Joining a Uwuntu Machine to the Domain and Enabling RDP

A screenshot of Uwuntu's Budgie Desktop upon signing in
This is another guide pieced together during our recent network overhaul and expansion project. It is the second image we built, and there wasn’t much of a difference between Linux Mint and this Uwuntu instance. This article is longer, though. Uwuntu is a variant of Ubuntu that is jam-packed with all kinds of little anime and weeb goodies for you to enjoy. You can thank @PenguinPlans for introducing this fun to the community over in our Discord.
The version of Uwuntu used for this guide is 22.10 with the default Budgie desktop environment, but you may have success with other versions and desktops, or maybe even with OG Ubuntu itself.
Follow these detailed steps to join your Uwuntu machine to the domain and enable RDP functionality.
Step 1: Update and Install Necessary Software
First, update your system and install the required software, including SSH.
sudo apt update
sudo apt upgrade -y
sudo apt-get install -y openssh-server # OPTIONAL
sudo reboot
Step 2: Install Required Packages and Prepare the System
Next, install the necessary packages for domain integration and configure some initial settings.
sudo apt-get install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli lightdm-gtk-greeter libpam-mkhomedir xrdp xorgxrdp
# When prompted for the default Kerberos realm, enter: YOURDOMAIN.COM
sudo usermod -a -G ssl-cert xrdp
sudo nano /etc/xrdp/startwm.sh
Replace the contents of startwm.sh with the following script to support the Budgie desktop:
#!/bin/sh
if test -r /etc/profile; then
. /etc/profile
fi
# Add support for Budgie
export DESKTOP_SESSION=budgie-desktop
export XDG_SESSION_DESKTOP=budgie-desktop
export XDG_CURRENT_DESKTOP=Budgie:GNOME
export XDG_CONFIG_DIRS=/etc/xdg/xdg-budgie-desktop:/etc/xdg
exec /usr/bin/budgie-desktop
Remove the avahi-daemon package:
sudo apt -y remove avahi-daemon
sudo visudo # OPTIONAL: opens /etc/sudoers and checks its syntax on save
OPTIONAL: Add the following lines under the sudo section if you have any admin groups in AD that you’d like to have access to sudo:
%myWorkstationAdmins ALL=(ALL) ALL
%myDomainAdmins ALL=(ALL) ALL
Step 3: Configure Login Screen Integration
Update the PAM configuration to create home directories automatically upon first login.
sudo pam-auth-update --enable mkhomedir
sudo nano /etc/pam.d/common-session
Add the following line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Update the LightDM PAM configuration:
sudo nano /etc/pam.d/lightdm
Replace the entire file with the following…
# /etc/pam.d/lightdm - PAM configuration for LightDM
#%PAM-1.0
# Prevent non-root users from login when /etc/nologin exists
auth requisite pam_nologin.so
# Allow users in the 'nopasswdlogin' group to bypass authentication
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
# Include common authentication settings
@include common-auth
# Optional support for GNOME and KDE keyrings
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
# Include common account settings
@include common-account
# Include common session settings
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
# Include common password settings
@include common-password
# Allow users to be authenticated by SSSD
auth sufficient pam_sss.so
# Include common account settings again for pam_sss
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# Include common session settings again for pam_sss
session optional pam_sss.so
# Include common password settings again for pam_sss
password sufficient pam_sss.so
Update the LightDM configuration:
sudo nano /etc/lightdm/lightdm.conf
Add the following lines:
[Seat:*]
greeter-session=lightdm-gtk-greeter
autologin-user-timeout=0
greeter-show-manual-login=true
greeter-hide-users=true
Update the LightDM greeter configuration:
sudo nano /etc/pam.d/lightdm-greeter
Add the following lines to the top of the file:
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
Step 4: Join the Domain and Configure SSSD
Configure DNS and host files for domain joining:
sudo nano /etc/resolv.conf
Replace the nameserver line:
nameserver 192.168.0.5
Make the file immutable to prevent changes:
sudo chattr +i /etc/resolv.conf
sudo nano /etc/hosts
Replace the second line:
192.168.0.5 myServer myServer.yourdomain.com
Add the domain controller to the hosts file:
# Append as root via tee; a plain "sudo echo ... >> /etc/hosts" only works from a root shell
echo "192.168.0.5 myServer.yourdomain.com myServer" | sudo tee -a /etc/hosts
Discover and join the domain:
sudo realm discover yourdomain.com
sudo realm join --user=Administrator yourdomain.com
sudo id [email protected] # TEST
Configure SSSD:
sudo nano /etc/sssd/sssd.conf
Match the following configuration:
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam
[domain/yourdomain.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = yourdomain.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
Set the correct permissions and reboot:
sudo chmod 600 /etc/sssd/sssd.conf
sudo reboot
That’s all.
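The sssd.conf from Step 4 decides who can log in once the machine is joined, so the following added example (not part of the original guide) audits such a file for the 600 mode set above, for an ad_gpo_access_control value that evaluates logon GPOs without enforcing them, and for access_provider = ad with no ad_access_filter. The function names and the sample file are constructed for illustration; on a real host, run audit_sssd_conf /etc/sssd/sssd.conf as root.

```shell
#!/bin/sh
# Added example, not from the guide: audit an sssd.conf like the one in Step 4.
# Print the value of option $2 from the [domain/...] section of file $1.
domain_opt() {
    awk -v key="$2" '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//); next }
        in_dom && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one finding per line; return 0 if clean, 1 if flagged, 2 on error.
audit_sssd_conf() {
    f=$1; flagged=0
    mode=$(stat -c '%a' "$f") || return 2   # GNU stat, as shipped on Ubuntu
    if [ "$mode" != 600 ]; then
        echo "MODE: $f is $mode, expected 600"
        flagged=1
    fi
    gpo=$(domain_opt "$f" ad_gpo_access_control)
    case $gpo in
        permissive|disabled)
            echo "GPO: ad_gpo_access_control=$gpo, logon GPOs are not enforced"
            flagged=1 ;;
    esac
    if [ "$(domain_opt "$f" access_provider)" = ad ] &&
       [ -z "$(domain_opt "$f" ad_access_filter)" ]; then
        echo "ACCESS: access_provider=ad without ad_access_filter"
        flagged=1
    fi
    return "$flagged"
}

# Constructed sample: the guide's access-control lines, with a loose file mode.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '[domain/yourdomain.com]' 'id_provider = ad' \
        'access_provider = ad' 'ad_gpo_access_control = permissive' > "$tmp"
    chmod 644 "$tmp"
    audit_sssd_conf "$tmp"; status=$?
    rm -f "$tmp"
    return "$status"
}

demo || true
```

A GPO finding means the logon policy is only logged, and an ACCESS finding means no LDAP filter narrows which domain accounts may log in; the LDAP filter used for ad_access_filter is site-specific.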