[Systems] FreeBSD 10 server

Discussion in 'The Common Room' started by Elf, Sep 6, 2015.

  1. Elf

    Here is a guide for how I configure FreeBSD 10 server installations. I am making a set of new Virtual Machines and thought it would be a good time to document it. I will assume a hypervisor setup where you are provisioning this as a VM and have the ability to create multiple virtual hard drives.

    This is really more for my own reference than anything. However, someone else may find it useful.

    Install from media
    1. Create a VM of the desired specifications with an 80GB system drive -- other drives for other partitions can be created and mounted later
    2. Utilize the FreeBSD 10 DVD ISO installation media and boot the installer
    3. Select the Install option
    4. Set the hostname as appropriate
    5. Deselect all distributions (e.g. lib32, ports), although if it is a multi-user shell server you may want to leave games
    6. For partitioning, select the Auto (ZFS) Guided Root-on-ZFS option
      1. Leave the ZFS Configuration options as default
      2. Select the stripe Virtual Device type
      3. Select the VM's system disk (e.g. da0) and proceed
      4. Select yes to "destroy the current contents" of the disk
    7. Set the root user password
    8. Proceed with configuring the main network interface (IPv4, IPv6) as appropriate
      1. I often use the OpenDNS servers for DNS: 208.67.222.222, 208.67.220.220
    9. Select UTC as the system time zone
    10. Enable sshd, ntpd, and dumpdev services
    11. If the server will be a standalone server (e.g. no LDAP / AD authentication), add local user accounts now
      1. Add the wheel group as a secondary group to the users to enable su access
    12. Exit the installer and reboot
    Post-install setup
    After finishing with the installer, further steps will be necessary to bring the system to a usable state.

    Packages
    1. Log in as the root user
    2. Update FreeBSD base:
      Code:
      freebsd-update fetch
      freebsd-update install
    3. Fetch down the ports tree:
      Code:
      portsnap fetch
      portsnap extract
    4. Set up pkg and install zsh, portmaster:
      Code:
      pkg
      pkg update
      pkg install zsh portmaster
      echo 'WITH_PKGNG=yes' >> /etc/make.conf
      pkg2ng
    5. Edit /etc/rc.conf
      1. Below the ntpd_enable line, add boot time syncs: ntpd_sync_on_start="YES"
      2. Disable sendmail at the bottom: sendmail_enable="NONE"
      3. Save the file and exit the editor
    SSH
    1. Edit /etc/ssh/sshd_config to increase SSH security (vi /etc/ssh/sshd_config)
      1. Select a non-standard SSH port and uncomment/change the Port line, e.g.: Port 4422
      2. Uncomment/change the PermitRootLogin line to disable root logins, e.g.: PermitRootLogin No
      3. Save the file and exit the editor
    Firewalling
    1. Determine the management subnets that should be allowed to reach SSH (e.g. 1.2.3.0/24, 2.3.4.16/28).
    2. Use an editor to populate /etc/pf.conf. See the PF FAQ for information on constructing rulesets. For example, with hn0 as the primary network interface:
      Code:
      ext_if="hn0"
      
      table <mgmt> { \
          1.2.3.0/24, \
          2.3.4.16/28 \
        }
      
      set skip on lo
      
      scrub in
      
      block in
      pass out
      
      antispoof quick for { lo }
      
      pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { \
          unreach, redir, echoreq, timex \
        }
      pass in on $ext_if inet proto tcp from <mgmt> to ($ext_if) port 4422   # the Port set in sshd_config above
    3. Add pf_enable="YES" to /etc/rc.conf
    4. shutdown -r now to reboot the VM
     
    Last edited: Sep 6, 2015
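The SSH step picks a non-standard port and the pf ruleset passes one tcp port from the management table; if those two values disagree, `pf_enable="YES"` plus the reboot locks SSH out of the VM. The script below is an added example, not part of the original post: it reads the `Port` directive(s) out of an sshd_config and the `port` of the `pass in ... proto tcp from <mgmt>` rules out of a pf.conf and refuses to pass when sshd listens on a port pf does not admit. The sshd_config and pf.conf files it checks are constructed in a temp directory for the demo; the port numbers are the ones used in this thread.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot consistency check
# between the Port chosen in sshd_config and the tcp port the pf ruleset
# passes from <mgmt>. If the two disagree, enabling pf and rebooting locks
# SSH out of the VM. The sample files below are constructed for the demo.

# sshd_ports FILE: every uncommented "Port" value in an sshd_config.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1" | sort -u
}

# pf_mgmt_tcp_ports FILE: destination ports of "pass in ... proto tcp"
# rules whose source is the <mgmt> table.
pf_mgmt_tcp_ports() {
    awk '/^pass[ \t]+in/ && /proto[ \t]+tcp/ && /<mgmt>/ {
             for (i = 1; i <= NF; i++) if ($i == "port") print $(i + 1)
         }' "$1" | sort -u
}

# ssh_reachable_through_pf SSHD_CONFIG PF_CONF: 0 when every port sshd
# listens on (22 if none is set) is passed from <mgmt>, 1 otherwise.
ssh_reachable_through_pf() {
    ports=$(sshd_ports "$1")
    [ -n "$ports" ] || ports=22
    allowed=" $(printf '%s ' $(pf_mgmt_tcp_ports "$2"))"
    for p in $ports; do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "sshd listens on tcp/$p but pf passes no tcp/$p from <mgmt>" >&2
               return 1 ;;
        esac
    done
    return 0
}

# make_samples DIR: constructed sshd_config plus two pf.conf variants.
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample: the non-standard port chosen in the SSH step
Port 4422
PermitRootLogin no
EOF
    # constructed sample: the mgmt rule passes a different port than sshd uses
    cat > "$1/pf.conf.bad" <<'EOF'
ext_if="hn0"
table <mgmt> { 1.2.3.0/24, 2.3.4.16/28 }
set skip on lo
block in
pass out
pass in on $ext_if inet proto tcp from <mgmt> to ($ext_if) port 5122
EOF
    # constructed sample: the same ruleset with the port matching sshd
    sed 's/port 5122$/port 4422/' "$1/pf.conf.bad" > "$1/pf.conf.good"
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for variant in bad good; do
    if ssh_reachable_through_pf "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/pf.conf.$variant"; then
        echo "pf.conf.$variant: every sshd port is reachable from <mgmt>"
    else
        echo "pf.conf.$variant: mismatch, fix before setting pf_enable and rebooting"
    fi
done
# On the FreeBSD host itself, also let the daemons parse the real files
# before rebooting:  sshd -t  &&  pfctl -nf /etc/pf.conf
```

Run it on the real files with `ssh_reachable_through_pf /etc/ssh/sshd_config /etc/pf.conf` after the two edits and before the reboot; a console login through the hypervisor is the only way back in if the check is skipped and the ports differ.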
  2. Elf

    Active Directory Authentication
    FreeBSD can be joined up to a Windows Active Directory domain for centralized authentication and authorization by using the 'winbind' component of Samba and Kerberos.

    For the purposes of this example, I will build on the base install procedure above. Also I will use the sample Active Directory parameters below:
    • AD Domain: example.corp.com
    • AD Domain NetBIOS name: EXAMPLE
    • Domain Administrator user: Administrator
    • Domain controllers (in the same site as the CentOS server)
      • dc-1.example.corp.com / 1.2.3.4
      • dc-2.example.corp.com / 1.2.3.5
    • FreeBSD server name: fbsd-1.example.corp.com
    • Group of users allowed to log in: fbsd-1 login
    The hostname (in /etc/rc.conf) should be set to the fully qualified AD domain name as per the above (fbsd-1.example.corp.com), to successfully register the server in AD.

    Packages
    A set of packages will need to be installed to facilitate the AD domain join and authentication:
    Code:
    pkg install samba41 pam_mkhomedir sudo
    DNS
    Modify /etc/resolv.conf and change the search domain to your AD domain. You may also wish to set your nameservers to the AD DCs if the domain is not Internet DNS resolvable. For example:
    Code:
    search example.corp.com
    nameserver 1.2.3.4
    nameserver 1.2.3.5
    Kerberos & Samba
    Invoke your favorite editor to create the Kerberos configuration in /etc/krb5.conf:
    Code:
    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    # KEYRING credential caches exist only on Linux; leave the FreeBSD default (FILE) cache in place
    default_realm = EXAMPLE.CORP.COM
    
    [realms]
    EXAMPLE.CORP.COM = {
      kdc = dc-1.example.corp.com
      kdc = dc-2.example.corp.com
      admin_server = dc-1.example.corp.com
      admin_server = dc-2.example.corp.com
    }
    
    [domain_realm]
    example.corp.com = EXAMPLE.CORP.COM
    .example.corp.com = EXAMPLE.CORP.COM
    Now create /usr/local/etc/smb4.conf:
    Code:
    [global]
       workgroup = EXAMPLE
       password server = dc-1.example.corp.com dc-2.example.corp.com
       realm = EXAMPLE.CORP.COM
       security = ads
       idmap config * : backend = rid
       idmap config * : range = 10000-99999
       template homedir = /usr/home/%U
       template shell = /usr/local/bin/zsh
       kerberos method = secrets only
       winbind use default domain = true
       winbind offline logon = false
       winbind separator = +
       winbind enum users = yes
       winbind enum groups = yes
       winbind refresh tickets = yes
       server string = Samba Server Version %v
    Domain Join
    1. Test domain controller lookup. This should return familiar, favorable results about one of your domain controllers. If not, check network connectivity or your authconfig settings.
      Code:
      net ads lookup dc
    2. Join the domain using Domain Administrator credentials:
      Code:
      net ads join -U Administrator
    3. Enable winbind and nscd by adding to /etc/rc.conf:
      Code:
      nscd_enable="YES"
      samba_server_enable="YES"
      winbindd_enable="YES"
    4. Start winbind: /usr/local/etc/rc.d/samba_server start
    5. Check the domain join: net ads info
    6. Test Kerberos:
      Code:
      kinit Administrator
      klist
    7. Show AD user/group info: wbinfo -ug
    8. Enable passwd/group integration with AD using winbind, by updating the group and passwd lines in /etc/nsswitch.conf. Remove the _compat lines as well:
      Code:
      group: files winbind
      hosts: files dns
      networks: files
      passwd: files winbind
      shells: files
      services: compat
      services_compat: nis
      protocols: files
      rpc: files
    Authentication
    1. Enable Kerberos authentication in PAM by editing the relevant files in /etc/pam.d/. system and ssh are good places to start, but you will want to change the PAM settings for every service that you wish to utilize AD authentication.
      1. Uncomment all pam_krb5.so lines in each file except for the password line (I have not tested changing AD passwords via Kerberos)
      2. Add a line to the end of the session group, but above any pam_permit.so entries:
        Code:
        session         required       /usr/local/lib/pam_mkhomedir.so
    2. Reboot the server and attempt to log in using a domain user
    Authorization
    1. Enable users in the Domain Admins and Enterprise Admins groups to use sudo
      1. Execute visudo to edit the sudoers file
      2. Add the following lines:
        Code:
        User_Alias WINADMINS = %Domain\ Admins, %Enterprise\ Admins
        WINADMINS ALL=(ALL) ALL
      3. Save the file and exit the editor
    2. Restrict the domain users allowed to log in to the machine
      1. In Windows
        1. Create the fbsd-1 login group in Active Directory (Active Directory Administrative Center or Active Directory Users and Computers)
        2. Add the users allowed to log in to the machine to the fbsd-1 login group
        3. Use Powershell to locate the SID of the group created:
          Code:
          $g = New-Object System.Security.Principal.NTAccount("fbsd-1 login")
          $g.Translate([System.Security.Principal.SecurityIdentifier]).Value
          For example, the SID here may be S-1-5-21-2363080627-1058686939-1320131010-1607
      2. On the FreeBSD server, edit the relevant files in /etc/pam.d/ where you previously enabled pam_krb5.so. Rearrange the auth block, moving pam_krb5.so to optional at the end, and marking pam_unix.so as sufficient. Then add pam_winbind.so to check for proper group membership for AD users. For example, from an out-of-the-box /etc/pam.d/system:
      Code:
      auth            sufficient      pam_opie.so             no_warn no_fake_prompts
      auth            requisite       pam_opieaccess.so       no_warn allow_local
      #auth           sufficient      pam_ssh.so              no_warn try_first_pass
      auth            sufficient      pam_unix.so             no_warn try_first_pass nullok
      auth            optional        pam_krb5.so             no_warn try_first_pass
      auth            required        pam_winbind.so          use_first_pass require_membership_of=S-1-5-21-2363080627-1058686939-1320131010-1607
     
    Last edited: Sep 7, 2015
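The order of the auth stack in the last step is what turns "any domain account" into "members of fbsd-1 login": a `sufficient` pam_krb5.so rule ends the stack on a valid AD password before pam_winbind.so ever sees the request, which is the state the system is in between Authentication step 1 and Authorization step 2. The script below is an added example, not part of the original post: it lints the auth rules of a pam.d service file for a required pam_winbind.so rule carrying a well-formed `require_membership_of=` SID and for the absence of a `sufficient` pam_krb5.so rule above it. The two pam.d files it checks are constructed for the demo (one modelled on the stock /etc/pam.d/system with pam_krb5.so uncommented, one on the rearranged stack shown above), reusing the group SID from the post.

```shell
#!/bin/sh
# Added example, not from the original post: lint the auth section of a
# /etc/pam.d service file for the arrangement the final step describes.
# Two properties matter: pam_winbind.so must be a required rule carrying
# require_membership_of=<group SID>, and pam_krb5.so must not be
# "sufficient" above it, because a sufficient rule ends the stack on a
# valid AD password before group membership is ever checked. The sample
# files below are constructed for the demo.

SID_RE='^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'

# auth_rules FILE: uncommented "auth" rules as "<control> <module> <args...>"
auth_rules() {
    awk '$1 == "auth" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# winbind_guard_ok FILE: 0 if a required/requisite pam_winbind.so rule
# restricts logins with a well-formed require_membership_of SID.
winbind_guard_ok() {
    auth_rules "$1" | awk -v re="$SID_RE" '
        $2 ~ /pam_winbind\.so/ && ($1 == "required" || $1 == "requisite") {
            for (i = 3; i <= NF; i++)
                if (index($i, "require_membership_of=") == 1 &&
                    substr($i, length("require_membership_of=") + 1) ~ re)
                    found = 1
        }
        END { exit found ? 0 : 1 }'
}

# krb5_not_sufficient_before_winbind FILE: 0 unless pam_krb5.so appears as
# "sufficient" before the pam_winbind.so rule (or with no winbind rule at all).
krb5_not_sufficient_before_winbind() {
    auth_rules "$1" | awk '
        $2 ~ /pam_winbind\.so/ { seen_winbind = 1 }
        !seen_winbind && $1 == "sufficient" && $2 ~ /pam_krb5\.so/ { bypass = 1 }
        END { exit bypass ? 1 : 0 }'
}

# lint_pam_auth FILE: 0 when both checks pass.
lint_pam_auth() {
    winbind_guard_ok "$1" && krb5_not_sufficient_before_winbind "$1"
}

# make_samples DIR: two constructed pam.d service files.
make_samples() {
    # constructed: stock-style system file with only pam_krb5.so uncommented
    # (the state after Authentication step 1): any valid domain user logs in
    cat > "$1/system.step1" <<'EOF'
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
EOF
    # constructed: the rearranged stack from the post, group SID included
    cat > "$1/system.final" <<'EOF'
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass nullok
auth            optional        pam_krb5.so             no_warn try_first_pass
auth            required        pam_winbind.so          use_first_pass require_membership_of=S-1-5-21-2363080627-1058686939-1320131010-1607
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for f in system.step1 system.final; do
    if lint_pam_auth "$SAMPLE_DIR/$f"; then
        echo "$f: AD logins are restricted to the require_membership_of group"
    else
        echo "$f: any domain account with a valid password can log in"
    fi
done
```

Point `lint_pam_auth` at every file under /etc/pam.d/ that was touched in the Authentication step (system, sshd and any other service that should accept AD logins); a service file that was given pam_krb5.so but never the pam_winbind.so rule is exactly the one the lint is meant to catch.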