Comprehensive Guide to Configuring a Jump Server on Ubuntu: Enabling GUI, RDP Access, and Active Directory Integration

In this, we will check How to configure the Ubuntu server edition to Ubuntu GUI for the Production Jump server setup in step-by-step.

:brain:Scenario:

We are running Ubuntu Server Edition. The team planned to make this one as a jump server for our production environment. Also, manage user access from the Windows Active directory.

:jigsaw:Solution:

First, convert the Ubuntu server edition to the desktop by installing GUI packages and configure the RDP-ready access for login remotely for all. Then configure the authentication with AD users with LDAP.

Key Skills:

Ubuntu Server, XRDP, Windows Active Directory, SSSD, LDAP.

:point_down:Summary of Steps :

1. Ubuntu Jump Server setup — Install Ubuntu GUI and enable Desktop Mode

2. Configure XRDP for remote RDP connections

3. Join Ubuntu to Active Directory - Connect Active Directory users to Ubuntu

1. Install Ubuntu Desktop Environment

Install Cinnamon and Xrdp on Ubuntu 22

Desktop — Ubuntu

Install Cinnamon GUI Desktop for the Ubuntu server it’s easy.

you can choose other Desktop Environments also like Mate, and XFCE.

First, we need to install packages for Ubuntu GUI with RDP for production environments.

let’s configure.

Step 1: Always Update your system first

sudo apt-get update

Step 2: Install the Required Packages

#Install Cinnamon GUI
sudo add-apt-repository universe
sudo add-apt-repository multiverse
sudo apt update -y
sudo apt-get install cinnamon -y

2. Configure XRDP for remote RDP connections

Install XRDP packages

sudo apt install xrdp -y

Step 3: Enable the service while boot and start the service

systemctl start xrdp && systemctl enable xrdp

By this, we are adding RDP enablement on the Ubuntu machine.

Security Tips:

In default, there is no security on the RDP connection. If you need a Secure SSL connection, Please check here.

If you wish to run RDP on a different port change the port settings on /etc/xrdp/xrdp.conf

Step 4: Allow From the firewall (optional)

sudo ufw allow from 192.168.1.0/24 proto tcp to any port 3389

Note: In IP address field enter your subnet

Step 5: Config Xclients

echo "cinnamon" > ~/.Xclients
chmod +x ~/.Xclients

Step 6: Restart the Xrdp service

sudo systemctl restart xrdp.service

Step 7: Log in via RDP IP:3389.

3. Connect Active Directory users to Ubuntu(SSO):

Active Directory (Domain Joining) to Ubuntu

Joining a Windows Active Directory (AD) domain can enhance the management of Linux systems within a Windows environment, enabling centralized authentication and policy enforcement. This guide will walk you through the process of joining a Ubuntu or Debian machine to a Windows AD domain.

Prerequisites

Before proceeding, ensure you have the following:

  1. Administrative Access: You need sudo or root access on the Ubuntu/Debian machine.
  2. Domain Information: Know the Fully Qualified Domain Name (FQDN) of your AD domain (e.g., example.com).
  3. Required Packages: Ensure you have the necessary packages installed on your system.

Step 1: Install Required Packages

To join an AD domain, you need to install the realmd, sssd, and adcli packages. Open a terminal and run the following command:

sudo apt update
sudo apt install realmd sssd adcli samba-common-bin

These packages enable integration with the AD and provide the necessary tools for joining the domain.

Step 2: Discover the Active Directory Domain

Host file:

Before that we need to Add /etc/hosts:

root@server-1:~# vim /etc/hosts
127.0.1.1 server-01
192.168.111.1 example.com EXAMPLE.COM

Use the realm command to discover the `AD` domain:

realm discover example.com

Replace example.com with your actual domain name. If the discovery is successful, you should see details about the domain, including its configuration.

Step 3: Join the Active Directory Domain

To join the domain, use the following command:

sudo realm join --user=administrator example.com

Replace administrator with a user account that has permission to join computers to the domain. You will be prompted to enter the password for the specified user.

Example:

sudo realm join --user=admin@example.com example.com

Step 4: Verify the Domain Join

After successfully joining the domain, verify the configuration by running:

realm list

This command displays information about the domain you’ve joined, confirming that the machine is part of the domain.

Expected Output Example:

example.com
  type: kerberos
  realm-name: EXAMPLE.COM       # DOMAINNAME
  domain-name: example.com      
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups:

Step 5: Configure SSSD (Optional)

SSSD (System Security Services Daemon) can be configured to manage user authentication from the AD. Edit the SSSD configuration file at /etc/sssd/sssd.conf to customize settings as needed.

Example configuration for sssd.conf:

[sssd]
domains = example.com         # DomainName
config_file_version = 2
services = nss, pam
[domain/example.com]
default_shell = /bin/bash
ad_server = example.com        # DomainName
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM        # DOMAINNAME
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u       # only username without @domain.com
ad_domain = example.com           # DomainName
use_fully_qualified_names = False # only username without @domain.com
ldap_id_mapping = True
access_provider = simple
ldap_sasl_authid = SERVER-1$
ldap_sasl_mech = GSSAPI
#simple_allow_groups =               # AD Group Name allow users only from this group
#ad_gpo_access_control = enforcinig  # Enable GPO for ubuntu 
#ad_gpo_ignore_unreadable = True     # 
  • fallback_homedir = /home/%u : home directory location. %u mentions the username.
  • use_fully_qualified_names : If this is enabled username should be entered as @<domain.com>

Ex:

AD username: karthick AD name: example.com

In Ubuntu username will be: karthick@example.com

  • simple_allow_groups : Only Allow specified AD groups, other users will deny.

Step 6: PAM Configuration

By editing the `/etc/pam.d/xrdp-sesman` file, enable PAM authentication for RDP connections.

#%PAM-1.0
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
@include common-auth
@include common-account
@include common-session
@include common-password

Update pam

sudo pam-auth-update - enable mkhomedir

Edit nsswitch:

Edit the /etc/nsswitch.conf and change the below parameters.

passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
#config end

Restart the services:

sudo systemctl restart sssd xrdp

Step 7: Test Domain User Authentication

To test if domain users can log in, you can use the following command:

id username@example.com
(OR)
getent passwd <AD_username>

Replace username@example.com with the actual domain user account. If successful, the output will display the user ID and groups associated with that account.

Example:

getent passwd user1
user1:*:1971415214:1971400513:user:/home/user1:/bin/bash

Ubuntu AD Domain integration with GUI

Joining an Ubuntu or Debian system to a Windows AD domain allows for streamlined user management and authentication.

By following these steps, you can successfully integrate your Linux system into a Windows-based environment. Ensure that security and policy settings are reviewed to maintain a secure configuration that aligns with your organization’s requirements.

Additional Considerations

  • Firewall Settings: Ensure that your firewall settings allow traffic to and from the domain controller.
  • DNS Configuration: Properly configure your DNS settings to resolve the domain controller’s address.
  • Logging and Monitoring: Implement logging and monitoring solutions to track domain join operations and user authentications.

With this setup, your Ubuntu/Debian system will be better integrated into your organizational infrastructure, enhancing both usability and security.