Howto configure Active Directory, Ubuntu Client and Authenticated Proxy

@ARTHUR_AIDA shared a great howto in this post. Here is the English translation:

TUTORIAL TO CONFIGURE NETHSERVER 7 (NS7) AS AN ACTIVE DIRECTORY DOMAIN SERVER

  1. Much of the information in this tutorial comes from Microsoft documentation for the management of an ACTIVE DIRECTORY (AD) environment. Use the Google Chrome browser to access the links with the translation option.
  2. Download the manual (well updated by signal) available at http://docs.nethserver.org/en/v7/ in the [Read the Docs] section or [Read the document] by selecting the language [es] and the NS [7] by clicking on PDF or HTML (in this, open the index.html file inside the zip file, which can be translated into Google Chrome). Read it, it will be your bible on this subject;
  3. Plan the required data. Set the IP addresses of the NS7 and the Active Directory server. Define a unique host name for NS7, a unique domain name, unique FQDN name (hostname + domain name) for NS7, and a unique name for the domain server with AD. Also define the root and administrator password. The NS7 host name, real server, must be unique and different from the host name of the AD server, virtual server, whose IP is also different, as instructed in the above manual;
  4. Download the NS7 ISO and use the documentation from http://docs.nethserver.org/en/v7/ to install. Configure the NS7 network IP address to access your firewall / router. In the firewall / OpnSense block access for all IPs and authorize traffic only to the IP of the NS7;
  5. Use the documentation available at http://docs.nethserver.org/en/v7/packages.html to update and download the [PORTUGUESE] language pack; log off and re-login by changing the language option from English to Portuguese;
  6. Select the [Account Provider] option on the NS7 Administration WEB page. Select [Active Directory] and then [Create a new domain] by providing the requested data by completing service provisioning;
  7. Activate the time server with the suggested ntp server and configure the DHCP server. Time synchronization between the server and the client is critical and the NS7 must be configured as a time server by DHCP. So, configure the DHCP server in the advanced options: IP gateway [with the same Nethserver administration IP]; DNS Servers [IP Informed During Active Directory Server Provisioning]; WINS Address [previous id]; NTP servers [IP Gateway ID];
  8. Create a dedicated user account in AD and set a complex password that does not expire for it, specifically to perform the JOIN task to AD;
  9. To log in to AD with UBUNTU 16.04, users must also be created with passwords without expiration and then, in sequence, log in to the domain; then log off and re-enable the expiration option. The maintenance of future passwords will be for the account of the user via a specific utility;
  10. Management can be performed through an MS Windows station (at least PRO version) attached to the domain through the Microsoft RSAT utility. However, management via the NS7 WEB interface is also very efficient, especially in the Users and Groups, Web Proxy and Filters sections;
  11. In this tutorial, the configuration provides only one network adapter, which becomes a BRIDGE when you provision the AD. The proxy, in this environment, must be enabled because this server is the gateway DHCP informed to clients. Custom and content filters can be created for specific groups or users, with all activation features by week / time schedule, acting transparently in the browser, depending on the user logged into the station;
  12. The installation of NextCloud also facilitates centralized backup, effectively replacing the SMB / CIFS server for Windows networks. However, keep the admin user of NS7, in the blocked AD, using the default password of the site, allowing to manage all the features of Nextcloud as the definition of a default quota, which applies to all AD users.

TUTORIAL FOR UBUNTU 16.04 TO AUTHENTICATE ON A DOMAIN SERVER PROVISIONED WITH NETHSERVER 7

  1. All AD client stations must be configured to receive the IP via DHCP, as this updates the DNS of the server with the name of the station, making it easier to join the domain;
  2. Remember to enable [All users can connect to this network] on the General tab of the [Editing (network name)] window, especially if it is WIFI, allowing a connection to the DHCP server to be made before the AD login even takes place;
  3. In the JOIN action on the UBUNTU client (whose hostname must be up to 15 characters - see Microsoft documentation on AD), enter the [DNS Domain Name] available on the ACTIVE DIRECTORY local [Account Provider] tab for your domain, on the Nethserver administration page;
  4. There are two packages that provide access to the installable AD in UBUNTU 16.04. PBIS-open and C-I-D. The latter, more intuitive in relation to the resources offered to the end user, is also the one chosen to make the connection to the AD;
  5. The Closed In Directory manual available at https://sourceforge.net/projects/c-i-d/files/docs/usermanual.pdf provides all the information for the installation on the UBUNTU station, containing all the guidelines for a standard installation from an ISO downloaded from the site ubuntu.com; it is attached to the domain and is fully functional; however, sometimes there is a warning that can be ignored;
  6. In the specific case of this lab, we used a script that customizes the standard ISO downloaded from the ubuntu site by performing updates, installing drivers, removing / installing various useless tools useful to the corporate environment. The script also configures the home page, proxy address and type, in mozilla firefox;
  7. Nextcloud-client configuration, with user provisioning and password, allows the content of the logged-in user's NextCloud folder to be always synchronized with NS7, coupled with advanced versioning capabilities, highly granular sharing controls, and activity log auditability, available in the user's web interface.
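The two tutorials above hinge on three prerequisites that silently break a domain join when they are wrong: a NetBIOS-length host name (client step 3), a DHCP-supplied resolver that is the DC itself (client step 1, server step 7) and client/DC clocks within Kerberos tolerance (server step 7). The following script is an added example, not code from the original post; it assumes the DC's IP and the AD DNS domain are passed as arguments, that `dig` (dnsutils) and `ntpdate` are installed on the Ubuntu client, and that the `prejoin.sh` file name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-join checks for an Ubuntu 16.04
# client before attaching it to the AD domain provisioned on NS7. Assumes the DC's IP
# and the AD DNS domain are passed as arguments and that dig and ntpdate are installed.

# Client step 3: the NetBIOS host name is limited to 15 characters. Empty names,
# dotted names (an FQDN given by mistake) and underscores are rejected too.
hostname_ok() {
  case "$1" in
    ''|*.*|*_*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# Client step 1 / server step 7: the DHCP-supplied resolver must be the DC itself,
# otherwise the _ldap/_kerberos SRV lookups never reach AD's DNS.
# Reads resolv.conf text on stdin and compares its first nameserver with $1.
resolver_is() {
  first=$(awk '$1 == "nameserver" { print $2; exit }')
  [ "$first" = "$1" ]
}

# Server step 7: Kerberos rejects tickets when client and DC clocks differ by more
# than 5 minutes (300 s). $1 is the offset in seconds, as reported by ntpdate -q.
skew_ok() {
  awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o <= 300) }'
}

# Live run: sh prejoin.sh <dc-ip> <ad-dns-domain>
run_live() {
  dc_ip=$1; domain=$2
  hostname_ok "$(hostname -s)" || echo "FAIL: host name is not a valid 15-char NetBIOS name"
  resolver_is "$dc_ip" </etc/resolv.conf || echo "FAIL: first resolver is not the DC $dc_ip"
  # AD publishes its DCs under _ldap._tcp.dc._msdcs.<domain>; empty output means DNS is wrong.
  [ -n "$(dig +short @"$dc_ip" SRV "_ldap._tcp.dc._msdcs.$domain")" ] \
    || echo "FAIL: no LDAP SRV record for $domain via $dc_ip"
  # ntpdate -q prints "server X, stratum N, offset S, delay D"; extract the offset field.
  off=$(ntpdate -q "$dc_ip" 2>/dev/null | awk -F'offset ' '/offset/ { split($2, a, ","); print a[1]; exit }')
  [ -n "$off" ] && { skew_ok "$off" || echo "FAIL: clock offset ${off}s exceeds Kerberos tolerance"; }
}

if [ "$#" -eq 2 ]; then
  run_live "$@"
fi
```

Run it on the client after it has obtained its DHCP lease and before the C-I-D join; every FAIL line maps back to one of the tutorial steps named in the comments.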

Planning and step-by-step installation of NethServer 7 (NS7) for provisioning a proxy server and domain authentication with Active Directory (AD)

  1. Define and annotate a host name of the NS7 server;
  2. Define and annotate a domain name;
  3. Define and annotate a FQDN name;
  4. Define and note a name for the domain server with AD;
  5. Define and annotate a root password;
  6. Define and annotate an administrator password;
  7. Define and annotate a unique IP address for the NS7 server, according to the network range received from its array, if it is to implement an intranet, or VPN;
  8. Define and annotate a unique IP address for the Active Directory virtual server, which will be installed in a container;
  9. Search with the firewall / gateway administrator the IP address of the gateway of your network;
  10. If your organization has a dedicated link for a corporate intranet, look for the network range of the IP addresses of this intranet (usually 10.0.0.0), the intranet network mask (usually 255.0.0.0), and the IP address of the router for this corporate network. Write them down to create a static route to reach all intranet addresses via the gateway’s IP address which provides connectivity to the entire corporate intranet;
  11. Download the stable ISO of the NS7, test the integrity with the MD5SUM;
  12. Download the manual according to the tutorial and read it;
  13. Create a virtual machine or mount a physical host with a network card and start the installation of NS7;
  14. During the installation, make the network settings with static IP, inform the gateway, enter the root password and the keyboard type;
  15. Continue with the installation and wait for the end of the process;
  16. From a remote administration station, open the WEB browser, enter the same IP address (p7) of the NS7 server informed on the installation to access the Apache HTTP server test page;
  17. Click the [Server Manager] link in the test portal;
  18. The unsecured page warning will be displayed; click [ADVANCED], and then [go to server's unsafe IP] or [add exception] in Mozilla;
  19. On the new page, type [root] for user and the password that was set for the installation (p5);
  20. Complete the Installation Wizard on the first login by entering the host name FQDN (p3) (NS7 server name + dot + domain name). Also tell the [Time zone] of your geographic region. Change the ssh port, if applicable. Proceed and apply the settings;
  21. The server administration page will be displayed;
  22. Select the [Domains accounts] option, select the user accounts provider [Active Directory] button, click [Create a new domain], accept or change the preconfigured data, and provide the IP address (p8) of the domain controller;
  23. A warning to configure Admin user on a yellow banner will be displayed. Do not configure [Enable admin user] password if using NEXTCLOUD;
  24. Access the [Software center] option in the side menu;
  25. Click the [Updates] tab and click [DOWNLOAD AND INSTALL];
  26. Click on the [Available] tab and as a suggestion, for a corporate network, select the [Instant Messaging] [Portuguese language] [Web filter] [Web proxy] packages. Search the resources available for each package to create your package profile;
  27. If you want to use NEXTCLOUD, also select [Nextcloud] in the above item, and after applying and installing the packages, already on the NS7 management page, click the [Applications] option and a frame named [Nextcloud] will appear. Click the [Open] icon to start another admin client of Nextcloud, informing the admin user and the default administration password of the installation found at http://docs.nethserver.org/en/v7/nextcloud.html;
  28. On the nextcloud page, click the circular icon (containing the letter A, from admin) and from the drop-down list, select the [Users] option;
  29. On the new user administration page, a gear will appear in the lower left corner, giving access to [Limit Settings] for [Default Quota] of new users (these options are hidden if the admin user is enabled, according to the warning). More specific settings show the power of control of this file server. Explore;
  30. Define the default quota, in the NS7 administration side menu, go to the [Users and groups] option and create the groups (internetALL, SEMvideos, SOsitesGOV, SOsitesBR, SOedu, SOintranet, SOredeLOCAL, TEMvpn, etc.) and users to log in to AD. The proxy configured in authenticated mode becomes transparent by blocking access to the sites according to the logged-in user’s profile.
  31. Set the proxy as authenticated, enable the blocking of http and https. Configure the Web filter to manage the accesses;
  32. If you have a corporate intranet gateway, create a static route to the network of this intranet and inform the gateway IP to this intranet, set it to the primary, intranet, and secondary DNS of the router.

Thanks for the translation :wink: really long!
