Sponsored Links

Donate via Bitcoin

Donate to Scarygliders
«  
  »

xrdp authentication with Active Directory

By Kevin Cave, on May 26th, 2012

A couple of readers asked how they could get xrdp to authenticate with Active Directory.

Here's how…  ;)

Prerequisites

  • I assume your xrdp server already has either the Likewise/Likewise-Open or as it's now known by,  PowerBroker Identity Services
  • I assume that your xrdp server has already been joined to the Active Directory
  • I assume that you've installed xrdp and X11rdp – either manually, or automatically via the X11rdp-o-Matic & RDPsesconfig utilities.

1) Specify the default RDP session for new AD logins…

Likewise/PowerBroker Identity Services create a user directory on the linux system (the xrdp server) upon first login by that user.

On my default setup, Likewise/pbis creates these directories under /home/local/SCARYGLIDERS/<username>. SCARYGLIDERS being my domain name.

Obviously, your domain name and location for these directories depends on your particular configuration of Likewise/pbis.

Likewise/pbis uses /etc/skel to create these new directories, so create a default .xsession file in /etc/skel, containing the desktop environment that the AD user will see upon first login.

So for example, say you want each new AD login to be presented with the excellent LXDE desktop. You'd simply create a .xsession file in /etc/skel with the following;

startlxde

Really, it's that simple.

If you've got a bunch of AD users who have logged into this linux/xrdp system before, then you'll have to copy that .xsession file into each user's directory.

2) Get xrdp to authenticate with AD (and local linux users)

Xrdp uses PAM to authenticate logins, so this one was remarkably easy to solve.

In the directory /etc/pam.d , you will notice there is a file called xrdp-sesman. This file specifies how xrdp uses PAM to authenticate users.

The default one won't authenticate against AD, so we need to change it.

Rename that file to xrdp-sesman.old (or remove it – doesn't matter either way).

Then create a new xrdp-sesman file with the following contents;

 

#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
 
No need to restart the xrdp service. 
 
The common-* files have all been altered when you installled LikeWise/PowerBroker Identity Services to include the necessary bits to authenticate against AD.
 
This should now mean your Active Directory users can now log into your RDP server.
 
To log in, either put your DOMAINNAME\USERNAME combination, or if you have a simple AD setup, just the AD username – both worked for me – then your AD password for that user.
 

 

 

 

 

 

 

 

 
 
 
 
 
 
 
 
 
 
And that's that. :)
 
If I get enough interest, I'll update my utilities to help configure RDP sessions for your AD accounts
 
As always – please donate if this has saved you from a massive headache ;) Donations also increase my motivation to add this feature to my utilities ;)
 
 
 

How did you get on with this?

 
 
 
VN:F [1.9.22_1171]
Rate This Article
Rating: 8.8/10 (4 votes cast)
xrdp authentication with Active Directory, 8.8 out of 10 based on 4 ratings
Share the knowledge :
Facebook Twitter Pinterest Linkedin Digg Delicious Reddit Stumbleupon Posterous Email Snailmail

May 26th, 2012 | Tags: , , , , , , , , , | Category: Active Directory, Linux Tips & Tricks, RDP, Technical

4 comments to xrdp authentication with Active Directory

  • Stephen
    September 16, 2012 at 10:16 am · Reply

    What about using samba/samba-winbind?  Would that be a similar setup?
    Just found your site today, liking your XRDP stuff, keep it up.

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • lords3t
    January 11, 2013 at 10:12 pm · Reply

    I followed your instructions on installing X11rdp with your automating scripts and then these steps to get Active Directory based XRDP authenticaiton. It works with ssh just fine, but I cannot get a domain account to log in through XRDP. It will start connecting… looks like the authentication is fine… but then it simply blinks out.

    Here are the permissions on /etc/skel/.xsession

    -rwxr–r– 1 root root 39 Jan 11 16:59 .xsession

    Here is the one line in the file

    gnome-session –session=gnome-fallback

     

    Any ideas?

     

     

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Henrik
    April 22, 2013 at 12:03 pm · Reply

    Is there a way to have windows automatically filling in the the AD credentials (always correct password), aka single sign on)?

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)

Leave a Reply

  

  

  

CAPTCHA Image

*

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>