.
>
>
>
> To be clear, we don’t use / want to implement a connection broker.  We
> want to solely rely on Guac’s ability to determine session utilization on
> each of those four boxes and balance connections out from there.
>
>
>
> Searches here: https://guacamole.apache.org/doc/gug/index.html for
> ‘connection pooling’ or even ‘pool’ and ‘load balance’ and ‘balance’ have
> yielded zero useful results.
>
>
>
>
>
> Thank you.
>
>
>
>
>
> *From:* Barnhart, Steven 
> *Sent:* Friday, January 26, 2024 8:59 AM
> *To:*user@guacamole.apache.org
> *Subject:* Re: RDP / Load Balancing
>
>
>
> Depends what you’re looking for. There is connection pooling, which can
> load balance across a group of RDP connections and there is some
> persistence built-in. You can also set a max concurrent connections as well.
>
>
>
> --Steve
>
>
>
> *From: *Brad Turnbough 
> *Date: *Friday, January 26, 2024 at 9:53 AM
> *To: *user@guacamole.apache.org 
> *Subject: *RDP / Load Balancing
>
> I know RDP in general has a connection broker for load balancing / session
> persistence, but I have to ask… Does Guacamole do something like this as
> well, since it has basically a database of who is logged into what sessions
> on what machine?
>
>
>
>
>
>
>
>
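
A minimal haproxy.cfg showing how the directives named in this post and in the 2024-03-25 reply above fit together. This is an added example, not the poster's configuration: the addresses, server names, timeouts, the `mstshash` cookie name (the post elides the argument to `rdp_cookie`) and the `/usr/local/bin/rdp-check.sh` wrapper path are assumptions.

```haproxy
# Added example. All addresses, names, paths and timeouts are constructed
# placeholders; adjust them to the environment.

global
    # "external-check command" is refused unless this is set; it is off by
    # default as a precaution because HAProxy will fork and run a script.
    external-check
    # Newer HAProxy releases also block forking after startup unless this
    # is enabled, which makes external checks fail without it.
    insecure-fork-wanted

defaults
    mode tcp
    timeout connect 5s
    # RDP sessions are long-lived; short client/server timeouts cut them off.
    timeout client  12h
    timeout server  12h

# The Guacamole connection points at this listener instead of at an
# individual RDP host.
listen rdp_pool
    bind 192.0.2.10:3389
    balance leastconn

    # Hold the connection until the first RDP packet arrives so the cookie
    # in the connection request can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE

    # Remember which server each cookie value was sent to. A user coming
    # back to a disconnected session is steered to the same server, even
    # after logging out of Guacamole in between.
    # Assumption: the client sends the standard "mstshash" cookie.
    stick-table type string len 32 size 10k expire 12h
    stick on rdp_cookie(mstshash)

    # Health check, option 1: run a script for every server. HAProxy calls
    # it with <proxy_addr> <proxy_port> <server_addr> <server_port>; a
    # non-zero exit status marks the server down. The wrapper path is
    # hypothetical; it would translate those arguments into a call to the
    # check plugin.
    option external-check
    external-check path "/usr/bin:/bin"
    external-check command /usr/local/bin/rdp-check.sh

    # Health check, option 2 (use instead of the three lines above): a
    # plain TCP connect to the RDP port, with no script execution.
    # option tcp-check
    # tcp-check connect

    default-server inter 10s fall 3 rise 2
    server rdp01 192.0.2.21:3389 check
    server rdp02 192.0.2.22:3389 check
```

The plain `tcp-check` variant only proves that port 3389 accepts connections, while the external check can verify that the RDP service actually answers, at the cost of letting HAProxy execute a script.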


Re: Enabling Audio and/or Drive Breaks RDP

2022-10-25 Thread Hankins, Jonathan
FWIW, a few years ago I had a strange crash that was happening with RDP
audio enabled. It turned out that I had some leftover files from a
different version of FreeRDP that were getting loaded when audio was
enabled. Check your ldconfig output and make sure everything looks sane.

On Tue, Oct 25, 2022 at 9:41 AM Nick Couchman  wrote:

>
>
> On Fri, Oct 21, 2022 at 3:30 PM Dylan Francis 
> wrote:
>
>> The logs generated from my most recent connection attempt are below.
>> It is now creating the user folder within /etc/guacamole/share after I
>> updated the web ui to /etc/guacamole/share/${GUAC_USERNAME}
>> There is no guacd user on the machine, if that makes a difference.
>> I have included the Device Redirection section below as well, if that is
>> beneficial.
>>
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: Creating new client for
>> protocol "rdp"
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[213659]:
>> INFO:#011Creating new client for protocol "rdp"
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[213659]:
>> INFO:#011Connection ID is "$d3aef13c-823d-4130-a36f-f73deaf10e4f"
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: Connection ID is
>> "$d3aef13c-823d-4130-a36f-f73deaf10e4f"
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: FreeRDP initialization may
>> fail: The current user's home directory ("/usr/sbin") is not writable, but
>> FreeRDP generally requires a writable home directory for storage of
>> configuration files and certificates.
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> WARNING:#011FreeRDP initialization may fail: The current user's home
>> directory ("/usr/sbin") is not writable, but FreeRDP generally requires a
>> writable home directory for storage of configuration files and certificates.
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: Security mode: Negotiate
>> (ANY)
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: Resize method: none
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> INFO:#011Security mode: Negotiate (ANY)
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> INFO:#011Resize method: none
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]: INFO:#011No
>> clipboard line-ending normalization specified. Defaulting to preserving the
>> format of all line endings.
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]: INFO:#011User
>> "@b14b5698-04ab-4338-9c54-65a92699028d" joined connection
>> "$d3aef13c-823d-4130-a36f-f73deaf10e4f" (1 users now present)
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: No clipboard line-ending
>> normalization specified. Defaulting to preserving the format of all line
>> endings.
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: User
>> "@b14b5698-04ab-4338-9c54-65a92699028d" joined connection
>> "$d3aef13c-823d-4130-a36f-f73deaf10e4f" (1 users now present)
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: Loading keymap "base"
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: Loading keymap "en-us-qwerty"
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> INFO:#011Loading keymap "base"
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> INFO:#011Loading keymap "en-us-qwerty"
>> Oct 21 19:23:21 n114-251-182 guacd[1798243]: Connected to RDPDR 1.13 as
>> client 0x0003
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: guacd[1798243]:
>> INFO:#011Connected to RDPDR 1.13 as client 0x0003
>> Oct 21 19:23:21 n114-251-182 guacd[213659]: free(): double free detected
>> in tcache 2
>> Oct 21 19:23:21 n114-251-182 coredump_handler: coredump argv[3] is
>> !usr!local!sbin!guacd
>> Oct 21 19:23:22 n114-251-182 guacd[213659]: Connection
>> "$d3aef13c-823d-4130-a36f-f73deaf10e4f" removed.
>> Oct 21 19:23:22 n114-251-182 guacd[213659]: guacd[213659]:
>> INFO:#011Connection "$d3aef13c-823d-4130-a36f-f73deaf10e4f" removed.
>>
>>
> Two things stand out to me, here:
> * First, you might want to fix the issue with the writable home directory
> for the user running guacd. I would recommend just creating a guacd account
> with a normal home directory and switching the service over to run under
> that account so that FreeRDP can write out the server fingerprints.
> * This is likely causing the issues you're seeing:
>
> Oct 21 19:23:21 n114-251-182 guacd[213659]: free(): double free detected
> in tcache 2
> Oct 21 19:23:21 n114-251-182 coredump_handler: coredump argv[3] is
> !usr!local!sbin!guacd
>
> If you could locate this core dump and provide the output, that would help
> in tracking it down. It's possible this has already been resolved in the
> git version of the code, but it would be good to verify the exact location
> of that and make sure that it has actually been resolved.
>
> -Nick
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548

-- 
This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message 

Re: Unable to allocate PTY, possible bug

2022-04-05 Thread Hankins, Jonathan
Doubt this is helpful, but I looked at your Cisco-Device-Log file where it
complains about various term types. What happens if you set the term type
to vt100 in the guacamole connection settings?

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-0/system-security/configuration/guide/b-system-security-cg-asr9000-70x/b-system-security-cg-asr9000-70x_chapter_01001.html

> Use of a terminal type other than vt100 is unsupported, and the software
> generates a warning message in this case.


On Fri, Apr 1, 2022 at 1:34 AM Amartya Thorat <
amartya.tho...@logicmonitor.com> wrote:

> Hi All
> I am facing same issue for CISCO-IOS XR  DEVICE
> Can we get more help on this
>
> Attaching device ssh logs
>
>
> Thanks !
> Amartya Thorat
>
>
> On 2021/04/06 13:08:32 Yaroslav Nikonorov wrote:
> > Hi There,
> > When connect to Cisco-IOS-XRv-9000 by ssh guacd failed with "Unable to
> > allocate PTY" error.
> > As it is critical for us, I played around and found that guacd failed on
> > PTY request "libssh2_channel_request_pty()".
> > After some debugging on guacd and libssh2 I found that request is sent
> > successfully, but it failed on receiving specific packet type.
> > I created the below patch for  guacd, added warning instead of
> > "guac_client_abort()" and it worked.
> >
> > Currently we are using custom builds, but it would be great to add the
> > fix to the code base to avoid such cases.
> > Can you help me with the solution?
> > Thanks.
> >
> >
> > From d5c0e7aa4c38db04d0bf7adb817ca9f392c7f619 Mon Sep 17 00:00:00 2001
> > From: Yaroslav 
> > Date: Fri, 2 Apr 2021 07:05:20 +
> > Subject: [PATCH] Continue execution if PTY request failed
> >
> > ---
> >  src/protocols/ssh/ssh.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/src/protocols/ssh/ssh.c b/src/protocols/ssh/ssh.c
> > index 81fb0855..e7f9eeb0 100644
> > --- a/src/protocols/ssh/ssh.c
> > +++ b/src/protocols/ssh/ssh.c
> > @@ -368,8 +368,7 @@ void* ssh_client_thread(void* data) {
> >  settings->terminal_type, strlen(settings->terminal_type),
> >  ssh_ttymodes, ttymodeBytes, ssh_client->term->term_width,
> >  ssh_client->term->term_height, 0, 0)) {
> > -guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR,
> > "Unable to allocate PTY.");
> > -return NULL;
> > +guac_client_log(client, GUAC_LOG_WARNING, "Unable to allocate
> > PTY.");
> >  }
> >
> >  /* Forward specified locale */
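
Review bot: In the `if` body of the PTY request, dropping both `guac_client_abort(...)` and `return NULL;` makes every PTY allocation failure non-fatal for every SSH server, not only the device that prompted the change, and the thread then continues to "Forward specified locale" as if a terminal had been allocated. Consider keeping the abort as the default and making the continue-without-PTY path opt-in per connection, and capture the return value of the request so the warning can report it, since "Unable to allocate PTY." alone does not distinguish a refused request from a transport error. The added `guac_client_log(...)` line is also wrapped mid-string by the mail client ("Unable to allocate" / "PTY."), so the patch will not apply as posted.
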
> > --
> > 2.20.1
> >
> >
> >



-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548

-- 
This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message and its 
attachments are prohibited. Please notify the sender of this error 
immediately by reply e-mail, and permanently delete this message and its 
attachments in any form in which they may have been preserved.


Re: How To have multiple LDAP servers?

2022-03-23 Thread Hankins, Jonathan
Jim,

What LDAP server are you using? Are you wanting multiple LDAP servers for
fault-tolerance / load balancing? If you are using AD LDAP, you can use the
DNS name of the domain instead of individual DCs and you will get DNS round
robin. I am not sure how the LDAP library that Guacamole uses handles this,
and I don't know if it has any logic to, e.g., try the 2nd IP if the first
one doesn't respond. You could probably also handle this kind of situation
with a load balancer (like haproxy) in front of your LDAP.

If you are trying to authenticate against multiple, different LDAP domains
(i.e., users in domain 1 OR users in domain 2), that'd be up to guacamole
to support, and I don't see anything indicating that in the documentation.

If you are in an AD situation where you have multiple domains all in one
forest and want to query across the forest, you can do that by querying the
Global Catalog port instead of the normal LDAP port, and enabling following
of referrals, I think. Your search filter would have to be permissive
enough to work for both domains, but not over-match, since you only get one
search filter.

Good luck!

On Tue, Mar 22, 2022 at 6:53 AM Jim Rx  wrote:

> We came upon this requirement yesterday -- how do I configure
> guacamole.properties so that there are multiple LDAP servers available to
> query? Can I simply have more than one ldap-hostname entries?
>
> Thanks
>
> Jim



-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: source code changes to disable guac's auto-reconnect after vnc idle timeout?

2022-03-14 Thread Hankins, Jonathan
Tushar,

I had a bug filed for a similar issue with RDP session termination code:
https://issues.apache.org/jira/browse/GUACAMOLE-484. Not sure if that gives
you any insight.

As far as your question 5, if you change part of guacd you'd need to
recompile and restart guacd. If the change is in the Guacamole client,
you'd need to rebuild and replace guacamole.war and restart your
servlet (tomcat or whatever). The changes in the pull request where they
addressed my bug were all in guacd from what I can tell.



On Mon, Mar 14, 2022 at 1:38 PM Tushar Sheth  wrote:

> Hey all- I've done some digging since my last post about this. Would be
> grateful for your direction. Happy also to pay for anyone's time if that's
> an option.
>
> Apologies for this long post. We desperately need some help to get things
> going for an early customer we just scored.
>
> Problem:
> -->We have an idle timeout (15 mins) working via tigervnc server. The
> problem is, guacamole then automatically reconnects, which we want to
> disable.
>
> Setup:
> -->Guac: ubuntu 20.04 (on GCP) + guac 1.4.0 & guac-client built from
> source + tomcat9 + nginx reverse proxy & ssl + mysql auth
> -->VM: vnc connection using tigervnc server to Kali Linux (on GCP)
>
> Some solution ideas/questions (with contextual info):
>
> 1. Here
> 
> is a screenshot of the auto reconnect dialogue box that pops up after the
> VNC server does the idle timeout
>
> 2. The dialogue box language matches up with ERROR_CLIENT_203
> 
> in the guacamole-client source code
>
> 3. Client error code 203 is designated as one of the error codes that
> triggers an auto reconnect in guacClientNotification.js
> 
>
> 4. Could I disable the reconnect simply by commenting out line 95 in
> guacClientNotification.js? (I get that this is not a recommended way to do
> it)
>
> 5. If I do that, can I activate the change simply by restarting guacd or
> do I need to make the change in source and then reinstall guacamole-client?
>
> 6. If modifying guacClientNotification.js is not the way, then what do I
> need to modify to accomplish my goal?
>
> 7. I've seen past listserv messages explaining that GUACAMOLE-208
>  might have intended
> to address this, so perhaps that didn't fully work and guacamole is still
> not categorizing idle timeout under the proper error code (or maybe it's
> fixed for rdp but not vnc). However, that seems like a big lift to sort out
> quickly- I would really welcome a quick hacky solution even if it isn't
> ideal. Even a way to disable auto-reconnect across the board would be fine
> for now.
>
> 7. Is your ideal rec to do this via an extension? If yes, any pointers to
> get us started? I've read the documentation, but I don't understand how we
> could use an extension to override the auto-reconnect trigger.
>
> Thank you!!
>
> Tushar
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: libguac.so.20 not found

2022-02-26 Thread Hankins, Jonathan
FWIW I have had to run ldconfig to update the linker cache after upgrades
before. That would be related to "guacd[777]: Starting guacd:
/usr/local/sbin/guacd: error while loading shared libraries:
libguac.so.20: cannot open shared object file: No such file or
directory", but the updatedb would fix the stale locate database, which
(should be) totally unrelated.
It looks like some systems' systemd has a ldconfig.service -- maybe that is
the case on your system and it ran ldconfig in the background while you
were troubleshooting and resolved the linker issue.


On Sat, Feb 26, 2022 at 4:14 AM Tuomas Kaijanen 
wrote:

> Replying to myself. There was something strange in my OS. I did run
> "updatedb" and everything started to work just fine.
>
> Regards
>
> - Tuomas
>
> On 2022-02-26 11:53, Tuomas Kaijanen wrote:
> > Hi
> >
> > I am moving from Guacamole Server 1.3 to 1.4 in Ubuntu 18.04.6 LTS.
> >
> > Building from latest 1.4.0 version goes without errors, but Guacd won't
> > start
> >
> > systemd[1]: Starting LSB: Guacamole proxy daemon...
> > guacd[777]: Starting guacd: /usr/local/sbin/guacd: error while loading
> > shared libraries: libguac.so.20: cannot open shared object file: No
> > such file or directory
> > guacd[777]: FAIL
> >
> > The reason is quite obvious libguac.so.20 does not get generated.
> >
> > root@mole:/# locate libguac.so.20
> > root@mole:/# locate libguac.so.19
> > /usr/local/lib/libguac.so.19
> >
> > What could be the problem here?
> >
> > Regards
> >
> > - Tuomas
>
>
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Sudden issues with LDAP logins

2022-02-24 Thread Hankins, Jonathan
I can't coax those error messages out of 1.4.0 by removing the LDAP module
or making it unreadable with chmod. The latter *does* give a couple of
messages at tomcat startup time in catalina.out, but not what you are
seeing. I'd check and make sure nothing has changed on the system. Look
back in the catalina.out file until the last successful LDAP authentication
and see if tomcat has been restarted since then. My hunch is this one is
the relevant one:

Feb 24 14:46:40 sds server: 14:46:40.042 [http-bio-8080-exec-4] WARN
o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
has *encountered an internal error* which will halt the authentication
process. If this is unexpected or you are the developer of this
authentication provider, you may wish to enable debug-level logging. If
this is expected and you wish to ignore such failures in the future, please
set "skip-if-unavailable: ldap" within your guacamole.properties.

You can configure logback.xml to turn up the debugging level (1.4.0 docs,
should still apply for you):
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

Make sure no disks are full, no I/O errors in dmesg, server hasn't rebooted
unexpectedly, etc.



On Thu, Feb 24, 2022 at 2:00 PM Devine, Harry (FAA)
 wrote:

> Today, one of our Guacamole servers started to not allow LDAP logins.  We
> are running version 1.2.0 and have 3 or 4 other 1.2.0 servers running
> without any issues.  I’ve even put SELinux into Permissive just in case.
>
>
>
> Any ideas on the log info below:
>
>
>
> Feb 24 14:46:40 sds server: 14:46:40.040 [http-bio-8080-exec-4] WARN
> o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored
> because the relevant authentication provider could not be loaded. Please
> check for errors earlier in the logs.
>
> Feb 24 14:46:40 sds server: 14:46:40.042 [http-bio-8080-exec-4] WARN
> o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored
> because the relevant authentication provider could not be loaded. Please
> check for errors earlier in the logs.
>
> Feb 24 14:46:40 sds server: 14:46:40.042 [http-bio-8080-exec-4] WARN
> o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
> has encountered an internal error which will halt the authentication
> process. If this is unexpected or you are the developer of this
> authentication provider, you may wish to enable debug-level logging. If
> this is expected and you wish to ignore such failures in the future, please
> set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> Feb 24 14:46:40 sds server: 14:46:40.042 [http-bio-8080-exec-4] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> [10.143.33.164, 127.0.0.1] for user "harry.devine" failed.
>
> Feb 24 14:46:43 sds server: 14:46:43.311 [http-bio-8080-exec-6] WARN
> o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored
> because the relevant authentication provider could not be loaded. Please
> check for errors earlier in the logs.
>
> Feb 24 14:46:43 sds server: 14:46:43.311 [http-bio-8080-exec-6] WARN
> o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored
> because the relevant authentication provider could not be loaded. Please
> check for errors earlier in the logs.
>
>
>
> Thanks,
>
> Harry
>
>
>
> Harry Devine
>
> Secure-OSE System Administrator
>
> Red Hat Certified System Administrator (RHCSA)
>
> Work: (609) 485-4218
>
> FAA Cell:  (609) 612-7274
>
>
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Issues with RDP connections

2022-02-18 Thread Hankins, Jonathan
I was incorrect -- I *did* have a domain user named "guacadmin". I checked
the windows event logs on the 2012 machine I failed to connect to and saw
error 4825 in the Windows/Security event log, as an Audit Failure message:

"A user was denied the access to Remote Desktop. By default, users are
allowed to connect only if they are members of the Remote Desktop Users
group or Administrators group."

If I delete the user and try to connect again, I get this expected error
from guacd:

"RDP server closed/refused connection: Authentication failure (invalid
credentials?)"

I hear you saying you can connect to the same server presumably with the
same domain and username credentials via another RDP client, but I'd
suggest double-checking that this is indeed the case as well as check your
Windows Event logs to see if anything is logged when the connection from
guacamole fails.


On Fri, Feb 18, 2022 at 11:23 AM Hankins, Jonathan <
jhank...@homewood.k12.al.us> wrote:

> FWIW, I get the same error "RDP server closed/refused connection: Server
> refused connection (wrong security type?)" if I try to connect with a
> username passed through that does not exist on the Windows side.
>
> For reference, in my connection, I have the domain set, the login set to
> "${GUAC_USERNAME}", security mode set to NLA in guac (also required on the
> Windows side). If I login as "guacadmin" to guac and launch that
> connection, it fails with the message you are receiving, as there is no
> "guacadmin" user in my Windows domain.
>
>
>
>
> On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA)
>  wrote:
>
>> It doesn’t look like guacd.conf is being used in our installation.  I
>> tried “/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look
>> any different in what it's logging.  Where else should I be adding/looking
>> for the debug messages?  Perhaps guacamole.properties?
>>
>>
>>
>> Thanks,
>>
>> Harry
>>
>>
>>
>> *From:* Nick Couchman 
>> *Sent:* Thursday, February 17, 2022 9:26 PM
>> *To:* user@guacamole.apache.org
>> *Subject:* Re: Issues with RDP connections
>>
>>
>>
>> On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <
>> harry.dev...@faa.gov.invalid> wrote:
>>
>> On the Windows side or the guacamole side?  If the user couldn’t write
>> there, why did the windows 10 rdp work?  One of our admins said they can
>> rdp to the windows 2013 server using MobaXterm and they see the TLS is 1.2.
>> Does guacamole expect v2?  If so, does the 2012 need to update to TLS2?
>>
>>
>>
>>
>>
>> This would be on the Guacamole side. No, I do not expect that Guacamole
>> would require a TLS version that Windows doesn't support- I use 1.4.0 to
>> connect to Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with
>> Windows 10.
>>
>>
>>
>> Also, might want to start guacd with debug logging (-L debug on the
>> command line, or log_level = debug in guacd.conf) to see if you get any
>> more useful messages.
>>
>>
>>
>> -Nick
>>
>
>
> --
> Jonathan Hankins
>
> Homewood City Schools
>
> W: 205-877-4548
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Issues with RDP connections

2022-02-18 Thread Hankins, Jonathan
FWIW, I get the same error "RDP server closed/refused connection: Server
refused connection (wrong security type?)" if I try to connect with a
username passed through that does not exist on the Windows side.

For reference, in my connection, I have the domain set, the login set to
"${GUAC_USERNAME}", security mode set to NLA in guac (also required on the
Windows side). If I login as "guacadmin" to guac and launch that
connection, it fails with the message you are receiving, as there is no
"guacadmin" user in my Windows domain.




On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA)
 wrote:

> It doesn’t look like guacd.conf is being used in our installation.  I
> tried “/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look
> any different in what it's logging.  Where else should I be adding/looking
> for the debug messages?  Perhaps guacamole.properties?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman 
> *Sent:* Thursday, February 17, 2022 9:26 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Issues with RDP connections
>
>
>
> On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <
> harry.dev...@faa.gov.invalid> wrote:
>
> On the Windows side or the guacamole side?  If the user couldn’t write
> there, why did the windows 10 rdp work?  One of our admins said they can
> rdp to the windows 2013 server using MobaXterm and they see the TLS is 1.2.
> Does guacamole expect v2?  If so, does the 2012 need to update to TLS2?
>
>
>
>
>
> This would be on the Guacamole side. No, I do not expect that Guacamole
> would require a TLS version that Windows doesn't support- I use 1.4.0 to
> connect to Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with
> Windows 10.
>
>
>
> Also, might want to start guacd with debug logging (-L debug on the
> command line, or log_level = debug in guacd.conf) to see if you get any
> more useful messages.
>
>
>
> -Nick
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: 2FA: using TOTP authenticators (examples)

2022-02-09 Thread Hankins, Jonathan
Vieri,

If you are on 1.4.0 and still have access to another admin account, you can
clear it in the Settings / Users page for guacadmin.

Otherwise it's in the database, in the guacamole_user_attribute table.

On Wed, Feb 9, 2022 at 8:28 AM Vieri  wrote:

> How does one clear the TOTP data for the guacadmin user?
>
> Regards,
>
> Vieri

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: 2FA and sharing profile

2022-02-08 Thread Hankins, Jonathan
On Tue, Feb 8, 2022 at 11:16 AM Alejandro Hernandez 
wrote:

> I understand that the 1) was addressed on version 1.4, now you are able to
> turn on TOTP just for some users, not all of them
>
I don't think this is correct -- the TOTP changes listed for 1.4.0 are:


   - Allow for clearing TOTP Data in admin interface (GUACAMOLE-770)
   - User profile information cleared after TOTP enrollment (GUACAMOLE-1199)
   - Automatically focus TOTP field (GUACAMOLE-1397)


In 1.4.0, there are now options to clear the TOTP secret and mark it
unconfirmed (does not change the TOTP seed, but does present the user with
the QR code / TOTP seed again and require them to re-confirm it.)




> El 2022-02-04 08:31, Don Eugene Paul Viado escribió:
>
> Hello,
>
> Just wanted to ask if the below function is already possible or any
> workaround
>
> 1.) Mixing 2FA and Password only users - Currently, I have used the totp
> plugin but this seems to force all users to enroll token on the device.  Is
> it possible to configure some user to not be presented with 2FA challenge
> and only use their passwords
> 2.) Sharing profile - Very useful feature but i have concern with security
> as sharing the URL link goes to some unsecure method (chat, email) which
> can be seen by someone else.  Is it possible to password protect it so
> the link can be passed insecurely and the password to some other means
>
> Thanks in advance.
>
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: 2FA and sharing profile

2022-02-04 Thread Hankins, Jonathan
Re: #1 -- There are some tickets in JIRA about it, and it looks like
it's being considered for a future version. See the workaround that one
user is using here.

https://issues.apache.org/jira/plugins/servlet/mobile#issue/GUACAMOLE-1164

Re: #2 -- I don't think this is possible in the current implementation. If
you trust your users to follow protocol, you could have them share the
links by something password protected/ephemeral, like Bitwarden Send or
something similar. This won't help if you are worried about your users
sharing via inappropriate channels.



On Fri, Feb 4, 2022 at 9:31 AM Don Eugene Paul Viado
 wrote:

> Hello,
>
> Just wanted to ask if the below function is already possible or any
> workaround
>
> 1.) Mixing 2FA and Password only users - Currently, I have used the totp
> plugin but this seems to force all users to enroll token on the device.  Is
> it possible to configure some user to not be presented with 2FA challenge
> and only use their passwords
> 2.) Sharing profile - Very useful feature but i have concern with security
> as sharing the URL link goes to some unsecure method (chat, email) which
> can be seen by someone else.  Is it possible to password protect it so
> the link can be passed insecurely and the password to some other means
>
> Thanks in advance.
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Guacamole 1.4.0 - Shared Connections

2022-01-25 Thread Hankins, Jonathan
See here:
https://guacamole.apache.org/doc/gug/administration.html#connection-sharing

Specifically:

> Unlike connections and groups, there is no “New Sharing Profile” button.
> Sharing profiles are created through clicking the “New Sharing Profile”
> placeholders which appear when connections are expanded. Just as expanding
> a connection group reveals the connections or groups therein, expanding a
> connection reveals the sharing profiles associated with that connection.
> This holds true with both the list of connections in the connection
> management screen and the list of connections in the user editor.


On Tue, Jan 25, 2022 at 12:13 PM CVAD IT Service Desk <
cvad.itservi...@unt.edu> wrote:

> Good afternoon everyone.
>
>
>
> We are using Guacamole 1.4.0 and would like to create a shared connection
> as noted in the guacamole documentation, however don’t see the “share”
> dialogue anywhere on our instance. Is this something that we have to enable
> in the guacamole configuration files on the server? We have scoured the
> guacamole documentation and have found no inferences on how to enable this
> functionality.
>
>
>
> Any guidance would be appreciated. Thank you!
>
>
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: LDAP Multi AD Domain

2022-01-21 Thread Hankins, Jonathan
Not sure if / how this works for LDAP auth, but I know you can run your
LDAP searches against the Global Catalog and search multiple domains.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730749(v=ws.11)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978012(v=technet.10)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/windows/win32/ad/binding-to-the-global-catalog


On Fri, Jan 21, 2022 at 1:05 PM David McDade 
wrote:

> I have been looking through the manual and online and only found one
> really solid mention of more than a single domain authentication support
> with Guacamole. Basic of the setup we have a large single forest AD with
> several child domains outside the primary domain that Guacamole is
> configured in. We would like to serve RDP access to the child domains in
> the primary domain but need to authenticate them through their local
> domains. Can I add another LDAP host in the guacamole.properties file?
>
>
>
>
>
> *David McDade*
>
> IT Manager
>
> *Kalitta Charters Companies* | Information Technology
>
> 734.985.2466
>
> www.kalittacharters.com
>
>
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Restricting LDAP groups

2022-01-20 Thread Hankins, Jonathan
FWIW, I tested today in my environment (AD LDAP) and this works:


ldap-group-search-filter: (&(objectClass=group)(cn=guac*))

I also tested (|(cn=foo)(cn=bar)) where foo and bar DO exist, and it
works, and I tested it where foo and bar do NOT exist, and they are absent
from the list, as expected.


On Thu, Jan 20, 2022 at 12:44 PM Brad Saxton  wrote:

>
> So, I've upgraded to version 1.4 hoping that the new
> ldap-group-search-filter would help with a problem I am having. I have set
> up ldap auth + mysql so that Guacamole groups map to groups in LDAP (well
> Active Directory actually) and things work as expected (ie. users in an
> LDAP group get the settings/connections for the same-named Guacamole
> group). The problem is that when you log in with an account which has group
> administrator permissions, the list of groups on Settings -> Groups is
> huge. Here is a very simplified example of our setup and the issue:
>
> Most of our security groups are in, say "OU=Security, DC=mysite,
> DC=local". There are hundreds of groups with that base but I am trying to
> limit the list available to Guacamole to be specific ones, or even ones
> which contain a substring like guac.
>
> My configuration is something like this:
>
> ldap-user-base-dn: OU=Users.DC=mysite,DC=local
> ldap-username-attribute: uid
> ldap-member-attribute: member
> ldap-member-attribute-type: dn
> ldap-user-search-filter:
> (|(memberOf=CN=guac-access,OU=Security,DC=mysite,local)(memberof=CN=guac-admin,OU=Security,DC=mysite,DC=local))
> ldap-group-base-dn: OU=Security.DC=mysite,DC=local
> ldap-group-name-attribute: cn
> ldap-group-search-filter: ?
>
> I have tried a number of things for ldap-group-search-filter to try and
> limit the groups listed in Settings -> Groups to not include groups besides
> guac-access & guac-admin but to no avail. I always seem to get every single
> group that has a base of OU=Security,DC=mysite,DC=local. For example, none
> of the following seem to work for ldap-group-search-filter:
>
> |(CN=guac-access)(CN=guac-admin)
> (|(CN=guac-access)(CN=guac-admin))
>
> |(CN=guac-access,OU=Security,DC=mysite,DC=local)(CN=guac-admin,OU=Security,DC=mysite,DC=local)
>
> (|(CN=guac-access,OU=Security,DC=mysite,DC=local)(CN=guac-admin,OU=Security,DC=mysite,DC=local))
> CN=guac-*
> (CN=guac-*)
> CN=guac-*,OU=Security,DC=mysite,DC=local
> (CN=guac-*,OU=Security,DC=mysite,DC=local)
>
>
> Am I fundamentally missing something or is ldap-group-search-filter not
> able to do what I am trying to accomplish?
>
> Thanks in advance for any help
> Brad
>
> --
>
> Brad Saxton
> Senior System Administrator
> Infrastructure Team
> Brock University | Information Technology Services
> Niagara Region | 1812 Sir Isaac Brock Way | St. Catharines, ON, Canada
> L2S 3A1
> brocku.ca | T 905-688-5550 x4761 | F 905-688-4191
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548
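
Added example, not from the thread or from Guacamole's code: a strict parser and evaluator for a subset of RFC 4515, run over the candidate ldap-group-search-filter values quoted in this message. The directory entries, `select_groups` and the other names are constructed for illustration; a real server or client may be more lenient about missing outer parentheses.

```python
import re


class FilterSyntaxError(ValueError):
    """Raised when text is not a well-formed RFC 4515 filter."""


def parse_filter(text):
    """Parse a subset of RFC 4515: &, |, !, equality, presence, substring."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"unexpected text at offset {pos}")
    return node


def _parse(s, i):
    # Every component, including the outermost one, must sit in parentheses.
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"'{op}' needs at least one sub-filter")
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        item = s[i:end] if end != -1 else ""
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip() or "(" in item:
            raise FilterSyntaxError(f"malformed item at offset {i}")
        node = ("item", attr.strip().lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":                      # presence test, e.g. (cn=*)
        return bool(values)
    # '*' is a wildcard; everything else is compared literally, ignoring case.
    regex = re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                       re.IGNORECASE)
    return any(regex.fullmatch(v) for v in values)


# Constructed sample directory. The DN is the entry's name, not an attribute,
# so a filter on cn is compared with the cn value only ("guac-access").
BASE = "OU=Security,DC=mysite,DC=local"
DIRECTORY = [
    {"dn": f"CN={cn},{BASE}", "attrs": {"objectclass": ["top", "group"], "cn": [cn]}}
    for cn in ("guac-access", "guac-admin", "finance", "staff")
]

CANDIDATES = [
    "|(CN=guac-access)(CN=guac-admin)",
    "(|(CN=guac-access)(CN=guac-admin))",
    f"(|(CN=guac-access,{BASE})(CN=guac-admin,{BASE}))",
    "CN=guac-*",
    "(CN=guac-*)",
    f"(CN=guac-*,{BASE})",
    "(&(objectClass=group)(cn=guac*))",
]


def select_groups(filter_text, directory=DIRECTORY):
    """Return the cn of every sample group the filter selects."""
    tree = parse_filter(filter_text)
    return [e["attrs"]["cn"][0] for e in directory if matches(tree, e["attrs"])]


def report(candidates=CANDIDATES):
    """Map each candidate filter to its selected groups or a rejection reason."""
    results = {}
    for text in candidates:
        try:
            results[text] = select_groups(text)
        except FilterSyntaxError as exc:
            results[text] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for text, outcome in report().items():
        print(f"{text}\n    -> {outcome}")
```

Under this strict reading, the unparenthesized forms are rejected, the forms that put a full DN after CN= select nothing, and the parenthesized cn filters select only the two guac groups.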



Re: *LONG* Directly using SQL tables

2022-01-14 Thread Hankins, Jonathan
Glad you got it worked out. FWIW, I tested the auto-create setup and it did
work -- user is not in Guacamole DB, authenticates against LDAP (AD) and is
created in Guacamole DB (you still have to go assign a group or connection
afterward, per the docs).

You do have to make sure you set:

mysql-user-required: false

if you set:

mysql-auto-create-accounts: true

On Fri, Jan 14, 2022 at 10:09 AM Jim Rx  wrote:

> Jonathan,
>
> I was over-complicating things. Salting the hashes is not a big deal (as
> I've discovered).
>
> So the key to the whole thing working was the guacamole_user table. I had
> to add the entries there as well. The trick is the password_hash... the
> fields for the password_hash and password_salt are binary(32). So when I
> took our common starting point password "$UPER$ecret" and hashed it with
> SHA256 (I used an online hash tool), I had to divide the 64 hex characters
> it returned into two 32-character strings, one in the password_hash field
> and one in the password_salt field.
>
> There are a couple more mandatory fields in that table and then it imports
> just fine. After that, as long as the users are in AD, they can log in just
> fine and they have connections set up.
>
> The guacamole_user table works out to look like this in the csv file:
> 141,141,98FBF2243B9D9A9F93B7D87DAC20C8CD,CCB8315A0A5F02340A115F6A846113D0,2022-01-01
> 00:01:00,0,0,\N,\N,\N,\N,CST,\N,\N,\N,\N
>
> So I can salt the hashes to protect the common starting password, and all
> is well.
>
> Thanks again,
>
> Jim
> *Sent:* Thursday, January 13, 2022 at 1:14 PM
> *From:* "Hankins, Jonathan" 
> *To:* user@guacamole.apache.org
> *Subject:* Re: *LONG* Directly using SQL tables
> The docs indicate that the only thing required for auto-create to work,
> once it's enabled, is for a successful authentication from another
> extension, so I would expect that it should be creating accounts for you if
> they are successfully authenticating against LDAP. Haven't tested in our
> environment.
>
> As far as adding unsalted passwords, make sure to heed the warning in the
> docs. Even if you are using the database accounts as "dummies" and they are
> all authenticating against LDAP, I *believe* that they can still auth
> against the database with the password in the DB, regardless of LDAP. May
> be wrong on that, but if that's right, and your DB was compromised, the
> unsalted hashes are easy to break. There is a code example in the docs
> about how to salt the hashes in MySQL.
>
> On Thu, Jan 13, 2022 at 11:38 AM Jim Rx  wrote:
>
>>
>> Jonathan,
>>
>> Thanks for your reply.
>>
>> I checked and you are right -- the import into the guacamole_entity table
>> was successful, but there are no corresponding entries being created in the
>> guacamole_user table.
>>
>> We are using LDAP, and we have the auto-create option
>> "mysql-auto-create-accounts: true" configured. I assume that if the account
>> already exists in the database, then it's a push.
>>
>> Since database authentication is "subordinate" to other authentication
>> extensions, I think I'll try and add to the user table manually with
>> unsalted gibberish passwords and see if it works.
>>
>> Jim
>> *Sent:* Thursday, January 13, 2022 at 10:45 AM
>> *From:* "Hankins, Jonathan" 
>> *To:* user@guacamole.apache.org
>> *Subject:* Re: *LONG* Directly using SQL tables
>> I am using Postgres, but one thing I noticed that's different with my
>> setup is I am not specifying the entity_id -- it is an auto-increment field
>> in MySQL (serial in Postgres).
>>
>> I think you don't have anything in the guacamole_user table for the
>> entities you are creating. Have a look at:
>>
>> https://guacamole.apache.org/doc/gug/jdbc-auth.html#users
>>
>> Also, since you are using LDAP for auth, you may be able to shortcut all
>> of this, have a look at:
>>
>>
>> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
>>
>>
>>
>>
>> On Tue, Jan 11, 2022 at 11:09 AM Jim Rx  wrote:
>>
>>> Greetings, I have a question about updating the database contents
>>> directly. Sorry for the length of the email, just trying to cover all the
>>> bases.
>>>
>>> Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4
>>> CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.
>>>
>>> We support a training company that will generally bring in 20 students
>>> at a time for class, several times over the course of a year.
>>>
>>> 

Re: Guacamole update: on-screen keyboard and printing

2022-01-13 Thread Hankins, Jonathan
I believe it introduces the .setpdfwrite command, so you would need to
remove it too:

https://www.ghostscript.com/doc/current/Use.htm

> -c token ...
> -c string ...
> Interprets arguments as PostScript code *up to the next
> argument that begins with "-" followed by a non-digit*, or with "@". For
> example, if the file quit.ps contains just the word "quit", then -c quit
> on the command line is equivalent to quit.ps there. Each argument must be
> valid PostScript, either individual tokens as defined by the token
> operator, or a string containing valid PostScript.


Leaving the "-c"  isn't causing any harm in this case due to the statement
in bold above, but it should be removed to be proper/safe.

FWIW the gs(1) man page on my system did not cover -c, but the docs do.


On Thu, Jan 13, 2022 at 5:29 PM Vieri  wrote:

> Thanks, Jonathan.
>
> With guacd GIT there's only one place to delete which is:
>
> --- a/src/protocols/rdp/print-job.c 2022-01-13 23:56:09.624104530 +0100
> +++ b/src/protocols/rdp/print-job.c 2022-01-14 00:11:11.980761279 +0100
> @@ -46,7 +46,6 @@
>  "-sDEVICE=pdfwrite",
>  "-sOutputFile=-",
>  "-c",
> -".setpdfwrite",
>  "-sstdout=/dev/null",
>  "-f",
>  "-",
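
Review bot: the "-c" context line directly above the deleted ".setpdfwrite" stays in the argument list with nothing left for it to introduce, and should be removed in the same hunk. It is harmless only because the next argument, "-sstdout=/dev/null", begins with "-" followed by a non-digit and so ends the PostScript run immediately, per the Ghostscript usage text quoted in this thread; dropping "-c" as well keeps the gs command line from depending on that parsing rule.
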
>
> I don't know what the "-c" option does as I haven't found it in the man
> page. I'm supposing it has nothing to do with .setpdfwrite.
> In any case, I compile guacamole-server with this patch, and I can confirm
> that printing to PDF finally works.
>
> Is a bug report necessary?
>
> Thanks again,
>
> Vieri

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Guacamole update: on-screen keyboard and printing

2022-01-13 Thread Hankins, Jonathan
FWIW, .setpdfwrite was deprecated in gs 9.5.0 (2019-08-13) and removed in
gs 9.5.4 (2021-02-12). Quick googling shows that the removal has broken
various projects that involve PDF and use gs over the last year.

Vieri, if you are building guacd yourself, it's trivial to remove it:
guacamole-server-1.4.0/src/protocols/rdp/print-job.c lines 48 and 49.

http://git.ghostscript.com/?p=ghostpdl.git=search=refs%2Fheads%2Fgs9.55.0=commit=setpdfwrite

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=180419375973b9ce4664286a67106d712260ef7f

On Thu, Jan 13, 2022 at 4:43 PM Vieri  wrote:

>
> On Thursday, January 13, 2022, 11:30:41 PM GMT+1, Vieri
>  wrote:
>
> > It looks like the issue lies in GhostScript itself
> > Error: /undefined in .setpdfwrite
> > That option is indeed passed to "gs" in the case of the print filter
> command used by the RDP support
>
> I downgraded to ghostscript-gpl-9.52, and PDF printing now works fine!
> It also seems that simply removing .setpdfwrite in guacamole should be
> fine. It doesn't seem to do much anyway.
>
> Should a bug report be opened, or is this ML thread enough?
>
> Thanks again,
>
> Vieri

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: *LONG* Directly using SQL tables

2022-01-13 Thread Hankins, Jonathan
The docs indicate that the only thing required for auto-create to work,
once it's enabled, is for a successful authentication from another
extension, so I would expect that it should be creating accounts for you if
they are successfully authenticating against LDAP. Haven't tested in our
environment.

As far as adding unsalted passwords, make sure to heed the warning in the
docs. Even if you are using the database accounts as "dummies" and they are
all authenticating against LDAP, I *believe* that they can still auth
against the database with the password in the DB, regardless of LDAP. May
be wrong on that, but if that's right, and your DB was compromised, the
unsalted hashes are easy to break. There is a code example in the docs
about how to salt the hashes in MySQL.

On Thu, Jan 13, 2022 at 11:38 AM Jim Rx  wrote:

>
> Jonathan,
>
> Thanks for your reply.
>
> I checked and you are right -- the import into the guacamole_entity table
> was successful, but there are no corresponding entries being created in the
> guacamole_user table.
>
> We are using LDAP, and we have the auto-create option
> "mysql-auto-create-accounts: true" configured. I assume that if the account
> already exists in the database, then it's a push.
>
> Since database authentication is "subordinate" to other authentication
> extensions, I think I'll try and add to the user table manually with
> unsalted gibberish passwords and see if it works.
>
> Jim
> *Sent:* Thursday, January 13, 2022 at 10:45 AM
> *From:* "Hankins, Jonathan" 
> *To:* user@guacamole.apache.org
> *Subject:* Re: *LONG* Directly using SQL tables
> I am using Postgres, but one thing I noticed that's different with my
> setup is I am not specifying the entity_id -- it is an auto-increment field
> in MySQL (serial in Postgres).
>
> I think you don't have anything in the guacamole_user table for the
> entities you are creating. Have a look at:
>
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#users
>
> Also, since you are using LDAP for auth, you may be able to shortcut all
> of this, have a look at:
>
>
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
>
>
>
>
> On Tue, Jan 11, 2022 at 11:09 AM Jim Rx  wrote:
>
>> Greetings, I have a question about updating the database contents
>> directly. Sorry for the length of the email, just trying to cover all the
>> bases.
>>
>> Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4
>> CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.
>>
>> We support a training company that will generally bring in 20 students at
>> a time for class, several times over the course of a year.
>>
>> Right now, we use generic "Student123" accounts associated with prebuilt
>> connections and everything runs great. But we want to move to having
>> students use their named logins (which means we'll also have to remove
>> those entries at the end of class). The process of getting everything set
>> up is pretty manual, so I'm looking for a way to script everything.
>>
>> All authentication is pointed at our Windows Domain Controller using LDAP.
>>
>> I have used CSV files and SQL commands in the past to add new connections
>> (entries into the connections and connection_parameter tables). Those
>> always show up in the Web UI just fine. I have not had any luck adding
>> entries into the table with user names (entities) or the table with
>> connections (connection_permissions). The rows are added to the table, but
>> do not appear in the Web UI (this is being done ahead of a class starting,
>> so the users are in AD but they have never logged on any of our systems).
>>
>> When using this method, user login attempts fail with no apparent log
>> entries (I think I checked them all... /var/etc/tomcat9/ catalina.out,
>> localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log;
>> /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log
>> guac_error.log ).
>> If I only add the connection information (nothing in the entity or
>> permissions tables) then the user can log in successfully, but I have to go
>> back and manually add their connection information. I'd like to keep from
>> doing things manually as possible.
>>
>> Below are the details of the configuration and the SQL commands I used in
>> my attempts.
>>
>> Thank you
>>
>> Jim
>>
>> /etc/guacamole/guacamole.properties looks like this:
>> guacd-hostname: localhost
>> guacd-port: 4822
>> user-mapping: /etc/guacamole/user-mapping.xml
>> auth-provider:
>> net.sourcefo

Re: *LONG* Directly using SQL tables

2022-01-13 Thread Hankins, Jonathan
I am using Postgres, but one thing I noticed that's different with my setup
is I am not specifying the entity_id -- it is an auto-increment field in
MySQL (serial in Postgres).

I think you don't have anything in the guacamole_user table for the
entities you are creating. Have a look at:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#users

Also, since you are using LDAP for auth, you may be able to shortcut all of
this, have a look at:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users




On Tue, Jan 11, 2022 at 11:09 AM Jim Rx  wrote:

> Greetings, I have a question about updating the database contents
> directly. Sorry for the length of the email, just trying to cover all the
> bases.
>
> Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4
> CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.
>
> We support a training company that will generally bring in 20 students at
> a time for class, several times over the course of a year.
>
> Right now, we use generic "Student123" accounts associated with prebuilt
> connections and everything runs great. But we want to move to having
> students use their named logins (which means we'll also have to remove
> those entries at the end of class). The process of getting everything set
> up is pretty manual, so I'm looking for a way to script everything.
>
> All authentication is pointed at our Windows Domain Controller using LDAP.
>
> I have used CSV files and SQL commands in the past to add new connections
> (entries into the connections and connection_parameter tables). Those
> always show up in the Web UI just fine. I have not had any luck adding
> entries into the table with user names (entities) or the table with
> connections (connection_permissions). The rows are added to the table, but
> do not appear in the Web UI (this is being done ahead of a class starting,
> so the users are in AD but they have never logged on any of our systems).
>
> When using this method, user login attempts fail with no apparent log
> entries (I think I checked them all... /var/etc/tomcat9/ catalina.out,
> localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log;
> /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log
> guac_error.log ).
> If I only add the connection information (nothing in the entity or
> permissions tables) then the user can log in successfully, but I have to go
> back and manually add their connection information. I'd like to keep from
> doing things manually as possible.
>
> Below are the details of the configuration and the SQL commands I used in
> my attempts.
>
> Thank you
>
> Jim
>
> /etc/guacamole/guacamole.properties looks like this:
> guacd-hostname: localhost
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider:
> net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # MySQL properties
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: $UPER$ecret
> mysql-auto-create-accounts: true
> # LDAP Properties
> ldap-hostname: 10.0.0.10
> ldap-port: 389
> ldap-encryption-method: none
> #ldap-user-base-dn: OU=them, DC=our, DC=net
> ldap-user-base-dn: DC=our,DC=net
> ldap-username-attribute: samAccountName
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts,
> ou=Administration, dc=our, dc=net
> ldap-search-bind-password: $UPER$ecret
> #ldap-user-search-filter: (objectClass=user)(!(objectCategory=computer))
> ldap-user-search-filter: (sAMAccountType=805306368)
>
> The process that I attempted to use was as follows:
> Create the required CSV files-
> NEW_STUDENT_CONNECTION.csv:
> 284,NS-Linux-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 285,NS-Linux-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 286,NS-Linux-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 287,NS-Linux-04,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 314,NS-Windows-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 315,NS-Windows-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 316,NS-Windows-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
> 317,NS-Windows-04,\N,rdp,\N,\N,\N,\N,\N,\N,0
>
>
> NEW_STUDENT_CONNECTION_PARAMETERS.csv:
> 284,hostname,10.16.6.100
> 284,ignore-cert,true
> 284,port,3389
> 285,hostname,10.16.6.101
> 285,ignore-cert,true
> 285,port,3389
> 286,hostname,10.16.6.102
> 286,ignore-cert,true
> 286,port,3389
> 287,hostname,10.16.6.103
> 287,ignore-cert,true
> 287,port,3389
> 314,hostname,10.16.6.130
> 314,ignore-cert,true
> 314,port,3389
> 315,hostname,10.16.6.131
> 315,ignore-cert,true
> 315,port,3389
> 316,hostname,10.16.6.132
> 316,ignore-cert,true
> 316,port,3389
> 317,hostname,10.16.6.133
> 317,ignore-cert,true
> 317,port,3389
>
>
> NEW_STUDENT_ENTITY.csv:
> 141,2299shenry,USER
> 142,2299sjones,USER
> 143,2299bsmith,USER
> 144,2299gstetson,USER
>
>
> NEW_STUDENT_CONNECTION_PERMISSIONS.csv:
> 141,284,READ
> 141,314,READ
> 142,285,READ
> 142,315,READ
> 143,286,READ
> 143,316,READ
> 144,287,READ
> 144,317,READ
>
> Once the files were in place on the server, I ran the following 

Re: Feature Request: disable connection sharing without logging out

2022-01-12 Thread Hankins, Jonathan
(FWIW, in testing the existing functionality out today, I find that when
you click the sharing profile a second time, it generates a new link, but
the first link is not invalidated when this happens, nor is anyone actively
using the link disconnected.)

I think this could be useful in a few ways. One thing that comes to mind is
some Windows terminal server policies may cause a session to log out
immediately on disconnect, and a user who had shared their session may not
want to completely log out just to end the sharing. Another thought -
suppose you had one sharing setting to grant a co-presenter RW access, and
then a second RO share setting that was distributed to each group of
attendees. You are going to do back-to-back sessions and would like to
"kick out" the attendees from the previous session without affecting the
co-presenter.

If generating a new sharing URL invalidated the previously-generated one
and terminated any active sessions using that URL, it would work, but I
don't know how clearly the current UI would indicate what was happening to
the (primary) user. For example, I expected it to invalidate/disconnect the
previous URL/session when I clicked it a second time, but I wasn't even
sure that clicking it a second time would do anything.

It also might be helpful under the "This connection is now shared" area of
the Guacamole menu to have an indication of whether each share URL is RO or
RW.

I am kind of envisioning a checkbutton next to each sharing setting (in the
Share dropdown) that gives a visual indication of which sharing settings
are active, and a way to "turn them off" which would invalidate the URL and
disconnect the URL. Checking the box again after unchecking it would
generate the new URL, so you are kind of toggling them on and off.

Curious what others think or what use cases they may have.


On Wed, Jan 12, 2022 at 2:06 AM Michael Niehren  wrote:

> Hi,
>
>
> first of all, many thanks for this great software.
>
>
> I missed one thing. Would it be possible to implement that the user can
> disable a provided connection sharing without logging out. Or maybe a
> button to disable all shared connections.
>
> All external users should be automatically disconnected when the sharing
> ends, in the same way like disconnecting the session.
>
> So someone can use guacamole for a Presentation Meeting and if the meeting
> is over he only disables the sharing.
>
>
> best regards
>
>   Michael
>
>
> 
> Information pursuant to the EHUG
>
> Company name: tuxlan GmbH
> Legal form: GmbH
> Registered office: Am Waldstadion 32, 66636 Tholey
> Managing director: Michael Niehren
> Register court: Saarbrücken, HRB 107090
> 
>
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548

-- 
This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message and its 
attachments are prohibited. Please notify the sender of this error 
immediately by reply e-mail, and permanently delete this message and its 
attachments in any form in which they may have been preserved.


Re: Odd Ctrl-Shift-Alt Behavior

2022-01-07 Thread Hankins, Jonathan
I tried banging on this a bit and I can't reproduce what Nick and Fil John
are seeing. My environment is Win 10 (local) (Chrome browser) and a variety
of Windows versions inside the guacamole session, all over RDP. I tried
various things like:

Getting an Alt+key combo "pending" in another local window, focusing the
browser (mouse click - clears out the "pending" alt, as expected) and
trying the Ctrl+Alt+Shift.

Activating the Ctrl+Alt+Shift menu, then activating the WM popup with
Alt+Space, then Ctrl+Alt+Shift again (closes the WM menu AND closes the
guacamole menu)

Having an Alt+key combo "pending" inside the session (no effect on local,
activating guac menu takes focus away which clears the pending Alt in the
client).

Additionally, you would really have to work to make Sticky Keys in Win 10
cause something like the behavior you are seeing without beeping and
screeching at you.

I also tried quickly repeating the key combo, using various combinations of
left and right Ctrl/Alt/Shift keys, incomplete combos (missing one of the
keys), etc. and couldn't reproduce it.

I also tried playing around with the new tiled window feature and couldn't
break anything.

Notably, I am not seeing the delay that Nick mentioned.

The only strange thing I saw was this: in Chrome, do Ctrl+Alt+Shift to open
the guac menu, now you are focused in a way that you can do Alt-F to open
the Chrome "3 dots" menu (otherwise it passes through to the session). At
this point, you can't get the focus back in such a way that Ctrl+Alt+Shift
closes the guac menu OR passes ANY keyboard input into the session, unless
you switch tabs and back again, or switch to a different application window
/ task bar (mouse click or alt-tab) and back to Chrome. This behavior
exists in 1.3.0 and probably isn't really a Guacamole issue. I have not
tested it in other browsers.

Curious what your environments look like?





On Fri, Jan 7, 2022 at 2:15 AM Fil John Goza 
wrote:

> Hi Nick,
>
> It is also happening in my environment, after pressing Ctrl-Alt-Shift
> twice to open and close the menu, pressing Ctrl+Shift again without Alt
> sometimes opens the hidden menu.
>
>
> On Friday, January 7, 2022, 05:22:37 AM GMT+4, Mike Jumper <
> mjum...@apache.org> wrote:
>
>
> On Thu, Jan 6, 2022, 16:53 Nick Couchman  wrote:
>
> On Thu, Jan 6, 2022 at 7:17 PM Hankins, Jonathan <
> jhank...@homewood.k12.al.us> wrote:
>
> Hey Nick, I am not seeing this. It sounds like Alt is "sticking" somehow
> though, almost like it's toggling instead of momentary. I have seen this in
> various situations with different remote desktop / web consoles / nested
> sessions / whatever over the years -- alt+tab and alt stays "pressed"
> inside the session. Curious if, when Ctrl-Alt-End doesn't work, if you do
> it again, does it work (i.e., 1st attempt "toggled" alt keypress off, so
> session actually receives all 3 the second attempt?).
>
>
> Yeah, Jonathan, I think you're correct - it seems to be "toggling" it
> somehow or another. I'll have to play around a bit more and see if I can
> consistently reproduce the behavior, and maybe I'll do a "git bisect" and
> try to track down where it changed. It's definitely slightly different
> between 1.3.0 and 1.4.0 - something changed enough that my usage of it is
> impacted.
>
>
> So far, Ctrl+Alt+Shift for me is behaving just like it always has. Menu
> opens, menu closes, keys pressed in any order.
>
> - Mike
>
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Odd Ctrl-Shift-Alt Behavior

2022-01-06 Thread Hankins, Jonathan
Hey Nick, I am not seeing this. It sounds like Alt is "sticking" somehow
though, almost like it's toggling instead of momentary. I have seen this in
various situations with different remote desktop / web consoles / nested
sessions / whatever over the years -- alt+tab and alt stays "pressed"
inside the session. Curious if, when Ctrl-Alt-End doesn't work, if you do
it again, does it work (i.e., 1st attempt "toggled" alt keypress off, so
session actually receives all 3 the second attempt?).


On Thu, Jan 6, 2022 at 6:01 PM Nick Couchman  wrote:

> Hello, everyone,
> I'm seeing some odd behavior related to the hidden Guacamole menu after
> upgrading to 1.4.0. Basically, what I'm seeing is:
> * Pressing Ctrl-Shift-Alt seems to require holding down Ctrl and Shift and
> then pressing Alt. The menu is not as "responsive" in 1.4.0 as it was
> previously.
> * After pressing it to get the hidden menu, and then pressing it, again,
> to hide the menu, I'm able to get the menu back pressing only Ctrl-Shift
> (no Alt required).
>
> Possibly related to this, the Ctrl-Alt-End hotkey seems broken.
>
> Anyone else seeing any similar issues?
>
> -Nick
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Upgrade forces IPv6?

2022-01-04 Thread Hankins, Jonathan
I ran into this. On my system (debian) there are 2 entries for localhost in
/etc/hosts, one with 127.0.0.1 and one with ::1. I had no guacd.conf file.
My guacamole.properties had guacd-hostname set to "localhost". The sysctl
for ipv6 bindv6only was at the default of 0 (false).

My connections had "localhost" under the guacd proxy settings.

Guacd was apparently resolving localhost as ::1 but the web app was trying
to connect to "::127.0.0.1" which would fail since guacd was not
binding to 127.0.0.1.

I believe this is related to the changes from GUACAMOLE-1190, but I have
seen someone else ask about it on the list and I suspect others are hitting
this too. We don't use IPv6 (at least, not intentionally) so I wasn't up to
speed on things, and it caught me by surprise and took me a while to
un-confuse myself.

The solution that worked for me was setting guacd-hostname to 127.0.0.1 in
guacamole.properties, bind_host to 127.0.0.1 in guacd.conf, and leaving my
connections set to "localhost". I'm on tomcat9 and I suspect there's
something at play there that's causing guacd to resolve localhost to ::1
but the tunnel code in the web app to resolve it to 127.0.0.1, at least on
my system.

On Tue, Jan 4, 2022, 12:57 PM Brad Saxton  wrote:

> 
> Just in case someone has an answer for this or runs into the same problem.
>
> I upgraded a working instance of 1.3.0 to 1.4.0. Recompiled and installed
> guacd. Removed old extensions and copied the 1.4.0 versions in their place.
> Replaced the guacamole.war file and remove the old guacamole webapps
> directory. Started tomcat and guacd.
>
> Logging in to the web interface works and available connections are shown
> (ssh in my case). Attempts to use any connections results in an internal
> error. Log shows:
>
>  ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request
> failed: java.net.ConnectException: Connection refused (Connection refused)
>
> Things are configured (same as before - no changes to config files) to
> have guacd run on the standard port 4822 and guacd is definitely listening
> on that port BUT as it turns out, it is only listening on the IPv6
> interface.
>
> If I completely disable IPv6, which on Red Hat 7 is done with adding to
> the end of /etc/sysctl.conf:
>    net.ipv6.conf.all.disable_ipv6 = 1
>    net.ipv6.conf.default.disable_ipv6 = 1
>
> and rebooting.
>
> Now things work since guacd now binds to the IPv4 interface.
>
> Any chance there is a configuration setting to force binding to IPv4 even
> if IPv6 is available?
>
> Thanks
> Brad
>
>
> --
>
> Brad Saxton
> Senior System Administrator
> Infrastructure Team
> Brock University | Information Technology Services
> Niagara Region | 1812 Sir Isaac Brock Way | St. Catharines, ON, Canada
> L2S 3A1
> brocku.ca | T 905-688-5550 x4761 | F 905-688-4191
>

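A quick way to confirm the mismatch described in this thread (guacd listening on one loopback family while the web application connects on the other), as an added example that is not part of the original messages or the Guacamole project. The function names are illustrative; port 4822 is the standard guacd port mentioned above.

```python
import socket

GUACD_PORT = 4822  # standard guacd port, as stated in the thread

_FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def resolve(host, port):
    """Return (family, address) pairs that `host` resolves to, in resolver order."""
    results = []
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return results  # name does not resolve at all
    for family, _type, _proto, _canon, sockaddr in infos:
        name = _FAMILY_NAMES.get(family)
        if name is None:
            continue
        entry = (name, sockaddr[0])
        if entry not in results:
            results.append(entry)
    return results


def accepts(address, port, timeout=2.0):
    """True if a TCP connection to the literal IP address succeeds."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
            return True
    except OSError:
        # Refused, unreachable, or the address family is disabled on this host.
        return False


def diagnose(host="localhost", port=GUACD_PORT):
    """Probe every address `host` resolves to, plus both loopback literals.

    Returns {address: reachable}. A listener bound only to ::1 shows up as
    {"127.0.0.1": False, "::1": True}, and the reverse for an IPv4-only bind.
    """
    candidates = resolve(host, port)
    for extra in (("IPv4", "127.0.0.1"), ("IPv6", "::1")):
        if extra not in candidates:
            candidates.append(extra)
    return {address: accepts(address, port) for _family, address in candidates}


def mismatch(report):
    """True when the service answers on exactly one of the two loopback families."""
    return report.get("127.0.0.1", False) != report.get("::1", False)


if __name__ == "__main__":
    print("localhost resolves to:", resolve("localhost", GUACD_PORT))
    report = diagnose("localhost", GUACD_PORT)
    for address, ok in report.items():
        print(f"{address}:{GUACD_PORT} -> {'open' if ok else 'no listener'}")
    if mismatch(report):
        print("guacd answers on only one loopback family; pin guacd-hostname "
              "and bind_host to the same literal address.")
```

Run it on the Guacamole host itself; if only one loopback address answers, set `guacd-hostname` and `bind_host` to that same literal address, as in the fix described in the message.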


Re: Disabling TOTP on a per user basis?

2021-11-18 Thread Hankins, Jonathan
I just worked on this today. There are some tickets in JIRA about it, and
it looks like it's being considered for a future version. See the
workaround that one user is using here - I tested the same thing today.

https://issues.apache.org/jira/plugins/servlet/mobile#issue/GUACAMOLE-1164


On Thu, Nov 18, 2021, 10:01 PM Brad Bendy  wrote:

> Hi,
>
> I setup the TOTP extension and all works fine. We are using the API
> heavily for auto creation of connections and when we enable the module
> this breaks for the API user. Can we disable this somehow for just the
> API user?
>
> Thanks
>
>



Re: Remote connection is disconnected when I use use remote-app and remote-app-dir parameters

2021-11-18 Thread Hankins, Jonathan
Check this out, there's a separate idle timeout policy to log off after
remoteapp application windows are closed. Maybe something's going on there?
Can you test by setting up the connection to just launch notepad and see if
it stays on the screen while you work in it for a while?

If your last remoteapp windows are closed, by default, 20s later the user
session logs off. I wonder if the app you are launching is exiting for some
reason, and then 20s after that, your session logs out and you see the blue
logoff screen?

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remoteapp-sessions-disconnected

On Thu, Nov 18, 2021, 5:04 AM Hanadi Salka  wrote:

> Good Day,
>
> My original Message
>
>
> 
>
> My name is Hanadi Salka, I am a software engineer at XCINO Inc in
> Canada. We have used Guacamole API to connect to remote RDP through our
> ERP System.
>
> I can connect to Full System using RDP and Guacamole without any problem
> but when I use remote-app and remote-app-dir parameters, I can connect
> for two minutes then blue screen with sign-out message appears and the
> session is terminated. Can you please provide me any detail what could
> be the reason that the session is disconnect. It is a configuration at
> windows or at Guacamole I need to do
>
> 
>
>
>
> *Thank you for your response.*
>
>
>
>
> *1.A 'blue screen' does sound like a Windows issue, the content of the
> message is likely to assist in determining that.*
>
>
>
> I have attached the messages that appear during the disconnection process.
>
>
>
>
>
>
> *In addition to that the Guacamole log files will be useful, from around
> the disconnection time - catalina.out and syslog.*
>
> Below is the log files:
>
> --
> 
>
> catalina log
>
> 04:40:31.829 [http-nio-8080-exec-10] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>
> 04:40:31.831 [http-nio-8080-exec-10] INFO
> o.a.guacamole.event.TutorialListener - successful authentication for user
> admin
>
> 04:40:31.831 [http-nio-8080-exec-10] INFO
> o.a.g.r.auth.AuthenticationService - User "admin" successfully
> authenticated from 0:0:0:0:0:0:0:1.
>
> 04:40:31.831 [http-nio-8080-exec-10] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>
> 04:40:31.842 [http-nio-8080-exec-6] INFO
> o.a.guacamole.event.TutorialListener - successful authentication for user
> admin
>
> 04:40:35.101 [http-nio-8080-exec-2] INFO
> o.a.guacamole.event.TutorialListener - successful authentication for user
> admin
>
> 04:40:35.127 [http-nio-8080-exec-3] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>
> 04:40:35.129 [http-nio-8080-exec-9] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>
> 04:40:35.210 [http-nio-8080-exec-9] INFO
> o.a.g.tunnel.TunnelRequestService - User "admin" connected to connection
> "WindowsTermina1192.168.1.23Paintremoteapponly".
>
> 04:42:40.626 [http-nio-8080-exec-3] INFO
> o.a.g.tunnel.TunnelRequestService - User "admin" disconnected from
> connection "WindowsTermina1192.168.1.23Paintremoteapponly". Duration:
> 125416 milliseconds
>
> 04:42:40.641 [http-nio-8080-exec-1] INFO
> o.a.guacamole.event.TutorialListener - successful authentication for user
> admin
>
> --
> 
>
> -- sys.log
>
> Nov 18 04:40:35 debian01 guacd[4189]: Creating new client for protocol
> "rdp"
>
> Nov 18 04:40:35 debian01 guacd[4189]: Connection ID is
> "$e439449b-5065-4164-a2ee-ae66c63c7002"
>
> Nov 18 04:40:35 debian01 guacd[10581]: Security mode: NLA
>
> Nov 18 04:40:35 debian01 guacd[10581]: Resize method: none
>
> Nov 18 04:40:35 debian01 guacd[10581]: User
> "@9c803274-f7b2-41e0-84dd-c9e51724ba71" joined connection
> "$e439449b-5065-4164-a2ee-ae66c63c7002" (1 users now present)
>
> Nov 18 04:40:35 debian01 guacd[10581]: Loading keymap "base"
>
> Nov 18 04:40:35 debian01 guacd[10581]: Loading keymap "en-us-qwerty"
>
> Nov 18 04:40:36 debian01 guacd[10581]: Connected to RDPDR 1.13 as client
> 0x0005
>
> Nov 18 04:40:36 debian01 guacd[10581]: RDPDR user logged on
>
> Nov 18 04:42:40 debian01 guacd[10581]: RDP server closed connection:
> Manually logged off.
>
> Nov 18 04:42:40 debian01 guacd[10581]: Internal RDP client disconnected
>
> Nov 18 04:42:40 debian01 guacd[10581]: User
> "@9c803274-f7b2-41e0-84dd-c9e51724ba71" disconnected (0 users remain)
>
> Nov 18 04:42:40 debian01 guacd[10581]: Last user of connection
> "$e439449b-5065-4164-a2ee-ae66c63c7002" disconnected
>
> Nov 18 04:42:40 debian01 guacd[4189]: Connection
> "$e439449b-5065-4164-a2ee-ae66c63c7002" removed.
>
>

Re: RDP disconnects when a second user starts a different RDP session in a network device

2021-09-24 Thread Hankins, Jonathan
Try disabling glyph caching (I also have disabled bitmap and off-screen
caching on my connections.)

See: https://github.com/FreeRDP/FreeRDP/issues/6258

It looks like in Guacamole 1.4.0 they are disabling the caching.

https://issues.apache.org/jira/browse/GUACAMOLE-1191

-Jonathan Hankins


On Thu, Sep 23, 2021 at 5:11 AM Jose Moreno Delgado 
wrote:

> This error appears as well:
>
> guacd[76730]: ERROR:Connection closed.
> guacd[76730]: INFO: Internal RDP client disconnected
> guacd[76730]: INFO: User "@c30491ee-9957-46e4-9eb3-4b7778271b04"
> disconnected (0 users remain)
> guacd[76730]: INFO: Last user of connection
> "$18e70f32-9815-4804-a651-330ddbaf4250" disconnected
> guacd[6]: INFO: Connection "$18e70f32-9815-4804-a651-330ddbaf4250" removed.
> guacd[76918]: ERROR:User is not responding.
> guacd[76918]: INFO: User "@00d1360e-2a61-4a4b-a22f-c397ab247c5b"
> disconnected (0 users remain)
> guacd[76918]: INFO: Last user of connection
> "$8b84d2fd-b9c0-48ae-96fd-02a69295c9ef" disconnected
> guacd[77073]: ERROR:User is not responding.
> guacd[77073]: INFO: User "@089ef6d6-7c51-43d0-99af-1024b776a9c1"
> disconnected (0 users remain)
> guacd[77073]: INFO: Last user of connection
> "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" disconnected
> guacd[77073]: INFO: Internal RDP client disconnected
> guacd[6]: INFO: Connection "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" removed.
> guacd[76918]: INFO: Internal RDP client disconnected
> guacd[6]: INFO: Connection "$8b84d2fd-b9c0-48ae-96fd-02a69295c9ef" removed.
>
> --
> *From:* Jose Moreno Delgado
> *Sent:* Thursday, September 23, 2021 12:03
> *To:* user@guacamole.apache.org
> *Subject:* RE: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> Hi,
>
> Just error appeared right now, this is the log where the error appears:
>
> guacd[6]: INFO: Creating new client for protocol "rdp"
> guacd[6]: INFO: Connection ID is "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c"
> guacd[77025]: INFO: Security mode: Negotiate (ANY)
> guacd[77025]: INFO: Resize method: none
> guacd[77025]: INFO: User "@9cf4b6f7-8255-445f-a23c-d1abe6e33f88"
> joined connection "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" (1 users now
> present)
> guacd[77025]: INFO: Loading keymap "base"
> guacd[77025]: INFO: Loading keymap "es-es-qwerty"
> guacd[77025]: INFO: Connected to RDPDR 1.10 as client 0x9645
> guacd[77025]: INFO: RDPDR user logged on
> guacd[77025]: ERROR:Connection closed.
> guacd[77025]: INFO: Internal RDP client disconnected
> guacd[77025]: INFO: User "@9cf4b6f7-8255-445f-a23c-d1abe6e33f88"
> disconnected (0 users remain)
> guacd[77025]: INFO: Last user of connection
> "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" disconnected
> guacd[6]: INFO: Connection "$9a07f3ca-25c5-48ea-b057-499f6c48cb1c" removed.
> guacd[6]: INFO: Creating new client for protocol "rdp"
> guacd[6]: INFO: Connection ID is "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502"
> guacd[77073]: INFO: Security mode: Negotiate (ANY)
> guacd[77073]: INFO: Resize method: none
> guacd[77073]: INFO: User "@089ef6d6-7c51-43d0-99af-1024b776a9c1"
> joined connection "$8eca4cc8-e2e5-4217-ac4c-c9bdfd569502" (1 users now
> present)
> guacd[77073]: INFO: Loading keymap "base"
> guacd[77073]: INFO: Loading keymap "es-es-qwerty"
> guacd[77073]: INFO: Connected to RDPDR 1.10 as client 0x727a
> guacd[77073]: INFO: Connected to RDPDR 1.10 as client 0x527a
> guacd[77073]: INFO: RDPDR user logged on
>
> Is there something to check?
>
> --
> *From:* Jose Moreno Delgado
> *Sent:* Thursday, September 23, 2021 9:25
> *To:* user@guacamole.apache.org
> *Subject:* RE: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> Let us check, because we noticed that we had caching enabled (bitmap,
> off-screen, glyph), we're connecting mainly to windows server 2003, 2008
> and 2012 machines because of the systems embedded and it looks like this is
> more stable, we will check logs and if problem persists we will share
> logging information to drill down in the problem.
>
> --
> *From:* Mike Jumper
> *Sent:* Tuesday, September 21, 2021 16:50
> *To:* user@guacamole.apache.org
> *Subject:* Re: RDP disconnects when a second user starts a different RDP
> session in a network device
>
> On Tue, Sep 21, 2021 at 4:58 AM Jose Moreno Delgado 
> wrote:
>
> Hi, we have a stable Guacamole solution running properly, but we have
> noticed that when a user is connected to a device through RDP and a second
> user runs a new RDP session (same or another device) drops and reconnect
> message appears in the screen of previously connected users. They are able
> to reconnect properly, but this is disturbing them because they lose their
> work. We have experienced this behavior using Guacamole 1.2.0 as native in
> a 

Re: RDP disconnects when a second user starts a different RDP session in a network device

2021-09-21 Thread Hankins, Jonathan
Assuming that the users are connecting to a Windows device since it's via
RDP. Is it possible that 1) user A and user B are both connecting to the
same Windows device and 2) either they're connecting to the "console"
session and/or 3) the Windows device doesn't have terminal services and
just allows a single (limited) number of remote desktop connections, and
user B is inadvertently forcibly logging user A off? I ask since you say
that they're losing work, but a RDP disconnect / reconnect shouldn't log
off the session on the Windows device, just disconnect it. There are also
registry settings / Terminal Services configs / group policies to force a
session to log off if it's disconnected.

Maybe you can describe your environment a bit more?

If you're indeed connecting to a Windows terminal server, and if you have
access to Windows workstations that can connect to your RDP sessions, try
to replicate the setup with mstsc (Remote Desktop Connection) and see if
the same disconnect / log off issue happens.


On Tue, Sep 21, 2021 at 9:51 AM Mike Jumper 
wrote:

> On Tue, Sep 21, 2021 at 4:58 AM Jose Moreno Delgado 
> wrote:
>
>> Hi, we have a stable Guacamole solution running properly, but we have
>> noticed that when a user is connected to a device through RDP and a second
>> user runs a new RDP session (same or another device) drops and reconnect
>> message appears in the screen of previously connected users. They are able
>> to reconnect properly, but this is disturbing them because they lose their
>> work. We have experienced this behavior using Guacamole 1.2.0 as native in
>> a CentOS 7 machine and when using Guacamole 1.3.0 on docker system running
>> in a Linux Ubuntu 20.0.4, can you tell us if this is a normal behavior? We
>> don't have network problems (we have tested switches and cables/ports) and
>> when using ssh tunnels to connect to same machines in alternate scenario
>> this problem is not present. BR.
>>
>
> No, you should not experience any drops whatsoever. The system is
> specifically designed and intended to provide access to a variety of
> connections for multiple users concurrently, with no assumptions regarding
> whether the connections made available to each user are logically different.
>
> Is there anything on the network between your users and Guacamole that
> might be interfering with connections? Do you see any warnings or errors in
> the logs when you see unexpected behavior?
>
> Michael Jumper
> CEO, Lead Developer
> Glyptodon Inc.
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548

-- 
This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message and its 
attachments are prohibited. Please notify the sender of this error 
immediately by reply e-mail, and permanently delete this message and its 
attachments in any form in which they may have been preserved.


Re: How to return parts of a screen rather than the whole screen

2021-05-04 Thread Hankins, Jonathan
If you can use VNC instead of RDP, you may be able to figure something out:
https://www.tightvnc.com/whatsnew.php. I haven't looked at any of this, and
don't know if it would even work with the VNC client in Guacamole.

TightVNC 2.8.1 (limited release)

   - Server for Windows: Added an option to specify a list of rectangles to
   be treated as video and sent to viewers with minimal delays. Rectangles
   are specified by their screen coordinates in the Video tab in the TightVNC
   Server's Configuration window. Normally, this option is not very useful,
   it's rather for using TightVNC in specialized environments.

TightVNC 2.5.0

   - Server for Windows: New command-line options to share full desktop,
   primary monitor, selected monitor, a window, or an arbitrary rectangular
   area.


On Tue, May 4, 2021 at 8:35 AM Neil Canham 
wrote:

> Thanks - what you say makes a great deal of sense. If I had total control
> of all elements of the system I'd do it like that. Unfortunately I may be
> stuck connecting over RDP to a single high resolution desktop that needs to
> be split to 4 browser clients, that much is out of my control. So I guess I
> am stuck with all updates going to all browser clients.
>
> Thanks for your patience!
> Neil
>
> On Tue, 4 May 2021 at 15:15, Craig Sawyer  wrote:
>
>> Neil, this is all correct as I understand it.  Only changes are sent,
>> but if you only care about the changes in 1 corner, you will get it
>> all anyway.
>>
>> The right way to solve this is to just use 4 different displays.  I.e.
>> You have 4 separate desktops showing whatever you care about, and then
>> the 4 clients you are showing this stuff to, will have 4 unique
>> connections, 1 to each of the 4 separate desktop connections in
>> Guacamole.
>>
>> You are trying to break how guacamole was designed to work, when the
>> "guac" solution is right in front of you, have 4 distinct connections,
>> to 4 distinct desktops, 1 per "quadrant" as you are saying.  This way
>> you aren't trying to break how guac works, for no good reason.  Just
>> have 1 app on 1 desktop display whatever is on quadrant 1,  which
>> would be 1 desktop connection in guac and so on.
>>
>> IF you have some requirement, where you have some physical display
>> that needs to see all 4 on the same physical screen, that too is
>> easily accomplished with 4 browser windows, 1 per guac connection.  It
>> will be basically just as efficient as what you are describing, but
>> with no actual code or work on your part.
>>
>> You don't need to invent anything new here, no new code or feature is
>> required.
>>
>>
>> On Tue, May 4, 2021 at 1:25 AM Neil Canham
>>  wrote:
>> >
>> > But those changes may be occurring in quadrants of the display that a
>> particular client has no interest in as they are not displaying them. I'm
>> really not trying to be deliberately difficult, but I'm clearly missing
>> something. Imagine clients 1-4 displaying quarters of the whole desktop.
>> Now imagine that the desktop has some realtime graphical display of
>> changing data so changes may be happening in all four quadrants
>> simultaneously. Client 1 will get the changing data for all  quadrants,
>> despite only needing the changing data for their quadrant. Or maybe changes
>> are happening only in quadrant 2 but those changes get sent to client 1
>> even though it doesn't need them -  unless there is a way that the client
>> is indicating to the server which area it is displaying.  It seems I must
>> have got this totally wrong somehow but I'm not sure how?
>> >
>> > On Mon, 3 May 2021 at 21:17, Mike Jumper 
>> wrote:
>> >>
>> >> On Sun, May 2, 2021 at 11:09 PM Neil Canham <
>> neil.can...@vcommsolutions.com> wrote:
>> >>>
>> >>> Hi Mike
>> >>> Thanks for clarifying how Guacamole is working. Am I right in
>> thinking though that if there were changes occurring in all four quadrants
>> of the original desktop, without some kind of server-side mechanism to
>> select only a given quadrant per client, lots of unnecessary data would be
>> delivered to all clients? That is what I'd like to avoid.
>> >>
>> >>
>> >> No. Only the changed portions of the screen will be sent.
>> >>
>> >> Michael Jumper
>> >> CEO, Lead Developer
>> >> Glyptodon Inc.
>> >>
>>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Occasional RDP disconnection

2021-03-02 Thread Hankins, Jonathan
Not sure of OP's Guacamole and freerdp versions, but I have Guacamole 1.2.0
built (on Debian) against FreeRDP 2.0.0 and working correctly. At some
point, Debian upgraded freerdp2 to a git snapshot, and when I built Guacamole
1.3.0 against that, I have the frequent RDP disconnects. I also tried a
backport of FreeRDP 2.2.0 but have the same problem. See:
https://github.com/FreeRDP/FreeRDP/issues/6258

I don't always see the error, and sometimes I see it frequently,
immediately after connect, etc.
If I check "Disable bitmap caching", "Disable off-screen caching" and
"Disable glyph caching", it fixes it. I am not sure which
option/combination fixes it -- just disabling glyph caching as mentioned in
the FreeRDP issue I linked did NOT fix it for me.

-Jonathan Hankins

On Tue, Mar 2, 2021 at 1:00 PM Mike Jumper 
wrote:

> On Mon, Mar 1, 2021 at 7:56 PM alipawsey  wrote:
>
>> ...
>> Any idea what does ::1 mean?
>>
>
> That is the IPv6 address for localhost. In this context, it probably means
> that Guacamole is behind a reverse proxy on the same machine and that
> Tomcat and/or the reverse proxy are not configured to pass through the IP
> address of the client machine on the public side of the proxy:
>
>
> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
>
> If the reverse proxy is configured to pass through the client IP address
> with the "X-Forwarded-For" header (and Tomcat is configured to trust that
> header from your proxy using Tomcat's "RemoteIpValve"), then the address
> shown for future connection attempts will be the client's IP address rather
> than the address of the proxy.
>
> Michael Jumper
> CEO, Lead Developer
> Glyptodon Inc.
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548
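
The reverse-proxy point in the quoted reply above, as an added example (not Guacamole's or Tomcat's code): a simplified Python model of how a server behind a proxy picks the address to log from "X-Forwarded-For", trusting the header only when the connection itself comes from a known proxy. The trusted networks, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the reverse proxy runs on the same host as Tomcat, so the only
# peers allowed to supply X-Forwarded-For are the loopback addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def _parse(addr):
    """Return an ip_address object, or None if the text is not an IP address."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Pick the address to record for a request.

    peer_addr:        address of the TCP peer (what the server sees directly)
    x_forwarded_for:  raw header value, or None if the proxy did not send one
    """
    # No header, or the header arrived from a peer that is not our proxy:
    # record the peer itself. With a local proxy that passes nothing through,
    # this is why every connection shows up as ::1 or 127.0.0.1.
    if not x_forwarded_for or not _is_trusted(peer_addr, trusted):
        return peer_addr

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]

    # Walk from the right: the rightmost entries were appended by our own
    # proxies; anything further left was supplied by the client and is not
    # trustworthy as an identity.
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        if _parse(hop) is None:
            return peer_addr  # malformed entry: fall back to the peer
        return hop

    return peer_addr  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed sample requests: (peer address, header value)
    samples = [
        ("::1", None),                             # proxy passes nothing through
        ("::1", "203.0.113.7"),                    # proxy passes the client address
        ("198.51.100.20", "10.0.0.1"),             # direct connection carrying a header
        ("127.0.0.1", "192.0.2.99, 203.0.113.7"),  # client-supplied entry on the left
    ]
    for peer, header in samples:
        print(peer, repr(header), "->", resolve_client_ip(peer, header))
```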



Re: How to enter Ctrl+W into vi without having your window closed?

2020-12-30 Thread Hankins, Jonathan
By default, <leader> is backslash "\". You can use:

:nnoremap <leader>w <C-w>

This lets you use <leader>w wherever you would use C-w, which in the
default case would be \w (backslash-w)

I found this at:

https://vi.stackexchange.com/questions/3728/how-can-i-work-with-splits-in-vim-without-ctrl-w

and:

https://vi.stackexchange.com/questions/281/how-can-i-find-out-what-leader-is-set-to-and-is-it-possible-to-remap-leader

-Jonathan Hankins

On Wed, Dec 30, 2020 at 1:08 PM gk_2020  wrote:

> I have managed to solve the problem. Sharing here in case someone else
> finds
> it useful
>
> We cannot get Ctrl-W to vim, as it will be stopped by browser.
>
> Send something else not caught by browser. For this purpose, I used
> Ctrl-j.
>
> On vim, I used commands like
> :map  w
> :map  gf
>
> each mapping provides me an alternative way of getting the same thing done.
> Now my ~/.vimrc is having these mappings and I don't have to worry about
> setting these mappings anymore
>
> In addition I made a new chrome profile just for going to Guacamole, and in
> that profile I use AutoControl to capture and ignore Ctrl-W, so that even
> if
> I type it by mistake there is no problem
>

-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Chrome problems

2020-11-16 Thread Hankins, Jonathan
Sorry for replying to an old thread, but I finally resolved the issue I was
having and thought it might help someone if they ever run into it.

Ahead of trying to get 1.2.0 going on my test server (debian) I wiped out
my tomcat8 configuration and started over with the default tomcat9
configuration from debian "buster". I modified the server.xml file per the
Guacamole manual and had a working Guacamole on port 8080. I further
followed the instructions for using nginx as a reverse proxy with
websockets and was able to get everything going. I still am not sure what I
did wrong originally, but I believe it was in the  definition in
my tomcat8 server.xml file.

Thanks,

-Jonathan Hankins



On Thu, Apr 4, 2019 at 6:51 PM Hankins, Jonathan <
jhank...@homewood.k12.al.us> wrote:

> See log below -- from Chrome 73 error console upon reloading a session
> that started to connect then threw the connection error being discussed.
> This is on 1.0.0 with websockets.
> On 1.0.0 with Slimjet (Chrome 72) I only see the "angular.js:12845 GET
> https://guac-test.homewood.k12.al.us:8443/CLIENT.URL_OSK_LAYOUT 404"
> error from below in the console when I reload, and it reconnects correctly.
> This is only happening for me in Chrome 73.
>
> For comparison, if I disconnect a session from the server side (RDP) on
> 0.9.14, leaving it as the "disconnected" prompt, then reload it in browser
> to reconnect, I do not see these errors, and the session reconnects.
>
> FWIW, when you first login to Guacamole and launch a session (my sessions
> are RDP) it connects to the RDP server and the windows desktop starts to
> render then it blows out to the connection error, sometimes in the middle
> of drawing the screen. If you hit reload in the browser over and over
> again, it usually just shows the connection error again but every once in a
> while you will see the windows cursor paint or a partial screen draw, then
> back to the error.
>
> -Jonathan Hankins
>

Re: AD/LDAP Old/Disabled Users Still Listed?

2019-06-14 Thread Hankins, Jonathan
Yes, but my point was that when guacamole reads the username from the login
form and does the LDAP query against AD, the matching is done case
sensitively, and will fail if your AD sAMAccountName or cn is in mixed case.

For example: AD user JoeUser can login to their Windows workstation as
"joeuser", but must login to guacamole as "JoeUser" (and also must be in
the Guacamole DB as "JoeUser") when authenticating against LDAP, IIRC.

Just something I ran into in my environment.

-Jonathan Hankins


On Fri, Jun 14, 2019 at 3:43 PM sciUser 
wrote:

> Windows usernames by default are not case sensitive, Active directory is
> case
> aware, unless you enable it to be case sensitive.
>
> Thank You
>
>

-- 

Jonathan Hankins
Homewood City Schools

jhank...@homewood.k12.al.us




Re: AD/LDAP Old/Disabled Users Still Listed?

2019-06-14 Thread Hankins, Jonathan
Since I see that the OP is authenticating against AD via LDAP, I just want
to throw this out there: AD stores the cn or sAMAccountName attribute
case-sensitively. Guacamole doesn't do a case-insensitive match (whereas
Windows login does), so I had to make sure that my sAMAccountName / cn
attributes were all lower case (which is what my users are expecting to
type in the Guacamole login box) for authentication to work. Mass-changing
sAMAccountName to lowercase is non-trivial, since many tools to do so work
case-insensitively. I can look up how I managed to script it if anyone gets
stuck like I did.

-Jonathan Hankins

On Fri, Jun 14, 2019 at 10:31 AM Mike Jumper  wrote:

> On Fri, Jun 14, 2019, 07:06 Zer0Cool  wrote:
>
>> Pardon my ignorance, but let me make sure I follow.
>>
>> So you are saying that the ldap filter (and thus results) are likely
>> up-to-date but that the database side of the account does not get
>> deleted/removed from the database when there is no longer a matching LDAP
>> account to go with it?
>>
>
> Nor would a database account be automatically created for LDAP. The two
> are independent. Guacamole unifies things for accounts having the same
> username, and that common username is the sole association between them.
>
>  So I would assume that while the account still exists in the database,
>> authentication of the account would fail as the underlying AD/LDAP account
>> is no longer active/pulled in by the filter?
>>
>
> If you set a password for the database account, authentication using the
> database-specific password will succeed.
>
>
>> I presume that means it would be a manual task to go in and delete
>> disabled
>> AD accounts from the database within Guacamole?
>>
>
> Yes.
>
>
>> For what it's worth, this makes sense to me as you wouldn't want the
>> database
>> to delete users/settings in the event it cannot connect to AD temporarily
>> for example.
>>
>
> Indeed.
>
> Also, the two systems really are not interconnected in that way. Except
> for having the same username, there is no direct association between
> accounts in the database and within LDAP.
>
> Both the database and LDAP expose separate and independent sets of data,
> while the web interface unifies that data for presentation to user. With
> the exception of one (the database) trusting the authentication result of
> the other (LDAP), the two function completely independently.
>
> - Mike
>
>

-- 

Jonathan Hankins
Homewood City Schools

jhank...@homewood.k12.al.us
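
An added audit sketch for the two AD/LDAP messages above (not part of Guacamole or of the original posts): given the usernames the LDAP filter currently returns and the accounts in the Guacamole database, it reports case-only mismatches and database accounts left behind once the LDAP account is gone, separating those that still carry a database password. The function name, input shapes and sample accounts are assumptions constructed for illustration.

```python
def audit_accounts(ldap_active, db_users):
    """Compare LDAP usernames with Guacamole database accounts.

    ldap_active: usernames (sAMAccountName or cn) returned by the LDAP filter.
    db_users:    {username: has_local_password} exported from the database.

    The comparison is exact first, because the thread describes the username
    as the sole association between the two systems and reports that the
    match is case-sensitive.
    """
    ldap_exact = set(ldap_active)
    ldap_folded = {name.casefold(): name for name in ldap_active}

    report = {
        # Database name and LDAP name differ only by case: the two records
        # will not be unified under the behaviour described in the thread.
        "case_mismatch": [],
        # No LDAP account at all, but a database password is set: the account
        # can still authenticate with that database-specific password.
        "orphaned_with_password": [],
        # No LDAP account and no database password: stale data that has to be
        # removed by hand, since nothing deletes it automatically.
        "orphaned_no_password": [],
        # LDAP names that are not all lower case: users who type their name
        # in lower case will not match these exactly.
        "ldap_not_lowercase": sorted(n for n in ldap_active if n != n.lower()),
    }

    for db_name in sorted(db_users):
        if db_name in ldap_exact:
            continue  # exact match: LDAP and database records line up
        ldap_name = ldap_folded.get(db_name.casefold())
        if ldap_name is not None:
            report["case_mismatch"].append((db_name, ldap_name))
        elif db_users[db_name]:
            report["orphaned_with_password"].append(db_name)
        else:
            report["orphaned_no_password"].append(db_name)
    return report


# Constructed sample data, not taken from any real directory.
SAMPLE_LDAP = ["JoeUser", "asmith", "bjones"]
SAMPLE_DB = {
    "joeuser": False,  # created in lower case, LDAP has mixed case
    "asmith": False,   # matches LDAP exactly
    "olduser": True,   # LDAP account disabled, database password still set
    "intern1": False,  # LDAP account disabled, no database password
}

if __name__ == "__main__":
    for finding, names in audit_accounts(SAMPLE_LDAP, SAMPLE_DB).items():
        print(f"{finding}: {names}")
```

Accounts listed under orphaned_with_password are the ones to review first, since the thread notes that a database-specific password keeps working regardless of the LDAP account's state.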




Re: Chrome problems

2019-04-04 Thread Hankins, Jonathan
See log below -- from Chrome 73 error console upon reloading a session that
started to connect then threw the connection error being discussed. This is
on 1.0.0 with websockets.
On 1.0.0 with Slimjet (Chrome 72) I only see the "angular.js:12845 GET
https://guac-test.homewood.k12.al.us:8443/CLIENT.URL_OSK_LAYOUT 404" error
from below in the console when I reload, and it reconnects correctly. This
is only happening for me in Chrome 73.

For comparison, if I disconnect a session from the server side (RDP) on
0.9.14, leaving it as the "disconnected" prompt, then reload it in browser
to reconnect, I do not see these errors, and the session reconnects.

FWIW, when you first login to Guacamole and launch a session (my sessions
are RDP) it connects to the RDP server and the windows desktop starts to
render then it blows out to the connection error, sometimes in the middle
of drawing the screen. If you hit reload in the browser over and over
again, it usually just shows the connection error again but every once in a
while you will see the windows cursor paint or a partial screen draw, then
back to the error.

-Jonathan Hankins


Re: Chrome problems

2019-04-04 Thread Hankins, Jonathan
This has started happening for me recently after a Chrome upgrade. I am
seeing this on 1.0.0, with websockets configured. *NOT* seeing it on 0.9.14
without websockets. Has been working fine on 1.0.0 w/ websockets previously.

Experiencing error with these browser versions:

(Linux)

Google Chrome Version 73.0.3683.86 (Official Build) (64-bit)

Brave Version 0.61.52 Chromium: 73.0.3683.86 (Official Build) (64-bit)

Chromium Version 73.0.3683.75 (Official Build) Built on Ubuntu , running on
LinuxMint 19.1 (64-bit)

(Windows)

Chrome 73 (not in front of it at the moment)

Working *correctly* in:

(Firefox, Edge)

Slimjet Version 22.0.4.0 (based on Chromium 72.0.3626.121) (Official Build)
(64-bit)

-Jonathan Hankins

On Mon, Apr 1, 2019 at 1:19 PM Nick Couchman  wrote:

> On Mon, Apr 1, 2019 at 1:33 PM elvelux  wrote:
>
>> I have recently discovered that the error only occurs connecting by
>> https, no
>> by http.
>>
>>
> I use Guacamole 1.0.0 with Chrome and HTTPS routinely with no issues.
>
> -Nick
>


-- 

Jonathan Hankins
Homewood City Schools

jhank...@homewood.k12.al.us




Re: Bizarre RDP issues with 0.9.14 / Win7

2018-10-26 Thread Hankins, Jonathan
If you disable hardware acceleration in chrome, does it work correctly?

-Jonathan Hankins

On Tue, Oct 16, 2018, 9:25 AM surgo  wrote:

> Sorry for the delayed response, I didn't get your mail immediately for
> whatever reason!
>
> > Are there any errors visible in the browser's console after the session
> > stops rendering?
>
> There are not. The response data (for the tunnel?read url) appears to be
> empty.
>
> > Do you see the same behavior if an iframe is not involved?
>
> Hadn't thought to try this one. Same issue though.
>
