Is it possible to use Linux Desktop in a Windows infrastructure?

Hello everyone! Questions about how to prepare a Linux distribution for joining Active Directory, and for integration with various other Windows servers, have been raised on Habr repeatedly. At the same time, no article has yet asked whether it is worth doing this at all, and whether the final result will justify the time and effort spent.

Why did this question arise? I was asked to configure Linux for guys who are tired of the updates and the gluttony of Windows 10 (especially when it is loaded with GPO policies). In addition, one of the indisputable advantages of Linux (even its ardent opponents recognize it) is that it is open and free. This is also a significant argument.

A regular user in an average company uses the computer for Word and Excel, a browser, and in rare cases some remote application, for example via RDP. An unusual user, such as a programmer, can without much difficulty ask the admins to find the required IDE, Jenkins, git, and whatever else programmers need. As for messengers, whose absence on Linux is the subject of complaints in the next article, Linux has them in every possible abundance: Skype, Viber, ICQ, even a client blocked in the Russian Federation are all available on their official sites, are perfectly supported, and are identical in UI to the clients designed for Windows.

So you look at the users' requirements for the system, compare them with the capabilities of Linux, and think: the advantages are solid, and the savings are clearly visible. Why, then, are there any objections to such a beautiful idea as moving a user from Windows to Linux? Just bad habits?

I am not an advanced user of open operating systems at all, but I want to share the minimal practical experience I gained when moving users from Windows to Linux.

I sincerely hope that experienced Habr users will point out where my actions could be improved and where, perhaps, they should be redone.

After all, it may well be that I do not see pitfalls that are known to older and more experienced comrades; I will be sincerely grateful if an ordinary user points such problems out to me. I sincerely hope that the information I present is reproducible.

Preparing a local repository


Linux (at least Ubuntu), like Windows, fully supports network and local installation. This step could be skipped, since Linux also installs perfectly well from the Internet. But given that installing the system is a task that repeats often, we will try to automate it, and to avoid unnecessary problems with an external repository we do not control, we will prepare a virtual machine with a local repository holding the system installation files, the answer file, all the software we need, and future updates.

Installation files and all additional software, for the LTS version of Ubuntu 20.04 Focal Fossa, occupy approximately 80 GB.

As the OS for the virtual machine I used Ubuntu Server 20.04. This is a stable release that will be fully supported until 2025.

After the installation is completed, set a human-friendly name for our computer:

sudo nano /etc/hostname
# put the new host name into this file (the old one is replaced)

Install the package for repository cloning:

sudo apt install apt-mirror

sudo nano /etc/apt/mirror.list
# edit the mirror configuration as shown below

/etc/apt/mirror.list


############# config ##################
set base_path    /repo  
set mirror_path  $base_path/mirror
set skel_path    $base_path/skel
set var_path     $base_path/var
set cleanscript $var_path/clean.sh
set postmirror_script $var_path/postmirror.sh
set run_postmirror 0
set limit_rate 2000000
set nthreads   20
set _tilde 0
############# end config ##############
#------------------------------------------------------------------------------#
#                            OFFICIAL UBUNTU REPOS                               #
#------------------------------------------------------------------------------#
###### Ubuntu Main Repos
# 20.04 (focal) mirroring; main/debian-installer must be listed explicitly, see below
deb http://archive.ubuntu.com/ubuntu focal main main/debian-installer restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main main/debian-installer restricted universe multiverse
# focal-proposed holds pre-release updates; mirror it only if clients are meant to test them
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-security main main/debian-installer restricted universe multiverse

clean http://archive.ubuntu.com/ubuntu

#------------------------------------------------------------------------------#
#                           UNOFFICIAL UBUNTU REPOS                            #
#------------------------------------------------------------------------------#
###### 3rd Party Binary Repos
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main

I want to note that this configuration shows how to control the number of threads and the download speed when cloning a repository, and also demonstrates cloning external repositories that do not belong to Canonical, for example Google Chrome.

It is also noteworthy that, in the configuration, the main/debian-installer branch has to be listed explicitly, even though it is a child of the main branch. This was not obvious to me, I did not find it written anywhere before, and at first I could not understand what was going on.

sudo apt-mirror
# start mirroring (takes a long time; downloads >= 80 GB)

You need to run the sudo apt-mirror command, for example weekly, to update our repository, which is the "server" from which the client computers update.

An example of setting up automatic repository updates with the update log recorded:

sudo nano /etc/crontab
30 02     * * 0   admin      /usr/bin/apt-mirror > /path/to/your.log
# every Sunday at 02:30, run as the user "admin"
# other schedules: https://crontab.guru/examples.html
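The clients will trust whatever this mirror serves, so it is worth checking the result of each apt-mirror run before pointing them at it. The following script is an added example, not from the article: it verifies that the mirrored index files of a suite match the SHA256 sums in that suite's Release file and that the Release file carries a valid Ubuntu archive signature. It assumes the mirror path produced by the mirror.list above (/repo/mirror/archive.ubuntu.com/ubuntu) and the standard keyring path on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a suite mirrored by
# apt-mirror. Assumption: base_path /repo from mirror.list above.
MIRROR=/repo/mirror/archive.ubuntu.com/ubuntu

# verify_release_hashes DIST_DIR
# DIST_DIR is e.g. $MIRROR/dists/focal and must contain a Release file.
# The SHA256 section of Release lists "<sha256> <size> <path>" per index file;
# we feed "<sha256>  <path>" to sha256sum. Files apt-mirror did not fetch
# (other architectures, components not mirrored) are skipped; every file
# that is present must match, otherwise the function returns non-zero.
verify_release_hashes() {
    dist="$1"
    [ -f "$dist/Release" ] || { echo "no Release file in $dist" >&2; return 2; }
    awk '/^SHA256:/ {insec=1; next}
         /^[A-Za-z]/ {insec=0}
         insec && NF==3 {print $1 "  " $3}' "$dist/Release" |
        (cd "$dist" && sha256sum --check --quiet --ignore-missing -)
}

# verify_signature DIST_DIR
# Release.gpg is a detached signature over Release; gpgv with the Ubuntu
# archive keyring rejects a tampered or foreign Release file.
verify_signature() {
    dist="$1"
    gpgv --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg \
         "$dist/Release.gpg" "$dist/Release"
}

# Usage after each apt-mirror run, for every suite listed in mirror.list:
#   for s in focal focal-updates focal-security focal-backports; do
#       verify_signature "$MIRROR/dists/$s" && verify_release_hashes "$MIRROR/dists/$s" \
#           || echo "mirror check FAILED for $s" >&2
#   done
```

The checks can be appended to the cron job above so that a failed run is visible in the log before the clients pick up the update.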

Installing a web server (for distributing files to our future clients)


sudo apt install apache2
sudo ln -s /repo/mirror/archive.ubuntu.com/ /var/www/html/ubuntu
# (publish the mirror under /ubuntu on the web server)
sudo systemctl restart apache2
# (restart the web server)

To verify that everything turned out as planned, open our IP address in a browser. We should see the repository files.

Install tftpd to install Ubuntu over the network


sudo apt install tftpd-hpa  
sudo nano /etc/default/tftpd-hpa 


# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"   
TFTP_DIRECTORY="/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure -l -v -m /etc/tftpd.remap"


# contents of /etc/tftpd.remap (convert backslashes in requested paths to slashes)
rg \\ /

sudo mkdir /tftpboot
# (create the TFTP root directory)
sudo chmod -R 755 /tftpboot
cd /tftpboot


# download syslinux
wget https://www.kernel.org/pub/linux/utils/boot/syslinux/4.xx/syslinux-4.07.tar.gz 

Unpack it and recursively copy all the .c32 library files found in syslinux into /tftpboot in any way convenient for you, and also create the pxelinux.cfg folder and the linux folder in /tftpboot.

/tftpboot/pxelinux.cfg will contain the bootloader menu (a file named default):

default

ui vesamenu.c32
ALLOWOPTIONS 0 
PROMPT 0
menu title Microsoft SCCM Enterprise Endpoint :-)
MENU WIDTH 77
MENU MARGIN 10
MENU PASSWORDMARGIN 3
MENU ROWS 12
MENU TABMSGROW 18
MENU CMDLINEROW 18
MENU ENDROW 24
MENU PASSWORDROW 11
MENU TIMEOUTROW 60
NOESCAPE 0
MENU COLOR SCREEN 44;30 #00FFFFFF #00000000
MENU COLOR BORDER 44;30 #FFFFFFFF #FF000000
MENU COLOR TITLE 1;44;30 #FFFFFFFF #FF000000
MENU COLOR SCROLLBAR 44;30
MENU COLOR HOTKEY 44;30 #FFFFFF00 #FF000000
MENU COLOR UNSEL 44;30 #FFFFFFFF #FF000000
MENU COLOR HOTSEL 1;30 #FFFFFFFF #FF333333
MENU COLOR SEL 7;44;30 #FFFFFF00 #FF333333
MENU COLOR CMDMARK 44;30
MENU COLOR CMDLINE 44;30
MENU COLOR TABMSG 44;30
MENU COLOR DISABLED 44;30
MENU COLOR HELP 44;30
MENU COLOR PWDBORDER 44;30 #FF187CCA #FFFFFFFF
MENU COLOR PWDHEADER 1;44;30 #FF187CCA #FFFFFFFF
MENU COLOR PWDENTRY 5;44;30 #FF187CCA #FFFFFFFF
TIMEOUT 120
LABEL HDD
MENU LABEL Boot from first HDD
KERNEL chain.c32
APPEND hd0 0
ENDTEXT
LABEL TEST
MENU LABEL Install Ubuntu 20.04
KERNEL linux/linux
IPAPPEND 1
APPEND initrd=linux/initrd.gz url=http://server.local/preseed/ubuntu2.cfg auto=true priority=critical debian-installer/locale=en_US keyboard-configuration/layoutcode=us languagechooser/language-name=en_US countrychooser/shortlist=US localechooser/supported-locales multiselect en_US splash noprompt noshell ---
ENDTEXT


The following files should be located in /tftpboot/linux:

the ubuntu2.cfg answer file, the initrd.gz loader, and the linux kernel file

Below is an example of a preseed file (answer file).

It can be extended endlessly, but with the proposed configuration the system installs fully automatically without a single keystroke. (True, I must admit that the user and his password are set in the answer file, so the system will be installed with that password.)

ubuntu2.cfg

https://github.com/drumit/ubuntu_config/blob/master/ubuntu2.cfg

The kernel and bootloader were obtained from this address:

archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/20101020ubuntu614/legacy-images/netboot/ubuntu-installer/amd64

The answer file allows you to automatically select the system language and the installation language, set the required partitioning and formatting of the disk, and even set the password hashes for the bootloader and the local administrator (at installation time the only user on the PC).

With DHCP pre-configured (options 66 and 67, giving the IP address of the tftp server and the boot file), after booting and selecting the line "Install Ubuntu 20.04" everything else is done without our intervention. (The system installs in about 25-30 minutes.)

After entering the login and password, in the vast majority of cases the system will be completely ready to work with documents, pictures, audio and video files and the Internet, without any difficulties.

Installation takes about 25-30 minutes and runs completely automatically. This is enough for the average user.

But we are talking about Ubuntu in a corporate environment, which means we will talk about integration with Active Directory, Exchange, DFS, etc. Maybe somewhere along the way of setting up interaction with these services there will be problems? Maybe something above is already done wrong at this stage? In the next part of the article I will write about my way of integrating a Linux system into a corporate Windows infrastructure.

To manage and configure remote computers, we need to install the Ansible configuration management system on the "server" with the repository.

Install and configure Ansible (for auto setup and administration of Ubuntu)


sudo apt install ansible
sudo nano /etc/ansible/hosts
# inventory file: one line per client computer, by hostname if it resolves,
# otherwise by IP address

After filling out the inventory file, we must connect the client machine to the server:

ssh-keygen
# create a private/public key pair on the server
cd /home/localadm/.ssh/
ssh-copy-id localadm@192.168.*.*
# copy the public key to the client computer (substitute the client's IP address)

To verify that the settings are correct, enter the command:

ansible all -m ping

If we see a response from the client PC, our settings are correct.

After successfully checking the settings, run the script that installs and removes the necessary packages and joins the PC to the domain.

Roles are usually created in Ansible to control the behavior of a computer, but since our task is trivial (install, uninstall, configure, and join an Ubuntu computer to the domain), we will use a simple script (a playbook, in Ansible terminology).

Before running the playbook, it is extremely important to encrypt the login and password used to join the computer to the domain; ideally this should be a service account, and it should be encrypted with ansible-vault.

ansible-vault encrypt playbook3.yaml
# (you will be asked for a vault password)

To run the script after bringing it to working form:

1. ansible-playbook playbook3.yaml --ask-vault-pass
2.      
3.    

When the script runs, the computer must be restarted several times. After the client reboots, run the script again manually from the server; it will continue execution from the point where it stopped (after checking through the previous steps). The script, together with the reboots, takes no more than 10 minutes.

Here is the script:

playbook3.yaml

https://github.com/drumit/ubuntu_config/blob/master/playbook3.yaml


The Ansible script refers to several additional templates configuring Kerberos, SSSD, Samba and some other important files:

krb5.conf.j2

https://github.com/drumit/ubuntu_config/commits/master/krb5.conf

sssd.conf.j2

https://github.com/drumit/ubuntu_config/blob/master/sssd.conf.j2


samba.conf.j2

https://github.com/drumit/ubuntu_config/blob/master/samba.conf.j2


nsswitch.conf.j2
https://github.com/drumit/ubuntu_config/blob/master/nsswitch.conf.j2


common-auth.j2

https://github.com/drumit/ubuntu_config/blob/master/common-auth.j2

common-account.j2

https://github.com/drumit/ubuntu_config/blob/master/common-account.j2

common-password.j2

https://github.com/drumit/ubuntu_config/blob/master/common-password.j2

common-session.j2

https://github.com/drumit/ubuntu_config/blob/master/common-session.j2

common-session-noninteractive.j2

https://github.com/drumit/ubuntu_config/blob/master/common-session-noninteractive.j2


PS I missed the opportunity to write above about the wonderful Evolution product which, together with the evolution-ews plug-in, successfully interacts via the EWS protocol with the Exchange server, "giving" not only mail but also working perfectly with the calendar.

Separately, I note that all the settings mentioned above are done once. After that, fully installing and configuring a system takes no more than 1 hour.

So why is Linux bad, and is it suitable for the average user? And for the user in a corporate environment?
