Is this Nethserver module helpful to you?
Please consider donating to the author

Thank you kindly!

2019/03/04 06:06 · HF

Guacamole

Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

  • SSH/VNC/RDP connections
  • LDAP/AD authentication
  • Group permissions
  • MariaDB as database backend
  • Fail2ban for brute-force protection
  • Virtual host

mrmarkuz repo

The mrmarkuz repo must be configured on the server; it is required for installation and for updates.

NethServer-guacamole

Install nethserver-guacamole:

yum install -y --enablerepo=mrmarkuz nethserver-guacamole

Virtual Host

It's possible to access Guacamole over a virtualhost.

config setprop guacd VirtualHost example.com
signal-event nethserver-guacamole-update

Guacamole is then reachable at https://example.com instead of https://YOURNETHSERVER/guacamole.

Usage

Browse to https://YOURNETHSERVER/guacamole and log in with the default administrator account:

Username: guacadmin
Password: guacadmin

Change this default password immediately after the first login: the account has full administrative rights and the credentials are public knowledge.

Nethserver AD

To make NethServer AD work with Guacamole you have two options: disable strong auth on the domain controller, or give the domain controller a valid (Let's Encrypt) certificate.

Disable strong auth

The Samba AD domain controller requires strong authentication by default (ldap server require strong auth = yes), which rejects simple binds over unencrypted LDAP. Disabling it lets Guacamole bind over plain LDAP on port 389, but bind passwords then travel in clear text between Guacamole and the domain controller, so prefer the Let's Encrypt option below where possible.

To change it, edit /var/lib/machines/nsdc/etc/samba/smb.conf and add the following line to the [global] section:

ldap server require strong auth = no

Restart samba (AD):

systemctl -M nsdc restart samba

Then configure Guacamole to use plain LDAP on port 389 without encryption:

config setprop guacd ldapPort 389
config setprop guacd Encryption none
signal-event nethserver-guacamole-update

Letsencrypt cert

To keep strong auth enabled instead, give the Samba AD container a valid certificate: request a Let's Encrypt certificate for the NethServer and copy it into the AD container.

Request a Let's Encrypt certificate for the server.

Copy certificate and key into the Samba container, restrict the key's permissions and restart Samba in the nsdc container. Let's Encrypt certificates are valid for 90 days, so repeat the copy after every renewal:

\cp -f /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
\cp -f /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba

See Jeroen's Samba patch.
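After the restart, check that the domain controller actually presents the copied certificate on LDAPS before pointing Guacamole at it. The following script is an added example for this page, not part of nethserver-guacamole or Samba: it computes the SHA-256 fingerprint of the certificate file on the host and of the copy inside the nsdc container and compares both with what the DC serves on port 636. It uses only the Python standard library. The DC_HOST value is an assumption and must be set to the name or address Guacamole uses for its LDAP server; SAMPLE_PEM is a constructed stand-in that only exercises the PEM parsing and is not a real certificate.

```python
"""Verify that the Samba AD DC in the nsdc container really serves the
certificate that was copied into it.

Added example for this page, not part of nethserver-guacamole. Only the
standard library is used. The file paths are the ones from the copy commands
above; DC_HOST is an assumption and must match the LDAP server name
Guacamole is configured with.
"""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

HOST_CERT = "/etc/pki/tls/certs/localhost.crt"                           # source on the NethServer
NSDC_CERT = "/var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem"  # copy inside nsdc
DC_HOST = "nsdc.example.com"   # assumption: name/address of the AD container
DC_PORT = 636                  # LDAPS

# Constructed stand-in for the self-check below: a PEM wrapper around the six
# bytes 00 01 02 03 04 05. It is not a certificate, only base64 in PEM armour.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAEC\nAwQF\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string.

    Whitespace inside the base64 body is ignored, so a re-wrapped copy of the
    same certificate yields the same DER and therefore the same fingerprint.
    """
    start = pem_text.find(PEM_BEGIN)
    end = pem_text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    body = pem_text[start + len(PEM_BEGIN):end]
    return base64.b64decode("".join(body.split()))


def fingerprint(pem_text):
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_match(pem_a, pem_b):
    """True when both PEM strings carry the same certificate."""
    return fingerprint(pem_a) == fingerprint(pem_b)


def served_certificate(host, port):
    """Fetch the certificate the DC presents on LDAPS, as PEM text.

    Deliberately no chain or hostname validation: the point is to compare
    what is served with what was copied, even when the copy went wrong.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    with open(HOST_CERT) as f:
        host_pem = f.read()
    with open(NSDC_CERT) as f:
        nsdc_pem = f.read()
    print("host file   :", fingerprint(host_pem))
    print("nsdc file   :", fingerprint(nsdc_pem))
    try:
        live_pem = served_certificate(DC_HOST, DC_PORT)
        print("served by DC:", fingerprint(live_pem))
        print("OK" if certs_match(host_pem, live_pem)
              else "MISMATCH: samba in nsdc is not serving the copied cert")
    except (OSError, ssl.SSLError) as exc:
        print("could not fetch certificate from %s:%d: %s" % (DC_HOST, DC_PORT, exc))
```

Run it as root on the NethServer after systemctl -M nsdc restart samba; a MISMATCH means Samba is still serving its old self-signed certificate. Because the served certificate is fetched without validation, the script says nothing about whether Guacamole's LDAP client would accept the chain or the hostname; that remains a separate check.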

User management

Guacamole uses AD/LDAP or its own MariaDB (MySQL) database as user base. Connections and permissions are always stored in the MariaDB database.

So log in as the admin user (default guacadmin), add users there and set their allowed connections and permissions.

LDAP/AD group

It's possible to grant rights to users through a group. This way no passwords have to be stored in Guacamole, and when passwords change in LDAP, users can still log in to Guacamole.

The NethServer admins group is “Domain Admins” in AD; for LDAP use “domain admins”.

Guacamole group permissions

LDAP/AD users

To manage the permissions of AD/LDAP users, create a user in Guacamole with the same name as in LDAP/AD. When you log in as that user you can see all AD/LDAP users and groups and assign specific permissions. Using groups instead of individual users is recommended: no passwords need to be stored in Guacamole and password changes need no follow-up.

Only the user name and the permissions need to be filled in; the password field stays empty, as authentication happens against AD/LDAP.

Guacamole permissions

Fail2Ban

The module now supports Fail2ban integration: an IP is blocked after 3 failed login attempts.

To enable the Fail2Ban jail for Guacamole:

config setprop guacd jailStatus enabled
signal-event nethserver-fail2ban-save

Disable jail:

config setprop guacd jailStatus disabled
signal-event nethserver-fail2ban-save
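The decision the jail makes, written out so the threshold can be checked against log lines before the jail is enabled. This is an added example for this page; it is neither the module's fail2ban filter nor fail2ban itself, only the sliding-window logic a jail applies. The failed-login pattern follows Guacamole's "Authentication attempt from <address> for user "<name>" failed." warning; the lines in SAMPLE_LOG are constructed for this example, not captured from a server, and FINDTIME (the window in which the 3 failures must occur) is an assumption.

```python
"""Fail2ban-style ban decision for Guacamole login failures: ban a source
address after MAXRETRY failures within FINDTIME seconds.

Added example for this page, not the module's jail or filter. SAMPLE_LOG is
constructed; FINDTIME is an assumption.
"""
import re
from collections import defaultdict, deque

MAXRETRY = 3    # failures that trigger a ban (the page: "3 failed login attempts")
FINDTIME = 600  # seconds in which those failures must occur (assumption)

# Guacamole's default log lines start with HH:MM:SS.mmm and carry no date.
# Behind a reverse proxy the address is logged as "[forwarded chain, proxy]";
# the first entry is taken as the client. Assumption: the proxy overwrites
# X-Forwarded-For. If it only appends, a client can put any address there and
# get someone else banned, or never be banned itself.
FAILED_LOGIN = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) .*Authentication attempt from '
    r'\[?(?P<host>[0-9A-Fa-f.:]+)(?:,[^\]]*)?\]? for user "(?P<user>[^"]*)" failed\.$'
)


def seconds_of_day(ts):
    """'10:00:05.000' -> 36005.0 (the log has no date, see above)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class Jail:
    """Sliding-window failure counter, one window per source address."""

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME):
        self.maxretry = maxretry
        self.findtime = findtime
        self.failures = defaultdict(deque)  # host -> timestamps of failures in window
        self.banned = []                    # hosts in the order they were banned

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = FAILED_LOGIN.match(line)
        if m is None:
            return None
        host, now = m.group("host"), seconds_of_day(m.group("ts"))
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= self.maxretry and host not in self.banned:
            self.banned.append(host)
            return host
        return None


def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Run a fresh Jail over a whole log and return the hosts it would ban."""
    jail = Jail(maxretry, findtime)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail.banned


# Constructed sample: 203.0.113.7 fails three times within seconds,
# 198.51.100.9 fails three times but the first attempt is 20 minutes earlier.
SAMPLE_LOG = """\
10:00:01.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
10:00:02.500 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from 192.0.2.10.
10:00:03.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "admin" failed.
10:00:04.000 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9, 127.0.0.1] for user "root" failed.
10:00:05.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "root" failed.
10:20:00.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.9 for user "root" failed.
10:20:01.000 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.9 for user "admin" failed.
"""

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

With the default window only 203.0.113.7 is banned; widening findtime to an hour also bans 198.51.100.9, which shows why the window matters as much as the retry count. Do not enable the jail with a filter that matches the proxy's own address (127.0.0.1 in the bracketed line above): that would ban the reverse proxy and lock everyone out.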

Please raise issues on the NethServer Community.