Guacamole with Jetty and MySQL auth in a Jail

dublea

Dabbler
Joined
May 27, 2015
Messages
33
Is there a more modern guide of this for 11.1 U6 or 11.2 Beta / RC?

We have docker (kinda) available to us now, as well as iocage jails and full VMs

I have a Guac stack running with Docker. Here is my resource guide I wrote. I plan on updating it in a couple months as there are some major changes I did with mounting the shares, Plex updatability, Nextcloud, and more. But the Guac stack has not changed. It is all currently working with 11.1-U6.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
I have a Guac stack running with Docker. Here is my resource guide I wrote. I plan on updating it in a couple months as there are some major changes I did with mounting the shares, Plex updatability, Nextcloud, and more. But the Guac stack has not changed. It is all currently working with 11.1-U6.


Can I confirm you did this on FreeNAS 11.2x RancherOS Docker, to boot?
 

dublea

Dabbler
Joined
May 27, 2015
Messages
33
Can I confirm you did this on FreeNAS 11.2x RancherOS Docker, to boot?

As stated, 11.1-U6. 11.2 is still not released and is currently RC1. I'll probably update the guide with the new UI in mind when I upgrade.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
As stated, 11.1-U6. 11.2 is still not released and is currently RC1. I'll probably update the guide with the new UI in mind when I upgrade.
Thanks for your help.

I've followed the guide and have several suggestions (surprisingly, very little to do with 11.2) - I also am confused - can I use google auth, or duo only?
Are you ok with me giving some suggestions, I have several of them, as this took me quite a while to do.
 

dublea

Dabbler
Joined
May 27, 2015
Messages
33
Thanks for your help.

I've followed the guide and have several suggestions (surprisingly, very little to do with 11.2) - I also am confused - can I use google auth, or duo only?
Are you ok with me giving some suggestions, I have several of them, as this took me quite a while to do.

I mean, I won't say no, lmao! You can post it here, through the discussion for the Resource, or PM me.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
I mean, I won't say no, lmao! You can post it here, through the discussion for the Resource, or PM me.
Sorry, I've been meaning to but I've been so busy.

One question before I do a quick write up, you mention google authenticator, but I didn't see that part? Can we use google auth (Authy) rather than the Duo app?
 

dublea

Dabbler
Joined
May 27, 2015
Messages
33
... you mention google authenticator, but I didn't see that part? Can we use google auth (Authy) rather than the Duo app?

Apache Guacamole supports Duo two-factor authentication. I'm using the Duo Free subscription in my environment with a mix of some Google 2FA.

Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:
Guacamole supports Duo as a second authentication factor, layered on top of any other authentication extension, including those available from the main project website.

While someone could build a Google 2FA, Guacamole currently only supports Duo.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:


While someone could build a Google 2FA, Guacamole currently only supports Duo.

That's fine, I appreciate it, at least I know.
I'll send some notes next week. I'm so busy lately, thanks though.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
Sorry for the confusion but my intention in the statement was that I am primarily using Duo 2FA with some other hosted items using Google 2FA. Unfortunately, Nextcloud & Cisco Meraki do not support Duo 2FA or I would use it as I prefer the push option.

Per the Apache Guacamole Manual:


While someone could build a Google 2FA, Guacamole currently only supports Duo.


Aaand here I am again, still without the guide changes suggestions.
However :(
My guac server is 'dead' - I've rebooted both the rancher VM and the entire FreeNAS machine.
I know it's guacamole, since _ALL_ my connections don't work, both SSH to my FreeNAS machine and RDP to 2 different workstations.

I can get into the guacamole UI without an issue, the 2 factor for duo is working fine.
I can add / edit connections.
I've even SSH / dockerered into the bash shell for the main guacamole docker to confirm it can ping the machine I'd like to access.
I would (ASSUME) the sqlDB is working, if the UI is coming up and my connections are 'editable'
I haven't added a firewall and I know SSH / RDP to my destination boxes is fine, via 'normal' methods


Any ideas what this might be? Seems odd it would just die, I thought dockers were kinda reliable as heck due to their design?
(Also, it was working, I have connection history for 2 of them)


Where do I start diagnosing this, without just outright following the entire guide again? Love to know why it happened so I can prevent in future. :)

Code:
"An internal error has occurred within the Guacamole server, and the connection has been terminated. If the problem persists, please notify your system administrator, or check your system logs."
 

dublea

Dabbler
Joined
May 27, 2015
Messages
33

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
I still haven't provided you with the information I wanted either, so sorry.

I got it working on my new system.

Let me just say, the biggest stumping point for me, initially, was the fact that adding a SIDEKICK container, means NOT clicking create, but scrolling back to the top and clicking the plus to attach it to the container you're working on.

Secondly, there's another point where the doco says "fire up sudo nano" and nano isn't installed, so stick consistent with VI in the docs maybe?
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
I was looking around for the installation how to for Guac on FreeNAS jail but was unable to find one so I decided to write down the steps I took during the installation and post it here.

from http://guac-dev.org/:



Create new jail with default settings
Login to the jail Shell by clicking on shell icon in Jail section in FreeNAS gui or by doing jexec # csh from FreeNAS shell where # is the jail id that you can check by doing jls

(for all the ports below when asked leave default settings)
Code:
portsnap fetch extract
cd /usr/ports/graphics/cairo
make install clean
cd /usr/ports/net/libvncserver
make install clean
cd /usr/ports/misc/ossp-uuid
make install clean
cd /usr/ports/x11-toolkits/pango
make install clean
cd /usr/ports/security/libssh2
make install clean
cd /usr/ports/java/openjdk7
make install clean
cd /usr/ports/www/jetty
make install clean
cd /usr/ports/databases/mysql56-server
make install clean


OR if you don't want to stare at the screen for an hour you can do: (it will still take some time but will not require your interaction until it finishes)
Code:
portsnap fetch extract && cd /usr/ports/graphics/cairo && make -DBATCH install clean && cd /usr/ports/net/libvncserver && make -DBATCH install clean && cd /usr/ports/misc/ossp-uuid && make -DBATCH install clean && cd /usr/ports/x11-toolkits/pango && make -DBATCH install clean && cd /usr/ports/security/libssh2 && make -DBATCH install clean && cd /usr/ports/java/openjdk7 && make -DBATCH install clean && cd /usr/ports/www/jetty && make -DBATCH install clean && cd /usr/ports/databases/mysql56-server && make -DBATCH install clean


Thanks to Deviant0ne for this next part. Go ahead and give him a like or something on the post below.

Install older version of FreeRDP to make RDP work:
Code:
mkdir ~/old_freerdp
svn co -r 387082 svn://svn.freebsd.org/ports/head/net/freerdp ~/old_freerdp
cd ~/old_freerdp && make install clean BATCH=yes


Download Guacamole server source, Guacamole web app, Guacamole jdbc auth modules and MySQL connector for JAVA
Code:
cd ~
fetch http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.8.tar.gz
fetch http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.8.war
fetch http://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-0.9.8.tar.gz
fetch http://cdn.mysql.com/Downloads/Connector-J/mysql-connector-java-5.1.36.tar.gz


Extract what needs to be extracted
Code:
tar -zxvf guacamole-server-0.9.8.tar.gz
tar -zxvf guacamole-auth-jdbc-0.9.8.tar.gz
tar -zxvf mysql-connector-java-5.1.36.tar.gz


Configure, compile and install Guacamole Server
Code:
cd ~/guacamole-server-0.9.8
./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" --with-init-dir=/etc/rc.d
make install


Edit ~/.cshrc (I recommend ee) and add this under the other setenv lines and save the file
Code:
setenv GUACAMOLE_HOME /usr/local/jetty/.guacamole


Create some directories and move some files
Code:
mkdir /usr/local/jetty/.guacamole /usr/local/jetty/.guacamole/extensions /usr/local/jetty/.guacamole/lib
mv ~/mysql-connector-java-5.1.36/*.jar /usr/local/jetty/.guacamole/lib/
mv ~/guacamole-auth-jdbc-0.9.8/mysql/*.jar /usr/local/jetty/.guacamole/extensions/
mv ~/guacamole-*.war /usr/local/jetty/webapps/guacamole.war


Start MySQL server
Code:
service mysql-server onestart


Set the database up
Code:
mysqladmin -u root password 'YOUR_NEW_ROOT_PASS_FOR_MYSQL'

mysql -u root -p
create database GUACAMOLE_DB_NAME;
create user 'GUACAMOLE_USERNAME'@'localhost' identified by 'GUACAMOLE_USER_PASS';
grant select,insert,update,delete on GUACAMOLE_DB_NAME.* to 'GUACAMOLE_USERNAME'@'localhost';
flush privileges;
quit

cd ~/guacamole-auth-jdbc-0.9.8/mysql/schema
cat ./*.sql | mysql -u root -p GUACAMOLE_DB_NAME


Edit /usr/local/jetty/.guacamole/guacamole.properties (again I recommend ee). The file will be empty (it does not exist yet); type this in and save:
Code:
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: GUACAMOLE_DB_NAME
mysql-username: GUACAMOLE_USERNAME
mysql-password: GUACAMOLE_USER_PASS


Start Jetty and Guacd
Code:
service jetty onestart
service guacd start


Now you should see the Jetty start page at http://your_jail_ip:8080 and the Guacamole login page at: http://your_jail_ip:8080/guacamole/

Default admin login and pass to Guacamole is guacadmin/guacadmin

If everything is working ok you can make Guacamole start automatically with your jail by doing this:

Edit /etc/rc.conf type this in at the end of file and save:
Code:
mysql_enable="YES"
jetty_enable="YES"
guacd_enable="YES"



Edit /etc/rc.d/guacd and after:
Code:
try-restart)
status && restart
;;

add this and save:
Code:
quietstart)
start
;;

Restart your jail and verify that everything is working.
I thought I might try your tutorial and sadly it breaks at this command

"
svn co -r 387082 svn://svn.freebsd.org/ports/head/net/freerdp ~/old_freerdp"

I don't have svn installed.
It was worth a shot though :(
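
An added example, not part of the original posts: a small Python audit of the guacamole.properties file that the quoted guide creates, flagging guide placeholders left unchanged and file modes that expose the clear-text database password. The sample file contents and the function names are constructed for illustration, and Python 3 in the jail is assumed.

```python
import os
import re
import tempfile

# Placeholder strings the guide prints literally; in a live file they were never changed.
PLACEHOLDERS = {"GUACAMOLE_DB_NAME", "GUACAMOLE_USERNAME", "GUACAMOLE_USER_PASS"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
LINE = re.compile(r"^\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$")

def parse_properties(text):
    """Return {key: value} for 'key: value' or 'key=value' lines; comments are skipped."""
    return {m.group(1): m.group(2) for m in map(LINE.match, text.splitlines()) if m}

def audit(path):
    """Return a list of findings for the guacamole.properties file at path."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if "mysql-password" in props and mode & 0o007:
        findings.append(f"mode {mode:04o}: every local user can reach the DB password")
    for key in ("mysql-database", "mysql-username", "mysql-password"):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        elif value in PLACEHOLDERS:
            findings.append(f"{key}: still the guide's placeholder")
    host = props.get("mysql-hostname")
    if host and host not in LOOPBACK:
        findings.append(f"mysql-hostname {host}: DB traffic leaves the jail, check it is encrypted")
    return findings

def demo():
    """Audit a constructed sample at two file modes; returns (loose, tight) findings."""
    sample = ("# MySQL properties\nmysql-hostname: localhost\nmysql-port: 3306\n"
              "mysql-database: guacamole_db\nmysql-username: guacamole_user\n"
              "mysql-password: GUACAMOLE_USER_PASS\n")  # constructed, not a real config
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "guacamole.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit(path)
        os.chmod(path, 0o600)
        return loose, audit(path)

if __name__ == "__main__":
    print(demo())
```

On a real install, call `audit("/usr/local/jetty/.guacamole/guacamole.properties")`; an empty list means none of these checks fired.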
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,374
So version 1.0 is released, I think with Google Authenticator support (!!!)

Anyone got this up and running in a jail?
 

palakmar

Dabbler
Joined
Jun 21, 2019
Messages
10
Has anyone been able to get this working on 11.3? I would like to install it but having issues installing older freerdp
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Of course. And it can easily be installed as a ready to use package with all dependencies.
  • create standard jail with VNET
  • make sure networking works and you can SSH and su/sudo
  • pkg install guacamole-client
  • pkg install guacamole-server
  • sysrc guacd_enable="YES"
  • sysrc tomcat9_enable="YES"
Works like a charm since about a year ago or so when I first discovered it. I suggest starting with plain text user authentication (in the user-mapping.xml file) and switching to MySQL after that is successful.

HTH,
Patrick
 

Deviant0ne

Dabbler
Joined
Sep 21, 2015
Messages
20
Has anyone been able to get this working on 11.3? I would like to install it but having issues installing older freerdp


I moved away from FreeNAS in favor of vanilla FreeBSD - FreeNAS has been nothing but a huge disappointment since v10.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
I moved away from FreeNAS in favor of vanilla FreeBSD - FreeNAS has been nothing but a huge disappointment since v10.
In which way is a jail on FreeNAS different from vanilla FreeBSD for you? Really interested ...
I've been doing FreeBSD system administration, development, and advocacy since 1994 ... FreeNAS gives me all of FreeBSD and then some goodies. If it fits the job, it's perfect ;)

Kind regards,
Patrick
 

markymark832

Dabbler
Joined
Feb 28, 2017
Messages
36
Of course. And it can easily be installed as a ready to use package with all dependencies.
  • create standard jail with VNET
  • make sure networking works and you can SSH and su/sudo
  • pkg install guacamole-client
  • pkg install guacamole-server
  • sysrc guacd_enable="YES"
  • sysrc tomcat9_enable="YES"
Works like a charm since about a year ago or so when I first discovered it. I suggest starting with plain text user authentication (in the user-mapping.xml file) and switching to MySQL after that is successful.

HTH,
Patrick
I have got this running in a FreeNAS 11.3 jail, but for whatever reason I can only see SSH connections. RDP and VNC aren't available. I'm wondering if it's due to the fact that it may be missing some dependencies? For VNC and RDP, Patrick, does yours work for these connection methods?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Did you try a static configuration first? That's what I did. Then I switched to MySQL after everything worked. I cannot remember that I installed anything special; the guacamole package simply pulled in all the necessary dependencies.

The docs for static configuration can be found here:

For reference, my guacamole config is rather unspectacular:
Code:
# guacd.conf
[daemon]

[server]
bind_host = localhost
bind_port = 4822

# guacamole.properties
guacd-hostname: localhost
guacd-port:     4822

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole
mysql-username: guacamole
mysql-password: *********
mysql-user-required: true


Plus you need to manually put guacamole-auth-jdbc-mysql-1.0.0.jar into /usr/local/etc/guacamole-client/extensions.

HTH,
Patrick
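
An added example, not from the thread or the Guacamole project: a Python check that sends the first step of the Guacamole protocol handshake (`select`) to guacd on the bind_host and bind_port shown above, to tell "guacd is not reachable" apart from "guacd is up but does not offer this protocol". The function names and the reading of a closed connection as a missing protocol plugin are assumptions.

```python
import socket

def encode(*elements):
    """One Guacamole instruction: LENGTH.VALUE elements joined by ',' and closed by ';'."""
    return ",".join(f"{len(e)}.{e}" for e in elements) + ";"

def decode(data):
    """Parse the first complete instruction in data; ValueError if malformed or truncated."""
    elements, pos = [], 0
    while True:
        dot = data.index(".", pos)          # ValueError when no length prefix is present
        prefix = data[pos:dot]
        if not prefix.isdigit():
            raise ValueError("bad length prefix")
        end = dot + 1 + int(prefix)         # length counts characters, not bytes
        if end >= len(data):
            raise ValueError("truncated instruction")
        elements.append(data[dot + 1:end])
        if data[end] == ";":
            return elements
        if data[end] != ",":
            raise ValueError("bad element terminator")
        pos = end + 1

def probe(protocol, host="localhost", port=4822, timeout=3.0):
    """Ask guacd for `protocol`; returns 'ok', 'rejected' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"                # nothing listening: guacd is down or bound elsewhere
    with sock:
        buf = b""
        try:
            sock.sendall(encode("select", protocol).encode("utf-8"))
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    return "rejected"       # closed without offering the protocol's parameters
                buf += chunk
                try:
                    opcode = decode(buf.decode("utf-8"))[0]
                except ValueError:
                    continue                # instruction not complete yet, keep reading
                return "ok" if opcode == "args" else "rejected"
        except OSError:
            return "rejected"               # timed out or reset after connecting

if __name__ == "__main__":
    for proto in ("ssh", "rdp", "vnc"):
        print(proto, probe(proto))
```

Run it inside the jail, since guacd is bound to localhost; "unreachable" for every protocol points at the daemon or its bind settings rather than at the web application.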
 