If you would like to use AD accounts to log on to a Horizon Ubuntu desktop pool, you need to join the Ubuntu Linux master image to Active Directory first. The following is the procedure for doing so.
1. Joining Ubuntu to AD
Log on to the Ubuntu desktop.
Open the Terminal.
Define the host name of the VM by command "sudo nano /etc/hostname".
Make sure a host name is set in the file.
Add the DNS server name and IP address to the hosts file by command "sudo nano /etc/hosts".
Also add the DNS name and IP address of the Ubuntu VM itself to the file.
Install the NTP client by command "sudo apt install -y ntpdate".
Edit the config file by command "sudo nano /etc/systemd/timesyncd.conf".
Make sure a valid NTP server is defined in the file.
Verify the setting by command "timedatectl".
The output should include "NTP service: active".
Verify the DNS resolver setting by command "sudo nano /etc/resolv.conf".
The file should contain the following lines:
nameserver [domain controller IP]
search [domain name]
Install the AD join packages by command "sudo apt install -y samba krb5-config krb5-user winbind libpam-winbind libnss-winbind".
During the installation, a window may pop up asking for the domain name. Input the domain name in capital letters (for example, MYDOMAIN.COM) and click "OK".
Edit the krb5 config file by command "sudo nano /etc/krb5.conf".
Make sure the config file includes all of the following lines in the corresponding sections, replacing the example values (MYDOMAIN.COM, mydomain.com, ads-hostname.mydomain.com) with your actual information. Follow the example below for which parts are entered in capital letters.
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname.mydomain.com
admin_server = ads-hostname.mydomain.com
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = ads-hostname.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
To verify Kerberos authentication, run the commands "kinit Administrator@MYDOMAIN.COM" and "klist".
The output should be similar to the following.
Edit the SMB config file by command "sudo nano /etc/samba/smb.conf".
Make sure the file includes all of the following lines, replacing the example values (MYDOMAIN, MYDOMAIN.COM, ads-hostname.mydomain.com) with your actual information. Follow the example below for which parts are entered in capital letters.
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
password server = ads-hostname.mydomain.com
security = ads
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
Join Ubuntu to AD with command "sudo net ads join -U AdminUser@mydomain.com".
Run the following commands to enable the AD-related services.
sudo systemctl stop samba-ad-dc
sudo systemctl enable smbd nmbd winbind
sudo systemctl restart smbd nmbd winbind
Modify the nsswitch config file by command "sudo nano /etc/nsswitch.conf".
Make sure the file includes all of the following lines.
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files
To check the result of the AD join, run command "wbinfo -u". It should list all user accounts in AD.
Enable all PAM profiles by command "sudo pam-auth-update".
Select all modules and click "OK".
Reboot Ubuntu; you can then log in with an AD account in the format "domain\user".
2. Create domain rejoin script for Horizon cloning
At this point, Ubuntu is ready to authenticate against AD. The next step is granting sudo rights to the VDI domain user group.
Create an AD group named "Ubuntu Admins".
Add the corresponding AD accounts to it.
Log on to Ubuntu.
Open Terminal.
Edit the sudoers file by command "sudo visudo".
Add the following line to the file.
"%Ubuntu Admins" ALL=(ALL) ALL
The last step is creating a domain rejoin script, so that the Ubuntu clones created by Horizon join the domain automatically.
Log on to Ubuntu.
Open Terminal.
Run command "sudo mkdir /var/vmscript/".
Create the script by command "sudo nano /var/vmscript/rejoindomain".
The script must contain the domain rejoin command "/usr/bin/net ads join -U <ADUserName>%<ADUserPassword>". Since the account password will be saved in the file, it is recommended to create a dedicated AD account with domain-join rights only for this purpose.
Make the script executable by command "sudo chmod +x /var/vmscript/rejoindomain".
Edit the VMware config file by command "sudo nano /etc/vmware/viewagent-custom.conf".
Make sure the file contains a line defining the location of the script, as follows.
RunOnceScript=/var/vmscript/rejoindomain
Reboot the Ubuntu.
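As an added example (not from the original post), here is a rejoin script for /var/vmscript/rejoindomain that keeps the join account's password out of the script itself, in a separate root-only file, and skips the join when the clone is already a domain member. The credentials file path /etc/vmscript/join.cred, its "user=" / "password=" line format and the mode check are assumptions.

```shell
#!/bin/sh
# Added example for /var/vmscript/rejoindomain (not the original post's script).
# Assumed: /etc/vmscript/join.cred holds two lines, "user=<join account>" and
# "password=<password>", owned by root with mode 0600; the account has
# domain-join rights only, as the post recommends.

CRED_FILE="${CRED_FILE:-/etc/vmscript/join.cred}"
LOG_TAG="rejoindomain"

# Return 0 only if the credentials file exists and is not group/world readable.
cred_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read user= and password= from the credentials file; print "user password".
# Fails if the file is readable by others or either value is missing.
load_join_creds() {
    f="$1"
    cred_file_is_private "$f" || return 1
    user=$(sed -n 's/^user=//p' "$f" | head -n1)
    pass=$(sed -n 's/^password=//p' "$f" | head -n1)
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    printf '%s %s\n' "$user" "$pass"
}

# Join the domain unless this clone is already a valid member, so a plain
# reboot does not reset the machine account secret every time.
rejoin_domain() {
    if /usr/bin/net ads testjoin >/dev/null 2>&1; then
        logger -t "$LOG_TAG" "already joined; nothing to do"
        return 0
    fi
    creds=$(load_join_creds "$CRED_FILE") || { logger -t "$LOG_TAG" "unusable credentials file $CRED_FILE"; return 1; }
    user=${creds%% *}
    pass=${creds#* }
    # Same user%password form the post uses for "net ads join".
    /usr/bin/net ads join -U "${user}%${pass}" && logger -t "$LOG_TAG" "domain join succeeded"
}

# Only perform the join when run as the installed script, not when sourced.
if [ "$(basename -- "$0")" = "rejoindomain" ]; then
    rejoin_domain
fi
```

Create the credentials file with "sudo install -m 600 -o root -g root /dev/null /etc/vmscript/join.cred" before filling it in, so the mode check passes on the first run.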
----- END -----