I will integrate the wheel group into the HowTo; the integration in the AD would be very cool…
For running virtualized Windows, licenses are still necessary.
I recently used only Xubuntu as Client Environment. Has someone had some experience with OpenSUSE or Debian?
# Open a Terminal become root:
sudo su
# Add extra Repositories
# EPEL
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# NUX
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
# Yum update:
yum clean all && rm -rf /var/cache/yum && yum -y update
# Install some packages:
yum -y install nano realmd oddjob oddjob-mkhomedir sssd adcli samba-common samba-common-tools krb5-workstation \
openldap-clients policycoreutils-python policycoreutils-gui pam_mount authconfig-gtk
# Get your DNS domain name from:
Configuration > Accounts provider > DNS domain name
# Join CentOS-Desktop to AD domain
realm join --user=administrator ad.example.org
# Check realm:
realm list
# Change and add /etc/sssd/sssd.conf:
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_homedir = /home/%u
override_shell = /bin/bash
# Restart sssd:
systemctl restart sssd
# Add sudoers permission:
usermod -aG wheel admin
usermod -aG wheel administrator
# Reboot the CentOS7 Desktop
reboot
# GUI logon with AD-User:
user: <your-AD-user>
pass: <your-admin-password>
--------------- optional ---------------
## Install remote-desktop server
yum -y install xrdp tigervnc-server
systemctl start xrdp
netstat -antup | grep xrdp
systemctl enable xrdp
# setup firewall
firewall-cmd --permanent --add-port=3389/tcp
firewall-cmd --reload
# setup selinux
chcon --type=bin_t /usr/sbin/xrdp
chcon --type=bin_t /usr/sbin/xrdp-sesman
## Install remote-desktop client
yum -y install remmina 'remmina-plugins-*'
--------------- optional ---------------
Followed your HowTo on a Fedora from "# Install some packages:"
(obviously used dnf instead of yum) until "# Restart sssd:"
with success; thanks!
(although one nasty quirk: authentication of the screensaver does not work for me.)
Instead of locally adding admin and administrator to the wheel group, I made a wheel group on my Nethserver (wheel@example.org) and added the domain admins group (domain admins@example.org) to it as a member, and a regular user (i.e. john@example.org) as well.
On the domain client (only) the users added to the wheel@example.org group (i.e. admin, administrator and john) have sudo rights.
Sure:
Install Suse ( https://de.opensuse.org/Portal:42.3 to download ); I use the Gnome version.
After install, search for "domain windows" in the Dash; there will be an opportunity to connect to a Windows Domain. Put in your credentials, then there will be an installation of further software; please accept. I think after a restart, using "other user" at login, you should be able to log in to your domain using "yourdomain\user".
see also: https://freecastleit.wordpress.com/2016/12/21/howto-join-an-opensuse-leap-42-2-client-to-an-existing-windows-activedirectory-ussing-sssd-authentication/
What we also did for having all the data on the server: mounting the home directory directly at the user's home on NS, which is absolutely great; all files and settings are directly stored at the server and therefore also backed up with the normal backup procedure; only the network connection must be guaranteed. Done on every client, this makes roaming unnecessary. See also Roaming profiles in ns7 Active Directory
We had trouble using our Java based medical documentation software on Gnome so we changed/ additionally installed the KDE Desktop.
Hope that works.
I’m running 4 OpenSuse right now, mostly for test, but one on my laptop;
But you could also make an edgy CentOS by using the latest kernel with elrepo;
then making snapshots with snapper by using https://copr.fedorainfracloud.org/coprs/andybe/Centos7Btrfs/packages/
As I mentioned in another post, the main advantage of OpenSUSE is that it is a rolling version, and after that snapper.
I also have a VM running Nethserver on btrfs with the last kernel and snapper;
Let’s say; for now everything works fine.
Hi JOduMonT, do you mean the hypervisor or the NS runs on btrfs?
I guess the hypervisor, which one do you use?
The KVM hypervisor is an OpenSUSE Tumbleweed which uses btrfs
The VM is based on CentOS/Nethserver which also runs on btrfs
oh! in case you ask
simply install CentOS as usual but choose btrfs as filesystem
then initiate snapper
- install the repo
- install the software + the plugin for yum:
yum install -y snapper yum-plugin-snapper
- create the config for your root
snapper -c root create-config /
enjoy and use at your own risk
and also
ref
Oh, very nice! I have to investigate this solution…
Tried it but without luck, did you do something else?
[admin@ap002 ~]$ groups
domain users domain admins denied rodc password replication group wheel
[admin@ap002 ~]$ sudo su
[sudo] Passwort für admin:
admin ist nicht in der sudoers-Datei. Dieser Vorfall wird gemeldet.
I was able to get sudo rights with the edit of /etc/sudoers:
%domain\ admins ALL=(ALL) NOPASSWD: ALL
But of course this is not the same as the wheel-group method…
No, no extra steps. Did it on fedora, let me spin up a centos vm and report my findings.
OK, thank you, there is no hurry…
Can confirm it does not work on Centos out of the box.
Deduced it to differences CentOS <> Fedora in the configuration of nsswitch.
It worked as expected after boldly taking fedora’s nsswitch.conf :
EDIT: removed nsswitch.conf
Did not find a smoking gun as to which settings made it possible; just adding the missing "sudoers: files"
to the CentOS default nsswitch.conf did not do the trick. Hence the bold move, which no one should do!, to take the complete configuration over.
Grzt Mark
EDIT: found “the smoking gun”
OK Mark, thank you for confirming this issue…
Found why the "ad wheel group" works on Fedora and not on CentOS; on CentOS in /etc/nsswitch.conf:
- missing entry "sudoers: files"
- the order of service calls for group matters: first call the sss service and second files
# diff -aur /etc/nsswitch.conf.org /etc/nsswitch.conf
--- /etc/nsswitch.conf.org 2018-07-28 17:28:22.250547556 +0200
+++ /etc/nsswitch.conf 2018-07-28 18:10:23.657985095 +0200
@@ -32,7 +32,8 @@
passwd: files sss
shadow: files sss
-group: files sss
+group: sss files
+sudoers: files
#initgroups: files sss
#hosts: db files nisplus nis dns
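Review bot: the reorder to `group: sss files` makes an AD group named `wheel` shadow the local `wheel` group (GID 10) in NSS lookups, so the stock `%wheel ALL=(ALL) ALL` rule in /etc/sudoers is now decided by AD group membership rather than by local /etc/group; after applying this, verify with `getent group wheel` and `id <user>` that only the intended AD members resolve, and keep in mind that `+sudoers: files` only tells sudo to read local sudoers sources (it does not pull sudo rules from AD, which would need `sss` on that line as well).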
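A small audit script, added here as an example and not part of the HowTo or of anyone's post in the thread: it checks the four sssd.conf settings the HowTo adds and the two nsswitch.conf points found above ("group: sss files" and a "sudoers: files" entry), and ships constructed sample files (not real system files) so it can be tried offline. File paths are passed as arguments; the `audit`, `nss_group_order_ok`, `nss_sudoers_files_ok` and `sssd_conf_ok` names are mine.

```shell
#!/bin/bash
# Audit helper for the "AD wheel group" sudo setup from this thread: checks the sssd.conf
# keys the HowTo sets and the nsswitch.conf ordering that turned out to matter on CentOS 7.
# Return 0 if the group line in the nsswitch.conf at $1 lists sss before files.
nss_group_order_ok() {
    local src i=0 sss_pos= files_pos=
    for src in $(grep -E '^[[:space:]]*group:' "$1" 2>/dev/null | head -n1 | cut -d: -f2); do
        i=$((i + 1))
        case "$src" in
            sss)   sss_pos=${sss_pos:-$i} ;;     # remember first position of each source
            files) files_pos=${files_pos:-$i} ;;
        esac
    done
    [ -n "$sss_pos" ] && [ -n "$files_pos" ] && [ "$sss_pos" -lt "$files_pos" ]
}
# Return 0 if the nsswitch.conf at $1 has an active "sudoers:" line that includes files.
nss_sudoers_files_ok() {
    grep -qE '^[[:space:]]*sudoers:.*[[:space:]]files([[:space:]]|$)' "$1" 2>/dev/null
}
# Return 0 if the sssd.conf at $1 sets every key the HowTo adds to the HowTo's value.
sssd_conf_ok() {
    local f=$1 key want got
    while IFS='=' read -r key want; do
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" 2>/dev/null | tail -n1)
        [ "$got" = "$want" ] || return 1       # last definition wins, must match exactly
    done <<'EOF'
use_fully_qualified_names=False
fallback_homedir=/home/%u
override_homedir=/home/%u
override_shell=/bin/bash
EOF
}
# Constructed sample (not a real system file) mirroring the thread's diff:
# $2 = "centos" for the stock ordering, "fixed" for the corrected one.
write_sample_nsswitch() {
    if [ "$2" = fixed ]; then
        printf 'passwd: files sss\nshadow: files sss\ngroup: sss files\nsudoers: files\n#initgroups: files sss\n' > "$1"
    else
        printf 'passwd: files sss\nshadow: files sss\ngroup: files sss\n#initgroups: files sss\n' > "$1"
    fi
}
# Usage: ./ad_sudo_audit.sh /etc/nsswitch.conf /etc/sssd/sssd.conf   (exit 1 on any FAIL)
audit() {
    local rc=0
    nss_group_order_ok "$1"   && echo "OK   group: sss before files"  || { echo "FAIL group order (want: group: sss files)"; rc=1; }
    nss_sudoers_files_ok "$1" && echo "OK   sudoers: files present"   || { echo "FAIL sudoers: files entry missing"; rc=1; }
    sssd_conf_ok "$2"         && echo "OK   sssd.conf matches HowTo"  || { echo "FAIL sssd.conf differs from HowTo"; rc=1; }
    return $rc
}
[ $# -eq 0 ] || audit "$@"
```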
Very good, I will try it in the next days… Thank you