guacamole “You do not have permission to access this connection”

After successfully setting up a dockerized guacamole 0.9.8 along the lines of

  • http://guac-dev.org/doc/gug/guacamole-docker.html
  • http://kalzi.github.io/2015/guacamole-with-docker-containers/

with the script below and logging in with user: guacadmin password: guacadmin
I was able to set up a user and an RDP connection. Guacamole’s UI is usable
directly via the mapped port configured in the docker setup script (8380 in my case) but also via a reverse Apache proxy configured as per Guacamole’s manual with:

    <Location /guac/>
        Order allow,deny
        Allow from all
        ProxyPass http://localhost:8380/guacamole/ flushpackets=on
        ProxyPassReverse http://localhost:8380/guacamole/
    </Location>
    

    I tried to follow the manual for rdp connections
    http://guac-dev.org/doc/gug/configuring-guacamole.html#rdp

    but when using the reverse-proxy ended up with:

    [Image: error message]

    Which also happened to other users, see:

    https://sourceforge.net/p/guacamole/discussion/1110834/thread/73abbe35/

    How could I debug this situation to find the correct settings?

    There seems to be something fishy since as an administrator, e.g. guacadmin, I do get
    [Image: error message on permissions]
    when trying to enable and save permissions for connections in the following dialog:
    [Image]

    I have access to the mysql DB being used for permissions e.g.
    with

    mysql> show tables;
    +---------------------------------------+
    | Tables_in_guacamole_db                |
    +---------------------------------------+
    | guacamole_connection                  |
    | guacamole_connection_group            |
    | guacamole_connection_group_permission |
    | guacamole_connection_history          |
    | guacamole_connection_parameter        |
    | guacamole_connection_permission       |
    | guacamole_system_permission           |
    | guacamole_user                        |
    | guacamole_user_permission             |
    +---------------------------------------+
    

    This is the dockerizing script for guacamole I used:

    #!/bin/bash
    # 
    #   WF 2015-10-26
    #
    # Guacamole (semi) automatic setup of guacamole Remote Desktop server for docker
    # see
    #  http://guac-dev.org/doc/gug/guacamole-docker.html
    #  http://kalzi.github.io/2015/guacamole-with-docker-containers/
    #
    # Since: 2015-10-26
    #
    
    # config variables
    
    # images
    GUAC=glyptodon/guacamole 
    GUACD=glyptodon/guacd
    MYSQL=mysql
    
    # DB settings
    DB=guacamole_db
    DB_USER=guacamole_user
    
    # prefix to be used for container names
    prefix="lab"
    
    #ansi colors
    #http://www.csc.uvic.ca/~sae/seng265/fall04/tips/s265s047-tips/bash-using-colors.html
    blue='\033[0;34m'
    red='\033[0;31m'
    green='\033[0;32m' # '\e[1;32m' is too bright for white bg.
    endColor='\033[0m'
    
    #
    # a colored message 
    #   params:
    #     1: l_color - the color of the message
    #     2: l_msg - the message to display
    #
    color_msg() {
      local l_color="$1"
      local l_msg="$2"
      echo -e "${l_color}$l_msg${endColor}"
    }
    
    #
    # error
    #
    #   show an error message and exit
    #
    #   params:
    #     1: l_msg - the message to display
    error() {
    local l_msg="$1"
    # use ansi red for error
    color_msg $red "Error: $l_msg" 1>&2
    exit 1
    }
    
    #
    # show usage
    #
    usage() {
    echo "usage: guac-setup"
    # -h|--help|usage|show this usage
    echo "  -h|--help: show this usage"
    # -m|--mysql|run mysql in linked container
    echo "  -m|--mysql:run mysql in linked container"
    # -r|--run|run|run guacamole
    echo "  -p|--pull: pull guacamole"
    echo "  -pf|--prefix: set the containername prefix"
    echo "  -r|--run: run guacamole"
    color_msg $blue "Example:"
    echo "   sudo ./guac-setup -p -pf test -r"
    exit 1
    }
    
    #
    # generate a random password
    #
    random_password() {
    # draw from the kernel CSPRNG; a hash of the clock (date +%N) is guessable
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16 ; echo
    } 
    
    #
    # run mysql in container
    #
    mysql_from_container() {
      local l_option="$1"
      local l_db="$2"
      local l_dbparam=""
      if [ "$l_db" != "" ]
      then
        l_dbparam=" $l_db"
      fi
      local l_cmd='exec mysql -h"$MYSQL_PORT_3306_TCP_ADDR" -P"$MYSQL_PORT_3306_TCP_PORT" -uroot -p"$MYSQL_ENV_MYSQL_ROOT_PASSWORD"'"$l_dbparam"
      #echo "$l_cmd"
      docker run $l_option --link $prefix-mysql:mysql --rm mysql sh -c "$l_cmd" 
    } 
    
    #
    # initialize the database
    #
    init_db() {
    # private temp file instead of a fixed, predictable name in /tmp
    local l_tmp
    l_tmp=$(mktemp) || error "cannot create temp file"
    #docker run -it $GUAC /bin/bash 
    color_msg $blue "creating database"
    
    # IF EXISTS (MySQL 5.7.8+) keeps the batch from aborting on a fresh server
    cat << EOF | mysql_from_container -i
    DROP DATABASE IF EXISTS $DB;
    CREATE DATABASE IF NOT EXISTS $DB;
    DROP USER IF EXISTS '${DB_USER}';
    CREATE USER '${DB_USER}' IDENTIFIED BY '${DB_PASSWD}';
    GRANT SELECT,INSERT,UPDATE,DELETE ON $DB.* TO '${DB_USER}';
    FLUSH PRIVILEGES;
    EOF
      color_msg $blue "getting initdb.sh" 
      docker run --rm $GUAC /opt/guacamole/bin/initdb.sh --mysql > "$l_tmp"
      color_msg $blue "initializing database"
      # feed the generated schema to mysql
      mysql_from_container -i "$DB" < "$l_tmp"
      rm -f "$l_tmp"
      color_msg $blue "keeping password for db $DB at /var/lib/mysql/guac_passwd"
      #echo $DB_PASSWD
      echo "$DB_PASSWD" | docker exec -i $prefix-mysql /usr/bin/tee /var/lib/mysql/guac_passwd > /dev/null
    }
    
    #  
    # run guacamole
    # 
    run () {
      local l_prefix="$1"
      MYSQL_ROOT_PASSWORD=`random_password`
      color_msg $blue "starting $l_prefix-guacd"
      docker run --name $l_prefix-guacd -d $GUACD
      color_msg $blue "starting $l_prefix-mysql"
      docker run --name $l_prefix-mysql -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD -d mysql:latest
      docker ps -a --filter "name=$l_prefix*"
    }
    
    # 
    # pull images
    # 
    pull() {
      for image in $GUACD $GUAC $MYSQL 
      do
        docker images | cut -c1-22 | grep $image
        if [ $? -ne 0 ]
        then
          docker pull $image
        else
          color_msg $green "$image already pulled"
        fi
      done
    }
    
    #
    # start it
    #
    startit() {
      DB_PASSWD=`docker exec -i $prefix-mysql /bin/cat /var/lib/mysql/guac_passwd`
      # now run the whole show
      docker run --name $prefix-guacamole --link $prefix-guacd:guacd \
         --link $prefix-mysql:mysql      \
         -e MYSQL_DATABASE=$DB  \
         -e MYSQL_USER=$DB_USER    \
         -e MYSQL_PASSWORD=$DB_PASSWD \
         -d -p 8380:8080 $GUAC 
    }
    
    # start of script
    
    # check arguments
    if [ $# -eq 0 ]
    then
      usage
    fi
    while test $# -gt 0
    do
      case $1 in
        # -h|--help|usage|show this usage
        -h|--help) 
          usage;;
    
        # -p|--pull|pull|pull guacamole
        -p|--pull) 
           pull;;
    
        # -pf|--prefix|set containername prefix
        -pf|--prefix) 
           shift
           prefix=$1
           ;;
    
        # -r|--run|run|run guacamole
        -r|--run) 
           run $prefix;;
    
        # -m|--mysql|run mysql connection to container
        -m|--mysql) 
           mysql_from_container -it
           ;;
    
        -ms|--mysql_shell) 
          docker exec -it $prefix-mysql /bin/bash
          ;;
    
        -i|--initdb)
           DB_PASSWD=`random_password`
           init_db
           ;;
    
        --setup) 
           pull
           run $prefix
           ;;
    
        --start) 
           startit
           ;;
      esac
      shift
    done
    

2 solutions collected from the web for “guacamole You do not have permission to access this connection”

    How could I debug this situation to find the correct settings?

    In the case of authentication errors like this, the first thing you should do is check the Tomcat logs for errors. If an error is occurring which is causing Guacamole to return “Permission denied”, that error should be logged and will correlate temporally with the actions that produce the error.

    If nothing jumps out as relevant, you can also try enabling debug-level logging. This involves creating a logback.xml file within GUACAMOLE_HOME containing the following:

    <configuration>
    
        <!-- Appender for debugging -->
        <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
            <encoder>
                <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
            </encoder>
        </appender>
    
        <!-- Log at DEBUG level -->
        <root level="debug">
            <appender-ref ref="GUAC-DEBUG"/>
        </root>
    
    </configuration>
    

    If you are doing this with the official Docker images, GUACAMOLE_HOME will be /root/.guacamole, and you will need to restart the container to force Tomcat to restart and reload the Guacamole configuration.

    If you are using Guacamole behind a proxy like Nginx or Apache, I would also recommend first trying to connect to Guacamole directly. An incorrect proxy configuration could prevent WebSocket from working, and then prevent the fallback HTTP tunnel from working. Such a misconfiguration may appear, from Guacamole’s perspective, that you are attempting to access a resource without being logged in, resulting in the permission error.

    http://guac-dev.org/doc/gug/proxying-guacamole.html#websocket-and-apache

    has the necessary configuration (shown here adapted for the 8380 port being used and the /guac path)

    <Location /guac/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://localhost:8380/guacamole/websocket-tunnel
        ProxyPassReverse ws://localhost:8380/guacamole/websocket-tunnel
    </Location>
    

    To activate the configuration I used:

    a2enmod proxy_wstunnel
    Considering dependency proxy for proxy_wstunnel:
    Module proxy already enabled
    Enabling module proxy_wstunnel.
    To activate the new configuration, you need to run:
      service apache2 restart
    service apache2 restart
     * Restarting web server apache2          
    

    Now the connection works both directly via port 8380 and via the reverse proxy configuration that maps it to /guac on my main server.
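
Added example (not from the question or either answer): a small Python check, using hypothetical helper names, that encodes the two proxy settings this page relies on: `flushpackets=on` on the HTTP `ProxyPass` and a matching `ws://` `Location` for `websocket-tunnel`. The sample configs are constructed from the snippets above with the access-control lines omitted.

```python
import re

# Constructed from the two Apache snippets on this page (question, then answer).
QUESTION_CONF = """
<Location /guac/ >
    ProxyPass http://localhost:8380/guacamole/ flushpackets=on
    ProxyPassReverse http://localhost:8380/guacamole/
</Location>
"""
FIXED_CONF = QUESTION_CONF + """
<Location /guac/websocket-tunnel>
    ProxyPass ws://localhost:8380/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8380/guacamole/websocket-tunnel
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)
# \s+ after ProxyPass keeps ProxyPassReverse lines from matching.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)(.*)$", re.M | re.I)

def proxied_locations(conf):
    """Map each Location path to (backend URL, trailing ProxyPass options)."""
    found = {}
    for path, body in LOCATION_RE.findall(conf):
        m = PROXYPASS_RE.search(body)
        if m:
            found[path.rstrip("/")] = (m.group(1), m.group(2).strip())
    return found

def lint_guacamole_proxy(conf):
    """Return problems that would break Guacamole's tunnels behind mod_proxy."""
    locs = proxied_locations(conf)
    problems = []
    for path, (backend, opts) in locs.items():
        if not backend.lower().startswith(("http://", "https://")):
            continue  # ws:// blocks are checked from their HTTP parent
        if "flushpackets=on" not in opts.lower():
            problems.append(f"{path}: HTTP tunnel ProxyPass lacks flushpackets=on")
        ws_path = path + "/websocket-tunnel"
        want = re.sub(r"^http", "ws", backend.rstrip("/"), flags=re.I) + "/websocket-tunnel"
        got = locs.get(ws_path)
        if got is None:
            problems.append(f"{ws_path}: no Location block for the WebSocket tunnel")
        elif got[0].rstrip("/") != want:
            problems.append(f"{ws_path}: ProxyPass is {got[0]}, expected {want}")
    return problems

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_guacamole_proxy(conf) or "ok")
```

Run against a vhost file, it flags a WebSocket block that points at a different backend or path than the HTTP one, which is easy to miss when the port is remapped.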
