Fedora 27 Corporate Workstation Installation
Linux, independent of its variations, is the most used operating system in the world in server environments, and we can usually see a lot of end users adopting it as well. It is impossible to overlook the effort of the open source community contributors to make Linux more friendly and usable for non-Jedi users. This work was written with a focus on corporate end users and a corporate environment (SMB, small and medium business).
Contextualization
Fedora Linux is one of the best distros and can be considered really stable for end users in a production environment. The first release was in 2003 under the name Fedora Core 1, and it was based on Red Hat Linux, on which it is still based today.
I chose to write this article about Fedora because it gave a good experience and good results in a real production environment, for advanced and beginner users, with a lot of corporate variables, purposes, and activities.
The environment in this article consists of joining a Fedora Workstation to a domain controller, which can be Samba 4 or Microsoft Active Directory, and setting up authentication for domain users and domain admins on the workstation, locally or remotely through SSH.
This article also mentions some proprietary software for Linux; we must consider that in a real environment a lot of resources are necessary, according to each business's needs.
Disclaimer
This article was written with a focus on end users, and I cannot guarantee that all settings will work in your environment, but I can try to answer any related questions. Security is another important subject, but this article does not cover it.
Resources
There are several ways to install Fedora. For test purposes I recommend a virtual machine; you can use VirtualBox or any other virtualization environment if you prefer, or you can use a physical computer. The prerequisites for installing Fedora are a 1GHz or faster processor, 1GB of system memory, and 10GB of unallocated drive space. To complete the configuration you need a domain controller; I recommend Samba 4, but you can use Microsoft Active Directory.
Installing Fedora 27
To download Fedora 27 you can use the direct link (http://fedora.c3sl.ufpr.br/linux/releases/27/Workstation/x86_64/iso/) or choose the best mirror for you at https://getfedora.org/. After the download, you can burn a DVD or create a bootable pen drive from the ISO file. I usually use Etcher for this task; you can find this open source software at https://etcher.io/.
At the first screen choose the option Start Fedora-Workstation-Live 27:
Select the option Install to Hard Drive to start the installation:
Choose your language and the keyboard layout of your computer:
Choose the option Installation Destination and select the hard drive that you want to install to, if you have more than one. Mark the option Automatically configure partitioning and press Done:
Choose the option Begin installation:
Set up the root password; you don't need to create a user now. A local user will be created later for management purposes. Remember, this computer will be joined to a domain, and all users from your network will be able to authenticate on this computer.
Remember, always use a strong password.
When the installation is complete, press the Quit button.
Eject the ISO or DVD and reboot your computer. The basic installation is done.
After the reboot, the system will log in automatically and you can do the additional setup.
The first screen covers the basic configuration; at first login, every user is able to define their own Fedora settings.
Choose the language.
Choose the keyboard layout.
Turn on the location services if you need it.
Choose the time zone.
For additional software, turn on Proprietary software sources repositories:
Connect to the online third party services Google, Nextcloud, Microsoft or Facebook.
Create a local user by filling in the following form. As a piece of advice, working as the root user is not good practice. For this lab, the name of the user is localuser:
Don’t use the option Set Up Enterprise Login.
Use a strong password; administration rights will be given automatically to the new user.
The system is ready for use.
Select Start Using Fedora and log in with localuser to continue the configuration.
The first thing to do after login is to open the terminal and update the system. Run the following commands and type the password:
$ sudo su
# dnf update
Press y and press enter. The first system update can be slow, be patient. Usually, I reboot the system after the update is complete.
Install Additional Repositories and Packages on Fedora 27
To meet the purposes of this article, we need to install additional software repositories and third-party packages. The repositories needed are listed below; run the following commands to install them:
$ sudo su
# dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-27.noarch.rpm
# dnf install https://go.skype.com/skypeforlinux-64.rpm
The commands below configure the Google repository:
# rpm --import https://dl.google.com/linux/linux_signing_key.pub
# printf '%s\n' '[google-chrome]' 'name=google-chrome' 'baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64' 'enabled=1' 'gpgcheck=1' 'gpgkey=https://dl.google.com/linux/linux_signing_key.pub' >/etc/yum.repos.d/google-chrome.repo
After configuring the repositories, run the command:
# dnf update
Now install the list of packages needed for this Fedora setup; I show an easy way to install them all further below. The list includes some additional packages that improve the user experience, besides the system packages that extend Fedora's features and will be used to join Fedora 27 to the network domain.
samba
realmd
sssd
oddjob
oddjob-mkhomedir
adcli
samba-common-tools
krb5-workstation
openldap-clients
policycoreutils-python
samba-winbind-clients
samba-winbind
gnome-tweak-tool.noarch
java-openjdk
icedtea-web
unzip
thunderbird.x86_64
gimp
vim
gnome-music.x86_64
gnome-photos
p7zip
vlc
curl
cabextract
xorg-x11-font-utils
fontconfig
https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
gscan2pdf.noarch
system-config-printer
tesseract.x86_64
tesseract-langpack-enm.noarch
libreoffice-langpack-en.x86_64
brasero.x86_64
nautilus-extensions.x86_64
brasero-nautilus.x86_64
nautilus-sendto.x86_64
nautilus-font-manager.noarch
gnome-terminal-nautilus.x86_64
nautilus-image-converter.x86_64
nautilus-search-tool.x86_64
sushi.x86_64
raw-thumbnailer.x86_64
Pinta.x86_64
dnf-automatic
dconf-editor
NetworkManager
To install all packages in an easy way, create a file named package.txt with the list above (one package per line), and run:
# for i in $(cat package.txt); do dnf install -y "$i"; done
The installation can be slow, be patient.
Enable Automatic Security Updates on Fedora 27
It is a best practice to enable automatic security updates for an operating system. They provide a lot of bug fixes and keep your system safer.
To apply only the security updates, edit the /etc/dnf/automatic.conf file with vim and change the following parameters (press Insert to edit):
# vim /etc/dnf/automatic.conf
The config file should look like the content below. Change the values of the upgrade_type and apply_updates lines to match:
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = security
random_sleep = 300
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available.
# Note that if this is set to no, downloaded packages will be left in the
# cache regardless of the keepcache setting.
apply_updates = yes
[emitters]
# Name to use for this system in messages that are emitted. Default is the
# hostname.
# system_name = my-host
# How to send messages. Valid options are stdio, email and motd. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via includes motd, /etc/motd file will have the messages.
# Default is email,stdio.
emit_via = stdio
[email]
# The address to send email messages from.
email_from = [email protected]
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to send email messages.
email_host = localhost
[base]
# This section overrides dnf.conf
# Use this to filter DNF core messages
debuglevel = 1
To save the changes in vim, press ESC, type :wq! and press Enter.
After changing the file, you need to enable the schedule of automatic security updates:
# systemctl enable dnf-automatic.timer
# systemctl start dnf-automatic.timer
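A check for the two values changed above, as an added example that is not part of the original article: it reads upgrade_type and apply_updates from the [commands] section only, so a misspelled key, a commented-out line or a value placed in another section is reported as a failure. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dnf-automatic config for the two values set above.

# Print the value of KEY in [SECTION] of FILE (last one seen); nothing if unset.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                 # commented-out lines never count
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Succeed only if security-only upgrades are selected and actually applied.
security_updates_enabled() {
    [ "$(conf_get "$1" commands upgrade_type)" = security ] || return 1
    case $(conf_get "$1" commands apply_updates) in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the intended config, and one with a misspelled key,
# apply_updates commented out, and a stray copy in the wrong section.
good=$(mktemp) bad=$(mktemp)
printf '%s\n' '[commands]' 'upgrade_type = security' 'apply_updates = yes' \
    '[emitters]' 'emit_via = stdio' > "$good"
printf '%s\n' '[commands]' 'upgrate_type = security' '# apply_updates = yes' \
    '[emitters]' 'apply_updates = yes' > "$bad"

for f in "$good" "$bad"; do
    if security_updates_enabled "$f"; then
        echo "OK:   security updates are applied automatically"
    else
        echo "FAIL: upgrade_type='$(conf_get "$f" commands upgrade_type)'" \
             "apply_updates='$(conf_get "$f" commands apply_updates)'"
    fi
done
rm -f "$good" "$bad"
```

On the workstation, call security_updates_enabled /etc/dnf/automatic.conf and pair it with systemctl is-enabled dnf-automatic.timer.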
Change Computer name on Fedora 27
To change the computer hostname, run the following commands (choose the hostname you want; I used Workstation-Fedora27):
$ sudo su
# hostnamectl set-hostname --pretty Workstation-Fedora27
# hostnamectl set-hostname --transient Workstation-Fedora27
# hostnamectl set-hostname --static Workstation-Fedora27
To verify the changes go to settings and press details.
Also, you can verify on terminal running the following command:
# hostname
The output must be the hostname, in this case, Workstation-Fedora27.
Disable SELinux (Security-Enhanced Linux) on Fedora 27
SELinux is an acronym for Security-Enhanced Linux; it is a security feature of the Linux kernel. To keep this article more friendly, I do not cover the setup of SELinux; we disabled it because I found some problems joining the computer to the domain with SELinux enabled. By the way, if you want to know more about security and SELinux, you can find good articles explaining this subject. To disable SELinux, run the command:
# vim /etc/sysconfig/selinux
Change the value of SELINUX from enforcing to disabled, save the file and reboot your computer.
Join Fedora 27 on Active Directory or SAMBA 4
To join the Fedora Workstation to Active Directory or Samba 4 you need to pay attention to your network's DNS (Domain Name System). Usually, the first DNS server of a network is the IP address of the domain controller, and it is delivered by the DHCP (Dynamic Host Configuration Protocol) server. If your network environment uses static IP addresses, you must configure it manually on the Fedora Workstation.
To check the DNS configuration of your network, run the following command:
# nmcli device show
The output looks like this:
GENERAL.DEVICE: enp0s3
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 08:00:27:AA:5E:4F
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONECTION: enp0s3
GENERAL.CAMINHO CON: /org/freedesktop/NetworkManager/ActiveConnection/0
WIRED-PROPERTIES.CARRIER: active
IP4.ADDRESS[1]: 10.0.2.15/24
IP4.GATEWAY: 10.0.2.2
IP4.DNS[1]: 10.0.2.100 <<<< DOMAIN CONTROLLER IP ADDRESS
IP4.DNS[2]: 10.0.2.101
IP4.DNS[3]: 10.0.2.102
IP6.ADDRESS[1]: fe80::a84e:4e53:d696:ddc9/64
IP6.GATEWAY:
If the output doesn't show the DNS IP address information, you can add it manually through Network Configuration in the system settings or through the terminal. To do this through the terminal, run the following command and enter the information listed above:
# nmtui
Choose the option Edit a Connection and OK.
Fill in the nmtui IPv4 configuration according to your network environment. Another useful test is to ping the name of your domain.
# ping mylocaldomain.com
To join the Fedora Workstation to the domain, run the following command:
# realm join --user=Administrator mylocaldomain.com
Note: The user and domain are examples; at this point you need to use a user with rights to join Fedora to the domain controller. If you want to unjoin Fedora, use the following command:
# realm leave --user=Administrator mylocaldomain.com
Edit the file /etc/samba/smb.conf :
# vim /etc/samba/smb.conf
Add the following lines to the file:
[global]
realm = mylocaldomain.com
workgroup = mylocaldomain
dns forwarder = 10.0.2.100
security = ADS
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
idmap config *:range = 50000-1000000
idmap config * : backend = tdb
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr
Save the changes (in vim, press ESC and type :wq!).
To enable cached logins you need to configure SSSD (System Security Services Daemon). To do this, edit the file /etc/sssd/sssd.conf:
# vim /etc/sssd/sssd.conf
The main lines that we need to change are:
use_fully_qualified_names = False
fallback_homedir = /home/%[email protected]
The SSSD file looks like this:
[sssd]
domains = mylocaldomain.com
config_file_version = 2
services = nss, pam
[domain/mylocaldomain.com]
ad_domain = mylocaldomain.com
krb5_realm = mylocaldomain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%[email protected]
access_provider = ad
Enable user authentication through SSH with Active Directory (SAMBA 4) Fedora 27
To configure SSH for remote authentication of the domain users, you need to edit the file /etc/ssh/sshd_config:
# vim /etc/ssh/sshd_config
At the end of the file include the following lines:
AllowGroups wheel domain^admins domain admins domain?admins
UsePAM yes
You can configure the groups as you wish (e.g. it_support).
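What the AllowGroups line above admits, as an added example that is not part of the original article: sshd_config(5) describes the list as group name patterns separated by spaces, where ? matches exactly one character, so this script reports which token lets each group in. The function names and sample groups are constructed, and shell case matching stands in for sshd's own pattern matcher.

```shell
#!/bin/sh
# Added example: approximate how an AllowGroups line is evaluated.
# Assumption: only the '*' and '?' wildcards are exercised; shell 'case'
# also treats [...] specially, which sshd patterns do not.

# Print the first pattern on LINE that admits GROUP, or return 1.
allowgroups_hit() {
    line=$1 group=$2
    set -f                        # keep '?' and '*' literal while splitting
    for pat in $line; do          # the list is split on whitespace
        case $pat in AllowGroups) continue ;; esac
        case $group in
            $pat) set +f; printf '%s\n' "$pat"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Constructed sample: group names a joined workstation might resolve.
SAMPLE_GROUPS='wheel
domain admins
domain users
admins
domain'

# Report, for every sample group, whether LINE lets its members log in.
audit_allowgroups() {
    printf '%s\n' "$SAMPLE_GROUPS" | while IFS= read -r g; do
        if hit=$(allowgroups_hit "$1" "$g"); then
            printf 'ALLOW "%s" via %s\n' "$g" "$hit"
        else
            printf 'DENY  "%s"\n' "$g"
        fi
    done
}

echo '--- line from the article'
audit_allowgroups 'AllowGroups wheel domain^admins domain admins domain?admins'
echo '--- only the wildcard form'
audit_allowgroups 'AllowGroups wheel domain?admins'
```

With the article's line, groups literally named domain or admins are admitted by the two bare tokens; the second line admits only wheel and "domain admins" among the samples.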
Sudoers Users and Active Directory (SAMBA 4) Fedora 27
To make domain users members of sudoers, edit the file /etc/sudoers:
# vim /etc/sudoers
Add the following lines:
%domain\ admins ALL=(ALL) ALL
[username] ALL=(ALL) ALL
Fill in the second line with the domain users who need administrative rights (e.g. johnwoo ALL=(ALL) ALL). The % prefix marks a group, as in the first line, so a rule for a single user is written without it.
User login box in the Fedora 27 system session
When we work with Fedora 27 in a domain, we encounter an authentication problem when performing activities that require administrative rights in the graphical environment (GNOME). When you try to install an application through the Software tool, an authentication box is displayed for root or Administrator user authentication. The image below illustrates this issue:
To display the user's username in the authentication box, create the file 51.fedora-admin.conf in the directory /etc/polkit-1/localauthority.conf.d/:
# touch /etc/polkit-1/localauthority.conf.d/51.fedora-admin.conf
# vim /etc/polkit-1/localauthority.conf.d/51.fedora-admin.conf
Add the following lines to the file:
[Configuration]
AdminIdentities=unix-group:admin;unix-group:Domain Admins;unix-user:0
After this configuration, all users of your network will be able to authenticate with their own username and password to perform activities that need special rights. Only users in the sudoers file can perform activities that need special rights.
The authentication of users not listed in the sudoers file will fail.
The productivity tools available on Fedora 27 are awesome, starting with office tools like LibreOffice or Microsoft Office, which can be installed through PlayOnLinux, and which can meet business needs. OCR (Optical Character Recognition) is available in Gscan2pdf, gImageReader and also in Master PDF, which is the best tool for handling PDF files that I know.
Among communication tools, Fedora 27 has a lot of resources: Skype, Empathy, Thunderbird, Facebook, Telegram, Twitter, Gnome Gmail, Ekiga Softphone, etc. are available.
If you work in some area of IT, Fedora is a Swiss Army knife. There are a lot of tools for working at a high level with networking (GNS3, Wireshark), software development (Eclipse, NetBeans), end-user support environments (RDP and VNC clients), testing, media creation, web design, etc.
By the way, features and productivity can be increased through GNOME Extensions, which integrate the GNOME environment with many services and installed applications; they can be found at https://extensions.gnome.org.