Intranet/Intranet Reference Build Ubuntu

This page documents the OS and initial configuration that is used and tested against within this series of articles. The focus is on a system that will work in the vast majority of corporate environments that make use of Active Directory and have a robust security policy. One of the design goals of this article is to cover the sort of issues faced by a corporate sysadmin who would rather get on and use MediaWiki than fiddle with securing and integrating it.

All of these steps have been tested on a real system. The following table shows when it was last tested.

Hardware
See screenshot

Initial Installation

 * Ubuntu 16.04 (Xenial) LTS minimal https://help.ubuntu.com/community/Installation/MinimalCD
 * Static IP address
 * Guided partitioning with LVM; start with at least 30 GB of disk space
 * Add only the OpenSSH server role

Internet access via a web proxy
If web access must go via a proxy, then during the installation, when prompted, enter a proxy URL similar to one of these:

NTLM authentication:

EXAMPLE is the domain name and %5C is the URL encoding of "\". The port number after the colon ":" is likely to be either 8080 or 3128.

Basic authentication:

This will set up APT to always use the proxy; see /etc/apt/apt.conf.

VM Guest tools and ntp
Ensure that ntp is able to see enough time sources. You could use your AD DCs, for example, especially the one with the PDC emulator role. The reference system uses the ESXi hosts themselves as sources, each of which has five external sources of time.

For the reference /etc/ntp.conf, remove everything in the default file from the comment "# Specify one or more ..." up to the next comment block, which starts "#Access control". Then insert something like the following. These settings are suitable for an intranet with good communication speeds and will cause the clock to sync quite rapidly. "tinker panic 0" means that if the local clock is more than 30 seconds adrift it will still sync to the servers rather than declaring them insane!

The reference system also gets these (optional) packages.

System proxy settings
If you need proxy settings, then set the standard variables as follows in /etc/environment.

CA SSL certificate
This will be necessary to use LDAPS against a domain controller, for example, without having to disable SSL checks:
 * Export the AD CA certificate as Base64 encoded. Its name must end in .crt.
 * Copy it to /usr/local/share/ca-certificates.
 * Run the following command. Also shown is a command to list the CA certs that the system uses; the new one should be listed at the bottom.

Verify that you can connect to an AD Domain Controller via LDAPS. Here we are connecting to the Global Catalogue over TLS (port 3269); you can also test against :636. There is a lot more output, but "verify return:1" means that the certificate is trusted. Press Ctrl-C to abort.

Now is a good time to shut down the VM and take a snapshot.
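The staging and verification steps above, as an added example that is not the page's own commands: it forces the .crt suffix that update-ca-certificates requires, converts a DER export to PEM if needed, and parses the openssl s_client output for the trusted result. The CA_DIR variable, the function names and the awk listing of the bundle are my own choices.

```shell
#!/bin/sh
# Added example (not the page's own commands): stage an AD CA certificate for
# update-ca-certificates and check that a domain controller's LDAPS chain is trusted.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"   # overridable for dry runs

# A Base64 (PEM) export, as the text requires, starts with the BEGIN CERTIFICATE line.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Copy the CA cert into the trust directory, converting a DER export to PEM and
# forcing a .crt suffix (update-ca-certificates only picks up *.crt). Prints the path.
stage_ca_cert() {
    src="$1"
    name=$(basename "$src")
    case "$name" in *.crt) ;; *) name="${name%.*}.crt" ;; esac
    if is_pem_cert "$src"; then
        cp "$src" "$CA_DIR/$name"
    else
        openssl x509 -inform DER -in "$src" -out "$CA_DIR/$name" || return 1
    fi
    echo "$CA_DIR/$name"
}

# Rebuild the bundle, then print the subject of every CA in it; local additions
# are appended, so the AD CA should be the last line.
refresh_trust_store() {
    update-ca-certificates >/dev/null || return 1
    awk -v cmd='openssl x509 -noout -subject' \
        '/BEGIN CERTIFICATE/{close(cmd)} {print | cmd}' /etc/ssl/certs/ca-certificates.crt
}

# Reads 'openssl s_client' output on stdin. The "verify return:1" lines show each
# chain certificate being accepted; the final return code 0 (ok) confirms trust.
ldaps_trusted() {
    grep -q 'Verify return code: 0 (ok)'
}

# Live check of a DC: global catalogue over TLS on 3269 by default, or 636 for LDAPS.
check_dc_tls() {
    openssl s_client -connect "$1:${2:-3263}" </dev/null 2>&1 | ldaps_trusted
}
```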

AD integration - Samba
Install the software. acl will be used later in the build to make the system Kerberos keytab available to services as required. When prompted for a realm, type the Active Directory domain name in CAPITALS, for example EXAMPLE.CO.UK.

By default, smbd and nmbd will be started. They are unnecessary for running a wiki; unless you want them running, stop and disable them.

Configure Samba by moving the default config file out of the way. In the following reference config you must set your workgroup and realm (AD), and also set the domain short name (NetBIOS name) in the idmap config lines further down. The rest of the example can be used without change. Note that the min protocol setting means that Windows XP machines will be unable to access this system as a file server.

Check that all is OK; this command should give sensible output.

Join the domain. "username" should be a user that has AD permission to create a workstation object. DNS update errors are not fatal.

Restart winbind and verify that the domain can be accessed and that Kerberos is working.
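The reference smb.conf is not reproduced above, so here is an added example (my own reconstruction, not the page's file) that renders a minimal AD-member config with the workgroup, realm and NetBIOS short name as parameters, followed by the check, join and verification commands the text describes. The idmap ranges, template paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the page's reference config): render a minimal AD-member
# smb.conf for a host that only needs winbind, then the join and checks.
# Usage: render_smb_conf EXAMPLE EXAMPLE.CO.UK > /etc/samba/smb.conf
render_smb_conf() {
    wg="$1"      # NetBIOS short name of the domain (also used in the idmap lines)
    realm="$2"   # Kerberos realm in CAPITALS
    cat <<EOF
[global]
   workgroup = $wg
   realm = $realm
   security = ADS
   # SID to uid/gid mapping: "*" covers BUILTIN etc., the named block must use the
   # domain short name. The ranges are assumptions; pick ones that fit your estate.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $wg : backend = rid
   idmap config $wg : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U
   # keep /etc/krb5.keytab in step with the machine account so services can use it
   kerberos method = secrets and keytab
   # refuse SMB1, hence Windows XP cannot reach this host as a file server
   server min protocol = SMB2
   # no shares defined: smbd and nmbd can stay disabled, only winbind is needed
EOF
}

# "Sensible output" check: testparm parses the file and dumps the effective settings.
check_smb_conf() {
    testparm -s "${1:-/etc/samba/smb.conf}" >/dev/null
}

# Join with an AD account that may create computer objects (DNS update errors are
# not fatal), restart winbind, then confirm the trust secret and the Kerberos keytab.
join_domain() {
    net ads join -U "$1" || return 1
    systemctl restart winbind
    net ads testjoin && wbinfo -t && wbinfo -u | head -n 5
    klist -k              # host/ principals from the join should be listed
}
```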

Winbind and NSS
This makes AD users into Unix users.

Edit /etc/nsswitch.conf and add winbind. Verify that it is working. Create /etc/security/pam_winbind.conf.

sudo
With this configuration, your initial Unix user can still log in at the console of the system if AD is unavailable or networking is broken. sshd uses the "host" service principals, which should already be in the keytab; because it runs as root it is able to read the keytab.
 * Create a group in AD for users that will be able to run sudo on this system and add some users to it. I call mine sysadmin. It does not matter where the group is within the AD structure.
 * Create a file called /etc/sudoers.d/local (the name is unimportant).

Kerberize ssh
Edit /etc/ssh/ssh_config and uncomment and enable GSSAPI authentication; this is for using ssh from this system to another one. Edit /etc/ssh/sshd_config and enable GSSAPI authentication, and disable clear-text passwords. I also recommend explicitly disabling root login (PermitRootLogin). Restart the OpenSSH daemon. You should now be able to ssh directly in as an AD user. A reasonably modern version of PuTTY can do this from a Windows workstation, provided GSSAPI is enabled and the tick box to use the logged-in username is ticked. Also bear in mind that Unix systems are case sensitive, so you may have to reset the case on your Windows account's various naming attributes.
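The nsswitch, sudoers and sshd edits of the last three sections, as an added example that is not the page's own commands: idempotent helpers that take the file path, so they can be tried on a copy before touching /etc. The function names, the sudoers group name and the extra GSSAPICleanupCredentials and ChallengeResponseAuthentication directives are my own additions.

```shell
#!/bin/sh
# Added example (not the page's own commands): idempotent helpers for the nsswitch,
# sudoers and sshd edits. Each takes the file path it should modify or render.

# Append "winbind" to the passwd and group databases, only if not already there.
nss_add_winbind() {
    f="$1"
    for db in passwd group; do
        grep -Eq "^$db:.*winbind" "$f" || sed -i -E "s/^($db:.*)$/\1 winbind/" "$f"
    done
}

# Set one sshd_config directive whether it is absent, commented out (#Key value)
# or set to another value. The key must be followed by whitespace, so no prefix clashes.
set_sshd_option() {
    f="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$f"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]].*$/$key $value/" "$f"
    else
        printf '%s %s\n' "$key" "$value" >> "$f"
    fi
}

# The sshd settings the text describes: GSSAPI on, clear-text passwords off (including
# PAM keyboard-interactive, which would otherwise still prompt), root login explicitly
# off. Follow with: systemctl restart ssh
kerberize_sshd() {
    set_sshd_option "$1" GSSAPIAuthentication yes
    set_sshd_option "$1" GSSAPICleanupCredentials yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# Render the sudoers.d fragment for the AD group. With "winbind use default domain = yes"
# the group is its plain sAMAccountName; otherwise it needs the domain prefix.
# Write it with: render_sudoers sysadmin > /etc/sudoers.d/local && visudo -cf /etc/sudoers.d/local
render_sudoers() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}
```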

Database - MariaDB
Install the software and secure it. The root password is initially blank, so hit enter when prompted for the current root password. Note that root in this case is not the same as the root user of the system itself; it simply has the same name. Keep a note of the password that you set. Check that you can access the database server with the password you set earlier. Type \q and hit enter to exit.

Webserver - Apache
Install the basic software. Apache runs as the www-data user, which can't access the Kerberos keytab by default, so setfacl is used to allow it to read it. net ads keytab add is used to add a service principal for HTTP, which is the default for Apache. The final command should list several entries starting HTTP/. "AD_username" should be an account that has permissions to set service principals (Domain Admin?). The Apache installer will enable and start the web server. Point a browser at it and you should get the Ubuntu default page.

Now enable SSL, LDAP and PHP, and disable HTTP. You could make HTTP redirect to HTTPS, but the reference build avoids listening on port 80 at all, to avoid any mistakes. Edit /etc/apache2/ports.conf and comment out "Listen 80", then restart Apache. You will get a certificate error in your browser when you test, because the server is currently using a self-signed certificate.
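The Apache steps of the last two sections, as an added example that is not the page's own commands: an ACL rather than a looser file mode gives www-data read access to the keytab, the klist -k listing is parsed to confirm the HTTP/ principals exist, and "Listen 80" is commented out of ports.conf. The KEYTAB variable and function names are my own.

```shell
#!/bin/sh
# Added example (not the page's own commands): the Apache-side Kerberos and port steps.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Give the Apache user read access through a POSIX ACL, so the keytab can stay
# root-owned and mode 0600 instead of being made world readable.
grant_keytab_read() {
    setfacl -m u:www-data:r "$KEYTAB" && getfacl --omit-header "$KEYTAB"
}

# Count HTTP/ service principals in 'klist -k' output read from stdin.
# Each entry line is "<kvno> <principal>@<REALM>", so match after the KVNO column.
count_http_principals() {
    grep -Ec '^[[:space:]]*[0-9]+[[:space:]]+HTTP/[^[:space:]@]+@[^[:space:]]+$' || true
}

# Add the HTTP SPN to the AD computer object and the local keytab. "$1" is an AD
# account allowed to set service principals; then confirm the entries landed.
add_http_principal() {
    net ads keytab add HTTP -U "$1" || return 1
    n=$(klist -k "$KEYTAB" | count_http_principals)
    [ "$n" -gt 0 ] && echo "HTTP/ principals in keytab: $n"
}

# Comment out the plain "Listen 80" lines in ports.conf (also "addr:80" forms) so
# Apache listens on 443 only; returns non-zero if any port 80 listener survives.
disable_http_listen() {
    sed -i -E 's/^([[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?80)[[:space:]]*$/#\1/' "$1"
    ! grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?80[[:space:]]*$' "$1"
}
```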