Joining an EndeavourOS client to the Domain and Enabling RDP

A screenshot of EndeavourOS's KDE Desktop upon signing in

We have yet another Linux distro that was configured and imaged as part of our recent network overhaul and expansion project. Unlike its Debian-based counterparts, this distro was an absolute pain in the ass to figure out, both to join to the domain and to get xrdp configured on. It was configured for EndeavourOS Gemini 2024.04.20 on the Cinnamon desktop, and it took four long days to get it all together for ya’.

As a matter of fact, it may not even work for you. That’s right: during the testing process, realmd decided that it would no longer build. Our EndeavourOS image on the PXE server was built from a test image, instead of fresh from a live CD like the other operating systems we have, simply because realmd would not build. You may already be aware that it’s broken. I tried compiling it from its source files with all of its dependencies installed and it still would not work. I apologize, as this guide may not be of complete help, but this shit was broken. Still, included with this guide are the commands to build realmd, just in case someone decides to fix it. In the event that it does build, please reach out to me on the Discord so that I can come back here and reword this accordingly.

Follow these detailed steps to join your EndeavourOS (or possibly plain Arch) machine to the domain and enable RDP functionality. The following instructions are tailored for the pacman package manager.

Step 1: Update and Install Necessary Software

First, update your system and, optionally, install and enable the OpenSSH server so you can finish the rest of the setup remotely.

sudo pacman -Syu
sudo pacman -S openssh # OPTIONAL
sudo systemctl start sshd # OPTIONAL
sudo systemctl enable sshd # OPTIONAL

Step 2: Install Required Packages and Configure Initial Settings

Install the necessary packages for domain integration and configure the initial settings.

yay -Sy realmd sssd xrdp xorgxrdp   # realmd, xrdp and xorgxrdp come from the AUR, hence yay; run it as your normal user, not as root

Update the xrdp configuration:

sudo nano /etc/xrdp/xrdp.ini

Change the port line so xrdp listens on all interfaces (IPv4 and IPv6; the xrdp.ini comments document this tcp:// form):

port=tcp://:3389

Create an iptables setup script:

sudo nano /usr/local/bin/iptables-setup.sh

Match the contents with the following script:

#!/bin/bash
# Add the RDP accept rule only if it is not already present (-C checks for it);
# a bare -A would append a duplicate rule every time this unit runs.
iptables -C INPUT -p tcp --dport 3389 -j ACCEPT 2>/dev/null || \
    iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
# Persist the running rule set where Arch's iptables.service loads it from on boot.
iptables-save | tee /etc/iptables/iptables.rules
systemctl enable iptables
systemctl start iptables

Make the script executable and create a systemd service for it:

sudo chmod +x /usr/local/bin/iptables-setup.sh
sudo nano /etc/systemd/system/iptables-setup.service

Match the contents with the following configuration:

[Unit]
Description=Setup iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/iptables-setup.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Update the xrdp session start script:

sudo nano /etc/xrdp/startwm.sh

Match the contents with the following script:

#!/bin/sh

if [ -r /etc/profile ]; then
    . /etc/profile
fi

if [ -r /etc/environment ]; then
    . /etc/environment
fi

export DESKTOP_SESSION=cinnamon
export XDG_SESSION_DESKTOP=cinnamon
export XDG_CURRENT_DESKTOP=cinnamon

exec /usr/bin/cinnamon-session

Reload systemd daemon and start the services:

sudo systemctl daemon-reload
sudo systemctl enable iptables-setup.service
sudo systemctl start iptables-setup.service
sudo systemctl enable xrdp
sudo systemctl start xrdp
sudo systemctl enable xrdp-sesman
sudo systemctl start xrdp-sesman
ss -tuln | grep 3389   # Verify listening
sudo iptables -L   # Verify iptables rules
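As an added check for this step (example code written for this page, not from the original post or the xrdp project), the script below parses the output of `ss -tuln` and `iptables -S INPUT` to confirm that xrdp is listening and to report whether the RDP accept rule is open to any source or scoped to a source network. `MGMT_NET` is an assumed placeholder subnet; when the tools are unavailable, or iptables needs root, the script falls back to the constructed sample output embedded in it.

```bash
#!/bin/bash
# Added example (not part of the original post): checks for the xrdp/iptables step.
# Parses the output formats of `ss -tuln` and `iptables -S INPUT`; falls back to the
# constructed samples below when those commands are unavailable or need root.
RDP_PORT="${RDP_PORT:-3389}"
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # assumption: replace with your admin subnet

# Constructed sample of `ss -tuln` with xrdp listening on all interfaces.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      2          0.0.0.0:3389      0.0.0.0:*'

# Constructed sample of `iptables -S INPUT` as produced by the post's iptables-setup.sh:
# the RDP rule carries no -s, so it accepts connections from any source.
SAMPLE_RULES_OPEN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT'

# The same rule restricted to the management subnet.
SAMPLE_RULES_SCOPED='-P INPUT DROP
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT'

# Return 0 when the given `ss -tuln` text shows a TCP socket listening on RDP_PORT.
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
xrdp_listening() {
    printf '%s\n' "$1" | awk -v p=":$RDP_PORT" '
        $1 == "tcp" && $2 == "LISTEN" && $5 ~ (p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Classify the RDP accept rules in `iptables -S INPUT` text and print one word:
#   open   - at least one ACCEPT for RDP_PORT with no source (-s) restriction
#   scoped - ACCEPT rules exist, and every one of them carries a -s restriction
#   none   - no ACCEPT rule for RDP_PORT at all
rdp_rule_state() {
    printf '%s\n' "$1" | awk -v p="$RDP_PORT" '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ {
            if ($0 ~ / -s /) scoped = 1; else open = 1
        }
        END { if (open) print "open"; else if (scoped) print "scoped"; else print "none" }'
}

main() {
    local ss_out rules
    ss_out=$(ss -tuln 2>/dev/null) || ss_out=$SAMPLE_SS
    rules=$(iptables -S INPUT 2>/dev/null) || rules=$SAMPLE_RULES_OPEN
    if xrdp_listening "$ss_out"; then
        echo "xrdp: listening on tcp/$RDP_PORT"
    else
        echo "xrdp: NOT listening on tcp/$RDP_PORT (check xrdp.service and xrdp.ini)"
    fi
    case $(rdp_rule_state "$rules") in
        open)   echo "firewall: tcp/$RDP_PORT accepted from ANY source; consider -s $MGMT_NET" ;;
        scoped) echo "firewall: tcp/$RDP_PORT accepted only from a listed source network" ;;
        none)   echo "firewall: no ACCEPT rule for tcp/$RDP_PORT (is iptables-setup.service active?)" ;;
    esac
}
main "$@"
```

Run it on the client once the services are up. With the iptables-setup.sh from this guide the check reports `open`, because the rule has no source restriction; if RDP only needs to be reachable from an admin network, adding `-s <subnet>` to that rule is what turns the result into `scoped`.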

Download and run the realmd-arch-helper script:

wget https://raw.githubusercontent.com/robinrosenberger/realmd-arch-helper/master/realmd-arch-helper.sh
chmod +x realmd-arch-helper.sh
sudo -i   # opens a root login shell whose working directory is /root; cd back to where the script was downloaded
sudo ./realmd-arch-helper.sh --patch-config   # the sudo prefix is redundant inside the root shell but harmless

Update the sudoers file:

sudo EDITOR=nano visudo # OPTIONAL; visudo validates the syntax before saving, and a broken /etc/sudoers locks everyone out of sudo

Add the following lines under the sudo section:

# AD group names containing spaces must be backslash-escaped, e.g. %domain\ admins
%myWorkstationAdmins ALL=(ALL) ALL
%myDomainAdmins ALL=(ALL) ALL

Step 3: Configure PAM and Login Screen

Update the PAM configuration for su:

sudo nano /etc/pam.d/su

Match the contents with the following configuration:

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            sufficient      pam_unix.so
auth            sufficient      pam_sss.so
auth            required        pam_unix.so

account         required        pam_unix.so
account         sufficient      pam_sss.so
account         required        pam_unix.so

session         required        pam_unix.so
session         optional        pam_sss.so
session         required        pam_unix.so

password        include         system-auth

Update the LightDM PAM configuration:

sudo nano /etc/pam.d/lightdm

Replace the contents with the following:

#%PAM-1.0
auth        required    pam_env.so
auth        sufficient  pam_unix.so try_first_pass
auth        sufficient  pam_sss.so use_first_pass
auth        required    pam_deny.so

account     required    pam_unix.so
account     sufficient  pam_sss.so
account     required    pam_permit.so

password    required    pam_unix.so
password    sufficient  pam_sss.so use_authtok
password    required    pam_deny.so

session     required    pam_limits.so
session     required    pam_unix.so
session     optional    pam_sss.so
session     optional    pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional    pam_systemd.so

Update the LightDM configuration:

sudo nano /etc/lightdm/lightdm.conf

Match the contents with the following configuration:

[LightDM]
logind-check-graphical=true
[Seat:*]
greeter-session=lightdm-gtk-greeter
autologin-user-timeout=0
greeter-show-manual-login=true
greeter-hide-users=true
session-wrapper=/etc/lightdm/Xsession
user-session=cinnamon

Update the NSS configuration:

sudo nano /etc/nsswitch.conf

Ensure it matches the following:

passwd: files systemd sss
group: files [SUCCESS=merge] systemd sss
shadow: files systemd sss
gshadow: files systemd sss
netgroup: files sss

Step 4: Install XFCE and Systemd Components

Even though we’re configuring this image for the Cinnamon desktop, these packages are required for xrdp to work as intended.

sudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter
sudo pacman -Syu systemd
sudo systemctl enable systemd-logind
sudo systemctl start systemd-logind

Step 5: Join the Domain and Configure SSSD

Configure hostname and hosts files:

sudo nano /etc/hosts

Replace the second line with:

# FQDN first: the first name after the address is the canonical name that `hostname -f`
# returns, and it is what the join uses to name the computer's Kerberos principal.
192.168.0.25       myEndeavourOS.yourdomain.com myEndeavourOS

Add domain controllers to the hosts file:

# The redirect has to run as root: with a plain "sudo echo ... >> file" only echo is
# elevated and the shell's redirect is not, so append through tee instead.
echo '192.168.0.5 myServer.yourdomain.com myserver' | sudo tee -a /etc/hosts

Discover and join the domain:

sudo realm discover yourdomain.com   # TRY FIRST: confirms DNS and SRV lookups reach the domain
sudo realm join --user=Administrator yourdomain.com
sudo systemctl enable realmd   # realmd is normally started on demand over D-Bus; harmless if systemd reports nothing to enable

Configure SSSD:

sudo nano /etc/sssd/sssd.conf

Match the contents with the following configuration:

[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam

[domain/yourdomain.com]
default_shell = /bin/bash
# cache_credentials keeps a hash of the password in the sssd cache so domain users can still
# log in with no DC reachable; krb5_store_password_if_offline keeps the password in the kernel
# keyring to obtain a TGT once a DC is back. Both are why this file must stay at mode 0600.
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = yourdomain.com
#use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
# permissive: AD logon-right GPOs (e.g. "Allow log on locally") are evaluated and logged but
# not enforced on this client; enforcing (sssd's default) is what makes them apply.
ad_gpo_access_control = permissive

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

Set the correct permissions on sssd.conf and reboot. Once you’re signed in again, install all of the following packages a second time; for some reason this is required.

sudo chmod 600 /etc/sssd/sssd.conf
sudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter
sudo pacman -Syu systemd
sudo reboot

After doing that and rebooting a second time, you should be able to sign in with an AD user.
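Before that final reboot, the following checks (an added example, not part of the original post) verify the files edited in Steps 3 and 5: the mode of sssd.conf, the effective ad_gpo_access_control value, FQDN-first ordering in /etc/hosts, and sss in nsswitch.conf. The file paths and the short hostname `myEndeavourOS` are assumptions matching the placeholders used in this guide; when /etc/sssd/sssd.conf is absent, the script runs against constructed sample files instead.

```bash
#!/bin/bash
# Added example, not part of the original post: sanity checks for the files edited in
# Steps 3 and 5. Each function takes a file path so it can run against the real file on
# the client or a test copy. The paths and the short hostname "myEndeavourOS" in the
# fallback at the bottom are assumptions matching the guide's placeholders.

# sssd will not start when sssd.conf is readable by anyone but root; the guide's
# "chmod 600 /etc/sssd/sssd.conf" exists for exactly this reason.
sssd_conf_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Print the effective ad_gpo_access_control value (sssd's default is "enforcing").
# "permissive" evaluates and logs AD logon-right GPOs but never enforces them, so a user
# denied "Allow log on locally" by group policy can still sign in on this client.
sssd_gpo_mode() {
    local v
    v=$(sed -n 's/^[[:space:]]*ad_gpo_access_control[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-enforcing}"
}

# The first name after the address in /etc/hosts is the canonical name that "hostname -f"
# and the host's Kerberos principal use, so it must be the FQDN, not the short name.
# $1 = hosts file, $2 = short hostname
hosts_fqdn_first() {
    awk -v h="$2" '
        $1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == h || index($i, h ".") == 1) { found = 1; ok = ($2 ~ /\./); exit }
        }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# passwd, group and shadow lookups all need "sss", or AD users resolve for login but
# not for id/getent (or the other way round).
nsswitch_has_sss() {
    local db
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
}

# $1 = sssd.conf, $2 = hosts, $3 = nsswitch.conf, $4 = short hostname; returns 1 on any FAIL
run_checks() {
    local rc=0 mode
    if sssd_conf_mode_ok "$1"; then echo "ok:   $1 is mode 0600"; else echo "FAIL: $1 must be mode 0600"; rc=1; fi
    mode=$(sssd_gpo_mode "$1")
    if [ "$mode" = enforcing ]; then echo "ok:   GPO access control enforcing"; else echo "WARN: ad_gpo_access_control = $mode (logon GPOs not enforced)"; fi
    if hosts_fqdn_first "$2" "$4"; then echo "ok:   $2 lists the FQDN first for $4"; else echo "FAIL: $2 must list the FQDN of $4 before the short name"; rc=1; fi
    if nsswitch_has_sss "$3"; then echo "ok:   $3 routes passwd/group/shadow to sss"; else echo "FAIL: $3 is missing sss"; rc=1; fi
    return $rc
}

if [ -f /etc/sssd/sssd.conf ]; then
    run_checks /etc/sssd/sssd.conf /etc/hosts /etc/nsswitch.conf "$(hostname -s)"
else
    # Constructed sample files mirroring the guide's configuration, for running off the client.
    tmp=$(mktemp -d)
    printf '[domain/yourdomain.com]\nad_gpo_access_control = permissive\n' > "$tmp/sssd.conf"
    chmod 600 "$tmp/sssd.conf"
    printf '127.0.0.1 localhost\n192.168.0.25 myEndeavourOS.yourdomain.com myEndeavourOS\n' > "$tmp/hosts"
    printf 'passwd: files systemd sss\ngroup: files [SUCCESS=merge] systemd sss\nshadow: files systemd sss\n' > "$tmp/nsswitch.conf"
    run_checks "$tmp/sssd.conf" "$tmp/hosts" "$tmp/nsswitch.conf" myEndeavourOS
    rm -rf "$tmp"
fi
```

On the client it prints one line per check and exits non-zero if any FAIL is hit, so it can sit in front of the `sudo reboot`. The GPO line is a warning rather than a failure because the guide deliberately sets permissive to get logins working; it is there so nobody forgets that logon restrictions from Group Policy are not being applied on this machine.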
