Hello everyone,

This issue can be closed. I found a solution this morning.
I don’t quite understand though why it’s working again but… it is.

What I did :

  *   Cloned the Guacamole VM (I'm working with VMware) and set it up in our lab VLAN
  *   Restored the domain controller from a backup made a week ago into the lab VLAN
  *   Set up the network between the two so they can communicate
  *   Tested the connection to the new lab DC and it worked.

From there, as the Guacamole VM used for the test was a clone and the DC a restored backup, I was 100% sure the problem was on the domain controller side.
But to be 100% sure, I turned off my original Guacamole server, used the clone for production purposes and… it worked.

No idea why, but if someone has a broken connection someday it may be worth a shot to just clone the VM and try again.

Regards

From: Fabien Bellay
Sent: Thursday 31 October 2024 16:23
To: user@guacamole.apache.org
Subject: RE: Connection broken - Only on domain controller

I think your code just adds a new account to the guacamole DB and gives it the Guacamole system administrator permission.
But our accounts are OK now; they can connect to the Guacamole UI and any Microsoft server except our two domain controllers.

Here is an extract of some of the DB selects:
guacamole_db=# select * from guacamole_entity where name='admin-fbe';
entity_id |   name    | type
-----------+-----------+------
         9 | admin-fbe | USER


guacamole_db=# select user_id, entity_id, password_hash, password_salt, password_date, disabled, expired from guacamole_user where entity_id=9;
 user_id | entity_id |   password_hash   |   password_salt   |       password_date        | disabled | expired
---------+-----------+-------------------+-------------------+----------------------------+----------+---------
       9 |         9 | \xblablablablabla | \xblablablablabla | 2024-04-25 07:24:52.157+00 | f        | f


guacamole_db=# select * from guacamole_user_group;
user_group_id | entity_id | disabled
---------------+-----------+----------
             2 |        14 | f
             1 |        10 | f


guacamole_db=# select * from guacamole_user_group_member where member_entity_id=9;
user_group_id | member_entity_id
---------------+------------------
             1 |                9


guacamole_db=# select * from guacamole_system_permission where entity_id=10;
entity_id |       permission
-----------+-------------------------
        10 | CREATE_CONNECTION
        10 | CREATE_CONNECTION_GROUP
        10 | CREATE_SHARING_PROFILE
        10 | CREATE_USER
        10 | CREATE_USER_GROUP
        10 | ADMINISTER

Here you can see my account belongs to the group (Admins), is enabled and has all the permissions.

Regards

From: Sean Hulbert <shulb...@securitycentric.net.INVALID>
Sent: Thursday 31 October 2024 15:45
To: user@guacamole.apache.org
Subject: Re: Connection broken - Only on domain controller


Hope this helps; you'll need command-line access to the database.

-- MySQL/MariaDB syntax (SET @var, UNHEX, SHA2); PostgreSQL needs a different form.
-- Random 32-byte salt; Guacamole stores SHA-256(password || uppercase hex of the salt).
SET @salt = UNHEX(SHA2(UUID(), 256));
INSERT INTO guacamole_entity (name, type) VALUES ('UserNameHere', 'USER');
INSERT INTO guacamole_user (
    entity_id,
    password_salt,
    password_hash,
    password_date
)
SELECT
    entity_id,
    @salt,
    UNHEX(SHA2(CONCAT('PasswordHere', HEX(@salt)), 256)),  -- HEX() is uppercase, as expected by Guacamole
    CURRENT_TIMESTAMP
FROM guacamole_entity
WHERE
    name = 'UserNameHere'
    AND type = 'USER';



Issue this command to get the entity ID: select * from guacamole_entity;

-- Replace 11 with the entity_id returned for 'UserNameHere' above.
INSERT INTO guacamole_system_permission (entity_id, permission) VALUES (11, 'ADMINISTER');





Thank You
Sean Hulbert

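As an added example (not part of the thread and not Guacamole project code): the salted hash scheme behind Sean's SQL, in Python, producing values usable from PostgreSQL (which Fabien's deployment runs) and checking a candidate password against stored password_hash/password_salt columns. The uppercase-hex convention is Guacamole's; the function names and the placeholder username/password are mine.

```python
import hashlib
import hmac
import os

# Guacamole's JDBC authentication stores, per user, a random salt and
# SHA-256(password || HEX(salt)), where HEX(salt) is the UPPERCASE hex
# spelling of the salt (MySQL's HEX() is uppercase, and so is the Java side).
# A lowercase spelling yields a hash that never verifies.


def guacamole_password_hash(password: str, salt: bytes) -> bytes:
    """Return the 32-byte password_hash Guacamole expects for this salt."""
    salted = password + salt.hex().upper()
    return hashlib.sha256(salted.encode("utf-8")).digest()


def new_credentials(password: str) -> tuple[bytes, bytes]:
    """Generate a fresh 32-byte salt and the matching hash for a new user."""
    salt = os.urandom(32)
    return salt, guacamole_password_hash(password, salt)


def verify_password(password: str, password_hash: bytes, password_salt: bytes) -> bool:
    """Constant-time check of a candidate password against stored guacamole_user columns."""
    candidate = guacamole_password_hash(password, password_salt)
    return hmac.compare_digest(candidate, password_hash)


def postgres_insert_sql(username: str, salt: bytes, digest: bytes) -> str:
    """Render Sean's two MySQL INSERTs in PostgreSQL syntax (decode() instead of UNHEX())."""
    # Literal quoting only because this is a one-off psql statement; scripts should bind parameters.
    name = username.replace("'", "''")
    return (
        f"INSERT INTO guacamole_entity (name, type) VALUES ('{name}', 'USER');\n"
        "INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)\n"
        "SELECT entity_id,\n"
        f"       decode('{digest.hex().upper()}', 'hex'),\n"
        f"       decode('{salt.hex().upper()}', 'hex'),\n"
        "       CURRENT_TIMESTAMP\n"
        f"FROM guacamole_entity WHERE name = '{name}' AND type = 'USER';"
    )


if __name__ == "__main__":
    # Placeholder username/password, as in the thread.
    salt, digest = new_credentials("PasswordHere")
    print(postgres_insert_sql("UserNameHere", salt, digest))
    print(verify_password("PasswordHere", digest, salt))  # True
```

The ADMINISTER system permission still has to be granted separately, as in Sean's last statement, using the entity_id psql reports for the new row.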
On 10/31/2024 1:58 AM, Fabien Bellay wrote:
Hello everyone,

I've been struggling with an odd issue since yesterday morning.
A little context:

  1.  We have a Guacamole on-premise server installed with Docker and the LDAP extension for user authentication
  2.  We have some admin accounts in the Admins group which possess all the privileges
  3.  MFA is enabled for everyone

Yesterday one admin mistakenly clicked the « Disabled » checkbox of the Admins group and saved the changes.
Therefore none of the admins could connect to the Guacamole web UI, so the impact was limited.

To solve the problem:

  1.  We connected directly to the postgres container and manually modified the disabled flag of the Admins group to 'f'

That worked just fine; we could reconnect to the Web UI again and to all our connections except the two domain controllers…

We tried several things:

  1.  Cloning one of the DC connections and trying to reach it -> Failed
  2.  Removing one of the DC connections, recreating it and trying to reach it -> Failed
  3.  Removing one of the admins from the Admins group and giving him the permission directly on the DC connection -> Failed
  4.  Creating a new admin account on the DC with permission to connect to the Web UI and to the DC connection -> Failed
  5.  Updating the DC connection to use the password directly (without using ${GUAC_PASSWORD}) -> Failed
  6.  Updating the DC connection to use a local account from the DC -> Failed
  7.  Restarting Guacamole and the DCs -> Not better

Everything we tried generates the same logs on the guacamole containers:

Log output from the Guacamole service:
08:33:37.339 [http-nio-8080-exec-1] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:33:37.787 [http-nio-8080-exec-1] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 448 milliseconds
08:37:23.299 [http-nio-8080-exec-4] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:37:23.732 [http-nio-8080-exec-5] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 432 milliseconds
08:37:25.311 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:37:25.758 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 447 milliseconds
08:37:59.987 [http-nio-8080-exec-9] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:38:00.437 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 450 milliseconds
08:40:15.335 [http-nio-8080-exec-5] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:40:15.785 [http-nio-8080-exec-1] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 450 milliseconds
08:41:46.979 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:41:47.415 [http-nio-8080-exec-7] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 436 milliseconds
08:42:44.979 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-test" connected to connection "118".
08:42:45.428 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-test" disconnected from connection "118". Duration: 449 milliseconds
08:45:03.739 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" connected to connection "118".
08:45:04.200 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - 
User "admin-ale" disconnected from connection "118". Duration: 461 milliseconds


Log output from the guacd service:
guacd[1]: INFO: Connection "$50207ab8-e395-4f49-a43f-f76f8ff6ae6a" removed.
guacd[1]: INFO: Creating new client for protocol "rdp"
guacd[1]: INFO: Connection ID is "$ba112f6d-0256-4204-b707-3290f047d008"
guacd[4350]: INFO:      No security mode specified. Defaulting to security mode 
negotiation with server.
guacd[4350]: INFO:      Resize method: none
guacd[4350]: INFO:      Clipboard line ending normalization: Windows (CRLF)
guacd[4350]: INFO:      User "@91d9cb6f-1f21-4536-b696-eb9fd3722d69" joined 
connection "$ba112f6d-0256-4204-b707-3290f047d008" (1 users now present)
guacd[4350]: INFO:      Loading keymap "base"
guacd[4350]: INFO:      Loading keymap "en-us-qwerty"
guacd[4350]: INFO:      RDP server closed/refused connection: Authentication 
failure (invalid credentials?)
guacd[4350]: INFO:      User "@91d9cb6f-1f21-4536-b696-eb9fd3722d69" 
disconnected (0 users remain)
guacd[4350]: INFO:      Last user of connection 
"$ba112f6d-0256-4204-b707-3290f047d008" disconnected
guacd[1]: INFO: Connection "$ba112f6d-0256-4204-b707-3290f047d008" removed.
guacd[1]: INFO: Creating new client for protocol "rdp"
guacd[1]: INFO: Connection ID is "$18b89baa-e7b8-4176-96f0-a926ebfb3f18"
guacd[4376]: INFO:      No security mode specified. Defaulting to security mode 
negotiation with server.
guacd[4376]: INFO:      Resize method: none
guacd[4376]: INFO:      Clipboard line ending normalization: Windows (CRLF)
guacd[4376]: INFO:      User "@4c4c600a-c239-4523-9b78-7301d47cc100" joined 
connection "$18b89baa-e7b8-4176-96f0-a926ebfb3f18" (1 users now present)
guacd[4376]: INFO:      Loading keymap "base"
guacd[4376]: INFO:      Loading keymap "en-us-qwerty"
guacd[4376]: INFO:      RDP server closed/refused connection: Authentication 
failure (invalid credentials?)
guacd[4376]: INFO:      User "@4c4c600a-c239-4523-9b78-7301d47cc100" 
disconnected (0 users remain)
guacd[4376]: INFO:      Last user of connection 
"$18b89baa-e7b8-4176-96f0-a926ebfb3f18" disconnected
guacd[1]: INFO: Connection "$18b89baa-e7b8-4176-96f0-a926ebfb3f18" removed.

Every time, the same logs are generated whatever the test scenario…
We're running out of ideas and would appreciate some help.

Thank you.

Regards
