Ubuntu Desktops in enterprises using Entra ID?

Supporting Ubuntu Desktops in traditional Active Directory environments is working quite well using sssd, adsys and landscape.

But when it comes to an all cloud native environment using Entra ID, the traditional methods no longer work. So, what is the supported way to get Ubuntu Desktops to work in such an environment?
I’ve found this article: https://ubuntu.com/blog/azure-ad-authentication-comes-to-ubuntu-desktop-23-04. However, this seems already deprecated? Then there is the authd project here, https://github.com/ubuntu/authd, but it’s unclear if this is a supported tool, and it doesn’t appear to be included in Ubuntu 24.04 LTS.

Also, ADsys doesn’t work with Entra ID as there are no GPOs in Entra. What’s the proposed way to manage clients then? MS Intune is very limited when it comes to what it can do in Linux. Landscape might be an alternative if one uses the cloud version. But even landscape lacks in functionality.

Does anyone have any insights? Thanks!

1 Like

Hi @jdoe53851! Your read of the status is correct, we’re reworking our aad_auth interim release implementation to support a wider range of use-cases and brokers. This work is happening in the new authd; however, we are not yet ready to land this work in the distro. We plan to bring it to Ubuntu 24.04 LTS with support for Entra ID in a future point release once the new functionality has been finalised and did not include aad_auth as a result. You can follow the development on GitHub and we’ll provide an update once it’s ready with additional documentation.

In terms of policy support this is a separate topic that is more complex as GPO support would indeed ideally be handled by MS Intune and therefore implemented by Microsoft.

3 Likes

Hi, I am trying to set up authd on Ubuntu 24.04

I managed to install authd but I fail to understand how I should set up the broker. Can anyone point me in the right direction, please?

I managed to get aad auth to work using the traditional method but I am having issues with sudo, which should now be resolved on authd if I manage to set up a broker but I cannot find any documentation to understand how a broker should be set up.

Hi @taspanja, authd will be supported officially later this year; in the meantime we’re working on enabling a test PPA with some brief documentation ahead of that. Please bear with us whilst we prepare that package and check back in towards the end of this month.

Thank you for the update, is there any way I can help out with this?

As soon as it is published to a PPA (hopefully by end of this month) you can definitely help testing and reporting bugs or improvements. I’ll let you know when it is ready to test.

2 Likes

Hi, is this still in development or is it available?

If this is ready for a test PPA, I just spun up a server today as a test case for adding Ubuntu servers to Entra so I’ll be ready to rock and roll.

We’re very close, give us a few more days of internal testing and we’ll post on this thread the moment it’s available.

1 Like

@seanffc @german the authd PPA is now ready for testing. There are some outstanding issues still to be resolved before it’s considered stable, but the current implementation is at a point where your feedback would be beneficial!

02 Installation · ubuntu/authd Wiki · GitHub

3 Likes

Thanks for releasing this to PPA.

After going through the setup process at the link you provided and attempting to log in on an Ubuntu 24.04 Desktop install, I see one of three behaviors.
The first is it waits a little bit and returns to the general login page with the local user and the “Not listed?” option.
The second is it waits a little bit, returns to the “select the broker” screen, and then goes back to the general login page with the local user and the “Not listed?” option.
The third (albeit rare behavior) is it shows the following error message:
"could not authneticate user: oauth2: “invalid_client”
“AADSTS700218: The request body must contain the following”
I’m not able to see the last line, for whatever reason it seems to be cut off.

Is there any chance you could expand on what the “Client credentials” or web “Redirect URIs” are configured as at 03 Configuration · ubuntu/authd Wiki · GitHub?
I tried setting the web Redirect URI as http://localhost, however, it doesn’t seem to make a difference compared to leaving it blank.

Hi @callanova, it’s great that you’re testing the PPA but do you mind filing these Q’s as issues on the authd GitHub rather than here? Discourse isn’t designed for troubleshooting and that way it’ll get straight to the dedicated engineers.

1 Like

Issue: Unable to login successfully after following “Get started with authd” steps · Issue #431 · ubuntu/authd (github.com) has been created.
Thanks.

2 Likes