Proper SSL/Encryption Setup Other Than for HTTPS?

2020-07-10 Thread Zer0Cool
Guac 1.2.0 Nginx: 1.18.0 Tomcat: 9.0.37 (CentOS/RHEL 8.x) I am not talking about HTTPS in relation to accessing the domain/ip via a browser, this I have set up and working via Nginx. I am asking about: 1) Encryption between guac client and guac server (guacd) via the guacd-ssl property in

Re: 1.2 server build fail on el7 and el8

2020-07-02 Thread Zer0Cool
So the error seems to indicate an issue with RDP and/or filesystem. Are you using a standard file system on the virtual disk used by the VM (ext4 or xfs)? It may be worth taking a look at /var/log/messages too to see if you can find additional errors/info. If you feel so inclined, you could try

Re: 1.2 server build fail on el7 and el8

2020-07-02 Thread Zer0Cool
In your output it says "no" for init and systemd, pretty sure it has to be one or the other. That is done via the configure command using a switch as explained in https://guacamole.apache.org/doc/gug/installing-guacamole.html. For what it's worth, my script for rhel/centos 7 seems to build and

Extension Load Order Questions

2020-05-07 Thread Zer0Cool
OS: CentOS/RHEL 8.x Guac 1.1.0 Regarding extensions, there are a few things I want to clear up and make sure I understand. I see the extensions as basically being in 2 categories: Primary authentication and Secondary auth. Ex: LDAP would be a primary auth method as it can, itself*, be used. On

Re: SEL Related Issue with Enabling guacd

2020-05-06 Thread Zer0Cool
Sorry just a typo, the file name was correct. As explained, 100% sure it's an SEL context issue which I worked out the command to resolve. Just not sure why the context was not properly set on it. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: SEL Related Issue with Enabling guacd

2020-05-05 Thread Zer0Cool
Absolutely do. Here is the actual code (as it is currently): # Enable/Start Tomcat and Guacamole Services { systemctl daemon-reload systemctl enable tomcat systemctl restart tomcat systemctl enable guacd systemctl restart guacd systemctl status

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-05 Thread Zer0Cool
You are likely right. I will have to play with it a bit once I get things in a running capacity. My big issue right now is figuring out the tomcat server.xml file. Thanks again

SEL Related Issue with Enabling guacd

2020-05-05 Thread Zer0Cool
OS: CentOS 8.1 (fresh minimal install) Guac: 1.1.0 I unpacked guacamole, set up tomcat 9.0.34, etc. I get to the point I need to `systemctl enable guacd` to enable the guacd service and it fails with a message like: "failed to enable unit: unit file guacd.service does not exist." I `ls -al

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-05 Thread Zer0Cool
For the directories/files, what are your thoughts on the file permissions? I was thinking 0750 in cases the owner needs write, maybe 0550 when write is not needed? Not really set on what approach to take here in setting this. I will play around with it a bit once I get to the point the script

Re: The appropriate way to hide/obscure database password in guacamole.properties?

2020-05-05 Thread Zer0Cool
You really shouldn't be running guacd or tomcat as root (or really anything else you can avoid doing so on). Create service accounts for both and run/permission them according to those accounts. As mentioned it's likely a good idea to set ownership and file permissions on the tomcat/guacamole

Tomcat 9.x server.xml Config For Guacamole (RHEL/CentOS 8.x)?

2020-05-04 Thread Zer0Cool
OS: RHEL/CentOS 8.x Tomcat: 9.0.34 installed from tar.gz (into /opt/tomcat) Guac: 1.1.0 I previously have setup tomcat from the package in yum on RHEL/CentOS 7.x. For that I did the following in server.xml: (in the tag) URIEncoding="UTF-8" I then added the following connect a little lower in

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-04 Thread Zer0Cool
Thanks again for the excellent responses. I am taking your advice and input into consideration and working on my script for RHEL/CentOS 8.x, using your input to improve it for the better. Since I am basically re-writing the script, I am looking at parts long forgotten and finding inefficiencies,

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-02 Thread Zer0Cool
Thanks again for your very detailed and helpful response. I overthink EVERYTHING, it's just who I am...but I also want to make the script as well put together as I can and looking at my current RHEL/CentOS 7.x script, there is a ton of room for improvement based on what I am learning/doing now. 1

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-01 Thread Zer0Cool
Maybe a better way to ask for your help regarding directories for Guac and tomcat...(again, if you're willing, if not no problem). Could you detail where you place: - Guacamole server - Guacamole client .war file - Guacamole extensions (JDBC, TOTP, LDAP, etc) - guacamole.properties - MySQL

Re: Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-01 Thread Zer0Cool
Thanks for your response. I came across basically 2 types of guides online for CentOS/RHEL 8 and Tomcat 9. Half used /usr/share/tomcat the other half /opt/tomcat. I guess I had a 50/50 shot at it but what you say makes sense and sparks vague memories of opt likely being the better option for

Re: RHEL/CentOS 8.x Install, Needed Packages?

2020-05-01 Thread Zer0Cool
Thanks for the detailed response. I was aware of the Development Tools group but for my install script I am trying to install the bare minimum needed. I will admit, figuring out what the minimum is may be more trouble than it's worth, but it's a matter of principle/pride/(maybe stupidity) on my

Tomcat 9, RHEL/CentOS 8.x Setup Questions

2020-05-01 Thread Zer0Cool
I am looking for help with the proper way to "install" and configure tomcat 9 with Guac 1.1.0 on RHEL/CentOS 8.x. As RHEL 8.x removed the tomcat package from the repos, I now find myself downloading the .tar.gz and extracting it out like so: tar xvf apache-tomcat-9.0.34.tar.gz -C /usr/share ln

Re: RHEL/CentOS 8.x Install, Needed Packages?

2020-05-01 Thread Zer0Cool
Thanks to both of you. I ended up working this out and figured I would post back my findings in case they help others. -libtelnet | I gave up on this one. Does NOT seem to be in regular EPEL repo, maybe one of the testing or something but honestly didn't push hard to find it. Really, I have

RHEL/CentOS 8.x Install, Needed Packages?

2020-04-29 Thread Zer0Cool
Hello, I have been working on adapting my script for installing and configuring Guac on RHEL/CentOS 7.x to working with 8.x. (current 7.x version here for reference: https://github.com/Zer0CoolX/guacamole-install-rhel). One of the biggest challenges I am facing is with package names changing or

Re: FreeRDP Writable User Home Dir?

2020-02-04 Thread Zer0Cool
I have a Guac 1.0.0 server in production (CentOS 7.7, freerdp 1.x) that connects to the same Windows 7 client without that box ticked. The /var/log/messages show no errors or warnings about the certificate and the connection works. Aside from ignoring the error, how would I approach fixing this?

Re: FreeRDP Writable User Home Dir?

2020-02-04 Thread Zer0Cool
Thanks, so in a test situation this worked out. I created a group: sudo groupadd guacd I then created my user as follows: sudo useradd -r guacd -m -s /bin/nologin -g guacd -c guacd (-r for system account, -m to create home dir, -s for nologin, -g to add to group, -c is just name/description and

Re: FreeRDP Writable User Home Dir?

2020-02-04 Thread Zer0Cool
I should have specified before, this is Guac 1.1.0, CentOS 7.7. I am installing Guac server from source direct from the apache guacamole site: "https://apache.org/dyn/closer.cgi?action=download=guacamole/${GUAC_VER}/;, not a repo like EPEL. I ran the following command: ps aux | grep guacd This

FreeRDP Writable User Home Dir?

2020-02-04 Thread Zer0Cool
When trying to connect via RDP I get the following error in /var/log/messages: "FreeRDP initialization may fail: The current user's home directory ("/sbin") is not writable, but FreeRDP generally requires a writable home directory for storage of configuration files and certificates." The release

Re: Installation script

2019-06-15 Thread Zer0Cool
Read what I wrote again...at least the first part. On second look you likely picked stable as the source in which case the URL is correct. The URL is correct and works for anyone else with the ability to connect to the internet and use HTTPS/SSL. Verify that you are selecting stable as the

Re: AD/LDAP Old/Disabled Users Still Listed?

2019-06-14 Thread Zer0Cool
Pardon my ignorance, but let me make sure I follow. So you are saying that the ldap filter (and thus results) are likely up-to-date but that the database side of the account does not get deleted/removed from the database when there is no longer a matching LDAP account to go with it? So I would

Re: Installation script

2019-06-14 Thread Zer0Cool
Hello, I wrote the script: https://github.com/Zer0CoolX/guacamole-install-rhel The problem you are having is not an issue with the script, it's clearly a network issue. 1) Try downloading the file at that location yourself via a browser. 2) Try running the wget command yourself manually. If the

Re: Possible to use MariaDB Connector vs MySQL Connector?

2019-06-11 Thread Zer0Cool
Here is the error I get in /var/log/messages when loading the Guac website/login page. t-guac server: ### Error querying database. Cause: java.sql.SQLException: Error setting driver on UnpooledDataSource. Cause: java.lang.ClassNotFoundException: com.mysql.jdbc.Driver I am by no means an expert

Re: Possible to use MariaDB Connector vs MySQL Connector?

2019-06-11 Thread Zer0Cool
Thanks. I gave an attempt at MariaDB connector but got a blank login screen and didn't try and troubleshoot it yet. Unless Guacamole somehow doesn't pick up on MariaDB's connector vs MySQL's, then I can likely get the connector to work. I have not tried the newer version of MariaDB yet either, may

AD/LDAP Old/Disabled Users Still Listed?

2019-06-11 Thread Zer0Cool
Guac: 1.0.0 OS: CentOS 7.6 Using the LDAP extension to connect with a pretty simple AD and using a mariaDB database for authentication/users (aka not changing the AD/LDAP side) with LDAPS. Using the following filter via "ldap-user-search-filter" in guacamole.properties:

Re: Compile Fails, Does Not Find libjpeg-turbo

2019-06-05 Thread Zer0Cool
Sorry, correction... libjpeg-turbo-devel

Re: Compile Fails, Does Not Find libjpeg-turbo

2019-06-05 Thread Zer0Cool
Looks like I may have resolved this. "yum install -y libjpeg-turbo-official libjpeg-devel" Adding libjpeg-devel appears to work. I guess the rpm includes them but the repo needs to have it explicitly installed? Hope this helps others, Thanks.

Compile Fails, Does Not Find libjpeg-turbo

2019-06-05 Thread Zer0Cool
CentOS 7.6 Guac 1.0.0 When I install libjpeg-turbo directly using a command like "yum localinstall -y https://sourceforge.net/projects/libjpeg-turbo/files/2.0.2/libjpeg-turbo-official-2.0.2.x86_64.rpm; Then compiling works without issue. If however, I create the libjpeg-turbo repo file and

Possible to use MariaDB Connector vs MySQL Connector?

2019-06-05 Thread Zer0Cool
RHEL/CentOS 7.6 Guac 1.0.0 MariaDB 5.5.60 (from official CentOS repo) MySQL Connector J 5.1.47 (or 8.0.16) I am wondering if Guacamole would function the same using MariaDB Connector J (current version is 2.4.1) vs MySQL Connector J 5.1.x or 8.x? Are there any long term concerns using MariaDB

Re: Nginx X-Frame-Options causing Chrome "Page Unresponsive error"

2019-05-17 Thread Zer0Cool
For what it's worth, I get the same/similar errors in the dev tools in Firefox 66.0.5 but it does not appear to cause any kind of adverse effect in Firefox. Load denied by X-Frame-Options: https://mydomain.com/app/element/templates/blank.html does not permit framing. TypeError: g.contentDocument

Re: Nginx X-Frame-Options causing Chrome "Page Unresponsive error"

2019-05-17 Thread Zer0Cool
I can confirm, at least partially, the behavior. Guac 1.0.0, no prior issues, within the last week(s) Chrome has been doing this. Chrome confirmed v74. I currently have x-frame set to deny. I do not use Duo or file xfer. As mentioned, "SAMEORIGIN" is likely a better setting which I have been

Re: Nginx Content_Security_Policy?

2019-05-16 Thread Zer0Cool
You appear to have been correct, I took out "unsafe-inline" for script-src and all appears to work. My score in observatory also went to 100/100 (-10 for CSP but +5 and +5 for referrer-policy/frame-ancestors). I will have to keep testing it but so far so good. I will need to dive into the more

Re: Assistance with Apache Guacamole 1.0.0 Client

2019-05-13 Thread Zer0Cool
I found this to be an issue between the 8.x version of MySQL Connector J and mariaDB. MySQL Connector J 5.x does not have the same problem. So the 2 fixes I found for the issue are (one or the other, both not needed): - Stick with the 5.x version of MySQL Connector J - Add the "default_time_zone"

Re: Nginx Content_Security_Policy?

2019-05-13 Thread Zer0Cool
Thanks I will check on this when I can, right now I don't have access to my test platform. As I recall, I do have "Referrer-Policy" set to "no-referrer" and "frame-ancestors 'self'" should count for X-Frame-Options (though I have it in my config as well). However I think my score was not correct.

Re: Nginx Content_Security_Policy?

2019-05-08 Thread Zer0Cool
After further testing and messing about I think I have worked out a policy that does not break anything but will need more testing: add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self'; frame-src 'self';

Re: Nginx Content_Security_Policy?

2019-05-06 Thread Zer0Cool
Thanks for the input guys. Any idea where to start researching this? I still have yet to find any reliable info on CSP and Guac. As you both mention, I am sure it's blocking aspects required by Guac and it comes down to figuring out if there is a CSP that allows everything required for guac to

Nginx Content_Security_Policy?

2019-05-03 Thread Zer0Cool
CentOS/RHEL 7.6 Nginx 1.16.0 OpenSSL 1.0.2k-fips Guac 1.0.0 I have SSL working just fine with a Lets Encrypt cert. I am attempting to add a CSP line to the nginx conf and it's causing the login page to look odd and not actually logging in (I will explain further). The line I am adding is:

Re: Where does guacd check for libjpeg-turbo?

2019-04-11 Thread Zer0Cool
I guess to clarify, to this point I had been using symlinks with libjpeg-turbo (2.0.2 rpm, CentOS/RHEL 7.x), specifically: ln -vfs /opt/libjpeg-turbo/include/* /usr/include/ ln -vfs /opt/libjpeg-turbo/lib??/* /usr/lib64/ The problem is, part of the 2nd command fails, seemingly with

Where does guacd check for libjpeg-turbo?

2019-04-09 Thread Zer0Cool
When compiling guacamole server, what files related to libjpeg-turbo and in what directories does it look for? Thanks

Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

2019-04-05 Thread Zer0Cool
Oh, just noticed you have IP in hostname for guac.properties. That may work, but I was under the impression it had to be FQDN of the AD server, ex: myserver.company.com

Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

2019-04-05 Thread Zer0Cool
A few things I found to help set this up. First, the user you use for ldap-search-bind-dn MUST have the ability to read other AD users and groups. Next, I log in using the default/local Guacamole admin and create a new user. This will be the first AD/LDAP user you want to have admin rights over

Re: Importance of JKS Keystore Fields?

2019-04-05 Thread Zer0Cool
Yes they will be run from the same system for all my cases. Thanks for the feedback.

Re: Importance of JKS Keystore Fields?

2019-04-04 Thread Zer0Cool
Upon thinking about it however, end users wouldn't see this info for the key store, would they? As far as I understand it, with Nginx being the reverse proxy and handling SSL, Lets Encrypt providing a valid Cert (and looking at the cert it uses its own subject, etc.), JKS is only used for tomcat,

Importance of JKS Keystore Fields?

2019-04-03 Thread Zer0Cool
Sorry if this is too far removed from Guacamole itself. CentOS/RHEL 7.x Guacamole 1.0.0 Nginx (latest) Tomcat I set up Guacamole with JKS and create a keystore for Guacamole using a command like: keytool -genkey -alias some_alias -keyalg RSA -keysize 2048 -keystore

Re: RDP Settings/Requirements for Windows Server 2016 and above

2019-02-25 Thread Zer0Cool
For me TLS and ignore server cert works. Might be different for you.

Re: Guacamole Branding

2019-02-13 Thread Zer0Cool
Aside from my extension template (Thanks @Fabian for linking it), which in my biased opinion is the best way to add branding to the login screen, I have included a link to my repo's wiki that links to posts describing how this is done.

Re: Session Remote Host Address Showing Loopback

2019-01-23 Thread Zer0Cool
Never mind, seems I have resolved the issue. I changed: internalProxies="127.0.0.1" to internalProxies="192.168.0.10" replace 192.168.0.10 with the server's actual IP address, not loopback, and it worked for me. It obviously will not alter already logged connections but future connections

Re: Session Remote Host Address Showing Loopback

2019-01-23 Thread Zer0Cool
Ok well I thought I had it worked out. I already have "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" in my Nginx config. I added: to the server.xml file towards the end within the tag as specified in the documentation. Restarted guacd, tomcat, nginx and mariadb and it's still

Re: Session Remote Host Address Showing Loopback

2019-01-18 Thread Zer0Cool
Ah, very good guys, thought I was losing my mind. I must have missed that bit when I read over the changes. I will read up and test the changes, but I think that takes care of it. Thanks

Session Remote Host Address Showing Loopback

2019-01-18 Thread Zer0Cool
Guac: 1.0.0 OS: RHEL/CentOS 7.x Nginx, Tomcat, mariadb, LDAP (associated to db), LetsEncrypt cert I have an odd issue. This is regarding the "Remote Host" column in "Active Sessions" and "History". Both of these are regarding fresh installs of OS and Guac, these servers are not used for any other

Re: Questions About Using TOTP with LDAP

2019-01-18 Thread Zer0Cool
Excellent, I will give it a shot and see how it works. Thanks

Re: SSL

2019-01-18 Thread Zer0Cool
The directions given for setting up SSL are a good start but use a self-signed cert instead of a valid cert from say, LetsEncrypt. The suggested guacamole_ssl.conf configuration is also far from secure for many reasons. 1. First you're using TLS 1.0 and TLS 1.1. Unless needed for very legacy

Re: Questions About Using TOTP with LDAP

2019-01-18 Thread Zer0Cool
Thanks for the reply. So given your insight, does this mean that my setup can/would meet the prerequisite of users being able to change their passwords or since I use LDAP for auth would LDAP and TOTP not work together?

Questions About Using TOTP with LDAP

2019-01-17 Thread Zer0Cool
As per the documentation at https://guacamole.apache.org/doc/gug/totp-auth.html: "Prerequisites ... * Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are

Re: Dumb LDAP Properties Question

2019-01-15 Thread Zer0Cool
Yes I agree, I am just going to leave it as is and have it be manually entered instead of making assumptions. Thanks

Re: Dumb LDAP Properties Question

2019-01-14 Thread Zer0Cool
Ok so from the responses it sounds like typically: ldap-user-base-dn: dc=mydomain,dc=com ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com should be using the same DC entries but that: ldap-hostname: myserver.mydomain.com could possibly be on another domain. However, it sounds

Dumb LDAP Properties Question

2019-01-11 Thread Zer0Cool
Guac: 1.0.0 with MySQL db + LDAP extension OS: CentOS/RHEL 7.x (7.6 currently) I am specifically talking about the following entries in guacamole.properties: ldap-hostname: myserver.mydomain.com ldap-user-base-dn: dc=mydomain,dc=com ldap-search-bind-dn:

Migrating to a new Guac server?

2019-01-08 Thread Zer0Cool
I am wondering if it's possible to do a sort of export/import to move user info/permissions and machines/groups from an existing guacamole server to a new one. For background, I have a Guac server on CentOS using MariaDB and LDAP addin for user authentication. I have not made any alterations to

Re: Theme/Logo changing

2018-12-10 Thread Zer0Cool
I posted this on my Github https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension Should give you a good foundation to start from. I have documented things and provided links to sources I used to figure it

Re: Help with ldap-user-search-filter and LDAP Query

2018-11-27 Thread Zer0Cool
Thanks, got it sorted out for the most part. Went with this for now: (&(objectCategory=person)(objectClass=user)(userAccountControl=512)) Limits it to just people and active accounts with passwords that can expire. Works out as our "service" accounts don't have expirations on the passwords and

Re: Help with ldap-user-search-filter and LDAP Query

2018-11-20 Thread Zer0Cool
I kind of figured it out. At least the base issue. ldap-users-search-filter: (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=COM) Seems to be the proper syntax for the parameter in the guacamole.properties file. This pulled in just the members of that group. Removing "(&(objectCategory=user"

Re: Help with ldap-user-search-filter and LDAP Query

2018-11-20 Thread Zer0Cool
Hello and Thanks for the input. I think you are right, a group would be the best approach. I am currently testing using: ldap-user-search-filter: "(&(objectCategory=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=COM))" In dsquery on a Windows 7 client machine the above (without

Help with ldap-user-search-filter and LDAP Query

2018-11-20 Thread Zer0Cool
I currently have Apache Guacamole setup and working with LDAP (both 0.9.14 from site and 1.0.0. from git) in CentOS and RHEL 7.5/7.6. I can login, see the full list of AD entities, etc. The problem is it's literally everything from AD; users, computers, disabled accounts, etc. Ideally, I would

Apache Guacamole Installation Script for RHEL/CentOS

2018-11-20 Thread Zer0Cool
I have created an installation script for Apache Guacamole in RHEL/CentOS 7.x and up. I was hoping to get some feedback on it and maybe even some help improving it. The Github repo can be found at https://github.com/Zer0CoolX/guacamole-install-rhel Some key features of the script are: - Allows