Integrate ThinLinc with Windows Active Directory
This guide describes the steps and components used for authenticating users against the Windows Active Directory service. When complete, both local Linux passwd users and Windows users are allowed to log in to the ThinLinc server. The server is also joined to an Active Directory (AD) domain through this process, and you will find a computer account created for the server in the Computers OU.
You should perform these steps on all ThinLinc servers in your cluster for authentication of users.
1. First you need to install the following components required to join an AD:
yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
2. Configure your ThinLinc server to resolve hosts using the Windows DNS service, so that the service records of the domain are found in DNS, and verify that you can discover your AD domain:
[localhost]# realm discover LAB.LKPG.CENDIO.SE
lab.lkpg.cendio.se
  type: kerberos
  realm-name: LAB.LKPG.CENDIO.SE
  domain-name: lab.lkpg.cendio.se
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
3. To join the domain, run the following command and provide the domain administrator password when prompted:
realm join LAB.LKPG.CENDIO.SE
4. Verify that you can resolve a user in your AD using the following command:
[localhost]# id email@example.com
uid=1253001106(firstname.lastname@example.org) gid=1253000513(domain email@example.com) groups=1253000513(domain firstname.lastname@example.org)
5. Verify that you can authenticate as a user using Kerberos, and then verify that your ticket cache contains a TGT:
[root@lab-129 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@LAB.LKPG.CENDIO.SE

Valid starting       Expires              Service principal
04/06/2017 10:41:48  04/06/2017 20:41:48  krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE
	renew until 04/13/2017 10:41:45
6. This step is optional. At this point users are identified with fully qualified names, such as email@example.com seen above. If you do not need fully qualified names, e.g. because your ThinLinc server does not authenticate users against several domains, you can change this in the SSSD configuration file /etc/sssd/sssd.conf. Edit this file and set 'use_fully_qualified_names' to 'False'; users are then identified without the domain qualifier. A restart of the SSSD service is required after this change: 'systemctl restart sssd'.
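The checks in steps 2 and 5 are easy to script for every server in the cluster. The following is an added example, not part of this guide or of ThinLinc, that parses output in the same shape as the realm discover and klist output above and reports whether the realm is joined and a valid TGT for it is present. The sample output embedded below is constructed, and the realm and timestamps are taken from the examples above.

```python
import re
from datetime import datetime

# Constructed sample output modelled on the realm discover and klist output shown
# above (same realm and timestamps); not captured from a real server.
REALM_DISCOVER_OUTPUT = """\
lab.lkpg.cendio.se
  realm-name: LAB.LKPG.CENDIO.SE
  configured: kerberos-member
  client-software: sssd
"""
KLIST_OUTPUT = """\
Default principal: testuser@LAB.LKPG.CENDIO.SE
Valid starting       Expires              Service principal
04/06/2017 10:41:48  04/06/2017 20:41:48  krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE
        renew until 04/13/2017 10:41:45
"""
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist's default timestamp format

def parse_realm_discover(text):
    # Skip the leading domain line, then collect the 'key: value' pairs.
    info = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition(": ")
        if sep:
            info.setdefault(key, []).append(value)
    return info

def find_tgt(text, realm):
    # Return (valid_from, expires) of the krbtgt ticket for realm, or None.
    stamp = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
    krbtgt = re.escape("krbtgt/%s@%s" % (realm, realm))
    m = re.search(stamp + r"\s+" + stamp + r"\s+" + krbtgt + r"\s*$", text, re.M)
    if not m:
        return None
    return tuple(datetime.strptime(m.group(i), TIME_FMT) for i in (1, 2))

def check_join(realm_output, klist_output, realm, now):
    # Return the problems found; an empty list means the join looks healthy.
    problems = []
    info = parse_realm_discover(realm_output)
    if info.get("realm-name") != [realm]:
        problems.append("realm discover did not return realm %s" % realm)
    if info.get("configured") == ["no"]:
        problems.append("realm is discovered but this server has not joined it")
    tgt = find_tgt(klist_output, realm)
    if tgt is None:
        problems.append("no krbtgt for %s in the ticket cache" % realm)
    elif not tgt[0] <= now < tgt[1]:
        problems.append("TGT for %s is not valid at %s" % (realm, now))
    return problems
```

On a real server, feed check_join the captured output of realm discover and klist together with the current time.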