Guacamole Setup Question - LDAP

**NethServer Version:** NethServer 7.8.2003
**Module:** Guacamole (https://mrmarkuz.dynu.net/mirror/devtest/nethserver-guacamole-0.0.1-1.ns7.noarch.rpm)

Hello @mrmarkuz,

I’ve installed Guacamole on a second Nethserver (Nethserver2) that is not my domain Nethserver, but I’ve connected my Nethserver2 to my domain Nethserver.

My Guacamole is working well with my reverse proxy (HAProxy) and I can access Guacamole using our office cert.

I would like to have my Guacamole Server use my domain users from my Domain Nethserver. I see in your wiki page - https://wiki.nethserver.org/doku.php?id=guacamole you mention two options to make Nethserver AD work with Guacamole.

Option #1 - Disable strong Auth. I don’t want to disable or reduce the strength of our AD in Samba.

What is Option #2? I can’t see where the second option is available to provide connection to my Domain Nethserver? Can you provide direction or advice for me on how I can connect my Nethserver2 with Guacamole installed to my Domain Nethserver?

Thank you.

Option 2 uses a letsencrypt cert for the AD because guacamole needs a valid cert to connect by SSL but it should work with any valid cert.
In your case you may upload your office cert to the AD DC Neth and copy it to the samba container as described here.

1 Like

Hello @mrmarkuz and thank you for this reply.

We have a wildcard cert we use for our domain (company). I’ve installed this successfully in our Domain Nethserver. But we don’t use our Nethserver Domain server for SSL. I’ve installed HAproxy on a separate server using the same wildcard ssl certificate. I route all my applications (including ones hosted on Nethserver) through my HAproxy server successfully and I’ve done the same routing for this new Guacamole server.

So knowing the above…how would you recommend I get my Guacamole Server (running on my Nethserver2) connected to my Domain Nethserver when I use HAproxy? Do I still go through the steps you linked and copy my wildcard cert to the samba container? And where is the Samba container…on my Domain Nethserver? Or do I need to copy my wildcard cert to my Guacamole Server?

Based on my setup (using two Nethservers) I’m unsure where to copy my wildcard ssl certificate files and how I do this when I’m using HAproxy?

Thank you.

I assume your haproxy does not cover the AD cert on port 636 so you need to copy the wildcard cert to the samba container.

The samba container is on your AD Domain Nethserver so you need to copy your wildcard cert to the samba DC container.
You can use a letsencrypt cert too, it just needs to be valid.
Copy your cert to /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem and /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem and restart the samba DC as described in the wiki. Maybe backup both .pem files before to be on the safe side if something goes wrong.

2 Likes

So the SSL cert I added to my Domain Nethserver using the GUI is not good enough for the SAMBA DC container?

Perhaps I can add to my HAproxy server to be able to cover 636 as well? Will that allow my Nethserver2 to connect to my Domain Nethserver without the need to add my pem and key files to the Samba DC container on my Domain Nethserver?

Thanks.

Or maybe I don’t need to use my HAproxy at all? My Nethserver2 running Guacamole is connected to my Nethserver Domain server already using these instructions:

https://docs.nethserver.org/en/v7/accounts.html?highlight=domain#join-an-existing-active-directory-domain

So my Nethserver2 is already connected to my Nethserver Domain server. So what will it take to allow my Guacamole Server to be allowed to use domain users to login to it?

One more edit here. 🙂 Is there a reason why adding a certificate to the Nethserver GUI does not copy this same cert to the /var/lib/machines/nsdc/var/lib/samba/private/tls/ location? Not sure if you can answer this or if this is a question for @support_team.

Secondly…If I need to add my office cert to my Nethserver Domain Server to this location: /var/lib/machines/nsdc/var/lib/samba/private/tls/, what certs do I copy there? I have 3 that I’ve used, .pem, key and bundle. Please confirm which I need:

  1. 3 separate files: main cert, private key, CA cert; or
  2. all 3 embedded into one file; or
  3. main cert + private key in one file, and CA cert separate.

Thanks.

@greavette

Hi Charles

A Windows type connection, even when using samba, doesn’t need / use SSL certificates…
(Regarding your NS2…).

Guacamole needs valid ssl from your AD for authentication, it does not use the existing NS2 connection to AD.

And at the moment, your Samba-AD does not have a valid SSL…

My 2 cents
Andy

1 Like

Thank you Andy for stepping in to help. Are you aware of a reason why uploading my office ssl cert to the Nethserver GUI on my Nethserver Domain Server does not copy this cert to the Samba-AD directory for SSL (/var/lib/machines/nsdc/var/lib/samba/private/tls/)?

Thank you.

@greavette

Probably the same reason why you don’t have to deal with SSL certs on a Windows AD Server: It’s just not needed for normal use cases!

If an AD needs a SSL, self generated certs are used, but that’s not enough for third party apps, like Guacamole (or others).

If using LetsEncrypt, you’d need to copy the certs as a “hook” by the letsencrypt update script, as it needs to change every three months…

My 2 cents
Andy

1 Like

Hi @Andy_Wismer,

We own our own wildcard cert which I’ve installed on my HAproxy server. I can copy these ssl files to my Nethserver Domain sever to this location - /var/lib/machines/nsdc/var/lib/samba/private/tls/.

But do you know what files I need to put into this location on my Nethserver Domain Server?

@greavette

To be honest, I have absolutely no idea what files belong there.
So I took the liberty of checking my home NethServer, which has an AD, but still “virgin” according to NethServer.

```
[root@awr7-nethserver ~]# ls  /var/lib/machines/nsdc/var/lib/samba/private/tls/
ca.pem  cert.pem  key.pem
[root@awr7-nethserver ~]#
```

I’d say it’s sufficient to replace the files there with the ssl certs you intend to use.
You don’t need to replace the CA, as the certs are from a certified ssl-provider.

As Markus said above:

My 2 cents
Andy

1 Like
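To make the procedure from this thread concrete (Markus: back up, copy cert.pem and key.pem into the DC container's tls directory, restart the DC; Andy: re-copy after every Let's Encrypt renewal via a hook; the `ls` above showing which files live there), here is an added shell script. It is an example written for this thread, not code from NethServer, the wiki or the Guacamole module. It uses the tls path quoted in the thread and assumes two things the thread does not confirm: that the DC container restarts with `systemctl restart nsdc`, and that NethServer's Let's Encrypt client is certbot, which runs deploy hooks with `RENEWED_LINEAGE` set. The cert argument may be the leaf alone or leaf plus intermediate bundle; ca.pem is left alone, as Andy suggests.

```shell
#!/bin/sh
# Added example for this thread; not NethServer, Guacamole or wiki code.
# Installs a cert/key pair into the Samba DC container's TLS directory with
# a timestamped backup, then restarts the DC so LDAPS (636) serves the new
# cert. Lines marked ASSUMPTION are not confirmed by the thread.
set -eu

# Path named in the thread; override it for a dry run against another directory.
SAMBA_TLS_DIR="${SAMBA_TLS_DIR:-/var/lib/machines/nsdc/var/lib/samba/private/tls}"
# ASSUMPTION: on NethServer 7 the DC container is the 'nsdc' systemd unit.
RESTART_CMD="${RESTART_CMD:-systemctl restart nsdc}"

# pem_has <file> <marker>: refuse to touch the DC with files that are not PEM.
pem_has() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# keypair_matches <cert> <key>: the public key inside the cert must equal the
# one derived from the private key. Skipped (not failed) when openssl is absent.
keypair_matches() {
    command -v openssl >/dev/null 2>&1 || return 0
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# install_samba_tls <cert.pem> <key.pem>
# cert.pem may be the leaf alone or leaf + intermediate bundle. Prints the
# backup directory so the previous pair can be restored if LDAPS breaks.
install_samba_tls() {
    cert="$1"; key="$2"
    pem_has "$cert" CERTIFICATE    || { echo "not a PEM certificate: $cert" >&2; return 1; }
    pem_has "$key" "PRIVATE KEY"   || { echo "not a PEM private key: $key" >&2; return 1; }
    keypair_matches "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    [ -d "$SAMBA_TLS_DIR" ]        || { echo "missing directory: $SAMBA_TLS_DIR" >&2; return 1; }

    backup="$SAMBA_TLS_DIR/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in cert.pem key.pem ca.pem; do   # ca.pem stays in place, copied only for rollback
        if [ -f "$SAMBA_TLS_DIR/$f" ]; then cp -p "$SAMBA_TLS_DIR/$f" "$backup/"; fi
    done

    cp "$cert" "$SAMBA_TLS_DIR/cert.pem"
    cp "$key"  "$SAMBA_TLS_DIR/key.pem"
    chmod 0644 "$SAMBA_TLS_DIR/cert.pem"
    chmod 0600 "$SAMBA_TLS_DIR/key.pem"   # private key readable by root only
    echo "$backup"
}

# restart_samba_dc: the wiki's restart step; the command is the ASSUMPTION above.
restart_samba_dc() {
    sh -c "$RESTART_CMD"
}

# letsencrypt_deploy_hook: re-installs the pair after each renewal so the DC
# cert does not go stale. ASSUMPTION: NethServer's Let's Encrypt client is
# certbot, which exports RENEWED_LINEAGE to its deploy hooks.
letsencrypt_deploy_hook() {
    lineage="${RENEWED_LINEAGE:?run by certbot as a deploy hook}"
    install_samba_tls "$lineage/fullchain.pem" "$lineage/privkey.pem" >/dev/null
    restart_samba_dc
}

# Usage: install_samba_dc_cert.sh /path/to/cert.pem /path/to/key.pem
if [ "$#" -ge 2 ]; then
    install_samba_tls "$1" "$2"
    restart_samba_dc
fi
```

After the restart, check from the Guacamole host that LDAPS now presents the new chain, for example with `openssl s_client -connect <dc-fqdn>:636 -showcerts`: the subject should be your wildcard cert and the verification result should be OK, which is the "valid cert" Guacamole needs. If it is not, restore the two files from the printed backup directory and restart the DC again.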