https://qiita.com/sandopan65/items/b7beecfe70c79e354371
A continuation. Making my own trouble and then cleaning it up...
Guacamole is essentially a relay server for connecting to VNC or RDP hosts through a browser.
When I tried it before, I couldn't get RDP to connect;
the conclusion is that the problem was in the RDP security (SSL) settings.
What started it
Set up the following and try to RDP to a Windows server.
<user-mapping>
<authorize username="test" password="password">
<!-- doesn't work -->
<connection name="windows">
<protocol>rdp</protocol>
<param name="hostname">192.168.0.1</param>
</connection>
</authorize>
</user-mapping>
Logging in from the Guacamole login screen gives...
CONNECTION ERROR
...it says. Now what.
Environment
Same as last time:
- Fedora 31 (Server Edition)
- guacamole-server-1.0.0
- freerdp1.2-devel
The RDP target is Windows Server 2019 Essentials.
Let's follow the logs.
The guacd log at the time of the failed login is as follows.
$ journalctl -u guacd -f
-- Logs begin at Mon 2019-12-09 00:19:02 JST. --
Dec 11 23:10:57 localhost.localdomain guacd[1083]: User "@4110d22e-5241-4fbe-b5d9-a290879fa50b" disconnected (0 users remain)
Dec 11 23:10:57 localhost.localdomain guacd[789]: guacd[1083]: INFO: User "@4110d22e-5241-4fbe-b5d9-a290879fa50b" disconnected (0 users remain)
Dec 11 23:10:57 localhost.localdomain guacd[789]: guacd[1083]: INFO: Last user of connection "$7b5cde0a-bf39-48af-8962-c3992c63ebf6" disconnected
Dec 11 23:10:57 localhost.localdomain guacd[1083]: Last user of connection "$7b5cde0a-bf39-48af-8962-c3992c63ebf6" disconnected
Dec 11 23:10:57 localhost.localdomain guacd[789]: [23:10:57:816] [1083:1089] [ERROR][com.winpr.library] - LoadLibraryA: /usr/lib64/freerdp/guacdr-client.so: cannot open shared object file: No such file or directory
Dec 11 23:10:57 localhost.localdomain guacd[789]: [23:10:57:816] [1083:1089] [ERROR][com.winpr.library] - LoadLibraryA: /usr/lib64/freerdp/guacsnd-client.so: cannot open shared object file: No such file or directory
Dec 11 23:10:57 localhost.localdomain guacd[789]: [23:10:57:824] [1083:1089] [ERROR][com.freerdp.legacy] - freerdp_set_last_error 0x2000C
Dec 11 23:10:57 localhost.localdomain guacd[789]: [23:10:57:824] [1083:1089] [ERROR][com.freerdp.legacy] - Error: protocol security negotiation or connection failure
Dec 11 23:10:57 localhost.localdomain guacd[789]: Connection "$7b5cde0a-bf39-48af-8962-c3992c63ebf6" removed.
Dec 11 23:10:57 localhost.localdomain guacd[789]: guacd[789]: INFO: Connection "$7b5cde0a-bf39-48af-8962-c3992c63ebf6" removed.
Apparently it can't find the library files.
Create symbolic links
First, let's see whether symbolic links fix it.
$ sudo ln -s /usr/local/lib/freerdp/* /usr/lib64/freerdp
$ ls -l /usr/lib64/freerdp/
total 444
-rwxr-xr-x. 1 root root 16104 Jul 25 10:07 audin-client-alsa.so
-rwxr-xr-x. 1 root root 24352 Jul 25 10:07 audin-client-pulse.so
-rwxr-xr-x. 1 root root 20560 Jul 25 10:07 audin-client.so
-rwxr-xr-x. 1 root root 15912 Jul 25 10:07 disp-client.so
-rwxr-xr-x. 1 root root 36752 Jul 25 10:07 drive-client.so
-rwxr-xr-x. 1 root root 15888 Jul 25 10:07 echo-client.so
lrwxrwxrwx. 1 root root 39 Dec 11 23:28 guacai-client.la -> /usr/local/lib/freerdp/guacai-client.la
lrwxrwxrwx. 1 root root 39 Dec 11 23:28 guacai-client.so -> /usr/local/lib/freerdp/guacai-client.so
lrwxrwxrwx. 1 root root 39 Dec 11 23:28 guacdr-client.la -> /usr/local/lib/freerdp/guacdr-client.la
lrwxrwxrwx. 1 root root 39 Dec 11 23:28 guacdr-client.so -> /usr/local/lib/freerdp/guacdr-client.so
lrwxrwxrwx. 1 root root 40 Dec 11 23:28 guacsnd-client.la -> /usr/local/lib/freerdp/guacsnd-client.la
lrwxrwxrwx. 1 root root 40 Dec 11 23:28 guacsnd-client.so -> /usr/local/lib/freerdp/guacsnd-client.so
lrwxrwxrwx. 1 root root 40 Dec 11 23:28 guacsvc-client.la -> /usr/local/lib/freerdp/guacsvc-client.la
lrwxrwxrwx. 1 root root 40 Dec 11 23:28 guacsvc-client.so -> /usr/local/lib/freerdp/guacsvc-client.so
-rwxr-xr-x. 1 root root 15864 Jul 25 10:07 parallel-client.so
-rwxr-xr-x. 1 root root 20368 Jul 25 10:07 printer-client.so
-rwxr-xr-x. 1 root root 28760 Jul 25 10:07 rdpei-client.so
-rwxr-xr-x. 1 root root 37232 Jul 25 10:07 rdpgfx-client.so
-rwxr-xr-x. 1 root root 28480 Jul 25 10:07 rdpsnd-client-alsa.so
-rwxr-xr-x. 1 root root 24400 Jul 25 10:07 rdpsnd-client-pulse.so
-rwxr-xr-x. 1 root root 28232 Jul 25 10:07 serial-client.so
-rwxr-xr-x. 1 root root 15904 Jul 25 10:07 tsmf-client-alsa-audio.so
-rwxr-xr-x. 1 root root 32808 Jul 25 10:07 tsmf-client-gstreamer-decoder.so
-rwxr-xr-x. 1 root root 20104 Jul 25 10:07 tsmf-client-pulse-audio.so
-rwxr-xr-x. 1 root root 50200 Jul 25 10:07 tsmf-client.so
But no, still broken...
The log does change a bit, though.
Dec 11 23:32:26 localhost.localdomain guacd[789]: Creating new client for protocol "rdp"
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[789]: INFO: Creating new client for protocol "rdp"
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[789]: INFO: Connection ID is "$54d3a08d-f713-46b5-a02d-5e167b35cb02"
Dec 11 23:32:26 localhost.localdomain guacd[789]: Connection ID is "$54d3a08d-f713-46b5-a02d-5e167b35cb02"
Dec 11 23:32:26 localhost.localdomain guacd[1383]: No security mode specified. Defaulting to RDP.
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: No security mode specified. Defaulting to RDP.
Dec 11 23:32:26 localhost.localdomain guacd[1383]: Resize method: none
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: Resize method: none
Dec 11 23:32:26 localhost.localdomain guacd[1383]: User "@42465ec4-0887-4285-9ae2-7e424009a49f" joined connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" (1 users now present)
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: User "@42465ec4-0887-4285-9ae2-7e424009a49f" joined connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" (1 users now present)
Dec 11 23:32:26 localhost.localdomain guacd[1383]: Loading keymap "base"
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: Loading keymap "base"
Dec 11 23:32:26 localhost.localdomain guacd[1383]: Loading keymap "en-us-qwerty"
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: Loading keymap "en-us-qwerty"
Dec 11 23:32:26 localhost.localdomain guacd[1383]: Error connecting to RDP server
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: ERROR: Error connecting to RDP server
Dec 11 23:32:26 localhost.localdomain guacd[1383]: User "@42465ec4-0887-4285-9ae2-7e424009a49f" disconnected (0 users remain)
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: User "@42465ec4-0887-4285-9ae2-7e424009a49f" disconnected (0 users remain)
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[1383]: INFO: Last user of connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" disconnected
Dec 11 23:32:26 localhost.localdomain guacd[1383]: Last user of connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" disconnected
Dec 11 23:32:26 localhost.localdomain guacd[789]: [23:32:26:342] [1383:1389] [ERROR][com.freerdp.legacy] - freerdp_set_last_error 0x2000C
Dec 11 23:32:26 localhost.localdomain guacd[789]: [23:32:26:342] [1383:1389] [ERROR][com.freerdp.legacy] - Error: protocol security negotiation or connection failure
Dec 11 23:32:26 localhost.localdomain guacd[789]: Connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" removed.
Dec 11 23:32:26 localhost.localdomain guacd[789]: guacd[789]: INFO: Connection "$54d3a08d-f713-46b5-a02d-5e167b35cb02" removed.
This isn't getting anywhere. Let's look at the logs on the target Windows machine.
Open Server Manager and go to Tools
-> Event Viewer.
Then poke around in
Applications and Services Logs
-> Microsoft
-> Windows
-> RemoteDesktopServices-RdpCoreTS
and thereabouts.
There is a suspicious-looking entry, but...
RDP_TCP: An error was encountered when transitioning from StatePreparingX224CC in response to Event_ERROR_SendingX224CC (error code 0x0).
In the end I couldn't trace the cause from this log...
Solution
I found this article.
(It's about RDP security.)
https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/
Apparently the RDP security setting can be changed via the registry.
Let's try changing it.
Open Server Manager, go to Tools
-> Registry Editor
and open
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Look for
SecurityLayer
and...
it is set to 2. Change it to 1.
Then log in to Guacamole again, and...
It works!
What I learned
As the guacd log shows, guacd was connecting with plain RDP security (no TLS), and a SecurityLayer value of 2 requires TLS, so apparently that is why it couldn't connect.
Dec 11 23:32:26 localhost.localdomain guacd[1383]: No security mode specified. Defaulting to RDP.
Put the registry value back and instead change the Guacamole side to connect with TLS.
<param name="security">tls</param>
It still fails, but now the log is easy to read.
In this environment, certificate verification isn't needed.
Finish it off.
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:912] [2550:2556] [ERROR][com.freerdp.legacy] - creating directory /sbin/.config/freerdp
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:912] [2550:2556] [ERROR][com.freerdp.legacy] - creating directory /sbin/.config/freerdp/certs
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:912] [2550:2556] [ERROR][com.freerdp.legacy] - creating directory /sbin/.config/freerdp/server
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:912] [2550:2556] [ERROR][com.freerdp.legacy] - certificate_store_open: error opening [/sbin/.config/freerdp/known_hosts] for writing
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - @ WARNING: CERTIFICATE NAME MISMATCH! @
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - The hostname used for this connection (192.168.130.137)
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - does not match the name given in the certificate:
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - Common Name (CN):
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - WIN-TESTING
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - A valid certificate for the wrong name should NOT be trusted!
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - tls_do_handshake: certificate not trusted, aborting.
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - freerdp_set_last_error 0x2000B
Dec 12 00:03:38 localhost.localdomain guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - Error: protocol security negotiation or connection failure
<param name="ignore-cert">true</param>
It works!
Finally
The user-mapping ends up as follows.
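As an added example (not part of the original post): a small Python triage script that applies the guacd failure patterns walked through above to constructed sample journal lines and maps each to the fix the post ended up with. The sample lines, the prefix regex and the HINTS text are my own assumptions, shaped after the log output shown in this post.

```python
import re

# Constructed sample journal lines, shaped like the guacd output shown in this post.
SAMPLE_LOG = """\
Dec 11 23:10:57 host guacd[789]: [23:10:57:816] [1083:1089] [ERROR][com.winpr.library] - LoadLibraryA: /usr/lib64/freerdp/guacdr-client.so: cannot open shared object file: No such file or directory
Dec 11 23:32:26 host guacd[1383]: No security mode specified. Defaulting to RDP.
Dec 11 23:32:26 host guacd[789]: [23:32:26:342] [1383:1389] [ERROR][com.freerdp.legacy] - freerdp_set_last_error 0x2000C
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - @ WARNING: CERTIFICATE NAME MISMATCH! @
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - The hostname used for this connection (192.168.130.137)
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - Common Name (CN):
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - WIN-TESTING
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - tls_do_handshake: certificate not trusted, aborting.
Dec 12 00:03:38 host guacd[789]: [00:03:38:921] [2550:2556] [ERROR][com.freerdp.legacy] - freerdp_set_last_error 0x2000B
"""

# Strips the journald prefix, the optional duplicated "guacd[pid]: LEVEL: " prefix,
# and the FreeRDP "[time] [pid:tid] [LEVEL][module] - " prefix.
PREFIX = re.compile(r"^.*?guacd\[\d+\]: (?:guacd\[\d+\]: \w+: )?(?:\[[\d:]+\] \[\d+:\d+\] \[\w+\]\[[\w.]+\] - )?")
HINTS = {
    "missing_plugin": "guacd's FreeRDP plugins are not where FreeRDP looks; install or link them into the FreeRDP plugin directory.",
    "security_negotiation_failed": "guacd defaulted to plain RDP security while the server's SecurityLayer requires TLS; set <param name=\"security\">tls</param> instead of lowering SecurityLayer.",
    "name_mismatch": "the address used for the connection does not match the certificate CN; connect by the certificate's name or issue a certificate for that address.",
    "certificate_rejected": "the TLS handshake was aborted because the server certificate is not trusted; ignore-cert=true (as used in this post) disables this check entirely.",
}

def triage(log_text):
    """Return {finding: detail} for the failure patterns this post walks through."""
    findings = {"freerdp_errors": []}
    msgs = [PREFIX.sub("", line) for line in log_text.splitlines() if line.strip()]
    for i, msg in enumerate(msgs):
        if m := re.match(r"LoadLibraryA: (\S+): cannot open shared object file", msg):
            findings.setdefault("missing_plugin", []).append(m.group(1))
        elif msg.startswith("No security mode specified"):
            findings["default_security"] = "rdp"  # guacd's choice when no security param is set
        elif m := re.search(r"freerdp_set_last_error (0x[0-9A-Fa-f]+)", msg):
            findings["freerdp_errors"].append(m.group(1))
        elif "CERTIFICATE NAME MISMATCH" in msg:
            # Hostname and CN follow on the next lines of FreeRDP's warning block.
            block = " ".join(msgs[i:i + 4])
            host = re.search(r"\((\S+)\)", block)
            cn = re.search(r"Common Name \(CN\):\s*(\S+)", block)
            findings["name_mismatch"] = (host.group(1) if host else None, cn.group(1) if cn else None)
        elif "certificate not trusted" in msg:
            findings["certificate_rejected"] = True
    # 0x2000C right after "Defaulting to RDP" is the SecurityLayer=2 versus plain-RDP mismatch seen above.
    if findings.get("default_security") == "rdp" and "0x2000C" in findings["freerdp_errors"]:
        findings["security_negotiation_failed"] = True
    return findings

def hints(findings):
    """Human-readable remediation hints for the findings present, in a fixed order."""
    return [HINTS[k] for k in HINTS if k in findings]
```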
<user-mapping>
<authorize username="test" password="password">
<connection name="windows">
<protocol>rdp</protocol>
<param name="hostname">192.168.0.1</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>
</authorize>
</user-mapping>
The symbolic links are ugly, but they work, so I guess that's fine...
Windows administration is hard, though...
The end