Fedora 27 Corporate Workstation Installation

Linux, regardless of distribution, is the most widely used operating system in the world in server environments, and we can often see end users adopting it too. It is impossible to overlook the effort that Open Source community contributors have put into making Linux friendlier and more usable for non-Jedi users. This article was written with a focus on corporate end users and a corporate environment (SMB, small and medium business).

Contextualization

Fedora Linux is one of the best distros and can be considered really stable for end users in a production environment. The first release was in 2003 under the name Fedora Core 1; it was based on Red Hat Linux, on which it is still based today.

I chose to write this article about Fedora because it has given a good experience and good results in a real production environment, for both advanced and beginner users, with a lot of corporate variables, purposes, and activities.

The environment of this article consists of joining a Fedora Workstation to a Domain Controller, which can be Samba 4 or Microsoft Active Directory, and setting up the authentication process for domain users and domain admins on the workstation, locally or remotely through SSH.

This article also mentions some proprietary software for Linux; we must consider that in a real environment a lot of resources are necessary, according to each business's needs.

Disclaimer

This article was written with a focus on end users, and I cannot guarantee that all settings will work in your environment, but I can try to answer any related questions. Security is another important subject, but this article does not cover it.

Resources 

There are several ways to install Fedora. For test purposes I recommend using a virtual machine; you can use VirtualBox or any other virtualization environment you prefer, or you can use a physical computer. The prerequisites for the Fedora installation are a 1GHz or faster processor, 1GB of system memory, and 10GB of unallocated drive space. To complete the configuration you need a domain controller; I recommend Samba 4, but you can use Microsoft Active Directory.

Installing Fedora 27

To download Fedora 27 you can use the direct link (http://fedora.c3sl.ufpr.br/linux/releases/27/Workstation/x86_64/iso/) or choose the best mirror for you at https://getfedora.org/. After the download, you can burn a DVD or create a bootable pen drive from the ISO file. I usually use Etcher for this task; you can find this open source software at https://etcher.io/.

At the first screen choose the option Start Fedora-Workstation-Live 27.

Select the option Install to Hard Drive to start the installation.

Choose your language and the keyboard layout of your computer.

Choose the option Installation Destination, select the hard drive that you want to install to if you have more than one, mark the option Automatically configure partitioning and press Done.

Choose the option Begin Installation.

Set up the root password; you don't need to create a user now. A local user will be created later for management purposes. Remember, this computer will be joined to a domain, and all users from your network will be able to authenticate on this computer.

Remember, always use a strong password.

When the installation is complete, press the Quit button.

Eject the ISO or DVD and reboot your computer. The basic installation is done.

After the reboot, the system will log in automatically and you can do the additional setup.

The first screens cover the basic configuration; at first login, every user is able to define their own Fedora settings.

Choose the language.

Choose the keyboard layout.

Turn on the location services if you need them.

Choose the time zone.

For additional software, turn on the Proprietary Software Sources repositories.

Connect to the online third-party services Google, Nextcloud, Microsoft or Facebook.

Create a local user by filling in the form. As a piece of advice, working as the root user is not good practice. For this lab the name of the user is localuser.

Don't use the option Set Up Enterprise Login.

Use a strong password; administration rights will be given automatically to the new user.

The system is ready for use.

Select Start Using Fedora and log in with localuser to continue the configuration.

The first thing to do after login is to open the terminal and update the system. Run the following commands and type the password:

$ sudo su
# dnf update

Press y and then Enter. The first system update can be slow, so be patient. I usually reboot the system after the update is complete.

Install Additional Repositories and Packages on Fedora 27

To meet the purposes of this article, we need to install additional software repositories and third-party packages. The repositories needed are listed below; run the following commands to install them:

$ sudo su
# dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-27.noarch.rpm
# dnf install https://go.skype.com/skypeforlinux-64.rpm

The commands below configure the Google repository:

# rpm --import https://dl.google.com/linux/linux_signing_key.pub
# printf '%s\n' '[google-chrome]' 'name=google-chrome' 'baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64' 'enabled=1' 'gpgcheck=1' 'gpgkey=https://dl.google.com/linux/linux_signing_key.pub' >/etc/yum.repos.d/google-chrome.repo

After configuring the repositories, run the command:

# dnf update

Now we install the list of packages needed for this Fedora setup; I will show an easy way to install them all below. In this list you can see some additional packages that improve the user experience, besides the system packages that extend Fedora's features and will be used to join Fedora 27 to the network domain.

samba
realmd
sssd
oddjob
oddjob-mkhomedir
adcli
samba-common-tools
krb5-workstation
openldap-clients
policycoreutils-python
samba-winbind-clients
samba-winbind
gnome-tweak-tool.noarch
java-openjdk
icedtea-web
unzip
thunderbird.x86_64
gimp
vim
gnome-music.x86_64
gnome-photos
p7zip
vlc
curl
cabextract
xorg-x11-font-utils
fontconfig
https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
gscan2pdf.noarch
system-config-printer
tesseract.x86_64
tesseract-langpack-enm.noarch
libreoffice-langpack-en.x86_64
brasero.x86_64
nautilus-extensions.x86_64
brasero-nautilus.x86_64
nautilus-sendto.x86_64
nautilus-font-manager.noarch
gnome-terminal-nautilus.x86_64
nautilus-image-converter.x86_64
nautilus-search-tool.x86_64
sushi.x86_64
raw-thumbnailer.x86_64
Pinta.x86_64
dnf-automatic
dconf-editor
NetworkManager

To install all the packages in an easy way, create a file with the list above (one package per line), and run:

# for i in $(cat package.txt); do dnf install -y "$i"; done

The installation can be slow, so be patient.

Enable Automatic Security Updates on Fedora 27

It is a best practice to enable automatic security updates for an operating system. They provide a lot of bug fixes and keep your system safer.

To apply only the security updates, edit the /etc/dnf/automatic.conf file with vim and change the following parameters (press Insert to edit):

# vim /etc/dnf/automatic.conf

The config file should look like the content below. Change the values of the upgrade_type and apply_updates lines as shown:

[commands]
#  What kind of upgrade to perform:
# default                         = all available upgrades
# security                        = only the security upgrades
upgrade_type = security
random_sleep = 300
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available.
# Note that if this is set to no, downloaded packages will be left in the
# cache regardless of the keepcache setting.
apply_updates = yes
[emitters]
# Name to use for this system in messages that are emitted.  Default is the
# hostname.
# system_name = my-host
# How to send messages.  Valid options are stdio, email and motd.  If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages.  If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via includes motd, /etc/motd file will have the messages.
# Default is email,stdio.
emit_via = stdio
[email]
# The address to send email messages from.
email_from = [email protected]
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to send email messages.
email_host = localhost
[base]
# This section overrides dnf.conf
# Use this to filter DNF core messages
debuglevel = 1

To save the changes in vim, press ESC, type :wq! and press Enter.

After changing the file, you need to enable the schedule of automatic security updates:

# systemctl enable dnf-automatic.timer
# systemctl start dnf-automatic.timer
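
A quick way to confirm the edit took effect, as an added example that is not part of the original article: the script reads the [commands] section and reports when upgrade_type or apply_updates differ from the values set above. The function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the two dnf-automatic settings changed in this section.

# ini_get FILE SECTION KEY -> print the last value assigned to KEY in [SECTION]
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); sect = $0; next }
        sect == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_automatic_conf FILE -> 0 only if security updates are selected and applied
check_automatic_conf() {
    local file=$1 utype apply rc=0
    utype=$(ini_get "$file" commands upgrade_type)
    apply=$(ini_get "$file" commands apply_updates | tr 'A-Z' 'a-z')
    if [ "$utype" != "security" ]; then
        echo "upgrade_type is '${utype:-unset}', expected 'security'"
        rc=1
    fi
    case "$apply" in
        yes|true|on|1) ;;
        *) echo "apply_updates is '${apply:-unset}': updates will not be installed automatically"
           rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample; on the workstation pass /etc/dnf/automatic.conf instead.
sample=$(mktemp)
printf '%s\n' '[commands]' '# upgrade_type = default' 'upgrade_type = security' \
    'download_updates = yes' 'apply_updates = yes' '[emitters]' 'emit_via = stdio' >"$sample"
check_automatic_conf "$sample" && echo "OK: security updates are applied automatically"
rm -f "$sample"
```

On the workstation, systemctl is-enabled dnf-automatic.timer confirms the timer side of the setup.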

Change Computer name on Fedora 27

To change the computer hostname run the following commands (choose the hostname that you want; I used Workstation-Fedora27):

$ sudo su
# hostnamectl set-hostname --pretty Workstation-Fedora27
# hostnamectl set-hostname --transient Workstation-Fedora27
# hostnamectl set-hostname --static Workstation-Fedora27

To verify the changes go to Settings and press Details.

You can also verify on the terminal by running the following command:

# hostname

The output must be the hostname, in this case, Workstation-Fedora27.

Disable SELinux (Security-Enhanced Linux) on Fedora 27

SELinux stands for Security-Enhanced Linux; it is a security feature of the Linux kernel. To keep this article friendlier, I do not cover the setup of SELinux; I disabled it because I ran into problems joining the computer to the domain with SELinux enabled. By the way, if you want to know more about security and SELinux, you can find good articles explaining this subject. To disable SELinux, run the command:

# vim /etc/sysconfig/selinux

Change the value enforcing to disabled, save the file and reboot your computer.

Join Fedora 27 on Active Directory or SAMBA 4

To join the Fedora Workstation to Active Directory or Samba 4 you need to pay attention to your network DNS (Domain Name System). Usually, the first DNS server of a network is the IP address of the Domain Controller, and it is delivered by the DHCP (Dynamic Host Configuration Protocol) server. If your network environment uses static IP addresses, you must configure it manually on the Fedora Workstation.

To check the DNS configuration of your network run the following command:

# nmcli device show

The output looks like this:

GENERAL.DEVICE:                    enp0s3
GENERAL.TYPE:                        ethernet
GENERAL.HWADDR:                 08:00:27:AA:5E:4F
GENERAL.MTU:                         1500
GENERAL.STATE:                      100 (connected)
GENERAL.CONECTION:           enp0s3
GENERAL.CAMINHO CON:                    /org/freedesktop/NetworkManager/ActiveConnection/0
WIRED-PROPERTIES.CARRIER:              active
IP4.ADDRESS[1]:                        10.0.2.15/24
IP4.GATEWAY:                            10.0.2.2
IP4.DNS[1]:                             10.0.2.100 <<<< DOMAIN CONTROLLER IP ADDRESS
IP4.DNS[2]:                             10.0.2.101
IP4.DNS[3]:                             10.0.2.102
IP6.ADDRESS[1]:                        fe80::a84e:4e53:d696:ddc9/64
IP6.GATEWAY:   

If the output doesn't show the DNS IP address information, you can add it manually through Network Configuration in System Settings or through the terminal. To do this through the terminal, run the following command and enter the information listed above:

# nmtui

Choose the option Edit a Connection and OK.

Fill in the nmtui IPv4 Configuration according to your network environment. Another useful test is to ping the name of your domain.

# ping mylocaldomain.com

To join the Fedora Workstation to the domain, run the following command:

# realm join --user=Administrator mylocaldomain.com

Note: The user and domain are examples; at this point you need to use a user with rights to join Fedora to the domain controller. If you want to unjoin Fedora, use the following command:

# realm leave --user=Administrator mylocaldomain.com

Edit the file /etc/samba/smb.conf:

# vim /etc/samba/smb.conf

Add the following lines to the file:

[global]
realm = mylocaldomain.com
workgroup = mylocaldomain
dns forwarder = 10.0.2.100
security = ADS
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
idmap config *:range = 50000-1000000
idmap config * : backend = tdb
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr

Save the changes (in vim press ESC and type “:wq!”).

To enable cached logins you need to configure SSSD (System Security Services Daemon). To do this, edit the file /etc/sssd/sssd.conf.

# vim /etc/sssd/sssd.conf

The main lines that we need to change are:

use_fully_qualified_names = False
fallback_homedir = /home/%u@%d

The SSSD file looks like this:

[sssd]
domains = mylocaldomain.com
config_file_version = 2
services = nss, pam
[domain/mylocaldomain.com]
ad_domain = mylocaldomain.com
krb5_realm = mylocaldomain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
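
The SSSD shipped with Fedora 27 will not start unless sssd.conf is owned by root with mode 0600, and it reads the domains line only from the [sssd] section. The following check is an added example, not part of the original article; the function names and the sample file are constructed, and it uses GNU stat as found on Fedora.

```bash
#!/usr/bin/env bash
# Added example: structural and permission checks for an sssd.conf.

# sssd_domains FILE -> print each name from "domains =" inside the [sssd] section
sssd_domains() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && $1 ~ /^[ \t]*domains[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2)
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }
    ' "$1"
}

# check_sssd_conf FILE -> 0 if the file is private and every domain has a section
check_sssd_conf() {
    local file=$1 rc=0 mode domains d
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600 (fix: chmod 600 $file)"
        rc=1
    fi
    domains=$(sssd_domains "$file")
    if [ -z "$domains" ]; then
        echo "no 'domains =' line found under an [sssd] header"
        rc=1
    fi
    for d in $domains; do
        grep -Fqx "[domain/$d]" "$file" || {
            echo "domains lists '$d' but there is no [domain/$d] section"
            rc=1
        }
    done
    return "$rc"
}

# Constructed sample using this article's domain name; on the workstation
# run check_sssd_conf /etc/sssd/sssd.conf as root.
sample=$(mktemp)    # mktemp creates the file with mode 600
printf '%s\n' '[sssd]' 'domains = mylocaldomain.com' 'config_file_version = 2' \
    'services = nss, pam' '[domain/mylocaldomain.com]' 'id_provider = ad' \
    'cache_credentials = True' >"$sample"
check_sssd_conf "$sample" && echo "OK: sssd.conf layout and mode look sane"
rm -f "$sample"
```

After correcting anything it reports, restart the service with systemctl restart sssd.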

Enable user authentication through SSH with Active Directory (SAMBA 4) Fedora 27

To configure SSH for remote authentication of domain users, you need to edit the file /etc/ssh/sshd_config:

# vim /etc/ssh/sshd_config

At the end of the file include the following lines:

AllowGroups wheel domain^admins domain admins domain?admins
UsePAM yes

You can configure the groups however you wish (e.g. it_support).
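
AllowGroups takes a space-separated list of patterns, so domain admins is read as two patterns and domain?admins matches any single character in place of the space. The following added example, which is not part of the original article, shows which group names such a line admits; the function names and the sample group names are constructed, and shell glob matching is used as a stand-in for sshd's own pattern matching.

```bash
#!/usr/bin/env bash
# Added example: see which group names an AllowGroups line admits.

# allowgroups_patterns FILE -> print the patterns of the first AllowGroups line
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# group_allowed FILE GROUP -> 0 if GROUP matches one of the patterns.
# Shell glob matching stands in for sshd's pattern matching (assumption:
# equivalent for patterns built only from literals, "?" and "*").
group_allowed() (
    allowgroups_patterns "$1" | {
        while IFS= read -r pat; do
            # $pat is deliberately unquoted so "?" and "*" act as wildcards
            case "$2" in
                $pat) exit 0 ;;
            esac
        done
        exit 1
    }
)

# report FILE GROUP... -> print one "allowed"/"denied" line per group name
report() {
    local file=$1 g
    shift
    for g in "$@"; do
        if group_allowed "$file" "$g"; then
            printf 'allowed  %s\n' "$g"
        else
            printf 'denied   %s\n' "$g"
        fi
    done
}

# Constructed sample containing the two lines from this section.
sample=$(mktemp)
printf '%s\n' 'AllowGroups wheel domain^admins domain admins domain?admins' \
    'UsePAM yes' >"$sample"
report "$sample" 'wheel' 'domain admins' 'domain users' 'admins' 'domain-admins'
rm -f "$sample"
```

On the workstation, sshd -t validates the edited file and sshd -T prints the settings the daemon will actually use.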

Sudoers Users and Active Directory (SAMBA 4) Fedora 27

To make domain users members of sudoers, edit the file /etc/sudoers:

# vim /etc/sudoers

Add the following lines:

%domain\ admins ALL=(ALL)    ALL
%[username] ALL=(ALL)    ALL

In the second line, fill in the domain users who need administrative rights (e.g. %johnwoo ALL=(ALL)    ALL).

User login box in the Fedora 27 system session

When we work with Fedora 27 in a domain, we encounter an authentication problem when performing activities that require administrative rights in the graphical environment (Gnome). When you try to install an application through the "Software" tool, an authentication box is displayed asking for root or Administrator user authentication.

To display the user's own username in the authentication box, create the file 51.fedora-admin.conf in the directory /etc/polkit-1/localauthority.conf.d/:

# touch /etc/polkit-1/localauthority.conf.d/51.fedora-admin.conf
# vim /etc/polkit-1/localauthority.conf.d/51.fedora-admin.conf

Add the following lines to the file:

[Configuration]
AdminIdentities=unix-group:admin;unix-group:Domain Admins;unix-user:0

After this configuration, all users of your network will be able to log in with their own username and password to execute activities that need special rights. Only users in the sudoers file can execute activities that need special rights.

The authentication of users not listed in the sudoers file will fail.

Tools for productivity on Fedora 27

The productivity tools available on Fedora 27 are awesome. There are office tools like LibreOffice, or Microsoft Office, which can be installed through PlayOnLinux, and they can meet business needs. OCR (Optical Character Recognition) is available in Gscan2pdf and GimageReader, and also in Master PDF, which is the best tool for handling PDF files that I know of.

Among communication tools, Fedora 27 has a lot of resources: Skype, Empathy, Thunderbird, Facebook, Telegram, Twitter, Gnome Gmail, Ekiga Softphone, etc. are available.

If you work in some area of IT, Fedora is a Swiss Army Knife. There are a lot of tools to work at a high level with networking (GNS3, Wireshark), software development (Eclipse, Netbeans), end-user support environments (RDP and VNC clients), tests, media creation, web design, etc.

By the way, all these features and your productivity can be increased through the use of Gnome Extensions, which integrate the Gnome environment with a lot of services and installed applications; they can be found at https://extensions.gnome.org.


Comments

By: Scott Dowdle at: 2018-06-08 22:11:44

Why turn off SELinux?

I'd also recommend using newer install media from the Fedora Respin SIG so you won't have such a ton of updates post-install.

Why not use Fedora 28, it came out over a month ago... Fedora 27 will only have about 5-6 more months of updates (1 month after Fedora 29 comes out).

For giving users sudo access, I'd recommend adding them to the wheel group rather than adding them to the sudo config.

By: All at: 2018-06-11 20:20:43

Nice advices!