I have a Linux-based server, called nethserver, in my office that handles various tasks such as samba share, DHCP, and recently added active directory for Windows clients. I have enabled active directory on the server so that domain users can log in to the Windows clients, but I am unable to use a fingerprint sensor for login.
Currently, the following is working:
- Active directory on the server
- Adding Windows PCs to the domain
- Logging in as a domain user on a Windows machine
What I would like to get working is:
- Fingerprint sensor login (possibly using Windows Hello)
- I believe that a PIN login may be required to enable fingerprint login
I have already tried the following:
- Allowing fingerprint sensor login and Windows Hello/PIN login through Group Policy Objects (GPOs) in both the computer and user configurations
I have read that I may need to use a Windows Server domain to enable Windows Hello for Business and thus enable the use of a PIN login or fingerprint sensor. Is there a workaround to enable the use of a fingerprint reader for Windows clients in a domain?
3 Answers
Introduction
Linux-based servers are becoming increasingly popular in offices due to their versatility and ability to handle various tasks such as samba share, DHCP, and active directory for Windows clients. However, enabling a fingerprint sensor for login can be a challenge. In this blog post, we will discuss how to enable a fingerprint sensor in a domain and Linux active directory.
Understanding the Problem
The problem is that the fingerprint sensor login is not working for domain users on Windows clients. Although active directory is enabled on the server and Windows clients can log in as a domain user, the fingerprint sensor login is not working. The user has already tried to allow fingerprint sensor login and Windows Hello/PIN login through Group Policy Objects (GPOs) in both the computer and user configurations, but it did not work.
Windows Server Domain
To enable Windows Hello for Business and thus enable the use of a PIN login or fingerprint sensor, a Windows Server domain is required. However, there is a workaround to enable the use of a fingerprint reader for Windows clients in a domain.
Workaround
To enable the use of a fingerprint reader for Windows clients in a domain, we need to install some software on the Linux server. The software we need is SSSD (System Security Services Daemon) and Fprintd (Fingerprint Daemon). SSSD is a system daemon that provides access to remote identity and authentication providers, while Fprintd is a fingerprint daemon that provides support for fingerprint readers.
Step 1: Install SSSD and Fprintd
To install SSSD and Fprintd, run the following commands in the terminal:
sudo apt-get update
sudo apt-get install sssd libpam-sss libnss-sss fprintd libfprint0
Step 2: Configure SSSD
Next, we need to configure SSSD. Open the sssd.conf file using the following command:
sudo nano /etc/sssd/sssd.conf
Add the following lines to the file:
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.local
[nss]
homedir_substring = /home
[pam]
offline_credentials_expiration = 60
[domain/mydomain.local]
id_provider = ad
access_provider = ad
ad_domain = mydomain.local
cache_credentials = true
enumerate = true
fallback_homedir = /home/%u
auth_provider = ad
ldap_id_mapping = true
use_fully_qualified_names = false
Replace mydomain.local with your domain name.
Step 3: Configure PAM
Next, we need to configure PAM. Open the common-auth file using the following command:
sudo nano /etc/pam.d/common-auth
Add the following line to the file:
auth sufficient pam_sss.so
Step 4: Configure Fprintd
Next, we need to configure Fprintd. Open the policy file using the following command:
sudo nano /usr/share/polkit-1/actions/org.freedesktop.fprint.policy
Add the following lines to the file:
<action id="org.freedesktop.fprint.enroll">
  <description>Enroll a fingerprint</description>
  <message>Authentication is required to enroll a fingerprint</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>auth_admin</allow_active>
  </defaults>
</action>
<action id="org.freedesktop.fprint.verify">
  <description>Verify a fingerprint</description>
  <message>Authentication is required to verify a fingerprint</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>auth_admin</allow_active>
  </defaults>
</action>
Save and close the file.
Step 5: Restart Services
Finally, we need to restart the services. Run the following commands in the terminal:
sudo systemctl restart sssd
sudo systemctl restart fprintd
Conclusion
Enabling a fingerprint sensor for login can be a challenge for Linux-based servers in a domain and Linux active directory. However, by using the workaround we discussed in this blog post, we can enable the use of a fingerprint reader for Windows clients in a domain.
It is not possible to use a fingerprint sensor for login in a Linux-based server with an Active Directory configuration. Windows Hello and fingerprint sensor login are features that are specific to the Windows operating system and are not available on Linux systems.
If you want to use a fingerprint sensor for login, you will need to use a Windows Server domain and enable Windows Hello for Business. This will allow you to set up a PIN login or use a fingerprint sensor for login on Windows clients that are joined to the domain.
Alternatively, you can consider using a third-party fingerprint sensor software that is compatible with Linux and supports integration with Active Directory. One such example is Fprint, which is an open-source fingerprint recognition software for Linux. However, keep in mind that this may not be as seamless as using a native Windows solution and may require additional configuration and setup.
I found a solution for enabling fingerprint login on a Windows domain.
- Edit the registry by going to HKLM\SOFTWARE\Policies\Microsoft\Windows\System and adding a DWORD32 value called "AllowDomainPINLogon" with a value of "1".
- Edit the Group Policy Object (GPO) as follows:
  - Go to "Computer Configuration"
  - Navigate to "Administrative Templates"
  - Go to "Windows Components"
  - Select "Biometric"
  - Enable the policy "Allow domain users to log on using biometric authentication" (Note: the exact wording may vary depending on your language and version of Windows).
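As an added example (not code from the answer above), a PowerShell script that applies and then verifies the two settings the answer describes on a single client. AllowDomainPINLogon is the value named in the answer; the Biometrics "Domain Accounts" value is my assumption for the registry backing of the biometrics GPO and should be confirmed with gpresult on your own machine.

```powershell
# Added example: apply and verify the policy values behind the answer's two steps.
# Run in an elevated PowerShell session on the Windows client.
# AllowDomainPINLogon is the value the answer names. The "Domain Accounts" value is the
# assumed registry backing of the GPO "Allow domain users to log on using biometrics";
# verify the mapping with gpresult /h before relying on it. For a fleet, prefer a GPO.

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'AllowDomainPINLogon'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name = 'Domain Accounts'; Value = 1 }
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # DWORD32, as the answer specifies
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq $Expected)
}

foreach ($s in $settings) {
    Set-PolicyValue @s
    if (Test-PolicyValue -Path $s.Path -Name $s.Name -Expected $s.Value) {
        Write-Output "OK   $($s.Path)\$($s.Name) = $($s.Value)"
    } else {
        Write-Output "FAIL $($s.Path)\$($s.Name)"
    }
}

# The policy alone is not enough: the Windows Biometric Service must be running and a
# sensor must be present, and a PIN must be enrolled before a fingerprint can be added.
Get-Service WbioSrvc | Select-Object Name, Status
Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue | Select-Object FriendlyName, Status
```

Note that this enables the convenience PIN rather than Windows Hello for Business: the PIN or fingerprint unlocks domain credentials cached on the client instead of a TPM-backed key, so the client's disk encryption and local admin hygiene matter more once it is on.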