So my Windows work PC is connected to the company’s AD. VPN Connection is done with L2TP with PAP and a Yubikey.
I’d like to work from within a Linux environment if possible but need access to the files on the network drive and connect to a terminal server via VPN and RDP.
Is there a way to set this up? My first idea was, maybe a Linux VM could be configured to share the host PC’s external network adapter so from the outside it looks like the Windows machine is connected?
If there’s no other way, maybe WSL can be set up with a full screen X Server running on Windows (or is running Wayland in WSL somehow possible?)
I’m fishing for ideas here, and really just need some fitting terms to google, any help is appreciated.
Questions about violating company policy can be disregarded at the moment. If there is a way to set it up, I’ll ask my boss before implementing it, but it’s a small shop so the need hasn’t arisen for anyone else yet. To be clear, this is not about circumventing restrictions on computer use, just about working in an environment I’m more productive in.
Yes.
First you will need to get the VPN up (or be in the office, in the same network to be able to join the AD domain.
Then you need to join the AD domain using realmd. This will join the computer to the AD domain like any regular windows PC. It will set up the Kerberos client, DNS and everything for you (this part is done in sssd).
Once joined you should be able to access the network shares with SMB.
RedHat and deriviates have good support for this. So I would recommend Fedora Workstation, CentOS Stream or RHEL Desktop to set this up in.
You don’t need to join the domain to access that smb share… You have to use the DOMAIN\username when authenticating though.
Sure, that works too.
But based on OP it seemed to me that the larger intent is to get a Linux workstation set up in an AD environment. He wants to show to his boss it can be done, and this is the most integrated way.
Fair enough. I just read it like “I need to access a smb share from a Linux machine” :)
Windows 11 has GUI capable WSL, that would be your easiest option. Alternatively, I’ve run an X11 server on Windows 10 and that works as well, though it lacks hardware acceleration. This will probably be the easiest solution.
A fully native AD connection should be possible (especially if it’s locally hosted rather than part of some cloud solution). L2TP and PAP work on Linux for sure (Strongswan does this, I think). VPN and RDP too (Reminna). Yubikey support for the VPN should work through PKCS11 but you may need to activate the VPN from the command line. Samba can connect to many Windows shares but if your network is set up securely (i.e. no old NTLM shit, no SMBv1, possibly no SMBv2) that may require a bit of tweaking to get right.
Getting any kind of integrated package out of this will be a challenge. I’m sure a bunch of scripting and maybe a few hooks here and there should be able to make things work relatively painlessly, but it’ll require some work.
It’s possible though nog strictly requires to join the domain from Linux, but I’m not sure what limitations there are on that.
Make sure to also read up on disk encryption possibilities (your company may want to make sure the drive is safe) and maybe consider using the TPM or even the Yubikey to enhance the disk protection to more than just your password. Of course you also need to store a backup key on some secure location. If they’re hesitant and you can answer their questions, knowing what is and isn’t possible helps.
If you’re using a modern laptop, don’t rely on the fingerprint reader,especially in Linux. Fingerprint readers as a whole are full of design flaws, but none that I know of use any kind of secure protocol with Linux.
Also consider antivirus. Yes, I know many Linux people believe they’re too smart for antivirus and that the execute bit makes Linux the only virus resistant operating system in the universe, but Linux machines do get infected, Linux viruses do exist, and companies do care about those. If your company is using an enterprise virus system (one that collects and monitors threads across the network) you may be restricted by the lack of Linux support. There are a bunch of enterprise virus scanners that’ll run fine on Linux, though.
If you hook up a Linux machine to a company network, you’ll want to have at least ClamAV running in the background, but that’s not the best AV out there. Check if the AV your company uses has a Linux equivalent, it may restrict distro choice.
Firewalls aren’t that difficult (though you need to watch out with Docker and other tools that add extra chains to nftables). There are plenty of open source firewalls and all of them are fine. I think UFW will suffice, but firewalld may be required for some more complex firewall management. Both have GUIs for you to use, of course.
If you use WSL, you can easily access the windows drives. In a VM, you can share the folder from the host.
Another method would be to just mount the remote smb location from your DC using
fstab. I use Linux on bare metal, and I added a line to my remote share withnoauto, so it doesn’t mount it automatically at boot, since I need to connect to the VPN first, and I don’t need permanent access. When I do need access, I just runmount admand I’m in.My understanding is that there are modules you can install to AD join a linux machine, i don’t know much about it unfortunatly because it’s not something i’ve ever had to do. I’m also unclear whether there is a different process per distro type.
I would speak to your company IT about it tbh.
I think you can mount network shares with the Kerberos token you got from AD. Sometimes just the user credentials suffice. At least that’s how it used to be when I last tried something like that years ago.
I guess WSL is best way, but I think you’ll only be able to have the Linux windows like windows windows in the taskbar of windows and launch them with windows
