
RDP a different way, HTML5 and using Linux!

So for a while I have been trying to create a new lab which I may want to share with others to help out the learning paths of some of my mentees or even people in the community. The biggest hurdle we always hit is, well, licensing… oh and of course security 🙂

My one goal is to have a lab on demand if I or others want to try something, building upon the AutoLabs and Terraform things I have done.

I decided to dedicate a little bit of time to this after seeing some recent great hands-on labs and started to debate if I could do something similar. My other key criterion was to do as much of it open source as possible. Well, after much tweaking and huffing I found a few solid scripts and tweaks to make this work. So a massive shout out to c-nergy.be (I wish I could find the author's name) and Chase Wright (MysticRyuujin) over on GitHub. Their work made this much easier and a simpler blog/installation process.

If you were doing this on a larger scale I would probably put the Guacamole server and NGINX proxy on a separate box, so just follow those bits once you have another server in place if needed. Either way, this is a lab so it's not 'production' ready 😀

The first step is deciding what OS to use for the desktop. I settled on Ubuntu 20.10 (current at the time of writing), the desktop version. There are many other dated guides that show you how to build this from the ground up with the server distribution, but I felt that this just saves me some time. A good example is here

During the setup process I also found the GUI version is just nice and easy to add to your domain, like so

You may well get an error like the one below, and it's nearly always DNS. The best thing is, if possible, to have the DHCP pool in your lab pointing to your Active Directory server. That said, again it's best to set a static IP if you can and ensure DNS is pointing to AD.

That said, you can do this after the install by following this guide here

Once the OS has installed and started up it's best to get SSH installed so we can get to the box and use copy and paste with some of the commands rather than a console window.

sudo apt install openssh-server

Once this is done, SSH to your box with your tool of choice; I just use the built-in SSH client on the Mac but you may want to use PuTTY on Windows.

If you do not know the IP of the box you can use ifconfig or ip a to find it.

Once in, issue your first set of commands below

wget https://www.c-nergy.be/downloads/xrdp-installer-1.2.2.zip

unzip xrdp-installer-1.2.2.zip

chmod +x xrdp-installer-1.2.2.sh

./xrdp-installer-1.2.2.sh

You may want to get a drink as this can take some time to install depending on the speed of your system. Once done, reboot the system.

From here you should now be able to log in with a local account via RDP to check this all works

If you get a black screen this could be down to you not rebooting, or you have logged into the console session, which is a known bug from what I have seen. Also be patient the first time 🙂

If you try to log in with an AD user over RDP now you are going to get this error

You need to edit the following file and change access_provider to simple (note that with the simple provider and no simple_allow_users or simple_allow_groups set, every domain account will be allowed to log in).

sudo nano /etc/sssd/sssd.conf

Once this is done, restart the SSSD service

sudo systemctl restart sssd.service

If you test this with an AD account now you should be able to get in; remember you will need to use the full UPN or you will get an error.

So now we have RDP working, let's get on with the HTML interface

Let's go grab the Guacamole script installer and get this working

wget https://git.io/fxZq5 -O guac-install.sh

chmod +x guac-install.sh

sudo ./guac-install.sh

Follow the on-screen instructions with the options you want, and remember nice secure passwords!

The install can also take some time, so again go grab a break.

Once this is done you need to edit the following file

sudo nano /etc/guacamole/guacamole.properties

In this file you will need the following, but with your own details. The password of the AD bind account does not need to be the same as the MySQL password.

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: SuperSecureP@assw0rd!

# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# LDAP properties (for security reasons, change the ldap-encryption-method to ssl or tls, "none" is only for testing)
ldap-hostname: dc01.yourdomain.tld.com
ldap-port: 389
ldap-user-base-dn: CN=Users,DC=domain,DC=co,DC=uk
ldap-username-attribute: samAccountName
ldap-encryption-method: none
ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=domain,DC=co,DC=uk
ldap-search-bind-password: SuperSecureP@assw0rd!

If you need to work out your LDAP strings, run this command from the AD PowerShell module on a DC

Get-ADUser -Identity guacadmin
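The LDAP section above leaves ldap-encryption-method at none and lets any account in the Users container search and log in. As an added example (not from the post or the installer scripts), here is a hardened version of that section; the hostname, the DNs, the guacbind account and the GuacUsers group are assumed names to replace with your own, and it assumes the DC offers LDAPS on 636 with a certificate that Tomcat's Java trust store accepts.

```properties
# Added, hardened LDAP section for /etc/guacamole/guacamole.properties.
# Example only, not from the post or the installer scripts. Assumed names:
# dc01.yourdomain.tld.com, the DNs below, guacbind and the group GuacUsers.

# LDAPS on 636 instead of plaintext LDAP on 389: the bind password and
# every user's password travel over this channel, so "none" stays in testing.
ldap-hostname: dc01.yourdomain.tld.com
ldap-port: 636
ldap-encryption-method: ssl

# Look users up under the Users container by sAMAccountName
ldap-user-base-dn: CN=Users,DC=domain,DC=co,DC=uk
ldap-username-attribute: sAMAccountName

# Dedicated, read-only bind account (not the Guacamole admin user) with a
# password that differs from the MySQL one.
ldap-search-bind-dn: CN=guacbind,CN=Users,DC=domain,DC=co,DC=uk
ldap-search-bind-password: CHANGE-ME-bind-password

# Only direct members of GuacUsers can log in to Guacamole at all; everyone
# else is rejected at the search step. For nested groups AD needs the
# matching-rule-in-chain form: memberOf:1.2.840.113556.1.4.1941:=<group DN>
ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=GuacUsers,OU=Groups,DC=domain,DC=co,DC=uk))

# Expose AD groups to Guacamole so connections can be granted to a group
# rather than to each user individually.
ldap-group-base-dn: OU=Groups,DC=domain,DC=co,DC=uk
ldap-group-name-attribute: cn
ldap-member-attribute: member
```

After changing the file, restart tomcat9 and guacd as the post does later and confirm the group appears under Settings, Groups before removing the per-user assignments.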

You now need to go and get the latest version of the LDAP auth plugin, then extract the file and copy it to the Guacamole extensions folder

wget https://mirrors.ukfast.co.uk/sites/ftp.apache.org/guacamole/1.3.0/binary/guacamole-auth-ldap-1.3.0.tar.gz

tar xvf guacamole-auth-ldap-1.3.0.tar.gz

cd guacamole-auth-ldap-1.3.0/

sudo cp guacamole-auth-ldap-1.3.0.jar /etc/guacamole/extensions/

ls /etc/guacamole/extensions/

If the file is there then you need to restart the services to make sure this is working

sudo systemctl restart tomcat9 guacd

So now what we need to do is check that this is all working. For me, I am using guacadmin as the AD account too; to verify it's all working go to Settings and then Users, and you should now see all your AD accounts. If you do not see them you have probably logged in with your local account, not the AD account, hence why I use different passwords.

To get to the Guacamole interface head to http://YOURIP:8080/guacamole/#/settings/users

Once you can see all your users we need to set up the first connection so that we can test that all this now works; you can set the connections up by selecting Connections. I first set up a group and then the connection, this way it's easier to assign this to the users. For now, I still need to find a way of mapping this to AD groups.

You will also need variables like the ones below and, if on a separate box, the DNS name or IP of the RDP host. If you do not add the full AD user (UPN), Ubuntu will not single sign this on, forcing your users to re-authenticate. I have to thank Travis Whitney's blog here for pointing me in the right direction, but he is using Windows 🙂

${GUAC_USERNAME}@yourUPN.domain
${GUAC_PASSWORD}

Now we want to assign this to a group for easy additions and updates to users

Once this is done we need to assign this to a user

So close now… so let's test it out 🙂 Log out of guacadmin and try your AD user. Also, the slowness is my lab; still trying to work out what is causing it 🙂

And there you go! Here is Linux RDP running over Chrome

The only major final piece would be if you want to hide this behind a proxy; for this I use NGINX. To install it run the command below.

sudo apt install nginx

Once installed you will need to create the following file with the command below

sudo nano /etc/nginx/conf.d/guacamole.conf

In this file put the following, substituting your domain or the public domain that will be used to access this

server {
    listen 80;
    listen [::]:80;
    server_name guacamole.lab.virtualisedfruit.co.uk;

    access_log /var/log/nginx/guac_access.log;
    error_log /var/log/nginx/guac_error.log;

    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}

Finally, issue the following command to reload the server so it's listening on this

sudo systemctl reload nginx

Of course, if you are opening this up to the web you should probably secure this with SSL, and there is a great guide here to do that with Let's Encrypt under the Enable HTTPS section; Xiao Guoan does this part justice over at https://www.linuxbabe.com/

So what else do I want to try and get sorted?

  1. Maybe automate all of this via a script for use with things like Terraform or templates
  2. Work out how to use AD groups to validate user membership for easy adding of users
  3. Document the black screen issue a little more
  4. Maybe add some nice themes to the login page
  5. Try this out with SSH and Windows machines

I hope you enjoyed this as much as I did writing it after sifting through many blogs and forum posts. I hope it helps someone out there, and please also do pass your kudos on to the people I referenced throughout the post.
