Use Ubuntu Mate as a terminal server with Active Directory users

If you woke up this morning and said to yourself “I'm looking for a good remote desktop connection to my Linux machine and can't find one that is both smooth and clear”, then you are in the right place. (Back by popular demand.) Although I have already done several tutorials on the subject, I am going to show how it's done, all at once, and review the procedures to account for the new software versions.

For this tutorial, I'll assume that your FQDN is sub.domain.local, and we will start with the XRDP-friendly configuration by choosing the Ubuntu MATE flavour.

Download and install Ubuntu MATE from their official page. It's always good practice to update a newly installed OS, so update your Ubuntu MATE:

sudo apt-get update
sudo apt-get upgrade

Install XRDP on your Ubuntu MATE:

sudo apt-get install xrdp

If you use a non-standard keyboard (like I do), you will have to fix the keyboard mapping.

At this point, install the SSH server. It is not installed by default on the desktop version of Ubuntu, and without it you will receive an error when trying to join the AD domain.

sudo apt-get install openssh-server

Now you have to join your Ubuntu MATE machine to the Active Directory domain.

Go to the BeyondTrust page and download PBIS Open. You will have to register, and you will receive the download link via e-mail upon registration. Then make the installer executable and run it:

sudo chmod +x install.sh
sudo ./install.sh

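Upon installation, if domainjoin-gui doesn't start automatically, start it by typing:

sudo /opt/pbis/bin/domainjoin-gui

When complete, run 'sudo visudo' and add your domain user to sudoers. The line below gives that user full sudo rights; the backslash is doubled because sudoers treats a single backslash as an escape character.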

SUB\\username ALL=(ALL) ALL

PowerBroker Identity Services (PBIS) creates a home directory on the Linux system the first time a user logs in. PBIS uses /etc/skel to populate these new directories, so put a default .xsession file there, naming the desktop environment that the AD user will see upon first login. Simply create a .xsession file in /etc/skel with the following content:

mate-session

Xrdp uses PAM to authenticate logins, so in the directory /etc/pam.d you will notice an xrdp-sesman link to the sesman file. This file specifies how xrdp uses PAM to authenticate users. The default one probably won't authenticate against AD, so you need to change it. Edit the xrdp-sesman file and replace the contents with the following:

#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password

The common-* files were all altered when you installed PBIS to include the necessary bits to authenticate against AD.
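
A way to confirm the two edits above before testing a login, as an added example that is not part of the original tutorial: it checks that xrdp-sesman includes all four common-* stacks with nothing left over from the packaged file, and that the skeleton .xsession starts mate-session. The function names are made up for this example, and the check that .xsession is writable only by its owner is an extra precaution the tutorial does not mention.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the two files edited above.
# File paths are arguments, so the checks also work on copies of the files.

# pam_missing_includes FILE: print the common-* stacks FILE fails to @include.
pam_missing_includes() {
    for stack in common-auth common-account common-session common-password; do
        grep -Eq "^[[:space:]]*@include[[:space:]]+${stack}[[:space:]]*\$" "$1" \
            || printf '%s\n' "$stack"
    done
}

# pam_extra_lines FILE: print active lines other than the four includes.
# Leftovers from the packaged file mean the contents were not fully replaced.
pam_extra_lines() {
    grep -Ev '^[[:space:]]*(#.*)?$' "$1" \
        | grep -Ev '^[[:space:]]*@include[[:space:]]+common-(auth|account|session|password)[[:space:]]*$' \
        || true
}

# xsession_ok FILE: succeed if the first active line is exactly mate-session
# and the file is not group- or world-writable (it is copied to every new home).
xsession_ok() {
    first=$(grep -Ev '^[[:space:]]*(#.*)?$' "$1" | head -n 1)
    [ "$first" = "mate-session" ] || return 1
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \))" ]
}

# audit PAM_FILE XSESSION_FILE: run every check, return non-zero on any finding.
audit() {
    rc=0
    missing=$(pam_missing_includes "$1")
    extra=$(pam_extra_lines "$1")
    [ -z "$missing" ] || { echo "missing includes:" $missing; rc=1; }
    [ -z "$extra" ] || { echo "unexpected PAM lines:"; echo "$extra"; rc=1; }
    xsession_ok "$2" || { echo "$2: wrong session command or writable by non-owner"; rc=1; }
    return $rc
}

# On the configured host: audit /etc/pam.d/xrdp-sesman /etc/skel/.xsession
```

A finding under "unexpected PAM lines" means the file deviates from the four-line version shown above, which is worth reviewing before AD users start logging in.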

Your Active Directory users can now log into the OS using the console, RDP or SSH. On the login screen, select 'other' and enter your AD credentials in the form SUB\username. XRDP (and SSH) should work in the same manner.

That's about it. Relatively simple, and very rewarding in most cases.