When you think about corporate networks, the most widely used Linux-based operating system that comes to mind is Red Hat Enterprise Linux (RHEL), used mostly on servers, but also as workstations. Fedora Linux is also a very good choice for a workstation, and comes packed with lots of features to work in the corporate environment and makes management an easy task.
When you work with many machines in your network you need a way to manage users and machines in a centralized way. That’s why FreeIPA and Active Directory are the technologies of choice for this task. They allow a sysadmin to manage a huge amount of machines using a directory of all the entities in their network.
Fedora and Active Directory
Active Directory is very common in corporate environments. Fedora and RHEL integrate well with services such as FreeIPA or Active Directory by using the System Security Services Daemon (SSSD). SSSD is a system service to access remote directories and authentication mechanisms. A machine using this software is able to authenticate with remote credentials and access other services available in that directory network.
To join a domain network, you need the domain administrator’s permission to add the machine. Maybe by setting special permissions on your domain credentials or doing the pre-configuration of that machine on your behalf. Fedora Linux has an option to configure a machine during installation called Enterprise Login. If your machine network is automatically configured for the enterprise domain network, then you can login with your domain credentials directly.
In the case your configuration is not automated—or you have Fedora Linux already installed—you can join an Active Directory domain with a few configuration steps:
- Set up the DNS for this machine. To connect to a directory service, you need first to be able to resolve the directory domain name. If your network sets up the correct DNS using DHCP, you can skip this step.
- Change your machine name to reflect it will be part of the new domain. Edit the file /etc/hostname and change the machine name to “machinename.my_domain”
- Join the domain by executing this command: sudo realm join my_domain -v (replace “my_domain” with the name of your domain)
After running this command, the system will ask for the credentials of a user allowed to join new machines in that domain. If there are no errors in the process, the machine will become part of the domain.
Now that this machine is part of your domain you can:
- Login with a domain username into the machine
- Get kerberos tickets to access different services in the domain network
- Access other services, depending on how the domain is configured
Manage Fedora Linux with Fleet Commander
Now the machine is part of your domain, you can manage it with the domain administrator tools for Active Directory. Since your machine is not running Windows, you are limited to authentication and access to network and directory services. You cannot set up things like desktop-related configuration on this machine.
Luckily, Fedora has a tool called Fleet Commander.
Fleet Commander is a management tool that allows you to set up desktop configuration profiles for all Fedora Linux machines across your network.
This means, you can set up any configuration for GNOME desktop, Firefox, Chrome, LibreOffice, and other supported software in an easy way, and then make that configuration to be applied on login to the selected users/groups/machines in a granular way.
To use this tool, install the fleet-commander-admin package
sudo dnf install fleet-commander-admin
Next, visit http://localhost:9090 in your browser to log in. On the menu to the left, click on Fleet Commander.
Fleet Commander has a tool to set up the configuration profiles intuitively using a “live session” mechanism. It runs a VM that serves as a template of your base machines. You have to manually make the configuration changes you want. Then you review all the configuration changes, select the ones you want to add to the profile, and deploy it.
In each of your Fedora Linux or RHEL machines, you will need to install the Fleet Commander client service. This service activates when a user logs in. It searches the domain for the profiles that apply to current user/machine, and applies the configuration for the session.
To install the fleet-commander-client:
sudo dnf install fleet-commander-client
The software will detect if the machine is part of a domain automatically. When a user logs in, it will set up the session with the profiles that apply to the user.
Congratulations on the article, very useful to know these resources, thank you.
Very useful information.
Wow did not know about all of this. I don’t have a Windows server(Windows is terrible) to create an active directory with, but there is a tool to create Linux domains with. So I now need to play with setting up a Linux domain.
I tested it on a stock Fedora 34 Workstation Installation and a Windows Server 2016 Standard Edition.
I have to add “rc4-hmac” in the file “/etc/krb5.conf.d/crypto-policies” on my Fedora Workstation. Then the join succeeded. Without “rc4-hmac” it did not work.
Muhammad Zamri Bin Muhamad Suharini
Thanks for the info
re-adding “rc4-hmac” is a bad solution considering security, see:
better enable AES in Active Directory
What would happen if i install this on my laptop, bring said laptop outside with no connection to my FreeIPA/AD boxes at home? Can i still login?
Yes, SSSD caches the last-seen good credentials.
SSSD supports offline login: https://fedoraproject.org/wiki/Features/SSSD#Benefit_to_Fedora
First log in with directory-based account must happen on-site. Fleet Commander client not required for offline login.
Yes. SSSD caches the login information so you can login offline. Fleet Commander Client is not required for login. It just fires after login, and in the case of Active Directory, checks if the directory services are present, downloads the profiles for that user and then apply them. In the case of FreeIPA, the profiles are downloaded and cached by SSSD.
If Fleet Commander is not able to download the profiles in Active Directory and there was a previous login, if will reuse the cached profiles.
Yes, SSSD allows for cached credentials. Well it did for my test when I was playing with it a couple years ago.
Joining a machine during installation went without a hitch, but I’m wondering how to get admin/root/sudo priviledges after the installation is complete. I didn’t create any local admin account. Logging in with AD-credentials work, but I don’t have sudo rights. Do I have to manage sudo via AD? or am I missing something obvious?
We are working on that.