This guide was one of several that was pieced together during our recent network overhaul and expansion project. It is intended for a Linux Mint 21.3 machine with the default Cinnamon desktop environment. You might have success with versions close to 21.3 or other desktop environments using this guide.<\/p>\n\n\n\n
Follow these detailed steps to join your Mint Linux machine to the domain and enable RDP functionality.<\/p>\n\n\n\n
First, update your system and install the required software, including SSH.<\/p>\n\n\n\n
sudo apt update\nsudo apt upgrade -y\nsudo apt-get install -y openssh-server # OPTIONAL\nsudo reboot<\/code><\/pre>\n\n\n\nStep 2: Install Required Packages and Prepare the System<\/h2>\n\n\n\n
Next, install the necessary packages for domain integration and configure some initial settings.<\/p>\n\n\n\n
sudo apt-get install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli lightdm-gtk-greeter libpam-mkhomedir xrdp xorgxrdp\n# You'll be prompted to enter your domain: YOURDOMAIN.COM\nsudo usermod -a -G ssl-cert xrdp\nsudo apt -y remove avahi-daemon\nsudo nano \/etc\/sudoers # OPTIONAL<\/code><\/pre>\n\n\n\nOPTIONAL: If you’d like to add any users or groups to the sudo file, for example:<\/p>\n\n\n\n
%myWorkstationAdmins ALL=(ALL) ALL\n%myDomainAdmins ALL=(ALL) ALL<\/code><\/pre>\n\n\n\nStep 3: Configure Login Screen Integration<\/h2>\n\n\n\n
Update PAM configuration to create home directories automatically upon first login.<\/p>\n\n\n\n
sudo pam-auth-update --enable mkhomedir\nsudo nano \/etc\/pam.d\/common-session<\/code><\/pre>\n\n\n\nAdd the following line:<\/p>\n\n\n\n
session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\nUpdate the LightDM PAM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/lightdm<\/code><\/pre>\n\n\n\nReplace the entire file with the following..<\/p>\n\n\n\n
# \/etc\/pam.d\/lightdm - PAM configuration for LightDM\n#%PAM-1.0\n# Prevent non-root users from login when \/etc\/nologin exists\nauth requisite pam_nologin.so\n# Allow users in the 'nopasswdlogin' group to bypass authentication\nauth sufficient pam_succeed_if.so user ingroup nopasswdlogin\n# Include common authentication settings\n@include common-auth\n# Optional support for GNOME and KDE keyrings\n-auth optional pam_gnome_keyring.so\n-auth optional pam_kwallet.so\n-auth optional pam_kwallet5.so\n\n# Include common account settings\n@include common-account\n\n# Include common session settings\nsession [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close\n#session required pam_loginuid.so\nsession required pam_limits.so\n@include common-session\nsession [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open\n-session optional pam_gnome_keyring.so auto_start\n-session optional pam_kwallet.so auto_start\n-session optional pam_kwallet5.so auto_start\nsession required pam_env.so readenv=1\nsession required pam_env.so readenv=1 user_readenv=1 envfile=\/etc\/default\/locale\n\n# Include common password settings\n@include common-password\n\n# Allow users to be authenticated by SSSD\nauth sufficient pam_sss.so\n\n# Include common account settings again for pam_sss\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\n\n# Include common session settings again for pam_sss\nsession optional pam_sss.so\n\n# Include common password settings again for pam_sss\npassword sufficient pam_sss.so<\/code><\/pre>\n\n\n\nUpdate LightDM configuration:<\/p>\n\n\n\n
sudo nano \/etc\/lightdm\/lightdm.conf<\/code><\/pre>\n\n\n\nAdd the following lines:<\/p>\n\n\n\n
[Seat:*]\ngreeter-session=lightdm-gtk-greeter\nautologin-user-timeout=0\ngreeter-show-manual-login=true\ngreeter-hide-users=true<\/code><\/pre>\n\n\n\nUpdate the LightDM greeter configuration:<\/p>\n\n\n\n
sudo nano \/etc\/pam.d\/lightdm-greeter<\/code><\/pre>\n\n\n\nAdd the following lines to the top of the file:<\/p>\n\n\n\n
auth required pam_permit.so\naccount required pam_permit.so\nsession required pam_permit.so<\/code><\/pre>\n\n\n\nStep 4: Join the Domain and Configure SSSD<\/h2>\n\n\n\n
Configure DNS and host files for domain joining:<\/p>\n\n\n\n
sudo nano \/etc\/resolv.conf<\/code><\/pre>\n\n\n\nReplace the nameserver line:<\/p>\n\n\n\n
nameserver 192.168.0.5<\/code><\/pre>\n\n\n\nMake the file immutable to prevent changes:<\/p>\n\n\n\n
sudo chattr +i \/etc\/resolv.conf\nsudo nano \/etc\/hosts<\/code><\/pre>\n\n\n\nReplace the second line:<\/p>\n\n\n\n
192.168.0.25 mintMachine mintMachine.yourdomain.com<\/code><\/pre>\n\n\n\nAdd the domain controller to the hosts file:<\/p>\n\n\n\n
sudo -i\nsudo echo 192.168.0.5 servername.yourdomain.com servername >> \/etc\/hosts<\/code><\/pre>\n\n\n\nJoin the Domain<\/strong><\/p>\n\n\n\nDiscover and join the domain:<\/p>\n\n\n\n
sudo realm discover yourdomain.com # TEST to see if the domain is visible\nsudo realm join --user=Administrator yourdomain.com\nsudo id myuser@yourdomain.com # TEST to see if you can pull a user. If not, you may just need to reboot the machine.<\/code><\/pre>\n\n\n\nConfigure SSSD:<\/p>\n\n\n\n
sudo nano \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\nMatch the following configuration:<\/p>\n\n\n\n
[sssd]\ndomains = yourdomain.com\nconfig_file_version = 2\nservices = nss, pam\n\n[domain\/yourdomain.com]\ndefault_shell = \/bin\/bash\nkrb5_store_password_if_offline = True\ncache_credentials = True\nkrb5_realm = YOURDOMAIN.COM\nrealmd_tags = manages-system joined-with-adcli\nid_provider = ad\nfallback_homedir = \/home\/%u@%d\nad_domain = yourdomain.com\nuse_fully_qualified_names = False\nldap_id_mapping = True\naccess_provider = ad\nad_gpo_access_control = permissive\n\n[nss]\nfilter_groups = root\nfilter_users = root\nreconnection_retries = 3\n\n[pam]\nreconnection_retries = 3<\/code><\/pre>\n\n\n\nSet the correct permissions and reboot:<\/p>\n\n\n\n
sudo chmod 600 \/etc\/sssd\/sssd.conf\nsudo reboot<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"This guide was one of several that was pieced together during our recent network overhaul…<\/p>\n","protected":false},"author":55,"featured_media":121,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-98","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":3,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":103,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/posts\/98\/revisions\/103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media\/121"}],"wp:attachment":[{"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.blackcatsystems.org\/index.php\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}