Option #1 - Disable strong Auth. I don’t want to disable or reduce the strength of our AD in Samba.
What is Option #2? I can’t see where the second option is available to provide connection to my Domain Nethserver? Can you provide direction or advice for me on how I can connect my Nethserver2 with Guacamole installed to my Domain Nethserver?
Option 2 uses a letsencrypt cert for the AD because guacamole needs a valid cert to connect by SSL but it should work with any valid cert.
In your case you may upload your office cert to the AD DC Neth and copy it to the samba container as described here.
We have a wildcard cert we use for our domain (company). I’ve installed this successfully in our Domain Nethserver. But we don’t use our Nethserver Domain server for SSL. I’ve installed HAproxy on a separate server using the same wildcard ssl certificate. I route all my applications (including ones hosted on Nethserver) through my HAproxy server successfully and I’ve done the same routing for this new Guacamole server.
So knowing the above…how would you recommend I get my Guacamole Server (running on my Nethserver2) connected to my Domain Nethserver when I use HAproxy? Do I still go through the steps you linked and copy my wildcard cert to the samba container? And where is the Samba container…on my Domain Nethserver? Or do I need to copy my wildcard cert to my Guacamole Server?
Based on my setup (using two Nethservers) I’m unsure where to copy my wildcard ssl certificate files and how I do this when I’m using HAproxy?
I assume your haproxy does not cover the AD cert on port 636 so you need to copy the wildcard cert to the samba container.
The samba container is on your AD Domain Nethserver so you need to copy your wildcard cert to the samba DC container.
You can use a letsencrypt cert too, it just needs to be valid.
Copy your cert to /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem and /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem and restart the samba DC as described in the wiki. Maybe back up both .pem files before to be on the safe side if something goes wrong.
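The copy-and-back-up step from the reply above, as an added example that is not part of the original thread: it checks that the certificate and key belong together and that the certificate has not expired before anything is overwritten, keeps timestamped backups, and installs the key with owner-only permissions. The function names, the source file names and the host name in the usage comment are assumptions; the files are assumed to be PEM-encoded and the key unencrypted.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Run as root on the AD (domain) NethServer.
# TLS_DIR is the path quoted in the post above; source file names are assumed.
TLS_DIR="${TLS_DIR:-/var/lib/machines/nsdc/var/lib/samba/private/tls}"

# True only when the certificate and the (unencrypted) key share a public key.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Validate, back up the current files, then install the new pair.
install_dc_cert() {
    local cert="$1" key="$2" stamp f
    cert_matches_key "$cert" "$key" ||
        { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in cert.pem key.pem; do
        if [ -f "$TLS_DIR/$f" ]; then
            cp -p "$TLS_DIR/$f" "$TLS_DIR/$f.bak-$stamp" || return 1
        fi
    done
    install -m 0644 "$cert" "$TLS_DIR/cert.pem" || return 1
    # Keep the private key readable by its owner only.
    install -m 0600 "$key" "$TLS_DIR/key.pem"
}

# After restarting the Samba DC (see the wiki), show what port 636 now serves.
served_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate
}

# Usage (file names and host name are placeholders):
#   install_dc_cert wildcard.crt wildcard.key
#   served_cert ad.example.org
```

If `install_dc_cert` reports a mismatch, nothing under the tls directory has been changed, so the DC keeps serving its current certificate.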
So the SSL cert I added to my Domain Nethserver using the GUI is not good enough for the SAMBA DC container?
Perhaps I can add to my HAproxy server to be able to cover 636 as well? Will that allow my Nethserver2 to connect to my Domain Nethserver without the need to add my pem and key files to the Samba DC container on my Domain Nethserver?
So my Nethserver2 is already connected to my Nethserver Domain server. So what will it take to allow my Guacamole Server to be allowed to use domain users to login to it?
One more edit here. Is there a reason why adding a certificate to the Nethserver GUI does not copy this same cert to the /var/lib/machines/nsdc/var/lib/samba/private/tls/ location? Not sure if you can answer this or if this is a question for @support_team.
Secondly…If I need to add my office cert to my Nethserver Domain Server to this location: /var/lib/machines/nsdc/var/lib/samba/private/tls/, what certs do I copy there? I have 3 that I’ve used, .pem, key and bundle. Please confirm which I need:
3 separate files, main cert, private key, ca cert
all 3 files embedded into one
main cert+private key into one, and ca cert separate.
Thank you Andy for stepping into help. Are you aware of a reason why uploading my office ssl cert to the Nethserver GUI on my Nethserver Domain Server does not copy this cert to the Samba-AD directory for SSL (/var/lib/machines/nsdc/var/lib/samba/private/tls/)?