These are my notes for standing up a CentOS 7 desktop in an enterprise environment.
Packages
Install the EPEL repository for a better experience:
sudo yum -y install epel-release
Desktop experience packages:
sudo yum -y install vlc libreoffice java gstreamer gstreamer1 gstreamer-ffmpeg gstreamer-plugins-good gstreamer-plugins-ugly gstreamer1-plugins-bad-freeworld gstreamer1-libav pidgin rhythmbox ffmpeg keepass xdotool ntfs-3g gvfs-fuse gvfs-smb fuse sshfs redshift-gtk stoken-gui stoken-cli
Additional packages that may come in handy
sudo yum -y install http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
sudo yum -y install libdvdcss gstreamer{,1}-plugins-ugly gstreamer-plugins-bad-nonfree gstreamer1-plugins-bad-freeworld libde265 x265
Enable ssh:
sudo systemctl enable sshd
sudo systemctl start sshd
Google Chrome
Paste into /etc/yum.repos.d/google-chrome.repo:
[google64]
name=Google - x86_64
baseurl=http://dl.google.com/linux/rpm/stable/x86_64
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
sudo yum -y install google-chrome-stable
Domain
It’s just easier to use PowerBroker Open from BeyondTrust:
sudo wget -O /etc/yum.repos.d/pbiso.repo http://repo.pbis.beyondtrust.com/yum/pbiso.repo
sudo yum -y install pbis-open
Cliff notes for joining the domain:
domainname=<your_domain_name>
domain_prefix=<your_domain_netbios_name>
domainaccount=<your_domain_admin_account>
sudo domainjoin-cli join $domainname $domainaccount
<enter password>
sudo /opt/pbis/bin/config UserDomainPrefix $domain_prefix
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
Add domain admins to sudo, escaping spaces with a backslash and replacing DOMAIN with your domain:
sudo visudo
%DOMAIN\\Domain\ Administrators ALL=(ALL) ALL
Reboot to make all changes go into effect.
Certificate
You might need to copy your domain’s CA certificate to your certificate trust store:
sudo cp <CA CERT FILENAME> /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
Drive mapping
I use a simple script that calls gvfs-mount to mount network drives. Change suffix to match your domain and the MOUNTS list to suit your needs.
#!/bin/bash
#Simple script to mount network drives on login
suffix=<DOMAIN_SUFFIX>
MOUNTS=(
server1$suffix/folder1
server2$suffix/folder2
server3$suffix/folder3
)
for i in "${MOUNTS[@]}"
do
gvfs-mount "smb://$i"
done
Configure GNOME to run it on startup:
Add the following to ~/.config/autostart/mount-drives.desktop, changing Exec= to the path of the script above.
[Desktop Entry]
Name=Mount network drives
GenericName=Mount network drives
Comment=Script to mount network drives
Exec=<location of mount script>
Terminal=false
Type=Application
X-GNOME-Autostart-enabled=true
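The script above mounts each share in turn and stops being useful as soon as one server is unreachable or a share is already mounted from a previous session. A slightly more defensive variant, added here as an example and not the script from the notes, skips shares gvfs already has mounted (by looking for the FUSE directory gvfs creates under /run/user/<uid>/gvfs, an assumed layout), carries on after a failure, logs every outcome, and lets the mount command be swapped out so the logic can be tried without a domain. The suffix `.example.internal`, the server and share names and the log path are constructed placeholders.

```shell
#!/bin/bash
# Added example (not the original mount script): mount a list of SMB shares at
# login, skip ones gvfs already has mounted, carry on after failures, and log
# each outcome.  Written in portable sh syntax; all names below are placeholders.

suffix="${DOMAIN_SUFFIX:-.example.internal}"          # constructed placeholder
LOG="${MOUNT_LOG:-$HOME/.cache/mount-drives.log}"
GVFS_DIR="${GVFS_DIR:-/run/user/$(id -u)/gvfs}"       # where gvfs exposes mounts via FUSE (assumed)
mkdir -p "$(dirname "$LOG")" 2>/dev/null

# One "server/share" entry per line; the suffix is appended to the server part.
SHARES="server1/folder1
server2/folder2
server3/folder3"

log() {
    printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG" 2>/dev/null || printf '%s\n' "$*" >&2
}

# smb_url server/share -> smb://server<suffix>/share ; fails on malformed entries
smb_url() {
    server="${1%%/*}"
    share="${1#*/}"
    [ -n "$server" ] && [ -n "$share" ] && [ "$server" != "$1" ] || return 1
    printf 'smb://%s%s/%s\n' "$server" "$suffix" "$share"
}

# gvfs exposes a mounted share as $GVFS_DIR/smb-share:server=HOST,share=NAME
# (assumed layout); only the share name, not a subfolder, takes part in the name.
already_mounted() {
    server="${1%%/*}$suffix"
    share="${1#*/}"
    share="${share%%/*}"
    [ -d "$GVFS_DIR/smb-share:server=$server,share=$share" ]
}

# mount_shares CMD: run CMD on every entry in SHARES; prints the number of
# entries that were malformed or failed to mount (0 = everything is up).
mount_shares() {
    cmd="$1"
    failed=0
    for entry in $SHARES; do
        if ! url=$(smb_url "$entry"); then
            log "skipping malformed entry: $entry"
            failed=$((failed + 1))
            continue
        fi
        if already_mounted "$entry"; then
            log "already mounted: $url"
            continue
        fi
        if "$cmd" "$url" >>"$LOG" 2>&1; then
            log "mounted: $url"
        else
            log "FAILED: $url"
            failed=$((failed + 1))
        fi
    done
    printf '%d\n' "$failed"
}

# When run from the autostart entry, use the real gvfs-mount if it is installed.
if command -v gvfs-mount >/dev/null 2>&1; then
    mount_shares gvfs-mount >/dev/null
else
    log "gvfs-mount not found; nothing mounted"
fi
```

Point the Exec= line of the .desktop entry at this file instead; the log under ~/.cache tells you which share failed when a drive is missing after login, which the original loop does not.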
Network Config
If you wish to set a static IP and configure your DNS suffix (search domain), run:
nm-connection-editor
The other GUI for network configuration doesn’t have an option for search domains for some reason.
Smartcard
sudo yum -y install opensc pcsc-tools pcsc-lite
Be sure to install the drivers for your particular card reader. Mine came from here and here.
After installing, you can test by starting pcscd and running pcsc_scan:
sudo systemctl start pcscd
pcsc_scan
VMware Horizon View
Smartcard support
There is a problem with how VMware View interacts with the OpenSC smartcard drivers shipped in popular Linux distributions such as CentOS and Ubuntu. View cannot load the drivers in the default configuration; therefore, to get VMware View working with smartcards, you need to manually patch and compile the OpenSC package (thanks to this site for the information needed to do so).
First, install the necessary development packages:
sudo yum -y groupinstall "Development Tools"
sudo yum -y install openssl-devel pcsc-lite-devel
Next, download and extract opensc-0.13.0 from SourceForge:
wget http://downloads.sourceforge.net/project/opensc/OpenSC/opensc-0.13.0/opensc-0.13.0.tar.gz
tar zxvf opensc-0.13.0.tar.gz
cd opensc-0.13.0
Now we have to patch two specific files in the source before compiling:
echo "--- ./src/pkcs11/opensc-pkcs11.exports
+++ ./src/pkcs11/opensc-pkcs11.exports
@@ -1 +1,3 @@
C_GetFunctionList
+C_Initialize
+C_Finalize
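Review bot: the context line `C_GetFunctionList` in this hunk has no leading space. In unified format every unchanged line starts with a space, and the header `@@ -1 +1,3 @@` only adds up (one old line, three new) if that line is counted as context, so without the space `patch` can reject the hunk as malformed. Write it as ` C_GetFunctionList` inside the echo string, or build opensc.patch from a quoted heredoc so the leading space is not lost when pasting.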
--- ./src/pkcs11/pkcs11-spy.exports
+++ ./src/pkcs11/pkcs11-spy.exports
@@ -1 +1,3 @@
C_GetFunctionList
+C_Initialize
+C_Finalize" > opensc.patch
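Review bot: same problem as the first hunk, the `C_GetFunctionList` line before the two `+` lines needs its leading space for `patch -p1` to apply it. Since both hunks sit in one `echo "..."` string, a stripped space breaks the whole patch at once; running `patch -p1 --dry-run -i opensc.patch` before the real apply shows whether both hunks are accepted.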
patch -p1 -i opensc.patch
Next, compile and install:
./bootstrap
./configure
make
sudo make install
Assuming there were no errors, you can now link the compiled driver into the location VMware View expects. Note: you must rename the library from opensc-pkcs11.so to libopensc-pkcs11.so for this to work (another lovely VMware bug).
sudo mkdir -p /usr/lib/vmware/view/pkcs11/
sudo ln -s /usr/local/lib/pkcs11/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so
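Before testing in View it is quicker to confirm that the installed module really exports the two extra entry points the patch adds (otherwise the rebuild silently installed the unpatched exports list) and that the renamed symlink resolves. The check below is an added example, not part of the page or of OpenSC; it uses the module and symlink paths from the steps above and takes the library to inspect as an argument.

```shell
#!/bin/bash
# Added example (not from the page or OpenSC): after `make install`, confirm the
# rebuilt module exports the PKCS#11 entry points the exports patch adds, and
# that the symlink Horizon View loads resolves to a readable file.

MODULE=/usr/local/lib/pkcs11/opensc-pkcs11.so
VIEW_LINK=/usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so

# List the defined, exported text symbols of a shared object.
exported_symbols() {
    nm -D --defined-only "$1" 2>/dev/null | awk '$2 == "T" { print $3 }'
}

# Succeed only when every required PKCS#11 entry point is exported; names the
# missing ones on stderr otherwise.
check_pkcs11_exports() {
    lib="$1"
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 1; }
    syms=$(exported_symbols "$lib")
    missing=""
    for sym in C_GetFunctionList C_Initialize C_Finalize; do
        printf '%s\n' "$syms" | grep -qx "$sym" || missing="$missing $sym"
    done
    if [ -n "$missing" ]; then
        echo "$lib is missing:$missing (exports patch not applied, or the build was not installed)" >&2
        return 1
    fi
    return 0
}

# Confirm the symlink View opens points at a readable file.
check_view_link() {
    link="${1:-$VIEW_LINK}"
    target=$(readlink -f "$link") && [ -r "$target" ]
}

# Stand-alone use: run both checks against the default locations.
if check_pkcs11_exports "$MODULE" && check_view_link; then
    echo "PKCS#11 module looks usable for View"
fi
```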
Lync
Install the pidgin-sipe plugin as detailed here:
sudo yum -y install pidgin pidgin-sipe
Choose “Office Communicator” as the protocol. Enter your e-mail address for the username, then go to the Advanced tab and check “Use single sign-on.”
On first run all contact names were missing. Per here, simply close and restart the application.
GNOME 3
Disable audible bell
Taken from here
Disable audible bell and enable visual bell with:
gsettings set org.gnome.desktop.wm.preferences audible-bell false
gsettings set org.gnome.desktop.wm.preferences visual-bell true
and change the type of the visual bell if you don’t need the fullscreen flash:
gsettings set org.gnome.desktop.wm.preferences visual-bell-type frame-flash
Extensions
If you can find your extension via yum it tends to work better than installing it from the GNOME extensions site. If you do use the site, make sure you pick the build that matches your shell version:
gnome-shell --version
sudo yum -y install gnome-shell-extension-top-icons gnome-shell-extension-dash-to-dock
Other useful extensions:
BackSlide, Multi Monitors Add-On, No Topleft Hot Corner, Drop Down Terminal, Media Player Indicator, Focus My Window, Workspace Indicator, Native Window Placement, OpenWeather, Panel OSD, Dash to Dock, GPaste
RSA
If you have the misfortune of being in an environment that uses RSA SecurID for two-factor authentication, here is the official guide.
Necessary packages to be installed:
sudo yum -y install selinux-policy-devel policycoreutils-devel
- Download and extract the PAM agent, then cd into the extracted directory:
tar -xvf PAM-Agent*.tar
- Create the /var/ace directory and place the necessary files inside. Create sdopts.rec and add the IP address of the desktop:
mkdir /var/ace
cp sdconf.rec /var/ace
vi /var/ace/sdopts.rec
CLIENT_IP=<IP ADDRESS OF DESKTOP>
- Run the install_pam script and specify UDP authentication:
./install_pam.sh
- Modify /etc/pam.d/password-auth to add the RSA authentication agent. Insert the pam_securid.so line above the existing pam_lsass.so smartcard_prompt try_first_pass line, then comment out that pam_lsass.so smartcard_prompt try_first_pass line. The relevant lines should then look like:
auth required pam_securid.so
auth required pam_env.so
auth sufficient pam_lsass.so
- Add new system in RSA console: Access / Authentication Agents / Add new
- Test to make sure everything works:
/opt/pam/bin/64bit/acetest
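The password-auth edit in the PAM step is the one part of this procedure that is easy to get wrong by hand on a batch of desktops (a misplaced line locks everyone out). The helper below, an added example that is not from the page or the RSA guide, does that edit in a repeatable way: it inserts the pam_securid.so line above the pam_lsass.so smartcard_prompt line that PBIS writes at the top of the auth stack, comments that line out, keeps a timestamped backup, and refuses to run twice. The file path is an argument so it can be tried on a copy before touching /etc/pam.d; the sample stack in the usage below is constructed.

```shell
#!/bin/bash
# Added example (not from the page or the RSA guide): make the password-auth
# edit from the PAM step scriptable and idempotent.  Assumes the PBIS line to
# replace is the "auth ... pam_lsass.so smartcard_prompt try_first_pass" line.

# add_securid_to_pam [FILE]   (default: /etc/pam.d/password-auth)
add_securid_to_pam() {
    f="${1:-/etc/pam.d/password-auth}"
    if grep -Eq '^auth[[:space:]].*pam_securid\.so' "$f"; then
        echo "pam_securid.so is already in $f; nothing to do" >&2
        return 2
    fi
    if ! grep -Eq '^auth[[:space:]].*pam_lsass\.so.*smartcard_prompt' "$f"; then
        echo "no 'pam_lsass.so ... smartcard_prompt' auth line in $f; is PBIS installed?" >&2
        return 1
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Rewrite into a temp file, then copy the content back so the original
    # file keeps its inode, owner, mode and SELinux context.
    awk '
        /^auth[[:space:]].*pam_lsass\.so.*smartcard_prompt/ && !done {
            print "auth        required      pam_securid.so"
            print "#" $0
            done = 1
            next
        }
        { print }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Show the active auth lines of a PAM file for a quick eyeball check.
auth_stack() {
    grep -E '^auth[[:space:]]' "${1:-/etc/pam.d/password-auth}"
}
```

Try it on a copy first: `cp /etc/pam.d/password-auth /tmp/pa && add_securid_to_pam /tmp/pa && auth_stack /tmp/pa`, and keep a root shell open while testing the real file so a bad stack can be reverted from the .bak copy.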