Systems/OS/FreeBSD


FreeBSD

Bootstrapping a node

  • Install base os
  • Update base with security updates
    • freebsd-update fetch
    • freebsd-update install
  • Reboot
  • Update ports tree
    • portsnap fetch extract
  • Install base packages
    • cd /usr/ports/ports-mgmt/portmaster
    • make install distclean
    • rehash
    • portmaster -d shells/bash editors/vim-lite sysutils/tmux net/nss-pam-ldapd-sasl sysutils/msktutil security/cyrus-sasl2-gssapi
      • NOTE: Make sure to enable GSSAPI for openldap-sasl-client
    • rehash
  • Set up /etc/krb5.conf (see Systems/Services/Kerberos)
  • Set up /usr/local/etc/openldap/ldap.conf (see Systems/Services/LDAP)
  • Install the Samba/AD SSL root CA certificate as /usr/local/etc/trusted.pem
  • Join the box to the domain
    • kinit [email protected]
    • msktutil -c --server=bob
    • Install /usr/local/sbin/renew.sh (listed below; chmod +x)
    • Install /etc/periodic/hourly/100.renew (listed below; chmod +x)
    • Enable hourly periodics in /etc/crontab
      • 0 * * * * root periodic hourly
  • Set up /usr/local/etc/nslcd.conf (listed below)
  • Enable the services by adding the following lines to /etc/rc.conf
    • nscd_enable="YES"
    • nslcd_enable="YES"
    • nslcd_supervisor="YES"
  • Start the services
    • service nscd start
    • service nslcd start
  • Update /etc/nsswitch.conf
    • passwd: files [success=return] cache ldap
    • group: files cache ldap
  • Update pam /etc/pam.d/sshd
    • Uncomment auth line for krb5 module
    • Add an ldap line for the account facility below the login_access.so line: account sufficient /usr/local/lib/pam_ldap.so
  • Update /etc/ssh/sshd_config add the following lines:
    • GSSAPIAuthentication yes
    • GSSAPICleanupCredentials yes
  • Restart sshd: service sshd restart


/etc/periodic/hourly/100.renew

#!/bin/sh

# Hourly periodic(8) hook: load the periodic defaults when they are
# readable, then refresh the machine-account Kerberos ticket caches by
# running renew.sh. The script always exits 0, so renew.sh's own exit
# status is not reported back to periodic.
if [ -r /etc/defaults/periodic.conf ]; then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

/usr/local/sbin/renew.sh
exit 0

/usr/local/sbin/renew.sh

#!/bin/sh

HOSTNAME=`/bin/hostname -s`
TMPFILE=`/usr/bin/mktemp /tmp/kinit_XXXXXX`

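#######################################
# Publish the freshly obtained ticket cache to its two consumers.
# install -S copies TMPFILE into place via a temporary name plus rename,
# so a reader never sees a half-written cache, with the owner and 0600
# mode each consumer needs:
#   /tmp/krb5cc_0    - root
#   /tmp/krb5cc_928  - nslcd (the krb5_ccname in nslcd.conf)
# Globals:   TMPFILE (read; always removed before returning)
# Returns:   0 if both caches were installed, 1 if either install failed
#######################################
moveCC() {
        local rc
        rc=0
        /usr/bin/install -S -o root -g wheel -m 0600 -- "$TMPFILE" /tmp/krb5cc_0 || rc=1
        /usr/bin/install -S -o nslcd -g nslcd -m 0600 -- "$TMPFILE" /tmp/krb5cc_928 || rc=1
        # Remove the scratch copy regardless of outcome so no extra
        # credential file is left behind in /tmp.
        /bin/rm -f -- "$TMPFILE"
        return $rc
}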

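# Try for up to 30 minutes (60 attempts, 30 s apart) to obtain a TGT for the
# machine account from the host keytab, writing it to the private TMPFILE.
# Transient failures (a domain controller being briefly unreachable) are
# retried rather than treated as fatal.
tries=0
while [ "$tries" -lt 60 ]; do
        tries=$((tries + 1))
        if /usr/bin/kinit -c "$TMPFILE" -t /etc/krb5.keytab "${HOSTNAME}\$"; then
                moveCC
                exit $?
        fi
        sleep 30
done

# Every attempt failed: say so on stderr (periodic/cron mail picks it up),
# drop the unused scratch cache instead of leaking it, and exit non-zero.
printf '%s\n' "renew.sh: kinit for ${HOSTNAME}\$ failed after ${tries} attempts" >&2
/bin/rm -f -- "$TMPFILE"
exit 1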

/usr/local/etc/nslcd.conf

# nslcd runs as this unprivileged user/group; the ticket cache that
# /usr/local/sbin/renew.sh installs for it is owned by the same user.
uid nslcd
gid nslcd

# Domain controllers to query (bob first, then dc01).
uri ldap://bob.ad.pumpingstationone.org/ ldap://dc01.ad.pumpingstationone.org/


base dc=ad,dc=pumpingstationone,dc=org
# Bind with the machine account's Kerberos ticket rather than a stored
# password; renew.sh refreshes the cache at exactly this path every hour.
sasl_mech GSSAPI
sasl_realm AD.PUMPINGSTATIONONE.ORG
krb5_ccname /tmp/krb5cc_928

filter  passwd  (objectClass=posixAccount)
filter  group   (objectClass=posixGroup)

# AD stores the POSIX home directory in unixHomeDirectory.
map     passwd  homeDirectory      unixHomeDirectory

scope sub