Posted at: 2020-09-07 07:00 CEST
Length: 1079 words (6 minutes)
Tags: [
kerberos
network
home lab
ldap
freebsd
bhyve ]
The battleground, as it looks before I start, is a bunch of computers, virtual and physical, mostly running Linux and FreeBSD (there is also one Windows 10 machine and some older systems such as Windows 2000, Mac OS X, classic Mac OS, and DOS, but those are less relevant to the topic at hand and will most likely not be accounted for).
All in all, I have a little over 10 machines (virtual and physical) running FreeBSD, Debian GNU/Linux, and Arch Linux.
I want to simplify logging in to each of these, being able to change passwords and add users at will without having to do so on every single machine, as well as, if possible, add single sign-on for mail, SSH, and maybe other services. In order to do this, I'll add another couple of services to the network: Kerberos and LDAP. The combination of Kerberos and LDAP has been in use for many years by many big companies all over the world, most visibly in the combined form of Microsoft's Active Directory. I could go that route, but since I don't use Windows, don't want to pay for a Windows Server license, and like to actually figure out how stuff works rather than push a couple of buttons and have it done for me without learning anything, I'll instead go with a couple of open-source solutions, Heimdal and OpenLDAP, each on its own new virtual machine running FreeBSD.
The host of the virtual machines runs FreeBSD, uses bhyve as the hypervisor, and has a tool called vm (from the vm-bhyve package) installed to more easily manage the bhyve virtual machines.
First off, I need to create the new virtual machines. I'll use the standard template for a FreeBSD machine using a ZFS volume for its storage, give each of them 10 GiB of storage (way more than required), and 2 GiB of RAM (rather than the 256 MiB that the template sets).
# vm create -t freebsd-zvol -s 10G -m 2G example-heimdal
# vm create -t freebsd-zvol -s 10G -m 2G example-openldap
Next, I make sure they exist:
# vm list
NAME DATASTORE LOADER CPU MEMORY VNC AUTOSTART STATE
example-heimdal default bhyveload 1 2G - No Stopped
example-openldap default bhyveload 1 2G - No Stopped
Ok. Good. I'll also need to make sure I have the ISO file for FreeBSD, so that I can actually install the OS. Note that vm iso only downloads the image; the CHECKSUM.SHA256 file FreeBSD publishes in the same directory (itself PGP-signed) is what to verify it against before installing from it.
# vm iso https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.1/FreeBSD-12.1-RELEASE-amd64-bootonly.iso
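Verifying the downloaded image against the published checksum file, as an added example (this is not part of the original post or of vm-bhyve). FreeBSD's CHECKSUM.SHA256-* files use the BSD digest format, "SHA256 (filename) = hex"; the script below parses that format, computes the digest with whichever tool the host has, and refuses a mismatch. The demo at the bottom uses a constructed stand-in "ISO" and checksum file with a known digest so that it runs offline; on the real host you would run verify_iso against the ISO vm iso downloaded and the CHECKSUM.SHA256-FreeBSD-12.1-RELEASE-amd64 file fetched from the same directory.

```shell
#!/bin/sh
# Added example: check a downloaded FreeBSD ISO against the CHECKSUM.SHA256-*
# file published next to it before handing it to `vm install`.
# Lines in those files look like:
#   SHA256 (FreeBSD-12.1-RELEASE-amd64-bootonly.iso) = <64 hex characters>

# sha256_of FILE: print the SHA-256 hex digest of FILE.
# FreeBSD ships sha256(1); Linux hosts have sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# expected_sha256 CHECKSUM_FILE NAME: print the digest recorded for NAME,
# or nothing if the file has no SHA256 line for it.
expected_sha256() {
    awk -v n="($2)" '$1 == "SHA256" && $2 == n { print $4 }' "$1"
}

# verify_iso ISO CHECKSUM_FILE: 0 if the digest matches the published one,
# 1 on mismatch or when the checksum file has no entry for the image.
verify_iso() {
    name=$(basename "$1")
    want=$(expected_sha256 "$2" "$name")
    if [ -z "$want" ]; then
        echo "no SHA256 entry for $name in $2" >&2
        return 1
    fi
    have=$(sha256_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  want $want" >&2
    echo "  have $have" >&2
    return 1
}

# Constructed demo data (not a real FreeBSD image): "hello\n" has a well-known
# SHA-256, so the checksum file below is correct for demo.iso.
TMP=$(mktemp -d)
printf 'hello\n' > "$TMP/demo.iso"
cat > "$TMP/CHECKSUM.SHA256" <<'EOF'
SHA256 (demo.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SHA256 (other.iso) = 0000000000000000000000000000000000000000000000000000000000000000
EOF
# A tampered copy of the same image (one byte changed) under the same name.
mkdir "$TMP/t"
printf 'hellp\n' > "$TMP/t/demo.iso"

verify_iso "$TMP/demo.iso" "$TMP/CHECKSUM.SHA256"
verify_iso "$TMP/t/demo.iso" "$TMP/CHECKSUM.SHA256" || echo "refusing to install from a tampered image"
```

The checksum file only proves the ISO matches what the mirror says; checking the .asc signature on the checksum file with the FreeBSD release key is what ties it back to the project rather than to the mirror.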
Next, I'll install FreeBSD. They'll be identical, except for the naming of each machine and the software installed on top of the OS (in later posts), so I'll only show the process for one.
# vm install example-heimdal FreeBSD-12.1-RELEASE-amd64-bootonly.iso
During install, I select the correct keyboard and deselect all optional components, because I have no need of them, so they would only take up space and add time to updates. Both machines will only be running 64-bit binaries, so lib32 is unnecessary, and I'll use pkg to install the software I need, so the ports tree isn't useful either. I also won't be doing any debugging on the system, nor will I require the source code (nice as it is to have the option).
+---------------------Distribution Select------------------------+
| Choose optional system components to install: |
| +------------------------------------------------------------+ |
| | [ ] base-dbg Base system (Debugging) | |
| | [ ] kernel-dbg Kernel (Debugging) | |
| | [ ] lib32-dbg 32-bit compatibility libraries (Debugging) | |
| | [ ] lib32 32-bit compatibility libraries | |
| | [ ] ports Ports tree | |
| | [ ] src System source tree | |
| | [ ] tests Test suite | |
| +------------------------------------------------------------+ |
| |
| |
+----------------------------------------------------------------+
| < OK > |
+----------------------------------------------------------------+
The automatic Root-on-ZFS guide adds a swap partition, which I don't want, so for partitioning I choose the manual setup, create a GUID partition table with a single ZFS partition filling the drive, and accept the creation of a boot partition. Without swap, the 2 GiB of RAM is all the guest has to work with; that is plenty for a KDC or a small directory server, but it does mean a runaway process gets killed rather than paged out.
+------------------Partition Editor--------------------+
| Create partitions for FreeBSD. No changes will be |
| made until you select Finish. |
|+----------------------------------------------------+|
||vtbd0 10 GB GPT ||
|| vtbd0p1 512 KB freebsd-boot ||
|| vtbd0p2 10 GB freebsd-zfs / ||
|| ||
|| ||
|| ||
|| ||
|| ||
|+----------------------------------------------------+|
+------------------------------------------------------+
|<Create> <Delete> <Modify> <Revert> < Auto > <Finish> |
+------------------------------------------------------+
After setting a password for root, I make sure the location, date, and time are correct, and enable ntpd while leaving the other services disabled (keeping time in sync is always a good idea, and for Kerberos in particular it is a requirement, but I don't need sshd since I can reach the machine's console from the host with vm console if needed).
+------------------------System Configuration---------------------------+
| Choose the services you would like to be started at boot: |
| +-------------------------------------------------------------------+ |
| | [ ] local_unbound Local caching validating resolver | |
| | [ ] sshd Secure shell daemon | |
| | [ ] moused PS/2 mouse pointer on console | |
| | [ ] ntpdate Synchronize system and network time at bootime | |
| | [*] ntpd Synchronize system and network time | |
| | [ ] powerd Adjust CPU frequency dynamically if supported | |
| | [ ] dumpdev Enable kernel crash dumps to /var/crash | |
| +-------------------------------------------------------------------+ |
| |
| |
+-----------------------------------------------------------------------+
| < OK > |
+-----------------------------------------------------------------------+
I also enable all security hardening options, because why not? I can always relax some of them later if required (remote syslog or a local sendmail might turn out to be useful for these services). Note that disable_syslogd doesn't stop syslogd itself; it only keeps it from opening its network socket (syslogd_flags="-ss"), so local logging keeps working.
+-----------------------------System Hardening-------------------------------+
| Choose system security hardening options: |
| +------------------------------------------------------------------------+ |
| |[*] 0 hide_uids Hide processes running as other users | |
| |[*] 1 hide_gids Hide processes running as other groups | |
| |[*] 2 hide_jail Hide processes running in jails | |
| |[*] 3 read_msgbuf Disable reading kernel message buffer for unprivil| |
| |[*] 4 proc_debug Disable process debugging facilities for unprivile| |
| |[*] 5 random_pid Randomize the PID of newly created processes | |
| |[*] 6 clear_tmp Clean the /tmp filesystem on system startup | |
| |[*] 7 disable_syslogd Disable opening Syslogd network socket (disables r| |
| |[*] 8 disable_sendmailDisable Sendmail service | |
| |[*] 9 secure_console Enable console password prompt | |
| |[*] 10 disable_ddtraceDisallow DTrace destructive-mode | |
| +------------------------------------------------------------------------+ |
| |
| |
| |
+----------------------------------------------------------------------------+
| < OK > |
+----------------------------------------------------------------------------+
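The hardening menu does nothing magical: it appends a handful of sysctl knobs to /etc/sysctl.conf and a few variables to /etc/rc.conf (secure_console edits /etc/ttys instead). Since later configuration work on these machines can silently undo them, here is an added example (not from the original post) of a small audit script that checks both files for the settings the menu writes and reports every deviation. The sysctl and rc.conf names below are the ones bsdinstall writes for menu items 0 to 8 and 10; if a given release differs, compare against the files on a freshly installed guest. The sample files are constructed inline so the script runs anywhere; on a real guest you would call audit_hardening /etc/sysctl.conf /etc/rc.conf.

```shell
#!/bin/sh
# Added example: audit /etc/sysctl.conf and /etc/rc.conf on an installed
# FreeBSD guest for the settings the bsdinstall "System Hardening" menu writes.
# secure_console (item 9) lives in /etc/ttys and is not covered here.

# Menu items 0-4 and 10: sysctl knobs expected in /etc/sysctl.conf.
SYSCTL_EXPECTED='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.allow_destructive_dtrace=0'

# Menu items 6-8: rc.conf variables (quotes are stripped before comparing).
RC_EXPECTED='clear_tmp_enable=YES
syslogd_flags=-ss
sendmail_enable=NONE'

# conf_value FILE KEY: print KEY's value from a key=value file, ignoring
# comments, whitespace and surrounding quotes; the last assignment wins.
conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v) } END { print v }'
}

# audit_file FILE EXPECTED_PAIRS: print one line per missing or wrong
# setting and return the number of deviations.
audit_file() {
    file=$1; bad=0
    for pair in $2; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "DEVIATION: $key (want '$want', have '${have:-unset}') in $file"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Menu item 5 writes kern.randompid with a release-dependent value (older
# installers pick a random number), so only require it to be present and non-zero.
audit_randompid() {
    v=$(conf_value "$1" kern.randompid)
    case "$v" in
        ''|0) echo "DEVIATION: kern.randompid (want non-zero, have '${v:-unset}') in $1"; return 1 ;;
    esac
    return 0
}

# audit_hardening SYSCTL_CONF RC_CONF: exit status is the total number of
# deviations; 0 means every hardening setting is still in place.
audit_hardening() {
    n=0
    audit_file "$1" "$SYSCTL_EXPECTED" || n=$((n + $?))
    audit_randompid "$1"               || n=$((n + $?))
    audit_file "$2" "$RC_EXPECTED"     || n=$((n + $?))
    return $n
}

# Constructed samples standing in for the two files on a freshly installed guest.
TMP=$(mktemp -d)
cat > "$TMP/sysctl.conf.good" <<'EOF'
# written by bsdinstall hardening
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=42817
security.bsd.allow_destructive_dtrace=0
EOF
cat > "$TMP/rc.conf.good" <<'EOF'
hostname="example-heimdal"
ntpd_enable="YES"
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
EOF
# The same guest after someone re-enabled sendmail and dropped randompid.
grep -v kern.randompid "$TMP/sysctl.conf.good" > "$TMP/sysctl.conf.bad"
sed 's/^sendmail_enable=.*/sendmail_enable="YES"  # for mail tests/' "$TMP/rc.conf.good" > "$TMP/rc.conf.bad"

audit_hardening "$TMP/sysctl.conf.good" "$TMP/rc.conf.good" && echo "good guest: no deviations"
audit_hardening "$TMP/sysctl.conf.bad" "$TMP/rc.conf.bad"   || echo "bad guest: $? deviation(s)"
```

Reading the files rather than querying sysctl(8) is deliberate: the question after a reinstall or a config change is whether the setting will survive the next boot, and only the files answer that. A live check with sysctl -n on the same names is the natural complement.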
I don't need any other users than root at the moment, so I skip adding any.
Next step, install and set up Heimdal.
Copyright © 2020 Carl K.H.