Guacamole 1.3.0 testing

New default values for the login:

AD: samaccountname,userprincipalname
LDAP: uid,mail.

So one can login with username or username@serverdomain.tld.

The username attribute can now be set in the config database.
In this example only full name logins are allowed.

AD:
config setprop guacd usernameAttribute displayname

LDAP:
config setprop guacd usernameAttribute gecos

To remove the attribute and go back to default:

config setprop guacd usernameAttribute ''

Apply the changes:

signal-event nethserver-guacamole-update

Installation:

yum -y install https://mrmarkuz.dynu.net/mirror/devtest/nethserver-guacamole-0.0.1-3.ns7.noarch.rpm

If you already installed the testing package you need to reinstall:

yum -y reinstall https://mrmarkuz.dynu.net/mirror/devtest/nethserver-guacamole-0.0.1-3.ns7.noarch.rpm

2 Likes

Tested by updating existing 1.3 install and can confirm that both user1 & user1@domain.tdl work as described against SAMBA/AD.

EDIT/Update - Odd behavior but I thought I’d post it here. Initially to set up the guacamole LDAP I created a local user1 with group 1 in SAMBA-AD & Guacamole. I also created another user1 within Guacamole with a different password than SAMBA-AD that helped me verify the LDAP vs local login was actually working. After the update, I tested user1@domain.tdl and was able to login as expected. What I found odd is that Guacamole treated the SAMBA-AD logins of user1 & user1@domain.tdl as separate and different accounts with different permissions applied.

1 Like

Second feature request if we are in the charitable giving season. How difficult would it be to add 2 Cockpit items for Guacamole?

  1. Add a Guacamole Tab within Cockpit like SOGo with a Settings & Logs section
  2. Under Settings - Ability to set vhost name via Cockpit - Guacamole akin to the SOGo module

It’s a shame that I didn’t learn enough about cockpit yet but I’ll have a look at it…

Is there anything else that you would like help with testing out before we can push this live?

1 Like

It would be nice to have a solution for this Mac issue but unfortunately I have no Mac to play around with.
@Andy_Wismer wanted to do some testing (with Mac) too.
I guess we can push it live this week.

@mrmarkuz

I’m doing a restore of my Home NS - for another reason. But if it finishes timely, I’ll do the Guac test tonight…

My 2 cents
Andy

1 Like

I use a Microsoft AD which Nethserver is joined to:
In Guacamole I set:

config setprop guacd ldapPort 389
config setprop guacd Encryption none
signal-event nethserver-guacamole-update

I have several problems:

  1. The bind entry in /etc/guacamole/guacamole.properties is generated the wrong way. It reads ldap-search-bind-dn: cn=CN=Administrator,OU=Users,OU=MyBusiness,DC=MYDOMAIN,DC=LOKAL,cn=Users,DC=myadmin,DC=LOKAL instead of CN=Administrator,OU=Users,OU=MyBusiness,DC=MYDOMAIN,DC=LOKAL

  2. I see no users in Guacamole

  3. I cannot login with AD users.
    WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.42.52, 127.0.0.1] for user “xy” failed.

It looks like a CN in a CN, weird…

Which Windows server version (the DC) do you use? I’ll try to reproduce…

EDIT:

Maybe your binddn is not in user@domain.tld format?

config show sssd

AdDns=192.168.xx.yy
BaseDN=DC=mydomain,DC=LOKAL
BindDN=CN=Administrator,OU=Users,OU=MyBusiness,DC=MYDOMAIN,DC=LOKAL
BindPassword=xxx,
DiscoverDcType=dns
GroupDN=OU=Groups,OU=MyBusiness,DC=mydomain,DC=lokal
LdapURI=ldap://hal9001.straightec.lokal
Provider=ad
Realm=MYDOMAIN.LOKAL
ShellOverrideStatus=enabled
StartTls=disabled
UserDN=OU=Users,OU=MyBusiness,DC=mydomain,DC=lokal
Workgroup=MYDOMAIN
status=enabled

Hm, I assume a format like that in guacamole.properties (see /etc/e-smith/templates/etc/guacamole/guacamole.properties/10base):

BindDN=admin@domain.tld

Does that setting work? Do you see users/groups in cockpit?

I’m going to check, if not possible another way I could add a db prop binddn to be flexible for such cases.

I removed and readded the domain membership and then it asked for a principal name as bindDN. I used administrator@myadmin.lokal and it seems to be correct also in Guacamole. However I still don’t see any users in guacamole (however in Cockpit of NS, I see users).

1 Like
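An added example, not part of the thread and not NethServer or Guacamole project code: a shell check that flags the "CN in a CN" value of ldap-search-bind-dn reported above before Tomcat is restarted. The function names and the sample file are constructed for illustration; ldap-encryption-method is Guacamole's LDAP property for the encryption setting, and the DN test is a simplification that ignores escaped commas.

```shell
#!/bin/sh
# Added example: sanity-check the LDAP lines of a guacamole.properties file.
# Function names and the sample file are constructed for illustration.

# Print the value of KEY from a Java-style properties FILE ("key: v" or "key=v").
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | tail -n 1
}

# Classify a bind identity: upn, dn, nested (a DN wrapped in another RDN) or invalid.
classify_bind_dn() {
    if printf '%s\n' "$1" | grep -Eq '^[A-Za-z]+=[A-Za-z]+='; then
        echo nested
    elif printf '%s\n' "$1" | grep -Eq '^[A-Za-z]+=[^=,]+(,[A-Za-z]+=[^=,]+)*$'; then
        echo dn
    elif printf '%s\n' "$1" | grep -Eq '^[^@=,[:space:]]+@[^@=,[:space:]]+$'; then
        echo upn
    else
        echo invalid
    fi
}

# Report findings for FILE; the exit status is the number of findings.
audit_ldap_props() {
    findings=0
    bind=$(prop_value "$1" ldap-search-bind-dn)
    kind=$(classify_bind_dn "$bind")
    case "$kind" in
        nested|invalid)
            echo "FAIL ldap-search-bind-dn ($kind): $bind"
            findings=$((findings + 1)) ;;
        *)  echo "ok   ldap-search-bind-dn ($kind)" ;;
    esac
    enc=$(prop_value "$1" ldap-encryption-method)
    if [ -z "$enc" ] || [ "$enc" = none ]; then
        echo "WARN ldap-encryption-method '${enc:-unset}': bind password crosses the network unencrypted"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample reproducing the bind DN quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ldap-port: 389
ldap-encryption-method: none
ldap-search-bind-dn: cn=CN=Administrator,OU=Users,OU=MyBusiness,DC=MYDOMAIN,DC=LOKAL,cn=Users,DC=myadmin,DC=LOKAL
EOF
audit_ldap_props "$sample" || echo "findings: $?"
rm -f "$sample"
```

To check a live system, call audit_ldap_props /etc/guacamole/guacamole.properties after signal-event nethserver-guacamole-update has regenerated the file.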

Another strange thing is, that the connection to Windows 7 machines is dropping all the time. Especially when trying to open the start menu.

1 Like

Thanks for testing! I’m starting up some VMs to check…

Did you already play with the guacamole connection settings?
Did you update your guacamole from old 0.9 version?
Do you use a VPN?

I did update from old 0.9 version. I did run the db upgrade scripts.
No VPN. Yes I tried all connection settings.
Very strange: I get a connection to the login screen but as soon as I enter user/password it disconnects. A similar thing is when I provide the username/password in guacamole. It connects but when opening the start menu, it disconnects.

Mar 12 00:35:19 myneths guacd[12117]: Connection closed.
Mar 12 00:35:19 myneths guacd: guacd[12117]: ERROR:#011Connection closed.
Mar 12 00:35:19 myneths guacd: guacd[12117]: INFO:#011User “@c3d367af-b946-459a-8b5a-4d5b5ecfe0ef” disconnected (0 users remain)
Mar 12 00:35:19 myneths guacd: guacd[12117]: INFO:#011Last user of connection “$8ad00a2c-4144-4742-b04d-a52183f68ef9” disconnected
Mar 12 00:35:19 myneths guacd[12117]: User “@c3d367af-b946-459a-8b5a-4d5b5ecfe0ef” disconnected (0 users remain)
Mar 12 00:35:19 myneths guacd[12117]: Last user of connection “$8ad00a2c-4144-4742-b04d-a52183f68ef9” disconnected
Mar 12 00:35:19 myneths guacd: guacd[12117]: INFO:#011Internal RDP client disconnected
Mar 12 00:35:19 myneths guacd[12117]: Internal RDP client disconnected
Mar 12 00:35:19 myneths guacd[6107]: Connection “$8ad00a2c-4144-4742-b04d-a52183f68ef9” removed.
Mar 12 00:35:19 myneths guacd: guacd[6107]: INFO:#011Connection “$8ad00a2c-4144-4742-b04d-a52183f68ef9” removed.
Mar 12 00:35:19 myneths daemon.sh: 00:35:19.346 [http-nio-8080-exec-9] INFO o.a.g.tunnel.TunnelRequestService - User “guacadmin” disconnected from connection “3”. Duration: 13646 millisecond

I have similar problems but with VNC on an updated machine. I have no solution so far, it works on a test VM with a fresh nethserver-guacamole install.

I’ll check on a Win 7 VM and report…

EDIT:

Tested with Win 2019 Server as DC and Neth as domain member and guacamole login worked with port 389 and encryption “none” but for guacamole the user’s “Name” has to match, not the account / user logon name.
Usually the logon name has to match as it is in Neth. I tried with all attributes but no change. Need to test more…

In the following example markus works but admin does not work (nethadmin would work in guacamole but not in neth).

For testing just edit guacamole.properties and restart tomcat8.

The disconnect when clicking on the start menu looks similar to the following bug: https://issues.apache.org/jira/browse/GUACAMOLE-950

or this

BTW: How to enable more detailed tracing for guacamole and where are the log files?

1 Like

I solved the disconnection problem. The glyph-caching is the problem and must be disabled in the guacamole settings for the connection.

3 Likes

Great that you found a solution for the Win 7 clients!

See Guacamole manual for debug logging.

The logfiles are /var/log/messages and /opt/tomcat8/logs

I added this info to the wiki.

That’s amazing thanks man! Login screen is super cool

1 Like