Posted to user@guacamole.apache.org by Zer0Cool <me...@gmail.com> on 2020/02/04 14:12:31 UTC

FreeRDP Writable User Home Dir?

When trying to connect via RDP I get the following error in
/var/log/messages:

"FreeRDP initialization may fail: The current user's home directory
("/sbin") is not writable, but FreeRDP generally requires a writable home
directory for storage of configuration files and certificates."

The release notes for Guac 1.1.0 mention this issue but not how to actually
fix/resolve it:

"For Guacamole’s RDP support, this means that the user running guacd must
have a valid, writable home directory, and that RDP connections...may begin
failing if the user running guacd does not have a valid home directory."

How do I determine what user/account is running guacd and how do I ensure it
has a writable home dir?

"Sanity checks have been added to Guacamole’s RDP support which will log
warnings if these conditions are not met."

Which log provides these warnings? What are the conditions?

Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: FreeRDP Writable User Home Dir?

Posted by Zer0Cool <me...@gmail.com>.
I have a Guac 1.0.0 server in production (CentOS 7.7, freerdp 1.x) that
connects to the same Windows 7 client without that box ticked. The
/var/log/messages show no errors or warnings about the certificate and the
connection works.

Aside from ignoring the error, how would I approach fixing this? Not sure
what kind of cert this is or how to issue/create/resolve this.

Thanks





Re: FreeRDP Writable User Home Dir?

Posted by Niubbo75 <a....@me.com.INVALID>.
Hi, the cert error is due to the Windows side; you need a valid cert to connect
without accepting an untrusted cert.
From what I remember, I got the same error also on 1.0.0 and 0.9.9 (if I
remember the right sub version).





Re: FreeRDP Writable User Home Dir?

Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
I can't completely answer your question but thought I'd drop in to say 
that in the several instances of Guacamole I have running I always check 
'ignore cert', IOW I consider this normal practice.

In my largest installation (~60 possible users), presently utilising 
Guacamole 1.0.0, we have a mix of Win7 and Win10 machines. If I don't 
check the box at least one group of machines fails to connect (it's 
currently in use so I can't check for sure which group - or if it's both).

Given what I've read I suspect it occurs due to uncheckable self-signed 
certs, but I've never pursued the 'why'. As I trust the machines I set 
the specific connections up for within the internal network I don't see 
the need to go much further in terms of security checking.


On 5/02/2020 5:00 a.m., Zer0Cool wrote:
> Rebooted (though restarting services would likely work too) and got past the
> home dir error, however I faced a new error (/var/log/messages) and RDP not
> connecting:
>
> guacd[9918]: Certificate validation failed
> guacd: guacd[9918]: INFO:#011Certificate validation failed
> guacd: guacd[9918]: ERROR:#011Error connecting to RDP server
> guacd[9918]: Error connecting to RDP server
>
> The client is a Windows 7 Pro box. I found that if I checked the box for
> this connection labeled "Ignore server certificate" then I could connect to
> this connection.
>
> Any idea why this would be needed? Previously, Guac 1.0.0, freerdp 1.x,
> CentOS 7.7 and the same Windows 7 client did not require this box to be
> checked to connect.
>
> What does the error actually mean? What certificate failed verification? Is
> this correctable or is the only option to ignore the cert?


Re: FreeRDP Writable User Home Dir?

Posted by Zer0Cool <me...@gmail.com>.
Thanks, so in a test situation this worked out.

I created a group: sudo groupadd guacd
I then created my user as follows: sudo useradd -r guacd -m -s /bin/nologin -g guacd -c guacd
(-r for system account, -m to create home dir, -s for nologin, -g to add to
group, -c is just name/description and optional).

I then edited the file: /etc/systemd/system/guacd.service
and changed the user line to: User=guacd

Rebooted (though restarting services would likely work too) and got past the
home dir error, however I faced a new error (/var/log/messages) and RDP not
connecting:

guacd[9918]: Certificate validation failed
guacd: guacd[9918]: INFO:#011Certificate validation failed
guacd: guacd[9918]: ERROR:#011Error connecting to RDP server
guacd[9918]: Error connecting to RDP server

The client is a Windows 7 Pro box. I found that if I checked the box for
this connection labeled "Ignore server certificate" then I could connect to
this connection.

Any idea why this would be needed? Previously, Guac 1.0.0, freerdp 1.x,
CentOS 7.7 and the same Windows 7 client did not require this box to be
checked to connect.

What does the error actually mean? What certificate failed verification? Is
this correctable or is the only option to ignore the cert?

Thanks





Re: FreeRDP Writable User Home Dir?

Posted by "Stefan M. Radman" <sm...@kmi.com.INVALID>.
> So is the correct solution to this issue to create a user to run guacd, set
> the guacd service to run from that user and have that user to run guacd have
> a writable home folder?

Yes, I think that's correct.

Modifying file src/guacd/systemd/guacd.service.in before running configure should do half of the job (see below).
The other half is creating the user, which will create the home directory by default.

Cheers
Stefan

smr:guacamole-server-1.1.0 smr$ cat src/guacd/systemd/guacd.service.in | fgrep -1 User=daemon
[Service]
User=daemon
ExecStart=@sbindir@/guacd -f


On Feb 4, 2020, at 16:09, Zer0Cool <me...@gmail.com> wrote:


Re: FreeRDP Writable User Home Dir?

Posted by Zer0Cool <me...@gmail.com>.
I should have specified before, this is Guac 1.1.0, CentOS 7.7. I am
installing Guac server from source direct from the apache guacamole site:
"https://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VER}/",
not a repo like EPEL.

I ran the following command: ps aux | grep guacd

This returned:
daemon   22404  0.0  0.3 116488 13068 ?        Ss   09:28   0:00
/usr/local/sbin/guacd -f

So apparently the user that guacd runs off for me is "daemon".

getent passwd returns:
daemon:x:2:2:daemon:/sbin:/sbin/nologin

Which explains why sbin is listed as the home folder via the error message
in /var/log/messages.

So is the correct solution to this issue to create a user to run guacd, set
the guacd service to run from that user and have that user to run guacd have
a writable home folder?

If that's correct, how do I set what user runs guacd?

Thanks





Re: FreeRDP Writable User Home Dir?

Posted by "Stefan M. Radman" <sm...@kmi.com.INVALID>.
The guacd-1.0.0 package currently available from EPEL creates a "guacd" user and home directory /var/lib/guacd upon installation, then starts guacd as that user.

That's how it ensures a writable home directory.

Stefan

https://centos.pkgs.org/7/epel-x86_64/guacd-1.0.0-3.el7.x86_64.rpm.html
[root@dev7 ~]# rpm -q guacd
guacd-1.0.0-3.el7.x86_64
[root@dev7 ~]# rpm -q --scripts guacd | head -5
preinstall scriptlet (using /bin/sh):
getent group guacd >/dev/null || groupadd -r guacd &>/dev/null || :
getent passwd guacd >/dev/null || useradd -r -s /sbin/nologin \
    -d /var/lib/guacd -M -c 'Guacamole proxy daemon' -g guacd guacd &>/dev/null || :
exit 0
[root@dev7 ~]# cat /usr/lib/systemd/system/guacd.service
[Unit]
Description=Guacamole proxy daemon
Documentation=man:guacd(8)
After=network.target

[Service]
EnvironmentFile=-/etc/sysconfig/guacd
Environment=HOME=/var/lib/guacd
ExecStart=/usr/sbin/guacd -f $OPTS
Restart=on-failure
User=guacd
Group=guacd

[Install]
WantedBy=multi-user.target

[root@dev7 ~]#


On Feb 4, 2020, at 15:12, Zer0Cool <me...@gmail.com> wrote:

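As an added worked example (not code from this thread or from the Guacamole project), the POSIX shell script below ties together what the thread arrives at: find which account guacd is running as, check whether that account's home directory is writable (the condition the FreeRDP sanity check logs about), and, if it is not, create a dedicated `guacd` system user with a home under `/var/lib/guacd` and run guacd as that user through a systemd drop-in instead of editing the unit that `make install` generated. The user name, the `/var/lib/guacd` path and the unit name come from the thread; the drop-in path `/etc/systemd/system/guacd.service.d/override.conf` is the standard systemd override location and is my assumption, as is the availability of `getent`, `runuser` and procps `ps -C` (all present on CentOS 7).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Guacamole project.
# Automates the checks and the fix discussed in the thread: which account
# runs guacd, is its home directory writable, and how to run guacd as a
# dedicated user with a real home directory. Paths and the "guacd" user name
# follow the thread; the systemd drop-in location is an assumption.

# Print the home directory of user $1 from passwd-format text on stdin
# (for example the output of `getent passwd`).
# Field 6 of name:pw:uid:gid:gecos:home:shell.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }'
}

# Succeed when $1 exists, is a directory and is writable by the *calling* user.
# To evaluate it on behalf of the service account instead, run as root:
#   runuser -u guacd -- sh -c '. ./guacd-home-check.sh; home_writable /var/lib/guacd'
home_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Report which user the running guacd belongs to and whether that user's home
# is writable; mirrors the ps/getent steps from the thread.
# Returns 0 if fine, 1 if the home is unusable, 2 if guacd is not running.
inspect_guacd() {
    user=$(ps -o user= -C guacd | head -n 1)
    if [ -z "$user" ]; then
        echo "guacd is not running" >&2
        return 2
    fi
    home=$(getent passwd "$user" | passwd_home "$user")
    if home_writable "$home"; then
        echo "guacd runs as '$user'; home '$home' is writable"
    else
        echo "guacd runs as '$user'; home '$home' is NOT writable (FreeRDP will warn)" >&2
        return 1
    fi
}

# Idempotently create system account $1 with its home under /var/lib, in the
# shape of the EPEL pre-install scriptlet quoted in the thread, but with -m so
# useradd creates the directory itself. Requires root.
create_service_user() {
    getent group "$1" >/dev/null || groupadd -r "$1"
    getent passwd "$1" >/dev/null ||
        useradd -r -m -d "/var/lib/$1" -s /sbin/nologin \
            -c 'Guacamole proxy daemon' -g "$1" "$1"
}

# Write a systemd drop-in so guacd.service runs as user $1 with HOME set,
# leaving the installed unit untouched. $2 (optional) is a staging root so the
# file can be written somewhere other than / for review or testing.
# Prints the path written. Apply with:
#   systemctl daemon-reload && systemctl restart guacd
write_dropin() {
    dir="${2:-}/etc/systemd/system/guacd.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Service]
User=$1
Group=$1
Environment=HOME=/var/lib/$1
EOF
    echo "$dir/override.conf"
}

# Typical use as root on the guacd host:
#   . ./guacd-home-check.sh
#   inspect_guacd || { create_service_user guacd; write_dropin guacd;
#                      systemctl daemon-reload; systemctl restart guacd; }
```

Two design points worth noting. A drop-in under `guacd.service.d/` survives a later `make install`, which would otherwise overwrite a hand-edited `guacd.service` and silently put guacd back on the `daemon` account with `/sbin` as its home. And `-m` is used here because this is a from-source install; the EPEL scriptlet in the thread uses `-M` only because the RPM itself packages and owns `/var/lib/guacd`.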