Joining a Mint Linux Machine to the Domain and Enabling RDP

A screenshot of Linux Mint's Cinnamon Desktop upon signing in

This guide is one of several that were pieced together during our recent network overhaul and expansion project. It is intended for a Linux Mint 21.3 machine with the default Cinnamon desktop environment. You might have success with versions close to 21.3 or other desktop environments using this guide.

Follow these detailed steps to join your Mint Linux machine to the domain and enable RDP functionality.

Step 1: Update and Install Necessary Software

First, update your system and install the required software, including SSH.

sudo apt update
sudo apt upgrade -y
sudo apt-get install -y openssh-server # OPTIONAL
sudo reboot

Step 2: Install Required Packages and Prepare the System

Next, install the necessary packages for domain integration and configure some initial settings.

sudo apt-get install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli lightdm-gtk-greeter libpam-mkhomedir xrdp xorgxrdp
# You'll be prompted to enter your domain: YOURDOMAIN.COM
sudo usermod -a -G ssl-cert xrdp
sudo apt -y remove avahi-daemon
sudo nano /etc/sudoers # OPTIONAL

OPTIONAL: Add any users or groups that need sudo access to the sudoers file, for example:

%myWorkstationAdmins ALL=(ALL) ALL
%myDomainAdmins ALL=(ALL) ALL

Step 3: Configure Login Screen Integration

Update PAM configuration to create home directories automatically upon first login.

sudo pam-auth-update --enable mkhomedir
sudo nano /etc/pam.d/common-session

Add the following line:

session required skel=/etc/skel/ umask=0022

Update the LightDM PAM configuration:

sudo nano /etc/pam.d/lightdm

Replace the entire file with the following:

# /etc/pam.d/lightdm - PAM configuration for LightDM
# Prevent non-root users from login when /etc/nologin exists
auth    requisite
# Allow users in the 'nopasswdlogin' group to bypass authentication
auth    sufficient user ingroup nopasswdlogin
# Include common authentication settings
@include common-auth
# Optional support for GNOME and KDE keyrings
-auth   optional
-auth   optional
-auth   optional

# Include common account settings
@include common-account

# Include common session settings
session [success=ok ignore=ignore module_unknown=ignore default=bad] close
#session required
session required
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] open
-session optional auto_start
-session optional auto_start
-session optional auto_start
session required readenv=1
session required readenv=1 user_readenv=1 envfile=/etc/default/locale

# Include common password settings
@include common-password

# Allow users to be authenticated by SSSD
auth    sufficient

# Include common account settings again for pam_sss
account [default=bad success=ok user_unknown=ignore]

# Include common session settings again for pam_sss
session optional

# Include common password settings again for pam_sss
password sufficient

Update LightDM configuration:

sudo nano /etc/lightdm/lightdm.conf

Add the following lines:


Update the LightDM greeter configuration:

sudo nano /etc/pam.d/lightdm-greeter

Add the following lines to the top of the file:

auth    required
account required
session required

Step 4: Join the Domain and Configure SSSD

Configure DNS and host files for domain joining:

sudo nano /etc/resolv.conf

Replace the nameserver line:


Make the file immutable to prevent changes:

sudo chattr +i /etc/resolv.conf
sudo nano /etc/hosts

Replace the second line:       mintMachine

Add the domain controller to the hosts file:

sudo -i
sudo echo servername >> /etc/hosts

Join the Domain

Discover and join the domain:

sudo realm discover # TEST to see if the domain is visible
sudo realm join --user=Administrator
sudo id <user>@<domain>  # TEST to see if you can pull a user. If not, you may just need to reboot the machine.

Configure SSSD:

sudo nano /etc/sssd/sssd.conf

Match the following configuration:

domains =
config_file_version = 2
services = nss, pam

default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain =
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive

filter_groups = root
filter_users = root
reconnection_retries = 3

reconnection_retries = 3

Set the correct permissions and reboot:

sudo chmod 600 /etc/sssd/sssd.conf
sudo reboot
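
To check the finished file before rebooting, the script below is an added example and not part of the original guide. It flags a mode other than 600, an empty domains line, and the three settings above that affect who can log in and how credentials are kept: ad_gpo_access_control = permissive, cache_credentials and krb5_store_password_if_offline. The function names are made up here, and offline_credentials_expiration is an SSSD [pam] option that the guide does not set.

```shell
#!/bin/sh
# Added example: audit an sssd.conf such as the one in Step 4.
# conf_get, is_true, finding and audit_sssd_conf are names made up here.

# conf_get FILE KEY: print the first value assigned to KEY, trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# is_true VALUE: succeed when VALUE is "true" in any letter case.
is_true() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# finding TEXT: print one finding and count it.
finding() {
    echo "$1"
    findings=$((findings + 1))
}

# audit_sssd_conf FILE: print one line per finding, or "OK" if there are none.
audit_sssd_conf() {
    conf=$1
    findings=0
    mode=$(stat -c '%a' "$conf")    # GNU stat, as shipped with Linux Mint
    [ "$mode" = "600" ] ||
        finding "FAIL mode: file is $mode, Step 4 sets 600"
    [ -n "$(conf_get "$conf" domains)" ] ||
        finding "FAIL domains: empty, so no domain is configured"
    # permissive: GPO logon rules are evaluated and logged, not enforced.
    [ "$(conf_get "$conf" ad_gpo_access_control)" != "permissive" ] ||
        finding "WARN ad_gpo_access_control: permissive does not enforce GPO logon rules"
    # offline_credentials_expiration unset or 0 means no limit (in days).
    expiry=$(conf_get "$conf" offline_credentials_expiration)
    if is_true "$(conf_get "$conf" cache_credentials)" && [ "${expiry:-0}" = "0" ]; then
        finding "WARN cache_credentials: cached logins have no offline expiry"
    fi
    # The stored password stays in the kernel keyring until SSSD is online again.
    if is_true "$(conf_get "$conf" krb5_store_password_if_offline)"; then
        finding "WARN krb5_store_password_if_offline: password kept in kernel keyring while offline"
    fi
    [ "$findings" -gt 0 ] || echo "OK"
}
```

After sourcing these functions in a root shell, run audit_sssd_conf /etc/sssd/sssd.conf; the file is readable only by root once its mode is 600.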
