Joining Fedora Linux to an enterprise domain


When you think about corporate networks, the most widely used Linux-based operating system that comes to mind is Red Hat Enterprise Linux (RHEL), used mostly on servers, but also as workstations. Fedora Linux is also a very good choice for a workstation, and comes packed with lots of features to work in the corporate environment and makes management an easy task.

When you work with many machines in your network you need a way to manage users and machines in a centralized way. That’s why FreeIPA and Active Directory are the technologies of choice for this task. They allow a sysadmin to manage a huge amount of machines using a directory of all the entities in their network.

Fedora and Active Directory

Active Directory is very common in corporate environments. Fedora and RHEL integrate well with services such as FreeIPA or Active Directory by using the System Security Services Daemon (SSSD). SSSD is a system service to access remote directories and authentication mechanisms. A machine using this software is able to authenticate with remote credentials and access other services available in that directory network.

To join a domain network, you need the domain administrator’s permission to add the machine. The administrator may either grant special permissions to your domain credentials or pre-configure that machine on your behalf. Fedora Linux has an option to configure a machine during installation called Enterprise Login. If your network is already configured for the enterprise domain, you can log in with your domain credentials directly.

Screen capture of the Fedora Linux installer prompting for enterprise login settings.

In the case your configuration is not automated—or you have Fedora Linux already installed—you can join an Active Directory domain with a few configuration steps:

  1. Set up the DNS for this machine. To connect to a directory service, you need first to be able to resolve the directory domain name. If your network sets up the correct DNS using DHCP, you can skip this step.
  2. Change your machine name to reflect that it will be part of the new domain. Edit the file /etc/hostname and change the machine name to “machinename.my_domain”.
  3. Join the domain by executing this command: sudo realm join my_domain -v (replace “my_domain” with the name of your domain)
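The three steps above, gathered into one script with the checks a sysadmin would want before running the join. This is an added example, not code from the article or from realmd; realmd and SSSD are assumed to be installed (realm pulls them in on Fedora), and my_domain and machinename are placeholders passed on the command line. hostnamectl is used for step 2 because it writes /etc/hostname, the file the article edits by hand.

```shell
#!/bin/sh
# Added example: pre-flight checks plus the join sequence for an AD domain.
# Assumes realmd/sssd are installed; DOMAIN and SHORTNAME are placeholders.

# Build the FQDN the machine should carry inside the domain. Host names are
# lowercased, which is the form Active Directory registers them in.
fqdn_for_domain() {
    printf '%s.%s\n' "$1" "$2" | tr 'A-Z' 'a-z'
}

# Kerberos realm names are the DNS domain in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z'
}

# Succeed (exit 0) only if the host name already ends in ".<domain>",
# compared case-insensitively.
hostname_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# Step 1: the directory's Kerberos SRV record must resolve before realm
# discovery can work. Uses dig (bind-utils) when present, else getent.
domain_resolves() {
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "_kerberos._tcp.$1" | grep -q .
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# Steps 2 and 3: rename the host if needed, then join and verify.
join_domain() {
    domain=$1
    short=$2
    if ! domain_resolves "$domain"; then
        echo "cannot resolve $domain; fix DNS (step 1) before joining" >&2
        return 1
    fi
    current=$(hostname)
    if hostname_in_domain "$current" "$domain"; then
        fqdn=$current
    else
        fqdn=$(fqdn_for_domain "$short" "$domain")
        sudo hostnamectl set-hostname "$fqdn"
    fi
    # realm discover reports the domain type and the client packages it needs.
    sudo realm discover "$domain" || return 1
    # The join prompts for a domain account allowed to add computers.
    sudo realm join "$domain" -v || return 1
    # Verify: the realm is configured and a domain user resolves through SSSD.
    realm list
    echo "check with: id someuser@$domain; kinit someuser@$(realm_for_domain "$domain")"
}

# Run only when invoked with arguments, e.g.:
#   sh join-ad.sh my_domain machinename
if [ $# -eq 2 ]; then
    join_domain "$1" "$2"
fi
```

After a successful join, realm list should show the domain with configured: kerberos-member, and id someuser@my_domain should return the user's domain groups; if the lookup fails while the join succeeded, DNS or the SSSD service is the usual culprit.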

After running this command, the system will ask for the credentials of a user allowed to join new machines in that domain. If there are no errors in the process, the machine will become part of the domain.

GNOME's Online Accounts screen showing a configured Enterprise Login account.

Now that this machine is part of your domain you can:

  • Login with a domain username into the machine
  • Get kerberos tickets to access different services in the domain network
  • Access other services, depending on how the domain is configured

Manage Fedora Linux with Fleet Commander

Now that the machine is part of your domain, you can manage it with the domain administrator tools for Active Directory. Since your machine is not running Windows, you are limited to authentication and access to network and directory services. You cannot set up things like desktop-related configuration on this machine.

Luckily, Fedora has a tool called Fleet Commander.

Create configuration

Fleet Commander is a management tool that allows you to set up desktop configuration profiles for all Fedora Linux machines across your network.

This means you can easily set up configuration for the GNOME desktop, Firefox, Chrome, LibreOffice, and other supported software, and then have that configuration applied on login to selected users, groups, or machines in a granular way.

To use this tool, install the fleet-commander-admin package:

sudo dnf install fleet-commander-admin

Next, visit http://localhost:9090 in your browser to log in. On the menu to the left, click on Fleet Commander.

Fleet Commander has a tool to set up the configuration profiles intuitively using a “live session” mechanism. It runs a VM that serves as a template of your base machines. You have to manually make the configuration changes you want. Then you review all the configuration changes, select the ones you want to add to the profile, and deploy it.

Manage clients

On each of your Fedora Linux or RHEL machines, you will need to install the Fleet Commander client service. This service activates when a user logs in. It searches the domain for the profiles that apply to the current user or machine, and applies the configuration for the session.

To install the fleet-commander-client:

sudo dnf install fleet-commander-client

The software will detect if the machine is part of a domain automatically. When a user logs in, it will set up the session with the profiles that apply to the user.


14 Comments

  1. Marcelo

    Congratulations on the article, very useful to know these resources, thank you.

  2. LavaCreeperKing

    Wow, did not know about all of this. I don’t have a Windows server (Windows is terrible) to create an active directory with, but there is a tool to create Linux domains with. So I now need to play with setting up a Linux domain.

  3. MT

    I tested it on a stock Fedora 34 Workstation Installation and a Windows Server 2016 Standard Edition.
    I had to add “rc4-hmac” in the file “/etc/krb5.conf.d/crypto-policies” on my Fedora Workstation. Then the join succeeded. Without “rc4-hmac” it did not work.

  4. DDG

    What would happen if I install this on my laptop, bring said laptop outside with no connection to my FreeIPA/AD boxes at home? Can I still login?

    • James

      Yes, SSSD caches the last-seen good credentials.

    • René Genz

      SSSD supports offline login: https://fedoraproject.org/wiki/Features/SSSD#Benefit_to_Fedora
      First log in with directory-based account must happen on-site. Fleet Commander client not required for offline login.

      • Yes. SSSD caches the login information so you can login offline. Fleet Commander Client is not required for login. It just fires after login, and in the case of Active Directory, checks if the directory services are present, downloads the profiles for that user and then applies them. In the case of FreeIPA, the profiles are downloaded and cached by SSSD.

        If Fleet Commander is not able to download the profiles in Active Directory and there was a previous login, it will reuse the cached profiles.

    • Mike

      Yes, SSSD allows for cached credentials. Well it did for my test when I was playing with it a couple years ago.
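The offline login behaviour discussed in this thread is controlled by a few SSSD settings. The fragment below is an added illustration, not from the article or the commenters: it shows the relevant options in /etc/sssd/sssd.conf for a domain joined with realm join, with my_domain as a placeholder. realm join already writes the [domain] section with cache_credentials enabled; the [pam] options are the ones to adjust if cached logins should expire or be rate-limited.

```ini
# /etc/sssd/sssd.conf (added example fragment; my_domain is a placeholder)
[sssd]
domains = my_domain
services = nss, pam

[domain/my_domain]
id_provider = ad
access_provider = ad
# Keep a hash of the last successful password so login works offline.
cache_credentials = True
# Remember the password so a Kerberos ticket is obtained once the network is back.
krb5_store_password_if_offline = True

[pam]
# Days a cached credential stays usable offline; 0 (the default) never expires.
offline_credentials_expiration = 7
# Consecutive failed offline attempts before the cached entry is locked,
# and the delay in minutes before it can be tried again.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

The file must stay mode 0600 and owned by root; after editing it, restart the service with sudo systemctl restart sssd and check offline behaviour with sssctl domain-status my_domain.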

  5. Torsten Nielsen

    Joining a machine during installation went without a hitch, but I’m wondering how to get admin/root/sudo privileges after the installation is complete. I didn’t create any local admin account. Logging in with AD credentials works, but I don’t have sudo rights. Do I have to manage sudo via AD? Or am I missing something obvious?


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions
