2019/03/04 12:06 · HF

Guacamole (web remote desktop gateway)

Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

Please see this general demo video

  • SSH/VNC/RDP connections
  • LDAP/AD authentication
  • Group permissions
  • Mariadb as database backend
  • Fail2ban for security
  • Virtualhost

The mrmarkuz repo is required for installation and updates.

Install nethserver-guacamole:

yum install -y --enablerepo=mrmarkuz nethserver-guacamole

It's possible to access Guacamole over a virtualhost.

config setprop guacd VirtualHost example.com
signal-event nethserver-guacamole-update

Guacamole is now reachable at https://example.com instead of https://anotherexample.org/guacamole

Browse to https://YOURNETHSERVER/guacamole and login.

Username: guacadmin
Password: guacadmin

To make NethServer AD work with Guacamole you have 2 options:

Disable strong auth

Samba uses strong auth by default.

To change it, do the following:

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add the following line to the [global] section:

ldap server require strong auth = no

Restart samba (AD):

systemctl -M nsdc restart samba

To set up Guacamole, enter the following on the CLI:

config setprop guacd ldapPort 389
config setprop guacd Encryption none
signal-event nethserver-guacamole-update

Letsencrypt cert

To use a valid cert in the Samba container, we get a Let's Encrypt cert and copy it to the AD container.

Get a Let's Encrypt certificate.

Copy it to the Samba container and restart NSDC Samba:

\cp -f /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
\cp -f /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba

See Jeroen's Samba patch.

User management

Guacamole uses AD/LDAP or its own MySQL database as the user base. Connections and permissions are stored in the MySQL database.

So just add users as the admin user (default guacadmin) and set their allowed connections and permissions.

LDAP/AD group

It's possible to set the rights for a user through a group. This way you don't have to declare passwords in Guacamole, and if passwords change in LDAP, users can still log in to Guacamole.

The NethServer admins group in AD is "Domain Admins"; for LDAP you may use "domain admins".

Guacamole group permissions

LDAP/AD users

To manage AD user permissions you may create a user in Guacamole with the same name as in LDAP/AD. If you log in with that user you can see all AD/LDAP users and groups and set specific permissions. Using groups instead of users is recommended, as you don't need to save passwords or keep up with password changes.

You only need to fill in the user name and permissions.

Guacamole permissions

The module now supports Fail2Ban integration to block IPs after 3 failed login attempts.

To enable the Fail2Ban jail for Guacamole:

config setprop guacd jailStatus enabled
signal-event nethserver-fail2ban-save

Disable jail:

config setprop guacd jailStatus disabled
signal-event nethserver-fail2ban-save
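As an added example (not part of the module or this page), the jail's threshold logic run over constructed log lines of the shape Guacamole writes to the Tomcat log: an IP is blocked once it reaches maxretry failures inside a sliding findtime window. The line format and regex are assumptions to compare against the module's fail2ban filter before relying on them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of the failed-login line in /opt/tomcat8/logs (check the failregex in the module's fail2ban filter).
FAILED_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]*\] WARN\s+\S+ - '
    r'Authentication attempt from \[(?P<ip>[^\]]+)\] for user "[^"]*" failed\.$'
)

def parse_failures(lines):
    """Yield (timestamp, client_ip) for every failed-login line, ignoring all others."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")  # same-day lines assumed
        # Behind a reverse proxy the bracket may hold "client, proxy"; the first entry is the client.
        ip = m.group("ip").split(",")[0].strip()
        yield ts, ip

def ips_to_ban(lines, maxretry=3, findtime=600):
    """Return the IPs that reached `maxretry` failures within a sliding window of
    `findtime` seconds, which is how the fail2ban jail decides to block."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        q.append(ts)
        if len(q) >= maxretry:
            banned.add(ip)
    return sorted(banned)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
10:00:01.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "bob" failed.
10:00:05.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "bob" failed.
10:00:08.000 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from [198.51.100.4].
10:00:09.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7] for user "bob" failed.
10:02:00.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.4, 10.0.0.2] for user "alice" failed.
10:30:00.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.4, 10.0.0.2] for user "alice" failed.
10:31:00.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.4, 10.0.0.2] for user "alice" failed.
""".splitlines()

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

Only 203.0.113.7 is blocked: alice's three failures are spread over more than ten minutes, so at most two fall inside one window.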

It's possible to customize the login screen because the guacamole-customize-loginscreen-extension is included.

The content of /var/lib/guacamole/extensions/branding.jar can be easily edited with mc and unzip, or with 7zip on Windows.

  • The login text can be found in /var/lib/guacamole/extensions/branding.jar/login.html
  • The title is the app name in /var/lib/guacamole/extensions/branding.jar/translations/en.json

After changes to the file you need to execute:

signal-event nethserver-guacamole-update

One can login with username or username@serverdomain.tld.

The username attribute can now be set in the config database. In this example only full name logins are allowed.

AD:

config setprop guacd usernameAttribute displayname

LDAP:

config setprop guacd usernameAttribute gecos

To remove the attribute and go back to default:

config setprop guacd usernameAttribute ''

Apply the changes:

signal-event nethserver-guacamole-update

See the Guacamole manual for debug logging.

The logs are in /var/log/messages and in /opt/tomcat8/logs.

If you experience RDP connection issues to Windows 7 clients, you may need to disable glyph caching; see https://community.nethserver.org/t/enabling-ip-mac-binding-gives-error/8834/4?u=mrmarkuz

Please raise issues on the NethServer Community.

* Install Guacamole 1.1.0 with ldap and fail2ban via cockpit - Great tutorial including screenshots

  • guacamole.txt
  • Last modified: 2023/02/17 07:42
  • by HF