Posted to user@guacamole.apache.org by Felix Wolfheimer <f....@googlemail.com> on 2017/10/16 18:21:14 UTC

Fwd: Problems with basic authentication

Hi,

I'm trying to get a VNC connection working using Guacamole. I built and
installed the guacd and the client without issues, started guacd and
tomcat, and can see the login page of Guacamole when connecting with the
browser, but whatever I try with the user-mapping.xml file, I can't log in.
I installed the "user-mapping.xml" file to /usr/share/tomcat/.guacamole
(the HOME of the tomcat user is /usr/share/tomcat) and the user-mapping.xml
file is the one and only file in this directory. It has the following
content:

<user-mapping>
  <authorize username="testuser" password="testing">
    <connection name="Cloud Workstation">
       <protocol>vnc</protocol>
       <param name="hostname">localhost</param>
       <param name="port">5901</param>
   </connection>
  </authorize>
</user-mapping>

The only message I can find on the server about the failed login is the
following line in /var/log/messages:

WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
x.x.x.x for user "testuser" failed.

I've entered the password multiple times to make sure that I just made a
typo.

Is there anything I'm missing and are there other places where I can find
debugging information about the login process which could help
understanding what goes wrong?

Thanks!

Re: Problems with basic authentication

Posted by Felix Wolfheimer <f....@googlemail.com>.
Argh, indeed this was a permission problem. I used "chmod -R 0400
/etc/guacamole" to set permissions which is sufficient for the
configuration files but not for the directory itself of course. This
basically locked out the tomcat user and the messages in /var/log/messages
then confused me. Maybe it would be a good idea to just add some output in
the code which checks for the Guacamole home issuing a warning that a
directory is present but can't be opened because access is denied.

BTW: Is there a way to file a bug regarding the documentation issue you
mentioned? Things like this can be quite confusing and fixing them is quite
easy. ;-)

Thanks for your great help!

2017-10-19 0:57 GMT+02:00 Mike Jumper <mi...@guac-dev.org>:

> On Wed, Oct 18, 2017 at 5:30 AM, Felix Wolfheimer
> <f....@googlemail.com> wrote:
> > Hi Nick,
> >
> > thanks for your help and your suggestions. I created /etc/guacamole and put
> > guacamole.properties into this directory. The file has the following
> > content:
> >
> > guacd-hostname: localhost
> > guacd-port:     4822
> > user-mapping: /etc/guacamole/user-mapping.xml
> >
>
> Beware that:
>
> 1) The property "user-mapping" is a typo in the manual, and should
> actually be "basic-user-mapping"
> 2) The "basic-user-mapping" property was deprecated in 0.9.10-incubating [1]
>
> Though the property "basic-user-mapping" should still work, its use is
> no longer recommended. The default location of
> "GUACAMOLE_HOME/user-mapping.xml" should be used instead.
>
> It's worth noting that "/etc/guacamole" was recently added to the
> default search locations for GUACAMOLE_HOME [2], so the locations
> you're using for everything here are actually the default on git and
> for future releases.
>
> - Mike
>
> [1] http://guacamole.incubator.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property
> [2] https://issues.apache.org/jira/browse/GUACAMOLE-335
>
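
The permission problem described in the message above, as an added example that is not part of the original thread: after "chmod -R 0400" the directory has no search (x) bit, so the service account cannot reach files it is otherwise allowed to read. The function names and the temporary directory standing in for /etc/guacamole are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# temporary directory is a constructed stand-in for /etc/guacamole.

# Build a throwaway config directory with the two files named in the thread.
make_demo_home() {
    home=$(mktemp -d)
    printf 'guacd-hostname: localhost\nguacd-port: 4822\n' > "$home/guacamole.properties"
    printf '<user-mapping/>\n' > "$home/user-mapping.xml"
    echo "$home"
}

# Same end state as "chmod -R 0400 DIR" run by root: the files and the
# directory itself are r--------, so the directory has no search (x) bit.
break_like_thread() {
    chmod 0400 "$1/guacamole.properties" "$1/user-mapping.xml"
    chmod 0400 "$1"
}

# Report owner permission bits that lock out the owning service account:
# directories need r-x (list and traverse), regular files need r.
# A flagged directory is pruned, since nothing below it is reachable anyway.
audit_config_tree() {
    find "$1" \( -type d ! -perm -0500 -exec echo DIR-NOT-TRAVERSABLE {} \; -prune \) \
           -o \( -type f ! -perm -0400 -exec echo FILE-NOT-READABLE {} \; \)
}

# Read-only but usable: capital X grants search permission to directories
# (and to files that already carry an execute bit), so plain files stay 0400.
fix_config_tree() {
    chmod -R u=rX,go= "$1"
}

# Remove a demo directory; owner write permission has to be restored first.
cleanup_demo_home() {
    chmod -R u+rwX "$1" && rm -rf "$1"
}

demo=$(make_demo_home)
break_like_thread "$demo"
echo "after 0400 on files and directory:"; audit_config_tree "$demo"
fix_config_tree "$demo"
echo "after chmod -R u=rX,go=:"; audit_config_tree "$demo"
cleanup_demo_home "$demo"
```

The audit looks only at owner mode bits; on a real host the direct check is to read the file as the service account, for example "sudo -u tomcat head -n 1 /etc/guacamole/guacamole.properties".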

Re: Problems with basic authentication

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Oct 18, 2017 at 5:30 AM, Felix Wolfheimer
<f....@googlemail.com> wrote:
> Hi Nick,
>
> thanks for your help and your suggestions. I created /etc/guacamole and put
> guacamole.properties into this directory. The file has the following
> content:
>
> guacd-hostname: localhost
> guacd-port:     4822
> user-mapping: /etc/guacamole/user-mapping.xml
>

Beware that:

1) The property "user-mapping" is a typo in the manual, and should
actually be "basic-user-mapping"
2) The "basic-user-mapping" property was deprecated in 0.9.10-incubating [1]

Though the property "basic-user-mapping" should still work, its use is
no longer recommended. The default location of
"GUACAMOLE_HOME/user-mapping.xml" should be used instead.

It's worth noting that "/etc/guacamole" was recently added to the
default search locations for GUACAMOLE_HOME [2], so the locations
you're using for everything here are actually the default on git and
for future releases.

- Mike

[1] http://guacamole.incubator.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property
[2] https://issues.apache.org/jira/browse/GUACAMOLE-335

Re: Problems with basic authentication

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Oct 18, 2017 at 3:24 PM, Felix Wolfheimer
<f....@googlemail.com> wrote:
> ...
>
> INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file
> found within GUACAMOLE_HOME or the classpath. Using defaults.
>

Is /etc/guacamole/guacamole.properties readable by the user running
the Tomcat service?

>
> ... So I wonder whether this might be a problem in openjdk. Is
> guacamole usually working better with a proprietary Java version?
>

No. OpenJDK should work fine.

- Mike

Re: Problems with basic authentication

Posted by Felix Wolfheimer <f....@googlemail.com>.
Nick,

the distribution is RHEL 7.4:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

I'm using openjdk:

# java -version
openjdk version "1.8.0_144"
OpenJDK Runtime Environment (build 1.8.0_144-b01)
OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)

SELinux was enabled but I've now completely disabled it and rebooted
the machine:

# getenforce
Disabled

This change has no effect on the behavior.

I looked a bit in the Guacamole code and found the place where it tries
to read the guacamole.properties file
(guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java).
I've added debug statements to understand what happens:

>>>>

        // Read properties
        properties = new Properties();
        try {

            InputStream stream = null;

            // If not a directory, load from classpath
            if (!guacHome.isDirectory())
            {
                stream = LocalEnvironment.class.getResourceAsStream("/guacamole.properties");
            }
            // Otherwise, try to load from file
            else {
                File propertiesFile = new File(guacHome,"guacamole.properties");
                logger.info("FW: The file name is:"+propertiesFile.getAbsolutePath());
                if (propertiesFile.exists())
                {
                    stream = new FileInputStream(propertiesFile);
                    logger.info("FW: The file exists:"+propertiesFile.getName()+"\n");
                }
            }

<<<<

The output I get in /var/log/messages is:

INFO  o.a.g.environment.LocalEnvironment - FW: The file name
is:/etc/guacamole/guacamole.properties

INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file
found within GUACAMOLE_HOME or the classpath. Using defaults.

So even though the file /etc/guacamole/guacamole.properties exists, the
propertiesFile.exists() call returns false for some reason. And probably
the same is true for the user-mapping.xml file. So I wonder whether this
might be a problem in openjdk. Is guacamole usually working better with
a proprietary Java version?



On Wed, 2017-10-18 at 12:28 -0400, Nick Couchman wrote:
> On Wed, Oct 18, 2017 at 8:30 AM, Felix Wolfheimer
> <f....@googlemail.com> wrote:
> > Hi Nick,
> >
> > thanks for your help and your suggestions. I created /etc/guacamole
> > and put guacamole.properties into this directory. The file has the
> > following content:
> >
> > guacd-hostname: localhost
> > guacd-port:     4822
> > user-mapping: /etc/guacamole/user-mapping.xml
> >
> > I also put my user-mapping.xml file into this directory (same
> > content as before). I added the line "guacamole.home=/etc/guacamole"
> > to /etc/tomcat/catalina.properties and restarted tomcat. The
> > permissions of the /etc/guacamole directory and its files were
> > set such that tomcat can access all files (tomcat.root, 400).
> > Looking at /var/log/messages after the restart reveals the
> > following lines which might be related to the issue:
>
> Felix,
> What Linux distro/version are you running?  Is SELinux enabled (output
> of "getenforce" command)?
>
> -Nick



Re: Problems with basic authentication

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Oct 18, 2017 at 8:30 AM, Felix Wolfheimer <
f.wolfheimer@googlemail.com> wrote:

> Hi Nick,
>
> thanks for your help and your suggestions. I created /etc/guacamole and
> put guacamole.properties into this directory. The file has the following
> content:
>
> guacd-hostname: localhost
> guacd-port:     4822
> user-mapping: /etc/guacamole/user-mapping.xml
>
> I also put my user-mapping.xml file into this directory (same content as
> before). I added the line "guacamole.home=/etc/guacamole" to
> /etc/tomcat/catalina.properties and restarted tomcat. The permissions of
> the /etc/guacamole directory and its files were set such that tomcat can
> access all files (tomcat.root, 400). Looking at /var/log/messages after the
> restart reveals the following lines which might be related to the issue:
>


Felix,
What Linux distro/version are you running?  Is SELinux enabled (output of
"getenforce" command)?

-Nick

Re: Problems with basic authentication

Posted by Felix Wolfheimer <f....@googlemail.com>.
Hi Nick,

thanks for your help and your suggestions. I created /etc/guacamole and put
guacamole.properties into this directory. The file has the following
content:

guacd-hostname: localhost
guacd-port:     4822
user-mapping: /etc/guacamole/user-mapping.xml

I also put my user-mapping.xml file into this directory (same content as
before). I added the line "guacamole.home=/etc/guacamole" to
/etc/tomcat/catalina.properties and restarted tomcat. The permissions of
the /etc/guacamole directory and its files were set such that tomcat can
access all files (tomcat.root, 400). Looking at /var/log/messages after the
restart reveals the following lines which might be related to the issue:

 Oct 18 12:00:46 server: 12:00:46.936 [localhost-startStop-1] INFO
o.a.g.environment.LocalEnvironment - No guacamole.properties file found
within GUACAMOLE_HOME or the classpath. Using defaults.
Oct 18 12:00:47 server: 12:00:47.030 [localhost-startStop-1] INFO
o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes
of inactivity.
Oct 18 12:00:47 server: 12:00:47.153 [localhost-startStop-1] INFO
o.a.g.environment.LocalEnvironment - No guacamole.properties file found
within GUACAMOLE_HOME or the classpath. Using defaults.
Oct 18 12:00:47 server: 12:00:47.273 [localhost-startStop-1] INFO
o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
Oct 18 12:00:47 server: Oct 18, 2017 12:00:47 PM
com.google.inject.internal.ProxyFactory <init>
Oct 18 12:00:47 server: WARNING: Method [public void
org.apache.guacamole.rest.user.UserResource.updateObject(java.lang.Object)
throws org.apache.guacamole.GuacamoleException] is synthetic and is being
intercepted by [org.apache.guacamole.rest.RESTExceptionWrapper@64eba1f3].
This could indicate a bug.  The method may be intercepted twice, or may not
be intercepted at all.

So first it doesn't seem to find the guacamole.properties file for some
reason and then an exception occurs in "UserResource" which may indicate
that there's something wrong with the user settings. I now also added the
environment variable GUACAMOLE_HOME to /etc/sysconfig/tomcat such that it
is in the environment of tomcat as follows:

[root@test-guacamole ~]# cat /proc/2469/environ | tr '\0' '\n'
TOMCATS_BASE=/var/lib/tomcats/
GUACAMOLE_HOME=/etc/guacamole
SHELL=/sbin/nologin
CATALINA_HOME=/usr/share/tomcat
OLDPWD=/
NAME=
USER=tomcat
TOMCAT_CFG_LOADED=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PWD=/usr/share/tomcat
JAVA_HOME=/usr/lib/jvm/jre
LANG=en_US.UTF-8
SHLVL=0
HOME=/usr/share/tomcat
SECURITY_MANAGER=false
LOGNAME=tomcat
CATALINA_TMPDIR=/var/cache/tomcat/temp

After a restart of tomcat, again the same messages occur, i.e., Guacamole
claims that guacamole.properties can't be found. BTW: I looked through the
logs and this set of messages occurred also when I put the files into
CATALINA_HOME (my original try).
I'm puzzled why it can't find the files. Any ideas how to solve this (or
just get more output to find out what guacamole tries to do) are greatly
appreciated.


2017-10-17 4:26 GMT+02:00 Nick Couchman <vn...@apache.org>:

> On Mon, Oct 16, 2017 at 2:21 PM, Felix Wolfheimer <
> f.wolfheimer@googlemail.com> wrote:
>
>>
>> Hi,
>>
>> I'm trying to get a VNC connection working using Guacamole. I built and
>> installed the guacd and the client without issues, started guacd and
>> tomcat, and can see the login page of Guacamole when connecting with the
>> browser, but whatever I try with the user-mapping.xml file, I can't log in.
>> I installed the "user-mapping.xml" file to /usr/share/tomcat/.guacamole
>> (the HOME of the tomcat user is /usr/share/tomcat) and the user-mapping.xml
>> file is the one and only file in this directory. It has the following
>> content:
>>
>> <user-mapping>
>>   <authorize username="testuser" password="testing">
>>     <connection name="Cloud Workstation">
>>        <protocol>vnc</protocol>
>>        <param name="hostname">localhost</param>
>>        <param name="port">5901</param>
>>    </connection>
>>   </authorize>
>> </user-mapping>
>>
>> The only message I can find on the server about the failed login is the
>> following line in /var/log/messages:
>>
>> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
>> x.x.x.x for user "testuser" failed.
>>
>> I've entered the password multiple times to make sure that I just made a
>> typo.
>>
>> Is there anything I'm missing and are there other places where I can find
>> debugging information about the login process which could help
>> understanding what goes wrong?
>>
>> Thanks!
>>
> Everything you've done looks fine to me, but I'd suggest doing the
> following:
> - Edit your catalina.properties file (stored in the same place as the rest
> of the Tomcat configs, like server.xml) and add the following line:
> guacamole.home=/etc/guacamole
> - Create the /etc/guacamole directory and set up permissions such that the
> user running Tomcat can access it.
> - Put your user-mapping.xml file in /etc/guacamole and restart Tomcat.
> Verify permissions on that file, too, to make sure the Tomcat user has read
> access.
>
> See if that works - like I said, what you've done seems like it should
> work, so not sure what's going on, but maybe this will help.
>
> -Nick
>

Re: Problems with basic authentication

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Oct 16, 2017 at 2:21 PM, Felix Wolfheimer <
f.wolfheimer@googlemail.com> wrote:

>
> Hi,
>
> I'm trying to get a VNC connection working using Guacamole. I built and
> installed the guacd and the client without issues, started guacd and
> tomcat, and can see the login page of Guacamole when connecting with the
> browser, but whatever I try with the user-mapping.xml file, I can't log in.
> I installed the "user-mapping.xml" file to /usr/share/tomcat/.guacamole
> (the HOME of the tomcat user is /usr/share/tomcat) and the user-mapping.xml
> file is the one and only file in this directory. It has the following
> content:
>
> <user-mapping>
>   <authorize username="testuser" password="testing">
>     <connection name="Cloud Workstation">
>        <protocol>vnc</protocol>
>        <param name="hostname">localhost</param>
>        <param name="port">5901</param>
>    </connection>
>   </authorize>
> </user-mapping>
>
> The only message I can find on the server about the failed login is the
> following line in /var/log/messages:
>
> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
> x.x.x.x for user "testuser" failed.
>
> I've entered the password multiple times to make sure that I just made a
> typo.
>
> Is there anything I'm missing and are there other places where I can find
> debugging information about the login process which could help
> understanding what goes wrong?
>
> Thanks!
>

Everything you've done looks fine to me, but I'd suggest doing the
following:
- Edit your catalina.properties file (stored in the same place as the rest
of the Tomcat configs, like server.xml) and add the following line:
guacamole.home=/etc/guacamole
- Create the /etc/guacamole directory and set up permissions such that the
user running Tomcat can access it.
- Put your user-mapping.xml file in /etc/guacamole and restart Tomcat.
Verify permissions on that file, too, to make sure the Tomcat user has read
access.

See if that works - like I said, what you've done seems like it should
work, so not sure what's going on, but maybe this will help.

-Nick