guacamole-user mailing list archives

From "Joachim Lindenberg" <joac...@lindenberg.one>
Subject Hyper-V-Administrators vs VMConnectAccess?
Date Wed, 28 Feb 2018 15:13:58 GMT
Hello all,

Hyper-V allows assigning VMConnectAccess to specific user/VM combinations, and as far as I remember
FreeRDP (unlike VMConnect, which is also able to control a VM) is able to connect with just
VMConnectAccess, without requiring Hyper-V-Administrators (or remote management) membership.
Now I also tried the same with Guacamole, and it looks like the connecting user needs to be
a member of Hyper-V-Administrators. Can you please clarify why? Or am I misled by some other
configuration issue?

 

I also find it difficult to analyse connection issues. I have seen catalina.out, which shows
something like

15:37:08.901 [http-nio-8080-exec-10] INFO  o.a.g.tunnel.TunnelRequestService - User "user"
connected to connection "Eval".

15:37:09.012 [http-nio-8080-exec-5] INFO  o.a.g.tunnel.TunnelRequestService - User "user"
disconnected from connection "Eval". Duration: 111 milliseconds

And syslog, which shows

Feb 28 15:49:39 ubuntu guacd[1147]: Creating new client for protocol "rdp"

Feb 28 15:49:39 ubuntu guacd[1147]: Connection ID is "$c3ac4a71-9e40-4c05-afb8-137a7cf01b3e"

Feb 28 15:49:39 ubuntu guacd[2881]: Security mode: ANY

Feb 28 15:49:39 ubuntu guacd[2881]: Resize method: none

Feb 28 15:49:39 ubuntu guacd[2881]: User "@b8b0b1af-42fa-42e1-91ee-7480695392d6" joined connection
"$c3ac4a71-9e40-4c05-afb8-137a7cf01b3e" (1 users now present)

Feb 28 15:49:39 ubuntu guacd[2881]: Loading keymap "base"

Feb 28 15:49:39 ubuntu guacd[2881]: Loading keymap "de-de-qwertz"

Feb 28 15:49:39 ubuntu guacd[2881]: Failed to load guacdr plugin. Drive redirection and printing
will not work. Sound MAY not work.

Feb 28 15:49:39 ubuntu guacd[2881]: Failed to load guacsnd alongside guacdr plugin. Sound
will not work. Drive redirection and printing MAY not work.

Feb 28 15:49:39 ubuntu guacd[2881]: Error handling RDP file descriptors

Feb 28 15:49:39 ubuntu guacd[2881]: User "@b8b0b1af-42fa-42e1-91ee-7480695392d6" disconnected
(0 users remain)

Feb 28 15:49:39 ubuntu guacd[2881]: Last user of connection "$c3ac4a71-9e40-4c05-afb8-137a7cf01b3e"
disconnected

Feb 28 15:49:39 ubuntu guacd[1147]: Connection "$c3ac4a71-9e40-4c05-afb8-137a7cf01b3e" removed.

But it looks exactly the same whether the user is authorized or not.

Thanks & Best Regards,

Joachim

 

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Tuesday, 27 February 2018 08:04
To: user@guacamole.apache.org
Subject: Re: New user questions...

 

On Mon, Feb 26, 2018 at 10:45 PM, Joachim Lindenberg <joachim@lindenberg.one> wrote:

...

*       w.r.t. ldap & database – my installation is very small w.r.t. the number of
users (2-3) and virtual systems (5-10).  A database sounds overengineered to me especially
considering operations (backup).

 

Small or large, the database authentication backend is really the best way to go. It is the
only authentication extension which implements both reading and writing, thus providing a
web-based management interface for connections and users, and the only extension which implements
full screen sharing, logging of connection access, etc.

 

Generating user-mapping.xml on the Hyper-V host sounds like one approach I might try

 

I strongly recommend against auto-generating XML as a means of throwing together integration
quickly:

 

http://guacamole.apache.org/faq/#integrate-auth

 

(but I dislike the passwords in that and would prefer to get them from LDAP), or I am considering
plugging in my own authentication – but that will take some programming time.

 

Nevertheless, if you wish to tightly integrate Guacamole with your own authentication, this
is exactly the way it should be done.

 

Actually I think Guacamole could standardize a REST-based client

 

Guacamole's interface is already driven by a REST service.

 

using basic authentication (forwarding the credentials received)

 

Guacamole also already pulls credentials from HTTP basic auth if they are not otherwise provided.
If you implement your own authentication extension, you can also explicitly do this, but the
username/password from HTTP basic auth will be automatically pulled into the Credentials object
already.

 

- Mike
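
Added example, not part of the original message or of Guacamole: the catalina.out lines quoted at the top of this message already carry a session duration, so a small triage script can flag connections that were dropped almost immediately, such as the 111 ms one. The function names and the 1-second threshold are assumptions; a short duration says the session failed, not why.

```python
import re

# Constructed sample in the TunnelRequestService format quoted in the message.
# The first entry pair is wrapped the way the mail client wrapped it; the
# 45-second session for "other" is invented for contrast.
SAMPLE = '''\
15:37:08.901 [http-nio-8080-exec-10] INFO  o.a.g.tunnel.TunnelRequestService - User "user"
connected to connection "Eval".
15:37:09.012 [http-nio-8080-exec-5] INFO  o.a.g.tunnel.TunnelRequestService - User "user"
disconnected from connection "Eval". Duration: 111 milliseconds
15:40:00.000 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - User "other" connected to connection "Eval".
15:40:45.000 [http-nio-8080-exec-7] INFO  o.a.g.tunnel.TunnelRequestService - User "other" disconnected from connection "Eval". Duration: 45000 milliseconds
'''

TIMESTAMP = re.compile(r'\d{2}:\d{2}:\d{2}\.\d{3} ')
DISCONNECT = re.compile(
    r'(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) .*TunnelRequestService - '
    r'User "(?P<user>[^"]*)" disconnected from connection "(?P<conn>[^"]*)"\. '
    r'Duration: (?P<ms>\d+) milliseconds')

def unwrap(text):
    """Rejoin wrapped entries: a line without a leading timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += ' ' + line
    return entries

def short_sessions(text, threshold_ms=1000):
    """Return (time, user, connection, duration_ms) for sessions shorter than threshold_ms."""
    hits = []
    for entry in unwrap(text):
        m = DISCONNECT.match(entry)
        if m and int(m['ms']) < threshold_ms:
            hits.append((m['time'], m['user'], m['conn'], int(m['ms'])))
    return hits

if __name__ == '__main__':
    for hit in short_sessions(SAMPLE):
        print('dropped almost immediately: %s user=%s connection=%s after %d ms' % hit)
```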

 

