Logon failure at Guacamole after upgrade from latest UCS 4.4 version to UCS 5.0-1 errata286

Dear community,

although UCS 5 has been out for quite a while, I needed to wait until I upgraded my UCS 4.4 server because of the Guacamole App that was not available for UCS 5. In the meantime, a UCS 5 compatible upgrade was available. So I updated the UCS server to the latest version of UCS 4.4 and verified that Guacamole was correctly running.

Then I performed the upgrade to UCS 5. I realized that, after having applied all available updates, Guacamole produced a logon failure once the Guacamole App is accessed and the credentials have been entered. This was also the case after removing access rights from the user to access Guacamole and adding them afterwards again.

How can this issue be properly debugged to identify the cause of this problem?

Best regards,
Peter

You may look at the Guacamole logs with “docker logs guacamole” if the logon problem is on the Guacamole login page. If the logon fails on RDP connections, then “docker logs guacd” should show the errors.

rg
Christian

1 Like

Thanks a lot for this hint. The guacamole log file reports:

17:11:04.486 [http-nio-8080-exec-10] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
17:11:04.487 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-<id>,cn=memberserver,cn=computers,dc=<domain>,dc=<local>"
17:11:04.487 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.10.52, 172.16.0.1] for user "Administrator" failed.

I have already removed the App “Guacamole” from user “Administrator” in the UCS 5.0 User Settings, saved the settings, then re-assigned the App “Guacamole” to the user “Administrator” and saved the settings again.

Furthermore, I verified via the UCS GUI at UMC / Devices / Computers that the managed node “cn=guaca-<id>” is stored at “cn=memberserver,cn=computers,dc=<domain>,dc=<local>” (the values in brackets <> have been anonymized here). However, this LDAP node has already been created by the previous version of the Guacamole Docker image (0.9.13-univention14).

Hi @herrep

your problem might not be related to the update but to a possible reboot of the system?
When I’ve used the app under 4.4 I always had to fix /etc/hosts inside the guacamole docker.
So the error message might be misleading regarding a LDAP issue when it is a pure network and address issue.
I first had to check the guacamole docker network:

docker network inspect guacamole_appcenter_net 

Look at my /etc/hosts file:

univention-app shell guacamole cat /etc/hosts

and fix it with the value from the first command:

univention-app shell guacamole sh -c 'echo "172.XX.Y.Z    guacd" >> /etc/hosts'

You find discussions and bug reports from 3 years ago when you search for your error message.
https://help.univention.com/search?q=o.a.g.r.auth.AuthenticationService

Best,
Bernd

Hi Bernd,

Thank you very much for your hint that my issue might be rather related to a reboot of the UCS. I tried to identify the entries in the hosts file, but failed:

root@server:~# univention-app shell guacamole cat /etc/hosts
failed to start io pipe copy: containerd-shim: opening b279fe5bc4965a7b49c16d6a70c73972034d084fc9c0d8640f867c6008bcecfd-stdout failed: open b279fe5bc4965a7b49c16d6a70c73972034d084fc9c0d8640f867c6008bcecfd-stdout: no such file or directory: unknown

I noticed that the docker images - although updated via the GUI - show the old version univention13:

root@server:~# docker ps
CONTAINER ID        IMAGE                                                                   COMMAND                  CREATED             STATUS              PORTS                     NAMES
53628ee811ac        docker.software-univention.de/guacamole-guacamole:0.9.13-univention13   "/opt/guacamole/bin/…"   46 hours ago        Up 46 hours         0.0.0.0:40001->8080/tcp   guacamole_guacamole_1
7b0e8eafd334        docker.software-univention.de/guacamole-guacd:0.9.13-univention13       "/usr/local/sbin/gua…"   46 hours ago        Up 46 hours         4822/tcp                  guacamole_guacd_1

I have the following configuration details:

root@server:~# docker network ls
NETWORK ID          NAME                      DRIVER              SCOPE
9bb6be288771        bridge                    bridge              local
295fb1083d68        guacamole_appcenter_net   bridge              local
f195e08e1a6a        host                      host                local
c85f6b4291b0        none                      null                local

root@server:~# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "9bb6be288771a64f2d11eefa49d1e88e6d218c33dd7121d97e3e3a8fbcef0480",
        "Created": "2022-04-10T15:56:03.442199867+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.42.1/16",
                    "Gateway": "172.17.42.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "53628ee811ac5e724f61bab68eee9aaabfdb9b0e2f8f59cb267ed8f79a0638ae": {
                "Name": "guacamole_guacamole_1",
                "EndpointID": "0d3bc56afc0309dc05598f24bcd0a0463f836e15c415ca1f4c20bfcf4757a15c",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "6e75b7448452b98099404c59fe313f7f25a60493e45e711038e2757ae0d7a897": {
                "Name": "pedantic_ishizaka",
                "EndpointID": "e1d734c8773ea747e2c501989ff801ed05ff9cf8f8a0f4c5db1c01f128e5f333",
                "MacAddress": "02:42:ac:11:00:01",
                "IPv4Address": "172.17.0.1/16",
                "IPv6Address": ""
            },
            "7b0e8eafd3344e4118ff2a723ce31becc4ca9831a2d069bf175da4462dfc58cf": {
                "Name": "guacamole_guacd_1",
                "EndpointID": "03477671c95b91ce30ae50abfb141d21e56f2c98f3916821dd71df59a7b4388a",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

root@server:~# docker network inspect guacamole_appcenter_net 
[
    {
        "Name": "guacamole_appcenter_net",
        "Id": "295fb1083d6814432238555af79665530b49df5910012ffef19dc10da1464695",
        "Created": "2022-04-10T15:43:25.685660025+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.16.0.0/24",
                    "Gateway": "172.16.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "53628ee811ac5e724f61bab68eee9aaabfdb9b0e2f8f59cb267ed8f79a0638ae": {
                "Name": "guacamole_guacamole_1",
                "EndpointID": "5ba9cccef51f6a5a0447060f80cd670633e0bf2c494c890d9fc42371468aba9d",
                "MacAddress": "02:42:ac:10:00:03",
                "IPv4Address": "172.16.0.3/24",
                "IPv6Address": ""
            },
            "7b0e8eafd3344e4118ff2a723ce31becc4ca9831a2d069bf175da4462dfc58cf": {
                "Name": "guacamole_guacd_1",
                "EndpointID": "7d0de670bbbe447c0a8cefc0b4057a7132603b6cb6d763adb8613bfb9ddd6286",
                "MacAddress": "02:42:ac:10:00:02",
                "IPv4Address": "172.16.0.2/24",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

The guacamole containers shouldn’t be in both networks. I would try to remove them from bridge and restart the app or server.

Edit:
I’ve just checked my installation and I have the containers only in the guacamole_appcenter_net network. And I don’t need the edit of /etc/hosts at the moment (on 5.0 now, as I did with 4.4).

1 Like

Thanks a lot. After removing the containers from the bridge and restarting the app, I could connect again!
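
Added example, not part of the thread and not Univention's or Docker's own tooling: a small Python check that reads `docker network inspect` JSON and lists containers attached to the app network and to some other network as well, which is the condition identified above. The sample data is the thread's two inspect outputs trimmed to the fields the check uses; the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample: the two `docker network inspect` outputs from the thread,
# trimmed to network name, container name and IPv4 address.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "bridge",
   "Containers": {
     "53628ee811ac": {"Name": "guacamole_guacamole_1", "IPv4Address": "172.17.0.3/16"},
     "6e75b7448452": {"Name": "pedantic_ishizaka", "IPv4Address": "172.17.0.1/16"},
     "7b0e8eafd334": {"Name": "guacamole_guacd_1", "IPv4Address": "172.17.0.2/16"}}},
  {"Name": "guacamole_appcenter_net",
   "Containers": {
     "53628ee811ac": {"Name": "guacamole_guacamole_1", "IPv4Address": "172.16.0.3/24"},
     "7b0e8eafd334": {"Name": "guacamole_guacd_1", "IPv4Address": "172.16.0.2/24"}}}
]
""")


def attachments(networks):
    """Map container name -> {network name: IPv4 address}."""
    seen = defaultdict(dict)
    for net in networks:
        # "Containers" may be null or missing when a network has no endpoints.
        for cid, endpoint in (net.get("Containers") or {}).items():
            name = endpoint.get("Name", cid)
            seen[name][net["Name"]] = endpoint.get("IPv4Address", "")
    return dict(seen)


def multi_homed(networks, expected_net):
    """Containers on expected_net that are also attached to another network."""
    result = {}
    for name, nets in attachments(networks).items():
        if expected_net in nets and len(nets) > 1:
            result[name] = sorted(n for n in nets if n != expected_net)
    return result


if __name__ == "__main__":
    found = multi_homed(SAMPLE_INSPECT, "guacamole_appcenter_net")
    for name, extra in found.items():
        print(f"{name}: also attached to {', '.join(extra)}")
```

On a live host the same functions accept the parsed output of `docker network inspect bridge guacamole_appcenter_net`, which returns one JSON array covering both networks. `docker network disconnect` is the Docker CLI command for detaching a container from a network.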
