RE: [EXT] Re: server fails to compile

[Khoe, Yonathan]

Hi Nick,
When will we be seeing the 1.6.0 release?  I am also experiencing this compile 
error that I rather not circumvent (per Vincent Sherwood’s method) if it would 
lead to further complication later down the line.

Thanks,
Yonathan Khoe

From: Nick Couchman 
Sent: Friday, January 26, 2024 7:02 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: server fails to compile

On Fri, Jan 26, 2024 at 6:40 PM Jim Ham 
mailto:jim...@porcine.com>> wrote:
Guacamole 1.5.4, from the tar on the website. I did the ./configure and
then ./make. Many files compile just fine, but the task ends with the
following error:


CC   guacenc-video.o
video.c: In function ‘guacenc_video_alloc’:
video.c:64:22: error: assignment discards ‘const’ qualifier from pointer
target type [-Werror=discarded-qualifiers]
64 | container_format = container_format_context->oformat;
   |  ^
video.c:67:22: error: initialization discards ‘const’ qualifier from
pointer target type [-Werror=discarded-qualifiers]
67 | AVCodec* codec = avcodec_find_encoder_by_name(codec_name);
   |  ^~~~
cc1: all warnings being treated as errors

<\code>

I'm compiling on a Raspberry Pi 4. GCC gives me the following version:

gcc (Raspbian 12.2.0-14+rpi1) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.

Any suggestions?

This has already been fixed in the Git code in the master branch, targeted for 
version 1.6.0:

https://issues.apache.org/jira/browse/GUACAMOLE-1714

You can back-port the patch to your source tree code if you'd like to fix it 
immediately:

https://patch-diff.githubusercontent.com/raw/apache/guacamole-server/pull/399.patch

-Nick

Re: [EXT] Re: Query for Commercial Support

[Khoe, Yonathan]

Hello, Michael,
One of the companies listed (Arcisphere LLC) does not appear to be in service 
any longer.  This is based on trying to reach them via the phone number which 
is no longer in service.  As far as Keeper Security, do they offer support for 
on-premise open source installation of Guacamole?  Or only for KCM?  I believe 
KS is who you are currently work for, is that correct?  I would like to be able 
to speak to you directly about our on-prem installation issues and goals we are 
trying to achieve.


With regards,
Yonathan Khoe

From: Michael Jumper 
Sent: Tuesday, August 8, 2023 11:03 AM
To: user@guacamole.apache.org 
Subject: [EXT] Re: Query for Commercial Support

On 8/8/2023 3:19 AM, Abhishek Gaur wrote:
> Hi Team,
>
> We are looking for commercial usage of Apache Guacamole for our
> organization however we would need some service provider to support in
> implementation and operations. Can you suggest with any of your partners
> in India for the same?
>

The Apache Guacamole project is vendor-neutral and does not partner with
nor endorse any organizations. We simply provide a list of commercial
providers that have asked to be listed:

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fguacamole.apache.org%2Fsupport%2F%23commercial-support=05%7C01%7CYonathan.Khoe%40unt.edu%7Cc8bbf2616cce429185f608db9828fe86%7C70de199207c6480fa318a1afcba03983%7C0%7C0%7C638271074064349908%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=NUBQviWVlf7cKHwpy6fMS0sxZSRmLNNdOOyZ63bcybU%3D=0

There is no vetting or partnership process for the above list. To be on
the list, a company just needs to:

1) Ask to be listed.
2) Appear to exist.
3) List services for Guacamole on their website.
4) Provide a neutral blurb and logo to be included in their listing.

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Guacamole (Maybe Tomcat in General?) Web Performance Become Sluggish Over Time

[Khoe, Yonathan]

Hello,
This is something that I've noticed through various installation of Guacamole 
on different hardware spec servers.  At the start of the Tomcat.service 
running, browsing around is snappy, but eventually clicking on different 
elements on the web interface (ex.: visiting the Settings page or clicking on 
the connection to start a remote session) takes an awfully long time.  I do 
notice that some time, the animated gears do appear to indicate that the web 
page is loading content; while any other time, there is no indicator at all to 
let the user know what the web interface item that they clicked on is suppose 
to lead them somewhere (the web browser didn't have a spinning loading 
indicator, etc.).  Users are expected to sit there until there is a response 
that lead them to the next interface/page.

In terms of # user accounts, we do have about 40k users that is stored in the 
database.  I'm seeing this as the only reason why Tomcat could be slow or 
noninteractive to respond.  Is that a valid theory?  Is there any way to 
improve the browsing experience while going through the web pages in general?  
Some kind of best practice performance tuning?

Thanks

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

Re: [EXT] Re: "libvncserver appears to be built against libgcrypt"

[Khoe, Yonathan]

Thank you for the guidance.

With regards,
Yonathan Khoe

From: Nick Couchman 
Sent: Thursday, June 23, 2022 8:12 PM
To: user@guacamole.apache.org 
Subject: [EXT] Re: "libvncserver appears to be built against libgcrypt"

On Thu, Jun 23, 2022 at 5:43 PM Khoe, Yonathan 
mailto:yonathan.k...@unt.edu>> wrote:

I had brought up last week about my Guacamole instance not able to VNC to our 
endpoints.  I noticed some additional things coming together.  I tried building 
a new guacamole-server from source and noticed that libgcrypt and libvncserver 
not playing well with each other, thus making the VNC protocol dead post 
compile.  I have ensure that I installed libvncserver-devel on my RHEL8.6 
server.  Here are my build logs and installed packages.


https://pastebin.com/Z0Av8j5j<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2FZ0Av8j5j=05%7C01%7CYonathan.Khoe%40unt.edu%7Cef0f55fe6a52400f131a08da557e9c04%7C70de199207c6480fa318a1afcba03983%7C0%7C0%7C637916299531544981%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=dUnA4tDN2s6SdOPgfjzJtOKlAaGA%2BBKFpqNvGY6dYZU%3D=0>

https://pastebin.com/fLgdieFg<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2FfLgdieFg=05%7C01%7CYonathan.Khoe%40unt.edu%7Cef0f55fe6a52400f131a08da557e9c04%7C70de199207c6480fa318a1afcba03983%7C0%7C0%7C637916299531544981%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=xDP3z98pTaH5kzw7%2F9JzZteB9MX%2FQrWpNjYH%2BKewdPI%3D=0>

I'm not sure what you mean  by "not playing well with each other" - from your 
pastebin for the build, I see:


  1.
checking whether LIBVNCSERVER_WITH_CLIENT_GCRYPT is declared... yes
  2.
checking gcrypt.h usability... no
  3.
checking gcrypt.h presence... no
  4.
checking for gcrypt.h... no
  5.
configure: WARNING:
  6.

  7.
libvncserver appears to be built against
  8.
libgcrypt, but the libgcrypt headers
  9.
could not be found. VNC will be disabled.
  10.



This doesn't mean they aren't playing well together, it just means that 
libvncserver is built against gcrypt, and you're missing the gcrypt development 
files, which guacamole-server requires to correctly build against libvncserver. 
This should be as simple a fix as:

dnf install -y libgcrypt-devel

-Nick

"libvncserver appears to be built against libgcrypt"

[Khoe, Yonathan]

I had brought up last week about my Guacamole instance not able to VNC to our 
endpoints.  I noticed some additional things coming together.  I tried building 
a new guacamole-server from source and noticed that libgcrypt and libvncserver 
not playing well with each other, thus making the VNC protocol dead post 
compile.  I have ensure that I installed libvncserver-devel on my RHEL8.6 
server.  Here are my build logs and installed packages.

https://pastebin.com/Z0Av8j5j
https://pastebin.com/fLgdieFg

Thanks,
Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

RE: [EXT] Re: GuacD server never initiate a connection to the endpoint

[Khoe, Yonathan]

First of all, thank you highly for responding so promptly.  After sending that 
email, I figured out how the guacd log_level to be more verbose to get better 
clarity on what’s happening; it is not detecting the VNC library installed 
(though I’ve installed libvncserver).

I installed the libguac-client-vnc from the RHEL repo that seems to fix it.  
This had never been something I’ve had to include externally before as it 
wasn’t indicated in the 
documentation<https://guacamole.apache.org/doc/gug/installing-guacamole.html> 
page.  Perhaps the libguac created through the build 
process<https://guacamole.apache.org/doc/gug/installing-guacamole.html#the-build-process>
 broke during the ‘make’ compile…

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu<mailto:yonat...@unt.edu>
https://itservices.cvad.unt.edu/

From: Nick Couchman 
Sent: Thursday, June 16, 2022 7:36 PM
To: user@guacamole.apache.org
Cc: Copeland, Blair ; Baggett, Michael 

Subject: [EXT] Re: GuacD server never initiate a connection to the endpoint

On Thu, Jun 16, 2022 at 8:27 PM Khoe, Yonathan 
mailto:yonathan.k...@unt.edu>> wrote:
In my setup, the guacamole web client communicates to the guacd server via 
WebSocket, but the VNC traffic to the endpoint machine never appears in TCPDump 
on the guacd server.

Can you start guacd in debug mode, and post the logs?

/path/to/sbin/guacd -L debug -f

-Nick

RE: [EXT] Re: "Unable to add user" error in guacd process

[Khoe, Yonathan]

Hi, Nick,
Which logs would you like in this case? /var/log/messages?
https://pastebin.com/zgdAgD6s

And this is the catalina.out
https://pastebin.com/KuuLWe3x

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu<mailto:yonat...@unt.edu>
https://itservices.cvad.unt.edu/

From: Nick Couchman 
Sent: Thursday, June 16, 2022 10:51 AM
To: user@guacamole.apache.org
Subject: [EXT] Re: "Unable to add user" error in guacd process

On Thu, Jun 16, 2022 at 10:15 AM Khoe, Yonathan 
mailto:yonathan.k...@unt.edu>> wrote:
Hello Mike Jumper and others,
Does anybody know why this would pop up?  I’m trying to troubleshoot an issue 
we’re having with not being able to connect to VNC from the guacamole web 
interface.  Not certain that this is the culprit, but I wan to try to eliminate 
it anyways.

Our Guacamole stack is already using guac-auth-LDAP as a directory service 
method, so if this error pertains to the user-mapping.xml default 
authentication method, I don’t touch that anymore as part of my (re)build.

[cid:image001.png@01D8819D.FCAF5FF0]



You'll need to provide more detailed logs - this isn't enough information to go 
on.

-Nick

"Unable to add user" error in guacd process

[Khoe, Yonathan]

Hello Mike Jumper and others,
Does anybody know why this would pop up?  I'm trying to troubleshoot an issue 
we're having with not being able to connect to VNC from the guacamole web 
interface.  Not certain that this is the culprit, but I wan to try to eliminate 
it anyways.

Our Guacamole stack is already using guac-auth-LDAP as a directory service 
method, so if this error pertains to the user-mapping.xml default 
authentication method, I don't touch that anymore as part of my (re)build.

[cid:image001.png@01D88161.8C5F5B60]


Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

Understanding Sharing Profile for Non-Admins

[Khoe, Yonathan]

Hello,
We set up sharing profiles for all of our connections under an admin account.  
We want the ability for our students to be able to generate a share link to 
their connection viewing (to their professor) when they are remoted to a 
machine.  We thought that this was the idea when we create the sharing profiles 
individually and giving them a read-only option and name, but it turns out that 
our students cannot see the "Share" button when opening the Guacamole menu 
(ctrl+alt+shift).  The student accounts themselves do not have any permissions; 
the user groups that the students belong to also do not have permissions set 
(we only use it to assign the connection groups).  Are we missing something in 
terms of letting non-admins to be able to generate a share link to be given to 
other people?

Thanks in advanced.

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

RE: [EXT] Re: 1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?

[Khoe, Yonathan]

The scenario you’re getting is pretty close! Yes, “internal accounts” as in the 
ones stored on the JDBC (ex. guacadmin).  We don’t use TOTP or any MFA for this 
one, we just want it to go straight in.  Secondly, we want to use LDAP with the 
Duo MFA as extra auth method.  So essentially:
If (Account found in JDBC) then
 Validate authentication
End if

If (account found in LDAP) then
 Validate authentication
 Validate Duo MFA
End if

I tried setting ‘extension-priority: ldap, duo, jdbc’, as well as ‘jdbc, ldap, 
duo’, unfortunately those didn’t seem to work.  So perhaps you’re right that 
the current workflow doesn’t take into account this sort of scenario.  Our API 
work  has to be through a piggyback server that doesn’t have Duo MFA installed.

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu<mailto:yonat...@unt.edu>
https://itservices.cvad.unt.edu/

From: Nick Couchman 
Sent: Sunday, January 9, 2022 3:46 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: 1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?

On Thu, Jan 6, 2022 at 5:13 PM Khoe, Yonathan 
mailto:yonathan.k...@unt.edu>> wrote:
Hi,
We’re testing the 1.4.0 version upgrade.  Does this feature to be able to 
prioritize the providers include tackling the issue of MFA being requested even 
for internal accounts?  We’ve been trying to tackle how to allow only providers 
such as LDAP to multi-authenticate with Duo MFA, while internal ones should be 
bypassed.

Is this a scenario that anyone else have within their environment?


Probably not, but it may be worth clarifying a few things. First, when you talk 
about "Internal Accounts", my guess is that you're talking about users 
authenticated through the JDBC module and stored in a MySQL, PostgreSQL, or SQL 
Server database? My guess is that what you're looking for is two different 
authentication "workflows":
1) JDBC -> TOTP -> Success!
2) LDAP -> Duo -> Success!

So, you can store one set of users in JDBC and have only those users do 2FA 
through TOTP, while users in LDAP go through Duo. I don't quite think this is 
possible, but it may depend upon how those services handle users not existing. 
What you could try is setting the order to:

ldap, duo, jdbc, totp

If the user exists in LDAP and is successfully authenticated, they would go to 
Duo, and complete authentication. What I'm unsure of is if, after completing 
the Duo authentication, TOTP would kick in or not - I haven't tried that out. 
If the user didn't exist in LDAP or Duo, JDBC would be used, and then TOTP 
would kick in. Might work, but quite probably not, because the TOTP module 
might still try to enforce an additional authentication on users already 
authenticated through Duo.

-Nick

1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?

[Khoe, Yonathan]

Hi,
We're testing the 1.4.0 version upgrade.  Does this feature to be able to 
prioritize the providers include tackling the issue of MFA being requested even 
for internal accounts?  We've been trying to tackle how to allow only providers 
such as LDAP to multi-authenticate with Duo MFA, while internal ones should be 
bypassed.

Is this a scenario that anyone else have within their environment?

TIA

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

SSL Configuration for Guacd

[Khoe, Yonathan]

I'm trying to get SSL setup on our guacd server for the first time, but I'm 
having troubles getting my guacd.conf file to work once I uncomment the lines.

[adminserv@cvadguacd-01-dev ~]$ guacd -C 
/home/adminserv/cvadguacd-01-dev_college_edu_w_chain.cer -K 
/home/adminserv/nopasswd.server.key
Parse error at line 19, column 1: Invalid parameter or section name.
Unable to parse "/etc/guacamole/guacd.conf".

My guacd.conf file as well is very bare.  I'm aware of things mentioned in the 
documentation about special characters.

#
# guacd configuration file
#

[daemon]

pid_file = /var/run/guacd.pid
log_level = error

[server]

bind_host = 0.0.0.0
bind_port = 4822

#
# The following parameters are valid only if
# guacd was built with SSL support.
#
server_certificate = /home/adminserv/cvadguacd-01-dev_college_edu_w_chain.pem
server_key = /home/adminserv/server.key

If anyone has suggestions on how these SSL files should be configured for a 
guacd, please share me your thoughts (or notes).  I've only had configured a 
web server SSL, but I'm still very new even at that.

Thank you in advance on your feedback.

Yonathan Khoe
Senior Systems Administrator
CVAD IT

University of North Texas
940.565.4793
yonat...@unt.edu
https://itservices.cvad.unt.edu/

Recommended Implementation - Multiple Guac Servers Necessary?

[Khoe, Yonathan]

Hello,
I jump abroad the Guacamole project at my university after a colleague from 
another college did.  I got his insights into their college setup involving 1 
web server and 2 guacd servers as backbone.  I'm trying to get an understanding 
how/why this is necessary based on reading through the guac mailing archives.  
I see many utilize single, relatively high-performance server with room for 
scaling.  If my college (1 college, not the entire university body) were to 
expect performance that is about 80-100 concurrent usage max, is it necessary 
to have the multi-server implementation in order to help with performance and 
reliability of our Guacamole service?  Depending on the answer, do the 
"backbone" guacd servers have to be configured as proxy servers (something 
that's described in chapter 4 in the documentation)?

For context, I have set up my college with the following:
The server VM I have set up with apache tomcat and guacamole server:

  *   Xeon Gold 6140 CPU @ 2.30GHz (alloted 6 cores)
  *   8GB RAM
  *   80GB Storage
  *   Llvmpipe Graphics
  *   RHEL 8.4
  *   VMWare virtualization

The supposed GuacD server that's still a blank slate:

  *   Xeon Gold 6140 CPU @ 2.30GHz (alloted 12 cores)
  *   16GB RAM
  *   80GB Storage
  *   Llvmpipe Graphics
  *   RHEL 8.4
  *   VMWare virtualization


Thank you,
Yo Khoe
CVAD IT
University of North Texas

RE: [EXT] Re: Should I see the Login Page at this point in time following the documentation?

[Khoe, Yonathan]

Thank you, all! That really was it.  Switched to Tomcat9 and I got to the login 
page of Guacamole.  This is a great community.

Yo Khoe
CVAD IT
University of North Texas

From: Nick Couchman 
Sent: Wednesday, October 6, 2021 9:33 AM
To: user@guacamole.apache.org
Subject: Re: [EXT] Re: Should I see the Login Page at this point in time 
following the documentation?

On Wed, Oct 6, 2021 at 10:03 AM Alessandro Sironi 
mailto:a.sir...@me.com.invalid>> wrote:

Hello,

in my experience, tomcat10 doesn't work ATM with guacamole, I had have the same 
issue, switching to tomcat9 solve the problem.

Yep, there's a JIRA issue for this:
https://issues.apache.org/jira/browse/GUACAMOLE-1325

-Nick

RE: [EXT] Re: Should I see the Login Page at this point in time following the documentation?

[Khoe, Yonathan]

tion you're using, or what auth type you've 
configured, but it might pay to have a look at your log files to see if they 
carry useful information regarding the error you have?

In particular syslog and/or catalina.out may well give you sufficient detail to 
resolve the problem.

If that doesn't help, and you need to post back here, please include your 
distribution and config detail, and excerpts from your log files where you've 
restarted guacd and tomcat, and attempted a login.

Thanks.
On Wednesday, 6 October 2021, 04:23:48 pm NZDT, Khoe, Yonathan 
mailto:yonathan.k...@unt.edu>> wrote:



Hello,

I'm slowly getting a test build going for Guac and currently on the Deployment 
section of the doc.  At the last section on restarting tomcat and starting guac

 "After restarting Tomcat and startingguacd, Guacamole is successfully 
installed, though it will not be fully running. In its current state, it is 
completely unconfigured, and further steps are required to add at least one 
Guacamole user and a few connections. This is covered in Chapter 5, Configuring 
Guacamole<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fguacamole.apache.org%2Fdoc%2Fgug%2Fconfiguring-guacamole.html=04%7C01%7CYonathan.Khoe%40unt.edu%7C4d161c6ce562480bfe7308d988816cc3%7C70de199207c6480fa318a1afcba03983%7C0%7C0%7C637690912313800695%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000=Z%2F0ucFC4WxltE4wEHZx13J0Ps9zGMcr6XhARHT0hMoE%3D=0>."

Should I already be able to see the guacamole login screen at 
[ip]:8080/guacamole ?



I'm getting the following error on tomcat manager.
[cid:image001.png@01D7BA8A.726D0700]



I just wanted to make sure this is normal behavior and if I should continue 
configuring the rest (i.e. auth, database, etc.)



Thank you,

Yo Khoe

CVAD IT

University of North Texas

Should I see the Login Page at this point in time following the documentation?

[Khoe, Yonathan]

Hello,
I'm slowly getting a test build going for Guac and currently on the Deployment 
section of the doc.  At the last section on restarting tomcat and starting guac
 "After restarting Tomcat and starting guacd, Guacamole is successfully 
installed, though it will not be fully running. In its current state, it is 
completely unconfigured, and further steps are required to add at least one 
Guacamole user and a few connections. This is covered in Chapter 5, Configuring 
Guacamole."
Should I already be able to see the guacamole login screen at 
[ip]:8080/guacamole ?

I'm getting the following error on tomcat manager.
[cid:image001.png@01D7BA37.A2304900]

I just wanted to make sure this is normal behavior and if I should continue 
configuring the rest (i.e. auth, database, etc.)

Thank you,
Yo Khoe
CVAD IT
University of North Texas