ThinLinc by Cendio

Integrate ThinLinc with Windows Active Directory

 

This guide describes the steps and components used to authenticate users against the Windows Active Directory service. When complete, both local Linux passwd users and Windows users are able to log in to the ThinLinc server. As part of this process the server is joined to an Active Directory (AD) domain, and you will find a computer account for the server created in the Computers OU.

Perform these steps on every ThinLinc server in your cluster so that all of them can authenticate users.

1. First, install the components required to join an AD:

        yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

2. Configure your ThinLinc server to resolve hosts using the Windows DNS service, so that it can find the proper service entries in DNS, and verify that you can discover your AD domain:

       [localhost]# realm discover LAB.LKPG.CENDIO.SE
       lab.lkpg.cendio.se
            type: kerberos
            realm-name: LAB.LKPG.CENDIO.SE
            domain-name: lab.lkpg.cendio.se
            configured: no
            server-software: active-directory
            client-software: sssd
            required-package: oddjob
            required-package: oddjob-mkhomedir
            required-package: sssd
            required-package: adcli
            required-package: samba-common-tools

3. To join the domain, run the following command and provide the domain administrator password when prompted:

       realm join LAB.LKPG.CENDIO.SE

4. Verify that you can resolve an AD user with the following command:

        [localhost]# id testuser@lab.lkpg.cendio.se
        uid=1253001106(testuser@lab.lkpg.cendio.se) gid=1253000513(domain users@lab.lkpg.cendio.se) groups=1253000513(domain users@lab.lkpg.cendio.se)

5. Verify that you can authenticate as a user using Kerberos, as follows:

       kinit testuser@LAB.LKPG.CENDIO.SE

    Also verify that your ticket cache contains a TGT:

       [root@lab-129 ~]# klist
       Ticket cache: KEYRING:persistent:0:0
       Default principal: testuser@LAB.LKPG.CENDIO.SE

       Valid starting       Expires              Service principal
       04/06/2017 10:41:48  04/06/2017 20:41:48  krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE
       renew until 04/13/2017 10:41:45

6. This step is optional. At this point users are identified by fully qualified names such as the one seen above, testuser@lab.lkpg.cendio.se. If you do not require fully qualified names, e.g. because your ThinLinc server does not authenticate users against several domains, you can change this in the SSSD configuration file /etc/sssd/sssd.conf. Edit this file and set the option 'use_fully_qualified_names' to 'False'; users can then be identified without the domain qualifier. A restart of the SSSD service is required after this change: 'systemctl restart sssd'.
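As an added example (not Cendio's code and not part of this guide), the checks from steps 4 and 5 and the optional change from step 6 are collected below in a small POSIX shell script. It assumes the realm and domain names used above, that 'use_fully_qualified_names' lives in the [domain/lab.lkpg.cendio.se] section of /etc/sssd/sssd.conf, and that sssd.conf must stay root-owned with mode 0600, which is why the file is rewritten in place rather than replaced by a temporary file. The sample klist and id output is copied from the guide and labelled as such.

```shell
#!/bin/sh
# Added example, not part of the ThinLinc guide. Post-join checks for an AD
# joined ThinLinc server plus the optional use_fully_qualified_names change.
REALM="LAB.LKPG.CENDIO.SE"          # Kerberos realm from the guide (assumption)
DOMAIN="lab.lkpg.cendio.se"         # SSSD domain name from the guide (assumption)

# has_tgt KLIST_OUTPUT REALM: succeed if the ticket cache holds a TGT for REALM.
has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# in_domain_users ID_OUTPUT DOMAIN: succeed if the primary group is
# "domain users" of DOMAIN, i.e. the user was resolved through SSSD/AD.
in_domain_users() {
    printf '%s\n' "$1" | grep -q "gid=[0-9]*(domain users@$2)"
}

# get_option CONF DOMAIN KEY: print KEY's value from the [domain/DOMAIN] section.
get_option() {
    awk -v sec="[domain/$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ "^" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print }
    ' "$1"
}

# set_fqn_off CONF DOMAIN: set use_fully_qualified_names = False inside the
# [domain/DOMAIN] section only, replacing an existing line or adding one.
# The result is written back through "cat >" so the existing file keeps its
# owner and 0600 mode, which sssd insists on for sssd.conf.
set_fqn_off() {
    conf="$1"; section="[domain/$2]"
    awk -v sec="$section" '
        $0 == sec { print; insec = 1; next }
        /^\[/ { if (insec && !done) { print "use_fully_qualified_names = False"; done = 1 }; insec = 0 }
        insec && /^[ \t]*use_fully_qualified_names[ \t]*=/ { print "use_fully_qualified_names = False"; done = 1; next }
        { print }
        END { if (insec && !done) print "use_fully_qualified_names = False" }
    ' "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# verify_join [USER]: run the live checks from steps 4 and 5 on this server.
verify_join() {
    user="${1:-testuser}"
    out=$(id "$user@$DOMAIN" 2>&1) || { echo "id failed: $out"; return 1; }
    in_domain_users "$out" "$DOMAIN" || { echo "$user is not in 'domain users' of $DOMAIN"; return 1; }
    out=$(klist 2>&1) || { echo "no ticket cache: $out"; return 1; }
    has_tgt "$out" "$REALM" || { echo "no TGT for $REALM in cache, run kinit first"; return 1; }
    echo "AD join checks passed for $user@$DOMAIN"
}

# Sample output copied from the guide above, used to exercise the parsers offline.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@LAB.LKPG.CENDIO.SE

Valid starting       Expires              Service principal
04/06/2017 10:41:48  04/06/2017 20:41:48  krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE
'
SAMPLE_ID='uid=1253001106(testuser@lab.lkpg.cendio.se) gid=1253000513(domain users@lab.lkpg.cendio.se) groups=1253000513(domain users@lab.lkpg.cendio.se)'

# Usage: sh verify-ad.sh run [USER]        (live checks; needs realmd/sssd/krb5)
#        sh verify-ad.sh fqn-off           (step 6 change, then restart sssd)
case "${1:-}" in
    run)     verify_join "${2:-testuser}" ;;
    fqn-off) set_fqn_off /etc/sssd/sssd.conf "$DOMAIN" && systemctl restart sssd ;;
esac
```

The check functions take command output as an argument rather than running klist and id themselves, so they can be exercised against captured output on a machine that is not joined to AD; verify_join is the thin wrapper that runs the real commands.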