Intranet/Intranet Reference Build Ubuntu

WORK IN PROGRESS

This page documents the OS and initial configuration that is used and tested against within this series of articles. The focus is on a system that will work in the vast majority of corporate environments that make use of Active Directory and have a robust security policy. One of the design goals of this article is to cover the sort of issues faced by a corporate sysadmin who would rather get on and use MediaWiki than fiddle with securing and integrating it.

All of these steps have been tested on a real system. The following table shows when it was last tested.


 * 1) Todo - create an EXAMPLE.CO.UK AD for use with the reference build. This will ensure that the examples given are accurate.

Hardware
See screenshot

Initial Installation

 * Ubuntu 16.04 (Xenial) LTS minimal https://help.ubuntu.com/community/Installation/MinimalCD
 * Static IP address
 * Guided partitioning with LVM; it is suggested that you start off with at least 30GB of disc space
 * Only add OpenSSH server role

Internet access via a web proxy
If www access must be via a proxy, then during the installation, when prompted, enter a proxy URL similar to these:

NTLM authentication:

EXAMPLE is the domain name and %5C is the URL encoding for "\". The port number after the colon ":" is likely to be either 8080 or 3128.

Basic authentication:

This will set up APT to always use the proxy. See /etc/apt/apt.conf.

VM Guest tools and ntp
Ensure that ntp is able to see enough time sources. You could use your AD DCs, for example, especially the one with the PDC emulator role. The reference system uses the ESXi hosts themselves as sources, each of which has five external sources of time.

For the reference /etc/ntp.conf, remove everything in the default file from the comment "# Specify one or more ..." up to the next comment block, which starts "# Access control". Then insert something like the following. These settings are suitable for an intranet with good communication speeds and will cause the clock to sync quite rapidly. "tinker panic 0" means that if the local clock is more than 30 seconds adrift it will still sync to the servers rather than declaring them insane!

The reference system also gets these (optional) packages.

System proxy settings
If you need proxy settings then set the standard variables as follows in /etc/environment

CA SSL certificate
This will be necessary to use LDAPS against a domain controller, for example, without having to disable SSL checks:
 * Export the AD CA certificate as Base-64 encoded. Its name must end in .crt
 * Copy it to /usr/local/share/ca-certificates
 * Run the following command. Also shown is a command to list the CA certs that the system uses. The new one should be listed at the bottom.
 * 1) This is not quite correct - find a better way to test TLS and prove the CA is trusted

Verify that you can connect to an AD Domain Controller via LDAPS. Here we are connecting to the Global Catalogue over TLS (port 3269); you can also test against :636. There is a lot more output, but "verify return:1" means that the certificate is trusted. Press CTRL-C to abort. Now is a good time to shut down the VM and take a snapshot.
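The install-and-verify steps above as an added shell example (not from the original page). It assumes the exported CA file is called ad-ca.crt and the domain controller is dc1.example.co.uk; the offline check (openssl verify against the bundle) is the "better way" the todo above asks for, and the online check reads s_client's summary line rather than its exit status.

```shell
# Added example (not from the original page): install an exported AD CA certificate
# into the Ubuntu trust store and prove, offline and online, that it is trusted.
# Assumed names: the export ad-ca.crt and the domain controller dc1.example.co.uk.
set -e

# Copy the Base-64 (PEM) export into place; update-ca-certificates rebuilds
# /etc/ssl/certs/ca-certificates.crt and hashes a symlink for each .crt file.
install_ad_ca() {               # usage: install_ad_ca /path/to/ad-ca.crt
    cp "$1" /usr/local/share/ca-certificates/
    update-ca-certificates
}

# Offline proof: a CA that is in the bundle verifies against it, one that is
# missing fails with "self signed certificate". The exit status is the answer.
ca_trusted() {                  # usage: ca_trusted ad-ca.crt [bundle]
    openssl verify -CAfile "${2:-/etc/ssl/certs/ca-certificates.crt}" "$1" >/dev/null 2>&1
}

# s_client exits 0 even when the chain is untrusted (unless -verify_return_error
# is given), so read its summary line instead of its exit status.
verify_ok() {                   # reads s_client output on stdin
    grep -q '^ *Verify return code: 0 (ok)'
}

# Online proof against the Global Catalogue (3269) or plain LDAPS (636).
check_ldaps_trust() {           # usage: check_ldaps_trust dc1.example.co.uk 3269
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CApath /etc/ssl/certs </dev/null 2>/dev/null | verify_ok
}
```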

AD integration - Samba
Install the software. acl will be used later in the build to make the system Kerberos keytab available to services as required. When prompted for a realm, type in the Active Directory domain name in CAPITALS, for example EXAMPLE.CO.UK.

By default, smbd and nmbd will be started. They are unnecessary for the purpose of running a wiki. Unless you want them running, shut them down and disable them.
 * Configure Samba by moving the default config file out of the way.
 * In the following reference config, you must set your workgroup and realm (AD). Also set the domain short name (NetBIOS name) in the idmap config lines further down. The rest of the example can be used without change. Note that the min protocol setting will mean that Windows XP machines are unable to access this system as a file server.
 * Check that all is OK. This command should give sensible output.
 * Join the domain. "username" should be a user that has AD permissions to create a workstation object. DNS update errors are not fatal.
 * Restart winbind and verify that the domain can be accessed and that Kerberos is working.

Winbind and NSS
This makes AD users into Unix users.
 * Edit /etc/nsswitch.conf and add winbind to the passwd and group entries.
 * Verify that it is working.
 * Create /etc/security/pam_winbind.conf.

sudo
With this configuration, your initial Unix user can still log in at the console of the system if AD is unavailable or networking is broken. sshd uses the "host" service principals, which should already be in the keytab, and because it runs as root it is able to read the keytab.
 * Create a group in AD for users that will be able to run sudo on this system and add some users to it. I call mine sysadmin. It does not matter where the group is within the AD structure.
 * Create a file called /etc/sudoers.d/local (the name is unimportant).

Kerberize ssh
 * Edit /etc/ssh/ssh_config and uncomment and enable GSSAPI authentication. This is for using ssh from this system to another one.
 * Edit /etc/ssh/sshd_config and enable GSSAPI authentication. Disable clear-text passwords. I also recommend explicitly disabling root login.
 * Restart the OpenSSH daemon.

You should now be able to ssh directly in as an AD user. A reasonably modern version of PuTTY can do this from a Windows workstation, provided GSSAPI is enabled and the tickbox to use the logged-in username is ticked. Also bear in mind that Unix systems are case sensitive, so you may have to reset the case on your Windows account's various naming attributes.

Database - MariaDB
Install the software and secure it. The root password is initially blank, so hit enter when prompted for the current root password. Note that root in this case is not the same as the root user of the system itself; it simply has the same name. Keep a note of the password that you set. Check that you can access the database server with the password you set earlier. Type \q and hit enter to exit.

Webserver - Apache

 * 1) Todo - verify AD rights needed for SP creation and the install steps in this section

Install the basic software. Apache runs as the www-data user, which can't access the Kerberos keytab by default, so setfacl is used to allow it to read it. net ads keytab add is used to add a service principal for HTTP, which is the default for Apache. The final command should list several entries starting HTTP/. "AD_username" should be an account that has permissions to set service principals (Domain Admin??).

The Apache installer will enable and start the web server. Point a browser at it and you should get the Ubuntu default page. You will get a certificate error in your browser when you test because the server is currently using a self-signed certificate.

AD CA SSL Certificate

 * 1) Todo

vhost with LDAP and Kerberos

 * Remove all website configuration links (you could use the a2dissite command instead).
 * Create a user in AD, which in this example is called ldapseach. It only needs enough rights to connect and read public attributes.
 * Enable the Apache site configuration.
 * Create a simple testing PHP script at /var/www/html/index.php and remove the default page so that index.php is executed instead.
 * Create a new website configuration. Ensure you make the required changes for your environment. Put this file in the sites-available directory and then symlink it in the sites-enabled directory. The symlink command is listed after the config example.

Point a browser at http://wiki.example.co.uk and it should redirect you to https and output your username followed by phpinfo - lots of handy debugging information. Ensure you are logged in as a member of the AD "A_USER_GROUP" group. When it is working, I suggest you delete or disable the index.php script.
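An added example of the website configuration described above (this is not the page's own file). It assumes Apache 2.4 on the 16.04 build with mod_ssl, mod_ldap, mod_authnz_ldap and mod_auth_kerb (package libapache2-mod-auth-kerb) enabled, a domain controller called dc1.example.co.uk, the A_USER_GROUP group living under OU=Groups, and the default snakeoil certificate still in place until the AD CA-signed one from the next section is installed.

```apache
# /etc/apache2/sites-available/wiki.conf (added example, not from the original page)
# Requires: a2enmod ssl ldap authnz_ldap auth_kerb
<VirtualHost *:80>
    ServerName wiki.example.co.uk
    # Never offer the login prompt over clear text
    Redirect permanent / https://wiki.example.co.uk/
</VirtualHost>

<VirtualHost *:443>
    # ServerName must match the HTTP/wiki.example.co.uk principal in the keytab
    ServerName wiki.example.co.uk
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Directory /var/www/html>
        # Kerberos ticket (SPNEGO) first; K5Passwd allows a Basic prompt over TLS
        # that is checked against the KDC for browsers without a ticket
        AuthType Kerberos
        AuthName "EXAMPLE.CO.UK wiki"
        KrbAuthRealms EXAMPLE.CO.UK
        KrbServiceName HTTP
        Krb5KeyTab /etc/krb5.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        # Strip @EXAMPLE.CO.UK so REMOTE_USER matches sAMAccountName below
        KrbLocalUserMapping On

        # Authorisation: group membership looked up over LDAPS (Global Catalogue)
        # with the read-only ldapseach account. This file holds its password, so
        # keep it root-owned and not world readable.
        AuthLDAPURL "ldaps://dc1.example.co.uk:3269/DC=example,DC=co,DC=uk?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "ldapseach@example.co.uk"
        AuthLDAPBindPassword "CHANGEME"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN On
        Require ldap-group CN=A_USER_GROUP,OU=Groups,DC=example,DC=co,DC=uk
    </Directory>
</VirtualHost>
```

The ldaps:// URL only works once the AD CA certificate from the earlier section is in the system store, since mod_ldap verifies the server certificate by default.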

AD CA signed cert
You will need a Windows CA for this step. Chrome(ium), at least, requires that a certificate has a Subject Alternative Name matching the Common Name before it is considered secure. There are several ways to do the job; here is one. Create a configuration file called /etc/apache2/csr.conf which will be used to override the system defaults. "CN =" is the Common Name, which is the name that should match what is typed into the browser. "subjectAltName =" here is a pointer to a list that is created under the [ alt_names ] heading. You should put your own settings for everything under [ dn ]; apart from CN you can put anything suitable.
 * Create a directory to hold the certificate related files, set permissions and cd into it.
 * Generate a CSR

A Certificate Signing Request is plain text with a clearly defined header and footer. To quickly get the contents of wiki.csr to a Windows box you could "cat" it to your terminal and then copy and paste that into Notepad. Save it as wiki.csr somewhere, e.g. c:\tmp, a folder I habitually create for things like this. Watch out for Notepad silently putting .txt on the end of the file name. You will need to run the following command as a user with the correct rights #### What are they? #### This will create wiki.crt.
 * Create a private key wiki.key and CSR wiki.csr. Note the shell redirection used to pass the custom configuration file's contents to the -config parameter.
 * Obtain a certificate from an AD CA
 * Install the certificate
 * 1) WIP ####
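The csr.conf and the key/CSR commands from the steps above, as an added shell example (not the page's own files). Assumed values: the host wiki.example.co.uk with a short alias "wiki", the organisation "Example Ltd", and /etc/apache2/ssl as the directory created earlier; the last function checks that the SAN actually made it into the CSR before you send it to the CA.

```shell
# Added example (not from the original page): write /etc/apache2/csr.conf and
# produce wiki.key and wiki.csr carrying a Subject Alternative Name.
# Assumed values: wiki.example.co.uk, "Example Ltd", directory /etc/apache2/ssl.
set -e

write_csr_conf() {              # usage: write_csr_conf /etc/apache2/csr.conf
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
default_md          = sha256
distinguished_name  = dn
req_extensions      = req_ext

[ dn ]
C  = GB
ST = Example County
O  = Example Ltd
CN = wiki.example.co.uk

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = wiki.example.co.uk
DNS.2 = wiki
EOF
}

# Private key (created with mode 0600 via umask) and CSR. -config takes the file
# directly; the page's "<(cat csr.conf)" process substitution does the same thing.
make_csr() {                    # usage: make_csr /etc/apache2/csr.conf /etc/apache2/ssl
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$1" \
          -keyout "$2/wiki.key" -out "$2/wiki.csr" )
}

# Print the SAN list from the CSR; Chrome ignores CN, so an empty result means stop.
csr_san() {                     # usage: csr_san /etc/apache2/ssl/wiki.csr
    openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p'
}
```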

Firewall - UFW
The Ubuntu minimal installer includes the Uncomplicated Firewall (UFW) which is a package to configure the standard iptables Linux firewall, and the reference build uses it as an additional layer of protection.


 * 1) Todo

Testing and checks
Verify using netstat that services are listening. You should see MariaDB (mysqld) listening only on the loopback address. sshd is the OpenSSH daemon. Apache is listening on ports 80 and 443. ntpd listens on everything by default.

The reference system uses the Uncomplicated Firewall (ufw). To verify that it is working, you should port scan the system from another machine, or several depending on your organisation's policy. nmap/zenmap are a great way to test. Zenmap is a GUI for nmap and is available as a Windows pre-compiled build from the NMAP site. Follow the link to "Latest stable release self-installer" in the Windows section of the download links.

Be very careful that you download nmap/zenmap from Fyodor's (Gordon Lyon) real site. Search on Google and another search engine and cross-check the results. I have deliberately not provided a link here. That advice also applies to PuTTY, amongst other packages that might be targeted by unpleasant people.