To support True SSO on an Ubuntu desktop, integrate the desktop with an Active Directory domain using the Samba and Winbind solutions.

Use the following procedure to integrate an Ubuntu desktop with an AD domain.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your Ubuntu desktop. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value    Description
dns_IP_ADDRESS       IP address of your DNS name server
mydomain.com         DNS name of your AD domain
MYDOMAIN.COM         DNS name of your AD domain, in all capital letters
myhost               Host name of your Ubuntu desktop
MYDOMAIN             DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname         Host name of your AD server
admin-user           User name of the AD domain administrator

Prerequisites

  • The Active Directory (AD) server is resolvable by DNS on the Linux system.
  • The Network Time Protocol (NTP) is configured on the Linux system.

Procedure

  1. On your Ubuntu desktop, install the Samba, Kerberos, and Winbind packages.
    sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
  2. When prompted, configure the Kerberos Authentication settings as follows.
    1. For Default Kerberos version 5 realm, enter the DNS name of your AD domain using all capital letters.
      For example, if your AD domain name is mydomain.com, enter MYDOMAIN.COM.
    2. For Kerberos servers for your realm, enter the host name of your AD server (represented as ads-hostname in the examples throughout this procedure).
    3. For Administrative server for your Kerberos realm, enter the host name of your AD server again.
  3. Update the PAM configuration.
    1. Open the PAM configuration page.
      sudo pam-auth-update
    2. Select Create home directory on login, and then select Ok.
  4. Edit the /etc/nsswitch.conf configuration file, as shown in the following example.
    passwd: compat winbind
    group: compat winbind
    shadow: compat
    gshadow: files
  5. To ensure that the auto-generated resolv.conf file refers to your AD domain as a search domain, edit the NetworkManager settings for your system connection.
    1. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For Method, select Automatic (DHCP) addresses only. In the DNS servers text box, enter the IP address of your DNS name server (represented as dns_IP_ADDRESS in the examples throughout this procedure). Then click Save.
    2. Edit the configuration file for your system connection located in /etc/NetworkManager/system-connections. Use the following example.
      [ipv4]
      dns=dns_IP_ADDRESS
      dns-search=mydomain.com
      ignore-auto-dns=true
      method=auto
      Note: When a new instant-cloned virtual desktop is created, a new virtual network adapter is added to it, and any setting of the network adapter in the virtual desktop template, such as the DNS server, is lost. To keep the DNS server setting when the new network adapter is added to a cloned virtual desktop, you must specify a DNS server for your Linux system explicitly.
    3. Specify the DNS server by editing the /etc/resolv.conf configuration file, as shown in the following example.
      nameserver dns_IP_ADDRESS
      search mydomain.com
    4. Reboot your system and log back in.
  6. Edit the /etc/hosts configuration file, as shown in the following example.
    127.0.0.1     localhost
    127.0.1.1     myhost.mydomain.com myhost
  7. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
    security = ads
    realm = MYDOMAIN.COM
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2
    kerberos method = secrets and keytab
    winbind refresh tickets = true
  8. Restart the smbd service.
    sudo systemctl restart smbd.service
  9. Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
    [libdefaults]
        default_realm = MYDOMAIN.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        MYDOMAIN.COM = {
            kdc = ads-hostname
            admin_server = ads-hostname
        }

    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

  10. Join your Ubuntu desktop to the AD domain.
    1. Initiate a Kerberos ticket.
      sudo kinit admin-user
      When prompted, enter your administrator password.
    2. Verify that the ticket has been created successfully.
      sudo klist
      This command returns information about the ticket, including its valid starting time and expiration time.
    3. Create a Kerberos keytab file.
      sudo net ads keytab create -U admin-user
    4. Join the AD domain.
      sudo net ads join -U admin-user
  11. Restart and verify the Winbind service.
    1. Restart the Winbind service.
      sudo systemctl restart winbind.service
    2. To verify the Winbind service, run the following commands and check that they return the correct output. The first two list the users and groups of your AD domain, and the last two show those domain users and groups resolved through NSS alongside the local accounts.
      • wbinfo -u
      • wbinfo -g
      • getent passwd
      • getent group
  12. Reboot your system and log back in.
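The following script is an added example, not part of the original procedure, that checks the pieces this procedure configures after the reboot: that /etc/nsswitch.conf routes passwd and group lookups through winbind, that /etc/resolv.conf names a DNS server and carries the AD domain as a search domain, that /etc/hosts maps the desktop to its fully qualified name, and (when run with --live on the joined desktop) that winbind can reach a domain controller, that the machine trust account is valid, and that domain accounts resolve through getent. The DOMAIN, WORKGROUP and HOSTNAME_SHORT variables default to the placeholder values from the table above and are assumptions to override for a real system; the file checks are written as functions so they can be run against any file.

```shell
#!/bin/sh
# Added example: post-join sanity checks for an Ubuntu desktop integrated with
# an AD domain through Samba and Winbind. Not part of the original procedure.
# DOMAIN, WORKGROUP and HOSTNAME_SHORT default to the page's placeholder values;
# override them in the environment for a real system.

DOMAIN="${DOMAIN:-mydomain.com}"
WORKGROUP="${WORKGROUP:-MYDOMAIN}"
HOSTNAME_SHORT="${HOSTNAME_SHORT:-myhost}"

# Turn a DNS name into an ERE-safe pattern (dots become literal dots).
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# nsswitch.conf must route passwd and group lookups through winbind;
# without this, getent and PAM never see domain accounts.
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# resolv.conf must name a DNS server and list the AD domain as a search
# domain, or the SRV lookups for the KDC and the domain join fail.
check_resolv() {
    esc=$(escape_dots "$2")
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9]+(\.[0-9]+){3}' "$1" &&
    grep -Eq "^[[:space:]]*search[[:space:]]+(.*[[:space:]])?$esc([[:space:]]|$)" "$1"
}

# /etc/hosts must map 127.0.1.1 to the fully qualified name in the AD domain,
# so the machine principal derived at join time is myhost.mydomain.com.
check_hosts() {
    esc=$(escape_dots "$3")
    grep -Eq "^[[:space:]]*127\.0\.1\.1[[:space:]]+$2\.$esc([[:space:]]|$)" "$1"
}

# Live checks: only meaningful on the joined desktop itself.
run_live_checks() {
    for cmd in wbinfo net getent; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "missing command: $cmd"; return 1; }
    done
    check_nsswitch /etc/nsswitch.conf                  || echo "FAIL: /etc/nsswitch.conf lacks winbind"
    check_resolv /etc/resolv.conf "$DOMAIN"            || echo "FAIL: /etc/resolv.conf nameserver/search"
    check_hosts /etc/hosts "$HOSTNAME_SHORT" "$DOMAIN" || echo "FAIL: /etc/hosts FQDN entry"
    wbinfo --ping-dc || echo "FAIL: winbind cannot reach a domain controller"
    wbinfo -t        || echo "FAIL: machine trust account secret is invalid"
    net ads testjoin || echo "FAIL: domain join is not valid"
    # With "template homedir = /home/%D/%U", every domain account resolved via
    # winbind shows a home directory under /home/WORKGROUP/.
    echo "domain accounts visible through getent: $(getent passwd | grep -c ":/home/$WORKGROUP/")"
}

# Usage on the joined desktop: sh check-ad-join.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Without --live the script only defines the functions, so it can be sourced and the file checks pointed at staged copies of the configuration files before the desktop is cloned; the live checks print a FAIL line per failing item rather than stopping at the first one, so a single run reports every broken piece.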

What to do next

Configure True SSO on Ubuntu Desktops