Deploy Apache Guacamole 1.6.x on Debian 12 (Bookworm) (Tomcat9, MariaDB, Guacd)

zhangchen 好物分享

This post summarizes the installation steps to install Guacamole on Debian 12.12. 

 

Download and Install Debian 12.12

https://archive.org/details/debian-12-bookworm-collection
debian-12.12.0-amd64-DVD-1.iso

Note: Debian 13 is having issue with Guacamole when using Remote APP which is caused by new release of freeRDP components on Debian 13. 
The Debian 12's installtion steps are similar as Debian 13, as show from these videos and posts: 
  • https://youtu.be/TxaVKYQGNPY
  • https://youtu.be/9nBqvl5Nwj0
  • https://blog.51sec.org/2025/10/debian-apt-update-error-issue.html

Configure Debian 12

root@debian12:~# cat /etc/issue
Debian GNU/Linux 12 /n /l
root@debian12:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@debian12:~#
root@debian12:~# apt update
Ign:1 cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm InRelease
Err:2 cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm Release
  Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
Reading package lists... Done
E: The repository 'cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@debian12:~# nano /etc/apt/sources.list
  GNU nano 7.2                                                                                     /etc/apt/sources.list
deb cdrom:[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05]/ bookworm contrib main non-free-firmware
The error happens because your /etc/apt/sources.list is pointing only to the installation DVD (deb cdrom:). That line is useful during installation, but once the system is installed, you need to replace it with the official Debian network repositories so apt update can fetch packages online.

1. Change system apt source 

Edit the sources list  

Open the file: 

  • nano /etc/apt/sources.list 


Remove or comment out the CD-ROM line 

Put a # at the beginning of the deb cdrom: line, or delete it: 

  • # deb cdrom:[Debian GNU/Linux 12.12.0 Bookworm ...] 

Add the following six official Debian repositories 

Notes:

main → Free software contrib → Free software that depends on non-free non-free-firmware → Proprietary firmware (needed for Wi-Fi, GPUs, etc.)


Update package lists 

  • apt update –y && apt upgrade -y 

2. Change System IP

Three different solutions to change system Debian's IP address:
Situation Recommended method Key file/command
Desktop / default install NetworkManager nmcli connection modify ...
Minimal server with ifupdown
(without desktop, not installed nmcli)		 /etc/network/interfaces /etc/network/interfaces
Clean server using systemd stack systemd-networkd /etc/systemd/network/*.network
Find interface name
  • ip addr
Edit the interfaces file
  • nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens32
iface ens32 inet static
    address 192.168.2.196/24
    gateway 192.168.2.1
    dns-nameservers 8.8.8.8 8.8.4.4
Restart networking or reboot:
  • sudo systemctl restart networking
  • sudo reboot

Install Guacamole

https://guacamole.apache.org/doc/gug/guacamole-native.html

1. Change system apt source and upgrade system to latest 

Edit the sources list  

Open the file: 

  • nano /etc/apt/sources.list 

Remove or comment out the CD-ROM line 

Put a # at the beginning of the deb cdrom: line, or delete it: 

# deb cdrom:[Debian GNU/Linux 12.12.0 Bookworm ...] 

Add the official Debian repositories 

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware 

deb-src http://deb.debian.org/debian bookworm main contrib non-free-firmware 

deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware 

deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware 

 deb http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware 

deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free-firmware 

 

Update package lists 

  • apt update –y && apt upgrade -y 

  • sudo apt update 

  • sudo apt full-upgrade -y 

  • sudo reboot 

 

Notes: 

Below steps will use official guide as reference: 

https://guacamole.apache.org/doc/gug/guacamole-native.html 

 

2. Install Required Dependencies 

 

sudo apt install -y build-essential libcairo2-dev libjpeg-turbo8-dev / 

    libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev / 

    libavutil-dev libwebsockets-dev freerdp2-dev libpango1.0-dev / 

    libssh2-1-dev libtelnet-dev libvncserver-dev libssl-dev / 

    libvorbis-dev libpulse-dev 

 

sudo apt install -y build-essential libcairo2-dev libjpeg62-turbo-dev / 

    libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev / 

    libavutil-dev libwebsockets-dev freerdp2-dev libpango1.0-dev / 

    libssh2-1-dev libtelnet-dev libvncserver-dev libssl-dev / 

    libvorbis-dev libpulse-dev 

 

sudo apt install -y build-essential libcairo2-dev libjpeg62-turbo-dev / 

    libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev / 

    libavutil-dev libswscale-dev libpango1.0-dev libssh2-1-dev libtelnet-dev / 

    libvncserver-dev libpulse-dev libssl-dev libwebp-dev freerdp2-dev / 

    libfreerdp2-2 ghostscript wget curl 

 

 

3. Install Java and Tomcat 

sudo apt install -y openjdk-11-jdk tomcat9 tomcat9-admin 

root@debian12:~# sudo apt install -y openjdk-11-jdk tomcat9 tomcat9-admin 

Reading package lists... Done 

Building dependency tree... Done 

Reading state information... Done 

Package tomcat9 is not available, but is referred to by another package. 

This may mean that the package is missing, has been obsoleted, or 

is only available from another source 

  

E: Unable to locate package openjdk-11-jdk 

E: Package 'tomcat9' has no installation candidate 

E: Unable to locate package tomcat9-admin 

 

 

Install Tomcat 9 from Debian 11 (Bullseye) repo 

  • sudo nano /etc/apt/sources.list 

  • sudo apt update 

  • sudo apt install -t bullseye tomcat9 tomcat9-admin tomcat9-common 

 

After the installation, comment the bullseye repo out 

  • sudo apt update 

 

 

4. Install MySQL and Set Root Password 

Use MySQL secure installation: 

 

sudo apt install -y mysql-server mysql-client 

root@debian12:~# apt install -y mysql-server mysql-client 

Reading package lists... Done 

Building dependency tree... Done 

Reading state information... Done 

Package mysql-server is not available, but is referred to by another package. 

This may mean that the package is missing, has been obsoleted, or 

is only available from another source 

  

Package mysql-client is not available, but is referred to by another package. 

This may mean that the package is missing, has been obsoleted, or 

is only available from another source 

  

E: Package 'mysql-server' has no installation candidate 

E: Package 'mysql-client' has no installation candidate 

root@debian12:~# 

 

sudo apt install -y mariadb-server  

sudo mysql_secure_installation 

 

During the prompts: 

  • Set the MySQL root password (7x7IsNot48!) 

  • n to unix_socket authentication 

  • n to change the root password 

  • Y to Remove anonymous users 

  • Y to Disallow remote root login 

  • Y to Remove test database 

  • Y to Reload privileges 

 

sudo mysql 

 

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '7x7IsNot48!'; 

ALTER USER 'root'@'localhost' IDENTIFIED BY '7x7IsNot48!'; 

FLUSH PRIVILEGES; 

EXIT; 

 

 

5. Build and Install guacamole-server 

wget https://downloads.apache.org/guacamole/1.6.0/source/guacamole-server-1.6.0.tar.gz 

tar -xvzf guacamole-server-1.6.0.tar.gz 

cd guacamole-server-1.6.0 

./configure --with-init-dir=/etc/init.d 

make 

sudo make install 

sudo ldconfig 

 

 

6. Enable and Start guacd 

sudo systemctl enable guacd 

sudo systemctl start guacd 

sudo systemctl status guacd 

 

 

7. Deploy Guacamole Web App 

wget https://downloads.apache.org/guacamole/1.6.0/binary/guacamole-1.6.0.war 

sudo mv guacamole-1.6.0.war /var/lib/tomcat9/webapps/guacamole.war 

sudo systemctl restart tomcat9 

 

8. Set GUACAMOLE_HOME 

sudo mkdir -p /etc/guacamole/{extensions,lib} 

echo "GUACAMOLE_HOME=/etc/guacamole" | sudo tee -a /etc/default/tomcat9 

sudo systemctl restart tomcat9 

 

9. Install JDBC Authentication 

a. Download JDBC Extension 

wget https://downloads.apache.org/guacamole/1.6.0/binary/guacamole-auth-jdbc-1.6.0.tar.gz 

tar -xvzf guacamole-auth-jdbc-1.6.0.tar.gz 

sudo cp guacamole-auth-jdbc-1.6.0/mysql/guacamole-auth-jdbc-mysql-1.6.0.jar /etc/guacamole/extensions/ 

 

b. Install MySQL Connector/J 

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.0.33.tar.gz 

tar -xvzf mysql-connector-j-8.0.33.tar.gz 

sudo cp mysql-connector-j-8.0.33/mysql-connector-j-8.0.33.jar /etc/guacamole/lib/ 

 

c. Create Database and Guacamole User 

Remember to change 'YourStrongPassword to an actual password. 

 

sudo mysql -u root -p 

Inside MySQL shell: 

CREATE DATABASE guacamole_db; 

CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'YourStrongPassword!'; 

GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost'; 

FLUSH PRIVILEGES; 

EXIT; 

 

d. Import Guacamole Schema 

cat guacamole-auth-jdbc-1.6.0/mysql/schema/*.sql | sudo mysql -u root -p guacamole_db 

  • Use mysql root password to complete this step 

 

10. Configure guacamole.properties 

sudo nano /etc/guacamole/guacamole.properties 

It is empty file , please add: 

mysql-hostname: localhost 

mysql-port: 3306 

mysql-database: guacamole_db 

mysql-username: guacamole_user 

mysql-password: YourStrongPassword! 

 

Save and exit. 

 

11. Restart Services 

sudo systemctl restart tomcat9 guacd mysql 

 

12. Log In and Verify 

  • Open: http:// 172.16.0.6:8080/guacamole 

  • Default credentials: 

  • Username: guacadmin 

  • Password: guacadmin 

 Immediately change the password and create your own admin account. 

Configure Tomcat9 to Set Default Site to Guacamole site

 

13. Modify so http://localhost:8080 opens Guacamole 

sudo systemctl stop tomcat9 

sudo rm -rf /var/lib/tomcat9/webapps/ROOT 

sudo cp /var/lib/tomcat9/webapps/guacamole.war /var/lib/tomcat9/webapps/ROOT.war 

sudo systemctl start tomcat9 

Configure Guacamole.properties & user-mapping.xml

 

To define how Guacamole connects to guacd, create the guacamole.properties file under /etc/guacamole directory with the following content.

vim /etc/guacamole/guacamole.properties
guacd-hostname: localhost guacd-port: 4822 user-mapping: /etc/guacamole/user-mapping.xml auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

After that, save the configuration file and link the Guacamole configurations directory to Tomcat servlet directory as shown below.

ln -s /etc/guacamole /usr/share/tomcat9/.guacamole

Configure Guacamole Authentication Method

Guacamole’s default authentication method reads all users and connections from a single file called user-mapping.xml. In this file,you need to define the users allowed to access Guacamole web UI, the servers to connect to and the method of connection.

Therefore, run the command below to create this file with the following contents.

vim /etc/guacamole/user-mapping.xml

Be sure to replace password with your strong password.

<user-mapping> <!-- Per-user authentication and config information --> <!-- A user using md5 to hash the password guacadmin user and its md5 hashed password below is used to   login to Guacamole Web UI--> <authorize username="guacadmin" password="5f4dcc3b5aa765d61d8327deb882cf99" encoding="md5"> <!-- First authorized Remote connection -->  <connection name="CentOS-Server"> <protocol>ssh</protocol> <param name="hostname">192.168.56.156</param> <param name="port">22</param> </connection> <!-- Second authorized remote connection -->  <connection name="Windows 7"> <protocol>rdp</protocol> <param name="hostname">192.168.56.122</param> <param name="port">3389</param> <param name="username">netsec</param> <param name="ignore-cert">true</param> </connection> </authorize> </user-mapping>

Generate the MD5 hash of passwords for the user used for logging into Guacamole web user interface. Replace you password accordingly;

echo -n password | openssl md5
printf '%s' password | md5sum

You should get following md5 value for your password string:

5f4dcc3b5aa765d61d8327deb882cf99

If you need to explicitly define usernames and passwords, add the parameters;

<param name="username">USERNAME</param> <param name="password">PASSWORD</param>

Save and exit the configuration file.

You can check how to enable Guacamole OpenLDAP Authentication;

Setup Apache Guacamole OpenLDAP Authentication

Restart both Tomcat and guacd to effect the changes.

systemctl restart tomcat9 guacd

Be sure to check the syslog, /var/log/syslog or /var/log/tomcat9/CATALINA-* for any issues.

Videos

 

https://blog.51sec.org

版权声明:
作者:zhangchen
链接:https://www.techfm.club/p/228368.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>