Multiple solutions exist to integrate Linux with Microsoft Active Directory (AD) and Horizon 7 for Linux Desktop has no dependency on which solution is used.

The following solutions are known to work in a Horizon 7 for Linux desktop environment.

  • OpenLDAP Server Pass-through Authentication

  • System Security Services Daemon (SSSD) LDAP Authentication against the Microsoft Active Directory

  • Winbind Domain Join

  • PowerBroker Identity Services Open (PBISO) Authentication

If you use the LDAP-based solutions, you must perform the configuration in a template virtual machine and no additional steps are required in the cloned virtual machines.

Note:

For ease of deployment, use the SSSD LDAP authentication against the Microsoft Active Directory solution.

OpenLDAP Server Pass-Through Authentication

At a high level, the OpenLDAP Pass-through authentication solution involves the following steps:

  1. To enable LDAPS (Lightweight Directory Access Protocol over SSL), install Certificate Services on the Active Directory.

  2. Set up an OpenLDAP server.

  3. Synchronize user information (except password) from the Active Directory to the OpenLDAP server.

  4. Configure the OpenLDAP server to delegate password verification to a separate process such as saslauthd, which can perform password verification against the Active Directory.

  5. Configure the Linux desktops to use an LDAP client to authenticate users with the OpenLDAP server.

System Security Services Daemon (SSSD) LDAP Authentication Against the Microsoft Active Directory

The SSSD LDAP authentication against the Microsoft Active Directory solution involves the following steps:

  1. To enable LDAPS, install the Certificate Services on the Active Directory.

  2. To use LDAP authentication directly against the Microsoft Active Directory, configure the SSSD in the Linux desktop.
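As an added example (not from the Horizon documentation or from VMware), the following /etc/sssd/sssd.conf implements step 2 with SSSD's generic LDAP provider over LDAPS, with certificate validation enforced against the CA exported from the Certificate Services set up in step 1. The domain name, domain controller host names, search base, service account, AD group name and CA file path are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example; must be owned by root with mode 0600 or sssd refuses to start)
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
# Generic LDAP provider talking directly to the domain controllers; no domain join needed
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap

# Use AD object classes and attribute names (objectClass=user, sAMAccountName, memberOf, ...)
ldap_schema = ad
# Derive POSIX uid/gid from the objectSID instead of requiring uidNumber/gidNumber on every AD object
ldap_id_mapping = True
# AD returns referrals to other partitions; chasing them is slow and not needed for a single-domain lookup
ldap_referrals = False

# LDAPS only (TCP 636): the bind password and user passwords never cross the wire in cleartext
ldap_uri = ldaps://dc01.corp.example.com, ldaps://dc02.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com

# Verify the domain controller certificate against the AD CA certificate (assumed path).
# 'demand' aborts the connection on any certificate or host name mismatch; 'allow' or 'never'
# would let a spoofed DC collect passwords.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/corp-example-ad-ca.pem

# Low-privilege read-only account for directory lookups; users authenticate with their own
# password through a simple bind, so this account needs no write rights anywhere.
ldap_default_bind_dn = cn=svc-sssd-lookup,ou=Service Accounts,dc=corp,dc=example,dc=com
ldap_default_authtok = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Restrict logon to members of one AD group (assumed group name) instead of every domain user
ldap_access_order = filter
ldap_access_filter = memberOf=cn=Horizon Linux Users,ou=Groups,dc=corp,dc=example,dc=com

# Allow offline logon from hashed cached credentials; never enumerate the whole directory
cache_credentials = True
enumerate = False

fallback_homedir = /home/%u
default_shell = /bin/bash
```

On Ubuntu, run sudo pam-auth-update so that pam_sss is enabled in the PAM stack, then restart sssd and confirm the lookup path with getent passwd <ad_user> before cloning the template.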

Winbind Domain Join

The Winbind Domain Join solution involves the following steps:

  1. Install the Winbind, Samba, and Kerberos packages on the Linux desktop.

  2. Join the Linux desktop to the Microsoft Active Directory.

If you use the Winbind Domain Join solution or another Kerberos authentication-based solution, join the template virtual machine to the Active Directory, and re-join the cloned virtual machine to the Active Directory. For example, use the following command:

sudo /usr/bin/net ads join -U <domain_user>%<domain_password>

Use the following options to run the domain re-join command on a cloned virtual machine for the Winbind solution:

PowerBroker Identity Services Open (PBISO) Authentication

Configuring the PowerBroker Identity Services Open (PBISO) authentication solution involves the following steps:

  1. Download PBISO 8.5.6 or later from https://www.beyondtrust.com/products/powerbroker-identity-services-open/.

  2. Install PBISO on your Linux VM.

    sudo ./pbis-open-8.5.6.2029.linux.x86_64.deb.sh
  3. Install Horizon 7 Agent for Linux.

  4. Use PBISO to join the Linux desktop to the AD domain.

    In the following example, lxdc.vdi is the domain name and administrator is the domain user name.

    sudo domainjoin-cli join lxdc.vdi administrator

  5. Set up the default configuration for domain users.

    sudo /opt/pbis/bin/config UserDomainPrefix lxdc 
    sudo /opt/pbis/bin/config AssumeDefaultDomain true 
    sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash 
    sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
  6. Edit the /etc/pam.d/common-session file.

    1. Locate the line that says session sufficient pam_lsass.so.

    2. Replace that line with session [success=ok default=ignore] pam_lsass.so.

    Note:

    This step must be repeated after you reinstall or update the Horizon Agent for Linux.

  7. Edit the /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf file and append the following lines.

    Note:

    If you are using Ubuntu 14.04, the lightdm configuration file is named 60-lightdm-gtk-greeter.conf.

    allow-guest=false
    greeter-show-manual-login=true
  8. Reboot your system and log in.

Note:
  • If the /opt/pbis/bin/config AssumeDefaultDomain option is set to false, you must update the SSOUserFormat=<username>@<domain> setting in the /etc/vmware/viewagent-custom.conf file.

  • When using the Horizon instant-clone floating desktop pool feature, to avoid losing the DNS Server setting when the new network adapter is added to the cloned VM, modify the resolv.conf file for your Linux system. Use the following example, for an Ubuntu 16.04 system, as a guide for adding the necessary lines in the /etc/resolvconf/resolv.conf.d/head file.

    nameserver 10.10.10.10
    search mydomain.org