Chapter 2: Operating System Setup
ZacksHomeLab edited this page Mar 11, 2023
Follow your organization's setup process for new VMs or follow the instructions in this chapter.
- Connect to your newly created Virtual Machine from Chapter 1
- Start your VM
- Upon Start, select Try or Install Ubuntu Server
- Select English (or choose your native language)
- Select Continue without updating
- Leave the defaults
- Select Done
- This varies by organization. I personally select Ubuntu Server
- Click Done
- Set a static IP for your server by changing eth0 to Edit IPv4
- Set IPv4 Method to Manual
- (My home network doesn't have VLANs configured yet so don't judge my 1 VLAN usage)
- Example of Static IP setup (Note, my DNS Server is the IP of my Domain Controller, this will vary by organization and it's definitely recommended to have more than 1 DNS server):
- Click Done
- I don't have a Proxy on my home network. You may have one in your organization. Update this value accordingly.
- I leave this as default
- Click Done
- This will vary by organization. I'm not using an LVM group in this demonstration, so I'll be unchecking Set up this disk as an LVM group.
- I leave this as default. Click Done
- Click Continue to erase your disk
- This will vary by organization.
- Create a name for your account. I typically choose administrator
- Your Server's name: Input the name of your server based on your policies in your organization. For my example, I'll be using zhlbitwarden01.
- Input your account's username: I typically create an administrator account
- Click Done
- Select Install OpenSSH Server
- If you use SSH identities, import these now. I personally do not on my home network.
- Click Done
- If you're using a VM, more than likely this will return nothing.
- Click Continue
- We'll install our snaps later. Click Done
- Click Reboot now once install has finished.
- For VMware ESXi, you may need to manually dismount the ISO from the VM in vCenter.
- For Hyper-V it will say it failed as well but it actually ejects it. Just press Enter.
- Proceed to Step 2.
- This will vary by organization as you would typically have your own procedure for configuring an Operating System. However, if you're following along, this is how I provision my home servers. (I plan on learning to automate Linux installs in 2023, don't judge this manual process, thanks!)
- Type the following command to switch to root:
sudo -i
- Set root's password:
passwd root
- Let's upgrade/update our OS:
sudo apt-get -y update && sudo apt-get -y upgrade
- Restart all services and click Ok
- I personally use UFW to manage my OSes firewall. Type the following to enable UFW:
sudo ufw enable
- Verify the status of UFW by running the following:
sudo ufw status verbose
- The output should be something like
- Adjust this firewall rule to match your network. Since I only use the 1 VLAN, my SSH firewall rule would look like this (in organizations, you may have a dedicated jump box for SSH'ing, this is just an example for my home network):
sudo ufw allow from 192.168.1.0/24 proto tcp to any port 22
- Reload the firewall:
sudo ufw reload
- Enable SSH on boot:
sudo systemctl enable ssh
- NOTE: if you are using Hyper-V, you will get Buffer I/O errors as the VM thinks we have a Floppy Disk attached to our VM. To fix the Buffer I/O errors, do the following:
- Verify the VM thinks it has a floppy disk attached to it:
sudo lsmod | grep -i floppy
- Open the following file (it should be empty as we're creating a file):
sudo nano /etc/modprobe.d/my-blacklist.conf
- Add the following line to the file and save it:
blacklist floppy
- Remove the Floppy from the OS:
sudo rmmod floppy
- Try enabling SSH again:
sudo systemctl enable ssh
- At this point, the instructions assume you are ssh'ing into the server rather than viewing it through your hypervisor.
- These are subjective packages that I use for my OS deployments. I will be using Active Directory for managing my server, so most of these packages are there for AD integration.
- List of Packages:
| Package Name | Description |
|---|---|
| NTP | NTP is an Internet protocol used to synchronize the clocks of computers to some time reference. |
| realmd | (AD Setup) Allows callers to configure network authentication and domain membership in a standard way. |
| libnss-sss | (AD Setup) Provides a set of daemons to manage access to remote directories and authentication mechanisms. |
| libpam-sss | (AD Setup) PAM module for the System Security Services Daemon. |
| sssd | (AD Setup) Provides a set of daemons to manage access to remote directories and authentication mechanisms. |
| sssd-tools | (AD Setup) Userspace tools for use with the SSSD. |
| adcli | (AD Setup) A command line tool that can perform actions in an Active Directory domain. |
| samba-common-bin | (AD Setup) "Samba is an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file sharing with Microsoft Windows, OS X, and other Unix systems. Samba can also function as a domain controller or member server in both NT4-style and Active Directory domains." |
| oddjob | (AD Setup) "The oddjobd service receives requests to do things over the D-Bus system bus. Depending on whether or not the requesting user is authorized to have oddjobd do what it asked, the daemon will spawn a helper process to actually do the work. When the helper exits, oddjobd collects its output and exit status and sends them back to the original requester." |
| oddjob-mkhomedir | (AD Setup) "This package provides the pam_oddjob_mkhomedir.so library, which the authconfig command uses to create home directories." Without it, LDAP users will have incorrect /home permissions upon folder creation. |
| packagekit | (AD Setup) "PackageKit is a system designed to make installing and updating software on your computer easier." In other words, it helps with package installs for AD accounts. |
- Install the above packages:
sudo apt-get -y install ntp realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
- In this step, we'll need to set the Fully-Qualified Domain Name of our server by running the following command (replace example.com with your domain):
sudo hostnamectl set-hostname zhlbitwarden01.example.com
- This will be different for each environment. I will be using my Domain Controller with the PDC Emulator role to manage my time for this server.
- Open NTP's configuration file:
sudo nano /etc/ntp.conf
- Remove the provided time server pools (e.g., pool 0.ubuntu.pool.ntp.org iburst) and replace them with my Domain Controller with the PDC Emulator role:
- Restart NTP:
sudo systemctl restart ntp
- This step is more so for me and will vary by organization and environment. I only allow SSH through my 'server_admin' groups in Active Directory (Active Directory will be added in later steps). So, in preparation, I'll be building the configuration file to disallow the root user and allow my Active Directory Server Admin group SSH access to said server.
- Create a SSH Configuration file (it will be empty):
sudo nano /etc/ssh/sshd_config.d/allow_ad_groups.conf
- To achieve my goal, I'll need to input the following into said file:
# Disable Root Login
PermitRootLogin no
# Groups that are allowed to SSH into the server
# You may comment the line below if the server will not join the domain
AllowGroups "server_admins"
- Save the file
- Restart SSH:
sudo systemctl restart ssh
- Note: If you are not using Active Directory, you may skip to Chapter 3.
- To join my Active Directory domain, I'll just need to run the following command:
# Replace example.com with your domain and provide a username that has permissions to join computers to your domain
sudo realm join example.com --user=account_with_permissions
- Once you've authenticated, run the following command to verify that you're connected:
sudo realm list
- This step may be different for each organization.
- The first thing I like to do is create home directories for accounts upon sign-in, which can be accomplished by running:
sudo tee /usr/share/pam-configs/mkhomedir <<'EOF'
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
- Enable mkhomedir:
sudo pam-auth-update --enable mkhomedir
- The second thing I like to do is create my own SSSD config, as this will allow me to leave/join a server from the domain and keep the changes I make for SSSD (e.g., disabling cached credentials).
- Create a SSSD config file with changes like so (GO THROUGH THIS FILE AFTERWARDS AND READ THE COMMENTS AS YOU'LL NEED TO UPDATE THIS FOR YOUR ENVIRONMENT):
sudo tee /etc/sssd/conf.d/example.conf <<'EOF'
[sssd]
# Replace example.com with your domain
domains = example.com
config_file_version = 2
services = nss, pam
# Replace example.com with your domain
[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
# Replace example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
# If use_fully_qualified_names is set to false, have your fallback_homedir be this
fallback_homedir = /home/%u
# Replace example.com
ad_domain = example.com
# This is so you don't have to type @example.com for your usernames
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = simple
# Replace this with the group name of your server admins
simple_allow_groups = server_admins
EOF
- Save the file
- (Make the necessary changes by opening the file again and tweak the file to your environment)
- Set the following permissions on your new SSSD configuration file (SSSD refuses to load a configuration file that is readable by group or others):
sudo chmod 600 /etc/sssd/conf.d/example.conf
- NOTE: if you are using your Active Directory account, you need to switch to a different user now as you will lose connection otherwise
- Stop SSSD:
sudo systemctl stop sssd
- Point SSSD service to your new configuration file:
sudo sssd --config /etc/sssd/conf.d/example.conf
- Perform a configuration file check to make sure you didn't have any syntax errors or incorrect values:
sudo sssctl config-check
- Restart SSSD:
sudo systemctl restart sssd
- NOTE: if sssd hangs, hit ctrl+c and run the above command again.
- Run the following command to create your own sudoer's file:
sudo visudo /etc/sudoers.d/example-domain
- Add the Active Directory groups that require sudoer access to this server. In my example, I want my Active Directory group 'server_admins' added.
- Since I disabled use_fully_qualified_names in my SSSD config, I'll just need to type server_admins as my group name rather than server_admins@example.com.
- Add the following into the sudoer's file:
# The @example.com suffix has to be omitted as we set use_fully_qualified_names to False in our custom SSSD config
%server_admins ALL=(ALL) ALL
- Save the file
- Verify changes by opening a second SSH connection to your server with an account attached to your allowed Active Directory groups and try performing a sudo command like:
sudo echo "hi"
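The SSSD config, the sudoers snippet and the sshd AllowGroups file above only work together when they agree on group naming and membership. As an added example (not from this wiki; the sample texts are constructed from the chapter's snippets, with example.com and server_admins as placeholders), this script audits the three files for the mismatches that cause lockouts or silently over-broad access: sudoers groups carrying @domain while use_fully_qualified_names is False, a simple access provider with an empty simple_allow_groups, cached credentials left on, and a group SSSD admits that sshd AllowGroups then rejects.

```python
import configparser
import re

# Constructed samples mirroring the chapter's three snippets; example.com and
# server_admins are the chapter's placeholders, not values from a real domain.
SSSD_CONF = """[sssd]
domains = example.com
[domain/example.com]
cache_credentials = False
fallback_homedir = /home/%u
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = server_admins
"""
SUDOERS = "%server_admins ALL=(ALL) ALL\n"
SSHD_CONF = 'PermitRootLogin no\nAllowGroups "server_admins"\n'


def _names(value):
    """Split an SSSD or sshd list (commas/spaces), dropping sshd's quotes."""
    return {n.strip('"') for n in re.split(r"[,\s]+", value) if n.strip('"')}


def audit(sssd_text, sudoers_text, sshd_text):
    """Return findings where the three files disagree; [] means consistent."""
    cp = configparser.ConfigParser(interpolation=None)  # keep the literal %u
    cp.read_string(sssd_text)
    out = []
    sudo_groups = re.findall(r"^%(\S+)\s", sudoers_text, re.M)
    ssh = dict(re.findall(r"^(\w+)\s+(.*)$", sshd_text, re.M))
    ssh_groups = _names(ssh.get("AllowGroups", ""))
    if ssh.get("PermitRootLogin", "").lower() != "no":
        out.append("sshd: PermitRootLogin is not 'no'")
    for dom in _names(cp.get("sssd", "domains", fallback="")):
        d = cp[f"domain/{dom}"]  # KeyError here means the [domain/...] section is missing
        fqn = d.getboolean("use_fully_qualified_names", fallback=True)
        allowed = _names(d.get("simple_allow_groups", ""))
        if d.getboolean("cache_credentials", fallback=False):
            out.append(f"{dom}: cache_credentials is True (the chapter disables it)")
        if d.get("access_provider") == "simple" and not allowed:
            out.append(f"{dom}: simple access provider with no allow groups admits everyone")
        if not fqn and d.get("fallback_homedir") != "/home/%u":
            out.append(f"{dom}: fallback_homedir should be /home/%u without qualified names")
        for g in sudo_groups:
            if ("@" in g) != fqn:
                out.append(f"sudoers %{g} does not match use_fully_qualified_names={fqn}")
            if g.split("@")[0] not in allowed:
                out.append(f"sudoers %{g} is not in simple_allow_groups")
        for g in allowed - ssh_groups:
            out.append(f"{g} passes SSSD access control but sshd AllowGroups rejects it")
    return out
```

Run it against the real files by reading /etc/sssd/conf.d/example.conf, /etc/sudoers.d/example-domain and /etc/ssh/sshd_config.d/allow_ad_groups.conf into the three arguments.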