Posted to user@guacamole.apache.org by sysjaj <ja...@gccaz.edu> on 2020/09/03 22:37:58 UTC

Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Hello all. I'd like to thank everyone in ADVANCE for any help you can
provide. I have been battling this Guacamole install for more than a week
and am at my wits' end. I have installed the latest version on an Ubuntu 20.04
server that has been joined to our domain as well. This is the sole purpose
of this machine and no other applications are running on it. The (UFW) firewall
is disabled as well. I was able to get MySQL authentication to work, but for
our school and user base we need people to be able to use their Active
Directory credentials to log in. I have tried MANY permutations of the
"guacamole.properties" file with no success. The only error message I am
able to get is from /var/log/syslog and it reads:

Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.994 [http-nio-8080-exec-8]
ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at
"ADMAIN11.gccaz.edu " as user "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
failed: ERR_04121_CANNOT_RESOLVE_HOSTNAME Cannot connect to the server,
Hostname 'ADMAIN11.gccaz.edu ' could not be resolved.
Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.995 [http-nio-8080-exec-8]
ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search
DN "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"

Now the hostname not resolving confuses me, as this server CAN ping that
domain controller via IP and host name and joined the domain. (I have also
tried the config file with the IP address and get the SAME error, which I would
have thought not possible using IPs.) Here is an example of nslookup on the
server, which does resolve:

root@guacamole:/var/log# nslookup admain11
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   admain11.gccaz.edu
Address: 10.1.50.240

Here is the output of the resolvectl status command:

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 10.1.50.230
         DNS Servers: 10.1.50.230
Fallback DNS Servers: 10.1.50.240
          DNS Domain: gccaz.edu
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (ens160)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 10.1.50.230
         DNS Servers: 10.1.50.230
                      10.1.50.240
          DNS Domain: gccaz.edu

So DNS would appear to be functioning to me and resolving on this domain.

Here is the content of my guacamole.properties file:

# SSL Settings: If set to "true", Guacamole will require SSL/TLS encryption
# between the web application and guacd. By default, communication between the
# web application and guacd will be unencrypted.
#guacd-ssl: true

# Authentication Providers
# A comma-separated list of the identifiers of authentication providers that
# should be allowed to fail internally without aborting the authentication
# process.
skip-if-unavailable: mysql,ldap

# LDAP Connection information
ldap-hostname: ADMAIN11.gccaz.edu
#ldap-encryption-method: none
ldap-user-base-dn:DC=gccaz,DC=edu
ldap-search-bind-dn:CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
ldap-search-bind-password:******
#ldap-username-attribute: sAMAccountName
ldap-follow-referrals:true

# MYSQL Settings
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: ***********


Here is the output of the Catalina log in /var/log/tomcat9, which has been
pretty much the same for the last week no matter how many times I restart the
service, reboot the server, or make config changes to the
guacamole.properties file.

The Catalina logs show nothing:

03-Sep-2020 11:25:24.487 INFO [Thread-3]
org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler
["http-nio-8080"]
03-Sep-2020 11:25:24.506 INFO [Thread-3]
org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler
["http-nio-8080"]
03-Sep-2020 11:26:04.114 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:  
Apache Tomcat/9.0.31 (Ubuntu)
03-Sep-2020 11:26:04.125 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built:         
Feb 24 2020 22:37:00 UTC
03-Sep-2020 11:26:04.125 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.31.0
03-Sep-2020 11:26:04.126 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:              
Linux
03-Sep-2020 11:26:04.126 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:           
5.4.0-45-generic
03-Sep-2020 11:26:04.127 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture:         
amd64
03-Sep-2020 11:26:04.127 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:            
/usr/lib/jvm/java-11-openjdk-amd64
03-Sep-2020 11:26:04.128 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:          
11.0.8+10-post-Ubuntu-0ubuntu120.04
03-Sep-2020 11:26:04.128 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:           
Ubuntu
03-Sep-2020 11:26:04.129 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:        
/var/lib/tomcat9
03-Sep-2020 11:26:04.129 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:        
/usr/share/tomcat9
03-Sep-2020 11:26:04.263 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
03-Sep-2020 11:26:04.266 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
03-Sep-2020 11:26:04.267 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
03-Sep-2020 11:26:04.268 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
03-Sep-2020 11:26:04.268 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
03-Sep-2020 11:26:04.269 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.awt.headless=true
03-Sep-2020 11:26:04.269 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djdk.tls.ephemeralDHKeySize=2048
03-Sep-2020 11:26:04.270 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
03-Sep-2020 11:26:04.270 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
03-Sep-2020 11:26:04.271 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dignore.endorsed.dirs=
03-Sep-2020 11:26:04.271 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=/var/lib/tomcat9
03-Sep-2020 11:26:04.271 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=/usr/share/tomcat9
03-Sep-2020 11:26:04.272 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=/tmp
03-Sep-2020 11:26:04.272 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
03-Sep-2020 11:26:04.273 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
03-Sep-2020 11:26:04.273 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
03-Sep-2020 11:26:04.288 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1f  31 Mar 2020]
03-Sep-2020 11:26:05.161 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
03-Sep-2020 11:26:05.270 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [2,278]
milliseconds
03-Sep-2020 11:26:05.458 INFO [main]
org.apache.catalina.core.StandardService.startInternal Starting service
[Catalina]
03-Sep-2020 11:26:05.458 INFO [main]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet
engine: [Apache Tomcat/9.0.31 (Ubuntu)]
03-Sep-2020 11:26:05.608 INFO [main]
org.apache.catalina.startup.HostConfig.deployWAR Deploying web application
archive [/var/lib/tomcat9/webapps/guacamole.war]
03-Sep-2020 11:26:09.700 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TL>
03-Sep-2020 11:26:14.798 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider
class
03-Sep-2020 11:26:14.803 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a
root resource class
03-Sep-2020 11:26:14.803 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.language.LanguageRESTService as a root
resource class
03-Sep-2020 11:26:14.804 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.patch.PatchRESTService as a root
resource class
03-Sep-2020 11:26:14.804 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.auth.TokenRESTService as a root
resource class
03-Sep-2020 11:26:14.804 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.session.SessionRESTService as a root
resource class
03-Sep-2020 11:26:14.805 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider
class
03-Sep-2020 11:26:14.809 INFO [main]
com.sun.jersey.server.impl.application.WebApplicationImpl._initiate
Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
03-Sep-2020 11:26:14.945 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.RESTExceptionMapper to
GuiceManagedComponentProvider with the scope "Singleton"
03-Sep-2020 11:26:14.950 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to
GuiceManagedComponentProvider with the scope "Singleton"
03-Sep-2020 11:26:15.960 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.extension.ExtensionRESTService to
GuiceManagedComponentProvider with the scope >
                                                                                                            
[ Read 140 lines ]

I have been googling and trying to find an answer online, including on this
mailing list, but still nothing seems to work. I'm pretty much throwing in
the towel at this point and may tell my boss it cannot be done. (Sorry, just
super frustrated. I've set up other CentOS servers and applications and
dealt with SELinux, but man, NOTHING has been as hard as this Guacamole setup
and install, by far. I thought using base Ubuntu would make it easier. I
am VERY worried, even if I can get past this, about HOW I am going to set this
all up for SSL and 636 communication and Java; it looks to be another nightmare
coming, but I digress.)

Again, I thank anyone for help, and ask if there are any other better "guides"
out there, as I have found the official documentation to be lacking.

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
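The bind error in the post above quotes the hostname as "ADMAIN11.gccaz.edu " with a trailing space, and a Java properties loader keeps trailing whitespace in a value. The following linter is an added example, not Guacamole's own code: it parses a guacamole.properties text with the java.util.Properties line rules and flags the three problems this thread runs into (trailing whitespace in a value, referral following, and unencrypted LDAP). The sample file is constructed from the properties shown in the post, with the trailing space put back deliberately.

```python
"""Lint guacamole.properties for the mistakes seen in this thread.

Added example, not Guacamole's own code. The parser follows the
java.util.Properties line rules closely enough for this purpose: the key
ends at the first ':' '=' or whitespace, whitespace around the separator
is skipped, but whitespace at the END of the value is kept. That is why
"ldap-hostname: ADMAIN11.gccaz.edu " yields a hostname that ends in a
space, which no DNS server can resolve.
"""
import re

# key, optional separator, value (everything to end of line, untouched)
_PROP = re.compile(r'^\s*([^:=\s]+)\s*[:=]?[ \t]*(.*)$')

# Constructed sample based on the properties shown in the thread. The
# trailing space is appended explicitly so an editor cannot strip it.
SAMPLE_PROPERTIES = "\n".join([
    "#LDAP Connection information",
    "ldap-hostname: ADMAIN11.gccaz.edu" + " ",
    "#ldap-encryption-method: none",
    "ldap-user-base-dn:DC=gccaz,DC=edu",
    "ldap-search-bind-dn:CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu",
    "ldap-search-bind-password:******",
    "#ldap-username-attribute: sAMAccountName",
    "ldap-follow-referrals:true",
    "",
    "# MYSQL Settings",
    "mysql-hostname: localhost",
    "mysql-port: 3306",
])


def parse_properties(text):
    """Return {key: raw value}; '#'/'!' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _PROP.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def lint_properties(props):
    """Return a list of (key, message) findings, per-key checks first."""
    findings = []
    for key, value in sorted(props.items()):
        if value != value.rstrip():
            findings.append((key, "value %r has trailing whitespace" % value))
        if key.endswith("-hostname") and " " in value.strip():
            findings.append((key, "hostname %r contains a space" % value))
    if props.get("ldap-follow-referrals", "").strip().lower() == "true":
        findings.append(("ldap-follow-referrals",
                         "referral following is on; in this thread it "
                         "produced duplicate DNs from Active Directory"))
    # Guacamole's default for ldap-encryption-method is "none".
    if "ldap-hostname" in props and \
            props.get("ldap-encryption-method", "none").strip() == "none":
        findings.append(("ldap-encryption-method",
                         "LDAP traffic, including the bind password, is "
                         "sent in clear text; use ssl (636) or starttls"))
    return findings


def lint_text(text):
    """Convenience wrapper: lint a properties file given as text."""
    return lint_properties(parse_properties(text))


if __name__ == "__main__":
    for key, message in lint_text(SAMPLE_PROPERTIES):
        print("%-24s %s" % (key, message))
```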


Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by sysjaj <ja...@gccaz.edu>.
Nick,

Thanks for the info and tips. I will definitely use them as I move to the next
step with Guacamole.

Appreciate the help. Have a great week!



Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Sep 7, 2020 at 7:28 PM sysjaj <ja...@gccaz.edu> wrote:

> Mike,
>
> Finally! I commented out the "ldap-follow-referrals:true", rebooted the
> server, and boom...BOTH my test AD accounts were able to authenticate and
> log in to the Guacamole web interface! Man. This has been brutal. Thanks so
> much for sticking in there with me and answering all my back and forth
> issues. I appreciate the help. NOW..on to the NEXT hard part..I'll try to
> tackle getting Guacamole to be HTTPS and also communicate with Active
> Directory securely, also over port 636 and not unsecured as now. (Sadly I
> predict I will be posting to this mailing list in the near future with
> issues about that too..sigh.) But for now at least I know it CAN connect
> with AD credentials for our end users and I can "close" this case.
>
>
Regarding LDAP SSL/TLS, you'll need to make sure that your LDAP server
certificates are trusted by Java. This usually means importing your LDAP
root certificate authority into your Java cacerts file, but exactly where
the cacerts file lives and how you go about that import can vary widely
depending on whether you're using your distribution's Java install or a
custom one.

For HTTPS access to Guacamole, the easiest way to go about this is to proxy
Tomcat behind a reverse proxy - most commonly either Apache httpd or
Nginx. The Guacamole manual provides instructions for how to accomplish
either of those:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html

-Nick

Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by sysjaj <ja...@gccaz.edu>.
Mike,

Finally! I commented out the "ldap-follow-referrals:true", rebooted the
server, and boom...BOTH my test AD accounts were able to authenticate and
log in to the Guacamole web interface! Man. This has been brutal. Thanks so much
for sticking in there with me and answering all my back and forth issues. I
appreciate the help. NOW..on to the NEXT hard part..I'll try to tackle
getting Guacamole to be HTTPS and also communicate with Active Directory
securely, also over port 636 and not unsecured as now. (Sadly I predict I
will be posting to this mailing list in the near future with issues about that
too..sigh.) But for now at least I know it CAN connect with AD credentials
for our end users and I can "close" this case.

Thanks so much for all your patience, efforts, and troubleshooting advice! 
Have a great rest of your week!



Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Sep 7, 2020 at 10:08 AM sysjaj <ja...@gccaz.edu> wrote:

> ...
>
> Alas, I still could not log in with Active Directory user accounts. Now I
> get this error in "syslog" and a user authentication failure.
>
> Sep  7 09:42:31 guacamole tomcat9[854]: 09:42:31.059 [http-nio-8080-exec-8]
> WARN  o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for
> user "jaytest": [CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> ...snip...
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu]
>
> Sep  7 09:42:31 guacamole tomcat9[854]: 09:42:31.062 [http-nio-8080-exec-8]
> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 140.198.201.101 for user "jaytest" failed.
>

Well, the reason things are failing in this case is that your LDAP server
appears to be returning 121 duplicate results for a query that
theoretically should return exactly one object. Guacamole is refusing to
attempt authentication from that point as the result fails this sanity
check. I'm not sure what could cause such behavior (perhaps something due
to referrals?), however I would recommend manually executing a search
against your LDAP server using the same details (same base DN, search for
objects matching "(sAMAccountName=jaytest)", enable referral following) and
see what you get back. Really, there *should* be just one object...

It's worth disabling referrals to see whether that's what's happening here.
If CN will also be usable, and all your users will be of the form
"CN=username,OU=DomainUsers,DC=gccaz,DC=edu", you can work around this
behavior for the time being by using "CN" for your username attribute,
"OU=DomainUsers,DC=gccaz,DC=edu" for your base DN, and *not* using a search
DN and password. This will cause Guacamole to map users to DNs directly
rather than searching for them, but I think it is also important to
investigate and explain the odd LDAP query behavior.

- Mike
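To try the manual search Mike suggests and inspect what comes back, here is an added example that is not Guacamole's code: it builds the escaped (sAMAccountName=...) filter, parses an ldapsearch-style LDIF result, and applies the same exactly-one-DN rule that produced the "Multiple DNs possible" WARN line. The LDIF sample is constructed; the referral URLs and repeated entries in it are assumptions about what the forest returned, not captured output.

```python
"""Replay the "Multiple DNs possible" sanity check from this thread against
a constructed LDIF search result.

Added example, not Guacamole's own code. The LDIF below is invented: it
imitates what an Active Directory domain controller answers to a subtree
search under DC=gccaz,DC=edu (one matching user plus the subordinate
referrals AD sends for its application and configuration partitions), with
the user entry repeated the way it showed up 121 times in the syslog above.
"""

SAMPLE_LDIF = """\
dn: CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
objectClass: user
sAMAccountName: jaytest

# refldap://ForestDnsZones.gccaz.edu/DC=ForestDnsZones,DC=gccaz,DC=edu
# refldap://DomainDnsZones.gccaz.edu/DC=DomainDnsZones,DC=gccaz,DC=edu
# refldap://gccaz.edu/CN=Configuration,DC=gccaz,DC=edu

dn: CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
objectClass: user
sAMAccountName: jaytest

dn: cn=jaytest,ou=DomainUsers,dc=gccaz,dc=edu
objectClass: user
sAMAccountName: jaytest
"""

# RFC 4515 escapes for the characters that have meaning inside a filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                  "\0": r"\00"}


def search_filter(attribute, username):
    """Build the filter Mike suggests, e.g. (sAMAccountName=jaytest), with
    RFC 4515 escaping so a crafted username cannot change the filter."""
    safe = "".join(FILTER_ESCAPES.get(ch, ch) for ch in username)
    return "(%s=%s)" % (attribute, safe)


def parse_ldif(text):
    """Return (entries, referrals). entries is a list of (dn, attrs) where
    attrs maps an attribute name to its list of values; referrals is a list
    of the LDAP URLs that ldapsearch prints as '# refldap://...' lines."""
    entries, referrals = [], []
    current = None
    for line in text.splitlines():
        if line.startswith("# ref"):
            referrals.append(line[len("# ref"):].strip())
            continue
        if not line.strip() or line.startswith("#"):
            if current is not None:        # blank line ends an entry
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, referrals


def normalize_dn(dn):
    """CN/OU/DC values match case-insensitively; fold DNs for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_user_dn(entries):
    """The rule behind the WARN line: authentication continues only when
    the search produced exactly one DN. Returns (dn, reason)."""
    dns = [dn for dn, _ in entries]
    if not dns:
        return None, "no object matched the filter"
    if len(dns) > 1:
        return None, "Multiple DNs possible: %d results" % len(dns)
    return dns[0], "ok"


def distinct_dns(entries):
    """How many different objects the result set actually names."""
    return {normalize_dn(dn) for dn, _ in entries}


if __name__ == "__main__":
    found, refs = parse_ldif(SAMPLE_LDIF)
    print(search_filter("sAMAccountName", "jaytest"))
    print("%d entries, %d referrals, %d distinct objects"
          % (len(found), len(refs), len(distinct_dns(found))))
    print(resolve_user_dn(found))
```

When the result set fails the check but distinct_dns() collapses it to one object, the duplicates come from the query path (here, referral chasing), not from the directory holding two accounts, which is the case Mike asks to have investigated.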

Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by sysjaj <ja...@gccaz.edu>.
Mike,

Thanks for the continued help and suggestions. I did indeed try
un-commenting "sAMAccountName" (and even rebooted the whole system) in my
config file here:

# SSL Settings: If set to "true", Guacamole will require SSL/TLS encryption
# between the web application and guacd. By default, communication between the
# web application and guacd will be unencrypted.
#guacd-ssl: true

# Authentication Providers
# A comma-separated list of the identifiers of authentication providers that
# should be allowed to fail internally without aborting the authentication
# process.
skip-if-unavailable: mysql,ldap

# LDAP Connection information
ldap-hostname:ADMAIN11.gccaz.edu
#ldap-encryption-method:none
ldap-user-base-dn:DC=gccaz,DC=edu
ldap-search-bind-dn:CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
ldap-search-bind-password:********
ldap-username-attribute:sAMAccountName
ldap-follow-referrals:true

# MYSQL Settings (created from GitHub script)
mysql-hostname:localhost
mysql-port:3306
mysql-database:guacamole_db
mysql-username:guacamole_user
mysql-password:TH3guacpasswordis3asy!!

Alas, I still could not log in with Active Directory user accounts. Now I get
this error in "syslog" and a user authentication failure.

Sep  7 09:42:31 guacamole tomcat9[854]: 09:42:31.059 [http-nio-8080-exec-8]
WARN  o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for
user "jaytest": [CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu]

Sep  7 09:42:31 guacamole tomcat9[854]: 09:42:31.062 [http-nio-8080-exec-8]
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
140.198.201.101 for user "jaytest" failed.

Sep  7 09:52:05 guacamole tomcat9[854]: 09:52:05.051 [http-nio-8080-exec-9]
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
140.198.201.101 for user "sysjaj" failed.

I also tried adding "@gccaz.edu" to the end of a username during login, as
sometimes other applications need this to work, but still no luck here
either.

Sep  7 09:52:44 guacamole tomcat9[854]: 09:52:44.409 [http-nio-8080-exec-6]
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
140.198.201.101 for user "sysjaj@gccaz.edu" failed.

Sorry for the continued issues. I appreciate the feedback and help. Hope
your week has started off well.

Thanks.





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Sep 4, 2020 at 5:41 PM sysjaj <ja...@gccaz.edu> wrote:

> Mike,
>
> I believe this is the requested info on both accounts, including DNs.
>
> "jaytest"
>
> objectClass     top^person^organizationalPerson^user
> cn      jaytest
> description     Just a test account on domain.
> givenName       jaytest
> *distinguishedName*     CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
> instanceType    4
> whenCreated     9/1/2020 8:45:44 AM
> whenChanged     9/4/2020 2:33:02 PM
> displayName     jaytest
> uSNCreated      135359339
> uSNChanged      135594602
> nTSecurityDescriptor
>
> O:DAG:DAD:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa0030...!
> name    jaytest
> objectGUID      {7D78751D-036A-4659-AB12-B9511A0C2E3E}
> userAccountControl      66048
> badPwdCount     0
> codePage        0
> countryCode     0
> badPasswordTime (None)
> lastLogoff      (None)
> lastLogon       (None)
> pwdLastSet      9/4/2020 2:33:02 PM
> primaryGroupID  513
> objectSid       S-1-5-21-2877231372-3052491633-13629038-216149
> accountExpires  Never
> logonCount      0
> sAMAccountName  jaytest
> sAMAccountType  805306368
> userPrincipalName       jaytest@gccaz.edu
> lockoutTime     (None)
> objectCategory  CN=Person,CN=Schema,CN=Configuration,DC=gccaz,DC=edu
> dSCorePropagationData    The parameter is incorrect.
>

From the documentation for the "ldap-username-attribute" property [1], the
default LDAP attribute that will be used for users is "uid". In your case,
there is no such attribute, and "cn" or "sAMAccountName" look like they
would be the correct choices. Your original guacamole.properties already
has an "ldap-username-attribute" property set to "sAMAccountName", the most
common attribute for Active Directory, but this is commented out. I suggest
simply uncommenting it and restarting Tomcat.

- Mike

[1] http://guacamole.apache.org/doc/gug/ldap-auth.html#guac-ldap-config

Re: Cannot Get LDAP authentication to work with Active Directory No DNS resolution?

Posted by sysjaj <ja...@gccaz.edu>.
Mike,

I believe this is the requested info on both accounts, including DNs.

"jaytest"

objectClass	top^person^organizationalPerson^user
cn	jaytest
description	Just a test account on domain.
givenName	jaytest
*distinguishedName*	CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu
instanceType	4
whenCreated	9/1/2020 8:45:44 AM
whenChanged	9/4/2020 2:33:02 PM
displayName	jaytest
uSNCreated	135359339
uSNChanged	135594602
nTSecurityDescriptor
O:DAG:DAD:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa0030...!
name	jaytest
objectGUID	{7D78751D-036A-4659-AB12-B9511A0C2E3E}
userAccountControl	66048
badPwdCount	0
codePage	0
countryCode	0
badPasswordTime	(None)
lastLogoff	(None)
lastLogon	(None)
pwdLastSet	9/4/2020 2:33:02 PM
primaryGroupID	513
objectSid	S-1-5-21-2877231372-3052491633-13629038-216149
accountExpires	Never
logonCount	0
sAMAccountName	jaytest
sAMAccountType	805306368
userPrincipalName	jaytest@gccaz.edu
lockoutTime	(None)
objectCategory	CN=Person,CN=Schema,CN=Configuration,DC=gccaz,DC=edu
dSCorePropagationData	 The parameter is incorrect.

"sysjaj"

objectClass	top^person^organizationalPerson^user
cn	SYSJAJ
sn	Jacobs
title	Network and Systems Admr
description	jas2175656 Jason Jacobs-36128226
givenName	Jason
initials	A
*distinguishedName*
CN=SYSJAJ,OU=SysUsers,OU=ITstaff,OU=Noinheritance,DC=gccaz,DC=edu
instanceType	4
whenCreated	3/18/2019 8:28:40 AM
whenChanged	9/3/2020 2:03:23 PM
displayName	Jason Jacobs
uSNCreated	91728658
memberOf	CN=LinuxAdmins,OU=Server Based
Groups,OU=DomainGroups,DC=gccaz,DC=edu^CN=SQLAdmin,OU=Server Based
Groups,OU=DomainGroups,DC=gccaz,DC=edu^CN=KLDeviceAdmin,OU=Server Based
Groups,OU=DomainGroups,DC=gccaz,DC=edu^CN=FSO-Shome,OU=DomainGroups,DC=gccaz,DC=...!
uSNChanged	135526223
department	Tech Services Network
nTSecurityDescriptor
O:DAG:DAD:PAI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b0...!
name	SYSJAJ
objectGUID	{6EB1DDB7-28DD-4824-A11B-1FF4F63FA1C6}
userAccountControl	512
badPwdCount	0
codePage	0
countryCode	0
homeDirectory	\\gccaz.edu\home\sys\sysjaj
homeDrive	H:
badPasswordTime	9/4/2020 5:30:37 PM
lastLogoff	(None)
lastLogon	9/4/2020 5:30:59 PM
pwdLastSet	7/8/2020 3:40:06 PM
primaryGroupID	513
objectSid	S-1-5-21-2877231372-3052491633-13629038-210828
adminCount	1
accountExpires	Never
logonCount	4369
sAMAccountName	SYSJAJ
sAMAccountType	805306368
userPrincipalName	SYSJAJ@gccaz.edu
lockoutTime	(None)
objectCategory	CN=Person,CN=Schema,CN=Configuration,DC=gccaz,DC=edu


Thanks again.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
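The attribute dumps above can be triaged mechanically for account states that make AD refuse a simple bind before the password is even checked. The script below is an added example, not Guacamole's or the poster's code. It assumes the dump layout shown above (a quoted "username" header, then attribute<TAB>value lines, "^" between multiple values, "(None)" for unset, and long values wrapped onto following lines by the mail client) and uses Microsoft's documented userAccountControl bit values. All records in it are constructed; "disabled.example" is a fictitious account added only to show a failing case, and the conditions it flags are my assumptions about what blocks a bind, not findings about these users.

```python
"""Triage AD user attribute dumps for states that refuse a password bind.

Added example, not Guacamole's or the poster's code. Assumes the dump layout
pasted above: a quoted "username" header, attribute<TAB>value lines, "^"
between multiple values, "(None)" for unset, and long values wrapped onto
following lines by the mail client. userAccountControl bit names are the
documented Microsoft values. All records below are constructed.
"""
import re
from typing import Dict, List

Record = Dict[str, List[str]]

# Subset of userAccountControl bits relevant to a simple bind.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",          # informational; AD keys real lockout off lockoutTime
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}

# Constructed sample mirroring the thread's dump format (values are made up;
# "disabled.example" is a fictitious account added to show a failing case).
SAMPLE_DUMP = "\n".join([
    '"jaytest"',
    "",
    "distinguishedName\tCN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu",
    "userAccountControl\t66048",
    "lockoutTime\t(None)",
    "accountExpires\tNever",
    "sAMAccountName\tjaytest",
    "",
    '"sysjaj"',
    "",
    "cn\tSYSJAJ",
    "*distinguishedName*",
    "CN=SYSJAJ,OU=SysUsers,OU=ITstaff,OU=Noinheritance,DC=gccaz,DC=edu",
    "memberOf\tCN=LinuxAdmins,OU=Server Based",
    "Groups,OU=DomainGroups,DC=gccaz,DC=edu^CN=SQLAdmin,OU=DomainGroups,DC=gccaz,DC=edu",
    "userAccountControl\t512",
    "lockoutTime\t(None)",
    "accountExpires\tNever",
    "sAMAccountName\tSYSJAJ",
    "",
    '"disabled.example"',
    "",
    "distinguishedName\tCN=disabled.example,OU=DomainUsers,DC=gccaz,DC=edu",
    "userAccountControl\t66050",
    "lockoutTime\t9/4/2020 5:30:37 PM",
    "accountExpires\tNever",
    "sAMAccountName\tdisabled.example",
])

# A bare attribute name on its own line (e.g. *distinguishedName*) whose value
# follows on the next line. A wrapped single-word value would be misread; the
# dump format gives no way to tell the two apart.
_ATTR_ONLY = re.compile(r"^\*?([A-Za-z][A-Za-z0-9]*)\*?$")


def parse_dump(text: str) -> Dict[str, Record]:
    """Parse the dump into {username: {attribute: [values]}}."""
    records: Dict[str, Record] = {}
    current: Record = {}
    last_attr = ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if len(s) > 2 and s[0] == s[-1] == '"':          # "username" header
            current = records.setdefault(s[1:-1], {})
            last_attr = ""
        elif "\t" in raw:                                 # attribute<TAB>value
            attr, _, value = raw.partition("\t")
            last_attr = attr.strip()
            value = value.strip()
            current[last_attr] = [] if value in ("", "(None)") else value.split("^")
        elif _ATTR_ONLY.match(s):                         # value comes on next line
            last_attr = _ATTR_ONLY.match(s).group(1)
            current[last_attr] = []
        elif last_attr:                                   # mail-client line wrap
            vals = current[last_attr]
            joined = (vals[-1] + " " + s) if vals else s
            vals[-1:] = joined.split("^")
    return records


def decode_uac(value: int) -> List[str]:
    """Names of the known bits set in a userAccountControl value, low to high."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bind_blockers(rec: Record) -> List[str]:
    """Conditions under which AD rejects a simple bind whatever the password."""
    problems: List[str] = []
    flags = decode_uac(int((rec.get("userAccountControl") or ["0"])[0]))
    if "ACCOUNTDISABLE" in flags:
        problems.append("account is disabled")
    if "PASSWORD_EXPIRED" in flags:
        problems.append("password expired; must be changed before bind")
    if "SMARTCARD_REQUIRED" in flags:
        problems.append("smart card required; password bind impossible")
    if rec.get("lockoutTime"):                            # (None) parses to []
        problems.append("lockoutTime set (%s); possibly locked out" % rec["lockoutTime"][0])
    if (rec.get("accountExpires") or ["Never"])[0] != "Never":
        problems.append("accountExpires is %s" % rec["accountExpires"][0])
    return problems


def triage(text: str) -> Dict[str, List[str]]:
    return {user: bind_blockers(rec) for user, rec in parse_dump(text).items()}


if __name__ == "__main__":
    for user, problems in triage(SAMPLE_DUMP).items():
        print(user, "->", "; ".join(problems) or "no bind blockers in dump")
```

Run on values mirroring the two dumps above (66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, 512 = NORMAL_ACCOUNT, lockoutTime unset, accountExpires Never) it reports nothing, which is consistent with the bind failure lying in the connection or search configuration rather than in the accounts themselves; only the fictitious disabled record is flagged.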


Re: Cannot Get LDAP authentication to work with Active Directory No DNS resoultion?

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Sep 4, 2020 at 2:17 PM sysjaj <ja...@gccaz.edu> wrote:

> Bogdan,
>
> Good eyes! So there was a space before ":" and "admain11.gccaz.edu" which
> finally stopped the "host not resolving" failure issue. BUT (SADLY) I still
> cannot get any user I attempt to authenticate via LDAP and AD.
>
> The only error messages I get now in syslog are like this:
>
> Sep  4 13:55:33 guacamole tomcat9[865]: 13:55:33.210
> [http-nio-8080-exec-10]
> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 140.198.201.124 for user "sysjaj" failed.
> Sep  4 14:06:17 guacamole tomcat9[865]: 14:06:17.087 [http-nio-8080-exec-5]
> WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 140.198.201.124 for user "jaytest" failed.
>
> Now when attempting to login with domain accounts such as these it does not
> fail immediately; it seems to be "thinking" for about 30 seconds, then
> fails.
>

Can you provide the full LDIF for the "sysjaj" and "jaytest" users? What
are their DNs?

- Mike

Re: Cannot Get LDAP authentication to work with Active Directory No DNS resoultion?

Posted by sysjaj <ja...@gccaz.edu>.
Bogdan,

Good eyes! So there was a space before ":" and "admain11.gccaz.edu" which
finally stopped the "host not resolving" failure issue. BUT (SADLY) I still
cannot get any user I attempt to authenticate via LDAP and AD.

The only error messages I get now in syslog are like this:

Sep  4 13:55:33 guacamole tomcat9[865]: 13:55:33.210 [http-nio-8080-exec-10]
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
140.198.201.124 for user "sysjaj" failed.
Sep  4 14:06:17 guacamole tomcat9[865]: 14:06:17.087 [http-nio-8080-exec-5]
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from
140.198.201.124 for user "jaytest" failed.

Now when attempting to login with domain accounts such as these it does not
fail immediately; it seems to be "thinking" for about 30 seconds, then
fails.

SIGH. Back to pounding head against wall. LOL.

In response to Mike also in this thread here are the Dig results on DNS that
also look good:
root@guacamole:~# dig gccaz.edu

; <<>> DiG 9.16.1-Ubuntu <<>> gccaz.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 185
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;gccaz.edu.                     IN      A

;; ANSWER SECTION:
gccaz.edu.              600     IN      A       10.2.0.103
gccaz.edu.              600     IN      A       10.1.50.230
gccaz.edu.              600     IN      A       10.198.21.53
gccaz.edu.              600     IN      A       10.1.50.247
gccaz.edu.              600     IN      A       10.1.50.240
gccaz.edu.              600     IN      A       10.2.0.102

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Sep 04 11:26:00 MST 2020
;; MSG SIZE  rcvd: 134

root@guacamole:~# dig admain11.gccaz.edu

; <<>> DiG 9.16.1-Ubuntu <<>> admain11.gccaz.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61871
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;admain11.gccaz.edu.            IN      A

;; ANSWER SECTION:
admain11.gccaz.edu.     3600    IN      A       10.1.50.240

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Sep 04 11:27:13 MST 2020
;; MSG SIZE  rcvd: 63

Minus the change with removal of the "space" before admain11.gccaz.edu, my
guacamole.properties file is the same as previously posted.

Again thanks to everyone who has read this far and to those who have sent
feedback. I appreciate the help and still hold out small hope to one day
soon figure this out.








Re: Cannot Get LDAP authentication to work with Active Directory No DNS resoultion?

Posted by Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>.
It might be just me and my OCD, but I see an extra space after your domain name in the messages.
Maybe check that?
> "ADMAIN11.gccaz.edu "
> 'Hostname 'ADMAIN11.gccaz.edu ' could not be resolved.

Bogdan

> On 4 Sep 2020, at 02:17, Mike Jumper <mj...@apache.org> wrote:
> 
> On Thu, Sep 3, 2020 at 3:38 PM sysjaj <jason.jacobs@gccaz.edu> wrote:
> ...
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.994 [http-nio-8080-exec-8]
> ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at
> "ADMAIN11.gccaz.edu " as user "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
> failed: ERR_04121_CANNOT_RESOLVE_HOSTNAME Cannot connect to the server,
> Hostname 'ADMAIN11.gccaz.edu ' could not be resolved.
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.995 [http-nio-8080-exec-8]
> ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search
> DN "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
> 
> Now the Hostname not resolving confuses me as this server CAN ping that
> domain controller via IP and host name and joined the domain. (I have also
> tried the config file with IP address and get the SAME error which I would
> have thought not possible using IPs.)
> 
> Your LDAP server may be returning a referral to that domain.
> 
> Here is an example of NSlookup on the
> server which does resolve:
> 
> root@guacamole:/var/log# nslookup admain11
> Server:         127.0.0.53
> Address:        127.0.0.53#53
> 
> Non-authoritative answer:
> Name:   admain11.gccaz.edu
> Address: 10.1.50.240
> 
> This is not necessarily the same as a DNS lookup for the "admain11.gccaz.edu" hostname provided for your "ldap-hostname" property. What does dig (not nslookup) return for the exact value specified in your guacamole.properties?
> 
> - Mike
> 
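The stray space Bogdan points to is easy to miss by eye, and nslookup/dig on the name you *think* you typed will happily succeed, so here is a check that reads the properties file the way Java does and flags values with hidden whitespace. This is an added example, not part of the thread and not Guacamole's own code. It assumes guacamole.properties is parsed with java.util.Properties semantics (whitespace after the separator is dropped, whitespace at the end of the value is kept, backslash continues a line), and the sample file in it is constructed, not the poster's real one; Unicode backslash-u escapes are deliberately not handled.

```python
"""Lint guacamole.properties for whitespace hidden inside values.

Added example, not Guacamole's code. It assumes the file is read with
java.util.Properties semantics: whitespace between the separator and the
value is dropped, but whitespace at the END of the value is kept, so
"ldap-hostname: admain11.gccaz.edu " yields a hostname ending in a space
that can never resolve even though dig/nslookup on the typed name succeed.
Unicode backslash-u escapes are not handled (simplification).
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample, not the poster's file: note the trailing space on the
# ldap-hostname line and the backslash continuation of the bind DN.
SAMPLE_PROPERTIES = "\n".join([
    "# Guacamole settings (constructed example)",
    "guacd-hostname: localhost",
    "ldap-hostname: admain11.gccaz.edu ",
    "ldap-port = 389",
    "ldap-user-base-dn: OU=DomainUsers,DC=gccaz,DC=edu",
    "ldap-username-attribute: sAMAccountName",
    "ldap-search-bind-dn: CN=svc-guac,OU=DomainUsers,\\",
    "    DC=gccaz,DC=edu",
])

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text: str) -> List[str]:
    """Drop comments and blank lines; join backslash-continued lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()                       # leading whitespace never counts
        if not buf and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:   # odd trailing backslashes
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])


def _unescape(s: str) -> str:
    """Resolve \\t \\n \\r \\f and \\<char> escapes."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_key_value(line: str) -> Tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace; value is the rest."""
    i = 0
    while i < len(line) and line[i] not in "=: \t":
        i += 2 if line[i] == "\\" else 1          # step over escaped characters
    key = line[:i]
    while i < len(line) and line[i] in " \t":
        i += 1
    if i < len(line) and line[i] in "=:":
        i += 1
    while i < len(line) and line[i] in " \t":
        i += 1
    return _unescape(key), _unescape(line[i:])


def parse_properties(text: str) -> Dict[str, str]:
    return dict(_split_key_value(ln) for ln in _logical_lines(text))


def lint_properties(text: str) -> List[Tuple[str, str]]:
    """(key, problem) pairs for values a human reads as clean but Java takes literally."""
    findings: List[Tuple[str, str]] = []
    for key, value in parse_properties(text).items():
        if value != value.rstrip():
            findings.append((key, "trailing whitespace in value %r" % value))
        elif key.endswith("-hostname") and any(c.isspace() for c in value):
            findings.append((key, "whitespace inside hostname %r" % value))
    return findings


def hostname_resolves(hostname: str) -> bool:
    """Roughly the lookup that fails with ERR_04121_CANNOT_RESOLVE_HOSTNAME."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for key, problem in lint_properties(text):
        print("%s: %s" % (key, problem))
    host = parse_properties(text).get("ldap-hostname", "")
    print("ldap-hostname=%r resolves=%s" % (host, hostname_resolves(host)))
```

Point it at the real file with `python3 lint_props.py /etc/guacamole/guacamole.properties` (path assumed); the %r formatting is what makes the space visible in the output, and the resolution check runs on the parsed value rather than on whatever you type at a shell prompt, which is the difference Mike's dig-versus-nslookup question is getting at.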


Re: Cannot Get LDAP authentication to work with Active Directory No DNS resoultion?

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Sep 3, 2020 at 3:38 PM sysjaj <ja...@gccaz.edu> wrote:

> ...
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.994 [http-nio-8080-exec-8]
> ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at
> "ADMAIN11.gccaz.edu " as user "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
> failed: ERR_04121_CANNOT_RESOLVE_HOSTNAME Cannot connect to the server,
> Hostname 'ADMAIN11.gccaz.edu ' could not be resolved.
> Sep  3 11:27:13 guacamole tomcat9[862]: 11:27:13.995 [http-nio-8080-exec-8]
> ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search
> DN "CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu"
>
> Now the Hostname not resolving confuses me as this server CAN ping that
> domain controller via IP and host name and joined the domain. (I have also
> tried the config file with IP address and get the SAME error which I would
> have thought not possible using IPs.)


Your LDAP server may be returning a referral to that domain.

> Here is an example of NSlookup on the
> server which does resolve:
>
> root@guacamole:/var/log# nslookup admain11
> Server:         127.0.0.53
> Address:        127.0.0.53#53
>
> Non-authoritative answer:
> Name:   admain11.gccaz.edu
> Address: 10.1.50.240
>

This is not necessarily the same as a DNS lookup for the "admain11.gccaz.edu"
hostname provided for your "ldap-hostname" property. What does dig (not
nslookup) return for the exact value specified in your guacamole.properties?

- Mike