Joining an EndeavourOS client to the Domain and Enabling RDP
We have yet another Linux distro that was configured and imaged as part of our recent network overhaul and expansion project. Unlike our other Debian counterparts, this distro was an absolute pain in the ass to figure out, to join to the domain, as well as to configure xrdp. It was configured for EndeavourOS Gemini 2024.04.20 on Cinnamon Desktop and it took four long days to get it all together for ya’.
As a matter of fact, it may not even work for you. That’s right, during the testing process, realmd decided that it would no longer build. Our EndeavourOS image that we have on our PXE server was built from a test image, instead of building it fresh from a live CD like the other operating systems we have, simply because realmd would not build. You may already be aware that it’s broken. I tried compiling it from its source files with all of its dependencies installed and it still would not work. I apologise, as this guide may not be of complete help, but this shit was broken. Still, included with this guide are the commands to build realmd, just in case someone decides to fix it. In the event that it does build, please reach out to me on the Discord so that I can come back here and reword this accordingly.
Follow these detailed steps to join your Endeavour or maybe even Arch machine to the domain and enable RDP functionality. The following instructions are tailored for the pacman package manager.
Step 1: Update and Install Necessary Software
First, update your system and install the required software, including SSH.
sudo pacman -Syu
sudo pacman -S openssh # OPTIONAL
sudo systemctl start sshd # OPTIONAL
sudo systemctl enable sshd # OPTIONAL
Step 2: Install Required Packages and Configure Initial Settings
Install the necessary packages for domain integration and configure the initial settings.
yay -Sy realmd sssd xrdp xorgxrdp
Update the xrdp configuration:
sudo nano /etc/xrdp/xrdp.ini
Change the port configuration to:
port=tcp://:3389
Create an iptables setup script:
sudo nano /usr/local/bin/iptables-setup.sh
Match the contents with the following script:
#!/bin/bash
# Allow inbound RDP. The service below runs this on every boot, so check with -C
# first and only append the rule when it is not already present.
iptables -C INPUT -p tcp --dport 3389 -j ACCEPT 2>/dev/null || \
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
# Persist the current rule set so iptables.service restores it on boot
iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables
systemctl start iptables
Make the script executable and create a systemd service for it:
sudo chmod +x /usr/local/bin/iptables-setup.sh
sudo nano /etc/systemd/system/iptables-setup.service
Match the contents with the following configuration:
[Unit]
Description=Setup iptables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/iptables-setup.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Update the xrdp session start script:
sudo nano /etc/xrdp/startwm.sh
Match the contents with the following script:
#!/bin/sh
if [ -r /etc/profile ]; then
. /etc/profile
fi
if [ -r /etc/environment ]; then
. /etc/environment
fi
export DESKTOP_SESSION=cinnamon
export XDG_SESSION_DESKTOP=cinnamon
export XDG_CURRENT_DESKTOP=cinnamon
exec /usr/bin/cinnamon-session
Reload systemd daemon and start the services:
sudo systemctl daemon-reload
sudo systemctl enable iptables-setup.service
sudo systemctl start iptables-setup.service
sudo systemctl enable xrdp
sudo systemctl start xrdp
sudo systemctl enable xrdp-sesman
sudo systemctl start xrdp-sesman
ss -tuln | grep 3389 # Verify listening
sudo iptables -L # Verify iptables rules
Download and run the realmd-arch-helper script:
wget https://raw.githubusercontent.com/robinrosenberger/realmd-arch-helper/master/realmd-arch-helper.sh
chmod +x realmd-arch-helper.sh
sudo -i
sudo ./realmd-arch-helper.sh --patch-config
Update the sudoers file:
sudo nano /etc/sudoers # OPTIONAL
Add the following lines under the sudo section:
%myWorkstationAdmins ALL=(ALL) ALL
%myDomainAdmins ALL=(ALL) ALL
Step 3: Configure PAM and Login Screen
Update the PAM configuration for su:
sudo nano /etc/pam.d/su
Match the contents with the following configuration:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth required pam_unix.so
account required pam_unix.so
account sufficient pam_sss.so
account required pam_unix.so
session required pam_unix.so
session optional pam_sss.so
session required pam_unix.so
password include system-auth
Update the LightDM PAM configuration:
sudo nano /etc/pam.d/lightdm
Replace the contents with the following…
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_sss.so
account required pam_permit.so
password required pam_unix.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_systemd.so
Update the LightDM configuration:
sudo nano /etc/lightdm/lightdm.conf
Match the contents with the following configuration:
[LightDM]
logind-check-graphical=true
[Seat:*]
greeter-session=lightdm-gtk-greeter
autologin-user-timeout=0
greeter-show-manual-login=true
greeter-hide-users=true
session-wrapper=/etc/lightdm/Xsession
user-session=cinnamon
Update the NSS configuration:
sudo nano /etc/nsswitch.conf
Ensure it matches the following:
passwd: files systemd sss
group: files [SUCCESS=merge] systemd sss
shadow: files systemd sss
gshadow: files systemd sss
netgroup: files sss
Step 4: Install XFCE and Systemd Components
Even though we’re configuring this image for the Cinnamon desktop, these packages are required in order for xrdp to work as intended.
sudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter
sudo pacman -Syu systemd
sudo systemctl enable systemd-logind
sudo systemctl start systemd-logind
Step 5: Join the Domain and Configure SSSD
Configure hostname and hosts files:
sudo nano /etc/hosts
Replace the second line with:
192.168.0.25 myEndeavourOS myEndeavourOS.yourdomain.com
Add domain controllers to the hosts file:
sudo -i
sudo echo 192.168.0.5 myServer.yourdomain.com myserver >> /etc/hosts
Discover and join the domain:
sudo realm discover yourdomain.com # TRY FIRST
sudo realm join --user=Administrator yourdomain.com
systemctl enable realmd
Configure SSSD:
sudo nano /etc/sssd/sssd.conf
Match the contents with the following configuration:
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam
[domain/yourdomain.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = yourdomain.com
#use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
Set the correct permissions and reboot. Once you’re signed in again, install all of the following again. For some reason this is required.
sudo chmod 600 /etc/sssd/sssd.conf
sudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter
sudo pacman -Syu systemd
sudo reboot
Upon doing that and rebooting a 2nd time, you should now be able to sign in with an AD user.
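After the second reboot, the files this guide edits can be audited with the following script. It is an added example, not part of the original guide or of realmd, sssd or xrdp; each check takes a file path (the guide's own paths are the defaults) and it assumes GNU grep and GNU stat.

```shell
#!/bin/bash
# Audit of the files this guide edits (added example, not the guide's own code).
# Each check takes a path; the defaults are the guide's paths. Exit 0 = passed.

# sssd.conf: root-only mode 0600 and the AD providers the guide configures.
check_sssd_conf() {
    f=${1:-/etc/sssd/sssd.conf}
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = 600 ] || { echo "$f is mode $mode, expected 600"; return 1; }
    grep -Eq '^\s*id_provider\s*=\s*ad\s*$' "$f" || { echo "id_provider is not ad"; return 1; }
    grep -Eq '^\s*access_provider\s*=\s*ad\s*$' "$f" || { echo "access_provider is not ad"; return 1; }
    # permissive only logs GPO logon-right denials instead of enforcing them
    if grep -Eq '^\s*ad_gpo_access_control\s*=\s*permissive' "$f"; then
        echo "warning: ad_gpo_access_control=permissive, GPO logon rights are not enforced"
    fi
    return 0
}

# nsswitch.conf: passwd, group and shadow must be resolvable through sss.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group shadow; do
        grep -Eq "^\s*$db:.*\bsss\b" "$f" || { echo "$db line lacks sss in $f"; return 1; }
    done
}

# PAM stack for the greeter: auth and account must both consult pam_sss.
check_pam() {
    f=${1:-/etc/pam.d/lightdm}
    for type in auth account; do
        grep -Eq "^\s*$type\s+(sufficient|required|optional)\s+pam_sss\.so" "$f" \
            || { echo "$type has no pam_sss.so entry in $f"; return 1; }
    done
}

# xrdp.ini: accept port=3389 or port=tcp://:3389, reject a scheme-less "://".
check_xrdp_port() {
    f=${1:-/etc/xrdp/xrdp.ini}
    grep -Eq '^\s*port\s*=\s*(tcp://[^:]*:)?3389\s*$' "$f" \
        || { echo "no valid port=3389 line in $f"; return 1; }
}

# Run every check; arguments override the default paths in the order above.
audit_all() {
    check_sssd_conf "$1" && check_nsswitch "$2" && check_pam "$3" && check_xrdp_port "$4"
}
# Set AUDIT_RUN=1 to audit the live system when the script is executed directly.
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_all; fi
```

A permissive ad_gpo_access_control is reported as a warning rather than a failure because the guide sets it deliberately; the other checks fail hard.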