CentOS7 Desktop Client?

I will integrate the wheel group into the HowTo, the integration in the AD would be very cool…


Licenses are still necessary for running virtualized Windows.

I recently used only Xubuntu as client environment. Has anyone had some experience with OpenSUSE or Debian?

# Open a terminal and become root:
sudo su

# Add extra Repositories

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

# Yum update:
yum clean all && rm -rf /var/cache/yum && yum -y update

# Install some packages:
yum -y install nano realmd oddjob oddjob-mkhomedir sssd adcli samba-common samba-common-tools krb5-workstation \
openldap-clients policycoreutils-python policycoreutils-gui pam_mount authconfig-gtk

# Get your DNS domain name from:
Configuration > Accounts provider > DNS domain name

# Join CentOS-Desktop to AD domain
realm join --user=administrator ad.example.org

# Check realm:
realm list

# Change and add in /etc/sssd/sssd.conf:
use_fully_qualified_names = False
fallback_homedir = /home/%u

override_homedir = /home/%u
override_shell = /bin/bash

# Restart sssd:
systemctl restart sssd

# Add sudoers permission:
usermod -aG wheel admin
usermod -aG wheel administrator

# Reboot the CentOS7 Desktop

# GUI logon with AD-User:
user: <your-AD-user>
pass: <your-admin-password>

--------------- optional ---------------

## Install remote-desktop server
yum -y install xrdp tigervnc-server
systemctl start xrdp
netstat -antup | grep xrdp
systemctl enable xrdp

# setup firewall
firewall-cmd --permanent --add-port=3389/tcp
firewall-cmd --reload

# setup selinux
chcon --type=bin_t /usr/sbin/xrdp
chcon --type=bin_t /usr/sbin/xrdp-sesman

## Install remote-desktop client
# Quote the glob so the shell passes it to yum unexpanded
yum install remmina 'remmina-plugins-*'

--------------- optional ---------------

Followed your HowTo on Fedora from "# Install some packages:" (obviously used dnf instead of yum) until "# Restart sssd:" with success; thanks!
(Although one nasty quirk: authentication of the screensaver does not work for me.)

Instead of locally adding admin and administrator to the wheel group, I made a wheel group on my Nethserver (wheel@example.org) and added the domain admins group (domain admins@example.org) to it as a member, and a regular user (i.e. john@example.org) as well.

On the domain client, (only) the users added to the wheel@example.org group (i.e. admin, administrator and john) have sudo rights :grinning:

@iglqut Hi Thomas,
Once you said you have joined the domain with a suse client. Can you help @pike?

Still testing, this HowTo of @fausp worked for me on Debian 9 Xfce

Install Suse ( https://de.opensuse.org/Portal:42.3 to download ). I use the Gnome version.
After the install, search for "domain windows" in the Dash; there will be an opportunity to connect to a Windows domain. Put in your credentials, then there will be an installation of further software, please accept. I think after a restart, using "other user" at login, you should be able to log in to your domain using "yourdomain\user".
See also: https://freecastleit.wordpress.com/2016/12/21/howto-join-an-opensuse-leap-42-2-client-to-an-existing-windows-activedirectory-ussing-sssd-authentication/
What we also did to have all the data on the server: mounting the home directory directly at the user's home on NS, which is absolutely great. All files and settings are stored directly on the server and are therefore also backed up with the normal backup procedure; only the network connection must be guaranteed. Done on every client, it makes roaming unnecessary. See also: Roaming profiles in ns7 Active Directory
We had trouble using our Java-based medical documentation software on Gnome, so we changed to / additionally installed the KDE desktop.
Hope that works.


Debian 9, Suse


I’m running 4 OpenSUSE right now, mostly for testing, but one on my laptop;

But you could also make an edgy CentOS by using the latest kernel with elrepo;
then making snapshots with snapper by using https://copr.fedorainfracloud.org/coprs/andybe/Centos7Btrfs/packages/

As I mentioned in another post, the biggest advantage of OpenSUSE is being a rolling version, and after that, snapper.

I also have a VM running Nethserver on btrfs with the latest kernel and snapper;
Let’s say; for now everything works fine.


Hi JOduMonT, do you mean the hypervisor or the NS runs on btrfs?
I guess the hypervisor, which one do you use?

The KVM hypervisor is an OpenSUSE Tumbleweed, which uses btrfs
The VM is based on CentOS/Nethserver, which also runs on btrfs

oh! in case you ask
simply install CentOS as usual but choose btrfs as filesystem
then initiate snapper

  1. install the repo
  2. install the software + the plugin for yum: yum install -y snapper yum-plugin-snapper
  3. create the config for your root: snapper -c root create-config /

enjoy and use at your own risk :wink:

and also

Oh, very nice! I have to investigate this solution… :grin:

Tried it but without luck, did you do something else?

[admin@ap002 ~]$ groups
domain users domain admins denied rodc password replication group wheel

[admin@ap002 ~]$ sudo su
[sudo] Passwort für admin: 
admin ist nicht in der sudoers-Datei. Dieser Vorfall wird gemeldet.

I was able to get sudo rights with the edit of /etc/sudoers:

%domain\ admins ALL=(ALL) NOPASSWD: ALL

But of course this is not the same as the wheel-group method…


No, no extra steps. Did it on Fedora, let me spin up a CentOS VM and report my findings.

OK, thank you, there is no hurry… :sunglasses:

Can confirm it does not work on CentOS out of the box.

Deduced that it comes down to differences between CentOS and Fedora in the configuration of nsswitch.
It worked as expected after boldly taking Fedora’s nsswitch.conf:

EDIT: removed nsswitch.conf

Did not find the smoking gun, i.e. which settings made it possible; just adding the missing sudoers: files to the CentOS default nsswitch.conf did not do the trick. Hence the bold move, which no one should do!, to take over the complete configuration.

Grzt Mark

EDIT: found “the smoking gun”

OK Mark, thank you for confirming this issue…

Found why the “AD wheel group” works on Fedora and not on CentOS. On CentOS, in /etc/nsswitch.conf:

missing entry sudoers: files
order of service calls for group matters: first call the sss and second the files service

# diff -aur /etc/nsswitch.conf.org /etc/nsswitch.conf
--- /etc/nsswitch.conf.org      2018-07-28 17:28:22.250547556 +0200
+++ /etc/nsswitch.conf  2018-07-28 18:10:23.657985095 +0200
@@ -32,7 +32,8 @@

passwd:     files sss
 shadow:     files sss
-group:      files sss
+group:      sss files
+sudoers:    files
 #initgroups: files sss

 #hosts:     db files nisplus nis dns
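
Review bot: the `group:      sss files` line makes SSSD answer group-name lookups before /etc/group, so a directory group called wheel now shadows the local wheel group, and whoever can change that AD group's membership gains root through the %wheel sudo rule on each client carrying this change. Consider leaving `group: files sss` and granting sudo to a distinctly named domain group through its own sudoers entry; if the reorder stays, add a comment in the file saying why, and check that local-only wheel members still get sudo. The commented `#initgroups: files sss` directly below keeps the old order and would diverge from `group` if someone later enables it. `sudoers:    files` itself looks fine, since it keeps sudo rules in local files.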

Very good, I will try it in the next days… Thank you :grinning:
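
The nsswitch.conf ordering effect found in this thread, as an added example that is not part of any post: it reports the lookup order for a database and which source ends up defining a group name such as wheel. The function names, the sample files and the GID in them are constructed for illustration; on a real client the directory file would be saved output of `getent -s sss group wheel`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): show which source answers a group-name
# lookup for a given nsswitch.conf. Paths are arguments so it runs on copies.

# nss_sources FILE DB: print the sources configured for DB, in lookup order.
# Commented-out entries such as "#initgroups:" never match; bracketed actions
# like [NOTFOUND=return] are dropped from the output.
nss_sources() {
    awk -v key="$2:" '$1 == key {
        $1 = ""; gsub(/\[[^]]*\]/, ""); $0 = $0; $1 = $1; print; exit
    }' "$1"
}

# group_winner FILE NAME LOCAL DIRECTORY: print the first source ("files" or
# "sss") that defines group NAME. LOCAL is a copy of /etc/group; DIRECTORY is
# saved output of `getent -s sss group NAME`.
group_winner() {
    for _src in $(nss_sources "$1" group); do
        case "$_src" in
            files) _db=$3 ;;
            sss)   _db=$4 ;;
            *)     continue ;;
        esac
        if grep -q "^$2:" "$_db"; then
            echo "$_src"
            return 0
        fi
    done
    echo "none"
}

# Constructed sample data: CentOS default order vs. the order from the diff.
demo=$(mktemp -d)
printf 'passwd: files sss\ngroup:  files sss\n#initgroups: files sss\n' > "$demo/centos.conf"
printf 'passwd: files sss\ngroup:  sss files\nsudoers: files\n' > "$demo/patched.conf"
printf 'root:x:0:\nwheel:x:10:localadmin\n' > "$demo/group.local"
printf 'wheel:*:1234501105:admin,administrator,john\n' > "$demo/group.sss"

for conf in centos patched; do
    printf '%s: group=[%s] sudoers=[%s] wheel resolved by: %s\n' "$conf" \
        "$(nss_sources "$demo/$conf.conf" group)" \
        "$(nss_sources "$demo/$conf.conf" sudoers)" \
        "$(group_winner "$demo/$conf.conf" wheel "$demo/group.local" "$demo/group.sss")"
done
```

When the result for wheel is `sss`, membership of the directory group decides who matches a `%wheel` sudo rule on that client, so changes to that group deserve the same review as edits to /etc/sudoers.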