Guacamole Setup Question - LDAP

**NethServer Version: NethServer 7.8.2003
**Module:Guacamole (

Hello @mrmarkuz,

I’ve installed Guacamole on a second Nethserver (Nethserver2) that is not my domain Nethserver. My domain Nethserver. But I’ve connected my Nethserver2 to my Domain Nethserver.

My Guacamole is working well with my reverse proxy (HAProxy) and I can access Guacamole using our office cert.

I would like to have my Guacamole Server use my domain users from my Domain Nethserver. I see in your wiki page - you mention two options to make Nethserver AD work with Guacamole.

Option #1 - Disable strong Auth. I don’t want to disable or reduce the strength of our AD in Samba.

What is Option #2? I can’t see where the second option is available to provide connection to my Domain Nethserver? Can you provide direction or advice for me on how I can connect my Nethserver2 with Guacamole installed to my Domain Nethserver?

Thank you.

Option 2 uses a letsencrypt cert for the AD because guacamole needs a valid cert to connect by SSL but it should work with any valid cert.
In your case you may upload your office cert to the AD DC Neth and copy it to the samba container as described here.

1 Like

Hello @mrmarkuz and thank you for this reply.

We have a wildcard cert we use for our domain (company). I’ve installed this successfully in our Domain Nethserver. But we don’t use our Nethserver Domain server for SSL. I’ve installed HAproxy on a separate server using the same wildcard ssl certificate. I route all my applications (including ones hosted on Nethserver) through my HAproxy server successfully and I’ve done the same routing for this new Guacamole server.

So knowing the above…how would you recommend I get my Guacamole Server (running on my Nethserver2) connected to my Domain Nethserver when I use HAproxy? Do I still through the steps you linked and copy my wildcard cert to the samba container? And where is the Samba container…on my Domain Nethserver? Or do I need to copy my wildcard cert to my Guacamole Server?

Based on my setup (using two Nethserver’s) I’m unsure where to copy my wildcard ssl certficate files and how I do this when I’m using HAproxy?

Thank you.

I assume your haproxy does not cover the AD cert on port 636 so you need to copy the wildcard cert to the samba container.

The samba container is on your AD Domain Nethserver so you need to copy your wildcard cert to the samba DC container.
You can use a letsencrypt cert too, it just needs to be valid.
Copy your cert to /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem and /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem and restart the samba DC as described in the wiki. Maybe backup both .pem files before to be on the safe side if something goes wrong.


So the SSL cert I added to my Domain Nethserver using the GUI is not good enough for the SAMBA DC container?

Perhaps I can add to my HAproxy server to be able to cover 636 as well? Will that allow my Nethserver2 to connect to my Domain Nethserver without the need to add my pem and key files to the Samba DC container on my Domain Nethserver?


Or maybe I don’t need to use my HAproxy at all? My Nethserver2 running Guacamole is connected to my Nethserver Domain server already using these instructions:

So my Nethsever2 is already connected to my Nethserver Domain server. So what will it take to allow my Guacamole Server to be allowed to use domain users to login to it?

One more edit here. :slight_smile: Is there a reason why adding a certificate to the Nethserver GUI does not copy this same cert to the /var/lib/machines/nsdc/var/lib/samba/private/tls/ location? Not sure if you can answer this or if this is a question for @support_team.

Secondly…If I need to add my office cert to my Nethserver Domain Server to this location: /var/lib/machines/nsdc/var/lib/samba/private/tls/, what certs do I copy there? I have 3 that I’ve used, .pem, key and bundle. Please confirm which I need:

  1. 3 separate files, main cert, private key, ca cert
  2. all 3 files embedded into one
  3. main cert+private key into one, and ca cert separate.



Hi Charles

A Windows type connnection, even when using samba, doesn’t need / use SSL certificates…
(Regarding your NS2…).

Guacamole needs valid ssl from your AD for authentification, it does not use the existing NS2 connection to AD.

And at the moment, your Samba-AD does not have a valid SSL…

My 2 cents

1 Like

Thank you Andy for stepping into help. Are you aware of a reason why uploading my office ssl cert to the Nethserver GUI on my Nethserver Domain Server does not copy this cert to the Samba-AD directory for SSL (/var/lib/machines/nsdc/var/lib/samba/private/tls/)?

Thank you.


Probably the same reason why you don’t have to deal with SSL certs on a Windows AD Server: It’s just not needed for normal use cases!

If an AD needs a SSL, self generated certs are used, but that’s not enough for third party apps, like Guacamole (or others).

If using LetsEncrypt, you’ld need to copy the certs as a “hook” by the letsencrypt update script, as it needs to change every three months…

My 2 cents

1 Like

Hi @Andy_Wismer,

We own our own wildcard cert which I’ve installed on my HAproxy server. I can copy these ssl files to my Nethserver Domain sever to this location - /var/lib/machines/nsdc/var/lib/samba/private/tls/.

But do you know what files I need to put into this location on my Nethserver Domain Server?


To be honest, I have absolutely no idea what files belong there.
So i took the liberty of checking my home NethServer, which has an AD, but still “virgin” according to NethServer.

[root@awr7-nethserver ~]# ls  /var/lib/machines/nsdc/var/lib/samba/private/tls/
ca.pem  cert.pem  key.pem
[root@awr7-nethserver ~]# 

I’d say, it’s sufficient replacing the files there with the ssl certs you intend to use.
You don’t need to replace the CA, as the certs are from a certified ssl-provider.

As Markus said above:

My 2 cents

1 Like