Active Directory authentication for RDP session to Ubuntu


If the Ubuntu box is Active Directory domain-joined for user authentication, the domain users cannot authenticate over RDP without changes to the sssd.conf file.
sudo -i
cd /etc/sssd
nano sssd.conf
add 3 lines
case_sensitive = False
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman

restart sssd
systemctl restart sssd

For domain user name use the full domain in this format.
user@nameof.domain

Join Ubuntu 22.04 or 23.10 to Windows 2019 domain

Just discovered there is an option to join 22.04 to Active Directory when installing the OS. This worked smoothly and allowed immediate access authenticating against AD. The DHCP server must hand out a DNS address that works to resolve the domain name. Very important in home setups. There is no option to enter a different DNS server during setup. If it can’t find the AD server, the install will continue but without AD authentication.

The initial login screen shows only the local admin account created during setup. You need to select “not listed” and enter user@domain.name. If you just do the domain user name without the extension, it fails. After the local account setup is done, the domain user will appear as an option on the login screen.

If you use Quick Create in Windows 10/11 Hyper-V to make an Ubuntu VM, there is no option to domain join; you have to AD join manually following creation of the VM. Personally, I find it easier to manually create a VM and use auto join during install.

Caution if creating a virtual machine in Hyper-V. Be sure to first create an external virtual switch and assign it when configuring the VM. The default VM network connection is internal and will not connect to the AD domain controller. However, the test for connection will pass during configuration because setup is using the host network. It will fail during actual implementation because the VM is using its assigned virtual network switch, not the host.

To check which DNS servers Ubuntu uses: nmcli dev show | grep DNS

The following is how to domain join after the OS is installed, or if you are using an earlier version than 22.04.

Ran thru a bunch of instruction sets for authenticating to a domain and the one below worked the first time and was easy to implement. You might want to use a test virtual machine first as you can brick it, but I did it live on real hardware, no problem.
However, there are 2 gotchas left out of the instructions:
First, before starting, add the computer to be joined to Windows DNS otherwise you get a lot of messages saying computer not found while following the instructions. However, it will join and authenticate.
Second, you need to enable and start the systemd-resolved service once you’ve finished joining. My machine could not connect to the internet or authenticate at the GUI until that was done; however, the SSH connection in the demo did work. No issues after restarting the service. I’m not sure if it’s even necessary to disable the service but that’s for later.

He does go thru the commands fast and it’s sometimes difficult to stop on the text plus the font is small and hard to read, so here are the basics. Check the video for explanations.

First install all the required packages.
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Next stop the local DNS resolution and verify.
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
sudo systemctl status systemd-resolved.service

Set the host name to match the AD naming scheme
hostname.sub.domain.extension
e.g. ubuntu1.internal.bogus.org

Configure DNS
sudo nano /etc/resolv.conf
replace the line nameserver 127.0.0.1 with nameserver followed by the AD DNS server address

Test DNS connection
realm discover internal.bogus.org

Enter the name of the computer into AD DNS, otherwise you get the error message
“unable to resolve hostname.sub.domain.bogus.org”
It will still connect, but the error messages continue thru the rest of the process.

Join AD
sudo realm join -U someADadmin internal.bogus.org
You’ll get a prompt for the password. No output when successful.

Check you have joined
realm list

Halfway done. Now you have to allow users to authenticate against AD and create home directories.

sudo nano /usr/share/pam-configs/mkhomedir
Default yes
Priority 900
Delete the Session-Interactive-Only line

Update pam
sudo pam-auth-update
check box for “Create home directory on login”

restart sssd
sudo systemctl restart sssd
sudo systemctl status sssd

check you can find users in AD
id user@internal.bogus.org
should return uid and status

allow AD users to login to the computer
sudo realm permit --all

See video on how to make domain admins local sudo holders

Enable and start the systemd-resolved service again (the reverse of the disable and stop steps above), otherwise you will have problems reaching the network and logging in.
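The two gotchas in the procedure above (host name must match the AD naming scheme, and resolv.conf must point at the AD DNS server rather than the local stub) can be checked before running realm join. The following pre-flight script is an added example written for this write-up, not part of the original post or of realmd; the function names and the sample resolv.conf contents are mine.

```shell
#!/bin/sh
# Pre-flight checks for the manual realm join described above (example code
# written for this write-up, not from the original post). Both checks work on
# plain strings/files, so they can run before touching the live system.
# Follow a passing pre-flight with the post's own test: realm discover <realm>

# The hostname must be exactly <name>.<realm>, e.g. ubuntu1.internal.bogus.org
check_hostname_in_realm() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # AD names are case-insensitive
  r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  n=${h%."$r"}                              # strip the ".<realm>" suffix
  if [ "$n" = "$h" ] || [ -z "$n" ]; then
    echo "FAIL: hostname '$1' must end in .$2"; return 1
  fi
  case "$n" in
    *.*) echo "FAIL: hostname '$1' has extra labels; expected <name>.$2"; return 1 ;;
  esac
  return 0
}

# resolv.conf must list at least one nameserver, and none may be a loopback
# stub (127.0.0.1 / 127.0.0.53 / ::1); the post replaces that with the AD DNS
# server address so realm discovery and Kerberos can find the domain controllers.
check_resolv_conf() {
  servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
  if [ -z "$servers" ]; then
    echo "FAIL: no nameserver lines in $1"; return 1
  fi
  for ns in $servers; do
    case "$ns" in
      127.*|::1) echo "FAIL: nameserver $ns is a local stub, not the AD DNS server"; return 1 ;;
    esac
  done
  return 0
}

# Run both checks; returns 0 only if every check passed.
realm_join_preflight() {
  host="$1"; realm="$2"; resolv="${3:-/etc/resolv.conf}"
  rc=0
  check_hostname_in_realm "$host" "$realm" || rc=1
  check_resolv_conf "$resolv" || rc=1
  [ "$rc" -eq 0 ] && echo "OK: $host may be joined to $realm"
  return "$rc"
}

# Usage on the live box: realm_join_preflight "$(hostname -f)" internal.bogus.org
```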

RDP to Ubuntu 18.04, 20.04, 22.04 and Raspberry Pi

The usual instructions to connect from Windows via RDP to Ubuntu failed on 18.04. The problem is that a dependency of a needed package was broken in the installation of XRDP on Ubuntu. The fix is to install xorgxrdp manually, but it is missing dependencies, so you have to install xserver-xorg-core first. However, that also uninstalls some packages needed for mouse and cursor control in an RDP session, so you add them back with xserver-xorg-input-all. After that, you can install xorgxrdp manually and the connection works.
The web page with write up on details is: https://c-nergy.be/blog/?p=13390
The broken dependencies in XRDP seem to have been corrected in the 20.04 install.

Still some flaky stuff about color scheme authorization when you connect, but that’s more of a nuisance.

Update 1 Aug 2021
Found the web site which correctly addresses the color scheme authorization problem. I used it for Ubuntu 20.04 since I had the same problem with it as I did with 18.04.

Xrdp – Connect Ubuntu Linux Remote Desktop via RDP from Windows

One gotcha is you have to log out of Ubuntu before you attempt the remote desktop, otherwise all you get is a blank screen. Likewise, log out of Ubuntu when exiting the RDP session, otherwise you get a blank screen when trying to log in to the physical box. A reboot is necessary to clear it. There might be a command line session you can do from PuTTY, but rebooting is quick and easy.

For Raspberry Pi, the process is much easier. Just install XRDP. The connection spawns a new window, so you can have one window on the Raspberry Pi while working on a completely different window in the RDP session.

Update 2 Nov 2022

For Ubuntu 22.04 the problems have been addressed and installation is trivially easy.

Change to the root account for all commands to work.
sudo -i
install xrdp
apt install xrdp
Add the xrdp user to the ssl-cert group so it can read the TLS certificate. Must be root to work.
usermod -a -G ssl-cert xrdp
Modify the firewall
ufw allow 3389/tcp
ufw allow 3389/udp

Log off before trying RDP from Windows. There will be 2 additional password authentications on connection, to enable the color palette and color device management. This is for local users, not AD users.

Active Directory authentication for RDP session
If the Ubuntu box is Active Directory domain-joined for user authentication, the domain users cannot authenticate over RDP without some changes to the sssd.conf file.
sudo -i
cd /etc/sssd
nano sssd.conf
add 2 lines
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman
restart sssd

For domain user name use the full domain in the format
user@nameof.domain
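The sssd.conf edit given in this section and in the first section at the top of the page can be scripted so it is repeatable and does not leave duplicate or stale keys behind. The script below is an added example written for this write-up, not part of the original post or of sssd; the function names and the sample sssd.conf are mine, and the option names are the documented sssd-ad ones.

```shell
#!/bin/sh
# Example helper for the sssd.conf change above (written for this write-up, not
# from the original post). It puts the three keys into every [domain/...]
# section of the given sssd.conf (they are per-domain options, so [sssd] is left
# alone), removes stale copies instead of appending duplicates, and keeps the
# file's 0600 root ownership, which sssd insists on before it will start.
#
# Why the keys matter: with ad_gpo_access_control = enforcing, sssd applies the
# AD "Allow/Deny log on through Remote Desktop Services" logon rights. The PAM
# service xrdp-sesman is not in sssd's default RemoteInteractive mapping, and an
# unmapped service falls back to deny, so domain users fail at the xrdp login
# box until it is added with ad_gpo_map_remote_interactive.
configure_sssd_xrdp() {
  conf="$1"
  scratch=$(mktemp) || return 1
  awk '
    function emit_keys() {
      print "case_sensitive = False"
      print "ad_gpo_access_control = enforcing"
      print "ad_gpo_map_remote_interactive = +xrdp-sesman"
    }
    # On each section header: note whether this is a domain section and, if so,
    # write the keys directly under the header.
    /^\[/ { in_domain = ($0 ~ /^\[domain\//); print; if (in_domain) emit_keys(); next }
    # Drop any pre-existing copy of the three keys inside a domain section.
    in_domain && /^[[:space:]]*(case_sensitive|ad_gpo_access_control|ad_gpo_map_remote_interactive)[[:space:]]*=/ { next }
    { print }
  ' "$conf" > "$scratch" || { rm -f "$scratch"; return 1; }
  # Overwrite in place (cat, not mv) so the mode and owner of sssd.conf survive.
  cat "$scratch" > "$conf" && rm -f "$scratch"
}

# Returns 0 if the file already carries both GPO keys with the expected values.
sssd_xrdp_configured() {
  grep -q '^[[:space:]]*ad_gpo_access_control[[:space:]]*=[[:space:]]*enforcing' "$1" &&
  grep -q '^[[:space:]]*ad_gpo_map_remote_interactive[[:space:]]*=.*xrdp-sesman' "$1"
}

# Usage on the real box, as root:
#   configure_sssd_xrdp /etc/sssd/sssd.conf && systemctl restart sssd
```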

Another option.
You can also go to Settings, enable Remote Desktop, and check enable legacy VNC protocol. This has slightly different login behavior with the authentication requests: one for the color palette and another for keyring unlock. However, the 2 procedures do not conflict and both can be active at the same time. You still get an xrdp login box under RDP.

I removed VNC and tried to connect with RDP and could not authenticate. RDP would not even connect to the remote machine unless I was logged in on the remote machine. This is xrdp behavior where you must be logged out to authenticate even though a connection can be made. From some posts, it appears this protocol is showing the same screen as the person logged in, not spawning a new one. After some more searching, this login failure appears to be a common problem with no definitive answer for now. Some people get it to work, others can’t.