Setting the stage



Posted at: 2020-09-07 07:00 CEST
Length: 1079 words (6 minutes)
Tags: [ kerberos network home lab ldap freebsd bhyve ]

Preamble

The battleground, as it looks before I start, is a bunch of computers, virtual and physical, mostly running Linux and FreeBSD (there is also one Windows 10 machine and some older systems like Windows 2000, Mac OS X, classic Mac OS, and DOS, but those are less relevant to the topic at hand and will most likely not be accounted for).

All in all, I have a little over 10 machines (virtual and physical) running FreeBSD, Debian GNU/Linux, and Arch Linux.

I want to simplify logging in to each of these, being able to change passwords and add users at will without having to do so on every single machine, as well as, if possible, add single sign-on for mail, SSH, and maybe other services. In order to do this, I'll add another couple of services to the network: Kerberos and LDAP. The combination of Kerberos and LDAP has been in use for many years by many big companies all over the world, mostly in the joined form of Microsoft's Active Directory. I could go that route, but since I don't use Windows, don't want to pay for a Windows Server license, and like to actually figure out how stuff works rather than just push a couple of buttons and have it done for me without learning anything, I'll instead go with a couple of open-source solutions, Heimdal and OpenLDAP, each on its own new virtual machine running FreeBSD.

The host of the virtual machines runs FreeBSD and uses bhyve as the hypervisor, and I have a tool called vm (vm-bhyve) installed to manage the bhyve virtual machines more easily.

Getting started

First off, I need to create the new virtual machines. I'll use the standard template for a FreeBSD machine using a ZFS volume for its storage, give each of them 10 GiB of storage (way more than required), and 2 GiB of RAM (rather than the 256 MiB that the template sets).

# vm create -t freebsd-zvol -s 10G -m 2G example-heimdal
# vm create -t freebsd-zvol -s 10G -m 2G example-openldap

Next, I make sure they exist:

# vm list
NAME              DATASTORE  LOADER     CPU  MEMORY  VNC  AUTOSTART  STATE
example-heimdal   default    bhyveload  1    2G      -    No         Stopped
example-openldap  default    bhyveload  1    2G      -    No         Stopped

Ok. Good. I'll also need to make sure I have the ISO file for FreeBSD, so that I can actually install the OS.

# vm iso https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/FreeBSD-12.1-RELEASE-amd64-bootonly.iso

Next, I'll install FreeBSD. The two installs will be identical, except for the name of each machine and the software installed on top of the OS (in later posts), so I'll only show the process for one.

# vm install example-heimdal FreeBSD-12.1-RELEASE-amd64-bootonly.iso
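Before handing a downloaded image to vm, it is worth checking it against the SHA256 checksum file that FreeBSD publishes in the same ISO-IMAGES directory. The script below is an added example and not part of the original post: it wraps the create, list, iso, and install steps above in functions and assumes the checksum file name used on download.freebsd.org for 12.1, the "SHA256 (file) = hex" line format of that file, and that vm iso accepts a local path.

```shell
#!/bin/sh
# Added example, not from the original post: verify the FreeBSD ISO against the
# SHA256 checksum file FreeBSD publishes next to it before handing it to vm(8).
set -eu
RELEASE="12.1"
ISO="FreeBSD-${RELEASE}-RELEASE-amd64-bootonly.iso"
BASE="https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/${RELEASE}"
SUMS="CHECKSUM.SHA256-FreeBSD-${RELEASE}-RELEASE-amd64"   # assumed file name

# SHA-256 of a file as lowercase hex, using whichever tool the host provides.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"           # FreeBSD base
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the digest of $1 matches the "SHA256 (name) = hex" line for its
# basename in checksum file $2; return 1 on a mismatch or when no line exists.
verify_iso() {
    file=$1; sums=$2; name=$(basename "$file")
    expected=$(sed -n "s/^SHA256 (${name}) = \([0-9a-f]*\)\$/\1/p" "$sums")
    [ -n "$expected" ] || { echo "no SHA256 entry for $name" >&2; return 1; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Create a guest with the post's parameters unless "vm list" already shows it.
ensure_vm() {
    if vm list | awk 'NR > 1 { print $1 }' | grep -qx "$1"; then
        echo "$1 already exists, skipping create"
    else
        vm create -t freebsd-zvol -s 10G -m 2G "$1"
    fi
}

# Host-side driver (assumes vm(8) accepts a local path for "vm iso"; if it
# does not, copy the verified ISO into the datastore's iso directory instead).
main() {
    fetch -o "$ISO" "${BASE}/${ISO}"        # fetch(1) is in FreeBSD base
    fetch -o "$SUMS" "${BASE}/${SUMS}"
    verify_iso "$ISO" "$SUMS"               # aborts the run on a bad image
    vm iso "$(pwd)/$ISO"
    for guest in example-heimdal example-openldap; do
        ensure_vm "$guest"
        vm install "$guest" "$ISO"
    done
}
case "${1:-}" in run) main ;; esac      # run on the host as: sh setup-guests.sh run
```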

During install, I select the correct keyboard and deselect all optional components, because I have no need of them and they only take up space and add time to updates. Both machines will only run 64-bit binaries, so lib32 is unnecessary, and I'll use pkg to install the software I need, so ports isn't useful either. I also won't do any debugging on these systems, nor will I require the source code (nice as it is to have the option).

+---------------------Distribution Select------------------------+
| Choose optional system components to install:                  |
| +------------------------------------------------------------+ |
| | [ ] base-dbg    Base system (Debugging)                    | |
| | [ ] kernel-dbg  Kernel (Debugging)                         | |
| | [ ] lib32-dbg   32-bit compatibility libraries (Debugging) | |
| | [ ] lib32       32-bit compatibility libraries             | |
| | [ ] ports       Ports tree                                 | |
| | [ ] src         System source tree                         | |
| | [ ] tests       Test suite                                 | |
| +------------------------------------------------------------+ |
|                                                                |
|                                                                |
+----------------------------------------------------------------+
|                           <  OK  >                             |
+----------------------------------------------------------------+

The automatic Root-on-ZFS guide adds a swap partition, which I don't want, so for partitioning I choose the manual setup, create a GUID partition table with a single ZFS partition filling the drive, and accept the creation of a boot partition.

+------------------Partition Editor--------------------+
| Create partitions for FreeBSD. No changes will be    |
| made until you select Finish.                        |
|+----------------------------------------------------+|
||vtbd0           10 GB   GPT                         ||
||  vtbd0p1       512 KB  freebsd-boot                ||
||  vtbd0p2       10 GB   freebsd-zfs    /            ||
||                                                    ||
||                                                    ||
||                                                    ||
||                                                    ||
||                                                    ||
|+----------------------------------------------------+|
+------------------------------------------------------+
|<Create> <Delete> <Modify> <Revert> < Auto > <Finish> |
+------------------------------------------------------+

After setting a password for root, I make sure the location, date, and time are correct, and enable ntpd while disabling the other services. Keeping time in sync is always a good idea, and it matters for Kerberos in particular, which rejects requests when clocks drift more than a few minutes apart. I don't need sshd, since I can reach the console from the host if needed.

+------------------------System Configuration---------------------------+
| Choose the services you would like to be started at boot:             |
| +-------------------------------------------------------------------+ |
| | [ ] local_unbound  Local caching validating resolver              | |
| | [ ] sshd           Secure shell daemon                            | |
| | [ ] moused         PS/2 mouse pointer on console                  | |
| | [ ] ntpdate        Synchronize system and network time at bootime | |
| | [*] ntpd           Synchronize system and network time            | |
| | [ ] powerd         Adjust CPU frequency dynamically if supported  | |
| | [ ] dumpdev        Enable kernel crash dumps to /var/crash        | |
| +-------------------------------------------------------------------+ |
|                                                                       |
|                                                                       |
+-----------------------------------------------------------------------+
|                               <  OK  >                                |
+-----------------------------------------------------------------------+

I also enable all security options, because why not? I can always disable some later, if required (syslogd's network socket and sendmail may turn out to be useful).

+-----------------------------System Hardening-------------------------------+
| Choose system security hardening options:                                  |
| +------------------------------------------------------------------------+ |
| |[*] 0 hide_uids       Hide processes running as other users             | |
| |[*] 1 hide_gids       Hide processes running as other groups            | |
| |[*] 2 hide_jail       Hide processes running in jails                   | |
| |[*] 3 read_msgbuf     Disable reading kernel message buffer for unprivil| |
| |[*] 4 proc_debug      Disable process debugging facilities for unprivile| |
| |[*] 5 random_pid      Randomize the PID of newly created processes      | |
| |[*] 6 clear_tmp       Clean the /tmp filesystem on system startup       | |
| |[*] 7 disable_syslogd Disable opening Syslogd network socket (disables r| |
| |[*] 8 disable_sendmailDisable Sendmail service                          | |
| |[*] 9 secure_console  Enable console password prompt                    | |
| |[*] 10 disable_ddtraceDisallow DTrace destructive-mode                  | |
| +------------------------------------------------------------------------+ |
|                                                                            |
|                                                                            |
|                                                                            |
+----------------------------------------------------------------------------+
|                                 <  OK  >                                   |
+----------------------------------------------------------------------------+

I don't need any other users than root at the moment, so I skip adding any.

Next step, install and set up Heimdal.



Copyright © 2020 Carl K.H.
