Join Ubuntu to a Windows Active Directory (AD) domain and add Remote Desktop Protocol access

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is widely used in modern network infrastructure.

Remote Desktop Protocol (RDP) is a network protocol developed by Microsoft that allows users to remotely access and interact with the graphical user interface of a remote Windows server. It is mostly used with Windows, where it is a built-in service; however, the protocol can also be used with Linux distributions, for example through xrdp.

I received a request from an end user who needed to remote into his Ubuntu machine with a user interface but did not like the lag of the VNC protocol; he also wanted to put his Ubuntu machine into the Windows Active Directory domain. That was a great chance for me to practice! OK, let’s do it!

Join Ubuntu to the AD domain

To join Ubuntu to the AD domain, I’m using the System Security Services Daemon (SSSD) to retrieve information from the same AD resource forest (this setup is not suitable for multiple forests). After that, I need to configure sudo rules for users logging in through AD. Basically, the process looks like this:

First of all (this step should be the same for all Linux distros), update the package lists:

$ sudo apt -y update

Change Ubuntu’s host name so that it includes the correct domain component:

$ sudo hostnamectl set-hostname hostname.domain    # change your host name to hostname.domain

$ hostnamectl      # to make sure the host name has been changed

Also check that DNS is configured correctly (add the domain controller’s host entry to /etc/hosts as needed):

$ cat /etc/resolv.conf

The next step is to install the packages required for joining an Ubuntu system to an AD domain (make sure all of these packages are installed):

$ sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

With all required packages installed, use realm discover to make sure you can find your domain:

$ sudo realm discover domain_name   # replace domain_name with valid AD domain

Once the AD domain can be discovered, use the realm join command to integrate Ubuntu with the Windows AD domain; an AD administrative user account is required for this action:

$ sudo realm join -U Administrator example.com   # replace Administrator with AD admin account

$ realm list     # to make sure the device has joined the AD domain
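The host name and DNS checks above are done by hand in this post; the script below is an added example (not part of the original post or of realmd) that runs them, plus a clock-sync check, before realm discover/join. It assumes the host utility (bind9-host or dnsutils) and systemd’s timedatectl are installed and takes the AD domain name as its argument.

```shell
#!/bin/sh
# Added example: pre-join sanity checks for an Ubuntu host about to run
# "realm join". Usage: ./prejoin.sh example.com

# Return 0 when $1 (the machine FQDN) ends in ".$2" (the AD domain),
# compared case-insensitively. A bare short name, the bare domain itself,
# or a look-alike domain such as notexample.com all fail.
fqdn_in_domain() {
    f=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$f" in
        *".$d") return 0 ;;
        *)      return 1 ;;
    esac
}

# Resolve the SRV records realmd/sssd use to find domain controllers and the KDC.
# If these do not resolve, /etc/resolv.conf is not pointing at the AD DNS.
ad_srv_records() {
    for rec in "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1"; do
        if host -t SRV "$rec" >/dev/null 2>&1; then
            echo "ok   SRV $rec"
        else
            echo "FAIL SRV $rec not resolvable (check /etc/resolv.conf)"
            return 1
        fi
    done
}

# Kerberos rejects authentication when the clock is more than 5 minutes
# off the domain controller, so report whether NTP sync is active.
clock_synced() {
    timedatectl show -p NTPSynchronized --value 2>/dev/null | grep -qx yes
}

main() {
    domain=$1
    [ -n "$domain" ] || { echo "usage: $0 <ad-domain>" >&2; return 2; }
    rc=0
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if fqdn_in_domain "$fqdn" "$domain"; then
        echo "ok   host name $fqdn is in $domain"
    else
        echo "FAIL host name $fqdn is not in $domain (use: hostnamectl set-hostname <host>.$domain)"
        rc=1
    fi
    ad_srv_records "$domain" || rc=1
    if clock_synced; then
        echo "ok   clock is NTP-synchronised"
    else
        echo "WARN clock is not NTP-synchronised; Kerberos tolerates at most 5 minutes of skew"
    fi
    return $rc
}

# Run the checks only when a domain argument is given on the command line.
if [ -n "${1:-}" ]; then
    main "$@"
fi
```

A non-zero exit status means the host name or DNS is not ready; fix that first, because realm join will otherwise fail with an unhelpful Kerberos or LDAP error.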

On RHEL-based systems, the user’s home directory is created automatically. On Ubuntu/Debian, this feature needs to be enabled manually:

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

then activate it with the command below and make sure “activate mkhomedir” is selected:

$ sudo pam-auth-update

The sssd configuration file is located at /etc/sssd/sssd.conf. Whenever the file is changed, a restart is required; afterwards, check that sssd is running and that a domain user can be resolved:

$ sudo systemctl restart sssd
$ systemctl status sssd
$ id username@domain     # replace with the user name that needs to be checked

In an AD domain, access can be controlled by users, by groups, or both; the realm permit commands below modify sssd.conf:

# permit access to single user or multiple users
sudo realm permit user1@domain
sudo realm permit user2@domain user3@domain

# permit access to group
sudo realm permit -g sysadmins
sudo realm permit -g 'Security Users'
sudo realm permit 'Domain Users' 'admin users'

# permit access to allow all users
sudo realm permit --all

# deny access for all domain users
sudo realm deny --all

Unlike on Windows devices, AD user permissions might not apply correctly on a Linux device joined to the domain (i.e. administrator privileges won’t apply automatically); domain users have to be granted sudo access based on user names or groups:

# use a text editor to open the sudo drop-in file for domain users
sudo nano /etc/sudoers.d/domain_admins    # you could use any editor like vim

# add users
user1@domain     ALL=(ALL)   ALL

# add a group
%group1@domain    ALL=(ALL)   ALL

# check the syntax before relying on it; the file must be owned by root,
# mode 0440, and its name must not contain "." or end in "~"
sudo visudo -c -f /etc/sudoers.d/domain_admins
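AD group names often contain spaces (the post itself uses 'Domain Users' and 'Security Users' with realm permit), and sudoers requires those to be backslash-escaped. The functions below are an added example, not part of the original post or of sudo: they render the rule lines shown above for any user or group name and install the drop-in only after visudo accepts it. The drop-in name domain_admins is the one from the post; everything else is illustrative.

```shell
#!/bin/sh
# Added example: generate and safely install a sudoers.d drop-in for AD principals.

# Backslash-escape the characters sudoers(5) treats specially inside a
# user or group name: whitespace, backslash, comma, colon and equals.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[ \\,:=]/\\&/g'
}

# Print one sudoers line. $1 is "user" or "group", $2 the AD principal
# (e.g. user1@domain or 'Domain Admins@domain').
sudoers_rule() {
    kind=$1
    name=$(sudoers_escape "$2")
    case "$kind" in
        user)  printf '%s ALL=(ALL) ALL\n' "$name" ;;
        group) printf '%%%s ALL=(ALL) ALL\n' "$name" ;;
        *)     echo "sudoers_rule: kind must be user or group" >&2; return 2 ;;
    esac
}

# Read rule lines from stdin, write them to a temp file with the
# permissions sudo insists on, validate with visudo, and only then move
# the file into place. Must run as root.
install_sudoers_dropin() {
    target=/etc/sudoers.d/$1
    tmp=$(mktemp)
    cat > "$tmp"
    chmod 0440 "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        mv "$tmp" "$target" && chown root:root "$target"
    else
        echo "refusing to install $target: visudo rejected it" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage (as root):
#   { sudoers_rule user user1@domain; sudoers_rule group 'Domain Admins@domain'; } \
#       | install_sudoers_dropin domain_admins
```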

These are all the steps needed to add Ubuntu to a Windows AD domain and assign the necessary privileges to users. After those steps, SSH into Ubuntu with admin privileges works fine, but in my case the end user prefers a UI to access the machine….

Preparing the RDP protocol for Ubuntu using xrdp

In my case, Ubuntu was already installed with a desktop environment, so I don’t need to install one. I can install xrdp directly:

$ sudo apt install xrdp -y

# check xrdp status after it is installed and make sure it's running
$ sudo systemctl status xrdp

# here is the output if xrdp runs correctly
● xrdp.service - xrdp daemon
     Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-08-07 13:00:44 UTC; 26s ago
       Docs: man:xrdp(8)
             man:xrdp.ini(5)
   Main PID: 17904 (xrdp)
      Tasks: 1 (limit: 1131)
     Memory: 1016.0K
     CGroup: /system.slice/xrdp.service
             └─17904 /usr/sbin/xrdp

# if xrdp is not running yet, use this command to start it (use restart after configuration changes)
$ sudo systemctl start xrdp

To make sure xrdp runs properly, its configuration file needs to be checked. It is stored at /etc/xrdp/xrdp.ini and can be modified to meet the RDP connection requirements.

The configuration file contains different sections:

  • Globals defines the global configuration settings for xrdp.
  • Logging defines the logging subsystem parameters.
  • Channels defines the parameters of the various channels that RDP supports.
  • Session types defines the session types supported by xrdp. Every session type is configured as a separate section under its session type name enclosed in square brackets, such as [Xorg] and [Xvnc]. There is no [Session types] heading in the file; instead, it is written as a comment.

Open the configuration file with a text editor and navigate to the Session types section. You will find the supported session types and their parameters listed:

...

;
; Session types
;

; Some session types such as Xorg, X11rdp, and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20

[Xvnc]
name=Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000

[vnc-any]
...

[neutrinordp-any]
...

...

You can see that with the default configuration the username and password parameters are set to ask, which means the user will be prompted to enter their username and password when connecting over RDP. You could set them to your own user name and password for easier connection, but this is not recommended, since the credentials would then sit in clear text in xrdp.ini….
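A quick way to audit that nobody has hard-coded credentials into xrdp.ini is to scan every session section for a username or password that is not ask. The function below is an added example, not part of the original post or of xrdp; it only needs awk, and the sample file in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example: list xrdp.ini session sections with hard-coded credentials.

# Print the name of every [section] in which username or password is set
# to something other than "ask". Comment lines (; or #) are ignored, as
# xrdp ignores them, so a commented-out "password=ask" does not count.
xrdp_ini_static_creds() {
    awk '
        function flush() { if (sec != "" && bad) print sec; bad = 0 }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); next }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*(username|password)[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val != "ask") bad = 1
        }
        END { flush() }
    ' "$1"
}

# Usage on a live system:
#   xrdp_ini_static_creds /etc/xrdp/xrdp.ini
# Empty output means every session type still prompts for credentials.
```

Running it against a constructed file whose [Xvnc] section carries username=alice and password=s3cret prints just “Xvnc”; the [Xorg] section with both values set to ask is silent.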

You will need to create a .xsession file in the user’s home directory and add xfce4-session as the session manager to use upon login:

# if you are not in your home directory, use this first
$ cd ~

$ echo "xfce4-session" | tee .xsession

# restart xrdp for the change to take effect
$ sudo systemctl restart xrdp

Note: 
tee writes the echoed string "xfce4-session" to the file .xsession. The above configuration ensures that xfce4-session is used as a session manager upon graphical login request. As a result of installing xfce as your desktop environment, xfce4-session serves as its session manager. If you don’t include this information in the .xsession file, no session manager is chosen, and the RDP session will fail to connect to the graphical display.

A firewall rule should be added automatically. If you have problems connecting, you can add the rule manually (xrdp listens on TCP port 3389 by default).

During my test, I had difficulty connecting with domain user accounts that had remote privileges… here is my solution:

– Use “simple” as the access provider instead of group policy; modify sssd.conf as below:

[sssd]
domains = mydomain.corp
config_file_version = 2
services = nss, pam

[domain/mydomain.corp]
ad_domain = mydomain.corp
... a bunch of config not related ...
access_provider = simple

This change skips GPO policy evaluation, and you can then manually assign AD users/groups access to the machine:

# to permit a single user (replace with the actual AD user)
$ sudo realm permit user1@mydomain.corp

# to permit a group (replace with the actual AD group)
$ sudo realm permit -g group1@mydomain.corp

– Alternatively, sssd.conf can be modified as below to keep enforcing GPO policy; ad_gpo_map_remote_interactive maps xrdp’s PAM service (xrdp-sesman) to the RemoteInteractive logon right, so the “Allow log on through Remote Desktop Services” GPO setting governs xrdp logins:

[sssd]
domains = mydomain.corp
config_file_version = 2
services = nss, pam

[domain/mydomain.corp]
ad_domain = mydomain.corp
... a bunch of config not related ...
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman
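Both sssd.conf variants above (access_provider = simple, and access_provider = ad with the GPO mapping) are one or three key changes inside the [domain/…] section. The script below is an added example, not part of the original post or of sssd: it edits an sssd.conf-style file in place, replacing a key if present or appending it to the right section otherwise, and keeps the 0600 root-only mode sssd requires. The domain name mydomain.corp is the one from the post; the function names are illustrative.

```shell
#!/bin/sh
# Added example: switch sssd.conf between the two access-control setups.

# Set "key = value" inside [section] of an INI-style file. An existing key
# in that section is replaced; otherwise the key is appended to the section
# (or the section is created). Writing with cat > keeps the file's mode.
ini_set() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        function emit_if_pending() { if (in_s && !found) { print k " = " v; found = 1 } }
        /^\[.*\]$/ { emit_if_pending(); in_s = ($0 == "[" s "]") }
        in_s && $0 ~ "^[ \t]*" k "[ \t]*=" { print k " = " v; found = 1; next }
        { print }
        END {
            emit_if_pending()
            if (!found) { print ""; print "[" s "]"; print k " = " v }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Variant 1 from the post: bypass GPO evaluation; access is then governed
# solely by "realm permit".
sssd_use_simple_access() {
    ini_set "$1" "domain/$2" access_provider simple
}

# Variant 2 from the post: keep the AD provider, enforce GPOs, and map the
# xrdp-sesman PAM service to the RemoteInteractive logon right.
sssd_use_gpo_access() {
    ini_set "$1" "domain/$2" access_provider ad
    ini_set "$1" "domain/$2" ad_gpo_access_control enforcing
    ini_set "$1" "domain/$2" ad_gpo_map_remote_interactive +xrdp-sesman
}

# sssd refuses to start unless its config is root-owned and mode 0600.
sssd_fix_perms() {
    chown root:root "$1" && chmod 0600 "$1"
}

# Usage (as root), then restart as the post describes:
#   sssd_use_gpo_access /etc/sssd/sssd.conf mydomain.corp
#   sssd_fix_perms /etc/sssd/sssd.conf && systemctl restart sssd
```

Back up /etc/sssd/sssd.conf before running either function; after the restart, id username@domain and an xrdp login are the checks that the change took effect.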

Conclusion

Joining Linux devices to a Windows AD domain lets account access be managed directly through domain settings, but the setup can cause issues and take time. RDP to a Linux device is not common, but some users would like to do it; however, most advanced Linux users prefer to SSH into the device and work there. I hope the end user will like SSH and/or VNC rather than RDP, which was troublesome to get working…. 🙁