Integrating ThinLinc with Windows Active Directory

This guide describes the steps and components used for authenticating users against the Windows Active Directory service. When complete, both local Linux passwd users and Windows users are allowed to log in to the ThinLinc server. The server is also joined to an Active Directory (AD) domain through this process, and you will find a computer account created for the server in the Computers OU.

You should perform these steps on all ThinLinc servers in your cluster for authentication of users.

1. First, install the following components, which are required to join an AD domain:

yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

2. Configure your ThinLinc server to resolve hosts using the Windows DNS service, so that the AD service records can be found in DNS, and verify that you can discover your AD domain:

[localhost]# realm discover LAB.LKPG.CENDIO.SE
lab.lkpg.cendio.se
type: kerberos
realm-name: LAB.LKPG.CENDIO.SE
domain-name: lab.lkpg.cendio.se
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools

3. To join the domain, run the following command and provide the domain administrator's password when prompted:

realm join LAB.LKPG.CENDIO.SE

4. Verify that you can resolve a user in your AD using the following command:

[localhost]# id testuser@lab.lkpg.cendio.se
uid=1253001106(testuser@lab.lkpg.cendio.se) gid=1253000513(domain users@lab.lkpg.cendio.se) groups=1253000513(domain users@lab.lkpg.cendio.se)

5. Verify that you can authenticate as a user using Kerberos, as follows:

kinit testuser@LAB.LKPG.CENDIO.SE

Also verify that your ticket cache contains a TGT:

[root@lab-129 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@LAB.LKPG.CENDIO.SE

Valid starting Expires Service principal
04/06/2017 10:41:48 04/06/2017 20:41:48 krbtgt/LAB.LKPG.CENDIO.SE@LAB.LKPG.CENDIO.SE
renew until 04/13/2017 10:41:45

6. Make sure ThinLinc is a recognized service:

Edit the file /etc/sssd/sssd.conf and make sure the following is added in the domain-specific section:

ad_gpo_map_remote_interactive = +thinlinc

You need to restart sssd after changing this setting:

[root@lab-129 ~]# systemctl restart sssd

7. This step is optional, but very important if you want Kerberos to work in a ThinLinc session.

At this point users are identified with fully qualified names, such as the testuser@lab.lkpg.cendio.se seen above. If you do not require fully qualified names, e.g. because your ThinLinc server does not authenticate users against several domains, you can change this in the SSSD configuration file /etc/sssd/sssd.conf. Edit this file and make sure you have the following setting in the domain-specific section:

use_fully_qualified_names = False

Make sure you restart sssd after changing this setting.

Both settings from steps 6 and 7 only take effect when they sit in the [domain/...] section, not in the [sssd] section, so it is worth checking their placement before restarting sssd.
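As an added example, not part of the original guide, the following POSIX shell script checks that the settings from steps 6 and 7 are present in the [domain/...] section of an sssd.conf rather than elsewhere in the file. The function names and the sample configuration it writes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the ThinLinc
# settings from steps 6 and 7 are in the [domain/...] section of sssd.conf.
# Assumes only a POSIX shell, awk, sed, tr and grep.

# sssd_domain_setting FILE KEY
# Prints the value of KEY from the first [domain/...] section, or nothing
# when the key is absent there (a key in the [sssd] section does not count).
sssd_domain_setting() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_domain = (index($0, "[domain/") > 0); next }
        in_domain && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# check_thinlinc_sssd FILE
# Returns 0 when the domain section maps the thinlinc PAM service via
# ad_gpo_map_remote_interactive (step 6); also reports whether step 7 applies.
check_thinlinc_sssd() {
    gpo=$(sssd_domain_setting "$1" ad_gpo_map_remote_interactive)
    # The value is a comma-separated list, e.g. "+thinlinc, -sshd".
    if ! printf '%s\n' "$gpo" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -qx '+thinlinc'; then
        echo "missing in domain section: ad_gpo_map_remote_interactive = +thinlinc"
        return 1
    fi
    case "$(sssd_domain_setting "$1" use_fully_qualified_names)" in
        [Ff]alse) echo "step 7 applied: users log in with short names" ;;
        *)        echo "step 7 not applied: users log in as user@domain" ;;
    esac
    return 0
}

# write_sample_sssd_conf FILE
# Writes a constructed sssd.conf resembling the result of steps 3, 6 and 7.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = lab.lkpg.cendio.se
services = nss, pam

[domain/lab.lkpg.cendio.se]
ad_domain = lab.lkpg.cendio.se
krb5_realm = LAB.LKPG.CENDIO.SE
access_provider = ad
ad_gpo_map_remote_interactive = +thinlinc
use_fully_qualified_names = False
EOF
}
```

On a real server, run `check_thinlinc_sssd /etc/sssd/sssd.conf` as root, since the file is only readable by root.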
