To support True SSO on Ubuntu/Debian desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.
To integrate an Ubuntu/Debian VM with an AD domain, use the following procedure.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your VM. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value | Description
dns_IP_ADDRESS | IP address of your DNS name server
mydomain.com | DNS name of your AD domain
MYDOMAIN.COM | DNS name of your AD domain in all capital letters; this is the Kerberos realm
myhost | Host name of your Ubuntu/Debian VM
MYDOMAIN | NetBIOS (short) name of the AD domain that includes your Samba server, in all capital letters; this is the workgroup value in smb.conf. It is usually the first label of the DNS name, but it is defined separately in AD, so confirm it with the domain administrator
ads-hostname | Host name of your AD domain controller
admin-user | User name of an AD account that is permitted to join computers to the domain (typically a domain administrator)
Prerequisites
Verify that:
- The AD domain controller is resolvable by DNS on the VM, including the _kerberos._tcp and _ldap._tcp SRV records for the domain, which the Kerberos client and Samba use to locate it.
- The Network Time Protocol (NTP) is configured on the VM, so that its clock stays within the Kerberos clock skew tolerance (5 minutes by default). Kerberos authentication, and therefore the domain join, fails if the clock drifts further than that.
Procedure
- On the Ubuntu/Debian VM, install the samba and winbind packages.
sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
- Configure the Kerberos Authentication settings.
- If the window for Kerberos Authentication settings does not appear on your system, run the following command to display it.
sudo dpkg-reconfigure krb5-config
- For Default Kerberos version 5 realm, enter the DNS name of your AD domain in all capital letters. For example, if your AD domain name is mydomain.com, enter MYDOMAIN.COM.
- For Kerberos servers for your realm, enter the host name of your AD domain controller (represented as ads-hostname in the examples throughout this procedure).
- For Administrative server for your Kerberos realm, enter the host name of your AD domain controller again.
- Update the PAM configuration.
- Open the PAM configuration page (the pam-auth-update utility).
- Select Create home directory on login, and then select Ok. Without this option, the home directory named by template homedir in smb.conf is not created when a domain user logs in for the first time.
- Edit the /etc/nsswitch.conf configuration file, as shown in the following example.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
- (Optional) If the system detects the correct DNS server automatically, skip this step and proceed to the next step. If it does not, complete this step to set the DNS server manually.
To ensure that the auto-generated resolv.conf file refers to your AD domain as a search domain, edit the NetworkManager settings for your system connection. The following substeps provide example instructions for an Ubuntu 20.04 system.
- Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For Method, select Automatic (DHCP) addresses only. In the DNS servers text box, enter the IP address of your DNS name server (represented as dns_IP_ADDRESS in the examples throughout this procedure). Then click Save.
- Edit the /etc/dhcp/dhclient.conf file as shown in the following example.
supersede domain-name "mydomain.com";
prepend domain-name-servers dns_IP_ADDRESS;
- Edit the /etc/systemd/resolved.conf file so that its [Resolve] section contains the following settings.
[Resolve]
DNS=dns_IP_ADDRESS
Domains=mydomain.com
Note: A new virtual network adapter is added when a new instant-cloned virtual desktop is created. When you add the network adapter to a cloned virtual desktop, the virtual desktop template clears the settings for the network adapter, such as the DNS server. To keep the DNS server setting when adding a new network adapter, you must specify a DNS server for your VM.
- Specify the DNS server by editing the /etc/resolv.conf configuration file, as shown in the following example. If a warning appears, you can disregard and proceed with the changes.
nameserver dns_IP_ADDRESS
search mydomain.com
- Restart the VM and log back in.
- Edit the /etc/hosts configuration file, as shown in the following example.
127.0.0.1 localhost
127.0.1.1 myhost.mydomain.com myhost
- Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
[global]
security = ads
realm = MYDOMAIN.COM
workgroup = MYDOMAIN
; The older "idmap uid" / "idmap gid" parameters are deprecated; the
; "idmap config" form below is the equivalent. The tdb backend allocates
; UIDs in order of first sight, so the same domain user can receive a
; different UID on each cloned desktop. Use the rid backend for the domain
; if you need identical UIDs on every VM.
idmap config * : backend = tdb
idmap config * : range = 10000-20000
; Enumeration makes the wbinfo/getent checks below work but is slow in large domains.
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
; Lets the join write the machine account keys to /etc/krb5.keytab.
kerberos method = secrets and keytab
winbind refresh tickets = true
- Restart the smbd service.
sudo systemctl restart smbd.service
- Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname
admin_server = ads-hostname
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
- Join the Ubuntu/Debian VM to the AD domain.
- Obtain a Kerberos ticket for the account that will perform the join. This confirms that DNS, time synchronisation and the realm settings in krb5.conf are correct before the join is attempted.
sudo kinit admin-user
When prompted, enter the account's password.
- Verify that the ticket has been created successfully.
sudo klist
This command returns information about the ticket, including its valid starting time and expiration time.
- Join the AD domain. This creates the computer account in AD and, because smb.conf sets kerberos method = secrets and keytab, writes the machine account's keys to /etc/krb5.keytab.
sudo net ads join -U admin-user
- Create (or refresh) the Kerberos keytab file. This step uses the machine account password stored by the join, so run it after the join, not before.
sudo net ads keytab create -U admin-user
- Restart and verify the Winbind service.
- Restart the Winbind service.
sudo systemctl restart winbind.service
- To verify the Winbind service, run the following commands. wbinfo -u and wbinfo -g must list the domain's users and groups. getent passwd and getent group must include those same entries, with UIDs and GIDs inside the idmap range from smb.conf (10000-20000 in this example), which shows that NSS is resolving them through winbind. Local accounts still appear first, from /etc/passwd and /etc/group.
- wbinfo -u
- wbinfo -g
- getent passwd
- getent group
- Restart the VM and log back in.
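The procedure above collected into one non-interactive script, as an added example that is not part of the original page and is not VMware's or Samba's own tooling. It derives the uppercase realm and the NetBIOS workgroup from the single lowercase DNS domain name, so the placeholders cannot drift apart between files, renders krb5.conf, smb.conf, hosts and resolved.conf, and, when run as root with "apply", writes them, joins the domain and runs the same post-join checks plus net ads testjoin and wbinfo -t. All default values (mydomain.com, ads-hostname, myhost, admin-user, 192.0.2.10, which is an RFC 5737 documentation address) are placeholders, and the function names are this example's own. It assumes the host command from bind9-host and a systemd with timedatectl.

```shell
#!/bin/sh
# Added example: the Samba/Winbind AD join from the procedure above as one script.
# "render" (default) prints the generated files; "apply" (root only) installs them,
# joins the domain and verifies the result. All defaults below are placeholders.
set -eu

AD_DOMAIN="${AD_DOMAIN:-mydomain.com}"     # DNS name of the AD domain
AD_DC="${AD_DC:-ads-hostname}"             # host name of a domain controller
VM_HOST="${VM_HOST:-myhost}"               # host name of this VM
DNS_IP="${DNS_IP:-192.0.2.10}"             # DNS server (RFC 5737 documentation address)
ADMIN_USER="${ADMIN_USER:-admin-user}"     # account permitted to join computers
IDMAP_RANGE="${IDMAP_RANGE:-10000-20000}"  # winbind UID/GID range

# Realm = DNS domain in capitals. Workgroup = NetBIOS domain name, which is usually
# the first DNS label in capitals but is set independently in AD; confirm it after
# the join with "net ads workgroup".
realm_of()     { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
workgroup_of() { printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]'; }

render_krb5_conf() {   # $1 = DNS domain, $2 = DC host name
    realm=$(realm_of "$1")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    $realm = {
        kdc = $2.$1
        admin_server = $2.$1
    }
[domain_realm]
    .$1 = $realm
    $1 = $realm
EOF
}

render_smb_conf() {    # $1 = DNS domain, $2 = idmap range
    realm=$(realm_of "$1"); wg=$(workgroup_of "$1")
    cat <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $wg
    idmap config * : backend = tdb
    idmap config * : range = $2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    restrict anonymous = 2
    kerberos method = secrets and keytab
    winbind refresh tickets = true
EOF
}

render_hosts() {       # $1 = VM host name, $2 = DNS domain (keeps the IPv6 loopback entry)
    printf '127.0.0.1 localhost\n127.0.1.1 %s.%s %s\n::1 localhost ip6-localhost ip6-loopback\n' "$1" "$2" "$1"
}

render_resolved_conf() {  # $1 = DNS server IP, $2 = DNS domain
    printf '[Resolve]\nDNS=%s\nDomains=%s\n' "$1" "$2"
}

# What the join really depends on: the KDC SRV record and a synchronised clock.
check_prereqs() {
    host -t SRV "_kerberos._tcp.$1" >/dev/null || { echo "no KDC SRV record for $1" >&2; return 1; }
    [ "$(timedatectl show -p NTPSynchronized --value)" = yes ] || { echo "clock not NTP-synchronised" >&2; return 1; }
}

# Post-join checks, ordered so the first failure points at the broken layer.
verify_join() {
    net ads testjoin                          # machine account password and keytab are valid
    wbinfo -t                                 # winbind can use the stored trust secret
    wbinfo -u | head -n 3                     # domain users enumerate through winbind ...
    getent passwd "$(wbinfo -u | head -n 1)"  # ... and resolve through NSS with an idmap UID
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    check_prereqs "$AD_DOMAIN"
    render_krb5_conf "$AD_DOMAIN" "$AD_DC"        > /etc/krb5.conf
    render_smb_conf  "$AD_DOMAIN" "$IDMAP_RANGE"  > /etc/samba/smb.conf
    render_hosts     "$VM_HOST"   "$AD_DOMAIN"    > /etc/hosts
    testparm -s >/dev/null                        # stop on an smb.conf typo before touching AD
    systemctl restart smbd
    net ads join -U "$ADMIN_USER"                 # prompts for the password; writes /etc/krb5.keytab
    systemctl restart winbind
    verify_join
}

case "${1:-render}" in
    render) render_krb5_conf "$AD_DOMAIN" "$AD_DC"; render_smb_conf "$AD_DOMAIN" "$IDMAP_RANGE"
            render_hosts "$VM_HOST" "$AD_DOMAIN"; render_resolved_conf "$DNS_IP" "$AD_DOMAIN" ;;
    apply)  apply ;;
    *)      echo "usage: $0 [render|apply]" >&2; exit 2 ;;
esac
```

Run it once with render on a workstation to review the generated files, then with apply as root inside the base VM before it is snapshotted for cloning. The PAM, NetworkManager and dhclient steps from the procedure are interactive or host specific and are intentionally left to the procedure text.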