xrdp authentication with Active Directory

A couple of readers asked how they could get xrdp to authenticate with Active Directory.

Here's how…  ;)

Prerequisites

  • I assume your xrdp server already has Likewise/Likewise-Open (now known as PowerBroker Identity Services, pbis) installed.
  • I assume that your xrdp server has already been joined to the Active Directory domain.
  • I assume that you've installed xrdp and X11rdp, either manually or automatically via the X11rdp-o-Matic & RDPsesconfig utilities.

1) Specify the default RDP session for new AD logins…

Likewise/PowerBroker Identity Services creates a home directory on the Linux system (the xrdp server) for each AD user the first time that user logs in.

On my default setup, Likewise/pbis creates these directories under /home/local/SCARYGLIDERS/<username>, SCARYGLIDERS being my domain name.

Obviously, your domain name and the location of these directories depend on your particular configuration of Likewise/pbis.

Likewise/pbis populates these new directories from /etc/skel, so create a default .xsession file in /etc/skel containing the command for the desktop environment the AD user should see on first login.

So for example, say you want each new AD login to be presented with the excellent LXDE desktop. You'd simply create a .xsession file in /etc/skel containing the single line:

startlxde

Really, it's that simple.

If you've got a bunch of AD users who have logged into this Linux/xrdp system before, their home directories were created before the skeleton file existed, so you'll have to copy that .xsession file into each of their directories yourself (the user only needs to be able to read and execute it).

2) Get xrdp to authenticate with AD (and local linux users)

Xrdp uses PAM to authenticate logins, so this one was remarkably easy to solve.

In the directory /etc/pam.d , you will notice there is a file called xrdp-sesman. This file specifies how xrdp uses PAM to authenticate users.

The default one (on the systems I set this up on) won't authenticate against AD, so we need to change it.

Rename that file to xrdp-sesman.old (or remove it – doesn't matter either way).

Then create a new xrdp-sesman file with the following contents:

#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
 
No need to restart the xrdp service: sesman runs the PAM stack afresh for every login, so the new file is picked up on the next connection.

The common-* files were altered when you installed Likewise/PowerBroker Identity Services to include the bits needed to authenticate against AD (its pam_lsass module). Note that @include and the common-* files are Debian/Ubuntu conventions; on a Red Hat-style system the equivalent is to pull in system-auth and friends with the "auth include system-auth" syntax instead.

This should now mean your Active Directory users can log into your RDP server.

To log in, either put your DOMAINNAME\USERNAME combination, or if you have a simple AD setup, just the AD username – both worked for me – then your AD password for that user.
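As an added worked example (not the post author's script, nor anything shipped with xrdp or pbis), here are both steps as one small POSIX shell script. The skeleton and PAM paths, the home-directory root /home/local/SCARYGLIDERS and the startlxde session are the ones used above; the final check assumes pam_lsass.so is the module name Likewise/pbis registers in common-auth. The paths are parameters so you can point the functions at a scratch directory first; run it as root with --apply to change the real files.

```shell
#!/bin/sh
# Added example (not from the post): step 1 (default .xsession) and step 2
# (PAM stack for xrdp-sesman) as functions with the paths as parameters, so
# they can be exercised against a scratch directory before touching /etc.
set -eu

# write_xsession SKEL_DIR HOMES_DIR DESKTOP_CMD
# Writes SKEL_DIR/.xsession containing DESKTOP_CMD (what new AD logins get
# via /etc/skel), then copies it into every existing home directory under
# HOMES_DIR that has no .xsession yet. Prints how many homes were updated.
write_xsession() {
    skel="$1"; homes="$2"; cmd="$3"
    mkdir -p "$skel"
    printf '%s\n' "$cmd" > "$skel/.xsession"
    chmod 0755 "$skel/.xsession"      # readable and executable by everyone
    copied=0
    for home in "$homes"/*; do
        [ -d "$home" ] || continue
        # Never clobber a session file a user has already customised.
        if [ ! -e "$home/.xsession" ]; then
            cp "$skel/.xsession" "$home/.xsession"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# write_pam_xrdp_sesman PAMD_DIR
# Moves any existing xrdp-sesman aside as xrdp-sesman.old and writes the
# Debian/Ubuntu-style stack from the post, which defers to the common-*
# files that Likewise/pbis already patched to include its module.
write_pam_xrdp_sesman() {
    pamd="$1"
    mkdir -p "$pamd"
    if [ -f "$pamd/xrdp-sesman" ]; then
        mv "$pamd/xrdp-sesman" "$pamd/xrdp-sesman.old"
    fi
    cat > "$pamd/xrdp-sesman" <<'EOF'
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
EOF
    chmod 0644 "$pamd/xrdp-sesman"
}

# pbis_hooked_into_pam PAMD_DIR
# The include stack only authenticates AD users if common-auth really loads
# the Likewise/pbis PAM module (assumed here to be pam_lsass.so). Returns
# non-zero otherwise, so a missing join or a re-run of pam-auth-update is
# caught before an AD user gets a login failure.
pbis_hooked_into_pam() {
    grep -q 'pam_lsass' "$1/common-auth" 2>/dev/null
}

# Real paths from the post; only touched when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    write_xsession /etc/skel /home/local/SCARYGLIDERS startlxde
    write_pam_xrdp_sesman /etc/pam.d
    pbis_hooked_into_pam /etc/pam.d \
        || echo "warning: pam_lsass not in /etc/pam.d/common-auth; AD logins will not work" >&2
fi
```

It never overwrites a .xsession a user already has, and it leaves the old xrdp-sesman beside the new one as xrdp-sesman.old, as the post suggests.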
And that's that. :)

If I get enough interest, I'll update my utilities to help configure RDP sessions for your AD accounts.

As always – please donate if this has saved you from a massive headache ;) Donations also increase my motivation to add this feature to my utilities ;)

How did you get on with this?


11 comments to xrdp authentication with Active Directory

  • Stephen

    What about using samba/samba-winbind?  Would that be a similar setup?
    Just found your site today, liking your XRDP stuff, keep it up.

  • lords3t

    I followed your instructions on installing X11rdp with your automating scripts and then these steps to get Active Directory based XRDP authentication. It works with ssh just fine, but I cannot get a domain account to log in through XRDP. It will start connecting… looks like the authentication is fine… but then it simply blinks out.

    Here are the permissions on /etc/skel/.xsession

    -rwxr--r-- 1 root root 39 Jan 11 16:59 .xsession

    Here is the one line in the file

    gnome-session --session=gnome-fallback

    Any ideas?

  • Henrik

    Is there a way to have Windows automatically fill in the AD credentials (always correct password), aka single sign-on?

  • Klaus Deiss

    Dear Kevin,

    Also great tutorial! xrdp-sesman already had correct entries. So I did not change …

    Biggest problem was to setup “likewise open”. I was not able to join the AD. Problem was my domain name which is ending in .local

    After hours I found a problem in my /etc/nsswitch.conf file. You must place the dns entry before the mdns4_minimal entry and before the mdns4 entry – like that here:

    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

    On Ubuntu standard is: files mdns4_minimal [NOTFOUND=return] dns mdns4

    I’ve sent you something via PayPal, I like the way you are doing that here ….

    greetz

    Klaus

  • Thanks for this! Ran into one (hopefully) last problem with this, hope you can help:

    I am using XFCE for my window manager under Mint Linux Olivia. I am able to log in via xrdp using a local linux user just fine. But when I try to log in with an AD user, I get:

    connecting to sesman ip 127.0.0.1 port 3350
    sesman connect ok
    sending login info to session manager, please wait…
    xrdp_mm_process_login_response: login successful for display
    started connecting
    connecting to 127.0.0.1 5911
    tcp connected
    security level is 2 (1 = none, 2 = standard)
    password failed
    error – problem connecting

    Any idea how to diagnose that password failed message? I know I’m using the correct password for my AD account, so thinking I need to configure something else.

    Any ideas most appreciated, thanks!

    • Can you log into the system (directly not via RDP) as an AD user?

      • Michael

        sorry for jumping in (same problem/error message):
        Yes I can. ssh connects and creates a /home///bin directory
        One of the domain users can connect, two others cannot. All have plain ascii passwords.

        Very strange?

  • roberto

    Is it possible to specify which domain group/user can log use xrdp somehow?

