Hope this helps; you'll need command-line access to the database.
-- MySQL/MariaDB syntax (UNHEX, SHA2, HEX and the @salt session variable).
-- 32-byte salt; UUID() is time/MAC based, so the salt is unique rather than
-- cryptographically random.
SET @salt = UNHEX(SHA2(UUID(), 256));

-- Every user is an entity first; the guacamole_user row hangs off its entity_id.
INSERT INTO guacamole_entity (name, type) VALUES ('UserNameHere', 'USER');

INSERT INTO guacamole_user (
    entity_id,
    password_salt,
    password_hash,
    password_date
)
SELECT
    entity_id,
    @salt,
    -- Guacamole's scheme: SHA-256 of the password followed by the uppercase hex of the salt
    UNHEX(SHA2(CONCAT('PasswordHere', HEX(@salt)), 256)),
    CURRENT_TIMESTAMP
FROM guacamole_entity
WHERE
    name = 'UserNameHere'
    AND type = 'USER';
Then issue this command to get the entity ID: SELECT * FROM guacamole_entity;

-- Replace 11 with the entity_id returned by the query above.
INSERT INTO guacamole_system_permission (entity_id, permission) VALUES
    (11, 'ADMINISTER');
*Thank You*
Sean Hulbert
*Security Centric Inc.*
A Cybersecurity Virtualization Enablement Company
/StormCloud Gov, Protected CUI Environment!/
Industry's most secure CMMC/iTAR virtual desktops!
*/FedRAMP MIL4 in process (RAR)/*
System Award Management
*CAGE: 8AUV4*
*SAM ID: UMJLJ8A7BMT3*
AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the
hacker you haven’t heard of!
igitur qui desiderat pacem, praeparet bellum!!!
Epitoma Rei Militaris
On 10/31/2024 1:58 AM, Fabien Bellay wrote:
Hello everyone,
I've been struggling with an odd issue since yesterday morning.
*A little context*:
* We have an on-premise Guacamole server installed with Docker and the
LDAP extension for user authentication
* We have some admin accounts in the Admins group, which has
all the privileges
* MFA is enabled for everyone
Yesterday one admin mistakenly clicked the "Disabled" checkbox of
the Admins group and saved the changes.
Therefore none of the admins could connect to the Guacamole web UI, so
the impact was limited.
*To solve the problem*:
* We connected directly to the postgres container and manually
changed the disabled flag of the Admins group to 'f'
That worked just fine; we could reconnect to the web UI again and to
all our connections except the two domain controllers...
*We tried several things*:
* Cloning one of the DC connections and trying to reach it -> Failed
* Removing one of the DC connections, recreating it and trying to reach
it -> Failed
* Removing one of the admins from the Admins group and giving them
the permission directly on the DC connection -> Failed
* Creating a new admin account on the DC with permission to connect
to the web UI and to the DC connection -> Failed
* Updating the DC connection to use the password directly (without
using ${GUAC_PASSWORD}) -> Failed
* Updating the DC connection to use a local account from the DC ->
Failed
* Restarting Guacamole and the DCs -> Not better
Everything we tried generates the same logs on the Guacamole containers:
*Log output from the Guacamole service*:
08:33:37.339 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:33:37.787 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 448 milliseconds
08:37:23.299 [http-nio-8080-exec-4] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:37:23.732 [http-nio-8080-exec-5] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 432 milliseconds
08:37:25.311 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:37:25.758 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 447 milliseconds
08:37:59.987 [http-nio-8080-exec-9] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:38:00.437 [http-nio-8080-exec-6] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 450 milliseconds
08:40:15.335 [http-nio-8080-exec-5] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:40:15.785 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 450 milliseconds
08:41:46.979 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:41:47.415 [http-nio-8080-exec-7] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 436 milliseconds
08:42:44.979 [http-nio-8080-exec-6] INFO o.a.g.tunnel.TunnelRequestService - User "admin-test" connected to connection "118".
08:42:45.428 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "admin-test" disconnected from connection "118". Duration: 449 milliseconds
08:45:03.739 [http-nio-8080-exec-2] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:45:04.200 [http-nio-8080-exec-2] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 461 milliseconds
*Log output from the guacd service*:
guacd[1]: INFO: Connection "$50207ab8-e395-4f49-a43f-f76f8ff6ae6a" removed.
guacd[1]: INFO: Creating new client for protocol "rdp"
guacd[1]: INFO: Connection ID is "$ba112f6d-0256-4204-b707-3290f047d008"
guacd[4350]: INFO: No security mode specified. Defaulting to security mode negotiation with server.
guacd[4350]: INFO: Resize method: none
guacd[4350]: INFO: Clipboard line ending normalization: Windows (CRLF)
guacd[4350]: INFO: User "@91d9cb6f-1f21-4536-b696-eb9fd3722d69" joined connection "$ba112f6d-0256-4204-b707-3290f047d008" (1 users now present)
guacd[4350]: INFO: Loading keymap "base"
guacd[4350]: INFO: Loading keymap "en-us-qwerty"
guacd[4350]: INFO: RDP server closed/refused connection: Authentication failure (invalid credentials?)
guacd[4350]: INFO: User "@91d9cb6f-1f21-4536-b696-eb9fd3722d69" disconnected (0 users remain)
guacd[4350]: INFO: Last user of connection "$ba112f6d-0256-4204-b707-3290f047d008" disconnected
guacd[1]: INFO: Connection "$ba112f6d-0256-4204-b707-3290f047d008" removed.
guacd[1]: INFO: Creating new client for protocol "rdp"
guacd[1]: INFO: Connection ID is "$18b89baa-e7b8-4176-96f0-a926ebfb3f18"
guacd[4376]: INFO: No security mode specified. Defaulting to security mode negotiation with server.
guacd[4376]: INFO: Resize method: none
guacd[4376]: INFO: Clipboard line ending normalization: Windows (CRLF)
guacd[4376]: INFO: User "@4c4c600a-c239-4523-9b78-7301d47cc100" joined connection "$18b89baa-e7b8-4176-96f0-a926ebfb3f18" (1 users now present)
guacd[4376]: INFO: Loading keymap "base"
guacd[4376]: INFO: Loading keymap "en-us-qwerty"
guacd[4376]: INFO: RDP server closed/refused connection: Authentication failure (invalid credentials?)
guacd[4376]: INFO: User "@4c4c600a-c239-4523-9b78-7301d47cc100" disconnected (0 users remain)
guacd[4376]: INFO: Last user of connection "$18b89baa-e7b8-4176-96f0-a926ebfb3f18" disconnected
guacd[1]: INFO: Connection "$18b89baa-e7b8-4176-96f0-a926ebfb3f18" removed.
Every time, the same logs are generated whatever the test scenario...
We're running out of ideas and would appreciate some help.
Thank you.
Regards
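Read together, the two logs in the message above say more than either alone: TunnelRequestService only records a connect and a disconnect roughly 450 ms apart, and the reason (the RDP server refusing the credentials before any session is established) appears only in guacd. The two cannot be joined on an identifier, since guacd's "$..." connection IDs are its own per-session handles and not the Guacamole connection "118", so in practice one pairs tunnel events by user and connection, flags the ones that die under a threshold, and tallies guacd's refusal reasons alongside them. The script below is an added example for this thread, not code from the original poster or from the Guacamole project; its fixture takes lines from the logs above and adds one constructed long-lived session on a connection "42" as a healthy contrast. The threshold and function names are this example's own choices.

```python
"""Correlate Guacamole tunnel logs with guacd logs to spot connections that
are torn down before the remote RDP handshake completes.

TunnelRequestService records only connect/disconnect and a duration; the
reason lives in guacd. Connect and disconnect lines run on different
http-nio threads, so sessions are paired by (user, connection id), not thread.
"""
import re
from collections import Counter, defaultdict

# Fixture: lines from the thread above, plus one constructed long-lived
# session on connection "42" so a healthy case is visible next to the failures.
TUNNEL_LOG = """\
08:33:37.339 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "118".
08:33:37.787 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "118". Duration: 448 milliseconds
08:42:44.979 [http-nio-8080-exec-6] INFO o.a.g.tunnel.TunnelRequestService - User "admin-test" connected to connection "118".
08:42:45.428 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "admin-test" disconnected from connection "118". Duration: 449 milliseconds
09:02:10.100 [http-nio-8080-exec-3] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" connected to connection "42".
09:14:52.903 [http-nio-8080-exec-9] INFO o.a.g.tunnel.TunnelRequestService - User "admin-ale" disconnected from connection "42". Duration: 762803 milliseconds
"""

GUACD_LOG = """\
guacd[1]: INFO: Connection ID is "$ba112f6d-0256-4204-b707-3290f047d008"
guacd[4350]: INFO: No security mode specified. Defaulting to security mode negotiation with server.
guacd[4350]: INFO: RDP server closed/refused connection: Authentication failure (invalid credentials?)
guacd[4350]: INFO: User "@91d9cb6f-1f21-4536-b696-eb9fd3722d69" disconnected (0 users remain)
guacd[1]: INFO: Connection ID is "$18b89baa-e7b8-4176-96f0-a926ebfb3f18"
guacd[4376]: INFO: RDP server closed/refused connection: Authentication failure (invalid credentials?)
"""

TUNNEL_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] INFO\s+'
    r'o\.a\.g\.tunnel\.TunnelRequestService - User "(?P<user>[^"]+)" '
    r'(?P<event>connected to|disconnected from) connection "(?P<conn>[^"]+)"\.'
    r'(?: Duration: (?P<ms>\d+) milliseconds)?$'
)
REFUSED_RE = re.compile(
    r'guacd\[(?P<pid>\d+)\]: INFO: RDP server closed/refused connection: (?P<reason>.+)$'
)


def parse_tunnel_log(text):
    """Return the parsed connect/disconnect events, in log order."""
    return [m.groupdict() for m in map(TUNNEL_RE.match, text.splitlines()) if m]


def pair_sessions(events):
    """Match each disconnect to the earliest open connect for the same (user, conn)."""
    open_by_key = defaultdict(list)
    sessions = []
    for ev in events:
        key = (ev["user"], ev["conn"])
        if ev["event"] == "connected to":
            open_by_key[key].append(ev)
        elif open_by_key[key]:
            start = open_by_key[key].pop(0)
            sessions.append({"user": ev["user"], "conn": ev["conn"],
                             "start": start["ts"], "end": ev["ts"],
                             "duration_ms": int(ev["ms"] or 0)})
    return sessions


def refusal_reasons(guacd_text):
    """Count the reasons guacd reports when the RDP server closes the connection."""
    return Counter(m.group("reason")
                   for m in map(REFUSED_RE.search, guacd_text.splitlines()) if m)


def triage(tunnel_text, guacd_text, threshold_ms=2000):
    """Per connection: attempts, how many ended under the threshold, which users; plus guacd reasons."""
    per_conn = defaultdict(lambda: {"attempts": 0, "short_lived": 0, "users": set()})
    for s in pair_sessions(parse_tunnel_log(tunnel_text)):
        row = per_conn[s["conn"]]
        row["attempts"] += 1
        row["users"].add(s["user"])
        if s["duration_ms"] < threshold_ms:
            row["short_lived"] += 1
    return {"connections": dict(per_conn), "refusals": refusal_reasons(guacd_text)}


if __name__ == "__main__":
    report = triage(TUNNEL_LOG, GUACD_LOG)
    for conn, row in sorted(report["connections"].items()):
        print(f'connection {conn}: {row["short_lived"]}/{row["attempts"]} attempts '
              f'ended early, users={sorted(row["users"])}')
    for reason, n in report["refusals"].most_common():
        print(f"guacd: {n} x {reason}")
```

Feed it the real files (docker logs of the guacamole and guacd containers) and a connection whose every attempt lands in short_lived while guacd repeats the same refusal reason is a credential or server-side authentication problem, not a Guacamole permission problem, which is consistent with the permission changes in the message above making no difference.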