Intranet/Intranet Reference Build Ubuntu

This page documents the OS and initial configuration that is used and tested against within this series of articles. The focus is on a system that will work in the vast majority of corporate environments that use Active Directory and have a robust security policy. One of the design goals of this article is to cover the sort of issues faced by a corporate sysadmin who would rather get on and use MediaWiki than research how to secure and integrate it.

All of these steps have been tested on a real system. The following table shows when it was last tested.

The commands shown do not have sudo preceding them. Either put sudo on the front of each command shown with a # prompt, or run "sudo -i" first to get an interactive shell as root. Ubuntu has the nano and vi editors installed by default; either use one of those or install another one early on in the process.

Hardware
See screenshot

Initial Installation

 * Ubuntu 18.04 (Bionic) LTS minimal https://help.ubuntu.com/community/Installation/MinimalCD
 * Static IP address
 * Guided partitioning with LVM; start with at least 30GB of disk space
 * The initial Unix username should not match any username in Active Directory. local-sysadmin might make a good choice.
 * Add only the OpenSSH server role

Internet access via a web proxy
If web access must go via a proxy, then when prompted during the installation enter a proxy URL in one of the forms below. EXAMPLE is the domain name and %5C is the URL encoding of "\". The port number after the colon ":" is likely to be either 8080 or 3128. proxyuser and proxypassword should be set accordingly.
 * NTLM authentication
 * Basic authentication

This will set up APT to always use the proxy. After installation, see /etc/apt/apt.conf, where the proxy setting is enabled.
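The proxy URL forms above have one recurring failure mode: a backslash, "@", "#" or space in the domain-qualified user or the password breaks the URL unless it is percent-encoded. The following is an added example, not the page's own commands, that builds the NTLM (DOMAIN%5Cuser) and Basic (plain user) forms from their parts and writes the APT proxy setting; the host proxy.example.co.uk, the ports and the credentials are assumed placeholders, and the APT file path is a parameter so it can be tried against a scratch file first.

```shell
#!/bin/sh
# Added example (not from the original page): build an authenticated proxy URL
# safely and write it to an apt.conf drop-in. Host, port, user and password are
# assumed placeholder values. Characters outside the URL "unreserved" set are
# percent-encoded, so "\" becomes %5C exactly as in the text. ASCII input only.

# urlencode STRING: percent-encode every character outside A-Za-z0-9._~-
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"          # first character of the remaining string
        s="${s#?}"                 # drop it
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" gives the character's code
        esac
    done
    printf '%s' "$out"
}

# proxy_url HOST PORT USER PASSWORD [DOMAIN]
# With DOMAIN the user part becomes DOMAIN%5CUSER (the NTLM form the text shows);
# without it, the plain USER (Basic authentication).
proxy_url() {
    host="$1"; port="$2"
    user="$(urlencode "$3")"; pass="$(urlencode "$4")"
    if [ -n "$5" ]; then
        user="$(urlencode "$5")%5C$user"
    fi
    printf 'http://%s:%s@%s:%s/' "$user" "$pass" "$host" "$port"
}

# write_apt_proxy FILE URL: the setting the installer puts into /etc/apt/apt.conf
# (a file under /etc/apt/apt.conf.d/ works too). The proxy password ends up in
# clear text here, so keep the file root-owned and out of backups you share.
write_apt_proxy() {
    printf 'Acquire::http::Proxy "%s";\nAcquire::https::Proxy "%s";\n' "$2" "$2" > "$1"
}

# Typical use (assumed values):
#   write_apt_proxy /etc/apt/apt.conf.d/01proxy \
#       "$(proxy_url proxy.example.co.uk 8080 proxyuser 'p@ssw0rd' EXAMPLE)"
```

Run `apt-get update` afterwards: a 407 from the proxy means the credentials or the encoding are wrong, not the URL syntax.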

VM Guest tools and ntp
Ensure that ntp is able to see enough time sources. You could use your AD DCs, for example, especially the one holding the PDC emulator role, since that is the authoritative time source for the domain.

For the reference /etc/ntp.conf, remove everything in the default file from the comment "# Specify one or more ..." up to the next comment block, which starts "# Access control". Then insert something like the following. These settings are suitable for an intranet with good communication speeds and will cause the clock to sync quite rapidly. "tinker panic 0" disables the panic threshold: by default ntpd refuses to correct an offset larger than 1000 seconds and exits instead, so with the threshold disabled a badly adrift local clock will still sync to the servers rather than ntpd declaring them insane.
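As an added example (not the page's own ntp.conf), the following renders the server block described above for a list of domain controllers and adds the check a sysadmin wants afterwards: parse `ntpq -pn` and report whether a system peer has been selected and how many sources are fully reachable. The DC names are assumed placeholders and the sample ntpq output is constructed.

```shell
#!/bin/sh
# Added example, not the page's own configuration. DC names are assumed.

# render_ntp_conf SERVER... : prints the lines that replace the default server list.
# "tinker panic 0" disables ntpd's 1000 s panic threshold; iburst and the short
# poll interval make the first synchronisation fast on a LAN.
render_ntp_conf() {
    printf 'tinker panic 0\n'
    for srv in "$@"; do
        printf 'server %s iburst minpoll 4 maxpoll 6\n' "$srv"
    done
}

# ntp_status: reads "ntpq -pn" output on stdin and prints "synced N" or
# "unsynced N", where N is the number of peers whose reach register is 377
# (last eight polls all answered). Exit status 0 only if a system peer
# (the line tagged '*') exists.   Use:  ntpq -pn | ntp_status
ntp_status() {
    awk '
        NR <= 2 { next }                         # column header and ==== line
        $7 == "377" { reachable++ }              # reach column
        substr($0, 1, 1) == "*" { syspeer = 1 }  # tally code: selected peer
        END {
            printf "%s %d\n", (syspeer ? "synced" : "unsynced"), reachable
            exit (syspeer ? 0 : 1)
        }
    '
}

# Constructed sample of "ntpq -pn" output: two good DCs, one never reached.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.10       .LOCL.           1 u   24   64  377    0.512   -0.123   0.045
+10.0.0.11       10.0.0.10        2 u   30   64  377    0.611    0.220   0.051
 10.0.0.12       .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample: nothing reachable yet (e.g. firewall blocks UDP 123).
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.0.10       .INIT.          16 u    -   64    0    0.000    0.000   0.000'
```

If `ntp_status` keeps reporting unsynced with reach 0, check outbound UDP 123 to the DCs and that the DCs themselves are synchronised (`w32tm /query /status` on the PDC emulator).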

The reference system also gets these (optional) packages.

System proxy settings
If you need proxy settings then set the standard variables (http_proxy, https_proxy and no_proxy) in /etc/environment, using the same settings as when installing the OS.

CA SSL certificate
This will be necessary to use LDAPS against a domain controller, for example, without having to disable certificate checks.
 * Export the AD CA certificate as Base 64 encoded. The file name must end in .crt; otherwise the name is unimportant.
 * You may be able to download a copy of the CA certificate by pointing a browser at https://ca.example.co.uk/certsrv if the CA's web enrolment service has been installed.
 * To find your CA you could try:
 * Another method to get the CA certificate. This will display the CA certificate and put it in a file called ca.crt:
 * Copy ca.crt to /usr/local/share/ca-certificates. You could simply copy the certificate text and paste it into a new file instead. The file must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
 * Run the following command. Also shown is a command to dump a list of all the CA certificates that the system trusts; the new one should be listed at the bottom.

Verify that you can connect to an AD domain controller's LDAP. Here we are connecting to the Global Catalogue over TLS (port 3269); you can also test against :636. There is a lot more output, but at the end will be an indication of whether the CA certificate is trusted or not. Press CTRL-C to close the connection.

This is an example of it not working, followed by the working case:
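The steps above, as an added example rather than the page's own commands: pull the CA certificate out of the DC's LDAPS handshake with `openssl s_client -showcerts`, keep only the last certificate of the chain, install it, and then test the chain the way the text describes, treating only "Verify return code: 0 (ok)" as success. dc1.example.co.uk and the file name ad-root-ca.crt are assumed; the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example, not the page's own commands. dc1.example.co.uk is assumed.

# last_pem_block: keeps only the last BEGIN/END CERTIFICATE block on stdin.
# A TLS server sends its own certificate first and the chain after it, so with
# "openssl s_client -showcerts" the last block is the highest certificate the DC
# offers, normally the enterprise root on a single-tier Windows CA. If the DC
# sends only its leaf you get the leaf instead, so check the result with
#   openssl x509 -in ca.crt -noout -subject -issuer
# and expect subject and issuer to be the same (a self-signed root).
last_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inside = 1 }
        inside { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ { inside = 0; last = block }
        END { printf "%s", last }
    '
}

# fetch_ca_cert DCHOST OUTFILE: global catalogue over TLS, port 3269 as in the text
fetch_ca_cert() {
    openssl s_client -showcerts -connect "$1:3269" </dev/null 2>/dev/null \
        | last_pem_block > "$2"
}

# verify_ok: exit 0 if the s_client output on stdin reports a verified chain.
# Any other return code (19 = self signed certificate in chain, 21 = unable to
# verify the first certificate, ...) means the CA is not trusted yet.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Install and re-test (run as root; not exercised here):
#   fetch_ca_cert dc1.example.co.uk /usr/local/share/ca-certificates/ad-root-ca.crt
#   update-ca-certificates                   # reports "1 added"
#   openssl s_client -connect dc1.example.co.uk:3269 </dev/null 2>/dev/null \
#       | verify_ok && echo "CA trusted"
#   awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' \
#       /etc/ssl/certs/ca-certificates.crt | tail -3    # the new CA is near the end

# Constructed sample of "-showcerts" output before the CA was installed.
SAMPLE_CHAIN='CONNECTED(00000003)
 0 s:CN = dc1.example.co.uk
-----BEGIN CERTIFICATE-----
MIIBleaf
-----END CERTIFICATE-----
 1 s:CN = EXAMPLE-CA
-----BEGIN CERTIFICATE-----
MIIBroot
-----END CERTIFICATE-----
Verify return code: 19 (self signed certificate in certificate chain)'
```

The pipe into `verify_ok` is the test the text describes at the end of the s_client output; the constructed sample shows the "not working" case, return code 19.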

Now is a good time to shut down the VM and take a snapshot.

AD integration - Samba
Install the software. acl will be used later in the build to make the system Kerberos keytab available to services as required. If prompted for a realm, type in the Active Directory domain name in CAPITALS, for example EXAMPLE.CO.UK.

By default, smbd and nmbd will be started. They are unnecessary for running a wiki, so unless you want them for file serving, stop them and then disable them.

Configure Samba by moving the default config file out of the way and creating a new /etc/samba/smb.conf. In the following reference config you must set your workgroup and realm (the AD domain), and the domain short name (NetBIOS name) in the idmap config lines. The rest of the example can be used without change. Note that the min protocol set here means that Windows XP machines, which only speak SMB1, will be unable to access this system as a file server.

Check that all is OK; this command should give sensible output.

Join the domain. "username" should be an AD user that has permission to create a computer object. DNS update errors are not fatal.

Restart winbind and verify that the domain can be accessed and that Kerberos is working.

Winbind and NSS
This makes AD users into Unix users.
 * Edit /etc/nsswitch.conf and add winbind to the passwd and group lines.
 * Verify that it is working.
 * Create /etc/security/pam_winbind.conf
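The Samba and Winbind/NSS steps above, as one added example that is not the page's own smb.conf: a function that renders a member-server smb.conf for a given workgroup and realm, an idempotent edit that adds winbind to nsswitch.conf, and a minimal pam_winbind.conf. EXAMPLE / EXAMPLE.CO.UK are assumed placeholders, the idmap ranges are an assumption (they only need to be distinct), and the check commands in the comments are listed rather than run.

```shell
#!/bin/sh
# Added example, not the page's own configuration. Names and ranges are assumed.

# render_smb_conf WORKGROUP REALM : a member server that does no file serving
render_smb_conf() {
    cat <<EOF
[global]
   workgroup = $1
   realm = $2
   security = ADS
   # machine credentials also go into /etc/krb5.keytab, where the HTTP
   # service principal is added later for Apache
   kerberos method = secrets and keytab
   # users appear as "jsmith", not "$1\\jsmith"
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = no
   winbind enum users = no
   winbind enum groups = no
   template shell = /bin/bash
   template homedir = /home/%U
   # deterministic RID-based uid/gid mapping for the domain; tdb for everything else
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $1 : backend = rid
   idmap config $1 : range = 10000-999999
   # no SMB1: Windows XP clients cannot reach this host as a file server
   server min protocol = SMB2
   client min protocol = SMB2
   load printers = no
EOF
}

# add_winbind_nss FILE: append " winbind" to the passwd and group lines of an
# nsswitch.conf unless it is already there. FILE is a parameter so the edit can
# be tried on a copy; use /etc/nsswitch.conf for real.
add_winbind_nss() {
    sed -e '/^passwd:/{/winbind/!s/$/ winbind/;}' \
        -e '/^group:/{/winbind/!s/$/ winbind/;}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# render_pam_winbind_conf: contents for /etc/security/pam_winbind.conf
render_pam_winbind_conf() {
    cat <<'EOF'
[global]
# obtain a Kerberos ticket at login and keep it in a file cache
krb5_auth = yes
krb5_ccache_type = FILE
# no cached credentials: this host is always on the corporate network
cached_login = no
# create /home/<user> on first login
mkhomedir = yes
EOF
}

# Bringing it up (run as root; not exercised here):
#   mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
#   render_smb_conf EXAMPLE EXAMPLE.CO.UK > /etc/samba/smb.conf
#   testparm -s >/dev/null                     # syntax check, prints the parsed config
#   systemctl disable --now smbd nmbd          # file serving not wanted
#   net ads join -U username                   # "DNS update failed" is not fatal
#   systemctl restart winbind
#   wbinfo -t && wbinfo -u | head              # trust secret OK, users listed
#   kinit someuser@EXAMPLE.CO.UK && klist      # Kerberos against the DCs works
#   add_winbind_nss /etc/nsswitch.conf && getent passwd someuser
#   render_pam_winbind_conf > /etc/security/pam_winbind.conf
```

`wbinfo -u` depends on `winbind enum users`; with it off as above, test individual users with `getent passwd someuser` and `id someuser` instead of expecting a full listing.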

sudo
With this configuration your initial Unix user can still log in at the console if AD is unavailable or networking is broken. sshd uses the "host" service principals, which should already be in the keytab, and because it runs as root it is able to read the keytab.
 * Create a group in AD for users that will be able to run sudo on this system and add some users to it. I call mine sysadmin. It does not matter where the group is within the AD structure.


 * Create a file called /etc/sudoers.d/local (the name is unimportant)

Kerberize ssh
 * Edit /etc/ssh/ssh_config, uncomment and enable GSSAPI authentication. This is for using ssh from this system to another one.
 * Edit /etc/ssh/sshd_config and enable GSSAPI authentication. Disable clear-text passwords. I also recommend explicitly disabling root login (PermitRootLogin).
 * Restart the OpenSSH daemon.

You should now be able to ssh directly in as an AD user. A reasonably modern version of PuTTY can do this from a Windows workstation, provided GSSAPI is enabled and the tickbox to use the logged-in username is ticked. Also bear in mind that Unix systems are case sensitive, so you may have to fix the case of your Windows account's various naming attributes.
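The sudo and Kerberize ssh steps above, as one added example (not the page's own commands): a small helper that sets an option in ssh_config or sshd_config whether the line is currently commented out, already set or missing, so it can be re-run safely; the sshd hardening and client settings the text describes; and the sudoers drop-in for the AD group. The group name sysadmin follows the text; the file paths are parameters so everything can be tried on copies.

```shell
#!/bin/sh
# Added example, not the page's own commands. Paths are parameters; run against
# /etc/ssh/sshd_config, /etc/ssh/ssh_config and /etc/sudoers.d/local for real.

# set_ssh_option FILE KEY VALUE: rewrite an existing "KEY ..." or "#KEY ..." line
# (leading spaces allowed, as in the stock files) or append the option if the key
# is absent. Every matching line is rewritten, so keep any Match blocks in mind
# when a key appears inside one.
set_ssh_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^#*[[:space:]]*$key[[:space:]]" "$file"; then
        sed -e "s|^#*[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE: Kerberos on, password logins off, no root over ssh
harden_sshd() {
    set_ssh_option "$1" GSSAPIAuthentication yes
    set_ssh_option "$1" GSSAPICleanupCredentials yes
    set_ssh_option "$1" PasswordAuthentication no
    # keyboard-interactive via PAM would otherwise still accept a password
    set_ssh_option "$1" ChallengeResponseAuthentication no
    set_ssh_option "$1" PermitRootLogin no
}

# kerberize_ssh_client FILE: outbound ssh from this host uses the user's ticket.
# Delegation stays off: a compromised target should not receive forwardable TGTs.
kerberize_ssh_client() {
    set_ssh_option "$1" GSSAPIAuthentication yes
    set_ssh_option "$1" GSSAPIDelegateCredentials no
}

# write_sudoers_dropin FILE GROUP: full sudo for the AD group, mode 0440 as sudo
# requires. With "winbind use default domain = yes" the group is plain "sysadmin";
# otherwise it would have to be written as EXAMPLE\\sysadmin.
write_sudoers_dropin() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$2" > "$1"
    chmod 0440 "$1"
}

# check_sudoers FILE: syntax check before a broken drop-in locks everyone out
check_sudoers() {
    visudo -cf "$1"
}

# Apply (as root; not exercised here):
#   harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
#   kerberize_ssh_client /etc/ssh/ssh_config
#   getent group sysadmin                     # the AD group resolves via winbind
#   write_sudoers_dropin /etc/sudoers.d/local sysadmin && check_sudoers /etc/sudoers.d/local
```

`sshd -t` before the restart is the check that matters: a typo in sshd_config makes the restart fail and, if you are connected over ssh, that is the session you would lose.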

Database - MariaDB
Install the software and secure it. The MariaDB root password is initially blank, so hit enter when prompted for the current root password. Note that this root is the database administrator account, not the system root user; it simply has the same name. Keep a note of the password that you set. Check that you can access the database server with the password you set earlier. Type \q and hit enter to exit.

Webserver - Apache
Install the basic software. Apache runs as the www-data user, which cannot read the Kerberos keytab by default, so setfacl is used to grant it read access. net ads keytab add is used to add a service principal for HTTP, the service name Apache expects. The final command should list several entries starting HTTP/. "AD_username" should be an account that has permission to set service principal names on the computer object (a Domain Admin will do; a more narrowly delegated account may suffice). The Apache installer enables and starts the web server. Point a browser at it and you should get the Ubuntu default page. You will get a certificate error in your browser when you test over https because the server is currently using a self-signed certificate; later on we will obtain a trusted certificate.

vhost with LDAP and Kerberos

 * Remove all website configuration links (you could use the a2dissite command instead).
 * Create a user in AD, which in this example is called ldapsearch. It only needs enough rights to connect and read public attributes.
 * Create a new website configuration. Ensure you make the required changes for your environment. Put this file in the sites-available directory and then symlink it in the sites-enabled directory. The symlink command is listed after the config example.

To use this configuration as-is you must have client systems that are correctly set up to use Negotiate. You could set KrbMethodK5Passwd On, which will make the browser prompt for a username and password (sent as Basic authentication, so only ever over https). This configuration requires that all users of the wiki are members of a particular AD group to even be able to connect to the web server. The string of numbers before the group name (1.2.840.113556.1.4.1941, the LDAP_MATCHING_RULE_IN_CHAIN OID) makes the membership test follow nested groups.

You should make changes on the indicated lines. my_local_user is not used yet and can be left as is for now.

Enable the Apache site configuration. Create a simple testing PHP script at /var/www/html/index.php and remove the default page so that index.php is executed instead.

Restart the web server. Point a browser at http://wiki.example.co.uk and it should redirect you to https and output your username followed by phpinfo, which gives lots of handy debugging information. Ensure you are logged in as a member of the AD "A_USER_GROUP" group. When it is working, I suggest you delete or disable the index.php script.
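The Apache keytab preparation and the vhost described above, as one added example that is not the page's local.conf: a function that renders the Kerberos (mod_auth_kerb) plus LDAP group authorisation (mod_authnz_ldap) vhost from its variable parts, with the keytab, module, test script and enable commands listed as comments. Every name (server name, realm, DC, base DN, bind account and its password, group DN) is an assumed placeholder and must be changed for your environment.

```shell
#!/bin/sh
# Added example, not the page's own local.conf. All names are assumed placeholders.

# Keytab and modules (run as root; not exercised here):
#   net ads keytab add HTTP -U AD_username       # HTTP/host@REALM into /etc/krb5.keytab
#   klist -k /etc/krb5.keytab | grep HTTP/       # expect several HTTP/ entries
#   setfacl -m u:www-data:r /etc/krb5.keytab     # Apache may read it; getfacl shows the ACL
#   a2enmod ssl auth_kerb authnz_ldap ldap

# render_vhost SERVERNAME REALM DCHOST BASEDN BINDDN GROUPDN
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/html
    SSLEngine on
    # Ubuntu's snakeoil pair until the AD CA signed certificate is installed
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Location />
        # authentication: Kerberos via SPNEGO/Negotiate
        AuthType Kerberos
        AuthName "$2"
        KrbAuthRealms $2
        KrbServiceName HTTP
        Krb5Keytab /etc/krb5.keytab
        KrbMethodNegotiate On
        # Off: no fall-back to a Basic-auth password prompt. Set On only while
        # clients that cannot do Negotiate are being sorted out; the :80 vhost
        # above redirects to https so the password never travels in clear.
        KrbMethodK5Passwd Off
        # REMOTE_USER becomes "jsmith" rather than "jsmith@$2", matching sAMAccountName
        KrbLocalUserMapping On

        # authorisation: group membership looked up over LDAPS on the global
        # catalogue; the CA certificate installed earlier is what lets this verify
        AuthLDAPURL "ldaps://$3:3269/$4?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "$5"
        AuthLDAPBindPassword "ldapsearch-password"
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: nested groups count
        Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=$6
    </Location>
</VirtualHost>
EOF
}

# Enable and test (as root; not exercised here):
#   render_vhost wiki.example.co.uk EXAMPLE.CO.UK dc1.example.co.uk \
#       DC=example,DC=co,DC=uk ldapsearch@example.co.uk \
#       CN=A_USER_GROUP,OU=Groups,DC=example,DC=co,DC=uk \
#       > /etc/apache2/sites-available/local.conf
#   a2ensite local && apache2ctl configtest && systemctl restart apache2
#   printf '<?php echo htmlspecialchars($_SERVER["REMOTE_USER"]); phpinfo();\n' \
#       > /var/www/html/index.php
#   rm /var/www/html/index.html              # so index.php is served
```

The bind password sits in clear text in local.conf, so keep the file root-owned and readable only by root and www-data, and give the ldapsearch account nothing beyond read access. A `401` from the https vhost with Negotiate enabled on the client usually means the browser has no ticket for HTTP/wiki.example.co.uk: check `klist -k` for that exact host name and that the name the browser uses is not a CNAME.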

AD CA signed SSL certificate
You will need a correctly set up Windows CA for this step, and its root certificate installed in the local trust store of all clients that access this system. Chrome(ium), at least, ignores the Common Name and requires the host name to appear in a Subject Alternative Name for the certificate to be considered secure. There are several ways to do the job; here is one.
 * Create a directory to hold the certificate related files, set permissions and cd into it.
 * Generate a CSR. Create a configuration file called /etc/apache2/ssl/csr.conf which will be used to override the system defaults. "CN =" is the Common Name, which should match what is typed into the browser. "subjectAltName =" here is a pointer to a list that is created under the [ alt_names ] heading. Put your own settings for everything under [ dn ]; apart from CN you can put anything suitable.
 * Create a private key wiki.key and CSR wiki.csr. Note the shell redirection used to pass the custom configuration file's contents to the -config parameter.
 * Obtain a certificate from an AD CA. Transfer wiki.csr to a Windows system that has the certreq command available. You will need to run the following command as a user with the correct rights. This will create wiki.crt.
 * Install the certificate. Transfer wiki.crt to /etc/apache2/ssl. Edit the Apache configuration /etc/apache2/sites-available/local.conf to use the new SSL certificate. Restart Apache and test with your browser; you should not get a certificate related security error.
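The CSR steps above, as an added example rather than the page's own csr.conf and openssl command: render the request configuration with a [ dn ] section and an [ alt_names ] list, generate the key and CSR from it (here via a plain `-config FILE` rather than the shell redirection the text mentions), and then read the SANs back out of the CSR, which is the check that tells you in advance whether Chrome will accept the result. The [ dn ] values and the host names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the page's own files. Subject values and names are assumed.

# render_csr_conf CN [ALT...]: the file the text calls /etc/apache2/ssl/csr.conf.
# CN is repeated as DNS.1 so the name typed into the browser is always a SAN.
render_csr_conf() {
    cn="$1"; shift
    cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = GB
ST = Some County
L  = Some Town
O  = Example Ltd
OU = IT
CN = $cn

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
    n=2
    for alt in "$@"; do
        printf 'DNS.%d = %s\n' "$n" "$alt"
        n=$((n + 1))
    done
}

# make_csr DIR CN [ALT...]: writes DIR/csr.conf, DIR/wiki.key (mode 0600 via the
# umask) and DIR/wiki.csr. Use /etc/apache2/ssl as DIR for real.
make_csr() {
    dir="$1"; shift
    render_csr_conf "$@" > "$dir/csr.conf"
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/wiki.key" -out "$dir/wiki.csr" -config "$dir/csr.conf" \
        >/dev/null 2>&1)
}

# csr_sans DIR: prints the DNS names the CSR actually carries, one per line.
# "openssl req -text" prints them on the line after the SAN heading.
csr_sans() {
    openssl req -in "$1/wiki.csr" -noout -text | awk '
        /X509v3 Subject Alternative Name/ {
            getline
            gsub(/DNS:/, ""); gsub(/, */, "\n"); gsub(/^ +/, "")
            print
        }'
}

# Typical use (as root):
#   make_csr /etc/apache2/ssl wiki.example.co.uk wiki && csr_sans /etc/apache2/ssl
```

On the Windows side the usual submission is `certreq -submit -attrib "CertificateTemplate:WebServer" -config "ca.example.co.uk\EXAMPLE-CA" wiki.csr wiki.crt` (CA host and CA name assumed; the account needs enrol rights on the template). Back on the server, `openssl x509 -in wiki.crt -noout -subject -ext subjectAltName` should show the same names as `csr_sans` did, since the CA copies the SAN from the request.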

Firewall - UFW
The Ubuntu minimal installer includes the Uncomplicated Firewall (UFW), a front end for the standard iptables Linux firewall, and the reference build uses it as an additional layer of protection and to comply with likely corporate policy. By default ufw allows outgoing connections and blocks incoming connections. These commands allow access from anywhere to ssh and the web server and switch on the firewall. If policy allows, restrict the ssh rule to your management subnet rather than opening it to anywhere.

Upgrading Xenial to Bionic
Some quick notes that were needed for a successful upgrade of a wiki running MW 1.31 on Ubuntu Xenial to 1.33 on Bionic:

 * PHP was disabled after the upgrade: the wiki home page came up in plain text.
 * php-curl was held back to an older version for some reason (apt reported "The following packages have been kept back: php-curl").
 * The Parsoid package source (APT repository) was removed by the release upgrade, so put it back.

The upgrade was done by upgrading MediaWiki itself following the guide here Intranet/Intranet Installation, after which the Visual Editor stopped working properly. After upgrading the OS from Xenial to Bionic and fixing PHP, VE worked again.