To support True SSO on an Ubuntu desktop, integrate the desktop with an Active Directory domain using the Samba and Winbind solutions.
Use the following procedure to integrate an Ubuntu desktop with an AD domain.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your Ubuntu desktop. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value   Description
dns_IP_ADDRESS      IP address of your DNS name server
mydomain.com        DNS name of your AD domain
MYDOMAIN.COM        DNS name of your AD domain, in all capital letters (this is also the Kerberos realm name)
myhost              Host name of your Ubuntu desktop
MYDOMAIN            NetBIOS (short) name of your AD domain, in all capital letters (this is the workgroup value in smb.conf)
ads-hostname        Host name of your AD server
admin-user          User name of the AD domain administrator, or of a less privileged account that has been delegated the right to join computers to the domain
Prerequisites
- The Active Directory (AD) server is resolvable by DNS on the Linux system.
- The Network Time Protocol (NTP) is configured on the Linux system so that its clock is synchronized with the domain controllers. Kerberos rejects requests when the clock skew exceeds 5 minutes (the default tolerance), so a drifted clock makes kinit and the domain join fail.
Procedure
- On your Ubuntu desktop, install the samba and winbind packages.
sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
- When prompted, configure the Kerberos Authentication settings as follows.
- For Default Kerberos version 5 realm, enter the DNS name of your AD domain using all capital letters.
For example, if your AD domain name is mydomain.com, enter MYDOMAIN.COM.
- For Kerberos servers for your realm, enter the host name of your AD server (represented as ads-hostname in the examples throughout this procedure). Use a name that resolves through the DNS server configured later in this procedure, such as the fully qualified domain name of the domain controller.
- For Administrative server for your Kerberos realm, enter the host name of your AD server again.
- Update the PAM configuration so that a home directory is created for domain users on their first login.
- Open the PAM configuration page by running sudo pam-auth-update.
- Select Create home directory on login, and then select Ok.
- Edit the /etc/nsswitch.conf configuration file, as shown in the following example.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
- To ensure that the auto-generated resolv.conf file refers to your AD domain as a search domain, edit the NetworkManager settings for your system connection.
- Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For Method, select Automatic (DHCP) addresses only. In the DNS servers text box, enter the IP address of your DNS name server (represented as dns_IP_ADDRESS in the examples throughout this procedure). Then click Save.
- Edit the configuration file for your system connection located in /etc/NetworkManager/system-connections. Use the following example.
[ipv4]
dns=dns_IP_ADDRESS
dns-search=mydomain.com
ignore-auto-dns=true
method=auto
Note: When an instant clone is created from the template, a new virtual network adapter is added to the clone. Settings bound to the template's adapter, such as its DNS server, are lost together with the old adapter. To keep name resolution of the AD domain working in each clone, specify the DNS server for the Linux system itself.
- Specify the DNS server by editing the /etc/resolv.conf configuration file, as shown in the following example. On Ubuntu releases where /etc/resolv.conf is generated by systemd-resolved or NetworkManager, a hand-edited file is overwritten on the next network change; in that case the DNS settings in the NetworkManager connection from the previous step are what persists, and /etc/resolv.conf should only be checked, not edited.
nameserver dns_IP_ADDRESS
search mydomain.com
- Reboot your system and log back in.
- Edit the /etc/hosts configuration file, as shown in the following example.
127.0.0.1 localhost
127.0.1.1 myhost.mydomain.com myhost
- Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
[global]
security = ads
realm = MYDOMAIN.COM
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
kerberos method = secrets and keytab
winbind refresh tickets = true
The realm must be the AD domain name in capital letters and must match default_realm in /etc/krb5.conf. The two idmap config lines are the Samba 4 form of the older idmap uid and idmap gid parameters; they reserve the UID and GID range 10000-20000 for domain accounts, so pick a range that does not overlap local accounts. winbind enum users and winbind enum groups let getent list every domain user and group, which the verification step at the end of this procedure relies on but which is slow in large domains; they can be turned off once the join is verified. kerberos method = secrets and keytab makes the join write the machine's Kerberos keys to /etc/krb5.keytab in addition to secrets.tdb. Check the file for syntax and unknown parameters with testparm -s before restarting the service.
- Restart the smbd service.
sudo systemctl restart smbd.service
- Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname
admin_server = ads-hostname
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
- Join your Ubuntu desktop to the AD domain.
- Obtain a Kerberos ticket for the join account. The ticket is cached for root because the net commands that follow also run under sudo.
sudo kinit admin-user
When prompted, enter the password of the join account.
- Verify that the ticket was obtained.
sudo klist
This command lists the ticket with its valid starting time and expiration time. If kinit fails with "Clock skew too great" or "Cannot find KDC for realm", fix NTP or DNS before continuing.
- Join the AD domain. This creates the computer account for myhost in AD and, because kerberos method = secrets and keytab is set, also writes the host keys to /etc/krb5.keytab.
sudo net ads join -U admin-user
- Create (or refresh) the Kerberos keytab file for the host. This step needs the computer account, so it must run after the join.
sudo net ads keytab create -U admin-user
- Discard the join account's ticket from root's credential cache. It is no longer needed and should not remain on a desktop that will be cloned.
sudo kdestroy
- Restart and verify the Winbind service.
- Restart the Winbind service.
sudo systemctl restart winbind.service
- To verify the join and the Winbind service, run the following commands and check that each returns the expected output without errors.
sudo net ads testjoin
wbinfo -t
wbinfo -u
wbinfo -g
getent passwd
getent group
net ads testjoin reports "Join is OK" when the computer account is valid, and wbinfo -t checks the machine account's trust secret. wbinfo -u and wbinfo -g list domain users and groups through Winbind; getent passwd and getent group show the same accounts through NSS, which confirms the winbind entries in /etc/nsswitch.conf. Domain users appear without the domain prefix because winbind use default domain is set.
- Reboot your system and log back in.
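The following script is an added example and is not part of the VMware or Samba documentation. It lints the three files this procedure edits (smb.conf, krb5.conf, nsswitch.conf) for the mistakes that most often break the join: a realm that is not upper-case or does not match krb5.conf, a missing domain_realm mapping, the pre-Samba-4 idmap uid/idmap gid spelling instead of idmap config, and nsswitch entries without winbind. The function names conf_val, check, check_ad_config and write_samples are hypothetical, and the sample files are constructed from the placeholder values in the table above so that the script runs offline; on a real desktop call check_ad_config with /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf, for example right before running net ads join.

```shell
#!/bin/sh
# Offline lint for the files edited in this procedure. Added example, not part of the
# VMware or Samba documentation. The sample configs are constructed here so the script
# runs offline; on a real desktop call check_ad_config with /etc/samba/smb.conf,
# /etc/krb5.conf and /etc/nsswitch.conf.

# conf_val FILE KEY: value of KEY in FILE (first match; key case-insensitive;
# whitespace around '=' ignored). Good enough for smb.conf and krb5.conf lines.
conf_val() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# not_grep PATTERN FILE: succeeds only if PATTERN does not occur in FILE
not_grep() { ! grep -Eiq "$@"; }

# check DESCRIPTION COMMAND...: run COMMAND, print ok/FAIL, count failures in $fails
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# check_ad_config SMB_CONF KRB5_CONF NSSWITCH_CONF: returns 0 only if every check passes
check_ad_config() {
    smb=$1; krb=$2; nss=$3; fails=0
    realm=$(conf_val "$smb" realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    check "smb.conf: security = ads" [ "$(conf_val "$smb" security)" = ads ]
    check "smb.conf: realm set and upper-case (got '$realm')" [ -n "$realm" -a "$realm" = "$upper" ]
    check "smb.conf: kerberos method = secrets and keytab" \
        [ "$(conf_val "$smb" 'kerberos method')" = "secrets and keytab" ]
    check "smb.conf: no pre-Samba-4 'idmap uid'/'idmap gid' keys" \
        not_grep '^[[:space:]]*idmap [ug]id[[:space:]]*=' "$smb"
    check "smb.conf: 'idmap config * : range' present" \
        grep -Eiq '^[[:space:]]*idmap config \* *: *range[[:space:]]*=' "$smb"
    check "krb5.conf: default_realm matches smb.conf realm" \
        [ "$(conf_val "$krb" default_realm)" = "$realm" ]
    check "krb5.conf: domain_realm maps .$lower to $realm" \
        grep -Eq "^[[:space:]]*\.$lower[[:space:]]*=[[:space:]]*$realm" "$krb"
    check "nsswitch.conf: passwd lookups include winbind" \
        grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$nss"
    check "nsswitch.conf: group lookups include winbind" \
        grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$nss"
    [ "$fails" -eq 0 ]
}

# write_samples DIR VARIANT: constructed sample files (not real system files). 'good'
# mirrors the values in this procedure; 'bad' has a lower-case realm, the old idmap
# keys and no winbind for group lookups.
write_samples() {
    realm=MYDOMAIN.COM; idmap='idmap config * : range = 10000-20000'; grp='compat winbind'
    if [ "$2" = bad ]; then
        realm=mydomain.com; idmap='idmap uid = 10000-20000'; grp=compat
    fi
    cat > "$1/smb.conf" <<EOF
[global]
security = ads
realm = $realm
workgroup = MYDOMAIN
idmap config * : backend = tdb
$idmap
kerberos method = secrets and keytab
EOF
    cat > "$1/krb5.conf" <<EOF
[libdefaults]
default_realm = MYDOMAIN.COM
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
EOF
    cat > "$1/nsswitch.conf" <<EOF
passwd: compat winbind
group: $grp
EOF
}

# Demo run against the constructed 'good' sample; exit status 0 means all checks passed.
demo=$(mktemp -d)
write_samples "$demo" good
check_ad_config "$demo/smb.conf" "$demo/krb5.conf" "$demo/nsswitch.conf"
rm -rf "$demo"
```

The checks are deliberately textual rather than calling Samba, so the script can be run on the template before the packages are fully configured and in CI for a golden image; testparm -s remains the authority on whether Samba itself accepts the file.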