When you think about corporate networks, the most widely used Linux-based operating system that comes to mind is Red Hat Enterprise Linux (RHEL), used mostly on servers, but also as workstations. Fedora Linux is also a very good choice for a workstation, and comes packed with lots of features to work in the corporate environment and makes management an easy task.
When you work with many machines in your network you need a way to manage users and machines in a centralized way. That’s why FreeIPA and Active Directory are the technologies of choice for this task. They allow a sysadmin to manage a huge amount of machines using a directory of all the entities in their network.
Fedora and Active Directory
Active Directory is very common in corporate environments. Fedora and RHEL integrate well with services such as FreeIPA or Active Directory by using the System Security Services Daemon (SSSD). SSSD is a system service to access remote directories and authentication mechanisms. A machine using this software is able to authenticate with remote credentials and access other services available in that directory network.
To join a domain network, you need the domain administrator’s permission to add the machine. Maybe by setting special permissions on your domain credentials or doing the pre-configuration of that machine on your behalf. Fedora Linux has an option to configure a machine during installation called Enterprise Login. If your machine network is automatically configured for the enterprise domain network, then you can login with your domain credentials directly.
In the case your configuration is not automated—or you have Fedora Linux already installed—you can join an Active Directory domain with a few configuration steps:
- Set up the DNS for this machine. To connect to a directory service, you need first to be able to resolve the directory domain name. If your network sets up the correct DNS using DHCP, you can skip this step.
- Change your machine name to reflect it will be part of the new domain. Edit the file /etc/hostname and change the machine name to “machinename.my_domain”
- Join the domain by executing this command: sudo realm join my_domain -v (replace “my_domain” with the name of your domain)
After running this command, the system will ask for the credentials of a user allowed to join new machines in that domain. If there are no errors in the process, the machine will become part of the domain.
Now that this machine is part of your domain you can:
- Login with a domain username into the machine
- Get kerberos tickets to access different services in the domain network
- Access other services, depending on how the domain is configured
Manage Fedora Linux with Fleet Commander
Now the machine is part of your domain, you can manage it with the domain administrator tools for Active Directory. Since your machine is not running Windows, you are limited to authentication and access to network and directory services. You cannot set up things like desktop-related configuration on this machine.
Luckily, Fedora has a tool called Fleet Commander.
Fleet Commander is a management tool that allows you to set up desktop configuration profiles for all Fedora Linux machines across your network.
This means, you can set up any configuration for GNOME desktop, Firefox, Chrome, LibreOffice, and other supported software in an easy way, and then make that configuration to be applied on login to the selected users/groups/machines in a granular way.
To use this tool, install the fleet-commander-admin package
sudo dnf install fleet-commander-admin
Next, visit http://localhost:9090 in your browser to log in. On the menu to the left, click on Fleet Commander.
Fleet Commander has a tool to set up the configuration profiles intuitively using a “live session” mechanism. It runs a VM that serves as a template of your base machines. You have to manually make the configuration changes you want. Then you review all the configuration changes, select the ones you want to add to the profile, and deploy it.
In each of your Fedora Linux or RHEL machines, you will need to install the Fleet Commander client service. This service activates when a user logs in. It searches the domain for the profiles that apply to current user/machine, and applies the configuration for the session.
To install the fleet-commander-client:
sudo dnf install fleet-commander-client
The software will detect if the machine is part of a domain automatically. When a user logs in, it will set up the session with the profiles that apply to the user.