Howto install guacamole

A module is ready to be tested!

Guacamole is a remote desktop gateway. rpmfusion repo is used as epel seems to have no web client :unamused:
I decided to make a howto out of this thread. Thanks to all contributors.

Features:

  • service integration
  • installation script used - thanks to @jackyes
  • reverse proxy to have it on standard https port and using NS certificate - thanks to @greavette
  • script for importing NS cert to java keystore if one doesn't want to use reverse proxy - thanks to @ftimmers
  • openjdk 1.7 instead of 1.8 for having same java version as webtop
  • LDAP/AD - thanks to @sharpec
  • Fix Uploads/Downloads - thanks to @dz00te

Todos:

  • import cert to java keystore or use letsencrypt cert in samba container to make AD work

Please try Guacamole, I think it's a nice tool. Corrections, suggestions for default settings and improvements are always welcome.

Installation

# service
mkdir -p /etc/e-smith/db/configuration/defaults/guacd
echo "service" > /etc/e-smith/db/configuration/defaults/guacd/type
echo "enabled" > /etc/e-smith/db/configuration/defaults/guacd/status
config set guacd service status enabled
signal-event runlevel-adjust

# reverse proxy
cat << EOF > /etc/httpd/conf.d/guacamole.conf
SSLProxyEngine on
ProxyPass /guacamole http://localhost:8080/guacamole
ProxyPassReverse /guacamole http://localhost:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>
EOF
systemctl restart httpd

# installation
yum -y install nethserver-mysql java-1.7.0-devel
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
cat ~/.my.cnf
./guacamole-install-script.sh

Database config

Scroll up to copy your mariadb root password from the output of "cat ~/.my.cnf" and just copy/paste it:

 Enter the root password for MariaDB: YOURMARIADBPW
 Enter the Guacamole DB name: guacamole
 Enter the Guacamole DB username: guacamole
 Enter the Guacamole DB password: guacamole
 Enter the Java KeyStore password (least 6 characters): guacamole
 Do you wish to Install the Proxy feature (Nginx)?: no

Certificate

Then you are asked to complete the Java keystore wizard (when you are using reverse proxy, this certificate is not used):

What is your first and last name?
  [Unknown]:  Markus
What is the name of your organizational unit?
  [Unknown]:  Users
What is the name of your organization?
  [Unknown]:  NethServer
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Markus, OU=Users, O=NethServer, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

LDAP (optional)

wget https://netix.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-ldap-0.9.13-incubating.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.13-incubating.tar.gz
cp guacamole-auth-ldap-0.9.13-incubating/guacamole-auth-ldap-0.9.13-incubating.jar /var/lib/guacamole/extensions/
systemctl restart tomcat
systemctl restart guacd

Add the following to /etc/guacamole/guacamole.properties for LDAP:

# LDAP properties
ldap-hostname: localhost
ldap-port: 389
ldap-encryption-method:none
ldap-user-base-dn: dc=directory,dc=nh
ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
ldap-search-bind-password: ****

Login

Browse to https://YOURNETHSERVER/guacamole/ and login with username guacadmin and password guacadmin.

16 Likes

Good step towards a module, I'd like to involve @Adam @edi @wbilger @ghost @Ctek @Hunv @FMFREAK @Enzo @FixitFelix @MagicFab as well.
Please help us to test the howto :slight_smile:

3 Likes

Good stuff. I can't test this for now (or justify spending much time on it) as I already have a separate instance running in production in Debian.
I am interested in authenticating against LDAP or AD in Nethserver, keep in mind those are two completely different setups. If I understand this correctly CIFS/Samba file shares implementation requires setting up AD, and using LDAP only in Nethserver would prevent having such setup.

1 Like

Excellent how to! Very clear instructions and they worked perfectly. I must really praise @mrmarkuz for your guide as it is the easiest set of instructions that I've read yet to install guacamole. Excellent job!

1 Like

it works perfectly, really a great job!
Thanks @mrmarkuz

1 Like

@mrmarkuz if you want to add LDAP config, I have tried this

edit /etc/guacamole/guacamole.properties

#Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

ldap-hostname: AD.YOURDOMAIN.IT
ldap-port:389
ldap-encryption-method:none
ldap-user-base-dn: CN=Users,DC=YOURDOMAIN,DC=IT
ldap-search-bind-dn: ldapservice@YOURDOMAIN.IT
ldap-search-bind-password: YOURPASSWORD
ldap-username-attribute: name

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole
mysql-username: guacamole
mysql-password: guacamole

copy ldap jar in /var/lib/guacamole/extensions/

wget https://netix.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-ldap-0.9.13-incubating.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.13-incubating.tar.gz
# the jar sits inside the directory created by tar
cp guacamole-auth-ldap-0.9.13-incubating/guacamole-auth-ldap-0.9.13-incubating.jar /var/lib/guacamole/extensions/

restart service

systemctl restart tomcat
systemctl restart guacd

with guacadmin login add only username of your LDAP user and set access permission.

obviously check, never trust!

5 Likes

@mrmarkuz

I'd love to test this, but as I'm moving in less than 2 weeks, that will have to wait.
Moving is always a pita (Pain in the A…), but has to be done.

Great Work again!

Andy

1 Like

Thanks @sharpec, great work :clap:, I added it to the howto. LDAP works like a charm.
AD only worked when setting ldap server require strong auth = no in the smb.conf of the AD container.
I couldn't make AD work with SSL, I tried to import the NS cert to java keystore with keytool but I am afraid a self-signed cert is not working. I assume it works with a letsencrypt cert…

1 Like

great work @sharpec thank you (and of course to @mrmarkuz) :clap:
just tested with an external 2012R2 AD (the ns7 is not joined to AD)
i had to adapt a little bit the config file:

# LDAP properties
ldap-hostname: ad.yourdomain.demo
# some problems with port 389 and AD on 2012R2
ldap-port: 3268
ldap-user-base-dn: CN=Users,DC=yourdomain,DC=demo
#ldap-encryption-method:none #disable encryption
ldap-user-base-dn: dc=yourdomain,dc=demo
ldap-search-bind-dn: cn=ldapservice,CN=Users,dc=yourdomain,dc=demo
ldap-search-bind-password: yourpassword
ldap-username-attribute:   sAMAccountName
3 Likes
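
A check for the `guacamole.properties` snippets posted above, as an added example that is not part of the original posts or of Guacamole itself: it reads simple one-line entries the way `java.util.Properties` does and flags unencrypted LDAP, the default passwords from the howto, duplicate keys and port values that are not numbers. The function names and the sample file are constructed for illustration.

```python
import re

# Passwords the howto above uses verbatim; treated as known-weak by this check.
DEFAULT_SECRETS = {"guacamole", "guacadmin"}

def parse_properties(text):
    """Return (props, duplicate_keys) for simple one-line entries, following
    java.util.Properties: '#' or '!' is a comment only at the start of a line,
    so 'ldap-port: 3268 #note' keeps the note inside the value."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue  # line without a key
        key, value = m.groups()
        if key in props:
            dups.append(key)
        props[key] = value  # the later line wins, as in Java
    return props, dups

def audit(text):
    """Return a list of (key, finding) tuples for a guacamole.properties body."""
    props, dups = parse_properties(text)
    findings = [(k, "defined more than once; only the last value is used") for k in dups]
    for key, value in props.items():
        if key.endswith("-port") and not value.isdigit():
            findings.append((key, f"not a number: {value!r} (inline comment?)"))
        if key.endswith("-password") and value in DEFAULT_SECRETS:
            findings.append((key, "password is a default from the howto"))
    if "ldap-hostname" in props and props.get("ldap-encryption-method", "none") == "none":
        findings.append(("ldap-encryption-method",
                         "LDAP binds are sent unencrypted; use ssl or starttls"))
    return findings

# Constructed sample assembled from the snippets posted in this thread.
SAMPLE = """\
ldap-hostname: ad.yourdomain.demo
ldap-port: 3268 #some problems with port 389 and AD on 2012R2
ldap-user-base-dn: CN=Users,DC=yourdomain,DC=demo
#ldap-encryption-method:none
ldap-user-base-dn: dc=yourdomain,dc=demo
ldap-search-bind-password: yourpassword
mysql-port: 3306
mysql-password: guacamole
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

To check a real installation, pass the contents of /etc/guacamole/guacamole.properties to `audit()`.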

@mrmarkuz

Hi
Finally got down to installing Guacamole on NethServer - and it works really great!

Where do I find the NS container to do this:

Great work!

Andy

1 Like

Hi

Great work!

A small bug it seems: Inside the Web-GUI, guacadmin can't change his own password, even if set in the Users section of the config.

Changing the password using PHPMyAdmin works.
However, that needs a second user with the correct password, as MySQL only saves the salt and the hash, but not the password itself…
That password hash and salt can be copied to guacadmin, that will work.

Thx

Andy

1 Like
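
An alternative to copying another user's salt and hash, as an added example that is not part of the original post: it computes the salted SHA-256 value in the form the Guacamole manual documents for the MySQL authentication tables, checks whether a stored pair still matches the default `guacadmin` password, and builds the `UPDATE` for a new one. It assumes the `guacamole_user` table with `username`, `password_salt` and `password_hash` columns of the 0.9.x schema; the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def guac_password_hash(password: str, salt: bytes) -> bytes:
    """SHA-256 of the password followed by the salt written as uppercase hex."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()

def still_default(salt_hex: str, hash_hex: str, default: str = "guacadmin") -> bool:
    """True if the stored salt/hash pair (as printed by SELECT HEX(...))
    still corresponds to the default password from the howto."""
    expected = guac_password_hash(default, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, bytes.fromhex(hash_hex))

def reset_sql(username: str, new_password: str, salt: bytes = None) -> str:
    """Build the UPDATE that installs a new password with a fresh 32-byte salt.
    Binary columns are written as hex literals, so no password text reaches SQL."""
    if not username.isalnum():
        raise ValueError("unexpected characters in username")
    salt = salt or os.urandom(32)
    digest = guac_password_hash(new_password, salt)
    return (
        "UPDATE guacamole_user "
        f"SET password_salt = X'{salt.hex()}', password_hash = X'{digest.hex()}' "
        f"WHERE username = '{username}';"
    )

if __name__ == "__main__":
    # Constructed stand-in for a row read with:
    #   SELECT HEX(password_salt), HEX(password_hash)
    #   FROM guacamole_user WHERE username = 'guacadmin';
    salt = os.urandom(32)
    row = (salt.hex().upper(), guac_password_hash("guacadmin", salt).hex().upper())
    print("default password still set:", still_default(*row))
    print(reset_sql("guacadmin", "replace-with-a-long-passphrase"))
```

The printed statement can be pasted into the `mysql` client after selecting the guacamole database.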

some more test… i had problem in upload/download file from ssh backend server
following manual https://guacamole.apache.org/doc/gug/proxying-guacamole.html#proxying-with-apache
if someone has the same problem, at the end this config seems to work for me

SSLProxyEngine on
ProxyPass /guacamole http://localhost:8080/guacamole  flushpackets=on
ProxyPassReverse /guacamole http://localhost:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
</Location>

honestly, i'm not sure if i have changed something else, working on it now and then :frowning:
as soon as i have time i'll try with a new install

1 Like

A first draft nethserver-guacamole package is ready to be tested! Don't use in production!

Local LDAP works, AD makes problems with self-signed certificates so we may import a valid letsencrypt cert to the samba container as described here
Be patient at installation, guacamole is compiled in the background…

5 Likes

As an aside, if you use DNS validation for the Let's Encrypt certificates, you don't need to have a public A/CNAME record for your hostname. I've posted some other information here on implementing DNS validation:

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

This way, you could get a cert for ad.yourdomain.tld (or whatever), without having that domain resolve, on the public Internet, to your domain controller. Since I moved my DNS hosting to Cloudflare, I've used the technique I posted in the wiki for most of my internal resources. But now that I've put acme-dns onto my Neth box (as described in the first link), I think I'm going to move that way, so I don't need to have as many copies of my Cloudflare API key floating around.

1 Like

That's a HUGE news! Thanks this is awesome

2 Likes

Will be in core for 7.5

4 Likes

I am trying to get guacamole to work on my machine but get the following message when trying to access the app.
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

I searched the log files from log viewer and attaching everything I could find then searched for the word Guacamole.

https://vmakol.com/nextcloud/index.php/s/oPmqxWaa4LYetyo

Thanks in advance for your help!

Did you setup guacamole manually from the howto or did you install the module?

It seems like the guacamole db user credentials are wrong:

### Error querying database. Cause: java.sql.SQLException: Access denied for user 'guacamole'@'localhost' (using password: YES)

I installed the module. Is there any way to uninstall and redo it?

Yes, you may remove module, src and database and install it again:

yum remove nethserver-guacamole
rm -Rf /usr/local/src/guacamole/
mysql
drop database guacamole;
quit;
yum install nethserver-guacamole