Posted to user@guacamole.apache.org by drhy <da...@outlook.com> on 2020/01/24 01:35:17 UTC

guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Hi,

I'm not sure where this should be posted so am hoping this is OK. 
I have just installed the 1.1.0 version from apache. 
I have it running successfully on CentOS 8.1 with MySQL 8 and Radius talking
to Windows 2019 Network Policy Server (using mschapv2 or pap, but no
others).

The only - small - issue I have is that the guacd service needs to run under
User=root for rdp connections to succeed. It won't connect with User=daemon.
I haven't tested the other protocols.

-David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by drhy <da...@outlook.com>.
Hi Mike,

got it working with:

useradd -r guacd
mkdir /home/guacd
chown -R guacd:guacd /home/guacd
setfacl -bkdR --modify=g:guacd:rwx /run/guacamole

and guacd.service now using "User=guacd"

I couldn't get /var/empty/guacd to work = me being v new to linux.

-David





Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by drhy <da...@outlook.com>.
Hi Mike,

I saw those jiras but didn't fully understand their implications. Thanks for
explaining.

I have confirmed the daemon behaviour that you describe, and am now creating
the reduced-privilege user etc. per your suggestions.

-David





Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by Mike Jumper <mj...@apache.org>.
When I build and run things against CentOS 8, manually running guacd as the
"daemon" user, I see the following at the beginning of the connection:

guacd[8]: WARNING: FreeRDP initialization may fail: The current user's home
directory ("/sbin") is not writable, but FreeRDP generally requires a
writable home directory for storage of configuration files and certificates.

This is due to the behavior of the FreeRDP 2.0.0 library, which is known to
refuse to attempt to connect if it cannot create a configuration directory
with the user's home directory, hence the addition of new checks and
warnings within Guacamole's RDP support:

https://issues.apache.org/jira/browse/GUACAMOLE-927
https://issues.apache.org/jira/browse/GUACAMOLE-931

I suspect that is what is happening in your case, and that the warning I
see is likely also in your logs if you look a bit further up near where the
connection attempt begins.

You will need to create your own reduced-privilege user which has a
writable home directory, rather than use the system "daemon" user. A user
named "guacd" which has an associated group "guacd" and a home directory
like "/var/empty/guacd" could be a good choice.

- Mike


On Thu, Jan 23, 2020 at 6:21 PM drhy <da...@outlook.com> wrote:

> Hi Mike
>
> as at January 23, 22:20 GMT.
>
> -David
>
>
>
>
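
The condition Mike describes above (a service account that cannot write to its own home directory, as with "daemon" and "/sbin") can be checked before setting User= in guacd.service. The following is an added example, not part of the thread or of Guacamole's code; the function name service_home_ok is an assumption, and it relies on GNU stat as shipped with CentOS 8.

```shell
#!/bin/sh
# Added example: preflight check for a guacd service account.
# Usage: service_home_ok USER [PASSWD_FILE]
# Returns 0 when USER's home directory exists, is owned by USER and has
# the owner write bit set; otherwise prints the reason and returns 1.
# Simplification: group/other write bits and ACLs are not considered.
service_home_ok() {
    user=$1
    passwd=${2:-/etc/passwd}

    # passwd(5) fields: name:password:UID:GID:GECOS:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $6; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "$user: no such account in $passwd" >&2
        return 1
    fi
    uid=${entry%%:*}
    home=${entry#*:}

    if [ ! -d "$home" ]; then
        echo "$user: home directory $home does not exist" >&2
        return 1
    fi

    # -L follows symlinks (/sbin is a symlink to usr/sbin on CentOS 8).
    owner=$(stat -L -c '%u' "$home")
    mode=$(stat -L -c '%a' "$home")

    if [ "$owner" != "$uid" ]; then
        echo "$user: $home is owned by uid $owner, not uid $uid" >&2
        return 1
    fi
    # %a prints the mode in octal; 0200 is the owner write bit.
    if [ $(( 0$mode & 0200 )) -eq 0 ]; then
        echo "$user: $home (mode $mode) is not writable by its owner" >&2
        return 1
    fi
    return 0
}
```

Accounts served by LDAP or SSSD do not appear in /etc/passwd; for those, save the output of "getent passwd" to a file and pass that file as the second argument.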

Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by drhy <da...@outlook.com>.
Hi Mike

as at January 23, 22:20 GMT.

-David





Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 23, 2020 at 6:11 PM drhy <da...@outlook.com> wrote:

> Hi Mike,
>
> with default settings, "systemctl status guacd" shows:
>
> root@guactest~ systemctl status guacd
> ● guacd.service - Guacamole Server
>    Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
> preset: disabled)
>    Active: active (running) since Fri 2020-01-24 15:03:51 NZDT; 36s ago
>      Docs: man:guacd(8)
>  Main PID: 2952 (guacd)
>     Tasks: 1 (limit: 10717)
>    Memory: 11.3M
>    CGroup: /system.slice/guacd.service
>            └─2952 /usr/local/sbin/guacd -f
>
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]:
> INFO:
> Loading keymap "en-us-qwerty"
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Loading keymap
> "en-us-qwerty"
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Error connecting to
> RDP server
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]:
> ERROR:
> Error connecting to RDP server
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: User
> "@a823603a-b58b-4646-b7fa-e55fc9e49383" disconnected (0 users remain)
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]:
> INFO:
> User "@a823603a-b58b-4646-b7fa-e55fc9e49383" disconnected (0 users remain)
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]:
> INFO:
> Last user of connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398"
> disconnected
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Last user of
> connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" disconnected
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: Connection
> "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" removed.
> Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2952]:
> INFO:
> Connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" removed.
>
> When I change "info" to "debug" in guacd.conf, "systemctl status guacd"
> shows:
>
> ● guacd.service - Guacamole Server
>    Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
> preset: disabled)
>    Active: active (running) since Fri 2020-01-24 15:00:49 NZDT; 28s ago
>      Docs: man:guacd(8)
>  Main PID: 2794 (guacd)
>     Tasks: 1 (limit: 10717)
>    Memory: 11.0M
>    CGroup: /system.slice/guacd.service
>            └─2794 /usr/local/sbin/guacd -f
>
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: User
> "@d48ba968-2367-48fd-8b24-69fedd312358" disconnected (0 users remain)
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]:
> INFO:
> User "@d48ba968-2367-48fd-8b24-69fedd312358" disconnected (0 users remain)
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]:
> INFO:
> Last user of connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530"
> disconnected
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Last user of
> connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" disconnected
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]:
> DEBUG:
> Requesting termination of client...
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]:
> DEBUG:
> Client terminated successfully.
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Requesting
> termination of client...
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Client terminated
> successfully.
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: Connection
> "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" removed.
> Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2794]:
> INFO:
> Connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" removed.
>
> Is there anything I can do to get more detail ?
>

How recent was your build from staging/1.1.0?

- Mike

Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by drhy <da...@outlook.com>.
Hi Mike,

with default settings, "systemctl status guacd" shows:

root@guactest~ systemctl status guacd
● guacd.service - Guacamole Server
   Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
preset: disabled)
   Active: active (running) since Fri 2020-01-24 15:03:51 NZDT; 36s ago
     Docs: man:guacd(8)
 Main PID: 2952 (guacd)
    Tasks: 1 (limit: 10717)
   Memory: 11.3M
   CGroup: /system.slice/guacd.service
           └─2952 /usr/local/sbin/guacd -f

Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]: INFO:       
Loading keymap "en-us-qwerty"
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Loading keymap
"en-us-qwerty"
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Error connecting to
RDP server
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]: ERROR:       
Error connecting to RDP server
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: User
"@a823603a-b58b-4646-b7fa-e55fc9e49383" disconnected (0 users remain)
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]: INFO:       
User "@a823603a-b58b-4646-b7fa-e55fc9e49383" disconnected (0 users remain)
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2987]: INFO:       
Last user of connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" disconnected
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2987]: Last user of
connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" disconnected
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: Connection
"$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" removed.
Jan 24 15:04:23 guactest.xxxxxxxxxxxxx.nz guacd[2952]: guacd[2952]: INFO:       
Connection "$94c16ea4-c2a3-49f0-ba6a-5968f6ed7398" removed.

When I change "info" to "debug" in guacd.conf, "systemctl status guacd"
shows:

● guacd.service - Guacamole Server
   Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
preset: disabled)
   Active: active (running) since Fri 2020-01-24 15:00:49 NZDT; 28s ago
     Docs: man:guacd(8)
 Main PID: 2794 (guacd)
    Tasks: 1 (limit: 10717)
   Memory: 11.0M
   CGroup: /system.slice/guacd.service
           └─2794 /usr/local/sbin/guacd -f

Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: User
"@d48ba968-2367-48fd-8b24-69fedd312358" disconnected (0 users remain)
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]: INFO:       
User "@d48ba968-2367-48fd-8b24-69fedd312358" disconnected (0 users remain)
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]: INFO:       
Last user of connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" disconnected
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Last user of
connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" disconnected
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]: DEBUG:       
Requesting termination of client...
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2826]: DEBUG:       
Client terminated successfully.
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Requesting
termination of client...
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2826]: Client terminated
successfully.
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: Connection
"$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" removed.
Jan 24 15:01:10 guactest.xxxxxxxxxxxxx.nz guacd[2794]: guacd[2794]: INFO:       
Connection "$6ad546e6-36f8-4a3b-ba4d-9dc517acd530" removed.

Is there anything I can do to get more detail ?

-David






Re: guacd 1.1.0 (as at 2020-01-22) daemon on CentOS 8.1 only runs as root

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 23, 2020, 17:32 drhy <da...@outlook.com> wrote:

> Hi,
>
> I'm not sure where this should be posted so am hoping this is OK.
> I have just installed the 1.1.0 version from apache.
>

There is no 1.1.0 yet. Your testing is appreciated, but keep in mind you
are testing code that is not yet an RC and not yet a release.

It will probably be an RC soon, though, assuming what you are asking about
doesn't prove to be a regression.

> I have it running successfully on CentOS 8.1 with MySQL 8 and Radius talking
> to Windows 2019 Network Policy Server (using mschapv2 or pap, but no
> others).
>
> The only - small - issue I have is that the guacd service needs to run
> under
> User=root for rdp connections to succeed. It won't connect with
> User=daemon.
> I haven't tested the other protocols.
>

What does guacd say in the logs when connecting with RDP fails?

- Mike