# Guacamole (web remote desktop gateway)

## Maintainer

mrmarkuz | dev@markusneuberger.at | https://www.markusneuberger.at

> Is this NethServer module helpful to you? Please consider donating to the author. Thank you kindly! (2019/03/04 12:06 · HF)

## Description

Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. Please see this general demo video.

## Features

* SSH/VNC/RDP connections
* LDAP/AD authentication
* Group permissions
* MariaDB as database backend
* Fail2ban for security
* Virtualhost

## Installation

### mrmarkuz repo

The mrmarkuz repo is required for installation and updates.

### NethServer-guacamole

Install nethserver-guacamole:

```
yum install -y --enablerepo=mrmarkuz nethserver-guacamole
```

### Virtual Host

It's possible to access Guacamole over a virtualhost:

```
config setprop guacd VirtualHost example.com
signal-event nethserver-guacamole-update
```

Guacamole is now reachable at https://example.com instead of https://anotherexample.org/guacamole.

## Usage

Browse to https://YOURNETHSERVER/guacamole and login.

Username: guacadmin
Password: guacadmin

## Nethserver AD

To make Nethserver AD work with Guacamole you have two options:

### Disable strong auth

Samba uses strong auth by default.
To change it, edit /var/lib/machines/nsdc/etc/samba/smb.conf and add the following line to the [global] section:

```
ldap server require strong auth = no
```

Restart samba (AD):

```
systemctl -M nsdc restart samba
```

To set up Guacamole, enter the following on the CLI:

```
config setprop guacd ldapPort 389
config setprop guacd Encryption none
signal-event nethserver-guacamole-update
```

With these settings the LDAP bind from Guacamole to the domain controller runs over plain LDAP on port 389 without TLS, so the second option is preferable wherever a valid certificate can be obtained.

### Letsencrypt cert

To use a valid cert in the Samba container we get a Letsencrypt cert and copy it to the AD container.

1. Get a Letsencrypt certificate.
2. Copy it to the samba container and restart NSDC samba:

```
\cp -f /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
\cp -f /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba
```

See Jeroen's Samba Patch.

## User management

Guacamole uses AD/LDAP or its own MySQL database as user base. Connections and permissions are stored in the MySQL database. So just add users as the admin user (default guacadmin) and set their allowed connections and permissions.

### LDAP/AD group

It's possible to set the rights for a user through a group. This way you don't have to declare passwords, and if passwords change in LDAP, users can still login to Guacamole. The Neth Admins group in AD is “Domain Admins”; for LDAP you may use “domain admins”.

### LDAP/AD users

For managing AD users' permissions you may create a user in Guacamole with the same name as in LDAP/AD. If you login with that user you can see all AD/LDAP users/groups and set specific permissions. Using groups instead of users is recommended, as you don't need to save passwords or respect password changes. You only need to fill in the user name and permissions.

## Fail2Ban

The module now supports Fail2Ban integration to block IPs after 3 failed login attempts.
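The counting rule behind that jail, as an added example that is not part of the module: a POSIX shell/awk function that tallies failed Guacamole logins per client IP and reports every address at or above the 3-attempt threshold. The sample log lines are constructed for this example; their shape follows Guacamole's "Authentication attempt from [IP] for user "x" failed." message, which is what the Fail2Ban filter keys on. Function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not the NethServer module's code): flag client IPs with
# repeated failed Guacamole logins, the same condition the Fail2Ban jail bans on.

# write_sample_log FILE: write constructed sample lines in Guacamole's log shape.
write_sample_log() {
    cat > "$1" <<'EOF'
10:01:02.100 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.5] for user "guacadmin" failed.
10:01:04.300 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.5] for user "admin" failed.
10:01:05.900 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from [198.51.100.7].
10:01:07.200 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.7] for user "alice" failed.
10:01:09.400 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.5, 192.0.2.10] for user "root" failed.
EOF
}

# count_failed_logins LOGFILE THRESHOLD
# Prints "IP COUNT" for every client IP with at least THRESHOLD failures.
# Behind a reverse proxy the bracket holds "client, proxy", so only the first
# address is counted, matching the <HOST> capture of the Fail2Ban filter.
# Successful logins (no "failed." suffix) are ignored.
count_failed_logins() {
    awk -v thr="$2" '
        /Authentication attempt from \[/ && /\] for user "[^"]*" failed\./ {
            s = $0
            sub(/.*Authentication attempt from \[/, "", s)   # drop everything before the IP
            sub(/[],].*/, "", s)                             # cut at "]" or "," (proxy list)
            n[s]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1"
}

# Usage: build the constructed log and report offenders at the page's threshold of 3.
LOG=$(mktemp)
write_sample_log "$LOG"
count_failed_logins "$LOG" 3
rm -f "$LOG"
```

Running it prints only 203.0.113.5 (three failures, one of them through a proxy), while 198.51.100.7 stays below the threshold; lowering the threshold to 1 lists both, which is the knob Fail2Ban's `maxretry` turns.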
To enable the Fail2Ban jail for Guacamole:

```
config setprop guacd jailStatus enabled
signal-event nethserver-fail2ban-save
```

Disable the jail:

```
config setprop guacd jailStatus disabled
signal-event nethserver-fail2ban-save
```

## Branding

It's possible to customize the login screen because the guacamole-customize-loginscreen-extension is included. The content of /var/lib/guacamole/extensions/branding.jar can be easily edited with mc, or with unzip or 7zip on Windows.

* The login text can be found in login.html inside /var/lib/guacamole/extensions/branding.jar.
* The title is the app name in translations/en.json inside /var/lib/guacamole/extensions/branding.jar.

After changes to the file you need to execute:

```
signal-event nethserver-guacamole-update
```

## Login username attribute

One can login with username or username@serverdomain.tld. The username attribute can now be set in the config database. In this example only full-name logins are allowed.

AD:

```
config setprop guacd usernameAttribute displayname
```

LDAP:

```
config setprop guacd usernameAttribute gecos
```

To remove the attribute and go back to the default:

```
config setprop guacd usernameAttribute ''
```

Apply the changes:

```
signal-event nethserver-guacamole-update
```

## Log files

See the Guacamole manual for debug logging. The logs are in /var/log/messages and in /opt/tomcat8/logs.

## Glyph Caching

If you experience RDP connection issues to Windows 7 clients you may need to disable glyph caching, see https://community.nethserver.org/t/enabling-ip-mac-binding-gives-error/8834/4?u=mrmarkuz

## Issues

Please raise issues on the NethServer Community.

## Related documentation

* Install Guacamole 1.1.0 with ldap and fail2ban via cockpit - great tutorial including screenshots

## Links

* Feature thread: https://community.nethserver.org/t/guacamole-package/2030
* Howto thread: https://community.nethserver.org/t/howto-install-guacamole/9047

Tags: module, mrmarkuzrepo

guacamole.txt · Last modified: 2023/02/17 07:42 by HF
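The Letsencrypt cert procedure under "Nethserver AD" above, as an added example that is not the module's own code: a small POSIX shell script that performs the same copy and chmod steps, but only after checking with openssl that the private key actually belongs to the certificate, so a stale or mismatched pair never reaches the domain controller and triggers a Samba restart. The default paths are the ones from this page; the function names and the DEPLOY_RUN guard are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the NethServer module's code): install the Letsencrypt
# cert/key pair into the Samba AD container only when the key matches the cert.

# Source and destination paths as given on this page; override via environment.
SRC_CRT="${SRC_CRT:-/etc/pki/tls/certs/localhost.crt}"
SRC_KEY="${SRC_KEY:-/etc/pki/tls/private/localhost.key}"
NSDC_TLS="${NSDC_TLS:-/var/lib/machines/nsdc/var/lib/samba/private/tls}"

# cert_key_match CERT KEY: return 0 when the public key embedded in CERT equals
# the public half of KEY. Comparing the PEM SubjectPublicKeyInfo works for RSA
# and EC keys alike and fails cleanly on unreadable files.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# deploy_cert CERT KEY DESTDIR: refuse to touch DESTDIR on a mismatch; otherwise
# install cert.pem (0644) and key.pem (0600) under the names Samba expects.
deploy_cert() {
    crt="$1"; key="$2"; dest="$3"
    if ! cert_key_match "$crt" "$key"; then
        echo "refusing to deploy: $key does not match $crt" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    cp -f "$crt" "$dest/cert.pem" || return 1
    cp -f "$key" "$dest/key.pem" || return 1
    chmod 644 "$dest/cert.pem" && chmod 600 "$dest/key.pem"
}

# Only act on the real container when explicitly asked (DEPLOY_RUN=1), so the
# file can also be sourced to exercise the functions on throwaway certificates.
if [ "${DEPLOY_RUN:-0}" = "1" ]; then
    deploy_cert "$SRC_CRT" "$SRC_KEY" "$NSDC_TLS" && systemctl -M nsdc restart samba
fi
```

Run it as `DEPLOY_RUN=1 sh deploy-nsdc-cert.sh` after a certificate renewal; because the restart is chained with `&&`, Samba is only restarted when the copy succeeded, and a mismatch leaves the container's existing cert.pem and key.pem untouched.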