{"id":104,"date":"2024-06-17T10:18:36","date_gmt":"2024-06-17T15:18:36","guid":{"rendered":"https:\/\/it.blackcatsystems.org\/?p=104"},"modified":"2024-06-22T11:06:02","modified_gmt":"2024-06-22T16:06:02","slug":"joining-a-uwuntu-machine-to-the-domain-and-enabling-rdp","status":"publish","type":"post","link":"https:\/\/it.blackcatsystems.org\/index.php\/2024\/06\/17\/joining-a-uwuntu-machine-to-the-domain-and-enabling-rdp\/","title":{"rendered":"Joining a Uwuntu Machine to the Domain and Enabling RDP"},"content":{"rendered":"\n

This is another guide pieced together during our recent network overhaul and expansion project. This is the second image we built and there wasn’t much of a difference between Linux Mint and this Uwuntu instance. This article is longer. Uwuntu is a variant of Ubuntu that is jam packed with all kinds of little Anime and weeb<\/em> goodies for you to enjoy. You can thank @PenguinPlans for introducing this fun to the community over in our Discord.
The version of Uwuntu used for this guide is 22.10 with the default Budgie desktop environment, but you may have success with other versions and desktops, or maybe even with OG Ubuntu itself.<\/p>\n\n\n\n

Follow these detailed steps to join your Uwuntu machine to the domain and enable RDP functionality.<\/p>\n\n\n\n

Step 1: Update and Install Necessary Software<\/strong><\/p>\n\n\n\n

First, update your system and install the required software, including SSH.<\/p>\n\n\n\n

sudo apt update\nsudo apt upgrade -y\nsudo apt-get install -y openssh-server # OPTIONAL\nsudo reboot<\/code><\/pre>\n\n\n\n
Step 2: Install Required Packages and Prepare the System<\/strong><\/p>\n\n\n\n
Next, install the necessary packages for domain integration and configure some initial settings.<\/p>\n\n\n\n
sudo apt-get install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli lightdm-gtk-greeter libpam-mkhomedir xrdp xorgxrdp\n# When prompted, enter: YOURDOMAIN.COM\nsudo usermod -a -G ssl-cert xrdp\nsudo nano \/etc\/xrdp\/startwm.sh<\/code><\/pre>\n\n\n\n
Replace the contents of startwm.sh<\/code> with the following script to support the Budgie desktop:<\/p>\n\n\n\n
#!\/bin\/sh\nif test -r \/etc\/profile; then\n        . \/etc\/profile\nfi\n\n# Add support for Budgie\nexport DESKTOP_SESSION=budgie-desktop\nexport XDG_SESSION_DESKTOP=budgie-desktop\nexport XDG_CURRENT_DESKTOP=Budgie:GNOME\nexport XDG_CONFIG_DIRS=\/etc\/xdg\/xdg-budgie-desktop:\/etc\/xdg\n\nexec \/usr\/bin\/budgie-desktop<\/code><\/pre>\n\n\n\n
Remove the avahi-daemon<\/code> package:<\/p>\n\n\n\n
sudo apt -y remove avahi-daemon\nsudo nano \/etc\/sudoers # OPTIONAL<\/code><\/pre>\n\n\n\n
OPTIONAL: Add the following lines under the sudo section if you have any admin groups in AD that you’d like to have access to sudo:<\/p>\n\n\n\n
%myWorkstationAdmins ALL=(ALL) ALL\n%myDomainAdmins ALL=(ALL) ALL<\/code><\/pre>\n\n\n\n
Step 3: Configure Login Screen Integration<\/strong><\/p>\n\n\n\n
Update PAM configuration to create home directories automatically upon first login.<\/p>\n\n\n\n
sudo pam-auth-update --enable mkhomedir\nsudo nano \/etc\/pam.d\/common-session<\/code><\/pre>\n\n\n\n
Add the following line:<\/p>\n\n\n\n
session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\n
Update the LightDM PAM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/lightdm<\/code><\/pre>\n\n\n\n
Replace the entire file with the following…<\/p>\n\n\n\n
# \/etc\/pam.d\/lightdm - PAM configuration for LightDM\n#%PAM-1.0\n# Prevent non-root users from login when \/etc\/nologin exists\nauth    requisite       pam_nologin.so\n# Allow users in the 'nopasswdlogin' group to bypass authentication\nauth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin\n# Include common authentication settings\n@include common-auth\n# Optional support for GNOME and KDE keyrings\n-auth   optional        pam_gnome_keyring.so\n-auth   optional        pam_kwallet.so\n-auth   optional        pam_kwallet5.so\n\n# Include common account settings\n@include common-account\n\n# Include common session settings\nsession [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close\n#session required        pam_loginuid.so\nsession required        pam_limits.so\n@include common-session\nsession [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open\n-session optional        pam_gnome_keyring.so auto_start\n-session optional        pam_kwallet.so auto_start\n-session optional        pam_kwallet5.so auto_start\nsession required        pam_env.so readenv=1\nsession required        pam_env.so readenv=1 user_readenv=1 envfile=\/etc\/default\/locale\n\n# Include common password settings\n@include common-password\n\n# Allow users to be authenticated by SSSD\nauth    sufficient      pam_sss.so\n\n# Include common account settings again for pam_sss\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\n\n# Include common session settings again for pam_sss\nsession optional        pam_sss.so\n\n# Include common password settings again for pam_sss\npassword sufficient     pam_sss.so<\/code><\/pre>\n\n\n\n
Update LightDM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/lightdm\/lightdm.conf<\/code><\/pre>\n\n\n\n
Add the following lines:<\/p>\n\n\n\n
[Seat:*]\ngreeter-session=lightdm-gtk-greeter\nautologin-user-timeout=0\ngreeter-show-manual-login=true\ngreeter-hide-users=true<\/code><\/pre>\n\n\n\n
Update the LightDM greeter configuration:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/lightdm-greeter<\/code><\/pre>\n\n\n\n
Add the following lines to the top of the file:<\/p>\n\n\n\n
auth    required    pam_permit.so\naccount required    pam_permit.so\nsession required    pam_permit.so<\/code><\/pre>\n\n\n\n
Step 4: Join the Domain and Configure SSSD<\/strong><\/p>\n\n\n\n
Configure DNS and host files for domain joining:<\/p>\n\n\n\n
sudo nano \/etc\/resolv.conf<\/code><\/pre>\n\n\n\n
Replace the nameserver line:<\/p>\n\n\n\n
nameserver 192.168.0.5<\/code><\/pre>\n\n\n\n
Make the file immutable to prevent changes:<\/p>\n\n\n\n
sudo chattr +i \/etc\/resolv.conf\nsudo nano \/etc\/hosts<\/code><\/pre>\n\n\n\n
Replace the second line:<\/p>\n\n\n\n
192.168.0.5       myServer myServer.yourdomain.com<\/code><\/pre>\n\n\n\n
Add the domain controller to the hosts file:<\/p>\n\n\n\n
sudo -i\nsudo echo 192.168.0.5 myServer.yourdomain.com myServer >> \/etc\/hosts<\/code><\/pre>\n\n\n\n
Discover and join the domain:<\/p>\n\n\n\n
sudo realm discover yourdomain.com\nsudo realm join --user=Administrator yourdomain.com\nsudo id myuser@yourdomain.com  # TEST<\/code><\/pre>\n\n\n\n
Configure SSSD:<\/p>\n\n\n\n
sudo nano \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
Match the following configuration:<\/p>\n\n\n\n
[sssd]\ndomains = yourdomain.com\nconfig_file_version = 2\nservices = nss, pam\n\n[domain\/yourdomain.com]\ndefault_shell = \/bin\/bash\nkrb5_store_password_if_offline = True\ncache_credentials = True\nkrb5_realm = YOURDOMAIN.COM\nrealmd_tags = manages-system joined-with-adcli\nid_provider = ad\nfallback_homedir = \/home\/%u@%d\nad_domain = yourdomain.com\nuse_fully_qualified_names = False\nldap_id_mapping = True\naccess_provider = ad\nad_gpo_access_control = permissive\n\n[nss]\nfilter_groups = root\nfilter_users = root\nreconnection_retries = 3\n\n[pam]\nreconnection_retries = 3<\/code><\/pre>\n\n\n\n
Set the correct permissions and reboot:<\/p>\n\n\n\n
sudo chmod 600 \/etc\/sssd\/sssd.conf\nsudo reboot<\/code><\/pre>\n\n\n\n
That’s all.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is another guide pieced together during our recent network overhaul and expansion project. This…<\/p>\n","protected":false},"author":55,"featured_media":118,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/comments?post=104"}],"version-history":[{"count":2,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/104\/revisions"}],"predecessor-version":[{"id":106,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/104\/revisions\/106"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media\/118"}],"wp:attachment":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media?parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/categories?post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/tags?post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}