Howto install guacamole

howto
v7

(Markus Neuberger) #1

A module is ready to be tested!

Guacamole is a remote desktop gateway. rpmfusion repo is used as epel seems to have no web client :unamused:
I decided to make a howto out of this thread. Thanks to all contributors.

Features:

  • service integration
  • installation script used - thanks to @jackyes
  • reverse proxy to have it on standard https port and using NS certificate - thanks to @greavette
  • script for importing NS cert to java keystore if one doesn’t want to use reverse proxy - thanks to @ftimmers
  • openjdk 1.7 instead of 1.8 for having same java version as webtop
  • LDAP/AD - thanks to @sharpec
  • Fix Uploads/Downloads - thanks to @dz00te

Todos:

  • import cert to java keystore or use letsencrypt cert in samba container to make AD work

Please try Guacamole, I think it’s a nice tool. Corrections, suggestions for default settings and improvements are always welcome.

Installation

# service
mkdir -p /etc/e-smith/db/configuration/defaults/guacd
echo "service" > /etc/e-smith/db/configuration/defaults/guacd/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/guacd/status
config set guacd service status enabled
signal-event runlevel-adjust

# reverse proxy
cat << EOF > /etc/httpd/conf.d/guacamole.conf
SSLProxyEngine on
ProxyPass /guacamole http://localhost:8080/guacamole
ProxyPassReverse /guacamole http://localhost:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>
EOF
systemctl restart httpd

# installation
yum -y install nethserver-mysql java-1.7.0-devel
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
cat ~/.my.cnf
./guacamole-install-script.sh

Database config

Scroll up to copy your mariadb root password from the output of “cat ~/.my.cnf” and just copy/paste it:

 Enter the root password for MariaDB: YOURMARIADBPW
 Enter the Guacamole DB name: guacamole
 Enter the Guacamole DB username: guacamole
 Enter the Guacamole DB password: guacamole
 Enter the Java KeyStore password (least 6 characters): guacamole
 Do you wish to Install the Proxy feature (Nginx)?: no

Certificate

Then you are asked to complete the Java keystore wizard (when you are using reverse proxy, this certificate is not used):

What is your first and last name?
  [Unknown]:  Markus
What is the name of your organizational unit?
  [Unknown]:  Users
What is the name of your organization?
  [Unknown]:  NethServer
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Markus, OU=Users, O=NethServer, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

LDAP (optional)

wget https://netix.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-ldap-0.9.13-incubating.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.13-incubating.tar.gz
cp guacamole-auth-ldap-0.9.13-incubating/guacamole-auth-ldap-0.9.13-incubating.jar /var/lib/guacamole/extensions/
systemctl restart tomcat
systemctl restart guacd

Add the following to /etc/guacamole/guacamole.properties for LDAP:

# LDAP properties
ldap-hostname: localhost
ldap-port: 389
ldap-encryption-method:none
ldap-user-base-dn: dc=directory,dc=nh
ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
ldap-search-bind-password: ****

Login

Browse to https://YOURNETHSERVER/guacamole/ and login with username guacadmin and password guacadmin.


(Alessio Fattorini) #2

Good step towards a module, I’d like to involve @Adam @edi @wbilger @ghost @Ctek @Hunv @FMFREAK @Enzo @FixitFelix @MagicFab as well.
Please help us to test the howto :slight_smile:


(Fabian Rodriguez) #3

Good stuff. I can’t test this for now (or justify spending much time on it) as I already have a separate instance running in production in Debian.
I am interested in authenticating against LDAP or AD in Nethserver, keep in mind those are two completely different setups. If I understand this correctly the CIFS/Samba file shares implementation requires setting up AD, and using LDAP only in Nethserver would prevent having such a setup.


(Dale Cliett) #4

Excellent how to! Very clear instructions and they worked perfectly. I must really praise @mrmarkuz for your guide as it is the easiest set of instructions that I’ve read yet to install guacamole. Excellent job!


(EnzoC) #5

it works perfectly, really a great job!
Thanks @mrmarkuz


(EnzoC) #6

@mrmarkuz if you want to add an LDAP config, I have tried this

edit /etc/guacamole/guacamole.properties

#Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

ldap-hostname: AD.YOURDOMAIN.IT
ldap-port:389
ldap-encryption-method:none
ldap-user-base-dn: CN=Users,DC=YOURDOMAIN,DC=IT
ldap-search-bind-dn: ldapservice@YOURDOMAIN.IT
ldap-search-bind-password: YOURPASSWORD
ldap-username-attribute: name

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole
mysql-username: guacamole
mysql-password: guacamole

copy the LDAP jar into /var/lib/guacamole/extensions/

wget https://netix.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-ldap-0.9.13-incubating.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.13-incubating.tar.gz
# the jar is extracted into a subdirectory of the same name
cp guacamole-auth-ldap-0.9.13-incubating/guacamole-auth-ldap-0.9.13-incubating.jar /var/lib/guacamole/extensions/

restart service

systemctl restart tomcat
systemctl restart guacd

Logged in as guacadmin, add only the username of your LDAP user and set the access permissions.

obviously check, never trust!


(André Wismer) #7

@mrmarkuz

I’d love to test this, but as I’m moving in less than 2 weeks, that will have to wait.
Moving is always a pita (Pain in the A…), but has to be done.

Great Work again!

Andy


(Markus Neuberger) #8

Thanks @sharpec, great work :clap:, I added it to the howto. LDAP works like a charm.
AD only worked when setting ldap server require strong auth = no in the smb.conf of the AD container.
I couldn’t make AD work with SSL, I tried to import the NS cert to java keystore with keytool but I am afraid a self-signed cert is not working. I assume it works with a letsencrypt cert…


#9

great work @sharpec thank you (and of course to @mrmarkuz) :clap:
just tested with an external 2012R2 AD (the ns7 is not joined to AD)
I had to adapt the config file a little bit:

# LDAP properties
ldap-hostname: ad.yourdomain.demo
# some problems with port 389 and AD on 2012R2, so the global catalog port is used
# (a '#' after the value would become part of the value, so the note is on its own line)
ldap-port: 3268
#ldap-encryption-method:none #disable encryption
# narrower alternative, only the Users container:
#ldap-user-base-dn: CN=Users,DC=yourdomain,DC=demo
ldap-user-base-dn: dc=yourdomain,dc=demo
ldap-search-bind-dn: cn=ldapservice,CN=Users,dc=yourdomain,dc=demo
ldap-search-bind-password: yourpassword
ldap-username-attribute:   sAMAccountName
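Two things about guacamole.properties that bite when adapting the fragments in this thread: Java's properties format treats `#` as a comment only at the start of a line, and a key listed twice silently keeps its last value. The following linter is an added example, not from the thread or the Guacamole project; the sample fragment it checks is constructed, with placeholder hostnames and DNs.

```python
"""Lint a guacamole.properties fragment the way java.util.Properties reads it.
Added example for this thread, not part of Guacamole.  Two pitfalls it flags:
  * '#' starts a comment only at the beginning of a line, so a trailing note
    such as 'ldap-port: 3268 #note' makes the port value '3268 #note';
  * a key given twice keeps its last value; the first is silently discarded.
Simplified parser: splits on the first ':' or '=', no escape handling."""
from typing import Dict, List, Tuple

# Constructed sample (hostnames and DNs are placeholders, not a real deployment).
SAMPLE = """\
# LDAP properties
ldap-hostname: ad.example.test
ldap-port: 3268 #some problems with port 389
ldap-user-base-dn: CN=Users,DC=example,DC=test
ldap-user-base-dn: dc=example,dc=test
ldap-search-bind-dn: cn=ldapservice,CN=Users,dc=example,dc=test
ldap-username-attribute:   sAMAccountName
"""

INTEGER_KEYS = {"ldap-port", "guacd-port", "mysql-port"}


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (properties, warnings) for a .properties fragment."""
    props: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or a real comment line
        seps = [i for i in (line.find(":"), line.find("=")) if i >= 0]
        if not seps:
            key, value = line, ""  # java.util.Properties gives such a key ""
        else:
            sep = min(seps)
            key, value = line[:sep].strip(), line[sep + 1:].strip()
        if "#" in value:
            warnings.append(f"line {lineno}: '#' inside the value of {key} is NOT a comment: {value!r}")
        if key in INTEGER_KEYS and not value.isdigit():
            warnings.append(f"line {lineno}: {key} must be an integer, got {value!r}")
        if key in props:
            warnings.append(f"line {lineno}: duplicate key {key}; earlier value {props[key]!r} is discarded")
        props[key] = value
    return props, warnings


if __name__ == "__main__":
    parsed, problems = parse_properties(SAMPLE)
    for problem in problems:
        print("WARN", problem)
```

Run it against your own file with `parse_properties(open("/etc/guacamole/guacamole.properties").read())` before restarting tomcat.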

(André Wismer) #10

@mrmarkuz

Hi
Finally got down to installing Guacamole on NethServer - and it works really great!

Where do I find the NS container to do this:

Great work!

Andy


(André Wismer) #11

Hi

Great work!

A small bug it seems: Inside the Web-GUI, guacadmin can’t change his own password, even if set in the Users section of the config.


Changing the password using PHPMyAdmin works.
However, that needs a second user with the correct password, as MySQL only saves the salt and the hash, but not the password itself…
That password hash and salt can be copied to guacadmin, that will work.

Thx

Andy
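Instead of copying another user's hash and salt over to guacadmin, a fresh pair can be generated and written with one UPDATE. This is an added example, not from the thread or the Guacamole project; the hash scheme (SHA-256 over the password followed by the uppercase hex salt, 32-byte salt) and the 0.9.x `guacamole_user.username` column are assumptions taken from the Guacamole JDBC authentication manual.

```python
"""Reset a Guacamole (JDBC/MySQL auth) user's password straight in MariaDB.
Added example for this thread, not Guacamole's own code.  The hash scheme is
assumed from the Guacamole JDBC auth manual: password_salt is 32 random bytes,
password_hash = SHA-256(password + HEX(salt)) with HEX() in uppercase, as
MySQL's HEX() produces.  Column layout assumed: 0.9.x guacamole_user with a
username column."""
import hashlib
import hmac
import os
from typing import Optional


def make_salt() -> bytes:
    # Same size as UNHEX(SHA2(UUID(), 256)) used in the manual's SQL.
    return os.urandom(32)


def hash_password(password: str, salt: bytes) -> bytes:
    # Uppercase hex of the salt, matching MySQL HEX(); lowercase would not verify.
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # Constant-time comparison, so the check itself does not leak via timing.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def reset_sql(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """SQL UPDATE for an existing row; hash and salt are passed as UNHEX literals."""
    salt = salt or make_salt()
    digest = hash_password(password, salt)
    safe_user = username.replace("'", "''")  # quote-escape the string literal
    return (
        "UPDATE guacamole_user "
        f"SET password_hash = UNHEX('{digest.hex().upper()}'), "
        f"password_salt = UNHEX('{salt.hex().upper()}') "
        f"WHERE username = '{safe_user}';"
    )


if __name__ == "__main__":
    # Paste the printed statement into `mysql guacamole` on the NethServer box.
    print(reset_sql("guacadmin", "replace-the-default-guacadmin-password"))
```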


#12

some more tests... I had a problem uploading/downloading files from an SSH backend server
following the manual https://guacamole.apache.org/doc/gug/proxying-guacamole.html#proxying-with-apache
if someone has the same problem, in the end this config seems to work for me

SSLProxyEngine on
ProxyPass /guacamole http://localhost:8080/guacamole  flushpackets=on
ProxyPassReverse /guacamole http://localhost:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
</Location>

honestly, I’m not sure if I have changed something else, working on it now and then :frowning:
as soon as I have time I’ll try with a new install


(Markus Neuberger) #13

A first draft nethserver-guacamole package is ready to be tested! Don’t use in production!

Local LDAP works, AD makes problems with self-signed certificates so we may import a valid letsencrypt cert to the samba container as described here
Be patient at installation, guacamole is compiled in the background…


(Dan) #14

As an aside, if you use DNS validation for the Let’s Encrypt certificates, you don’t need to have a public A/CNAME record for your hostname. I’ve posted some other information here on implementing DNS validation:


https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

This way, you could get a cert for ad.yourdomain.tld (or whatever), without having that domain resolve, on the public Internet, to your domain controller. Since I moved my DNS hosting to Cloudflare, I’ve used the technique I posted in the wiki for most of my internal resources. But now that I’ve put acme-dns onto my Neth box (as described in the first link), I think I’m going to move that way, so I don’t need to have as many copies of my Cloudflare API key floating around.


(Alessio Fattorini) #15

That’s HUGE news! Thanks, this is awesome


(Davide Principi) #16

Will be in core for 7.5


(Vinit Makol) #17

I am trying to get guacamole to work on my machine but get the following message when trying to access the app.
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

I searched the log files from the log viewer, searched them for the word Guacamole, and am attaching everything I could find.

https://vmakol.com/nextcloud/index.php/s/oPmqxWaa4LYetyo

Thanks in advance for your help!


(Markus Neuberger) #18

Did you setup guacamole manually from the howto or did you install the module?

It seems like the guacamole db user credentials are wrong:

### Error querying database. Cause: java.sql.SQLException: Access denied for user 'guacamole'@'localhost' (using password: YES)


(Vinit Makol) #19

I installed the module. Is there any way to uninstall and redo it?


(Markus Neuberger) #20

Yes, you may remove the module, the src directory and the database and install it again:

yum remove nethserver-guacamole
rm -Rf /usr/local/src/guacamole/
mysql
drop database guacamole;
quit;
yum install nethserver-guacamole