top of page
Writer's pictureBarry Ling

Prepare Ubuntu Linux for Active Directory Login

Updated: Jan 24


If you would like to make use the AD account for logon to a Horizon Ubuntu desktop pool, you will need join the Ubuntu Linux master image to Active Directory first. Following is the procedure of doing so.



1. Joining Ubuntu to AD

  • Logon the Ubuntu desktop.

  • Open the Terminal.

  • Define the host name of the VM by command "sudo nano /etc/hostname".

  • Make sure a host name is added in the file.

  • Add the DNS server name and IP address to hosts file by command "sudo nano /etc/hosts".

  • Add the DNS name and IP of the Ubuntu to the file.

  • Install NTP client by command "sudo apt install -y ntpdate".

  • Edit the config fle by command "sudo nano /etc/systemd/timesyncd.conf".

  • Make sure a valid NTP server is defined in the file.

  • Verify the settng by command "timedatectl".

  • There should have result of NTP service: active.

  • Verify setting of DNS resolve by command "sudo nano /etc/resolv.conf".

  • The file should have following lines:

nameserver [domain controller IP]

search [domain name]

  • Install AD join package by command "sudo apt install -y samba krb5-config krb5-user winbind libpam-winbind libnss-winbind".

  • During the installation, a windows may pop up for asking the domain name. Input the domain name in capital letters (for example, MYDOMAIN.COM). click "OK".

  • Edit krb5 config file by command "sudo nano /etc/krb5.conf".

  • Make sure the config file including all following lines in corresponding section. And replace those BOLDED TEXTS with your actual information. Please follow the example below to input part of the information in capital letter.

[libdefaults]

default_realm = MYDOMAIN.COM

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

default_ccache_name = KEYRING:persistent:%{uid}



[realms]

MYDOMAIN.COM = {

kdc = ads-hostname.mydomain.com

admin_server = ads-hostname.mydomain.com

default_domain = mydomain.com

pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem

pkinit_cert_match = <KU>digitalSignature

pkinit_kdc_hostname = ads-hostname.mydomain.com

}



[domain_realm]

.mydomain.com = MYDOMAIN.COM

mydomain.com = MYDOMAIN.COM

  • To verify the Kerberos certification. Run command "kinit Administrator@MYDOMAIN.COM" and "klist"

  • The result should be similar to following.

  • Edit the SMB config file by command "sudo nano /etc/samba/smb.conf".

  • Make sure the file including all following lines. And replace those BOLDED TEXTS with your actual information. Please follow the example below to input part of the information in capital letter.

[global]

workgroup = MYDOMAIN

realm = MYDOMAIN.COM

password server = ads-hostname.mydomain.com

security = ads

kerberos method = secrets only

winbind use default domain = true

winbind offline logon = false

template homedir =/home/%D/%U

template shell = /bin/bash

client use spnego = yes

client ntlmv2 auth = yes

encrypt passwords = yes

passdb backend = tdbsam

winbind enum users = yes

winbind enum groups = yes

idmap uid = 10000-20000

idmap gid = 10000-20000


  • Join the Ubuntu to AD with command "sudo net ads join -U AdminUser@mydomain.com".

  • Run following commands to enable AD packages.

sudo systemctl stop samba-ad-dc

sudo systemctl enable smbd nmbd winbind

sudo systemctl restart smbd nmbd winbind


  • Modify the nsswitch config file by command "sudo nano /etc/nsswitch.conf".

  • Make sure the file including all following lines.

passwd: compat systemd winbind

group: compat systemd winbind

shadow: compat

gshadow: files


  • To check the result of AD join, run command "wbinfo -u". It should showing all user accounts on AD.

  • Enable all PAM profiles by command "sudo pam-auth-update".

  • Select all module and "OK".

  • Reboot the Ubuntu and you can login using AD account with format "domain\user".





2. Create domain rejoin script for Horizon cloning


Until now, the Ubuntu is ready for authenticating with AD. The next step will be granting sudo right to the VDI domain user group.

  • Create an AD group name "Ubuntu Admins".

  • Add corresponding AD account to it..

  • Logon to the Ubuntu.

  • Open Terminal.

  • Edit the admin file Run command "sudo visudo".

  • Add the following line to the configure file.

"%Ubuntu Admins" ALL=(ALL) ALL


The last step to do will be creating a domain rejoin script. so that the Ubuntu cloned by Horizon will join the domain automatically.

  • Logon to the Ubuntu.

  • Open Terminal.

  • Run command "sudo mkdir /var/vmscript/".

  • Create the script by command "sudo nano /var/vmscript/rejoindomain".

  • The script must contain the domain rejoin command "/usr/bin/net ads join -U <ADUserName>%<ADUserPassword>". Since the account password will be saved in the file, it is recommended creating a dedicated AD account with right of domain join only for this purpose.

  • Make the script executable by command "sudo chmod +x /var/vmscript/rejoindomain".

  • Edit the VMware config file by command "sudo nano /etc/vmware/viewagent-custom.conf".

  • Make sure the file containing a line defined the location of the script as follow.

RunOnceScript=/var/vmscript/rejoindomain

  • Reboot the Ubuntu.




----- END -----





346 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page