Joining a Mint Linux Machine to the Domain and Enabling RDP

[Screenshot: Linux Mint's Cinnamon desktop upon signing in]
This guide is one of several that were pieced together during our recent network overhaul and expansion project. It is written for a Linux Mint 21.3 machine with the default Cinnamon desktop environment; versions close to 21.3, or other desktop environments, may also work with it.
Follow these detailed steps to join your Mint Linux machine to the domain and enable RDP functionality.
Step 1: Update and Install Necessary Software
First, update your system and install the required software, including SSH.
sudo apt update
sudo apt upgrade -y
sudo apt-get install -y openssh-server # OPTIONAL
sudo reboot
Step 2: Install Required Packages and Prepare the System
Next, install the necessary packages for domain integration and configure some initial settings.
sudo apt-get install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli lightdm-gtk-greeter libpam-mkhomedir xrdp xorgxrdp
# The krb5-user package will prompt you for the default Kerberos realm: enter your domain in upper case, e.g. YOURDOMAIN.COM
sudo usermod -a -G ssl-cert xrdp
sudo apt -y remove avahi-daemon
sudo nano /etc/sudoers # OPTIONAL
OPTIONAL: If you’d like to add any users or groups to the sudo file, for example:
%myWorkstationAdmins ALL=(ALL) ALL
%myDomainAdmins ALL=(ALL) ALL
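If you would rather keep these rules out of /etc/sudoers itself, the following is an added example (not part of the original guide) that writes the same group rules as a drop-in file and has visudo parse the result before it goes live, since a syntax error in /etc/sudoers can lock every administrator out of sudo. The directory argument and the file name domain-admins are assumptions; the group names are the guide's own placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Writes optional domain-group
# sudo rules into a drop-in (normally under /etc/sudoers.d) and validates it
# with visudo. The file name "domain-admins" is an assumption.

write_sudoers_dropin() {
    # usage: write_sudoers_dropin DIR GROUP...   (DIR is /etc/sudoers.d in production)
    dir=$1; shift
    out="$dir/domain-admins"        # sudo ignores drop-ins whose name contains '.' or ends in '~'
    : > "$out"
    for grp in "$@"; do
        # AD group names often contain spaces ("domain admins"); sudoers needs them backslash-escaped
        esc=$(printf '%s' "$grp" | sed 's/ /\\ /g')
        printf '%%%s ALL=(ALL) ALL\n' "$esc" >> "$out"
    done
    chmod 0440 "$out"               # sudo refuses drop-ins with looser permissions
    # Parse the file with visudo before it is live. visudo -c also checks owner and
    # mode, so only run it when we are root (as we would be when writing /etc/sudoers.d).
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$out" >/dev/null 2>&1; then
            rm -f "$out"
            echo "syntax error: drop-in removed"
            return 1
        fi
    fi
    echo ok
}

# Demo against a temporary directory (constructed; use /etc/sudoers.d in production)
demo_dir=$(mktemp -d)
write_sudoers_dropin "$demo_dir" myWorkstationAdmins myDomainAdmins
cat "$demo_dir/domain-admins"
rm -rf "$demo_dir"
```

With `use_fully_qualified_names = False` (set in Step 4) group names arrive without the domain suffix, which is why the function takes the bare group name; with fully qualified names enabled you would pass `group@yourdomain.com` instead.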
Step 3: Configure Login Screen Integration
Update PAM configuration to create home directories automatically upon first login.
sudo pam-auth-update --enable mkhomedir
sudo nano /etc/pam.d/common-session
Add the following line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Update the LightDM PAM configuration:
sudo nano /etc/pam.d/lightdm
Replace the entire file with the following:
# /etc/pam.d/lightdm - PAM configuration for LightDM
#%PAM-1.0
# Prevent non-root users from login when /etc/nologin exists
auth requisite pam_nologin.so
# Allow users in the 'nopasswdlogin' group to bypass authentication
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
# Include common authentication settings
@include common-auth
# Optional support for GNOME and KDE keyrings
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
# Include common account settings
@include common-account
# Include common session settings
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
# Include common password settings
@include common-password
# Allow users to be authenticated by SSSD
auth sufficient pam_sss.so
# Include common account settings again for pam_sss
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# Include common session settings again for pam_sss
session optional pam_sss.so
# Include common password settings again for pam_sss
password sufficient pam_sss.so
Update LightDM configuration:
sudo nano /etc/lightdm/lightdm.conf
Add the following lines:
[Seat:*]
greeter-session=lightdm-gtk-greeter
autologin-user-timeout=0
greeter-show-manual-login=true
greeter-hide-users=true
Update the LightDM greeter configuration:
sudo nano /etc/pam.d/lightdm-greeter
Add the following lines to the top of the file:
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
Step 4: Join the Domain and Configure SSSD
Configure DNS and host files for domain joining:
sudo nano /etc/resolv.conf
Replace the nameserver line:
nameserver 192.168.0.5
Make the file immutable to prevent changes:
sudo chattr +i /etc/resolv.conf
sudo nano /etc/hosts
Replace the second line:
192.168.0.25 mintMachine mintMachine.yourdomain.com
Add the domain controller to the hosts file:
sudo -i
echo 192.168.0.5 servername.yourdomain.com servername >> /etc/hosts # the root shell opened by sudo -i performs the redirection, so no extra sudo is needed here
exit
Join the Domain
Discover and join the domain:
sudo realm discover yourdomain.com # TEST to see if the domain is visible
sudo realm join --user=Administrator yourdomain.com
sudo id someuser@yourdomain.com # TEST to see if you can pull a user (replace someuser with an existing domain account). If not, you may just need to reboot the machine.
Configure SSSD:
sudo nano /etc/sssd/sssd.conf
Match the following configuration:
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam
[domain/yourdomain.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = yourdomain.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
Set the correct permissions and reboot:
sudo chmod 600 /etc/sssd/sssd.conf
sudo reboot
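After the reboot it is worth checking what Steps 3 and 4 left on disk. The following is an added example (not part of the original guide) that reads the values the guide sets from sssd.conf with a small INI lookup, verifies the 0600 mode that protects the cached credentials, reports the permissive GPO setting as informational, and counts how many times pam_mkhomedir.so is loaded in common-session, since pam-auth-update and the manual edit in Step 3 can each add a line. File paths are parameters so the demo runs on constructed copies; point them at /etc/sssd/sssd.conf and /etc/pam.d/common-session on the real machine.

```shell
#!/bin/sh
# Added example, not from the original guide: post-join audit of sssd.conf
# and the PAM session stack. The values checked are the ones the guide sets.

# sssd_get FILE SECTION KEY -> prints the value, or nothing if absent
sssd_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); cur = s; next }
        cur == sect && /=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }
        }' "$1"
}

# audit_sssd_conf FILE DOMAIN -> prints findings, returns the number of FAIL lines
audit_sssd_conf() {
    f=$1; dom=$2; n=0
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $f is $mode; expected 0600 (cache_credentials stores password hashes here)"
        n=$((n + 1))
    fi
    # id_provider/access_provider = ad make AD, not just LDAP, the source of identity and
    # account-state decisions; cache_credentials = True is what allows offline logins.
    for kv in id_provider=ad access_provider=ad cache_credentials=True; do
        k=${kv%%=*}; want=${kv#*=}
        got=$(sssd_get "$f" "domain/$dom" "$k")
        if [ "$got" != "$want" ]; then
            echo "FAIL: [domain/$dom] $k = '$got', expected '$want'"
            n=$((n + 1))
        fi
    done
    case " $(sssd_get "$f" sssd domains | tr ',' ' ') " in
        *" $dom "*) ;;
        *) echo "FAIL: [sssd] domains does not list $dom"; n=$((n + 1)) ;;
    esac
    if [ "$(sssd_get "$f" "domain/$dom" ad_gpo_access_control)" != "enforcing" ]; then
        echo "INFO: ad_gpo_access_control is not 'enforcing': AD logon-rights GPOs are evaluated but not enforced"
    fi
    return "$n"
}

# count_pam_module FILE MODULE -> number of active (uncommented) lines loading MODULE
count_pam_module() {
    grep -v '^[ \t]*#' "$1" | grep -c "$2"
}

# --- demo on constructed files (values copied from the guide's sssd.conf) ---
demo=$(mktemp -d)
cat > "$demo/sssd.conf" <<'EOF'
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam
[domain/yourdomain.com]
id_provider = ad
access_provider = ad
cache_credentials = True
ad_gpo_access_control = permissive
EOF
chmod 600 "$demo/sssd.conf"
printf 'session optional pam_mkhomedir.so\nsession required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' > "$demo/common-session"
audit_sssd_conf "$demo/sssd.conf" yourdomain.com && echo "sssd.conf: no failures"
[ "$(count_pam_module "$demo/common-session" pam_mkhomedir.so)" -le 1 ] \
    || echo "WARN: pam_mkhomedir.so is listed more than once in common-session; keep a single line"
rm -rf "$demo"
```

Run it as root against the real files and treat any FAIL line as a reason not to hand the machine over; the INFO line simply records that the guide chose permissive GPO handling, which is fine as long as that was the intent.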