Hardware #
Bluefin will run on almost anything, but if you plan to use it for enterprise work you should heed the System Requirements. We used AMD ThinkBooks. Cover every bullet point in the All Users section to make sure you have all your bases covered. There is no need to read further; we cover the rest here.
Bluefin Bootable USB #
- Navigate to the Try Out section on the bluefin website
- Select x86_64 for Architecture
- Select Amd | Intel for GPU
- Select Bluefin GTS for update cadence
- Click Download the ISO
- If you’re on Windows, use Rufus to create a bootable USB.
- If you’re on macOS, use Etcher.
- If you’re on Linux, download Impression and follow the GUI instructions.
Update BIOS Settings #
On the laptop that will have Bluefin installed on it:
- Insert the bootable Bluefin USB
- Enter the BIOS. This is typically done by repeatedly pressing F2 or DEL at startup, but it varies from machine to machine.
- Turn off secure boot and fast boot.
- The location of these settings in the BIOS UI varies from machine to machine; you may have to consult the manufacturer’s documentation to find them. Typically they are under the Boot or Security sections.
- Go to the boot hierarchy and drag the bootable USB all the way to the top.
- If there is an option to boot directly from USB, choose that.
- Click Save and Exit
Install Bluefin #
- Select Install Bluefin
- Follow the instructions until you get to installation summary
- Go to Time and Date under Localization and set it to Chicago, return to main menu
- Click “Installation Destination” under System
- Select the target hard drive if it isn’t already selected and then press done
- If it asks you whether to delete or keep pre-existing partitions, select delete all
- Click Begin installation
- Once it’s finished click reboot/restart
- When booted into the new system you’ll see a pop-up that walks you through setting up the machine.
- Skip Wi-Fi configuration
- Select your desired privacy preferences
- Enable third-party repositories
- Create a local account
- Complete Installation
- Re-enable secure boot in the BIOS
- Reboot
Configure Realm #
Kerberos #
Create a Kerberos configuration file at /etc/krb5.conf and fill it with the following:
[libdefaults]
default_realm = <REALM_DOMAIN_IN_ALL_CAPS>
dns_lookup_realm = true
dns_lookup_kdc = true
NTP #
Add the IP of your NTP (Network Time Protocol) server with echo "NTP=<NTP IP>" >> /etc/systemd/timesyncd.conf (the NTP= key must fall under the file’s [Time] section) and then run the following:
timedatectl set-ntp true
systemctl restart systemd-timesyncd.service
timedatectl --adjust-system-clock
Realmd #
Create /etc/realmd.conf and add:
[users]
default-home = /home/%U@%D
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Bluefin Workstation
os-version = <Version_Number>
[service]
automatic-install = no
[<domain_name_in_lower_case>]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes
Hosts #
Add the IP of any on-premises servers you want to access to /etc/hosts:
<Server IP> <Alias>
<Server IP2> <Alias2>
...
PAM #
Create the home directory on first login using pam_mkhomedir, with the optional control flag so that a failure to create it does not block the login:
echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
Hostname #
- Open the Ublue menu in the top left corner of the screen.
- Click About my System
- Edit Device Name to the desired name
Alternatively you can use sudo hostnamectl set-hostname <new-hostname>
Join Realm #
Now you can join the machine to the realm:
realm join --verbose --user=<admin user> <domain_in_lower_case>
SSSD #
Add the following line to the end of /etc/sssd/sssd.conf. This resolves a possible bug where users are unable to log in to a domain account while connected to the internet.
ad_gpo_ignore_unreadable = True
Sudoers #
Create a file in /etc/sudoers.d/ listing all the users that should have sudo permissions:
echo 'user_name@domain_lower_case ALL=(ALL:ALL) ALL' | sudo tee /etc/sudoers.d/<file_name>
Save and exit then restart the machine.
Creating SMB Credentials #
Storing these credentials allows network shares to be automounted for the user account. Create a file named .smbcredentials in the home folder and add the following lines:
USERNAME=<USERNAME@lower_case_domain_name>
PASSWORD=<PASSWORD>
Make sure that only root may access this file:
sudo chown root .smbcredentials
sudo chmod 600 .smbcredentials
Reboot the machine.
systemctl reboot
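As an added example (not part of this guide or of Bluefin), the following POSIX shell functions render the realm-specific parts of krb5.conf and realmd.conf from one domain name, refuse to write a sudoers entry that is not in the user@domain form that fully-qualified-names = yes requires, and check that a credentials file has the root-owned, mode 600 state the SMB step above asks for. The domain corp.example.com, the user alice and the --demo flag are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: render the realm-specific
# configuration from a single domain name and check the two invariants the
# guide relies on (fully-qualified sudoers users, locked-down credentials file).
# Domain names and user names below are constructed placeholders.

# Render /etc/krb5.conf; the realm is the domain in upper case.
render_krb5_conf() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  printf '[libdefaults]\ndefault_realm = %s\n' "$realm"
  printf 'dns_lookup_realm = true\ndns_lookup_kdc = true\n'
}

# Render the per-domain section of /etc/realmd.conf; the header is lower case.
render_realmd_domain() {
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '[%s]\nfully-qualified-names = yes\nautomatic-id-mapping = no\n' "$domain"
  printf 'user-principal = yes\nmanage-system = yes\n'
}

# With fully-qualified-names = yes, a domain user is only recognised as
# user@domain, so refuse to write a bare username into sudoers.d.
valid_sudoers_user() {
  case "$1" in
    *@*.*) return 0 ;;
    *)     return 1 ;;
  esac
}

render_sudoers_line() {
  valid_sudoers_user "$1" || return 1
  printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Succeeds only if FILE exists, is mode 600 and is owned by OWNER (default
# root), i.e. the state the guide requires for ~/.smbcredentials. Linux stat.
check_cred_perms() {
  f="$1"; want_owner="${2:-root}"
  [ -f "$f" ] || return 1
  [ "$(stat -c '%a' "$f")" = "600" ] || return 1
  [ "$(stat -c '%U' "$f")" = "$want_owner" ]
}

# Stand-alone run: print the rendered snippets for the placeholder domain.
if [ "${1:-}" = "--demo" ]; then
  render_krb5_conf corp.example.com
  render_realmd_domain corp.example.com
  render_sudoers_line alice@corp.example.com
fi
```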