{"id":107,"date":"2024-06-17T10:51:12","date_gmt":"2024-06-17T15:51:12","guid":{"rendered":"https:\/\/it.blackcatsystems.org\/?p=107"},"modified":"2024-06-22T11:06:53","modified_gmt":"2024-06-22T16:06:53","slug":"joining-a-endeavouros-to-the-domain-and-enabling-rdp","status":"publish","type":"post","link":"https:\/\/it.blackcatsystems.org\/index.php\/2024\/06\/17\/joining-a-endeavouros-to-the-domain-and-enabling-rdp\/","title":{"rendered":"Joining a EndeavourOS client to the Domain and Enabling RDP"},"content":{"rendered":"\n

We have yet another Linux distro that was configured and imaged as apart of our recent network overhaul and expansion project. Unlike our other Debian counterparts, this distro was an absolute pain in the ass to figure out, to join to the domain, as well as configure xrdp. It was configured for EndeavourOS Gemini 2024.04.20 on Cinnamon Desktop and it took four long days to get it all together for ya’.<\/p>\n\n\n\n

As a matter of fact, it may not even work for you. That’s right, during the testing process, realmd decided that it would no longer build. Our EndeavourOS image that we have on our PXE server was built from a test image, instead of building it fresh from a live CD like the other operating systems we have, simply because realmd would not build. You may already be aware that its broken. I tried compiling it from its source files with all of its dependencies installed and it still would not work. I apologies as this guide may not be of complete help, but this shit was broken. Still, included with this guide is the commands to build realmd, just in case someone decides to fix it. In the event that it does build, please reach out to me on the Discord so that I can come back here and reword this accordingly.<\/p>\n\n\n\n

Follow these detailed steps to join your Endeavour or maybe even Arch machine to the domain and enable RDP functionality. The following instructions are tailored for the pacman package manager.<\/p>\n\n\n\n

Step 1: Update and Install Necessary Software<\/strong><\/p>\n\n\n\n

First, update your system and install the required software, including SSH.<\/p>\n\n\n\n

sudo pacman -Syu\nsudo pacman -S openssh # OPTIONAL\nsudo systemctl start sshd # OPTIONAL\nsudo systemctl enable sshd # OPTIONAL<\/code><\/pre>\n\n\n\n
Step 2: Install Required Packages and Configure Initial Settings<\/strong><\/p>\n\n\n\n
Install the necessary packages for domain integration and configure the initial settings.<\/p>\n\n\n\n
yay -Sy realmd sssd xrdp xorgxrdp<\/code><\/pre>\n\n\n\n
Update the xrdp configuration:<\/p>\n\n\n\n
sudo nano \/etc\/xrdp\/xrdp.ini<\/code><\/pre>\n\n\n\n
Change the port configuration to:<\/p>\n\n\n\n
port=:\/\/:3389<\/code><\/pre>\n\n\n\n
Create an iptables setup script:<\/p>\n\n\n\n
sudo nano \/usr\/local\/bin\/iptables-setup.sh<\/code><\/pre>\n\n\n\n
Match the contents with the following script:<\/p>\n\n\n\n
#!\/bin\/bash\niptables -A INPUT -p tcp --dport 3389 -j ACCEPT\niptables-save | tee \/etc\/iptables\/iptables.rules\nsystemctl enable iptables\nsystemctl start iptables<\/code><\/pre>\n\n\n\n
Make the script executable and create a systemd service for it:<\/p>\n\n\n\n
sudo chmod +x \/usr\/local\/bin\/iptables-setup.sh\nsudo nano \/etc\/systemd\/system\/iptables-setup.service<\/code><\/pre>\n\n\n\n
Match the contents with the following configuration:<\/p>\n\n\n\n
[Unit]\nDescription=Setup iptables rules\nAfter=network.target\n\n[Service]\nType=oneshot\nExecStart=\/usr\/local\/bin\/iptables-setup.sh\nRemainAfterExit=yes\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
Update the xrdp session start script:<\/p>\n\n\n\n
sudo nano \/etc\/xrdp\/startwm.sh<\/code><\/pre>\n\n\n\n
Match the contents with the following script:<\/p>\n\n\n\n
#!\/bin\/sh\n\nif [ -r \/etc\/profile ]; then\n    . \/etc\/profile\nfi\n\nif [ -r \/etc\/environment ]; then\n    . \/etc\/environment\nfi\n\nexport DESKTOP_SESSION=cinnamon\nexport XDG_SESSION_DESKTOP=cinnamon\nexport XDG_CURRENT_DESKTOP=cinnamon\n\nexec \/usr\/bin\/cinnamon-session<\/code><\/pre>\n\n\n\n
Reload systemd daemon and start the services:<\/p>\n\n\n\n
sudo systemctl daemon-reload\nsudo systemctl enable iptables-setup.service\nsudo systemctl start iptables-setup.service\nsudo systemctl enable xrdp\nsudo systemctl start xrdp\nsudo systemctl enable xrdp-sesman\nsudo systemctl start xrdp-sesman\nss -tuln | grep 3389   # Verify listening\nsudo iptables -L   # Verify iptables rules<\/code><\/pre>\n\n\n\n
Download and run the realmd-arch-helper script:<\/p>\n\n\n\n
wget https:\/\/raw.githubusercontent.com\/robinrosenberger\/realmd-arch-helper\/master\/realmd-arch-helper.sh\nchmod +x realmd-arch-helper.sh\nsudo -i\nsudo .\/realmd-arch-helper.sh --patch-config<\/code><\/pre>\n\n\n\n
Update the sudoers file:<\/p>\n\n\n\n
sudo nano \/etc\/sudoers # OPTIONAL<\/code><\/pre>\n\n\n\n
Add the following lines under the sudo section:<\/p>\n\n\n\n
%myWorkstationAdmins ALL=(ALL) ALL\n%myDomainAdmins ALL=(ALL) ALL<\/code><\/pre>\n\n\n\n
Step 3: Configure PAM and Login Screen<\/strong><\/p>\n\n\n\n
Update the PAM configuration for su<\/code>:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/su<\/code><\/pre>\n\n\n\n
Match the contents with the following configuration:<\/p>\n\n\n\n
#%PAM-1.0\nauth            sufficient      pam_rootok.so\n# Uncomment the following line to implicitly trust users in the \"wheel\" group.\n#auth           sufficient      pam_wheel.so trust use_uid\n# Uncomment the following line to require a user to be in the \"wheel\" group.\n#auth           required        pam_wheel.so use_uid\nauth            sufficient      pam_unix.so\nauth            sufficient      pam_sss.so\nauth            required        pam_unix.so\n\naccount         required        pam_unix.so\naccount         sufficient      pam_sss.so\naccount         required        pam_unix.so\n\nsession         required        pam_unix.so\nsession         optional        pam_sss.so\nsession         required        pam_unix.so\n\npassword        include         system-auth<\/code><\/pre>\n\n\n\n
Update the LightDM PAM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/lightdm<\/code><\/pre>\n\n\n\n
Replace the contents with the following…<\/p>\n\n\n\n
#%PAM-1.0\nauth        required    pam_env.so\nauth        sufficient  pam_unix.so try_first_pass\nauth        sufficient  pam_sss.so use_first_pass\nauth        required    pam_deny.so\n\naccount     required    pam_unix.so\naccount     sufficient  pam_sss.so\naccount     required    pam_permit.so\n\npassword    required    pam_unix.so\npassword    sufficient  pam_sss.so use_authtok\npassword    required    pam_deny.so\n\nsession     required    pam_limits.so\nsession     required    pam_unix.so\nsession     optional    pam_sss.so\nsession     optional    pam_mkhomedir.so skel=\/etc\/skel umask=0077\nsession     optional    pam_systemd.so<\/code><\/pre>\n\n\n\n
Update the LightDM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/lightdm\/lightdm.conf<\/code><\/pre>\n\n\n\n
Match the contents with the following configuration:<\/p>\n\n\n\n
[LightDM]\nlogind-check-graphical=true\n[Seat:*]\ngreeter-session=lightdm-gtk-greeter\nautologin-user-timeout=0\ngreeter-show-manual-login=true\ngreeter-hide-users=true\nsession-wrapper=\/etc\/lightdm\/Xsession\nuser-session=cinnamon<\/code><\/pre>\n\n\n\n
Update the NSS configuration:<\/p>\n\n\n\n
sudo nano \/etc\/nsswitch.conf<\/code><\/pre>\n\n\n\n
Ensure it matches the following:<\/p>\n\n\n\n
passwd: files systemd sss\ngroup: files [SUCCESS=merge] systemd sss\nshadow: files systemd sss\ngshadow: files systemd sss\nnetgroup: files sss<\/code><\/pre>\n\n\n\n
Step 4: Install XFCE and Systemd Components<\/strong><\/p>\n\n\n\n
Even though we’re configuring this image for Cinnamon desktop. These packages are required in order for xrdp to work as intended.<\/p>\n\n\n\n
sudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter\nsudo pacman -Syu systemd\nsudo systemctl enable systemd-logind\nsudo systemctl start systemd-logind<\/code><\/pre>\n\n\n\n
Step 5: Join the Domain and Configure SSSD<\/strong><\/p>\n\n\n\n
Configure hostname and hosts files:<\/p>\n\n\n\n
sudo nano \/etc\/hosts<\/code><\/pre>\n\n\n\n
Replace the second line with:<\/p>\n\n\n\n
192.168.0.25       myEndeavourOS myEndeavourOS.yourdomain.com<\/code><\/pre>\n\n\n\n
Add domain controllers to the hosts file:<\/p>\n\n\n\n
sudo -i\nsudo echo 192.168.0.5 myServer.yourdomain.com myserver >> \/etc\/hosts<\/code><\/pre>\n\n\n\n
Discover and join the domain:<\/p>\n\n\n\n
sudo realm discover yourdomain.com   # TRY FIRST\nsudo realm join --user=Administrator yourdomain.com\nsystemctl enable realmd<\/code><\/pre>\n\n\n\n
Configure SSSD:<\/p>\n\n\n\n
sudo nano \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
Match the contents with the following configuration:<\/p>\n\n\n\n
[sssd]\ndomains = yourdomain.com\nconfig_file_version = 2\nservices = nss, pam\n\n[domain\/yourdomain.com]\ndefault_shell = \/bin\/bash\nkrb5_store_password_if_offline = True\ncache_credentials = True\nkrb5_realm = YOURDOMAIN.COM\nrealmd_tags = manages-system joined-with-adcli\nid_provider = ad\nfallback_homedir = \/home\/%u@%d\nad_domain = yourdomain.com\n#use_fully_qualified_names = True\nldap_id_mapping = True\naccess_provider = ad\nad_gpo_access_control = permissive\n\n[nss]\nfilter_groups = root\nfilter_users = root\nreconnection_retries = 3\n\n[pam]\nreconnection_retries = 3<\/code><\/pre>\n\n\n\n
Set the correct permissions and reboot. Once you’re signed in again, install all of the following again. For some reason this is required..<\/p>\n\n\n\n
sudo chmod 600 \/etc\/sssd\/sssd.conf\nsudo pacman -S xfce4 xfce4-goodies xorg xorg-server lightdm-gtk-greeter-settings lightdm-gtk-greeter\nsudo pacman -Syu systemd\nsudo reboot<\/code><\/pre>\n\n\n\n
Upon doing that and rebooting a 2nd time, you should now be able to sign in with a AD user.<\/p>\n","protected":false},"excerpt":{"rendered":"
We have yet another Linux distro that was configured and imaged as apart of our…<\/p>\n","protected":false},"author":55,"featured_media":120,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/comments?post=107"}],"version-history":[{"count":5,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/107\/revisions"}],"predecessor-version":[{"id":116,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/107\/revisions\/116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media\/120"}],"wp:attachment":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media?parent=107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/categories?post=107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/tags?post=107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}