To support True SSO on Ubuntu/Debian desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.

To integrate an Ubuntu/Debian VM with an AD domain, use the following procedure.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your VM. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
myhost Host name of your Ubuntu/Debian VM
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
admin-user User name of the AD domain administrator

Prerequisites

Verify that:
  • The AD server is resolvable by DNS on the VM.
  • The Network Time Protocol (NTP) is configured on the VM.

Procedure

  1. On the Ubuntu/Debian VM, install the samba and winbind packages.
    sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
  2. Configure the Kerberos Authentication settings.
    1. If the window for Kerberos Authentication settings does not appear on your system, run the following command to display it.
      dpkg-reconfigure krb5-config
    2. For Default Kerberos version 5 realm, enter the DNS name of your AD domain using all capital letters.
      For example, if your AD domain name is mydomain.com, enter MYDOMAIN.COM.
    3. For Kerberos servers for your realm, enter the host name of your AD server (represented as ads_hostname in the examples throughout this procedure).
    4. For Administrative server for your Kerberos realm, enter the host name of your AD server again.
  3. Update the PAM configuration.
    1. Open the PAM configuration page.
      pam-auth-update
    2. Select Create home directory on login, and then select Ok.
  4. Edit the /etc/nsswitch.conf configuration file, as shown in the following example.
    passwd: compat winbind
    group: compat winbind
    shadow: compat
    gshadow: files
  5. (Optional) If the system detects the correct DNS server automatically, skip this step and proceed to the next step. If the system fails to detect the correct DNS server, complete this step to set the DNS server manually.
    To ensure that the auto-generated resolv.conf file refers to your AD domain as a search domain, edit the NetworkManager settings for your system connection. The following substeps provide the example instructions for an Ubuntu 20.04 system.
    1. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For Method, select Automatic (DHCP) addresses only. In the DNS servers text box, enter the IP address of your DNS name server (represented as dns_IP_ADDRESS in the examples throughout this procedure). Then click Save.
    2. Edit the /etc/dhcp/dhclient.conf file as shown in the following example.
      supersede domain-name "mydomain.com";
      prepend domain-name-servers dns_IP_ADDRESS;
    3. Edit the /etc/systemd/resolved.conf file as shown in the following example.
      DNS=dns_IP_ADDRESS
      Domains="mydomain.com"
      Note: A new virtual network adapter is added when a new instant-cloned virtual desktop is created. When you add the network adapter to a cloned virtual desktop, the virtual desktop template clears the settings for the network adapter, such as the DNS server. To keep the DNS server setting when adding a new network adapter, you must specify a DNS server for your VM.
    4. Specify the DNS server by editing the /etc/resolv.conf configuration file, as shown in the following example. If a warning appears, you can disregard and proceed with the changes.
      nameserver dns_IP_ADDRESS
      
      search mydomain.com
    5. Restart the VM and log back in.
  6. Edit the /etc/hosts configuration file, as shown in the following example.
    127.0.0.1     localhost
    127.0.1.1     myhost.mydomain.com myhost
  7. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
    security = ads
    realm = MYDOMAIN.COM
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2
    kerberos method = secrets and keytab
    winbind refresh tickets = true
  8. Restart the smbd service.
    sudo systemctl restart smbd.service
  9. Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
    [libdefaults]
          default_realm = MYDOMAIN.COM
          dns_lookup_realm = true
          dns_lookup_kdc = true
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname 
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
    
  10. Join the Ubuntu/Debian VM to the AD domain.
    1. Initiate a Kerberos ticket.
       sudo kinit admin-user
      When prompted, enter your administrator password.
    2. Verify that the ticket has been created successfully.
      sudo klist
      This command returns information about the ticket, including its valid starting time and expiration time.
    3. Create a Kerberos keytab file.
      sudo net ads keytab create -U admin-user
    4. Join the AD domain.
      sudo net ads join -U admin-user
  11. Restart and verify the Winbind service.
    1. Restart the Winbind service.
      sudo systemctl restart winbind.service 
    2. To verify the Winbind service, run the following commands and check that they return the correct output.
      • wbinfo -u
      • wbinfo -g
      • getent passwd
      • getent group
  12. Restart the VM and log back in.

What to do next

Configure True SSO on Ubuntu/Debian Desktops