guacamole-user mailing list archives

From SergeyKh <mail4ser...@gmail.com>
Subject Re: guacamole radius
Date Tue, 20 Nov 2018 20:58:41 GMT
radius authenticated users can't see their guacamole web workspace (or i
don't know how that stuff is called).

one login one password. no 2fa.

so the steps:
1. built the documentation from the git
2. built guacd + guacamole's war + extensions from the git as it is described
in the manual
3. installed all the dependencies on ubuntu 18. mysql 5.7.24,
tomcat 8.5.30.0 and all the stuff that is needed from the manual.
4. set up mysql auth. it works as it should. i've got guacadmin, that i
used to make users and connections. everything is ok for now.
6. then i made user with the same username as my AD user that i want to
use via radius. the password is empty. (i did the same for ldap auth and
it worked well)
7. enabled radius auth extension. the names of the jars are:
                  01-guacamole-auth-radius-1.0.0.jar
                  02-guacamole-auth-jdbc-mysql-1.0.0.jar
8. guacamole.properties:
           radius-hostname: IP of my radius  (I've tested with freeradius
and  Rcdevs OpenOTP RADIUS Bridge)
           radius-auth-port: 1812
           radius-shared-secret: secret
           radius-auth-protocol: pap
9. restart tomcat
10. log in to guacamole with guacadmin from mysql works fine. any other
users from mysql work fine. they authenticate, can manage their connections
and so on.
11. log in to guacamole with AD user via radius. the user authenticates
well. i can see success login message logs in my radius and in tomcat's
catalina.out
  but:
 if the user has no connections i get:
 "An error has occurred and this action cannot be completed. If the problem
persists, please notify your system administrator or check your system logs.
"

if the user has only one connection he can use it because it starts
automatically right after login but if the user wants to log off that
connection (ctrl+alt+shift also gets an error) and return to his
guacamole-web-stuff (the place where he can add and manage connections) he
gets error:
"An error has occurred and this action cannot be completed. If the problem
persists, please notify your system administrator or check your system logs.
"

tomcat's localhost_access_log..txt has:

  "POST /guacamole/api/tokens HTTP/1.1" 403 437
  "POST /guacamole/api/tokens HTTP/1.1" 200 191
  "POST /guacamole/api/tokens HTTP/1.1" 200 191
  "GET /guacamole/api/patches?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 352
  "GET /guacamole/api/session/data/mysql-shared/connectionGroups/ROOT/tree?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200
  "GET /guacamole/api/session/data/mysql-shared/self/permissions?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 247
  "GET /guacamole/api/session/data/mysql/self/permissions?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 244
  "GET /guacamole/api/session/data/mysql/connectionGroups/ROOT/tree?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 434
  "POST /guacamole/api/tokens HTTP/1.1" 200 191
  "GET /guacamole/images/settings/tablet-keys.png HTTP/1.1" 200 3175
  "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167
  "GET /guacamole/images/settings/zoom-in.png HTTP/1.1" 200 1553
  "GET /guacamole/images/settings/zoom-out.png HTTP/1.1" 200 1521
  "GET /guacamole/images/settings/touchscreen.png HTTP/1.1" 200 24025
  "GET /guacamole/images/settings/touchpad.png HTTP/1.1" 200 38013
  "GET /guacamole/api/session/data/mysql/connections/1?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 315
  "GET /guacamole/images/drive.png HTTP/1.1" 200 752
  "GET /guacamole/images/action-icons/guac-back.png HTTP/1.1" 200 586
  "GET /guacamole/app/element/templates/blank.html HTTP/1.1" 200 173
  "GET /guacamole/layouts/ru-ru-qwerty.json HTTP/1.1" 200 15203
  "GET /guacamole/websocket-tunnel?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64&GUAC_DATA_SOURCE=mysql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WID
  "GET /guacamole/api/session/tunnels/fa90ae89-3ad0-469e-8da8-cef2ab0f7178/activeConnection/connection/sharingProfiles?token=081C0ABDDED002820358AA33F7AB6960EA
  "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167
  "GET /guacamole/api/session/data/mysql-shared/self/effectivePermissions?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200
  "GET /guacamole/images/x.png HTTP/1.1" 200 591
  "GET /guacamole/api/session/data/radius/users/MY-AD-USERNAME?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 404 254
  "GET /guacamole/api/session/data/mysql/self/effectivePermissions?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
HTTP/1.1" 200 301


so GET /guacamole/api/session/data/radius/users/MY-AD-USERNAME?token=081C0ABDDED002820358AA33F7AB6960EA4D899B3693505321A37F0E24A67D64
gets 404


then i used "F12" in chrome and it tells us:

{"message":"Session not associated with authentication provider
\"radius\".","translatableMessage":{"key":"Session not associated with
authentication provider
\"radius\".","variables":null},"statusCode":null,"expected":null,"type":"NOT_FOUND"}










Tue, 20 Nov 2018 at 21:54, Nick Couchman <vnick@apache.org>:

> On Tue, Nov 20, 2018 at 1:49 PM SergeyKh <mail4sergey@gmail.com> wrote:
>
>> Yes. 02 is jdbc mysql
>>
>>
> Okay, and, I think you described it elsewhere, but can you provide me the
> exact list of steps you go through to reproduce the issue, and the exact
> behavior you're seeing?  It sounds like users cannot see the connection you
> expect them to be able to see, but I just want to make sure that it's
> something I can fully reproduce in my environment.
>
> Thanks - Nick
>
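
The triage done by eye in the message above (finding the one API request that failed and the data source it addressed) can be scripted. The following is an added example, not part of the original post or of Guacamole itself; the sample lines and token are constructed in the same shape as the excerpt, and because the access log records the `token` query parameter, the script masks it before anything is printed or shared.

```python
import re

# Constructed sample lines in the same shape as the access-log excerpt above
# (request line, status, size); the token is a made-up placeholder.
SAMPLE = '''\
"POST /guacamole/api/tokens HTTP/1.1" 403 437
"POST /guacamole/api/tokens HTTP/1.1" 200 191
"GET /guacamole/api/session/data/mysql/self/permissions?token=0123ABCD0123ABCD HTTP/1.1" 200 244
"GET /guacamole/api/session/data/radius/users/EXAMPLE-USER?token=0123ABCD0123ABCD HTTP/1.1" 404 254
"GET /guacamole/images/x.png HTTP/1.1" 200 591
'''

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TOKEN = re.compile(r'([?&]token=)[^&\s"]+')
DATA_SOURCE = re.compile(r'/api/session/data/([^/?]+)/')

def redact(text):
    """Mask session tokens carried in the query string before sharing a log."""
    return TOKEN.sub(r'\1<redacted>', text)

def failed_api_calls(log_text):
    """Return (status, method, data_source, redacted_target) for each 4xx/5xx API request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        # Skip unparsable lines, static assets, and successful requests.
        if not m or '/api/' not in m['target'] or int(m['status']) < 400:
            continue
        ds = DATA_SOURCE.search(m['target'])
        findings.append((int(m['status']), m['method'],
                         ds.group(1) if ds else None, redact(m['target'])))
    return findings

if __name__ == '__main__':
    for status, method, source, target in failed_api_calls(SAMPLE):
        print(status, method, source or '-', target)
```

Grouping the failures by data source makes it visible at a glance that only requests addressed to `radius` fail while the `mysql` ones succeed.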
