Connection failed by guacamole linux server

Hi everyone, I have an Ubuntu 18 Linux server joined to the NethServer 7 AD domain.
On this server Ubuntu is running Guacamole server.
My problem is that I can't log in to Guacamole with users from the AD domain on the NethServer machine.
I read the Guacamole guide on LDAP and AD, so I downloaded the guacamole-auth-ldap-1.1.0.tar.gz module.
Looking at the tomcat9 logs on the Ubuntu server, at first it reported that the connection to the neth7 LDAP server required an encryption method, so I modified guacamole.properties accordingly.
I created an OU "guaca", a guacadmin user and password in Active Directory. Examining tomcat9's logs, it indicates that it cannot find a valid certificate. My server configuration is this:

NetBIOS domain name: INTERNAL2
LDAP server: 192.168.3.78
LDAP server name: nsdc-neth7.ad.internal2.lan
Realm: AD.INTERNAL2.LAN
Bind Path: dc=AD,dc=INTERNAL2,dc=LAN
LDAP port: 389

Join is OK
name: NETH7
objectSid: S-1-5-21-696643729-1815316619-2414607104-1104
accountExpires: 9223372036854775807
sAMAccountName: NETH7$
pwdLastSet: 131657823169929120
dNSHostName: neth7.internal2.lan
servicePrincipalName: HOST/NETH7
servicePrincipalName: HOST/neth7.internal2.lan
servicePrincipalName: smtp/neth7
servicePrincipalName: smtp/neth7.internal2.lan
servicePrincipalName: pop/neth7
servicePrincipalName: pop/neth7.internal2.lan
servicePrincipalName: imap/neth7
servicePrincipalName: imap/neth7.internal2.lan
whenChanged: 20200522033919.0Z
lastLogon: 132346974911189110
distinguishedName: CN=NETH7,CN=Computers,DC=ad,DC=internal2,DC=lan
IP: 192.168.3.83

I use the NethServer with the private address 192.168.3.83 on br0 and Let's Encrypt as the default certificate.

The errors reported are these:
May 23 10:41:19 ubuntu18 tomcat9[22431]: javax.net.ssl.SSLHandshakeException: SSL handshake failed.
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:536) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
May 23 10:41:19 ubuntu18 tomcat9[22431]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
The guacamole.properties file:

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: password
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: nsdc-neth7.ad.internal2.lan
ldap-port: 389
ldap-username-attribute: sAMAccountName
ldap-encryption-method: starttls
ldap-user-base-dn: OU=guaca,DC=ad,DC=internal2,DC=lan
ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=ad,DC=internal2,DC=lan
ldap-search-bind-password: password
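The "SSL handshake failed" trace above is the Java LDAP client rejecting the certificate the domain controller presents after StartTLS on port 389: either the issuing CA is not in the JVM's trust store or the certificate does not carry the hostname configured in ldap-hostname. The script below is an added example, not part of this thread or of Guacamole; it reproduces that check with nothing but the Python standard library, sending the StartTLS extended request and then letting the ssl module verify chain and hostname exactly as a client would. The host and port are the ones posted above; CAFILE is an assumption (None means the system CA bundle, a path points it at a private CA such as the one Samba generated for the DC).

```python
"""StartTLS certificate check for an AD/LDAP server (added example, not from
the thread).  Standard library only: it speaks just enough LDAP (BER) to send
the StartTLS extended request, then hands the socket to the ssl module, which
performs the same chain and hostname checks a Java client does before
Guacamole can bind.  DEFAULT_HOST/DEFAULT_PORT come from the thread; CAFILE is
an assumption and should point at the CA that issued the DC's certificate."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"       # RFC 4511 StartTLS extended operation
DEFAULT_HOST = "nsdc-neth7.ad.internal2.lan"  # from the thread
DEFAULT_PORT = 389
CAFILE = None   # assumption: None = system CA bundle; set a path for a private CA


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] {
    requestName [0] OCTET STRING } }.  messageID is encoded as a single byte,
    so keep msg_id below 128."""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name   # 0x60 | 23
    message_id = b"\x02\x01" + bytes([msg_id])
    body = message_id + ext_req
    return b"\x30" + ber_len(len(body)) + body


def _tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result_code(data: bytes) -> int:
    """Return the resultCode of an ExtendedResponse [APPLICATION 24]; 0 = success."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = _tlv(msg, 0)              # skip messageID
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % op_tag)
    code_tag, code, _ = _tlv(op, 0)       # LDAPResult.resultCode ENUMERATED
    if code_tag != 0x0A:
        raise ValueError("expected ENUMERATED resultCode")
    return int.from_bytes(code, "big")


def check_starttls_certificate(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                               cafile: Optional[str] = CAFILE,
                               timeout: float = 5.0) -> dict:
    """Connect in the clear, upgrade with StartTLS, and verify the certificate.
    Raises ssl.SSLCertVerificationError when the chain or hostname does not
    check out (the condition behind the 'SSL handshake failed' trace); returns
    subject, issuer, DNS SANs and expiry when it does."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname match
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        resp = sock.recv(4096)            # a StartTLS response fits in one read
        code = parse_ldap_result_code(resp)
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "notAfter": cert.get("notAfter"),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    try:
        print(check_starttls_certificate(target))
    except ssl.SSLCertVerificationError as err:
        print("certificate NOT trusted:", err.verify_message)
```

Run it as `python3 check_starttls.py nsdc-neth7.ad.internal2.lan` (file name is your choice). If it prints "certificate NOT trusted", the fix on the Guacamole side is to import the issuing CA into the JVM's trust store (the cacerts file of the JRE tomcat9 runs under, via keytool) or to use a certificate from a CA the JVM already trusts, which is the Let's Encrypt route the wiki describes; if it passes with the system bundle but Guacamole still fails, the JVM trust store is the one that differs. The equivalent one-liner with OpenSSL 1.1.1 or later is `openssl s_client -starttls ldap -connect nsdc-neth7.ad.internal2.lan:389 -CAfile ca.pem`. Note what the other option in the wiki changes: with "ldap server require strong auth = no" Samba accepts simple binds on port 389 without TLS, so if the starttls line is also dropped from guacamole.properties, every user's password crosses the network in the clear at each Guacamole login.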

You may use letsencrypt or disable strong auth:

https://wiki.nethserver.org/doku.php?id=guacamole#nethserver_ad


Hello and thanks. At the moment I have tried "ldap server require strong auth = no" but I get an error: tomcat9[4549]: 19:01:23.128 [http-nio-8080-exec-2] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "CN=guaca,CN=Users,DC=ad,DC=internal2,DC=lan"
I will try the other way soon.

Hi, I think I solved it: I deleted the OU, and in the binding I inserted CN=Users in the base DN.
I modified "ldap server require strong auth = no" as per your instructions and I can log in on the Ubuntu Guacamole server with user credentials. I also entered the same base DNs on pfSense and it works. I am keeping everything under monitoring to check that it works properly. Your indication was important. Thanks so much!
