Fwd: Problems with basic authentication

Fwd: Problems with basic authentication

Felix Wolfheimer

Hi,

I'm trying to get a VNC connection working using Guacamole. I built and installed the guacd and the client without issues, started guacd and tomcat, and can see the login page of Guacamole when connecting with the browser, but whatever I try with the user-mapping.xml file, I can't log in. I installed the "user-mapping.xml" file to /usr/share/tomcat/.guacamole (the HOME of the tomcat user is /usr/share/tomcat) and the user-mapping.xml file is the one and only file in this directory. It has the following content:

<user-mapping>
  <authorize username="testuser" password="testing">
    <connection name="Cloud Workstation">
      <protocol>vnc</protocol>
      <param name="hostname">localhost</param>
      <param name="port">5901</param>
    </connection>
  </authorize>
</user-mapping>

The only message I can find on the server about the failed login is the following line in /var/log/messages:

WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from x.x.x.x for user "testuser" failed.

I've entered the password multiple times to make sure that I just made a typo.

Is there anything I'm missing and are there other places where I can find debugging information about the login process which could help understanding what goes wrong?

Thanks!

Re: Problems with basic authentication

vnick
Everything you've done looks fine to me, but I'd suggest doing the following:
- Edit your catalina.properties file (stored in the same place as the rest of the Tomcat configs, like server.xml) and add the following line:
guacamole.home=/etc/guacamole
- Create the /etc/guacamole directory and set up permissions such that the user running Tomcat can access it.
- Put your user-mapping.xml file in /etc/guacamole and restart Tomcat.  Verify permissions on that file, too, to make sure the Tomcat user has read access.

See if that works - like I said, what you've done seems like it should work, so not sure what's going on, but maybe this will help.

-Nick
Re: Problems with basic authentication

Felix Wolfheimer
Hi Nick,

thanks for your help and your suggestions. I created /etc/guacamole and put guacamole.properties into this directory. The file has the following content:

guacd-hostname: localhost
guacd-port:     4822
user-mapping: /etc/guacamole/user-mapping.xml

I also put my user-mapping.xml file into this directory (same content as before). I added the line "guacamole.home=/etc/guacamole" to /etc/tomcat/catalina.properties and restarted tomcat. The permissions of the /etc/guacamole directory and its files were set such that tomcat can access all files (tomcat.root, 400). Looking at /var/log/messages after the restart reveals the following lines which might be related to the issue:

Oct 18 12:00:46 server: 12:00:46.936 [localhost-startStop-1] INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file found within GUACAMOLE_HOME or the classpath. Using defaults.
Oct 18 12:00:47 server: 12:00:47.030 [localhost-startStop-1] INFO  o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
Oct 18 12:00:47 server: 12:00:47.153 [localhost-startStop-1] INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file found within GUACAMOLE_HOME or the classpath. Using defaults.
Oct 18 12:00:47 server: 12:00:47.273 [localhost-startStop-1] INFO  o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
Oct 18 12:00:47 server: Oct 18, 2017 12:00:47 PM com.google.inject.internal.ProxyFactory <init>
Oct 18 12:00:47 server: WARNING: Method [public void org.apache.guacamole.rest.user.UserResource.updateObject(java.lang.Object) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.apache.guacamole.rest.RESTExceptionWrapper@64eba1f3]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.

So first it doesn't seem to find the guacamole.properties file for some reason and then an exception occurs in "UserResource" which may indicate that there's something wrong with the user settings. I now also added the environment variable GUACAMOLE_HOME to /etc/sysconfig/tomcat such that it is in the environment of tomcat as follows:

[root@test-guacamole ~]# cat /proc/2469/environ | tr '\0' '\n'
TOMCATS_BASE=/var/lib/tomcats/
GUACAMOLE_HOME=/etc/guacamole
SHELL=/sbin/nologin
CATALINA_HOME=/usr/share/tomcat
OLDPWD=/
NAME=
USER=tomcat
TOMCAT_CFG_LOADED=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PWD=/usr/share/tomcat
JAVA_HOME=/usr/lib/jvm/jre
LANG=en_US.UTF-8
SHLVL=0
HOME=/usr/share/tomcat
SECURITY_MANAGER=false
LOGNAME=tomcat
CATALINA_TMPDIR=/var/cache/tomcat/temp

After a restart of tomcat, again the same messages occur, i.e., Guacamole claims that guacamole.properties can't be found. BTW: I looked through the logs and this set of messages occurred also when I put the files into CATALINA_HOME (my original try). 
I'm puzzled why it can't find the files. Any ideas on how to solve this (or just get more output to find out what guacamole tries to do) are greatly appreciated.



Re: Problems with basic authentication

vnick
Felix,
What Linux distro/version are you running?  Is SELinux enabled (output of "getenforce" command)?

-Nick 
Re: Problems with basic authentication

Felix Wolfheimer
Nick,

the distribution is RHEL 7.4:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

I'm using openjdk:

# java -version
openjdk version "1.8.0_144"
OpenJDK Runtime Environment (build 1.8.0_144-b01)
OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)

SELinux was enabled but I've now completely disabled it and rebooted the machine:

# getenforce
Disabled

This change has no effect on the behavior.

I looked a bit in the Guacamole code and found the place where it tries to read the guacamole.properties file (guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java). I've added debug statements to understand what happens:

>>>

        // Read properties
        properties = new Properties();
        try {

            InputStream stream = null;

            // If not a directory, load from classpath
            if (!guacHome.isDirectory())
            {
                stream = LocalEnvironment.class.getResourceAsStream("/guacamole.properties");
            }
            // Otherwise, try to load from file
            else {
                File propertiesFile = new File(guacHome,"guacamole.properties");
                logger.info("FW: The file name is:"+propertiesFile.getAbsolutePath());
                if (propertiesFile.exists())
                {
                    stream = new FileInputStream(propertiesFile);
                    logger.info("FW: The file exists:"+propertiesFile.getName()+"\n");
                }
            }

<<<<

The output I get in /var/log/messages is:

INFO  o.a.g.environment.LocalEnvironment - FW: The file name is:/etc/guacamole/guacamole.properties

INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file found within GUACAMOLE_HOME or the classpath. Using defaults.

So even though the file /etc/guacamole/guacamole.properties exists, the propertiesFile.exists() call returns false for some reason. And probably the same is true for the user-mapping.xml file. So I wonder whether this might be a problem in openjdk. Is guacamole usually working better with a proprietary Java version?




Re: Problems with basic authentication

Mike Jumper
On Wed, Oct 18, 2017 at 3:24 PM, Felix Wolfheimer
<[hidden email]> wrote:
> ...
>
> INFO  o.a.g.environment.LocalEnvironment - No guacamole.properties file
> found within GUACAMOLE_HOME or the classpath. Using defaults.
>

Is /etc/guacamole/guacamole.properties readable by the user running
the Tomcat service?

>
> ... So I wonder whether this might be a problem in openjdk. Is
> guacamole usually working better with a proprietary Java version?
>

No. OpenJDK should work fine.

- Mike
Re: Problems with basic authentication

Mike Jumper
In reply to this post by Felix Wolfheimer
On Wed, Oct 18, 2017 at 5:30 AM, Felix Wolfheimer
<[hidden email]> wrote:

> Hi Nick,
>
> thanks for your help and your suggestions. I created /etc/guacamole and put
> guacamole.properties into this directory. The file has the following
> content:
>
> guacd-hostname: localhost
> guacd-port:     4822
> user-mapping: /etc/guacamole/user-mapping.xml
>

Beware that:

1) The property "user-mapping" is a typo in the manual, and should
actually be "basic-user-mapping"
2) The "basic-user-mapping" property was deprecated in 0.9.10-incubating [1]

Though the property "basic-user-mapping" should still work, its use is
no longer recommended. The default location of
"GUACAMOLE_HOME/user-mapping.xml" should be used instead.

It's worth noting that "/etc/guacamole" was recently added to the
default search locations for GUACAMOLE_HOME [2], so the locations
you're using for everything here are actually the default on git and
for future releases.

- Mike

[1] http://guacamole.incubator.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property
[2] https://issues.apache.org/jira/browse/GUACAMOLE-335
Re: Problems with basic authentication

Felix Wolfheimer
Argh, indeed this was a permission problem. I used "chmod -R 0400 /etc/guacamole" to set permissions which is sufficient for the configuration files but not for the directory itself of course. This basically locked out the tomcat user and the messages in /var/log/messages then confused me. Maybe it would be a good idea to just add some output in the code which checks for the Guacamole home issuing a warning that a directory is present but can't be opened because access is denied.

BTW: Is there a way to file a bug regarding the documentation issue you mentioned? Things like this can be quite confusing and fixing them is quite easy. ;-) 

Thanks for your great help!  

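The root cause found at the end of the thread (a configuration directory left at mode 0400, so the Tomcat user could not search it and File.exists() returned false) can be audited and repaired as sketched below. This is an added example, not code from the thread or from Guacamole: the function names are hypothetical, the temporary tree is constructed to stand in for /etc/guacamole, and it assumes the tree is owned by the service account.

```shell
#!/bin/sh
# Added example, not Guacamole code; function names are hypothetical.
# Assumes the tree is owned by the service account (tomcat in the thread).

# List directories whose owner lacks the search (x) bit. Nothing inside such a
# directory can be stat()ed, so Java's File.exists() returns false for its
# children instead of reporting "permission denied".
unsearchable_dirs() {
    # -prune: do not descend into a directory that cannot be searched
    find "$1" -type d ! -perm -u=x -print -prune
}

# List files readable by "other"; user-mapping.xml holds clear-text passwords.
world_readable_files() {
    find "$1" -type f -perm -o=r -print
}

# Owner-only modes: r-x on directories, r-- on files. "-exec ... \;" runs on a
# directory before find descends into it, so a locked tree is reopened top-down.
repair_conf_tree() {
    find "$1" -type d -exec chmod 0500 {} \; &&
        find "$1" -type f -exec chmod 0400 {} \;
}

# Constructed demo tree standing in for /etc/guacamole.
demo() {
    home=$(mktemp -d)/guacamole
    mkdir "$home"
    : > "$home/guacamole.properties"
    : > "$home/user-mapping.xml"
    chmod 0644 "$home/user-mapping.xml"   # too open for a credentials file
    chmod 0400 "$home"                    # the directory mode from the thread
    echo "before: $(unsearchable_dirs "$home")"
    repair_conf_tree "$home"
    echo "after:  [$(unsearchable_dirs "$home")] [$(world_readable_files "$home")]"
    chmod -R u+w "$home" && rm -rf "${home%/guacamole}"
}
demo
```

The audit functions read mode bits rather than testing access, so they report the same result when run as root, for whom the permission checks that locked out the tomcat user do not apply.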