Re: Configuring LDAP

2017-11-15 Thread Nick Couchman
On Mon, Nov 13, 2017 at 7:27 PM,  wrote:

> /var/log/tomcat/catalina.2017-11-13.log
>

Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not certain
that file will be there, but my general experience with Tomcat is that
catalina.out has more detail than even the catalina.*.log files.

-Nick


Re: IP of web session for ssh connection

2017-11-15 Thread Nick Couchman
On Wed, Nov 15, 2017 at 8:21 AM, Tjareson  wrote:

> Hi Nick,
>
> yes, the issue is opened already:
>  https://issues.apache.org/jira/browse/GUACAMOLE-369
>
> As it looks I'm really the only one who has this issue.
> Not sure what I can provide for further analysis of the topic.
>
> kind regards
> Tjareson
>
>
Ah, that's right.

Thanks - Nick


Re: [Question] About the device authentication function in Apache Guacamole

2017-11-15 Thread Nick Couchman
On Wed, Nov 15, 2017 at 2:34 AM, Shota Soeno 
wrote:

> To whom it may concern,
>
>
>
> I am the software engineer in NIFTY Corporation.
>
>
>
> We are interested in Apache Guacamole.
>
> We are planning to combine the computer certificate from Active Directory
> (the function of Windows Server)
>
> and Apache Guacamole in order to perform the device authentication function
>
> when users access to servers remotely.
>
> Could you tell me how to set up the device authentication function in
> Apache Guacamole?
>
>
>
> Sincerely,
>
> Shota Soeno
>

Can you clarify what you're trying to do?  Are you wanting to:
1) Authenticate users to Guacamole using certificates?
2) Authenticate from Guacamole to Remote Desktop servers using certificates
instead of credentials (e.g. smart cards)?
3) Pass through certificate authentication from the browser to Guacamole
and then on to the remote desktop connection?
4) Or something else?

The first one is possible to accomplish, not directly in Guacamole, but
with the help of a couple of additional components; the second and third
are not currently possible in Guacamole - there is support for SSH
key-based authentication, but not for certificate/smart card authentication
to RDP.

-Nick


Re: IP of web session for ssh connection

2017-11-14 Thread Nick Couchman
On Mon, Nov 13, 2017 at 5:29 PM, Tjareson  wrote:

>
> Hi Nick,
>
> do you know if that topic will ever get addressed somehow?
> I'm not quite sure, what I could do to support that.
>

I'm sure it will get addressed at some point, but I don't know when.  You
should probably create a JIRA issue for it in the Apache JIRA system:

https://issues.apache.org/jira/projects/GUACAMOLE

I'm not sure what level of familiarity you have with Java, programming,
etc., but if you're comfortable with Java code, Tomcat tracing, etc., then
you could dig in and see if you can figure out where this is occurring.
Otherwise it'll have to wait for someone else in the community to find time
to deal with it.


>
> That was the issue that the IP address of the web session is not correctly
> provided in ${GUAC_CLIENT_ADDRESS} when starting e.g. a ssh session.
>

The issue is that there is some way in which a user's IP address
appears to be cached or have some sort of latency associated with updating
the IP address when a user logs in from multiple systems or logs out and
logs in quickly from another system, correct?  Again, a JIRA issue
documenting this would be good, and we'll see if we can track it down.

Regards,
Nick


Re: Intermittent VNC connectivity to IP KVM

2017-11-13 Thread Nick Couchman
On Mon, Nov 13, 2017 at 12:47 PM, kpham  wrote:

> This is a weird issue.
>
> I use Adderlink IP KVM which uses VNC protocol. When I connect to the IPKVM
> from Guacamole v0.9.1.3, the connection drops every time something
> significant changes on the client's monitor (e.g. maximize a screen, close a
> window, etc.). If I connect to the IPKVM and do nothing, the connection
> stays on.
>
>
> I have tried with multiple units and have the same issue. I checked syslog
> and got this message every time it happens
>
> kernel: [20018.150998] traps: guacd[2185] trap divide error ip :
> 7f493214dbcd sp:7f4932d70b80 error:0 in
> libvncclient.so.1.0.0[7f493213d+1e]
>
> Do you think it's a bug in vncclient module? Any suggestion for me on how
> to
> fix it ?
>
>
Can you put guacd into debug logging  (-L debug) and see if you get any
additional output during the disconnects?  guacd logs to /var/log/messages
(or wherever the default syslog destination is), so check those logs for
guacd entries.

-Nick


Re: SFTP problems

2017-11-13 Thread Nick Couchman
On Mon, Nov 13, 2017 at 7:51 AM, Lars van Ruiten <
l.van.rui...@praxis-automation.nl> wrote:

> Hello all,
>
>
>
> Since upgrading Guacamole to 0.9.12-incubating (from 0.9.8), users have
> reported issues uploading files over SFTP connections (Added to a VNC
> connection).
>
> It appears that any file larger than ~1MB will not upload, but give a
> permission related error. (See screenshot)
>
> Uploading the file to the SFTP server directly with Bitvise SFTP client
> works fine.
>
>
>
> To me it sounds like if a file is larger than a certain size, guacd will
> buffer it on the disk on the server and it does not have the permission to
> do that. (The disk is not full)
>
> It happens to all connections, and I am sure that with some connections it
> has worked before, and the only thing that changed is the newer version of
> guacamole.
>
>
>
> If someone has any idea how I can fix this, please let me know.
> Uploading/downloading files is one of the most used features in our case.
>
>
>
> Kind regards
>
> L van Ruiten
>

A couple of quick questions:
- Did you upgrade both the client and the server components of Guacamole to
0.9.12-incubating?
- Have you tried 0.9.13-incubating?

-Nick


Re: Configuring LDAP

2017-11-13 Thread Nick Couchman
On Mon, Nov 13, 2017 at 7:55 AM,  wrote:

> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at 
> /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>

In 0.9.13-incubating, if you downloaded the release from the website, then
the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
Double-check and make sure that's the Tomcat user's home directory.  You
can also change the GUACAMOLE_HOME via either the guacamole.home property
in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
environment variable before starting Tomcat.  This changes slightly in
0.9.14-incubating (git repo), with /etc/guacamole becoming the
fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can
successfully change other items in that file and see the changes take
effect, then I believe your GUACAMOLE_HOME is probably configured for
/etc/guacamole, in which case your extensions should be in
/etc/guacamole/extensions.  So, you might try creating that directory,
placing the LDAP extension there, and then restarting Tomcat.

-Nick


Re: Unreachable RDP desktop after renaming computer

2017-11-12 Thread Nick Couchman
On Tue, Nov 7, 2017 at 3:19 PM, glarkin53  wrote:

> Hi,
>
> I'm working on a project to provide access to Windows desktops hosted on
> Amazon AWS. We spin up a number of Windows EC2 instances (Windows 2012 R2
> servers) and then connect to them with Guacamole.
>
> Upon the first connection to a machine, it has the Amazon auto-generated
> hostname, such as "win-oekuqjop15l.us-west-2.compute.internal". Our
> process
> requires the hostname to be changed and the machine rebooted, so we may
> issue the following commands in a Powershell window:
>
> Rename-Computer glarkin
> Restart-Computer
>
> After the machine restarts, Guacamole is unable to connect to the machine.
> The dialog box reads "The remote desktop server is currently unreachable."
> The machine is still up and running, and I can connect to it with a desktop
> RDP client from my laptop, so I think there is a problem with Guacamole
> somewhere.
>

Greg,
I suspect that you're running into a DNS caching issue on the system
hosting Guacamole.  Depending on what distribution you're running, there
could be one of several daemons running that caches DNS information.  sssd,
nscd, and nslcd are the ones I can think of off the top of my head.  Also,
depending on which DNS servers you're pointing at with your laptop vs.
Guacamole, it could be something on one of those systems, too.

-Nick


Re: Screen Sharing

2017-11-09 Thread Nick Couchman
On Thu, Nov 9, 2017 at 8:04 AM,  wrote:

> I've the following question. I want to use the screen sharing feature, but
> the screen sharing button is not visible in the Guacamole side menu.
> I'm using the simple xml file for administration of users and connections.
>

I don't believe screen sharing works with the simple XML file - in order
for screen sharing to work, you need to create a sharing profile, which I
believe is only present in the JDBC module.

-Nick


Re: RDP remote apps in a single session

2017-11-07 Thread Nick Couchman
On Tue, Nov 7, 2017 at 5:22 AM, artur  wrote:

> I use Guacamole 0.9.13. Right now when I start multiple remote apps for the
> same user, every app is a separate Windows session. Is it possible for
> Guacamole to make RDP remote apps share a single Windows session?
> Thank you
>
>
I believe the only way this would be possible currently in Guacamole is if
you can specify multiple Remote Apps for startup in the same connection.
Guacamole works a little bit differently than a more traditional RDP client
in this sense, as each connection has its own tab/window and starting a new
connection essentially creates an entirely new display.  With traditional
RDP clients (Windows RDP Client, xfreerdp, etc.), it uses the existing
display, so it's able to "windowize" each of the remote apps and make them
look like they are seamlessly integrated into your existing desktop.

It does bring an interesting thought, though - abstracting the Guacamole
canvas from the connections a little bit further and allowing multiple
connections/clients to exist on the same workspace.  I don't know how
feasible or desirable that would be - Mike would have to comment on that -
but I can see where it would be desirable in your scenario, and I can foresee
some other times that would be an interesting way of managing the
connections.

-Nick


Re: Capture keyboard input?

2017-11-06 Thread Nick Couchman
On Mon, Nov 6, 2017 at 12:50 PM, Anthony Moon 
wrote:

> Hi Ryan,
>
>
>
> I am not looking to log keyboard events, I’d like to find a way for
> keyboard hot keys/combos to be ‘captured’ within the active session and not
> interrupted by the client OS (things like CTRL + ALT + DEL or CTRL + W).
>
>
>
> Do you know if this is possible or shall I submit a feature request?
>
>
>
Anthony,
Yes, this is possible, but not by any sort of existing configuration -
you'd have to modify the source code of Guacamole to capture the specific
key strokes you're interested in.  The Guacamole client uses this with CTRL
+ SHIFT + ALT to display the user menu on the left-hand side of the page
while you're connected.

Regards,
Nick


Re: Authentication using http

2017-11-03 Thread Nick Couchman
On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT
TECHNOLOGY PARTNERS]  wrote:

> Will storing the allowed connections in LDAP work with HTTP
>
> header authentication"?
>
>
>
> From reading about LDAP, it seems the answer is “no”
>
> "if the bind attempt is successful, the set of available Guacamole
>
> connections is queried from the LDAP directory by executing an LDAP
>
> query as the bound user. Each Guacamole connection is represented within
>
> the directory as a special type of group: guacConfigGroup. Attributes
>
> associated with the group define the protocol and parameters of the
>
> connection, and users are allowed access to the connection only if they
>
> are associated with that group."
>
>
>
> From reading http header, it seems the answer is "maybe  ?"
>
> "This authentication method must be layered on top of some other
>
> authentication extension, such as those available from the main project
>
> website, in order to provide access to actual connections."
>
>
>
> The Guacamole documentation is somewhat unclear as to authentication
> versus authorization.
>
>
>
> Thanks in advance for any insight you can share!
>
>
>

I believe the answer is no.  Mike can correct this if I'm wrong, but my
understanding is that one of the security mechanisms in the LDAP module is
that the bind to look for connections is done with the user who logged in.
So, if the user is logged in through another mechanism (header
authentication), and particularly one that doesn't provide the password to
Guacamole (header will not), then there's not going to be any way for the
user who logged in to bind to the LDAP directory.

Header authentication does layer nicely, though, with the JDBC module, so
the best bet is to use JDBC to store the connections.  I realize that you
may be trying to use LDAP's built-in membership mechanism to assign
users/groups to connections, so that doesn't help you there, but header +
JDBC does work.

Regards,
Nick


Re: How can I set up Connection groups using LDAP

2017-11-01 Thread Nick Couchman
On Wed, Nov 1, 2017 at 16:49 wsanriv  wrote:

> Hello team,
>
> I have ldap setup and I am able to see the servers but I would like to
> separate them into groups like when we use mysql.
>
> Regards
>

The LDAP module does not currently support connection groups - at this
point these are only implemented in the JDBC module(s).

-Nick


Re: Console.log messages not included post minification

2017-11-01 Thread Nick Couchman
On Wed, Nov 1, 2017 at 9:01 AM, Erin Versfeld 
wrote:

> Thanks, Ryan and Nick,
>
> I've played around with all the log settings in the browser console, and
> run my app on multiple browsers, so that at least can be ruled out as an
> issue for now.
>
> Looking more closely at minify-maven, one of the tools it's built on top of
> is Google's Closure Compiler, which "parses your JavaScript, analyzes it,
> removes dead code and rewrites and minimizes what's left", which could
> potentially explain this behaviour. Commenting out that whole process from
> the pom file then breaks things because app.js isn't built. I'm playing
> around with changing the index.html and seeing if just pointing it to the
> individual .js files works, but alternative suggestions are also welcome.
>
> I tried injecting the $log service, but had no luck. It's entirely
> possible that I wasn't doing it correctly, though, so I'm heading back to
> the docs to confirm that.
>

In the file where you want to use it, simply find the sections toward the
top of the file that have one or more $injector.get lines, and add the
following:

var $log = $injector.get('$log');

Then elsewhere in your code use $log.debug('Your debug message here.') to
get the output (or $log.info(), $log.warn(), $log.error()).

It's also possible that the lines of code where you're attempting to put
log statements aren't actually being reached, so make sure you're putting
those statements in places that you absolutely know are executing.



>
> I am modifying the client rather than using the API portions of the client
> code to write a custom app. The kinds of errors I expect to see are the
> stock standard HTTP errors, like 404s, 500s, etc. I'd just like to have a
> little pop up or display a relevant error message when these errors occur.
> The browser is able to tell which of these errors has occurred, so it looks
> like everything is working as expected, its just handling this on the
> client side which is proving irksome. I'm trying to use the logs to work
> out where things should be handled but aren't.
>
>
Yeah, there's just a lot of code already in the client app that handles
these errors, so it's quite possible that the errors you're trying to
capture are being intercepted elsewhere in the code and either handled
transparently or with the guacNotification() code.  That's why I ask about
this.  Are you modifying things inside the
guacamole/src/main/webapp/app/rest directory, or elsewhere?  It really
depends on what you're trying to do, but there are several instances where
404s, for example, are part of the normal operation of the client and just
get handled transparently within the client without bothering the user
about it, so I'm wondering if the 404s you're seeing are already being
handled and never making it to the code you're writing.

-Nick


Re: Console.log messages not included post minification

2017-10-30 Thread Nick Couchman
On Mon, Oct 30, 2017 at 03:19 ErinVersfeld  wrote:

> I'm new to Guacamole, and am trying to adapt the base client for a project
> I'm working on. However, I'm having trouble with getting my console.log
> message to be included in the minified JavaScript. I'm assuming that it's
> the minification process that's removing them, because the logs are in the
> source code on my machine, but I can't work out where  the minification is
> happening. Do you perhaps have any advice for me?
>

I've never had the minification process strip out log messages. However, I
have noticed that Chrome seems to filter them by default.  There's an
option when you're looking at the console to change what messages get
displayed - make sure that you have it set to show all messages.

Also, it's a little cleaner to inject the $log service into the angular
code you're writing and use $log.debug() (or warn/info) and use that to log
your messages.


> I'm trying to use the logs to work out why my modified version of the
> client
> isn't displaying HTTP error messages, even though they're coming through to
> it. I've also tried using dummy variable to track a similar thing, but I
> can't get that working either. I'm using tomcat 7 and Xtightvnc.
>

Are you modifying the client or are you just using the API (-common)
portions of the client code to write a custom app?  Can you explain further
where/how you're trying to throw these errors and what you expect to see?
Also, if you're using Chrome, use the network tab of the dev console to see
the requests and responses, including response codes and bodies.  This may
help you see the error if it's being intercepted by some part of the client
and not pushed all the way through.

-Nick


Re: RDP No Sound

2017-10-29 Thread Nick Couchman
On Sun, Oct 29, 2017 at 11:47 AM, Skywave  wrote:

> I'm setting up Guacamole for a friend. I managed to get RDP to work but I'm
> scratching my brain trying to figure out how to get sound to work as well.
> FreeRDP /usr/local/lib/freerdp directory has guacsnd.so. I'm at a loss as
> to
> what I did wrong with the configuration. Can anyone please help me?
>

Please be more detailed in your description of the issue, including:
- Version of Guacamole, and how you're installing it (Docker, native
install, etc.)?
- Client platform/browser, version/edition of Windows?
- What have you tried to do to debug it?
- Are there any relevant errors in the guacd log (syslog) that point to the
issue?

-Nick


Re: HTTP Status 404 - /guacamole

2017-10-29 Thread Nick Couchman
On Sun, Oct 29, 2017 at 07:19 Skywave  wrote:

> Hi,
>
> I installed Guacamole and enabled all services, but when I go to
> http://:8080/guacamole I get
>
> <
> http://apache-guacamole-incubating-users.2363388.n4.nabble.com/file/t419/2017-10-29_7-14-53.jpg
> >
>
> Can anyone help?
>

You'll need to be a little more specific about what steps you took to
install Guacamole.  There are two components, the server and the client,
that need to be installed on the system hosting Guacamole.  Did you install
both guacd and the WAR file, along with any extensions?  If so, how did you
deploy it?

Beyond that, you'll need to look at your Tomcat log file - catalina.out -
and see if there are any errors that indicate why it's failing.

-Nick


Re: Disable SFTP from web interface

2017-10-27 Thread Nick Couchman
On Thu, Oct 26, 2017 at 5:40 PM, Anthony Moon 
wrote:

> We’d like to eliminate the potential for administrators to have access to
> this feature (if at all possible).
>

I do not know of a way to do this at the Guacamole level at this point.  On
the server-side you could disable it in the SSH server config (sshd_config)
if you have control over those servers and don't want it available at all,
or disable it for certain groups of users, etc.  But I don't know of a way
in the Guacamole configuration to prevent it.

-Nick


Re: UNABLE TO CREATE WEBSOCKET CONNECTION

2017-10-27 Thread Nick Couchman
On Fri, Oct 27, 2017 at 12:53 PM, Amarjeet Singh 
wrote:

> Nick,
>
> I already tried as you said. It's working when I am proxying through Apache
> or nginx. I am getting the following error in the browser through FES :
>

So, this indicates the problem is with FES.


>
> WebSocket connection to 'wss://172.16.1.180/accops-rdp
> /websocket-tunnel?token=D796521006917D22C54DC3D94D4274510A0B
> 92BB2C82F2FB394E6667F31AE34E&GUAC_DATA_SOURCE=default&GUAC_ID=
> ACCOPS&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=410&GUAC_DP
> I=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE
> =image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp'
>
>>  failed: One or more reserved bits are on: reserved1 = 1, reserved2 = 0,
>> reserved3 = 0
>
>
My guess is that this error message is from FES.


>  My Queries :-
>
> * Why I am getting the above mentioned error?  *failed: One or more
> reserved bits are on: reserved1 = 1, reserved2 = 0, reserved3 = 0
>

I can't answer this question because I don't know anything about FES.
Evidently something in "FES" is causing a failure and stopping the
WebSocket connection.  Since I don't know anything about FES, I can't help
you there.


> * What causes this issue if we are using proxy requests  in general ?*
>

Since the error is with FES, and not with "proxy request in general," I'm
not sure this is a valid question.  You've tested it and you say everything
works if you use Apache and nginx, but fails when FES is used, so proxy
requests, in general, are working.  Just not with FES.


>
> * Why there is a below exception in GuacamoleWebSocketTunnelEndpoint?*
>
>
>>
>>  Thread-65] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Connection
>> to guacd closed.
>> org.apache.guacamole.GuacamoleConnectionClosedException: Connection to
>> guacd is closed.
>> at 
>> org.apache.guacamole.io.ReaderGuacamoleReader.read(ReaderGuacamoleReader.java:185)
>> ~[guacamole-common-0.9.10-incubating.jar:na]
>> at org.apache.guacamole.io.ReaderGuacamoleReader.readInstructio
>> n(ReaderGuacamoleReader.java:197) ~[guacamole-common-0.9.10-incu
>> bating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.readIn
>> struction(FilteredGuacamoleReader.java:83) ~[guacamole-common-0.9.10-incu
>> bating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.readIn
>> struction(FilteredGuacamoleReader.java:83) ~[guacamole-common-0.9.10-incu
>> bating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.read(F
>> ilteredGuacamoleReader.java:66) ~[guacamole-common-0.9.10-incu
>> bating.jar:na]
>> at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpo
>> int$2.run(GuacamoleWebSocketTunnelEndpoint.java:162)
>> ~[guacamole-common-0.9.10-incubating.jar:na]
>> Caused by: java.net.SocketException: Socket closed
>> at java.net.SocketInputStream.socketRead0(Native Method) ~[na:1.7.0_51]
>> at java.net.SocketInputStream.read(SocketInputStream.java:152)
>> ~[na:1.7.0_51]
>> at java.net.SocketInputStream.read(SocketInputStream.java:122)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177) ~[na:1.7.0_51]
>> at java.io.InputStreamReader.read(InputStreamReader.java:184)
>> ~[na:1.7.0_51]
>> at 
>> org.apache.guacamole.io.ReaderGuacamoleReader.read(ReaderGuacamoleReader.java:171)
>> ~[guacamole-common-0.9.10-incubating.jar:na]
>> ... 5 common frames omitted
>>
>
>
This likely occurs because guacd detects that there's no activity on the
tunnel (because the WebSocket connection is failing) and guacd shuts down
the connection.  This is a peripheral error and probably not what you
should be focused on until you fix the issues with FES.


> *4. What should I have to handle if I proxy requests in FES ?*
>

I don't know.  I don't know anything about FES, so it's very hard to say.
Is FES custom code you've written?  Is it another open source project?  Is
it proprietary code?  The issue seems to be with FES, so that needs to be
worked out.  Since Guacamole works fine when proxied through Nginx, Apache,
and any number of other web servers, the issue is not with Guacamole, or
Tomcat, and its ability to handle other software proxying requests to it.

-Nick
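
The reserved bits named in the browser error quoted in this thread are flags in the first byte of every WebSocket frame (RFC 6455, section 5.2): a client must fail the connection when one is set and no negotiated extension defines it, and permessage-deflate (RFC 7692) is the extension that uses RSV1. The following is an added example, not code from the thread or from the Guacamole project; the frame bytes and handshake headers are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread or the Guacamole project).
# Sample frame bytes and handshake headers below are constructed.

# Print the flag bits and opcode held in the first byte of a WebSocket
# frame (RFC 6455, section 5.2). $1 = that byte as two hex digits.
ws_frame_flags() {
    b=$((0x$1))
    printf 'fin=%d rsv1=%d rsv2=%d rsv3=%d opcode=%d\n' \
        $(( (b >> 7) & 1 )) $(( (b >> 6) & 1 )) \
        $(( (b >> 5) & 1 )) $(( (b >> 4) & 1 )) $(( b & 15 ))
}

# Apply the client-side rule: reserved bits must be 0 unless the handshake
# response negotiated an extension that defines them.
# $1 = first frame byte (hex); stdin = handshake response headers.
ws_rsv_check() {
    b=$((0x$1))
    rsv=$(( (b >> 4) & 7 ))          # RSV1=4, RSV2=2, RSV3=1
    exts=$(tr -d '\r' | grep -i '^sec-websocket-extensions:' | cut -d: -f2-)
    if [ "$rsv" -eq 0 ]; then
        echo ok
    elif [ "$rsv" -eq 4 ] && printf '%s' "$exts" | grep -qi 'permessage-deflate'; then
        echo ok-compressed           # RSV1 marks a compressed message
    else
        echo protocol-error
        return 1
    fi
}

# Constructed handshake responses: one without and one with the extension.
plain_handshake() {
    printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n'
}
deflate_handshake() {
    printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Extensions: permessage-deflate\r\n\r\n'
}

ws_frame_flags 81                          # uncompressed text frame
ws_frame_flags c1                          # text frame with RSV1 set
plain_handshake   | ws_rsv_check 81
deflate_handshake | ws_rsv_check c1
plain_handshake   | ws_rsv_check c1 || true   # the case a client rejects
```

Comparing the Sec-WebSocket-Extensions header the browser receives with the one the backend sends, at each hop of a proxy chain, shows whether the handshake and the frames agree about compression.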


Re: UNABLE TO CREATE WEBSOCKET CONNECTION

2017-10-27 Thread Nick Couchman
On Fri, Oct 27, 2017 at 8:23 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> Error is :
>
> WebSocket connection to 'wss://172.16.1.180/accops-
> rdp/websocket-tunnel?token=D796521006917D22C54DC3D94D4274
> 510A0B92BB2C82F2FB394E6667F31AE34E&GUAC_DATA_SOURCE=default&
> GUAC_ID=ACCOPS&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=
> 410&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%
> 2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_
> IMAGE=image%2Fwebp' failed: One or more reserved bits are on: reserved1 =
> 1, reserved2 = 0, reserved3 = 0
>
> On Fri, Oct 27, 2017 at 5:52 PM, Amarjeet Singh 
> wrote:
>
>> Hi  Team,
>>
>> Getting this error as well on the Browser screen
>>
>>
>>
>>
>> On Thu, Oct 26, 2017 at 10:24 PM, Amarjeet Singh 
>> wrote:
>>
>>> Hi Nick,
>>>
>>> What options do I have to resolve this issue ?
>>>
>>> Even if the requests are proxying what causes this issue to throw an
>>> error...
>>>
>>> Please help me to resolve this...
>>>
>>> I am stuck and can't do much after two days of research.  Tunnel are
>>> working through only issue is with websocket request.
>>>
>>> On Oct 26, 2017 22:11, "Amarjeet Singh"  wrote:
>>>
>>>> I am proxying through Apache httpd but wss requests or  socket
>>>> connections goes directly to tomcat through fes( server written in c )
>>>> which is at front end...
>>>>
>>>> FES --> HTTPD --> Tomcat
>>>>
>>>> all requests goes as above ..but
>>>>
>>>> wss requests goes from FES --> Tomcat
>>>>
>>>
Amarjeet,

I'm not sure what's going on, but I did not receive any of your e-mail
replies after I asked about how it was set up.

Based on the fact that you're both using "FES" (whatever that is) and
httpd, I'd say you need to try things out without both of those items in
the way and see what works.  I would try taking one thing out at a time -
specifically, you should first remove FES from the configuration and just
use httpd -> Tomcat and see if that works.  If you still have issues with
that, verify that going directly to Tomcat works.  Once you determine if
the issue is with FES, httpd, or Tomcat, you'll be able to determine what
steps need to be taken to resolve the problem.

-Nick


Re: Disable SFTP from web interface

2017-10-26 Thread Nick Couchman
On Thu, Oct 26, 2017 at 12:20 PM, Anthony Moon  wrote:

> Hi everyone,
>
>
>
> Does anyone know if there is a way of disabling the option to enable SFTP
> from the client web server?
>
>
>

No...could you explain why you'd want to do this instead of just disabling
it for the connection and then not allowing people to modify that
connection?

-Nick


Re: UNABLE TO CREATE WEBSOCKET CONNECTION

2017-10-26 Thread Nick Couchman
Are you connecting directly to Tomcat or are you proxying through Apache
httpd, nginx, etc.?

On Thu, Oct 26, 2017 at 11:34 AM, Amarjeet Singh 
wrote:

> I am not able to connect the Websocket connections because of the
> following errors : -
>
> Machine : Centos 7
>
> Guacamole Version : 0.13
>
>
> *Errors in Catalina.out *
>
>>
>> [Thread-65] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Connection
>> to guacd closed.
>> org.apache.guacamole.GuacamoleConnectionClosedException: Connection to
>> guacd is closed.
>> at org.apache.guacamole.io.ReaderGuacamoleReader.read(
>> ReaderGuacamoleReader.java:185) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> at org.apache.guacamole.io.ReaderGuacamoleReader.readInstruction(
>> ReaderGuacamoleReader.java:197) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.readInstruction(
>> FilteredGuacamoleReader.java:83) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.readInstruction(
>> FilteredGuacamoleReader.java:83) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> at org.apache.guacamole.protocol.FilteredGuacamoleReader.read(
>> FilteredGuacamoleReader.java:66) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(
>> GuacamoleWebSocketTunnelEndpoint.java:162) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> Caused by: java.net.SocketException: Socket closed
>> at java.net.SocketInputStream.socketRead0(Native Method) ~[na:1.7.0_51]
>> at java.net.SocketInputStream.read(SocketInputStream.java:152)
>> ~[na:1.7.0_51]
>> at java.net.SocketInputStream.read(SocketInputStream.java:122)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
>> ~[na:1.7.0_51]
>> at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177) ~[na:1.7.0_51]
>> at java.io.InputStreamReader.read(InputStreamReader.java:184)
>> ~[na:1.7.0_51]
>> at org.apache.guacamole.io.ReaderGuacamoleReader.read(
>> ReaderGuacamoleReader.java:171) ~[guacamole-common-0.9.10-
>> incubating.jar:na]
>> ... 5 common frames omitted
>
>
>
> *Errors in Syslog :*
>
> Oct 26 11:13:45 hysecuresslvpn guacd[4035]: Creating new client for
>> protocol "rdp"
>> Oct 26 11:13:45 hysecuresslvpn guacd: guacd[4035]: INFO: Creating new
>> client for protocol "rdp"
>> Oct 26 11:13:45 hysecuresslvpn guacd: guacd[4035]: INFO: Connection ID
>> is "$234cbf85-7cfe-47f8-8269-7e7dfbeea05a"
>> Oct 26 11:13:45 hysecuresslvpn guacd[4035]: Connection ID is
>> "$234cbf85-7cfe-47f8-8269-7e7dfbeea05a"
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: No security mode specified.
>> Defaulting to RDP.
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: No security
>> mode specified. Defaulting to RDP.
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: Resize method:
>> none
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: User
>> "@7eda383e-1312-4db7-9f1a-6a6afb3d7ce1" joined connection
>> "$234cbf85-7cfe-47f8-8269-7e7dfbeea05a" (1 users now present)
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: Resize method: none
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: User
>> "@7eda383e-1312-4db7-9f1a-6a6afb3d7ce1" joined connection
>> "$234cbf85-7cfe-47f8-8269-7e7dfbeea05a" (1 users now present)
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: Loading keymap "base"
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: Loading keymap
>> "base"
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: Loading keymap
>> "en-us-qwerty"
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: Loading keymap "en-us-qwerty"
>> Oct 26 11:13:46 hysecuresslvpn guacd[12333]: Internal RDP client
>> disconnected
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12333]: INFO: Internal RDP
>> client disconnected
>> Oct 26 11:13:46 hysecuresslvpn guacd: connected to 172.16.1.75:3389
>> Oct 26 11:13:46 hysecuresslvpn guacd[4035]: Connection
>> "$006194f8-cc75-4fae-8a20-19723d4e1b05" removed.
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[4035]: INFO: Connection
>> "$006194f8-cc75-4fae-8a20-19723d4e1b05" removed.
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: guacdr connected.
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: guacdr
>> connected.
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: guacsnd connected.
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: guacsnd
>> connected.
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: Connected to RDPDR 1.12 as
>> client 0x0006
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: Connected to
>> RDPDR 1.12 as client 0x0006
>> Oct 26 11:13:46 hysecuresslvpn guacd[12346]: Ignoring server capability
>> set type=0x0001, length=44
>> Oct 26 11:13:46 hysecuresslvpn guacd: guacd[12346]: INFO: Ignoring
>> server capability set type=0x0001, length=44
>> Oct 26 11:13:46 hysecuresslvpn

Re: base64 encoded url

2017-10-25 Thread Nick Couchman
On Wed, Oct 25, 2017 at 20:59 Steven Pollock  wrote:

> Running into a snag with this, could use some help.
>
> http://11.26.56.131:8080/guacamole/#/client/MwBjAG15c3Fs/?username=secretuser&password=secretpassword
>
> --this works in the URL
> echo 'MwBjAG15c3Fs' | base64 -d
>
> *3cmysql*
>
> However, reversing, that is trying to create the base64 encoding does not.
>
> echo '3cmysql' | base64
>
> *M2NteXNxbAo=*
>
> Anyone know how to properly encode?
>

The encoding is a combination of three things:
- Connection ID (3)
- Type (c)
- Datasource name (MySQL)

They are separated by a null terminator (\0), which is what you're missing
when you try the echo command above.

-Nick
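
The identifier format described in the reply above, as an added example that is not part of the original thread: two shell functions that build and split the base64 client identifier. The function names and the `c`/`g` type check are assumptions added here; the thread itself only shows type `c`.

```shell
#!/bin/sh
# Added example (not Guacamole project code): build and parse the base64
# client identifier that appears in /#/client/<identifier> URLs.

# guac_encode_id ID TYPE DATASOURCE
# Joins the three fields with NUL bytes and base64-encodes the result.
# printf is used instead of echo: echo '3cmysql' has no NUL separators and
# appends a newline, which is why it produced M2NteXNxbAo= in the thread.
guac_encode_id() {
    [ "$#" -eq 3 ] || { echo "usage: guac_encode_id ID TYPE DATASOURCE" >&2; return 2; }
    case "$2" in
        c|g) ;;   # assumption: c = connection, g = connection group
        *) echo "unknown type: $2" >&2; return 2 ;;
    esac
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
    echo
}

# guac_decode_id IDENTIFIER
# Prints the fields one per line. NUL is translated to newline because
# shell variables and command substitution cannot hold NUL bytes.
guac_decode_id() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n'
    echo
}

guac_encode_id 3 c mysql          # MwBjAG15c3Fs
guac_decode_id MwBjAG15c3Fs       # 3, c, mysql on separate lines
```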


Re: what is java.lang.NullPointerException

2017-10-25 Thread Nick Couchman
>
> Looking through past emails, you mentioned that you have configured
> Apache in front of Tomcat. Can you provide your configuration? If
> Apache is misconfigured, that could easily cause this.
>
> - Mike
>
>
...you can also try connecting directly to Tomcat, bypassing Apache, and
see if you encounter the same error or if the connection stays active.  If
it works when accessing Tomcat directly, you'll know the issue is with the
proxy configuration.

-Nick


Re: Assistance on creating jar file from directory

2017-10-24 Thread Nick Couchman
On Mon, Oct 23, 2017 at 10:56 PM, Charles Mccrea 
wrote:

> Hello Team,
>
> I'm getting further thanks to your help.  I do believe the issue I was
> having was due to the version of Guacamole I had installed.  version 0.9.9
> doesn't appear to have extensions for theming your login page working.  So
> I tried upgrading my CentOS 7 install of Guacamole to 0.9.13-incubating but
> I couldn't get the upgrade to work.  So I tried a fresh install (took the
> install instructions for 0.9.9 and made the necessary changes to install
> 0.9.13) but this wouldn't work for me (guacadmin login was invalid for some
> reason?).
>
> So I abandoned CentOS and used instructions to install 0.9.13 on Ubuntu
> 16.04.  This worked!
>
> I've added my custom theme and I now have our logo and background.  Works
> like a charm.
>
> I do have a followup question for you though...the logo above the login
> (in the box).  Our logo is tiled instead within this small box.  How would
> I make this just the one logo and not tiled?
>
> I would prefer to use CentOS 7 for our Guacamole but I'll need to keep
> working at why when I install  0.9.13 using the instructions from here -
> https://deviantengineer.com/2016/11/guacamole-incubator-centos7/ and
> update his steps with the 0.9.13-incubating files and newer java files my
> install didn't work.
>

I use CentOS 7 every day with Guacamole, and have no issues with it, so I
know it works.  I do not use the packages, though, I'm mostly doing
development on it, so I have the Git repos copied and am routinely
recompiling versions of the code and using that.

The Guacamole manual lists all of the requirements for building Guacamole
on both Debian-based platforms and RH-based platforms, so I would check
that out.  If you run into issues, feel free to respond here with the
specific errors you're getting and I'm sure those of us in the community
here can help you work through it.

http://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html

-Nick


Re: General Questions

2017-10-23 Thread Nick Couchman
On Mon, Oct 23, 2017 at 11:50 AM, Carter Sema  wrote:

> Noticed the picture attached  on my Guacamole Account. Just wondering what
> the LDAP tab was used for. I did some quick google searching and wasn’t
> able to find anything. I’m assuming it’s for controlling the AD connections
> if I would have modified my Schema? Or does this control something else?
>

The LDAP extension doesn't support editing users or connections from the
management interface, but each data source that is present has a tab in the
management interface, so you'll see this show up.


>
>
> Also, is there a way to control when machines are available? An example
> would be, we have a lab of high powered CAD machines but don’t want
> everyone accessing them until after school is over so kids can work on
> their projects outside of school. Is there a way to set those machines to
> become available after a certain time in guacamole?
>
>
>

You can control when users can log on to Guacamole, but I do not believe
there is currently any way to control when connections are available to
users who log on.  You're welcome to open a feature request in Guacamole
JIRA for that, and see if there's interest in adding that functionality to
the product.

-Nick


Re: Assistance on creating jar file from directory

2017-10-21 Thread Nick Couchman
On Sat, Oct 21, 2017 at 10:04 AM, Charles Mccrea 
wrote:

> Hi Nick,
>
> Still working on this issue but I'm still not seeing results.  Here's the
> scoop:
>
> Using this post -
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/48fcbd3e/#bd49/2661,
> I'm able to confirm a lot of things.
>
>- I've looked into my /etc/passwd file and confirmed that my tomcat
>home is /usr/share/tomcat/.guacamole/.
>
>
Please clarify this for me - is the home directory for the tomcat user set
to /usr/share/tomcat, or to /usr/share/tomcat/.guacamole?  It *should* be
set to /usr/share/tomcat, and then within the home directory should be a
.guacamole sub-directory, which should contain the guacamole.properties
file and an extensions directory.  So, to summarize:

- Tomcat user home: /usr/share/tomcat
- GUACAMOLE_HOME: /usr/share/tomcat/.guacamole
- Guacamole Properties: /usr/share/tomcat/.guacamole/guacamole.properties
- Extensions directory: /usr/share/tomcat/.guacamole/extensions


>
>- Inside this directory I have my guacamole.properties file and the
>extensions folder.
>- I didn't have my GUACAMOLE_HOME environment variable set so I've
>done this now using an .sh script.  Confirmed on reboot that my environment
>variable is set properly.
>

If you're setting this property directly, now, in the startup script, it
should be set to /usr/share/tomcat/.guacamole.


>
>- Inside this /usr/share/tomcat/.guacamole/extensions folder I have
>the guacamole-auth-jdbc-mysql-0.9.9.jar file.  At the bottom of that
>forum post I'm following there is an example extension .jar file.  I've
>used this to see if I can make changes to my login screen so I've copied
>this .jar file into my extensions folder so it sits beside the
>guacamole-auth-jdbc-mysql-0.9.9.jar file.  I'm assuming both files can
>reside in the same folder without issue.
>

If you're running 0.9.9 you should really consider upgrading.  First, I'm
not sure when custom branding support was added in, but it may not work in
that version, and, second, that's 4 releases behind the current version,
and there have been lots of improvements since then.  0.9.13-incubating is
the current released version, and then the git repo master will eventually
be 0.9.14-incubating and has more changes/fixes on top of that.

-Nick


Re: CAS Authentication with ADFS

2017-10-20 Thread Nick Couchman
On Fri, Oct 20, 2017 at 3:19 PM, Carter Sema  wrote:

> Trying out the CAS Authentication piece, and connecting back to my ADFS
> environment.
>
>
>
> My cas-authorization-endpoint is set to federation.domain.org and my
> cas-redirect-uri is set to guacamole.domain.org/guacamole. When I
> navigate to guacamole.domain.org/guacamole it redirects to the following
> error
>
>
>
>
>
This will almost certainly not work.  ADFS does not implement the CAS
authentication protocol.  CAS is not just a SSO product, it's a protocol,
as well, and the guacamole-auth-cas module implements authentication for
the CAS protocol.  IIRC, ADFS federation uses SAML, and there's currently
no publicly-available version of a SAML module for Guacamole, although
there are a couple of folks working on modules, I believe.

-Nick


Re: Assistance on creating jar file from directory

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 5:27 PM, Charles Mccrea 
wrote:

> Hello Nick and thank you for this explanation.
>
> I've searched my guacamole server for a guacamole.properties location.  I
> found two:
>
> /etc/guacamole/guacamole.properties
> /usr/share/tomcat/.guacamole/guacamole.properties
>
> It would appear that one is a pointer to the other so basically I have
> found my guacamole.properties file.
>
> Looking within my guacamole.properties file I do not find an entry for
> GUACAMOLE_HOME.  Should this environment variable be there?
>
>
>- Will defining a Guacamole_home environment variable then tell
>guacamole where to find my new extension .jar file?
>- And my Guacamole does work as of now in that I can login and use
>Guacamole.  So how does my Guacamole currently work if it doesn't know
>where the Guacamole home is?
>

Charles,
I think all you need to do is create the extensions directory inside the
/etc/guacamole and/or /usr/share/tomcat/.guacamole directory, then drop
your JAR file in there and restart Tomcat or redeploy the web app.

-Nick


Re: mySQL authentication issue.

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 4:19 PM, Darch  wrote:

> Half a day trying to figure it out...and you're right.  I got all the files
> directly this time.  My mistake was using Maven to build my guacamole.war
> file initially.
>
>
You can definitely build it, but, if you do, make sure to grab all of the
extension JARs from the build directory, as well, to make sure the version
is the same.  There have been a few significant changes in the current git
master branch that will render mixed versions of extensions and the main
WAR file incompatible.

Glad you got it working - enjoy, and post back if you run into any other
issues!

-Nick


Re: mySQL authentication issue.

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 3:27 PM, Darch  wrote:

> Trying out Guacamole, I've followed the instructions on the site.  First
> step, I got it to work without issues with a flat user-mapping.xml.
>
> Now, moving on, I'm trying to use with mysql auth.  Somehow, the
> authentication provider extension fails to start.  I have my java connector
> in lib.  I have my extension in extensions.  My GUACAMOLE_HOME is pointing
> to the right folder /usr/share/tomcat/.guacamole.
>
> Am setup on Fedora 26 with Tomcat 8
>
> Here is the error message I get, any ideas?
>
> ...
> Oct 19 13:59:13 docker server: 13:59:13.474 [localhost-startStop-1] ERROR
> o.a.g.extension.ProviderFactory - authentication provider extension failed
> to start: com.google.inject.internal.util.$ComputationException:
> java.lang.NoClassDefFoundError:
> org/apache/guacamole/net/auth/ConnectionRecordSet$SortableProperty
>
>
This error actually looks like a version mismatch between the MySQL
extension and the core Guacamole WAR.  It looks like maybe you used an
older version of the MySQL JAR with the newer Guacamole WAR file.  Are you
downloading/installing all of this from the Guacamole web page, or have you
custom built any of it?  If you're building from the git repo, I'd suggest
removing all of your WAR and JAR files, doing a clean build, and installing
everything from the clean build.

-Nick
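
The version mismatch described in this reply, together with the GUACAMOLE_HOME layout Nick summarizes in his 2017-10-21 reply further up the page, can be checked before restarting Tomcat. The script below is an added example, not code from the thread or the Guacamole project; the function name, the output labels and the sample file names are assumptions, and the web application version is passed in by the caller.

```shell
#!/bin/sh
# Added example (not project code).
# check_guacamole_home DIR WAR_VERSION
# Verifies that DIR holds guacamole.properties and an extensions directory,
# and flags extension JARs whose version differs from the deployed WAR.
# Run it as the Tomcat user so the -r test reflects that user's access.
check_guacamole_home() {
    gh_dir=$1
    gh_war=$2
    gh_rc=0

    if [ ! -r "$gh_dir/guacamole.properties" ]; then
        echo "MISSING: $gh_dir/guacamole.properties"
        gh_rc=1
    fi
    if [ ! -d "$gh_dir/extensions" ]; then
        echo "MISSING: $gh_dir/extensions"
        return 1
    fi

    for gh_jar in "$gh_dir"/extensions/*.jar; do
        [ -e "$gh_jar" ] || continue        # glob matched nothing
        gh_name=${gh_jar##*/}
        # Version = trailing "-<digits and dots>[-incubating]" before ".jar"
        gh_ver=$(printf '%s\n' "$gh_name" |
            sed -n 's/^.*-\([0-9][0-9.]*\(-incubating\)\{0,1\}\)\.jar$/\1/p')
        if [ -z "$gh_ver" ]; then
            echo "UNVERSIONED: $gh_name"    # e.g. a custom branding JAR
        elif [ "$gh_ver" != "$gh_war" ]; then
            echo "MISMATCH: $gh_name is $gh_ver, web application is $gh_war"
            gh_rc=1
        else
            echo "OK: $gh_name"
        fi
    done
    return "$gh_rc"
}

# Constructed sample layout: a 0.9.9 MySQL extension beside a
# 0.9.13-incubating web application, plus an unversioned branding JAR.
demo=$(mktemp -d)
mkdir "$demo/extensions"
: > "$demo/guacamole.properties"
: > "$demo/extensions/guacamole-auth-jdbc-mysql-0.9.9.jar"
: > "$demo/extensions/branding.jar"
check_guacamole_home "$demo" 0.9.13-incubating || echo "problems found"
rm -rf "$demo"
```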


Re: Assistance on creating jar file from directory

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 2:40 PM, Charles Mccrea 
wrote:

> Hello,
>
> I'm attempting to make a custom icon on my login page.  I've installed
> Guacamole on CentOS 7.
>
> I'm using information from this page -
> http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Branding-the-login-page-td281.html
>
> I've created my jar file and put this into the following location:
>
> /var/lib/guacamole/extensions/
>
> I then restart my guacamole server and reload my guacamole website.  The
> changes I've put into the new jar file I created are not showing up.  Do I
> need to change anything else in Guacamole so it knows to use my jar file?
>
>
Charles,
Have you defined /var/lib/guacamole either in the GUACAMOLE_HOME
environment variable or in the catalina.properties file under the
guacamole.home property?  The default is a ".guacamole" directory in the
Tomcat user's home directory, so you would need to override this if you
wanted it elsewhere.

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#guacamole-home

-Nick


Re: Websockets not working

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 1:36 PM, Colin McGuigan <
colin_guacam...@walkingshadows.org> wrote:

> Update: Without changing any configuration (only working on my extension),
> this problem resolved itself and I now see the websocket tunnel in use.
>
> I have no idea what caused it to change, other than the possibility of
> tomcat restarts.
>
>
Colin,
I did notice something in the following line:

> GET
ws://:8080/guacamole/websocket-tunnel?token=
943D0910D316FE59C5C110AD800DFF7FBDFD7529000C1D7503719FD9828D
B69B&GUAC_DATA_SOURCE=saml&GUAC_ID=&GUAC_TYPE=
c&GUAC_WIDTH=948&GUAC_HEIGHT=998&GUAC_DPI=120&GUAC_AUDIO=
audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&
GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp

The GUAC_DATA_SOURCE=saml is a bit interesting.  I'm guessing that your
SAML extension is only doing authentication, it's not providing any
computer data, correct?  If so, this line indicates the issue, that it
is/was trying to retrieve the connection from the SAML data source, when it
is actually in another data source.  Perhaps the change you made caused it
to correct this parameter??

-Nick


Re: Telnet/SSH buffer size

2017-10-19 Thread Nick Couchman
On Thu, Oct 19, 2017 at 9:24 AM, McRoy, Jeffrey (GE Healthcare) <
jeffrey.mc...@ge.com> wrote:

> Hi Everyone,
>
>
>
> Does anyone know what the buffer size is for Guac’s Telnet and SSH
> sessions?
>
>
>
For SSH, looks like 8192:

https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/ssh/ssh.c#L157
https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/ssh/ssh.c#L177

For telnet, looks probably 8192 for most things, but there are a couple of
operations that are slightly different:

https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/telnet/telnet.c#L92
https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/telnet/telnet.c#L263
https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/telnet/telnet.c#L386
https://github.com/apache/incubator-guacamole-server/blob/95be88be19e04e07ac1dafb823993745bee7d146/src/protocols/telnet/telnet.c#L465

-Nick


Re: Problems with basic authentication

2017-10-18 Thread Nick Couchman
On Wed, Oct 18, 2017 at 8:30 AM, Felix Wolfheimer <
f.wolfhei...@googlemail.com> wrote:

> Hi Nick,
>
> thanks for your help and your suggestions. I created /etc/guacamole and
> put guacamole.properties into this directory. The file has the following
> content:
>
> guacd-hostname: localhost
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
>
> I also put my user-mapping.xml file into this directory (same content as
> before). I added the line "guacamole.home=/etc/guacamole" to
> /etc/tomcat/catalina.properties and restarted tomcat. The permissions of
> the /etc/guacamole directory and its files were set such that tomcat can
> access all files (tomcat.root, 400). Looking at /var/log/messages after the
> restart reveals the following lines which might be related to the issue:
>


Felix,
What Linux distro/version are you running?  Is SELinux enabled (output of
"getenforce" command)?

-Nick


Re: Guacamole ldap-group-base-dn

2017-10-17 Thread Nick Couchman
On Tue, Oct 17, 2017 at 3:04 PM, Carter Sema  wrote:

> Is it possible to use already existing AD fields that LDAP reads? Or does
> it only read the Guacamole AD Fields from its schema modification? Can
> guacamole read any AD Group from the App at all? Can’t the Security group
> that controls login hold some kind of connection data?
>
> (using ad security groups to control login is amazing, love that feature)
>
>
>
> I had just tested doing it the way you suggested, and it works, just means
> I have to load users individually or script an import. Has anyone used a
> GUI SQL tool such as Oracle SQL Developer or RazorSQL to pull data from the
> guacamole SQL tables and modify?
>

The way the module is currently implemented, if you want to store the
actual connection information in LDAP, you need to modify the schema.
There is no way (currently) to configure what LDAP attributes the extension
looks at to get things like connection name, parameters, etc.

The LDAP module can read users and groups without any schema modification;
however, unless you're storing the connections themselves in LDAP, there's
no way to map those LDAP groups, in particular, to connections.  Guacamole
doesn't support groups internally at the moment, so the only way the LDAP
groups work is because it's using LDAP searches to limit the results it
gets back.  So, for this to work, everything has to be in LDAP.

There's a JIRA issue out there to add group support to Guacamole, so
hopefully this will change in the future, and maybe there will be some
mapping for groups between the LDAP module and the JDBC module, depending
on how that's implemented, but that remains to be seen.

You should definitely be able to use scripts or a graphical tool to
manipulate the Guacamole DB directly, or write an external script/tool to
automate that.

-Nick


Re: Guacamole ldap-group-base-dn

2017-10-17 Thread Nick Couchman
On Tue, Oct 17, 2017 at 2:37 PM, Erik Berndt 
wrote:

> Carter,
>
> This should be possible without any schema change. We use an AD Security
> Group to restrict which users are permitted to access the RD Server
> (regardless of the protocol). Within Guacamole.properties you can use the
> ldap-user-search filter to restrict which users are able to login through
> Guacamole.
>
> For example, we use the Root OU as the ldap-user-base-dn (which afaik has
> to be the root OU). Then have the following ldap-user-search-filter in place:
>
> ldap-user-search-filter: (memberOf=
> ,ou=,OU=,DC=,DC=)
>
>
This does, indeed, allow you to restrict who can log into Guacamole, but
does not let you assign individual connections to certain users or groups
of users.

-Nick


Re: Guacamole ldap-group-base-dn

2017-10-17 Thread Nick Couchman
On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema  wrote:

> I read the following article
> https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for
> how to assign connections
> to LDAP users. From the article it sounds like I can use AD Security
> Groups? Is this possible without updating my Schema? Updating my Schema is
> off the table for options. So im looking for the 2nd best without needing
> to import a ton of users into the guac sql database.
>
>
>

Using that method requires that you store the connection information inside
LDAP, which requires schema modifications.

If you stack authentication modules, like JDBC and LDAP, you can have users
log in with LDAP, make sure those same users are created in JDBC, and then
assign the permissions to the user accounts objects in the JDBC module.  As
long as the LDAP and JDBC usernames match, this will map through.

-Nick


Re: Connection Error

2017-10-16 Thread Nick Couchman
On Wed, Oct 11, 2017 at 10:46 AM, surfshack66 
wrote:

> Unfortunately, I'm still having this issue where the connection drops
> (receive an error) due to the corporate network interfering. I don't
> understand how it could be or what to do now, but any help would be
> appreciated as I would love to get this working.
>
>
It's hard to say - it sounds to me like the connection is failing between
the Guacamole Server (guacd) and the RDP server, and not between the
Guacamole Client and the Guacamole Server.  I'm not certain about that,
it's just what I gather from the error you're getting.  I don't know if the
Guacamole Server is on the same subnet as the RDP server, or if it's
possible for you to move the Guacamole Server "closer" to the RDP server
(not physical proximity, just fewer hops/firewalls in between) and see if
that helps.  Without knowing what kind of firewalling/filtering is being
done across the network, types of links in place, etc., it's going to be
hard to pinpoint what's going on.

-Nick


Re: what is java.lang.NullPointerException

2017-10-16 Thread Nick Couchman
On Mon, Oct 9, 2017 at 8:28 AM, Youhei Ootsuki 
wrote:

> Hi,
>
>
>
> Thank you very much for your reply.
>
>
> > At what point in the process do you get the error?
>
> I can login to My Guacamole server. ( HTTPS )
> but, I can not connect to the remote server with SSH.
>
> However, RDP connection is possible.( Another remote server )
> and, SSH connection to myself is also possible( Guacamole server to
> Guacamole server on ssh )
>
> SSH connection to Cisco IOS is also possible.
>
>
>
> SSH connection to the latest Linux such as Debian 9, Centos 7 is
> impossible.
>
>
That's very strange.  I don't use Debian much, but I do use CentOS 7.4 and
RHEL 7.4 routinely, and connect to these hosts with Guacamole without a
problem.

Can you enable debugging mode for guacd (guacamole server) and capture the
logs when the connection fails?  You can either change the startup, or stop
the service and run guacd manually with the -L debug flag and the -f flag
and capture the output during a connection failure:
/usr/sbin/guacd -L debug -f

(Use the appropriate path to guacd, wherever you have it installed.)

-Nick


Re: execute script on “guacamole server” before/after connecting ?

2017-10-16 Thread Nick Couchman
On Thu, Oct 12, 2017 at 1:55 PM, Jonathan Haché-Deschênes <
jhache-desche...@infoplus.ca> wrote:

> It could be a lot of things. In our case we would like to start an openvpn
> connection before connecting & close vpn when session closes.
>
>
>
That makes sense.  I do not know of any way to do this inside Guacamole
itself.  I think there are some network-level things you can do in Linux,
perhaps even with iptables, to automatically kick off a VPN session when
certain IPs or hostnames are requested, so that might be a route worth
exploring.

-Nick


Re: Apache Force Re-Direct to HTTPS

2017-10-16 Thread Nick Couchman
On Mon, Oct 16, 2017 at 10:25 PM, Carter Sema  wrote:

> I checked my Apache folders and my only site-enabled is my tomcat one, and
> just to be safe, I deleted the default ones in sites-available, rebooted
> apache2 and reloaded, still no luck. I can actually access HTTP content
> such as Guac(not static default tomcat sites) and it works. Any other
> tricks or ideas?
>
Nothing off the top of my head - clearly something else there is still
servicing the traffic on port 80, but I'm not able to spot what it is in
the configs you've posted.


> Do I need to enable Rewrite? The only reason I ask, is because on my other
> ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.
>
I think you should be able to do it without rewrite and with alias, using
the Redirect permanent line you have.  According to docs, the Redirect
directive is part of mod_alias, so you should only need to enable mod_alias
and then put that Redirect permanent / https:/// line in there.


> I ended up doing what you suggested and blocking my traffic to port 80. As
> a fix for right now, eventually I will go back and investigate more. As you
> said, it's not pretty, but it restricts unwanted access on unsecured ports.
> I'm pretty new to linux in general but quickly learning, is blocking the
> port 80/8080 just as secure as forcing a redirect to https?
>
It's certainly no less secure than forcing a redirect - it might be
slightly more secure than allowing port 80 through and forcing the
redirect, since it's truly blocking all non-SSL/TLS traffic, so there's not
anything unencrypted that will get by.  Based on your setup, proxying
through Apache httpd, I would *definitely* block port 8080 and 8009 from
the outside world - my usual practice is to reconfigure Tomcat to only
listen on 127.0.0.1 so that the 8080/8009 traffic remains internal to the
host, and httpd (or nginx when I use that) is handling all of the requests
coming in from the network.

-Nick
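
One way to verify the practice described in this reply (Tomcat's 8080/8009 listeners bound to 127.0.0.1 only), as an added example that is not part of the original thread: a filter over `ss -ltn` output that reports listeners on the given ports that are not bound to loopback. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# exposed_listeners PORTS
# Reads `ss -ltn` output on stdin and prints "port address" for every
# listener on one of the comma-separated PORTS that is NOT bound to a
# loopback address (127.0.0.0/8, [::1], or IPv4-mapped loopback).
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            endpoint = $4                       # Local Address:Port column
            k = split(endpoint, parts, ":")
            port = parts[k]                     # text after the last colon
            addr = substr(endpoint, 1, length(endpoint) - length(port) - 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample of `ss -ltn` output: 8080 is bound to all interfaces,
# 8009 and guacd (4822) are bound to loopback only.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*
LISTEN  0       100                  *:8080               *:*
LISTEN  0       100          127.0.0.1:8009         0.0.0.0:*
LISTEN  0       5            127.0.0.1:4822         0.0.0.0:*
EOF
}

sample_ss_output | exposed_listeners 8080,8009    # 8080 *
```

On a live host, pipe the real command into the same function: `ss -ltn | exposed_listeners 8080,8009`. Empty output means both ports are reachable only from the host itself.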


Re: Problems with basic authentication

2017-10-16 Thread Nick Couchman
On Mon, Oct 16, 2017 at 2:21 PM, Felix Wolfheimer <
f.wolfhei...@googlemail.com> wrote:

>
> Hi,
>
> I'm trying to get a VNC connection working using Guacamole. I built and
> installed the guacd and the client without issues, started guacd and
> tomcat, and can see the login page of Guacamole when connecting with the
> browser, but whatever I try with the user-mapping.xml file, I can't log in.
> I installed the "user-mapping.xml" file to /usr/share/tomcat/.guacamole
> (the HOME of the tomcat user is /usr/share/tomcat) and the user-mapping.xml
> file is the one and only file in this directory. It has the following
> content:
>
> 
>   
> 
>vnc
>localhost
>5901
>
>   
> 
>
> The only message I can find on the server about the failed login is the
> following line in /var/log/messages:
>
> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
> x.x.x.x for user "testuser" failed.
>
> I've entered the password multiple times to make sure that I just made a
> typo.
>
> Is there anything I'm missing and are there other places where I can find
> debugging information about the login process which could help
> understanding what goes wrong?
>
> Thanks!
>

Everything you've done looks fine to me, but I'd suggest doing the
following:
- Edit your catalina.properties file (stored in the same place as the rest
of the Tomcat configs, like server.xml) and add the following line:
guacamole.home=/etc/guacamole
- Create the /etc/guacamole directory and set up permissions such that the
user running Tomcat can access it.
- Put your user-mapping.xml file in /etc/guacamole and restart Tomcat.
Verify permissions on that file, too, to make sure the Tomcat user has read
access.

See if that works - like I said, what you've done seems like it should
work, so not sure what's going on, but maybe this will help.

-Nick


Re: Re: UserName in Guacamole Extension

2017-10-16 Thread Nick Couchman
On Mon, Oct 16, 2017 at 4:44 PM, @eve0s  wrote:

> · Replace content of menu-dropdown to add an ID on the username
> DIV
>
>
>
> 
>
>
>
> 
>
>  ng-click="toggleMenu()">
>
> {{menuTitle}}
>
> 
>
>
>
> 
>
> 
>
> 
>
> 
>
>
>
> · Then you can access this variable by jquery.
>
>
>
> 
>
>
>
> $('#USERNAMEDIV').html()
>
> 
>
>
>
>
>
> · Don’t forget that all variables used on the client side can be
> hacked.  You shouldn't use those variables for security.
>
I'm not entirely sure what this thread is about, as it's missing some
context, but it's similar to another thread I responded to earlier.  The
username of the currently logged in user should be available using the
authenticationService service and the getCurrentUsername() method.  You
should be able to inject that module into your AngularJS code and retrieve
the username for the extension.

-Nick


Re: Guacd Telnet/SSH settings

2017-10-16 Thread Nick Couchman
On Mon, Oct 16, 2017 at 11:06 AM, McRoy, Jeffrey (GE Healthcare) <
jeffrey.mc...@ge.com> wrote:

> Hi Everyone,
>
>
>
> The newer versions of guacd allow for setting the color scheme, font size,
> and session capture. It looks like these are all set at the creation of the
> connection using guacd parameters. So far, I haven’t found a reference to
> accessing these features through the Javascript layer so users can control
> them. Is this the case, or did I miss something?
>
>
>
>
>
> Thanks & Regards,
>
> Jeff
>

To my knowledge these parameters cannot be adjusted in Guacamole after a
connection is established.  They are connection parameters, so they are
configured with the connection and then set by the Guacamole Client when
talking to guacd at connection time.

That said, I believe some recent enhancements to guacd allow for better
manipulation of the Guacamole terminal from within the destination system.
Linux, in particular, has fairly extensive support for tweaking the
terminal while you're using it, so there may be some of those things (color
schemes, in particular) that can be adjusted in the session that you are
logged into rather than worrying about them on the client side.  I'm not
sure if font size/zoom is one of those things, though - I've been using
xfce-terminal for so long, now, that my skills for raw terminal
manipulation are a bit dull!

-Nick


Re: Apache Force Re-Direct to HTTPS

2017-10-16 Thread Nick Couchman
On Mon, Oct 16, 2017 at 3:42 PM, Carter Sema  wrote:

> So, guac is configured to use Lets Encrypt for a SSL cert and it works
> great. But, my unsecured version is still open. My Apache configuration is
> set to redirect to HTTPs, but guac doesn’t seem to be listening, or my
> apache rules are incorrect.
>
>
>
> My current apache config is listed below.
>
>
>
> 
>
>   # redirect to https
>
>   Redirect permanent / https://myURL
>
> 
>

Is there another VirtualHost directive elsewhere in your Apache config that
might be overwriting this?  Are you able to access Guacamole via HTTP, or
does it just go to some other generic HTML content?

If you are able to access Guacamole via HTTP (vs. static content), make
sure you don't have any other ProxyPass/ProxyPassReverse directives in any
other Apache config files, as those might take precedence over the
Rewrite conditions.  You should only need those ProxyPass directives in
your  directive.

Finally, you always have the option of firewalling port 80 on your Apache
host - it isn't as user-friendly, but it keeps people from using HTTP :-).

-Nick


Re: Cisco ASA webvpn and Guac 0.9.13

2017-10-13 Thread Nick Couchman
On Fri, Oct 13, 2017 at 7:16 AM,  wrote:

> Hi there,
>
> https://issues.apache.org/jira/browse/GUACAMOLE-65 seems to have sprung
> up again.
>
> The workaround (the APCF) does not seem to work any longer.
>
> Can anyone confirm?
>
> Thanks
>
> Marki
>
>
Marki,
The last time around it was determined this was an issue with the ASA, not
Guacamole.  How do we know the issue hasn't changed/recurred on the Cisco
ASA platform?

As I don't have a Cisco ASA to test this out with, I probably can't be very
much help in tracking down the issue, and I don't know that any of the
other developers on the project have access to the ASA to do any testing.
You'll have to provide more details to help track down the problem and
suggest a solution.

-Nick


Re: Headless Guacamole protocol plugins

2017-10-12 Thread Nick Couchman
On Wed, Oct 11, 2017 at 5:00 PM McRoy, Jeffrey (GE Healthcare) <
jeffrey.mc...@ge.com> wrote:

> Hi Everyone,
>
>
> Has anyone tried making a headless protocol plugin to do a specific job?
> For example, download a file to a specific local guac server location. In
> the hypothetical example below when the Guacamole.Client connects it would
> login to hostname and download the remote file specified from hostname to
> the local destination on the guac server with no display.
>
> Regards,
> Jeff
>

Jeff,
I don't know of anyone having done this, but I guess I'm a little fuzzy on
why you'd want to do this in the first place?  Why not just a normal
transfer protocol, like FTP, FTPS, SFTP, SCP, etc., and find some way or
another to have the user launch that in a user-friendly way?  I guess I'm
not understanding what you gain in doing something like this with Guacamole?

-Nick


Re: auto-provisioning for auth-header?

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 10:49 PM Jason Haar  wrote:

> Hi there
>
> Is there any way to have guacamole auto-provision a new profile the first
> time a user connects? In particular I was wanting a set of default RDP/SSH
> connectors (ie equivalent to /etc/skel for Linux account creation)
>

No, this functionality does not currently exist in Guacamole (to my
knowledge, anyway).  However, I wonder if the token functionality might
work for you, instead?  If you layer JDBC and Header authentication, you
can then use the ${GUAC_USERNAME} token in your connection so that the name
of the logged in user will be placed into whatever connection parameter you
want (like the username field).  Perhaps that would accomplish the end goal
you're aiming for?

-Nick


Re: Guacamole Dropping Connections

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 3:16 PM, Carter Sema  wrote:

> Check /var/log/messages or journalctl = see screenshot attached. This is
> all I have under /var/log. My Distro is Ubuntu Server 16.04. Any other
> locations where those guacd logs might live?
>
>
>

You can check /var/log/syslog.  journalctl is a command, not a file - so
you'd just run "journalctl" at the command line, or "journalctl -f" if you
want to tail the file.  I'm not sure if Ubuntu uses that or not.  The
/var/log/syslog file might have information for you.

Alternatively you can start guacd in the foreground with debug:
/path/to/sbin/guacd -L debug -f

(after first stopping/killing any running guacd instances).  That will
print out all of the guacd output to the terminal - then retry your
connection and see what errors you get.

-Nick


Re: Deploying locally built WAR

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 2:49 PM, Ryan Underwood 
wrote:

> I think that is part of the problem.  Could someone post the dockerfile
> that you guys used for the docker image on docker hub?  For some reason
> that one posted without the dockerfile.
>
> Thank you
>
>
>

You can find the Dockerfile in the github repository:

https://github.com/apache/incubator-guacamole-client/blob/master/Dockerfile

-Nick


Re: Guacamole Dropping Connections

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 2:33 PM, Carter Sema  wrote:

> OK! That seemed to work… But now there another error.
>
> When trying to connect to a machine it says “
>
> The remote desktop server is currently unreachable. If the problem
> persists, please notify your system administrator, or check your system
> logs.”
>
>
>
> And catalina.out says-
>
> “Thu Oct 12 14:19:21 EDT 2017 WARN: Establishing SSL connection without
> server's identity verification is not recommended. According to MySQL
> 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
> by default if explicit option isn't set. For compliance with existing
> applications not using SSL the verifyServerCertificate property is set to
> 'false'. You need either to explicitly disable SSL by setting useSSL=false,
> or set useSSL=true and provide truststore for server certificate
> verification.
>
>
>
> I don’t think the SQL error is causing the problem, but I might be wrong..
>
>
>

Check /var/log/messages or journalctl, depending on your Linux distro, to
see what the error is from guacd.  The catalina.out file will tell you the
errors for the guacamole-client stuff, but the error you're getting seems
to be coming from the guacamole-server side, when it tries to make the
connection via RDP.

One thing I've noticed in my experience with Guacamole + RDP - if you're
using Windows 8 or newer or Windows 2012 or newer, NLA is required by
default.  If you've saved your username/password in Guacamole and have
turned on NLA, this will work - otherwise, if you have not saved your
credentials, and/or not enabled NLA, you might receive that error message.
You'll either need to relax Windows' restrictions on RDP connections such
that you can connect with older RDP clients, or you'll need to save your
credentials in the connection info.  The other option is to log in to
Guacamole with the same credentials you'd use to connect to Windows (enable
LDAP authentication module, or set your username/password the same) and
then use the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens to pass the
authentication information through.  Hopefully at some point we'll get
parameter prompting into the Guacamole Client, which will allow for the
preferred combination: Use NLA, don't save credentials, but allow user to
enter credentials at connection time.  Again, not sure if that's what
you're running into, but it could be.

-Nick


Re: execute script on “guacamole server” before/after connecting ?

2017-10-12 Thread Nick Couchman
2017-10-12 13:19 GMT-04:00 Jonathan Haché-Deschênes <
jhache-desche...@infoplus.ca>:

> Is there a way to execute script on “guacamole server” before/after
> connecting a specific RDP, VNC, TELNET, SSH connection.
>
>
>
> We want to be able to execute script before connecting to session.
>
> -  Start connection (RDP, VPN, TELNET, SSH)
>
> We want to be able to execute script when closing session.
>
>
>

Could you provide a little more detail of what you're trying to do?  What
is it you want to do before and after the connection - what is the script
going to do?

I don't think there's a way to do this currently, but it would help if you
could provide a little more information.

-Nick


Re: Deploying locally built WAR

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 1:47 PM, Ryan Underwood 
wrote:

> I built the war with no issues, dropped it into the tomcat folder (in
> docker) and bounced the container.  Now the MySQL authentication/extension
> appears to have issues.  Any ideas?
>
> For reference, I’m still troubleshooting the fact that I cannot connect to
> any remote RDP servers (or any servers) on my installation, though it’s a
> mirror of a friend’s built with the same scripts. I rebuilt the war to add
> logging information around the areas that are failing.
>
> Thank you
>
>
>
> 17:41:36.046 [localhost-startStop-1] ERROR o.a.g.extension.ProviderFactory
> - authentication provider extension failed to start:
> com.google.inject.internal.util.$ComputationException: 
> java.lang.NoClassDefFoundError:
> org/apache/guacamole/net/auth/ConnectionRecordSet$SortableProperty
>
>
>
If you built a new WAR, you also probably need to replace the MySQL JAR
file.  There have been some recent changes that would impact this class
mentioned, specifically - the ConnectionRecordSet has been changed to
ActivityRecordSet, so the WAR and JAR need to match.  You'll need to drop
the new JAR file into the Guacamole extensions folder.

-Nick


Re: Guacamole Dropping Connections

2017-10-12 Thread Nick Couchman
On Thu, Oct 12, 2017 at 12:52 PM, Carter Sema  wrote:

> Installed Fresh Guacamole 0.9.13, using mysql database backend for user
> and LetsEncrypt! For SSL with Apache2 for a reverse proxy. Guacamole won’t
> allow sessions to connect. Checked my catalina.out log and I’m seeing the
> following error
>
>
>
> 12:05:27.501 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> 12:06:26.882 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet
> - HTTP tunnel request failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>
>
This seems to indicate that Java does not trust whatever certificate
you're using.  You might need to import either the server certificate or
the root certificate for that server cert into the Java keystore.  This
will vary based on what type/version of Java you're using - in the
Sun/Oracle versions of Java, if you look in the JRE base directory, under
lib/security, you'll find a cacerts file that contains known CA
certificates.  You can use the keytool binary to import your certificate(s)
into that file, then restart Tomcat.  OpenJDK maintains a file somewhere
else, and that depends on what Linux distribution you're using.

-Nick
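
The keytool import described in the reply above, as an added example that is not part of the original thread: it locates the cacerts file under a Java home, backs it up, and imports a PEM CA certificate. The function names, the alias, the example paths and the STOREPASS variable are assumptions; `changeit` is the stock cacerts password.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA certificate into the
# trust store of the JRE that runs Tomcat. Names and paths are assumptions.

# Print the cacerts path below a Java home, or return 1 if none is found.
# Oracle JRE layout: <home>/lib/security/cacerts. Oracle JDK 8 and earlier
# keep the JRE in a jre/ subdirectory, so that location is tried as well.
find_cacerts() {
    java_home=$1
    for candidate in \
        "$java_home/lib/security/cacerts" \
        "$java_home/jre/lib/security/cacerts"
    do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# This example only accepts PEM input, so that a wrong file (a private key,
# an HTML error page saved by a download) is rejected before keytool runs.
is_pem_certificate() {
    [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# import_ca JAVA_HOME CERT_FILE ALIAS
# Return codes: 2 no cacerts found, 3 not a PEM certificate,
#               4 backup failed, 5 keytool import failed.
import_ca() {
    ca_home=$1
    ca_cert=$2
    ca_alias=$3

    store=$(find_cacerts "$ca_home") || {
        echo "no cacerts file under $ca_home" >&2
        return 2
    }
    is_pem_certificate "$ca_cert" || {
        echo "$ca_cert is not a PEM certificate" >&2
        return 3
    }

    # Keep a timestamped copy so the change can be reverted.
    cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 4

    keytool -importcert -noprompt -trustcacerts \
        -alias "$ca_alias" -file "$ca_cert" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}" || return 5

    # Show the new entry so its fingerprint can be compared with the CA's
    # published one; restart Tomcat afterwards so the JVM rereads the store.
    keytool -list -alias "$ca_alias" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Usage (placeholder paths and alias):
#   import_ca /usr/lib/jvm/example-jre /etc/ssl/example/issuing-ca.pem example-issuing-ca
```

Importing the issuing CA rather than the individual server certificate means the trust entry survives renewal of the server certificate.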


Re: Guacamole "protocol is not installed"

2017-10-12 Thread Nick Couchman
Brian,
What version of Guacamole gets installed?  If my searches are correct, the
versions of Guacamole available in the Ubuntu repositories are 0.9.9 and
0.8.3 - very old versions of Guacamole.  You probably want to try
downloading the source and installing following the build instructions:

http://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html

Alternatively I believe the EPEL repository has relatively recent versions
of Guacamole, so if you try CentOS or RHEL you might have better success
with a recent-ish package-based install.

-Nick

On Thu, Oct 12, 2017 at 11:59 AM, Brian Petr  wrote:

> I just installed Guacamole from apt-get on Lubuntu 17.04 (new VM I just
> stood up), and have included libraries for all 3 main protocols (SSH, VNC,
> RDP). I am able to login to the WebUI, but I am unable to use any of my
> connections. Logs show "Support for selected protocol is not installed"
> whether I use ssh, vnc, or rdp.
>
> Thank you
>


Re: [RDP] NLA Authentification fails with username who contains some characters

2017-10-11 Thread Nick Couchman
On Wed, Oct 11, 2017 at 8:54 AM, cbosys  wrote:

> *Guacamole server 0.9.11-incubating*
> *Guacamole client 0.9.11*
>

Can you try 0.9.13-incubating (the latest) and see if the issue still
exists there?

-Nick


Re: Guacamole Install Script problems

2017-10-10 Thread Nick Couchman
On Tue, Oct 10, 2017 at 2:14 PM, Carter Sema  wrote:

> Installed Guacamole from this script several times
> https://sourceforge.net/projects/guacamoleinstallscript/ . Without any
> problems, went to stand up a testing box and its acting like the
> application didn’t install. I navigate to my URL with nginx and without the
> reverse proxy and it just returns 404 errors.
>
> Started the service guacd, tomcat, nginx. Checked some of the
> configuration and everything looks right to me…
>
>
>
> Any ideas?
>
> Thanks!
>
> Carter
>
>
>

First, it's worth noting that this install script isn't officially
associated with the Guacamole project.  Looks like someone (Hernan) has
created the script and posted it on SourceForge.  I've never seen/used that
script, so not sure what it does.  It looks like Hernan keeps it up to date
(mostly, as of May), but based on the fact that it is separate from the
project, the amount of support you're going to get from this community for
that script is going to be limited.

That said, in order to debug any issues you're having getting Guacamole to
run, you're going to need to look at configuration files and log files.
The amount of information you've provided isn't very comprehensive, so when
you say you checked some of the configuration and it looks right - what
configurations did you check?  How are they configured?  What messages are
you seeing in the Nginx log files?  How about the Tomcat log files?  Have
you checked to make sure the Guacamole webapp is getting deployed by
Tomcat?  Is it at the URL you expect it to be at?  Is the 404 being thrown
by Nginx or by Tomcat?

Please look at those items and provide additional detail, and we'll see
what we can do to help you get it going.

Regards,
Nick


Re: have got auth-header working - but can't see any "" options

2017-10-09 Thread Nick Couchman
Jason,

On Mon, Oct 9, 2017 at 10:06 PM, Jason Haar  wrote:

> Hi there
>
> I've just started playing with guacamole and have successfully got as far
> as creating a standalone user-profile (ie username/password)
> in user-mapping.xml - some RDP and SSH sessions - all working fine.
>
> So then I got more adventurous and decided on testing auth-header - as we
> would run such a beast behind an Apache reverse-proxy - so time to test.
> Well I've got the Apache server sending "X-User: email@address", and now
> when I connect I see I am automagically logged in as "email@address" -
> great! But there's no "profile" (for want of a better term).
>
> So then I edited user-mapping.xml and created a fake account for
> "email@address" , and cut-n-pasted my working standalone user profile
> into it (ie the same RDP and SSH ""'s). Restarted tomcat and -
> nothing.
>
> Whatever I try, all I get is an empty profile - no actual terminal
> services. Also, if I access the account's "Settings", all I get is the
> turning "cog wheel" - but nothing actually comes up. If I did that on my
> standalone account, I get to change my default language/etc.
>

For the spinning cog wheel of infinity, there's a commit in the git master
repo that I believe will fix this issue.  I doubt it's related to the other
trouble you're having - the lack of connection mapping.  From what I can
tell you're doing things right, so not sure why that isn't working.

I would suggest setting up the JDBC authentication module with a MySQL or
PostgreSQL database.  It takes a few minutes longer, and definitely works
to layer the JDBC module with the auth-header module (or CAS, LDAP, etc.).
I can't remember if Mike mentioned something recently about the basic user
mapping module not working as a layered module or not - I haven't tried
it.  Either way, I highly recommend using the JDBC module - particularly if
you plan to scale your deployment at all, it'll be much easier to do that
with JDBC.

-Nick


Re: Error message when disconnecting a Windows Server 2012

2017-10-09 Thread Nick Couchman
On Mon, Oct 9, 2017 at 6:09 AM, Kevin Rivrain 
wrote:

> Hello,
>
>
>
> For information I quickly tested Guacamole installation on Centos 7 (my
> previous installations were on Debian 8) and I don’t have the problem when
> I logout from Windows now…
>
>
Interesting.


>
>
> On Debian, the version of freerdp is 1.1.0 and on Centos 1.0.2. And, I do
> not have some libraries on Centos (libavcodec, libavutil, libswscale,
> libtelnet), I'll look for why. I do not know why it's OK on Centos and not
> on Debian.
>

I'm using FreeRDP 1.1.0 on CentOS 7 that I compiled from git, and I do not
see the issue.  I also have another CentOS system with FreeRDP 1.0.x that
does not exhibit the problem.  I wonder if the Debian package has some
other patch applied to it that is causing this behavior...

-Nick


Re: Looking for help with Sles 12 SP2 and guacamole with freerdp

2017-10-08 Thread Nick Couchman
On Thu, Oct 5, 2017 at 7:25 AM, Grohnwaldt, Klaus 
wrote:

> Hello,
>
> I'm trying to set up a guacamole environment and run into a challenge on my
> SLES 12 SP2.
>
> I'm not able to "make" the guacamole server with support for RDP, since
> something is wrong with the freerdp package - at least I think so.
>
>
>
> Can you recommend a work around or a functional version of freerdp?
>
>
>
> 0.9.13-incubating
>
> libfreerdp2-2.0.0~git.1463131968.4e66df7-12.3.2.x86_64
>
> freerdp-devel-2.0.0~git.1463131968.4e66df7-12.3.2.x86_64
>
>

Unfortunately I do not believe Guacamole currently supports the FreeRDP
2.0.0 code.  There's a JIRA issue opened to add the support:

https://issues.apache.org/jira/browse/GUACAMOLE-249

But they've changed around the API for FreeRDP for that version, so there
are some challenges getting it to work correctly.

-Nick


Re: Screen Recording with Mouse Cursor

2017-10-08 Thread Nick Couchman
On Thu, Oct 5, 2017 at 2:59 PM, Aaron Newsome 
wrote:

> Hi all. I posted this question a few weeks back and got zero response. The
> list seems more active now so maybe someone has some insight into this now.
> Sorry for the repost.
>
>
No worries, sometimes we need a gentle nudge.


> I'm using the version 0.9.12 and 0.9.13. I'm very impressed with Guacamole
> so far. It's an excellent piece of software that really simplifies remote
> access for me.
>
>
Glad you like it.


> I'm trying out the screen recording feature and the recordings look great
> (given a high enough bitrate for guacenc). My question is regarding the
> rendering of the mouse in RDP sessions.
>
> When I create a screen recording, the movie file does not show a cursor.
> For the type of screen recordings I'll be doing, I'll need the mouse to be
> rendered for the movie file to be useful.
>
> I've done a bunch of searching around to see if there's a way for RDP to
> render the cursor in the remote machine but I'm having no luck finding that
> option.
>
> Does anyone know how to make a guacamole screen recording with the mouse
> cursor recorded as well?
>

I don't think I have good news for you - I'm fairly certain that, with RDP
in general, the mouse cursor is rendered on the client-side and I don't
know of a way to change this.  I think VNC has some options for showing
client-side, server-side, or both, but I think RDP is fairly set in its
behavior that the rendering happens client-side.  I don't think this is an
issue specific to Guacamole, I believe it's something you'd see if you were
using any screen recording software that operates outside the client.

The only potential work-around I can think of to tell you to try is to
install a VNC Server on the Windows system and connect that way, and see if
you can change the mouse cursor options on VNC (either in the Guacamole
configuration or on the VNC server) such that you get the mouse pointer.
What you *should* see if this is working the way you require when you
connect with Guacamole is actually dual mouse pointers - you'll see the
client-side one on your system that is connecting to Guacamole, and then
you should see a second server-side one "follow" that one around.

Beyond that, we'd have to see if there was a modification we could make to
Guacamole, specifically in the recording feature, to render a cursor where
it sees mouse activity.  I don't know how feasible this is, or if it's
something other folks would consider desirable.  Mike, any thoughts on that?

-Nick


Re: what is java.lang.NullPointerException

2017-10-08 Thread Nick Couchman
On Fri, Oct 6, 2017 at 6:59 AM, Youhei Ootsuki 
wrote:

> Hi,
>
>
> Thank you very much for your reply.
>
>
> > Are you using the Guacamole Client, or are you writing your own custom
> application?  Can you provide more details about what you're doing when you
> encounter the error?
>
> I am using Firefox. # ver 56.0 (32 bit)
> and accessing my Guacamole server using HTTPS
>
>
Okay, so you're using the full guacamole-client and guacamole-server
packages.


> Good )
>
>   My PC ---> SSH > Remote Server
>   My Guacamole Server > SSH > Remote Server
>
>
> No Good )
>
>   My PC ---> HTTPS > My Guacamole Server > SSH > Remote Server
>
>
At what point in the process do you get the error?  Is it when you try to
log in to Guacamole?  Or you can log in to Guacamole, but when you try to
make the SSH connection it fails?  How is the connection configured?

Also, you mentioned you were using Apache, presumably as a proxy in front
of Tomcat - how do you have Apache configured?  It looks to me like at
least one of the errors is a misconfiguration of the proxy between httpd
and tomcat, probably either related to HTTP/HTTPS or to WS/WSS, but it's
hard to tell without a lot more detail.

-Nick


Re: Clipboard Usage

2017-10-08 Thread Nick Couchman
On Sun, Oct 8, 2017 at 3:37 PM, Steve Karam 
wrote:

> Hi Philip,
>
> If you’re using Chrome you can install this extension:
> https://chrome.google.com/webstore/detail/clipboard-permission-mana/ipbhneeanpgkaleihlknhjiaamobkceh?hl=en
>
> On a supported guacamole desktop, an icon in the extensions bar will let
> you allow direct copy/paste. I’m not sure what the minimum required
> guacamole version is, but it didn’t work on 0.9.7.
>

I tracked it down not too long ago, and I believe it was either 0.9.10 or
0.9.11 where support was added; however, using the latest version
(0.9.13-incubating or building from git master) definitely works.

Chrome requires the extension, and I believe Firefox requires a certain
version capable of loading Chrome-style extensions, but I could be wrong
about that.

-Nick


Re: what is java.lang.NullPointerException

2017-10-05 Thread Nick Couchman
On Thu, Oct 5, 2017 at 9:40 AM, Youhei Ootsuki 
wrote:

> Hi,
>
>
> What happened
>
> Please tell me the solution
>
>
>
Are you using the Guacamole Client, or are you writing your own custom
application?  Can you provide more details about what you're doing when you
encounter the error?

-Nick


Re: showing an error message to the end user

2017-10-04 Thread Nick Couchman
On Tue, Oct 3, 2017 at 6:41 PM, Mike Jumper 
wrote:

> On Tue, Oct 3, 2017 at 2:00 PM, shaykeren  wrote:
>
>> Hi,
>> I've implemented my own AuthenticationProvider.
>> I would like to show an error message to user if some request parameter
>> is not valid.
>
>
> What request are you referring to? What is the nature of the parameter?
>
> - Mike
>
>
Also, what kind of authentication provider?  What's the login process look
like?

As much detail as possible :-).

-Nick


Re: Error message when disconnecting a Windows Server 2012

2017-10-03 Thread Nick Couchman
On Tue, Oct 3, 2017 at 10:50 AM, Kevin Rivrain 
wrote:

> Hello,
>
>
>
> No one has encountered this problem on Windows Server 2012 R2 ?
>
> It is possible to change Guacamole configuration to come back at the main
> page automatically after logout a Server to bypass this problem ?
>
>
>
> Sincerely,
>
> Kevin
>
>
>

I connect to both 2008R2 and 2012R2 servers, and am not seeing this issue.
What version of FreeRDP are you building guacd against?

I don't think there's currently a way to change the behavior of a
disconnect that results in an error.

-Nick


Re: french translation in 0.9.13 ?

2017-10-03 Thread Nick Couchman
On Tue, Oct 3, 2017 at 5:21 AM, fou fe  wrote:

> Hi
>
> In fresh installation of Guacamole 0.9.13 I see that some new words are
> missed in fr.json like Guacamole Proxy Parameters :
>
> Can you confirm that ?
>
> F.F
>
Fou,
We do our best to get the translations into as many languages as
possible, but if there is something missing you are welcome to contribute
to the translations - we can use all the help we can get!

Regards,
Nick


Re: Automatic execution of commands in Telnet/SSH

2017-10-02 Thread Nick Couchman
Jeff,
Guacamole does not work any different in this regard than logging into the
SSH or Telnet system with a terminal emulator.  So, you can certainly set a
command to run at login, which will be executed in the context of the
user's login shell and environment, but there's no special way that
Guacamole has to inject commands into the login process that either bypass
the user's login shell or execute something just because it's coming from
Guacamole.

There are ways to accomplish this - like setting the SSH session startup
command to a particular shell script that runs and then drops the user into
a shell.  But, again, this is exactly the same process you'd use if you
wanted to do this for someone using ssh or telnet on a command line.

-Nick

On Mon, Oct 2, 2017 at 4:46 PM, McRoy, Jeffrey (GE Healthcare) <
jeffrey.mc...@ge.com> wrote:

> Hi Everyone,
>
>
>
> Has anyone experimented with automatically executing a command on the
> remote system directly after logging in using the Telnet or SSH protocol
> plugins?
>
>
>
>
>
> Thanks & Regards,
>
> Jeff
>
>
>
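
The startup-script approach from the reply above, as an added example that is not part of the original thread: a wrapper meant to be set as the SSH session's startup command, which records the session start and then hands over to the user's login shell. The script path, the SESSION_LOG variable, the `--run` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): session startup wrapper for an SSH
# connection. It runs in the user's own login context, exactly as it would
# for someone connecting with ssh on a command line.

# choose_shell WANTED [SHELLS_FILE]
# Print WANTED only if it is executable and listed as a valid login shell;
# otherwise fall back to /bin/sh so the user is never left without a shell.
choose_shell() {
    wanted=$1
    shells_file=${2:-/etc/shells}
    if [ -n "$wanted" ] && [ -x "$wanted" ] &&
        grep -qxF -- "$wanted" "$shells_file" 2>/dev/null
    then
        printf '%s\n' "$wanted"
    else
        printf '%s\n' /bin/sh
    fi
}

# audit_line USER SSH_CONNECTION_VALUE
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# For a Guacamole connection the client address is the host running guacd,
# because guacd is the SSH client.
audit_line() {
    session_user=$1
    conn=$2
    client=${conn%% *}
    printf 'user=%s client=%s\n' "$session_user" "${client:-unknown}"
}

run_session() {
    audit_line "$(id -un)" "${SSH_CONNECTION:-}" \
        >> "${SESSION_LOG:-$HOME/.session-start.log}"

    # Site-specific work that should happen at login goes here.

    # exec replaces the wrapper, so no extra process stays behind and the
    # session ends when the shell exits. -l asks for a login shell (assumes
    # a shell that accepts it, such as bash or dash).
    exec "$(choose_shell "${SHELL:-}")" -l
}

# Only start a session when asked to, e.g. with the connection's startup
# command set to "/usr/local/bin/session-start --run" (hypothetical path).
if [ "${1:-}" = "--run" ]; then
    run_session
fi
```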


Re: How-to - Guacamole with Google Authenticator for 2FA

2017-10-01 Thread Nick Couchman
>
> My impression of CAS is that it is notoriously difficult to get working
> due to it's relative paucity of documentation / sample configurations, and
> its development / release ethos.  On that basis, any write-up would benefit
> CAS even more than Guacamole!
>
>
Yes, I've set it up several times, and, while I'm better at it, I still
have trouble getting all of the options, syntax, etc., correct due to the
lack of documentation that does not assume an intimate knowledge of the
source code and the lack of comprehensive examples.


> The good news regarding TOTP 2FA is that if you look at GUACAMOLE-96
> , there may be some
> good news soon enough.
>
>
Yeah, I hope we can produce something that brings the capability into the
product, even if it is supported by external authentication mechanisms.  I
also have a RADIUS module currently going through the review process and,
someday, I hope that'll finish the review process and be available, as
well.  Getting 2FA set up in RADIUS isn't too bad, especially with things
like LOTP.

-Nick


Re: How-to - Guacamole with Google Authenticator for 2FA

2017-09-30 Thread Nick Couchman
David,
Thanks for the fantastic write-up!  I think using CAS only for Guacamole
2FA is probably overkill for most folks, but if you're already using CAS or
want CAS for 2FA for other stuff, and want to integrate Guacamole into it,
this is great.  I'll try to take a look at your write-up in detail and
provide some suggested edits for it.  Don't know exactly where the best
place to post it would be, but I definitely think it should be made
available!  I think it probably should be made available to a wider
audience than just the Guacamole folks, as I think it's probably useful for
folks who want to do 2FA with CAS, in general.

-Nick

On Fri, Sep 29, 2017 at 6:09 PM, David Bonnes  wrote:

> For humor, I set up a Apereo CAS server as a means to use gauth/TOTP as a
> second-factor for authenticating with guacamole.  It was working 100%, but
> personally, I'll be sticking with DUO for now.  However, I think some
> people would want this feature.
>
> I really think the method I used needs writing up somewhere for the
> benefit of the community (and doubtless for them to improve), but I am not
> the person to do that...
>
> Is someone willing to edit my notes, and post a nice tutorial somewhere?
> For the right person (i.e. some evidence you'll write up a nice how-to), I
> am willing to take some time to explain what worked, what didn't, and why.
>
> If not, and in any case, here is the bulk of my notes/scripts...
>
>
> #!/bin/bash
> 
> 
> #0. Confirm that Guacamole is working with MySQL (have something in the
> profile)
> #1. Test basic config of CAS via CAS - need to set log folder
> #2. Switch to static account (same name as one in 0.) via CAS - consider
> SHA256 encoding
> #3. Test auth through guacamole - should see profile (will need service
> registry)
> #4. Switch to jdbc auth (QUERY) on CAS - (may need to set permission for
> guac_username) - can test auth-d via cas logon page first
> #5. As above, but with Gauth
> 
> 
>
> 
> 
> ## Install CAS webapp via the overlay method
> # can change  in pom.xml for other versions...
>   mkdir /opt; cd /opt
>   git clone -b 5.2 https://github.com/apereo/cas-overlay-template cas
>   cd cas
>   chmod a+x build.sh
>
>
>
>
> 
> 
> # To eliminate: "Non-secure Connection" warning, add secure="true" to 8080
> of /var/lib/tomcat8/conf/server.xml
>
> ### ./etc/cas/config/log4j2.xml: set /var/log/tomcat8
>   sed -i -e '/"cas.log.dir"/ s:>.*<:>/var/log/tomcat8<:' etc/cas/config/log4j2.xml
>   mkdir -p /etc/cas/logs; chmod a+w /etc/cas/logs
>
> ### ./pom.xml - will need this eventually
> #   5.2.0-RC4-SNAPSHOT
>
> ## ./etc/cas/config/cas.properties
> ## Enable logging...
>   logging.level.org.apereo: TRACE
>   logging.config: file:/etc/cas/config/log4j2.xml
>
> ## Set CAS server name URL...
>   cas.server.name:   https://vm-builder.home:8443
>   cas.server.prefix: ${cas.server.name}/cas
>
> ## Enable basic admin pages...
>   cas.adminPagesSecurity.ip=172\.27\.0\.99
>   cas.monitor.endpoints.enabled=true
>   cas.monitor.endpoints.sensitive=false
>
>
>
> 
> 
>
>
> service tomcat8 stop
> rm /var/log/tomcat8/*; rm /etc/cas/logs/*
> rm -r /var/lib/tomcat8/webapps/cas; rm /var/lib/tomcat8/webapps/cas.war
> ./build.sh package
> cp /opt/cas/target/cas.war /var/lib/tomcat8/webapps
> cp -r etc/cas/ /etc
> service tomcat8 restart
> tail -f /var/log/tomcat8/catalina.out
>
>
> 
> 
> # see: https://apereo.github.io/cas/5.1.x/installation/Whitelist-Authentication.html
>
>
> ### ./etc/cas/config/cas.properties
> ## A whitelist of users (use SHA-256 password hash)...
> # cas.authn.accept.users=dbonnes::P@ssw0rd
>   cas.authn.accept.users=dbonnes::d61bcb77d84080738bd5993b18
> 1400992e8c272b372bb4e33522427936
>   cas.authn.accept.passwordEncoder.type=DEFAULT
>   cas.authn.accept.passwordEncoder.characterEncoding=UTF-8
>   cas.authn.accept.passwordEncoder.encodingAlgorithm=SHA-256
>
>
>
> 
> 
> # see: https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/jJ8OOyoQoBw
>
> ### ./pom.xml
> 
> org.apereo.cas
> cas-server-support-json-service-registry
> ${c

Re: Error message when disconnecting a Windows Server 2012

2017-09-28 Thread Nick Couchman
On Thu, Sep 28, 2017 at 12:23 PM, Kevin Rivrain 
wrote:

> Hello everyone,
>
>
>
> I have a problem when disconnecting a Windows Server 2012. Indeed, this
> message appear : « The remote desktop server is currently unavailable. If
> the problem persists, please notify your system administrator, or check
> your system logs. »
>
>
>
> Error log message : « guacamole01 guacd[1453]: Error handling RDP file
> descriptors »
>
>
>
> Isn’t present on Windows 2008 (log : « guacamole01 guacd[1436]: RDP
> server closed connection: Disconnected. »).
>
>
>
> What might be the reason for the problem?
>
>
>
> Sincerely,
>
> Kevin
>
>
>

Kevin,
A few questions for you:
- What version of Guacamole are you running?
- How did you install guacd?  Was it a package, or did you build it
yourself?
- Does this happen consistently with multiple Windows 2012 servers, or just
a single one?
- Does it happen when you Disconnect, Log Off, or both?

-Nick


Re: Handling a SAML POST response

2017-09-28 Thread Nick Couchman
On Thu, Sep 28, 2017 at 12:20 PM, Colin McGuigan <
colin_guacam...@walkingshadows.org> wrote:

> Nick;
>
> Thanks for all your help.  Let me elaborate.
>
> When I say I have a REST service, it's just as you described -- a WS
> annotated class that is returned from the authentication provider's
> getResource method.  I can call this REST service just fine, and know that
> it works.
>
>
Very nice.


> This service takes in as POST (from the SAML identity provider), calls the
> existing /api/tokens endpoint, passing all of the same content, and
> receives
> a Guacamole authentication token -- ie, the user is now authenticated by
> Guacamole (specifically by my authentication provider), and is stored in
> the
> session.  This also works.  I receive the token just fine.
>
> The problem is I need to pass this token, somehow, to the Guacamole UI so
> that when it calls /api/tokens itself, it can pass in the same token.  The
> essentials of the REST method:
>
> @POST
> @Path("/postredirect")
> public Response redirectSamlPostToGet(@Context HttpServletRequest
> request, String content) throws GuacamoleException, URISyntaxException {
> try {
> String token = callTokenService(request, content);
> return Response.seeOther(new URI("http://
> /guacamole/#/token=" +
> token)).build();
> } catch (Exception e) {
> logger.error("Error occurred in postredirect", e);
> throw new RuntimeException(e);
> }
> }
>
> There are no errors in the logs.  In network traffic I see the redirect
> happen correctly.  However, Guacamole is ignoring the token= portion
> of the URL.  I've tried using id_token instead, but that is also ignored.
>
>
What if you try:

 return Response.seeOther(new URI("http:///guacamole/#/?token=" +
token)).build();

(Add the ? between the token parameter and the Guacamole URL).  Does that
work?

-Nick
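
Why the added `?` can matter, as an added example that is not part of the original messages or of Guacamole's code: a hash-based client router splits the URL fragment into a route path and a query part, and only the query part yields named parameters. The function names, the sample host and the token value are constructed, and it is an assumption here that the web application forwards those route parameters to /api/tokens.

```javascript
'use strict';

// Constructed sample redirect targets; host and token value are placeholders.
const WITHOUT_QUERY = 'http://guacamole.example.com/guacamole/#/token=CONSTRUCTED_TOKEN';
const WITH_QUERY    = 'http://guacamole.example.com/guacamole/#/?token=CONSTRUCTED_TOKEN';

// Decode one URL component, returning it unchanged if it is malformed.
function safeDecode(text) {
    try {
        return decodeURIComponent(text);
    } catch (e) {
        return text;
    }
}

// Split the fragment of a URL into a route path and its named parameters,
// the way a hash-based router reads "#<path>?<name>=<value>&...".
function parseHashRoute(url) {
    const hashIndex = url.indexOf('#');
    const route = hashIndex === -1 ? '' : url.substring(hashIndex + 1);

    const queryIndex = route.indexOf('?');
    const path  = queryIndex === -1 ? route : route.substring(0, queryIndex);
    const query = queryIndex === -1 ? ''    : route.substring(queryIndex + 1);

    // A Map avoids clashes with Object.prototype property names.
    const params = new Map();
    for (const pair of query.split('&')) {
        if (pair === '') continue;
        const eq = pair.indexOf('=');
        const name  = safeDecode(eq === -1 ? pair : pair.substring(0, eq));
        const value = eq === -1 ? '' : safeDecode(pair.substring(eq + 1));
        if (!params.has(name)) params.set(name, value); // first occurrence wins
    }
    return { path, params };
}

// The value a client could forward for the given parameter name, or null
// when the route carries no such parameter (forwarding is an assumption).
function forwardedParameter(url, name) {
    const { params } = parseHashRoute(url);
    return params.has(name) ? params.get(name) : null;
}
```

Without the `?`, the whole string `/token=...` is a route path and no parameter named `token` exists; with it, the path is `/` and `token` is an ordinary parameter.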


Re: Handling a SAML POST response

2017-09-28 Thread Nick Couchman
>
>
>> So, I think the approach you need to take is that, within the SAML
>> extension itself, you need to create a REST endpoint that handles
>> a POST call to it, processes the data from the POST, and then translates
>> that to the correct call to /guacamole/api/tokens to tell Guacamole that
>> the login has succeeded.  You can have a look at the other REST source code
>> to see code that creates these types of services:
>>
>> https://github.com/apache/incubator-guacamole-client/tree/master/guacamole/src/main/java/org/apache/guacamole/rest
>>
>> I've not actually implemented an extension-specific REST endpoint myself,
>> so I can't provide very detailed instructions, but it is possible - Mike
>> can probably provide further guidance, if needed.
>>
>
>
Here's a quick-and-dirty example of an extension-specific REST endpoint.  I
just did a quick modification to the JDBC base module.

- First, I created a new class inside the extension code.  I created a new
directory called "rest" and a file called TestRESTModule.java:

---TestRESTModule.java---
package org.apache.guacamole.auth.jdbc.rest;

import com.google.inject.Inject;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleResourceNotFoundException;

/**
 * Minimal extension-specific REST resource, exposed by returning an instance
 * of this class from the authentication provider's getResource() method.
 */
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class TestRESTModule {

    private final String hello = "Hello, world.";

    // Handles GET requests for the "hello" path beneath this resource
    @GET
    @Path("hello")
    public String getHello() {

        return hello;

    }

}
---End TestRESTModule.java---

- Next, in the Authentication Provider part of the module (for JDBC it's in
the InjectedAuthenticationProvider.java file), locate the getResource()
method and have it return this class (don't forget to import it):

    @Override
    public Object getResource() throws GuacamoleException {
        return new TestRESTModule();
    }

- Finally, log in to Guacamole, then pull up a tab with the URL (I'm using
the PostgreSQL JDBC module):

http://guacamole.example.com/guacamole/api/ext/postgresql/hello?token=

And you should see "Hello, world."

Obviously this isn't very useful, but should give you an idea of one way to
go about this.  Whatever class you return in getResource() can have the
necessary methods to process the SAML POST, read in the body of the POST,
and then accomplish whatever needs to be done to cause the login to succeed
and reload the page.

Hope this is of some use, or you've already figured it out! :-)

-Nick


Re: Docker Guacamole Latest

2017-09-28 Thread Nick Couchman
>
>
>
> guacamole/guacamole is something anyone in the Guacamole PPMC controls,
> including myself. You should have access, too, as all committers are
> implicitly PPMC within Guacamole. If not, that's an oversight we should
> correct.
>
> See: https://lists.apache.org/thread.html/b345e6c72629e3bf79c3e1243c6290073c3cf6f3901aa100a649f2a2@%3Cgeneral.incubator.apache.org%3E
>

Good to know.


>
>
> I assume glyptodon/guacamole is yours?
>>
>>
> Not really. "glyptodon/guacamole" is Glyptodon's, and while I'm certainly
> affiliated with Glyptodon, I'm not equal to it. For the health of the
> project, I refuse to wear my Glyptodon hat when doing anything within the
> Guacamole community. Here, I am strictly a committer on the Guacamole
> project and a member of its PPMC.
>

Makes sense.


>
> If the question here is whether third-party distribution of Guacamole is
> harmful, my personal view is that it isn't, and that part of the philosophy
> of the Apache Way is to embrace such distribution. It is expected (and
> beneficial) that third parties will package and distribute Guacamole,
> including via Docker images. Quickly checking Docker Hub, I find at least
> 15 pages of search results for Docker images containing Guacamole:
>
> https://hub.docker.com/search/?isAutomated=0&isOfficial=0&page=1&pullCount=0&q=guacamole&starCount=0
>
> To me, that's a good sign.
>

I totally agree.


>
> If there is a trademark/branding/licensing issue, however, that would be a
> different matter and should definitely be corrected ASAP.
>

 I think your answers above clear up some of the confusion - I was just
trying to clarify things to understand if the original suggestion - to make
sure only guacamole/guacamole had the newer versions (vs.
glyptodon/guacamole) - made sense.  For the purposes of this discussion
glyptodon/guacamole is a "third party" to the Guacamole Project, so I
definitely see and agree with your point - the Project should not worry
about trying to control/sanitize/dictate/etc. what is posted there.

-Nick


Re: Docker Guacamole Latest

2017-09-27 Thread Nick Couchman
>
>
>>
>> Since 0.9.10-incubating++ appear under guacamole/guacamole it may be
>> worth stripping the same out of glyptodon/guacamole to funnel those like me
>> more directly towards the right answer.
>>
>>
> The Guacamole project doesn't control whether third parties distribute
> their own Docker images. As long as licenses and trademarks/brands are not
> violated, we welcome such distribution. See:
>
> Mike

Is guacamole/guacamole not something you control?  I assume
glyptodon/guacamole is yours?

-Nick


Re: Handling a SAML POST response

2017-09-27 Thread Nick Couchman
On Wed, Sep 27, 2017 at 6:31 PM, Nick Couchman  wrote:

>
>
> On Wed, Sep 27, 2017 at 5:35 PM, Colin McGuigan  walkingshadows.org> wrote:
>
>> So I went ahead and created an external web service that internally calls
>> /guacamole/api/tokens, and then redirects to /guacamole/#/token=
>>
>
> When you say you created an external web service, what do you mean?
>
>
>>
>> Doesn't work.
>>
>> Investigation of the network traffic shows that the /guacamole/api/tokens
>> call does not have the token in it at all (in Mike's OpenID implementation
>> id_token is passed along this way, and I was hoping it would work the same
>> for token).  Changing the name of the parameter, so it's now redirecting
>> to
>> /guacamole/#/id_token= also does not pass a token_id parameter to
>> /guacamole/api/tokens, which confuses me, because I saw this behavior with
>> the OpenID plugin.
>>
>> So new questions:
>>
>> 1) Is this a valid approach?  Ie, can a Guacamole authorization token even
>> be passed around in this manner?
>>
>> 2) Why is the token not being passed from /guacamole/#/token= to
>> /guacamole/api/tokens?
>>
>>
>>
> So, I think the approach you need to take is that, within the SAML
> extension itself, you need to create a REST endpoint that handles
> a POST call to it, processes the data from the POST, and then translates
> that to the correct call to /guacamole/api/tokens to tell Guacamole that
> the login has succeeded.  You can have a look at the other REST source code
> to see code that creates these types of services:
>
> https://github.com/apache/incubator-guacamole-client/tree/master/guacamole/src/main/java/org/apache/guacamole/rest
>
> I've not actually implemented an extension-specific REST endpoint myself,
> so I can't provide very detailed instructions, but it is possible - Mike
> can probably provide further guidance, if needed.
>

Some basic information on extension-specific REST resources is available
here:

http://guacamole.incubator.apache.org/doc/gug/guacamole-ext.html#ext-rest-resources

-Nick


Re: Handling a SAML POST response

2017-09-27 Thread Nick Couchman
On Wed, Sep 27, 2017 at 5:35 PM, Colin McGuigan <
colin_guacam...@walkingshadows.org> wrote:

> So I went ahead and created an external web service that internally calls
> /guacamole/api/tokens, and then redirects to /guacamole/#/token=
>

When you say you created an external web service, what do you mean?


>
> Doesn't work.
>
> Investigation of the network traffic shows that the /guacamole/api/tokens
> call does not have the token in it at all (in Mike's OpenID implementation
> id_token is passed along this way, and I was hoping it would work the same
> for token).  Changing the name of the parameter, so it's now redirecting to
> /guacamole/#/id_token= also does not pass a token_id parameter to
> /guacamole/api/tokens, which confuses me, because I saw this behavior with
> the OpenID plugin.
>
> So new questions:
>
> 1) Is this a valid approach?  Ie, can a Guacamole authorization token even
> be passed around in this manner?
>
> 2) Why is the token not being passed from /guacamole/#/token= to
> /guacamole/api/tokens?
>
>
>
So, I think the approach you need to take is that, within the SAML
extension itself, you need to create a REST endpoint that handles
a POST call to it, processes the data from the POST, and then translates
that to the correct call to /guacamole/api/tokens to tell Guacamole that
the login has succeeded.  You can have a look at the other REST source code
to see code that creates these types of services:

https://github.com/apache/incubator-guacamole-client/tree/master/guacamole/src/main/java/org/apache/guacamole/rest

I've not actually implemented an extension-specific REST endpoint myself,
so I can't provide very detailed instructions, but it is possible - Mike
can probably provide further guidance, if needed.

Once you have that working, when you call the SAML authentication, you need
to make sure that SAML is redirecting back to your new REST endpoint, which
will then process the body of the POST request, authenticate the user in
Guacamole, and redirect on to the Guacamole home page or connection.

Mike or James, am I providing accurate information?

-Nick


Re: Docker Guacamole Latest

2017-09-27 Thread Nick Couchman
On Wed, Sep 27, 2017 at 11:26 AM, Jacob Staub  wrote:

> Hello,
>
> Click here  for guacamole.
>
> Click here  for guacd.
>
> Regards,
> Jake
>

If you look at the Tags tab on both of those you'll see the latest is
0.9.13-incubating, so if you're pulling the latest from there it should be
0.9.13-incubating.

How are you pulling it?

-Nick


Re: Docker Guacamole Latest

2017-09-27 Thread Nick Couchman
Please let us know how/from where you're pulling the image?

-Nick

On Wed, Sep 27, 2017 at 11:04 AM, Jacob Staub  wrote:

> Good morning,
>
> I have been working on updating Docker Guacamole from 0.9.9 to 0.9.13. I
> have pulled the latest image for guacamole and guacd. But when I deploy
> Guacamole from the latest images 0.9.11-incubating comes up rather than
> 0.9.13-incubating. 0.9.11-incubating, or what is indicated on the login
> page as 0.9.11-incubating, functions normally.
>
> Please confirm the Guacamole version of the latest guacamole images. It
> will help me determine if I'm causing the problem on my end.
>
> Regards,
> Jake
>
>
>


Re: Websocket tunnel connection time out issues

2017-09-21 Thread Nick Couchman
On Wed, Sep 20, 2017 at 10:08 PM, Eric Sten  wrote:

> Mike, Nick:
>
>   Because I am a glutton for punishment I decided to try installing
> Guacamole 0.9.13 one more time in FreeBSD, but this time with a fresh
> FreeBSD 11 install, not 10.3.  Wouldn’t  you know it installing via the
> FreeBSD pkg system under version 11, everything installed and works
> properly out of the gate!  Very strange indeed.
>
> Thanks
>
> Eric Sten
>
>

Cool, thanks for trying that out.  I did the same thing with 10.3 and it
worked for me, so not sure what was going on, but that's very strange.

-Nick


Re: Issues with mysql/mariadb authentication

2017-09-21 Thread Nick Couchman
On Wed, Sep 20, 2017 at 9:03 PM, Eric Sten  wrote:

> Mike, Nick.
>
>  After turning SELinux back on I found that the mysql_connect_any setting
> is OFF when I ran a getsebool -a | grep mysql.  After setting it to be on
> with the *setsebool mysql_connect_any 1* I am able to authenticate into
> Guacamole using mysql without errors and with SELinux enabled.
>
> In case it helps the CentOS I installed is from the
> CentOS-7-x86_64-Minimal-1708.iso.  I downloaded it on 9/16.
>
>   Thanks again for the assistance from both of you.
>
> Eric Sten
>
>
Good to know, thanks!  Still curious that neither Mike nor I has hit that
issue, but you did.  Maybe something changed in the most recent CentOS.

-Nick


Re: value of ${GUAC_USERNAME} need help

2017-09-21 Thread Nick Couchman
On Thu, Sep 21, 2017 at 5:21 AM, fou fe  wrote:

> Hi Nick,
>
>
> I have 0.9.13 now. My problem is still there.
>
>
> I mean that I have two users both initiating connections (not shared
> sessions) to the same host, and the second one to connect gets the first
> one's directory share (Guacamole RDP share) and can see/modify files of
> the other user.
>
> I'm using virtual drive defined: https://guacamole.incubator.apache.org/doc/gug/using-guacamole.html#rdp-virtual-drive
>
>
> Parameters of  connection are:
>
>
> parameter_name ='drive-path';
> parameter_value ='/tmp/$GUAC_USERNAME/';
> parameter_name ='enable-drive';
> parameter_value ='true';
> parameter_name ='security';
> parameter_value =' rdp';
>


Okay, good to know.  Have you tried this same scenario using something like
FreeRDP?  I'm curious if this is a Guacamole issue, a FreeRDP issue, or a
Windows issue.


>
> I don't see in log of tomcat any declaration of drive share
>
> there is fresh syslog with error
>
> Sep 21 11:08:35 caracole guacd[23716]: File open refused (-2):
> "\libglib-2.0-0.dll"
> Sep 21 11:08:35 caracole guacd[23716]: File open refused (-2):
> "\libintl-8.dll"
> Sep 21 11:08:35 caracole guacd[23716]: File open refused (-2):
> "\libgcc_s_sjlj-1.dll"
> Sep 21 11:08:35 caracole guacd[23716]: File open refused (-2):
> "\libgobject-2.0-0.dll"
> ...
>

What platform are you running guacd on?

-Nick
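
A check for the drive-path setting discussed above, as an added example (not Guacamole's code and not from the original messages): it expands a drive-path template for several usernames and reports any directory that more than one user would receive. The substitution function is a simplified stand-in that assumes a token is only recognised in the `${NAME}` form used in the thread subject; the function names and usernames are constructed.

```javascript
'use strict';

// Simplified stand-in for parameter-token substitution (assumption: only the
// exact form ${NAME} is a token; any other text is kept as a literal).
const TOKEN_PATTERN = /\$\{([A-Za-z0-9_]+)\}/g;

// Replace every known ${NAME} in the template; unknown tokens stay as written.
function applyTokens(template, tokens) {
    return template.replace(TOKEN_PATTERN, (match, name) =>
        Object.prototype.hasOwnProperty.call(tokens, name) ? tokens[name] : match);
}

// Map each resolved drive path to the set of users that would receive it.
function resolveDrivePaths(template, usernames) {
    const usersByPath = new Map();
    for (const username of usernames) {
        const path = applyTokens(template, { GUAC_USERNAME: username });
        if (!usersByPath.has(path)) usersByPath.set(path, new Set());
        usersByPath.get(path).add(username);
    }
    return usersByPath;
}

// Return the paths that two or more distinct users would share.
function sharedDrivePaths(template, usernames) {
    const shared = [];
    for (const [path, users] of resolveDrivePaths(template, usernames)) {
        if (users.size > 1)
            shared.push({ path, users: [...users].sort() });
    }
    return shared;
}

// Constructed usernames; the first template is the value quoted in the thread.
const SAMPLE_USERS = ['alice', 'bob'];
const AS_POSTED    = sharedDrivePaths('/tmp/$GUAC_USERNAME/', SAMPLE_USERS);
const WITH_BRACES  = sharedDrivePaths('/tmp/${GUAC_USERNAME}/', SAMPLE_USERS);
```

Under that assumption the value as posted resolves to one literal directory for every user, while the braced form gives each user a separate directory.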


Re: value of ${GUAC_USERNAME} need help

2017-09-20 Thread Nick Couchman
On Wed, Sep 20, 2017 at 4:21 AM, fouad fezzi  wrote:

> Hi ,
>
> I have guacamole 0.9.11 running and I want to set drive share but I have
> problem with value of GUAC_USERNAME.
> When 2 users are connected they have the same directory share in windows
> server.
> Do I forget something?
>
>
A couple of requests, here.  First, have you tried a later version of
Guacamole?  0.9.13 is out, now, so I'd suggest trying that.

Also, when you say you want to set a drive share using ${GUAC_USERNAME},
could you explain further what parameter you are setting, and the value you
are setting it to?

Finally, could you explain a little more clearly what you mean by "when 2
users are connected?"  Do you mean, when you're sharing a Guacamole session
and one user connects to the session another user has open?  Or do you mean
that you have two users both initiating connections (not shared sessions)
to the same host, and the second one to connect gets the first one's
directory share?  Or are both users connecting to different hosts, but one
user gets the path from the other user, even though they are connecting to
different hosts?



> syslog
>  Connection ID is "$8260954c-ccd4-4a8b-80e6-20a3232011bd"
> Sep 20 09:46:02 caracole guacd[5221]: Security mode: RDP
> Sep 20 09:46:02 caracole guacd[5221]: Resize method: none
> Sep 20 09:46:02 caracole guacd[5221]: User 
> "@82624d23-3a91-4551-a8af-f9fedb546cf6"
> joined connection "$8260954c-ccd4-4a8b-80e6-20a3232011bd" (1 users now
> present)
> Sep 20 09:46:02 caracole guacd[5221]: Loading keymap "base"
> Sep 20 09:46:02 caracole guacd[5221]: Loading keymap "fr-fr-azerty"
> Sep 20 09:46:02 caracole guacd[5221]: guacsnd connected.
> Sep 20 09:46:02 caracole guacd[5221]: guacdr connected.
> Sep 20 09:46:02 caracole guacd[5221]: Connected to RDPDR 1.12 as client
> 0x0003
> Sep 20 09:46:02 caracole guacd[5221]: Ignoring server capability set
> type=0x0001, length=44
> Sep 20 09:46:02 caracole guacd[5221]: Ignoring server capability set
> type=0x0002, length=8
> Sep 20 09:46:02 caracole guacd[5221]: Ignoring server capability set
> type=0x0003, length=8
> Sep 20 09:46:02 caracole guacd[5221]: Ignoring server capability set
> type=0x0004, length=8
> Sep 20 09:46:02 caracole guacd[5221]: Ignoring server capability set
> type=0x0005, length=8
> Sep 20 09:46:02 caracole guacd[5221]: Sending capabilities...
> Sep 20 09:46:02 caracole guacd[5221]: Capabilities sent.
> Sep 20 09:46:02 caracole guacd[5221]: Client ID confirmed
> Sep 20 09:46:11 caracole guacd[5221]: User logged on
> Sep 20 09:46:11 caracole guacd[5221]: Sending filesystem
> Sep 20 09:46:11 caracole guacd[5221]: Registered device 0 (Guacamole
> Filesystem)
> Sep 20 09:46:11 caracole guacd[5221]: All supported devices sent.
> Sep 20 09:46:11 caracole guacd[5221]: Device 0 (Guacamole Filesystem)
> connected successfully
>


It also might be useful to see the output from the Tomcat logs
(catalina.out).

-Nick

>
>


Re: Reply: guacamole remote access win10 failed

2017-09-19 Thread Nick Couchman
Oliver,
Are you using NLA Encryption with the Windows 10 connection?  I believe
Windows 8 and greater, by default, *require* NLA authentication, so you
*must* be using that, or you *must* reconfigure Windows to support non-NLA
encryption.  Microsoft was headed this way in Windows 7, and I believe by
Windows 8 (and Server 2012) it became the default.  Please try that.

-Nick

On Tue, Sep 19, 2017 at 3:47 AM, Oliver.Zhan 
wrote:

> can other windows system except win10 and server 2012/2016 can enable TLS
> security for remote access?
>
>
>
> *From:* Christian Kraus [mailto:christian.kr...@ckc-it.at]
> *Sent:* September 15, 2017 19:32
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: guacamole remote access win10 failed
>
>
>
> In Guacamole you need to enable TLS security for win10 and server
> 2012/2016 in the connections settings
>
>
>
> Rg
>
> Christian
>
>
>
>
>
>
>
> *From:* Oliver.Zhan [mailto:zhangjianp...@hikvision.com]
> *Sent:* Friday, September 15, 2017 11:03
> *To:* user@guacamole.incubator.apache.org
> *Subject:* guacamole remote access win10 failed
>
>
>
> I can remote win7 from guacamole successfully, but when I remote access
> win10, an error appears:
>
> Error connecting to RDP server
>
>
>
> My configuration for win10 is correct and I can access the win10 by
> another win7 successfully.
>
>
>
> What is wrong? Please help me!
>
>
>
>
> --
>
> *CONFIDENTIALITY NOTICE:*
>
> This electronic message is intended to be viewed only by the individual or
> entity to whom it is addressed. It may contain information that is
> privileged, confidential and exempt from disclosure under applicable law.
> Any dissemination, distribution or copying of this communication is
> strictly prohibited without our prior permission. If the reader of this
> message is not the intended recipient, or the employee or agent responsible
> for delivering the message to the intended recipient, or if you have
> received this communication in error, please notify us immediately by
> return e-mail and delete the original message and any copies of it from
> your computer system. For further information about Hikvision company.
> please see our website at *www.hikvision.com *
>
>
>


Re: guacamole remote access win10 failed

2017-09-15 Thread Nick Couchman
On Fri, Sep 15, 2017 at 5:02 AM, Oliver.Zhan 
wrote:

> I can remote win7 from guacamole successfully, but when I remote access
> win10, an error appears:
>
> Error connecting to RDP server
>
>
>
> My configuration for win10 is correct and I can access the win10 by
> another win7 successfully.
>
>
>
> What is wrong? Please help me!
>
>
>

Have you tried different RDP encryption methods?  I believe Windows 10, by
default, requires NLA, so make sure you've tried that (and specified your
domain, username, and password).

-Nick


Re: How do I ensure that the sample guacamole I use is using websockets and not ajax (XMLHttpRequest) ?

2017-09-05 Thread Nick Couchman
If you look at the catalina.out file from Tomcat, or the matching file from any 
other Java application server, you'll see a warning at the time of connection 
if it's using HTTP instead of Websocket for the tunnel.  If you see this 
warning then you need to make sure that you have properly configured all of the 
Websocket listeners - in particular, if you are proxying Tomcat (/JBOSS/etc.) 
behind something like Apache or Nginx, you need to make sure you configure the 
Websocket proxy in addition to the HTTP(S) proxy.  Apache HTTPD requires 2.4 or 
later, I believe, to proxy the WSS protocol, so if you're running 2.2 you will 
need to upgrade to get that to work.  Also, according to Tomcat documentation, 
you must be running Java 7 or later for WSS to work.  That shouldn't be too 
hard these days - it is generally difficult to get a Java 6 version downloaded, 
but just something else to verify.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Tuesday, September 5, 2017, 8:32:59 AM EDT, odonya  wrote:

I set up sample guacamole and it seems to be using ajax (XMLHttpRequest) and
not websockets, how can I ensure that I am using websockets?

I can tell it is using ajax because I am seeing so many XHR calls on the
browser console.



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/


Re: Raspberry Pi3 Debian compile fails for Stable and git versions of Guacamole server

2017-09-01 Thread Nick Couchman
 
What version of Debian are you compiling on, and what version of GCC are you 
using?
-Nick

On Thursday, August 31, 2017, 12:47:56 AM EDT, ReachNab wrote:
 
   CC      libguac_terminal_la-typescript.lo
typescript.c: In function 'guac_terminal_typescript_alloc':
typescript.c:133:46: error: '%s' directive writing 6 bytes into a region of
size between 0 and 2047 [-Werror=format-overflow=]
    sprintf(typescript->timing_filename, "%s.%s",
typescript->data_filename,
                                              ^~
typescript.c:133:5: note: 'sprintf' output between 8 and 2055 bytes into a
destination of size 2048
    sprintf(typescript->timing_filename, "%s.%s",
typescript->data_filename,
    
^~~~
            GUAC_TERMINAL_TYPESCRIPT_TIMING_SUFFIX);
            ~~~
cc1: all warnings being treated as errors
Makefile:567: recipe for target 'libguac_terminal_la-typescript.lo' failed
make[2]: *** [libguac_terminal_la-typescript.lo] Error 1
make[2]: Leaving directory '/srv/incubator-guacamole-server/src/terminal'
Makefile:493: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/srv/incubator-guacamole-server'
Makefile:425: recipe for target 'all' failed
make: *** [all] Error 2



  

Re: How to use just the backend of guac

2017-08-31 Thread Nick Couchman
Scott,
A few files for you to take a look at.  First, on the AngularJS side:
https://github.com/apache/incubator-guacamole-client/blob/master/guacamole/src/main/webapp/app/client/types/ManagedClient.js#L208

In the getConnectString() method, you'll see that several parameters are set up 
to pass through to the tunnel connection endpoint, and, among those, are 
GUAC_DPI, GUAC_WIDTH, and GUAC_HEIGHT.  Those parameters are taken off and 
processed in these two files:
https://github.com/apache/incubator-guacamole-client/blob/master/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequestService.java
https://github.com/apache/incubator-guacamole-client/blob/master/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequest.java

The TunnelRequest class contains the code that actually looks at the parameters 
and returns them; the TunnelRequestService class calls those methods and 
generates a GuacamoleClientInformation object that contains the required 
information.  You can eventually see that information processed here:
https://github.com/apache/incubator-guacamole-client/blob/master/guacamole-common/src/main/java/org/apache/guacamole/protocol/ConfiguredGuacamoleSocket.java#L157

There are a few more steps in between there before it actually makes it there, 
but most of that is just moving through various authentication extensions and 
such.
Hope that helps.
Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 6:15:41 PM EDT, Scott  wrote:

Nick,

Thanks again for the help.

My next question is, for SSH, how does the display automatically get resized
when the web page is resized and how is the size of the SSH terminal
initialized to the size of the web page?

Right now when I bring it up it is small and appears to not resize.

Scott





Re: Want to copy/paste data directly to terminal and vice versa with out clipboard .

2017-08-31 Thread Nick Couchman
The one in the extension bar is the one you should be looking at.  I'm not sure 
what version of Guacamole started supporting it, but 0.9.8 may be a little old. 
 You might try a more recent version.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 4:25:07 PM EDT, Steve Karam 
 wrote:

Thanks Nick. Unfortunately I’m not seeing a clipboard icon anywhere except the 
icon in the extension bar which has no options to allow/disallow. 
The clipboard icon I saw in the screenshot for the Chrome extension doesn’t 
show up in my browser when I’m on a Guacamole page. Could this be because I’m 
on guacamole 0.9.8?

On Aug 31, 2017, at 4:11 PM, Nick Couchman  wrote:
Steve,
After you install it, go to the Guacamole web page, then left-click the
new clipboard icon.  You should see the menu options to allow/disallow.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 4:03:58 PM EDT, Steve Karam 
 wrote:

Nick,
I just tried installing Clipboard Permission Manager on Chrome 60.0.3112.113 
64-bit for Mac, and don’t see any options or ability to use it. I’ve tried 
reinstalling, and restarting Chrome and restarting my computer as well. 

When I left click the icon it just shows the “right click” options. I also 
don’t see the logo on the omni bar.
Any chance using a reverse proxy or a non-default path could render it unusable?
Regards,
Steve Karam

On Aug 31, 2017, at 3:27 PM, Nick Couchman  wrote:
I assume you don't mean "without clipboard" and, instead, you mean "without 
Ctrl-Alt-Shift menu"?  You can do this in Google Chrome using the Clipboard 
Permission Manager plugin - it allows you to allow web pages to access the 
client clipboard directly without having to paste it into the hidden menu.
Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 3:04:21 PM EDT, Anburaj Palraj 
 wrote:

Hi All ,

Is it possible to copy/paste data  to directly to terminal  and vice versa with 
out clipboard  ? If yes can you help me  to achieve this  ? 






Re: Want to copy/paste data directly to terminal and vice versa with out clipboard .

2017-08-31 Thread Nick Couchman
Steve,
After you install it, go to the Guacamole web page, then left-click the
new clipboard icon.  You should see the menu options to allow/disallow.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 4:03:58 PM EDT, Steve Karam 
 wrote:

Nick,
I just tried installing Clipboard Permission Manager on Chrome 60.0.3112.113 
64-bit for Mac, and don’t see any options or ability to use it. I’ve tried 
reinstalling, and restarting Chrome and restarting my computer as well. 

When I left click the icon it just shows the “right click” options. I also 
don’t see the logo on the omni bar.
Any chance using a reverse proxy or a non-default path could render it unusable?
Regards,
Steve Karam

On Aug 31, 2017, at 3:27 PM, Nick Couchman  wrote:
I assume you don't mean "without clipboard" and, instead, you mean "without 
Ctrl-Alt-Shift menu"?  You can do this in Google Chrome using the Clipboard 
Permission Manager plugin - it allows you to allow web pages to access the 
client clipboard directly without having to paste it into the hidden menu.
Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 3:04:21 PM EDT, Anburaj Palraj 
 wrote:

Hi All ,

Is it possible to copy/paste data  to directly to terminal  and vice versa with 
out clipboard  ? If yes can you help me  to achieve this  ? 




Re: Want to copy/paste data directly to terminal and vice versa with out clipboard .

2017-08-31 Thread Nick Couchman
I assume you don't mean "without clipboard" and, instead, you mean "without 
Ctrl-Alt-Shift menu"?  You can do this in Google Chrome using the Clipboard 
Permission Manager plugin - it allows you to allow web pages to access the 
client clipboard directly without having to paste it into the hidden menu.
Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 31, 2017, 3:04:21 PM EDT, Anburaj Palraj 
 wrote:

Hi All ,

Is it possible to copy/paste data  to directly to terminal  and vice versa with 
out clipboard  ? If yes can you help me  to achieve this  ? 


Re: Granting users permissions after LDAP authentication

2017-08-31 Thread Nick Couchman
Mike asked the following follow-up question:

> Are you using any other extensions to provide storage for the connection data 
>itself? Or are you planning on storing the connection data within the LDAP 
>directory?

Which received no response.

The reason Mike asked is because the answer is that it depends on how you're
doing authentication and connections with LDAP.  If you're authenticating with
LDAP, but using one of the JDBC modules for storing connections, then you need
to create the LDAP users you want to assign permissions to in the JDBC module
(you can use the guacadmin user to do this, or you can manipulate the database
directly) and then assign those users permissions.  Then, the next time you
log in under the LDAP account, that user will have the permissions.  This is
called "layering" authentication modules, and works as long as the usernames of
the modules line up - that is, if you're logging into LDAP with the username
"avocado" then you must create a user with that same username in the JDBC
module and assign the permissions.

If you're using only the LDAP module, then the answer is that you cannot manage
connections from the Guacamole interface - you must use an LDAP tool to
manipulate the directory tree directly and then those items will be read in by
Guacamole.  You can do some basic permission management (use the member LDAP
property to assign the connection to certain users), but it's fairly
rudimentary.

See the following manual page for more info on both options:
http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html

Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==



On Thursday, August 31, 2017, 12:37:56 PM EDT, marcosrlopes 
 wrote:


Anyone??



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: Mike do you need anything?

2017-08-29 Thread Nick Couchman
Definitely check JIRA - that's where issues get logged and you can find ones 
that aren't owned by anyone and aren't actively being worked and contribute to 
those.  Create an account for yourself and grab an issue that you want to work 
and work on it.  The process for contributing code to the project is done 
through github.com - you fork the repository (make sure to use the Apache 
Incubator ones, not the Glyptodon ones), create a branch and make your changes, 
then create a pull request to merge the changes back into the Apache 
repository.  The changes will go through a review by one or more committers on 
the Guacamole project before they are merged back into the code.  See the 
following page for information on contributing to the project:
http://guacamole.incubator.apache.org/open-source/

Regards,
Nick


On Tuesday, August 29, 2017, 10:19:05 AM EDT, Suncatcher16 
 wrote:

Mike Jumper wrote
> If you encounter an issue with guac, dig in and try to scratch that
> itch, working with us upstream to contribute the result. 

Do you have any list of critical issues we can contribute? On Github
or maybe in Jira?

I am kinda new to Github issues and don't know where can I apply my efforts,
but I can do smth on Python and Java.




--
View this message in context: 
http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Mike-do-you-need-anything-tp1005p1589.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.


Re: Docker installation problem

2017-08-29 Thread Nick Couchman
You need to specify the database on that command line - so, something like:

    psql -h 1.2.3.4 -U postgres guacamole < upgrade-pre-0.9.13.sql

Replacing guacamole with whatever your database is named, and 1.2.3.4 with the
IP of your Postgres instance.

Also, if I were you, I would not post the public IP address of your cloud-based
database instance - even if you have the necessary ACLs in place, it's just not
a great idea to advertise that you're running a particular service on that IP,
on a publicly-accessible mailing list.  Just my opinion.

-Nick

On Tuesday, August 29, 2017, 9:36:42 AM EDT, Suncatcher16 
 wrote:

 tried upgrade script for 0.9.13 but got


> suncatcher@bodhi-v:/media/Downloads$ psql -h 54.169.108.0 -U postgres -f
> upgrade-pre-0.9.13.sql
> CREATE TYPE
> psql:upgrade-pre-0.9.13.sql:33: ERROR:  relation "guacamole_connection"
> does not exist
> psql:upgrade-pre-0.9.13.sql:34: ERROR:  relation "guacamole_connection"
> does not exist
> psql:upgrade-pre-0.9.13.sql:35: ERROR:  relation "guacamole_connection"
> does not exist
> psql:upgrade-pre-0.9.13.sql:41: ERROR:  relation "guacamole_user" does not
> exist
> psql:upgrade-pre-0.9.13.sql:42: ERROR:  relation "guacamole_user" does not
> exist
> psql:upgrade-pre-0.9.13.sql:43: ERROR:  relation "guacamole_user" does not
> exist
> psql:upgrade-pre-0.9.13.sql:44: ERROR:  relation "guacamole_user" does not
> exist





--
View this message in context: 
http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Docker-installation-problem-tp1577p1584.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.


Re: Docker installation problem

2017-08-29 Thread Nick Couchman
Yes, the structure has changed since then - you'll need to use the update 
scripts included in the PostgreSQL module to update to the 0.9.13 schema.  You 
don't need to recreate the entire database - there are scripts specifically for 
updating the schema from one version to another.
-Nick

On Tuesday, August 29, 2017, 9:26:34 AM EDT, Suncatcher16 
 wrote:


Mike Jumper wrote

Well, it was a firewall issue. Now it's okay, but I have another problem.
When I try to access Guacamole page it shows nothing and in logs I see:

13:22:29.977 [http-nio-8080-exec-1] ERROR o.a.g.rest.RESTExceptionWrapper - Unexpected internal error:
### Error querying database. Cause: org.postgresql.util.PSQLException: ERROR: column "full_name" does not exist
  Position: 322
### The error may exist in org/apache/guacamole/auth/jdbc/user/UserMapper.xml
### The error may involve defaultParameterMap
### The error occurred while setting parameters
### SQL: SELECT user_id, username, password_hash, password_salt, password_date, disabled, expired, access_window_start, access_window_end, valid_from, valid_until, timezone, full_name,  email_address, organization, organizational_role FROM guacamole_user WHERE username = ?
### Cause: org.postgresql.util.PSQLException: ERROR: column "full_name" does not exist
  Position: 322
29-Aug-2017 13:22:29.985 SEVERE [http-nio-8080-exec-1] null.null Mapped exception to response: 500 (Internal Server Error)
 org.apache.guacamole.rest.APIException
 at org.apache.guacamole.rest.RESTExceptionWrapper.invoke(RESTExceptionWrapper.java:202)

Re: How to use just the backend of guac

2017-08-24 Thread Nick Couchman
Scott,
There is some example code available, both in the manual and in the
github repository for guacamole-client, that should provide some guidance on
how to do this.  You can implement it from the ground-up, or you could use the
guacamole-common component of the repository to do the core functionality and
then build your web application on top of that.  The guacamole-common piece
provides the basic interfaces that talk to the guacd process and do the
translation.  Of course, if you go this route you'll need to do your
implementation in Java, since that's what guacamole-common is written in.

You could go a completely different direction, if you wanted, and write it in 
some other server-side language, like PHP or NodeJS.  I believe there was a PHP 
implementation out on the web somewhere once upon a time, but that was several 
years ago and I've not looked in a while.  If you go this route, you'd more or 
less have to start from the ground up, writing all of the client-side 
components and referencing the Guacamole protocol documentation (and maybe some 
of the Java source code) to make whatever application you write talk to the 
guacd process using that protocol.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 24, 2017, 9:25:31 PM EDT, Scott  wrote:

Nick,
Thanks for the reply. For clarification, it is a web application. Since I
am really early in my investigation of this and have not really looked at the web
client that is provided, how easy would it be to modify the client to do what I
want, which is essentially take some params that provide the appropriate
protocol information and then have the RDP/VNC/SSH page served back to me?
Scott
View this message in context: Re: How to use just the backend of guac
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.


Re: How to use just the backend of guac

2017-08-24 Thread Nick Couchman
Scott,
Guacamole is, really, a protocol.  It's a way of converting the various
remote desktop protocols - like RDP, VNC, SSH, etc., - to a single protocol.
There is a Guacamole Server (guacd) and a Guacamole Client.  The Guacamole
Server, guacd, handles translating RDP, VNC, SSH, and Telnet to the
Guacamole Protocol.  The Guacamole Server does not implement everything
necessary for you to access the connections in a web browser - you need a
client that speaks the Guacamole protocol to accomplish this.

So, the core answer to your question is, yes, you can just use guacd - you do
not have to use the web client provided by the Guacamole project.  However, if
you're going to do this, you still need something to translate between the
Guacamole protocol and whatever client type you're trying to use.  If it's a
web browser, you'll need to write a web application.  If it's a mobile device,
you'd need to implement a mobile application, etc.  But, whatever client type
you want to use, you have to write something that speaks the Guacamole Protocol
to guacd.

Hope this helps - feel free to respond with additional questions if you have
them.

Regards,
Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Thursday, August 24, 2017, 8:29:55 PM EDT, Scott  wrote:

Hopefully this isn't a stupid question, but I would like to just utilize the
VNC, RDP,... functionality of guacd and not use the connection management and
auth that the web interface provides. I already have a solution that provides
all of this. Is this possible? Do I just need to follow how to make my own Web
application or is there more? Also, has anyone used node.js instead of
Apache? Thanks in advance.
View this message in context: How to use just the backend of guac
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.
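
What "speaking the Guacamole protocol to guacd" involves at the wire level, for the two "How to use just the backend of guac" replies above. This is an added example, not part of the original messages and not the Guacamole project's code. It assumes the instruction framing given in the Guacamole protocol documentation; the function names, the size limits and the sample server data are constructed for illustration.

```javascript
// Added example. Instruction framing per the Guacamole protocol docs:
// "LENGTH.VALUE" elements joined by "," and terminated by ";".
// LENGTH counts Unicode code points, not bytes. Names are hypothetical.

const MAX_LENGTH_DIGITS = 7;  // assumption: cap on digits in a length prefix
const MAX_BUFFERED = 32768;   // assumption: cap on unparsed buffered data

function encodeInstruction(opcode, ...args) {
  return [opcode, ...args]
    .map((v) => {
      const s = String(v);
      return `${Array.from(s).length}.${s}`;
    })
    .join(',') + ';';
}

// Parse one instruction from an array of code points, starting at `start`.
// Returns { elements, next }, or null when more data is needed.
// Throws when the data cannot be a valid instruction.
function parseOne(cp, start) {
  const elements = [];
  let i = start;
  for (;;) {
    let j = i;
    while (j < cp.length && cp[j] >= '0' && cp[j] <= '9') j++;
    if (j - i > MAX_LENGTH_DIGITS) throw new Error('length prefix too long');
    if (j === cp.length) return null;
    if (j === i || cp[j] !== '.') throw new Error('malformed length prefix');
    const len = parseInt(cp.slice(i, j).join(''), 10);
    if (len > MAX_BUFFERED) throw new Error('element too large');
    const end = j + 1 + len;
    if (end >= cp.length) return null; // value or terminator still missing
    elements.push(cp.slice(j + 1, end).join(''));
    if (cp[end] === ';') return { elements, next: end + 1 };
    if (cp[end] !== ',') throw new Error('length prefix does not match value');
    i = end + 1;
  }
}

// Incremental decoder: feed() accepts decoded text chunks of any size and
// returns the instructions completed so far as [opcode, ...args] arrays.
// Chunks must not split a code point (use a streaming UTF-8 decoder).
// After a throw the connection should be dropped, not resynchronised.
class InstructionParser {
  constructor() { this.buf = []; }
  feed(chunk) {
    this.buf = this.buf.concat(Array.from(chunk));
    const out = [];
    let pos = 0;
    let r;
    while ((r = parseOne(this.buf, pos)) !== null) {
      out.push(r.elements);
      pos = r.next;
    }
    this.buf = this.buf.slice(pos);
    if (this.buf.length > MAX_BUFFERED) throw new Error('instruction too large');
    return out;
  }
}

function demo() {
  const parser = new InstructionParser();
  // Constructed server data, split mid-element as a socket read might be.
  const first = parser.feed('4.args,8.hostname,4.po');
  const second = parser.feed('rt,8.password;4.sync,8.12345678;');
  return {
    select: encodeInstruction('select', 'vnc'),
    connect: encodeInstruction('connect', 'localhost', '5900', ''),
    first,
    second,
  };
}
```

A custom client would send the `select` and `connect` strings over its TCP connection to guacd and pass every received chunk through `feed()`; the example covers only instruction framing, not the full handshake.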


Re: IP of web session for ssh connection

2017-08-24 Thread Nick Couchman
As far as NoAuth, I think that's pretty much a closed issue - there's not 
really any support for that among the development community.  You might try, 
instead, using either SSO or LDAP and then using the ${GUAC_USERNAME} and 
${GUAC_PASSWORD} tokens to pass through authentication such that you can avoid 
the dual-login requirements.  I do understand the frustration there - I've 
lived the admin side of things for long enough that I recognize that you want 
to make the experience as simple as possible for users, and asking them to 
login twice can cause frustration.  I also realize that use of SSO or LDAP 
modules would require your destination SSH server to use the same 
authentication that Guacamole does, and that that's not always possible, but 
you can probably work something out, there.
Yeah, probably good to go ahead and log a JIRA issue for the IP issue you're 
seeing.
-Nick


On Thursday, August 24, 2017, 11:45:40 AM EDT, Tjareson  wrote:

 
 Yes, I saw some discussion about the no-auth as well. It's a bit of a pity 
that it will be removed. 
 Even if off-topic here right now: I think in the end it will in fact make it 
more confusing for the user. Today I can tell the user "You only ever type your 
credentials into the login screen of the application, never anywhere else." 
 Which makes it clear and easy to remember and avoids phishing.
 Without no-auth, the user has to login either at login screen of guacamole 
and/or at the login screen of the application, in case he or she connects on 
the internal network directly with a Putty client. So we are losing that 
unique point where to type in login data only.
 Is that still under discussion, means is there a point where I can mention my 
argument?
  
 Back to the topic: if you could find something where the ip behaviour could be 
changed that would be very helpful. 
 Would it make sense, if I log an issue for that?
 
 I've also checked the option to track down the web ip of a ssh session with 
lsof and netstat and all logs, to see who is talking to whom via which ports. 
But it always stops where communication is aggregated in one single process and 
connections becoming 1:n. (e.g. nginx)
 
 kind regards
 Tjareson
 
 On 24.08.2017 at 09:02, Nick Couchman wrote:
  
   A word of caution about no-auth: it is deprecated, no longer maintained or 
supported, and will not be available in future releases. 
  As far as why it's not getting updated, I'm not sure off the top of my head, 
except that there's likely a session somewhere in the Guacamole Servlet code 
that has the data cached for a particular user login.  I'll see if I can do 
some debugging on this and figure out where it's happening and what needs to be 
done to flush it out. 
  -Nick 
  == He has shown you, O man, what is good; And what does the LORD require of 
you But to do justly, To love mercy, And to walk humbly with your God?  --Micah 
6:8-- == 
   
  
On Wednesday, August 23, 2017, 7:16:51 PM EDT, Tjareson  
wrote: 
  
 
 By the way: I see the same phenomenon when I'm using no-auth, where there is 
no specific user anymore. 
 
 If it works proper with no-auth it would have been a solution in my case 
already as the application does a proper authentication anyway. (so currently 
I'm redirecting all users to a url containing a default user name and password, 
so they do not need to authenticate twice.)
 
 So the not changing ip address in ${GUAC_CLIENT_ADDRESS} remains kind of a 
question mark. 
 
 
 On 23.08.2017 at 17:38, Nick Couchman wrote:
   
   There may be some buffering done inside the Guacamole code somewhere - I'm 
not sure about that.  Maybe Mike or James can chime in and confirm or debunk 
that? 
  -Nick 
   
  
On Wednesday, August 23, 2017, 5:10:19 PM EDT, Tjareson  
wrote: 
  
 Hi Nick,
 
 that did the trick. 
 
 Do you know if there is any setting stopping tomcat7 (or maybe guacd) from 
buffering the ip?
 Currently I have the odd situation that if I log in from a different ip 
address with the same user I see this different ip address in catalina.out, but 
 the first ip it got after  starting tomcat stays in ${GUAC_CLIENT_ADDRESS}, no 
matter if I logout the user before or not.
 It looks like that the user session for a particular username in guacamole 
gets buffered somewhere.
 Only if I restart tomcat then the ip gets updated. 
 The odd thing is: catalina.out shows always the correct ip and a restart of 
guacd doesn't reset this link between username and ip of first login.
 
 I'm not sure, if the connection between tomcat and guacamole gets really 
terminated, when the user logs  out, as the user is falling back on the 
guacamole login screen only, which would probably explain that the ip from the 
first session survives somehow, even if the same user logs in  from a different 
ip.
 
 kind regards
 Tjareson
 
 On 23.08.2017 at 14:46, Nick Couchman wrote:
   

Re: IP of web session for ssh connection

2017-08-24 Thread Nick Couchman
A word of caution about no-auth: it is deprecated, no longer maintained or 
supported, and will not be available in future releases.
As far as why it's not getting updated, I'm not sure off the top of my head, 
except that there's likely a session somewhere in the Guacamole Servlet code 
that has the data cached for a particular user login.  I'll see if I can do 
some debugging on this and figure out where it's happening and what needs to be 
done to flush it out.
-Nick
== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- ==


On Wednesday, August 23, 2017, 7:16:51 PM EDT, Tjareson  wrote:

 
 By the way: I see the same phenomenon when I'm using no-auth, where there is 
no specific user anymore. 
 
 If it works proper with no-auth it would have been a solution in my case 
already as the application does a proper authentication anyway. (so currently 
I'm redirecting all users to a url containing a default user name and password, 
so they do not need to authenticate twice.)
 
 So the not changing ip address in ${GUAC_CLIENT_ADDRESS} remains kind of a 
question mark. 
 
 
 On 23.08.2017 at 17:38, Nick Couchman wrote:
  
   There may be some buffering done inside the Guacamole code somewhere - I'm 
not sure about that.  Maybe Mike or James can chime in and confirm or debunk 
that? 
  -Nick 
   
  
On Wednesday, August 23, 2017, 5:10:19 PM EDT, Tjareson  
wrote: 
  
 Hi Nick,
 
 that did the trick. 
 
 Do you know if there is any setting stopping tomcat7 (or maybe guacd) from 
buffering the ip?
 Currently I have the odd situation that if I log in from a different ip 
address with the same user I see this different ip address in catalina.out, but 
 the first ip it got after starting tomcat stays in ${GUAC_CLIENT_ADDRESS}, no 
matter if I logout the user  before or not.
 It looks like that the user session for a particular username in guacamole 
gets buffered somewhere.
 Only if I restart tomcat then the ip gets updated. 
 The odd thing is: catalina.out shows always the correct ip and a restart of 
guacd doesn't reset this link between username and ip of first login.
 
 I'm not sure, if the connection between tomcat and guacamole gets really 
terminated, when the user logs out, as the user is falling back on the 
guacamole login screen only, which would probably explain that the ip from the 
first session survives somehow, even if the same user logs in from a different 
ip.
 
 kind regards
 Tjareson
 
 On 23.08.2017 at 14:46, Nick Couchman wrote:
   
   In addition to what you've set up there (which I believe is correct), you 
also need to add the remote IP valve to your Tomcat  configuration file.  I did 
this by adding this block of code just inside the closing  tag in my 
server.xml file: 
          
  
  Please note that you should research and consider the security implications 
of enabling this.  I dug into it when I added  the functionality for the 
GUAC_CLIENT_ADDRESS token, but it's been long enough that I don't recall 
exactly what the risks are.  I believe that you need to pay particular 
attention to the value of  "internalProxies" and make sure that you trust the 
hosts listed as internal proxies - that is, that someone you don't trust does 
not have access to those systems in a way that would allow them to use the 
remote IP  valve to do something malicious, deceptive, etc. 
  Obviously this is specific to Tomcat + Nginx - I can't remember what the 
steps are for Tomcat + Apache and have never tried it with any other 
application server (JBoss,  Weblogic, etc.). 
  -Nick  
  
On Wednesday, August 23, 2017, 2:29:16 PM EDT, Tjareson  
wrote: 
  
 Hi
 
 the approach as such works in principle, as I get the ip passed through the 
ssh connection by just setting ${GUAC_CLIENT_ADDRESS} as command parameter in 
the ssh  connection settings.
 Unfortunately the ip is 127.0.0.1 again. (same with ...HOSTNAME) My guess is 
it might be because I'm using nginx as reverse proxy.
 
 Which ip is guacamole using to provide ${GUAC_CLIENT_ADDRESS/HOSTNAME}? 
 
 In the proxy setup I have set
 proxy_set_header Host $host;
  proxy_buffering off;
  proxy_http_version 1.1;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_pass  http://localhost:8080/;

 Is anyone using the client IP in a similar setup?
 
 kind regards
 Tjareson
 
 
 On 23.08.2017 at 11:56, Tjareson wrote:
  
 
Hi Nick,
 
 the execute command option sounds like a good idea. 
 
 I saw the ${GUAC_CLIENT_ADDRESS} token but wasn't aware that guacd supports 
the comman
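
The trust decision behind the "internalProxies" caution in the thread above, as an added example that is not part of the original messages and is not Tomcat's code. It is a simplified JavaScript model of how a remote-IP valve picks the client address from the X-Forwarded-For header that the nginx configuration above sets; the function names and all addresses are constructed, and `internalProxies` is modelled as an anchored regular expression.

```javascript
// Added example: simplified model of a remote-IP valve behind nginx.
// Function names and all addresses are constructed for illustration.

// Value nginx sends for $proxy_add_x_forwarded_for: the header the client
// supplied (if any) with the connecting client's address appended.
function nginxForwardedFor(clientSentHeader, clientAddr) {
  return clientSentHeader ? `${clientSentHeader}, ${clientAddr}` : clientAddr;
}

// Decide which address the application should record as the client.
function resolveClientIp(peerAddr, xForwardedFor, internalProxies) {
  const trusted = (ip) => internalProxies.test(ip);
  // The header is believed only when the direct TCP peer is a trusted proxy.
  if (!trusted(peerAddr)) return peerAddr;
  const hops = (xForwardedFor || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Walk right to left: the rightmost entries were appended by trusted
  // proxies; the first untrusted entry is taken as the client.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted(hops[i])) return hops[i];
  }
  return peerAddr;
}

// Review aid: which sampled addresses would a pattern trust although they
// are not proxies you operate?
function unexpectedlyTrusted(internalProxies, sample, actualProxies) {
  return sample.filter(
    (ip) => internalProxies.test(ip) && !actualProxies.includes(ip)
  );
}

const NONE = /(?!)/;                                      // no valve: trust nothing
const STRICT = /^127\.0\.0\.1$/;                          // only the local nginx
const BROAD = /^(?:127\.0\.0\.1|203\.0\.113\.\d{1,3})$/;  // also a client range

function demo() {
  const nginx = '127.0.0.1';
  const client = '203.0.113.7';
  const forged = '10.1.2.3'; // value a client placed in its own header
  return {
    // Without the valve the application only ever sees the proxy.
    noValve: resolveClientIp(nginx, nginxForwardedFor('', client), NONE),
    // With the valve and a tight pattern the real client is recovered.
    honest: resolveClientIp(nginx, nginxForwardedFor('', client), STRICT),
    // A client-supplied header entry is ignored under the tight pattern...
    forgedStrict: resolveClientIp(nginx, nginxForwardedFor(forged, client), STRICT),
    // ...but is accepted as the client when the pattern also covers clients.
    forgedBroad: resolveClientIp(nginx, nginxForwardedFor(forged, client), BROAD),
    // A connection that bypasses nginx gets no say through the header.
    direct: resolveClientIp(client, forged, STRICT),
    review: unexpectedlyTrusted(BROAD, [nginx, client, '198.51.100.9'], [nginx]),
  };
}
```

Only the `forgedBroad` case records an address the client chose for itself, which is why the pattern should match exactly the proxies you operate and nothing else.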
