Integrating ThinLinc with Windows Active Directory
This guide describes the steps and components used for authenticating users against the Windows Active Directory service. When complete, both local Linux passwd users and Windows users are allowed to login to the ThinLinc server. The server is also joined to an Active Directory (AD) through this process and you will find a computer account created for the server in the computer's OU.
You should perform these steps on all ThinLinc servers in your cluster for authentication of users.
1. First you need to install the following components required to join an AD:
yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
2. Configure your ThinLinc server to resolve hosts using the Windows DNS service for the proper service entries in dns and verify that you can discover your AD domain like:
[localhost]# realm discover LAB.LKPG.CENDIO.SE lab.lkpg.cendio.se type: kerberos realm-name: LAB.LKPG.CENDIO.SE domain-name: lab.lkpg.cendio.se configured: no server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools
3. To join the domain run the following command and provide the domain administrator password for access:
realm join LAB.LKPG.CENDIO.SE
4. Verify that you can resolve a user in your AD using the following command:
[localhost]# id email@example.com uid=1253001106(firstname.lastname@example.org) gid=1253000513(domain email@example.com) groups=1253000513(domain firstname.lastname@example.org)
5. Verify that you can authenticate as an user using Kerberos like following:
also verify that you your ticket cache contains a TGT:
[root@lab-129 ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: testuser@LAB.LKPG.CENDIO.SE Valid starting Expires Service principal 04/06/2017 10:41:48 04/06/2017 20:41:48 krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE renew until 04/13/2017 10:41:45
6. Make sure ThinLinc is a recognized service:
Edit the file
/etc/sssd/sssd.conf and make sure the following is added in the domain specific section:
ad_gpo_map_remote_interactive = +thinlinc
You need to restart sssd after changing this setting:
[root@lab-129 ~]# systemctl restart sssd
7. This step is optional but very important if we want Kerberos to work in ThinLinc session.
At this point users are identified with fully qualified names such as you have seen above, email@example.com. If you do not require this fully qualified name, eg. your ThinLinc server does not authenticate users against different domains, you can configure this in SSSD configuration
/etc/sssd/sssd.conf. Edit this file and make sure you have the following configuration in the domain specific section:
use_fully_qualified_names = False
Make sure you restart sssd after changing this setting.