
Use MCS to deploy Linux VMs: No support for PBIS?


tylital520

Question

Hi,

 

We use PBIS to join our Linux VMs to our Active Directory domain because that is the only method which enables users from a trusted domain to log in to the Linux VDI. The problem is that after we use MCS to create new Linux VMs, something gets broken. The /etc/samba/smb.conf and /etc/krb5.conf are changed after the MCS deployment and PBIS doesn't work anymore.

 

Over here: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/use-mcs-to-create-linux-vms.html

on Step 1f: Set up the runtime environment, it says that in /var/xdl/mcs/mcs.conf AD_INTEGRATION should be set to either "winbind" or "SSSD", and there's no mention of PBIS. We've left it at the default, which is winbind.

 

So my question is, we're not able to use PBIS if we want to use MCS to deploy Linux VDIs? Could somebody from Citrix answer this?

 

Our env:

Citrix Apps and Desktops 1906

LinuxVDA-1906.ubuntu18.04.deb

Ubuntu 18.04.3 LTS Desktop

VMware ESXi 6


12 answers to this question

2 hours ago, Chenxiang Wang said:

PBIS is not supported when using MCS to deploy Linux VDIs.

Are you planning to support PBIS at some point? Any schedule for this? Like I said, it is the only domain join method that works with domain trusts. PBIS enables users from a trusted domain to log in to domain-joined Linux.

1 minute ago, tylital520 said:

Are you planning to support PBIS at some point? Any schedule for this? Like I said, it is the only domain join method that works with domain trusts. PBIS enables users from a trusted domain to log in to domain-joined Linux.

We don't have a plan to support PBIS recently. I'm sorry for that. If we plan to support PBIS, I will tell you.

1 hour ago, Chenxiang Wang said:

Could you give a more detailed explanation about your env about trusted domain please?  We have tested the subdomain with Winbind domain join method and it works. It should also work with trusted domain.

 

We have our lab Active Directory domain (Domain A in Forest A) which has a one-way trust with corp domain (Domain B in Forest B).

Users access the Receiver for Web URL with a web browser and enter their Domain B credentials. They are able to launch and access Windows 10 VDIs which are joined to Domain A (our lab domain). So because of the trust they can log in to Domain A resources with Domain B credentials.

 

 


With Linux, e.g. Ubuntu we have not been able to get this to work with winbind or SSSD. Only PBIS seems to work in the scenario I have described. If you know how winbind or SSSD should be configured to get this to work please let me know.

10 hours ago, Jigao Huang said:

Hello,

unfortunately this does not help much:

Quote

For HDX session authentication, user accounts must reside in the same domain as the VDA or in an outgoing trusted domain. Stated differently, the VDA is trusting of the users’ domain but the users’ domain does not necessarily need to trust the VDA domain.

For more information, look for the Active Directory planning guides for deploying the Linux VDA into complex AD environments.

 

But based on that quote I understand that a one-way trust should also work with winbind or SSSD on Linux VDA, meaning that users from a trusted domain should be able to log in to the Linux VDA? Is this true?

 

When I deploy Linux VDA's with MCS I get the following error after logging in with user account from a trusted domain (one-way trust):

 

[Image: screenshot of the error]

21 hours ago, tylital520 said:

Do you @Jigao Huang or @Chenxiang Wang have any input for this? Should I be able to get this to work with winbind?

Confirmed with the development team: this scenario has never been tested, and they are not sure if it is supported. They will add this test scenario to their test plan. If this case is urgent, please contact Citrix Tech Support to accelerate this process.
