[ https://issues.apache.org/jira/browse/GUACAMOLE-2057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949158#comment-17949158 ]

Nick Couchman commented on GUACAMOLE-2057:
------------------------------------------

[~lexaphix] I have branches in my forks of the Guacamole repos that you're 
welcome to check out and give it a go:

https://github.com/necouchman/guacamole-server/tree/working/rdp-kerberos
https://github.com/necouchman/guacamole-client/tree/working/rdp-kerberos

If you check out and build those branches, you should be able to test out the 
ability to connect to servers/accounts that require Kerberos. Note that, while 
I included the fields for the Kerberos KDC and the Kerberos Cache, I didn't 
actually have to do anything with those, nor did I have to provide or edit a 
krb5.conf file - it just worked for me. The same was true using xfreerdp from 
the command line - I just had to specify the /auth-pkg-list with kerberos and 
that was it.

Let me know how it goes.

> Allow RDP connections to leverage FreeRDP3 Kerberos Security
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-2057
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2057
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: RDP
>            Reporter: Axel D'Olislager
>            Assignee: Nick Couchman
>            Priority: Major
>              Labels: security
>
> Since in Guacamole 1.6.0 there will be support for FreeRDP3.0, there is 
> currently no way to make use of the new kerberos authentication functionality 
> within FreeRDP.
>  
> As per deprecation of NTLM and security issues the demand for it is becoming 
> reasonably high, as in an Active Directory domain, your users cannot be part 
> of the Protected Users security group which blocks legacy protocols. 
> [https://www.reddit.com/r/sysadmin/comments/1b5o6kx/apache_guacamole_kerberos_support_or_roadmap_for/]
>  
> I've personally been playing around with this.
> Manually I am able to create a connection using the FreeRDP package using the 
> following command and modifying my krb5.conf file:
> {code:java}
> xfreerdp /auth-pkg-list:'!ntlm,kerberos' /u:<username> /v:<host_ip> /d:<domainname> /cert:ignore{code}
>  
> krb5.conf:
> {code:java}
> includedir /etc/krb5.conf.d/
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>     default_realm = LEXAPHIX.LAB
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = false
> [realms]
>     LEXAPHIX.LAB = {
>         kdc = besnlexdc03.lexaphix.lab
>         admin_server = besnlexdc03.lexaphix.lab
>     }
> [domain_realm]
>     .lexaphix.lab = LEXAPHIX.LAB
>     lexaphix.lab = LEXAPHIX.LAB{code}
>  
>  
> I've been trying to get this to work, but because I do not have the knowledge 
> of this code base, I'm unable to add these things.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
