GUACAMOLE-2057: Add configuration parameters for supporting Kerberos authentication for RDP.#581
Draft
necouchman wants to merge 1 commit intoapache:mainfrom
Draft
GUACAMOLE-2057: Add configuration parameters for supporting Kerberos authentication for RDP.#581necouchman wants to merge 1 commit intoapache:mainfrom
necouchman wants to merge 1 commit intoapache:mainfrom
Conversation
…authentication for RDP.
necouchman
force-pushed
the
working/rdp-kerberos
branch
from
08026b5 to
5c1032c
Compare
jbostoen
reviewed
May 9, 2025
|
|
||
| /** | ||
| * The authentication package to use based on the underlying FreeRDP support | ||
| * for alternatives to NTML. Currently FreeRDP2 only supports NTLM, while |
Comment on lines
+1750
to
+1770
| switch(guac_settings->auth_pkg) { | ||
|
|
||
| case GUAC_AUTH_PKG_NTLM: | ||
| freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "ntlm,!kerberos"); | ||
| break; | ||
|
|
||
| case GUAC_AUTH_PKG_KERBEROS: | ||
| freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "!ntlm,kerberos"); | ||
| break; | ||
|
|
||
| case GUAC_AUTH_PKG_ANY: | ||
| freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "ntlm,kerberos"); | ||
| break; | ||
|
|
||
| } | ||
|
|
||
| if (guac_settings->kdc_url != NULL) | ||
| freerdp_settings_set_string(rdp_settings, FreeRDP_KerberosKdcUrl, guac_strdup(guac_settings->kdc_url)); | ||
|
|
||
| if (guac_settings->kerberos_cache != NULL) | ||
| freerdp_settings_set_string(rdp_settings, FreeRDP_KerberosCache, guac_strdup(guac_settings->kerberos_cache)); |
Member
There was a problem hiding this comment.
The specific Kerberos code should only be enabled with FreeRDP >= 3.x to avoid compilation errors in 2.x.
mike-jumper
reviewed
Mar 29, 2026
Comment on lines
+318
to
+320
| * When kerberos authentication is in use, the path to the kerberos ticket | ||
| * cache, relative to GUACAMOLE_HOME. If not specified, the default system | ||
| * cache of the underlying system on which guacd is running will be used. |
Contributor
There was a problem hiding this comment.
It doesn't look to me like the path is evaluated relative to GUACAMOLE_HOME, but passed to FreeRDP unaltered (and then interpreted by FreeRDP relative to somewhere?).
Comment on lines
+302
to
+308
| /** | ||
| * The authentication package to use based on the underlying FreeRDP support | ||
| * for alternatives to NTML. Currently FreeRDP2 only supports NTLM, while | ||
| * FreeRDP3 introduces support for Kerberos and continues to support NTLM. | ||
| * The default is to negotiate between guacd and the remote server. | ||
| */ | ||
| IDX_AUTH_PKG, |
Contributor
There was a problem hiding this comment.
Should this be part of the security parameter, rather than separate?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the required parameters to configure the FreeRDP library to force Kerberos and configure a couple of the parameters related to that, if required. I have tested the changes against both servers with NTLM still enabled and against one where NTLM is disabled, and it seems to work, but others should feel free to test.
I do need one bit of help with this - I have not added the detection of the Kerberos support to the
configure.acfile, yet, as I'm struggling to figure out how to do that. In my mind, it needs 2-3 checks:FreeRDP_AuthenticationPackageListsetting. This is probably the biggest thing I'm struggling with, as this setting is part of anenumin one of the FreeRDP header files, but I'm having trouble finding any guidance on how to generate an autoconf check for an enum member? Any hints on the best way to do that would be appreciated.buildconfig.hfile, within the constantFREERDP_BUILD_CONFIGthat showsWITH_KRB5=ON, but, again, I'm struggling with how to get autoconf to check for this, or identify a sane method or member to use with one of the other autoconf checks.