VMConfigs
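## On the Windows DC
# (the first line of the original had the gist file name "ssh" fused onto this comment, which would have
# been parsed as a command; it is a comment again)
# Enable the AD DS role on the server, then create the forest and domain. Name it what you want, but include
# a valid top-level domain (.com, .local) and a NetBIOS name.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSForest prompts for the DSRM (SafeMode) administrator password when it is not supplied;
# keep it somewhere safe, it is the recovery login for the DC.
Install-ADDSForest -DomainName "sustaining.org" -DomainNetBiosName "sustaining" -InstallDns
# The server will reboot. Your local login will not work anymore, but the same username/password will work
# on the domain; connect as `<username>@<your-domain>`.
# Set the DC up to be the NTP authority (time has to be in sync for Kerberos to be happy).
# https://be-virtual.net/domain-controller-ntp-server-configuration/
# Configure the network adapter for a static IP (change the interface name, IP and gateway to your own).
# DNS points at the DC's own address because the DC now hosts the zone (-InstallDns above).
netsh int ip set address "Ethernet 2" static 10.12.0.4 255.255.255.0 10.12.0.1
netsh int ip set dns "Ethernet 2" static 10.12.0.4 primary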
## On a Windows machine (not the DC)
# Point DNS at the domain controller and reboot; join the domain after the reboot.
# Make sure NTP is using the DC as the time authority.
# The DC in this setup is a Server Core instance, so the graphical Active Directory and DNS consoles are
# installed on this machine (RSAT) and pointed at the DC.
# Both capabilities are needed (AD admin tools and DNS); the install takes a few minutes.
$rsatCapabilities = @(
  'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0', # Active Directory Domain Services and Lightweight Directory tools
  'Rsat.Dns.Tools~~~~0.0.1.0'                     # DNS Server tools
)
foreach ($capability in $rsatCapabilities) {
  Add-WindowsCapability -Online -Name $capability
}
# Optional: create a dedicated user for the PROXY to use instead of an admin user.
# When creating the account make sure that:
#   "User must change password at next logon" is un-ticked
#   "User cannot change password" is ticked
#   "Password never expires" is ticked
#   "Account is disabled" is un-ticked
# By default the squid account will not be able to query the "memberOf" attribute in AD. In Active Directory
# Users and Computers select the top level of the domain, right-click -> Properties -> Security tab, add the
# squid user and give it Read permission (should happen by default), then under Advanced allow it to read
# "This object and all child objects".
# DNS configuration (using the DNS tools):
#   create the forward lookup zone for the domain
#   create the reverse zone and PTR records for the DC and the PROXY machine with their FQDN and local IP
#   the machines must be able to ping each other by name
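## Linux machine for squid server
# Update the box and install the packages: ntp, squid, the Kerberos client, LDAP tools and msktutil.
# The Debian/Ubuntu package is krb5-user (hyphen), not krb5_user; apt needs root, so sudo throughout.
sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get autoremove && sudo apt-get autoclean
sudo apt-get install ntp squid krb5-user libkrb5-dev ldap-utils msktutil
# Set DNS to the Windows DC and use the AD domain for the search list. This must be "sticky" and not
# reset to the default after every reboot. Replace the interface, DC address and domain with your own.
sudo systemd-resolve --interface eth0 --set-dns 10.12.0.4 --set-domain sustaining.org
# same thing on another interface/domain:
# sudo systemd-resolve --interface wlp2s0 --set-dns 192.168.88.22 --set-domain yourdomain.local
sudo nano /etc/resolv.conf
# scratch line from an earlier draft, kept for reference (not part of the setup order):
# curl --negotiate -u : https://localhost:3128/_security/_authenticate --verbose
# Test the connection: the DC by name, and something external.
ping kerbdc.sustaining.org -c 4 && ping google.com -c 4
# Reverse lookups for both machines must resolve (the PTR records created on the DC); fill in the addresses:
# dig -x <proxy-server-ip>
# dig -x <windows-dc-ip>
# Configure NTP and point it at the DC (time must be in sync for Kerberos):
# https://www.tekopolis.com/configuring-ntp-linux-client/
sudo nano /etc/ntp.conf
# Restart ntp and check that the DC shows up as a peer.
sudo invoke-rc.d ntp restart
ntpq -p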
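# Configure Kerberos on the proxy (the krb5.conf example in this gist: default_realm, kdc, domain_realm mappings).
sudo nano /etc/krb5.conf
# Configure squid (the squid.conf example in this gist: negotiate_kerberos_auth helper + proxy_auth ACL).
sudo nano /etc/squid/squid.conf
# Point the Kerberos libraries at the keytab squid will use.
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME
# Refresh the computer account password/keytab nightly. The cron line below is crontab syntax, not a shell
# command (the original had it inline, where bash would try to run "00"); add it in the crontab of a user
# that can write /etc/squid/PROXY.keytab (normally root):
#   00 4 * * * msktutil --auto-update --verbose --computer-name squidkerb | logger -t msktutil
# NOTE: --computer-name here must match the name used when the keytab was created.
crontab -e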
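# Get a Kerberos ticket for the AD user the proxy uses, then verify it with klist.
# Run the msktutil commands below as the same user (they use this ticket to talk to the DC; running them under
# sudo would look for root's ticket instead), and that user must be able to write /etc/squid/PROXY.keytab.
# kinit <ad user for proxy>
kinit proxyuser
klist
# Create the computer account and keytab with msktutil. Generic form:
# msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/PROXY.keytab --computer-name squid-http --upn HTTP/<fqdn> --server <domain controller> --verbose --enctypes 28
# Two variants were used in these notes (kerbproxy with --enctypes 28, and SQUIDKERB/squidkerb without);
# pick one: computer name, SPN and UPN must all refer to the same host, and --computer-name must match
# the name the cron refresh job uses.
msktutil -c -b "CN=COMPUTERS" -s HTTP/kerbproxy.sustaining.org -k /etc/squid/PROXY.keytab --computer-name kerbproxy --upn HTTP/kerbproxy.sustaining.org --server kerbdc.sustaining.org --verbose --enctypes 28
# msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid/PROXY.keytab --computer-name SQUIDKERB --upn HTTP/squidkerb.sustaining.org --server kerbdc.sustaining.org --verbose
# Keytab permissions: squid's group must be able to read it and nobody else should (it holds the computer
# account's keys), so 0640 rather than just g+r. The group is proxy on Debian/Ubuntu; the other variant in
# these notes used squid.
sudo chgrp proxy /etc/squid/PROXY.keytab
sudo chmod 0640 /etc/squid/PROXY.keytab
# sudo chgrp squid /etc/squid/PROXY.keytab; sudo chmod 0640 /etc/squid/PROXY.keytab
# Make the keytab location part of squid's environment: add these two lines to /etc/default/squid
#   KRB5_KTNAME=/etc/squid/PROXY.keytab
#   export KRB5_KTNAME
sudo nano /etc/default/squid
# Verify that the keytab can be read and refreshed: in Active Directory on the Windows machine right-click the
# proxy's computer account and reset it, then run the update. Also double-check that the DNS PTR record was updated.
msktutil --auto-update --verbose
# Test squid's Kerberos helper against the keytab. The principal is the HTTP SPN of the proxy in the realm
# (the original value was lost in extraction; use the --upn from the msktutil command above plus @REALM).
/usr/lib/squid/negotiate_kerberos_auth_test -k /etc/squid/PROXY.keytab -s 'HTTP/<proxy-fqdn>@<REALM>'
# Test the proxy with some internets (curl negotiates with the ticket from kinit).
curl -O -L https://www.redhat.com/index.html --proxy-negotiate -u : -x squidkerb:3128
# squid logs: /var/log/squid/access.log and /var/log/squid/cache.log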
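## Windows Setup
# Install the Docker Desktop prerequisites (Hyper-V, containers, VM platform), reboot, then install tooling.
$ProgressPreference = 'SilentlyContinue'
# -NoRestart on all three features so a "restart now?" prompt cannot stall the script (the VM platform
# line was missing it); the reboot is done explicitly below.
# hyper-v
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
# containers
Enable-WindowsOptionalFeature -Online -FeatureName containers -NoRestart
# virtual machine platform
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -All -NoRestart
# restart
Restart-Computer -Force
## Install choco and tools wanted
# Standard Chocolatey bootstrap: force TLS 1.2 (3072 = Tls12) and run the downloaded install.ps1 in-process.
# It executes whatever community.chocolatey.org serves at that moment; download and read install.ps1 first
# if that is a concern on this machine.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco feature enable -n allowGlobalConfirmation
$packages = @(
  'vscode',
  'visualstudio2019professional',
  'git',
  'gh',
  'sysinternals',
  'firefox',
  'chromium',
  'github-desktop',
  'docker-desktop'
)
foreach ($package in $packages) {
  choco install $package
}
# WSL as a Windows feature, via choco's windowsfeatures source
choco install -y Microsoft-Windows-Subsystem-Linux -source windowsfeatures
# Restart
Restart-Computer -Force
# Install wsl2
wsl --install -d ubuntu
# reboot
#Restart-Computer -Force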
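# Launch your Linux distro (this line runs from the Windows shell; everything after it runs inside the distro)
# and install Homebrew plus tools for WSL (it doesn't matter that most of them were installed on Windows too).
ubuntu
# pre-reqs for homebrew
sudo apt-get update
sudo apt-get install build-essential procps curl file git
# Install homebrew. This runs the install script fetched from GitHub; inspect it first if that matters here.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Add brew to PATH for future shells. $HOME instead of the hard-coded /home/unix so it works for whichever
# account runs this.
(echo; echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"') >> "$HOME/.bashrc"
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
# install stuff
brew install gcc
brew install gh
# Set the GitHub PAT brew uses. Typed like this the token ends up in the shell history and in any copy of
# this script; keep the real value in a separately protected env file that you source instead of pasting it here.
export HOMEBREW_GITHUB_API_TOKEN="{{ token }}"
# gh auth
gh auth login
# tap into docker/internal
brew tap docker/internal
# download docker tools like bt and hub
brew install docker-auth
brew install hub-bt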
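# Check each required Windows feature and enable the ones that are not already on.
# The original checked four different features but enabled Microsoft-Hyper-V in every branch (copy-paste);
# each feature is now enabled under its own name. Get-WindowsOptionalFeature is used for the check so the
# name queried is the same one passed to Enable-WindowsOptionalFeature (get-windowsfeature is the Server
# Manager cmdlet and is not present on client editions).
$requiredFeatures = @(
  'Microsoft-Hyper-V',
  'containers',
  'Microsoft-Windows-Subsystem-Linux',
  'VirtualMachinePlatform'
)
foreach ($featureName in $requiredFeatures) {
  $check = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
  # $null (unknown name) is treated as "not enabled", like the original's $check.Installed test
  if ($null -eq $check -or $check.State -ne 'Enabled') {
    # -NoRestart: a restart prompt would stall an unattended run; reboot once after all features are enabled
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
  }
}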

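# Grow the OS disk of an LVM-based VM (PV on /dev/sda4, rootvg volume group) after the virtual disk was enlarged.
# The original had all of these on one line; they are separate commands.
sudo dnf install cloud-utils-growpart gdisk
# inspect the current layout and physical volumes before changing anything
lsblk -f
sudo pvscan
lsblk /dev/sda4
# extend partition 4 to the end of the disk, then tell LVM about the bigger PV
sudo growpart /dev/sda 4
lsblk /dev/sda4
sudo pvresize /dev/sda4
# hand out 30G extra to each logical volume (-r resizes the filesystem along with the LV)
sudo lvresize -r -L +30G /dev/mapper/rootvg-rootlv
sudo lvresize -r -L +30G /dev/mapper/rootvg-tmplv
sudo lvresize -r -L +30G /dev/mapper/rootvg-usrlv
sudo lvresize -r -L +30G /dev/mapper/rootvg-varlv
sudo lvresize -r -L +30G /dev/mapper/rootvg-homelv
sudo pvscan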

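# Turn the EL9 VM into a desktop: nested KVM, EPEL, a Workstation group install, xrdp with an xfce session,
# plus pass and chromium. The original had all of these on one line; they are separate commands.
# nested virtualisation (kvm_intel: Intel hosts) — presumably so Docker Desktop's VM can run inside this VM
sudo modprobe kvm
sudo modprobe kvm_intel nested=1
sudo usermod -aG kvm "$USER"
# EPEL release for 9 (xrdp, xfce and pass come from there)
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf update -y
sudo dnf grouplist
sudo dnf groupinstall "Workstation"
# RDP server; ~/.xsession makes xfce the session started for RDP logins of this user
sudo dnf install -y xrdp
sudo dnf install -y xfce4-session
sudo systemctl enable xrdp; echo xfce4-session >~/.xsession
sudo dnf install -y gnome-terminal
sudo dnf install -y gnome-shell-extension-appindicator
# pass is initialised further down as the credential store; chromium for a browser
sudo dnf install -y pass
sudo dnf install -y chromium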

Generate a new GPG key without passphrase protection

# GPG key named "docker" with no passphrase, for the pass credential store. Without a passphrase the private
# key is protected only by the permissions on ~/.gnupg, so anything running as this user can read every
# secret stored in pass; keep that in mind on a shared VM.
gpg --no-protection --quick-generate-key docker

Alternatively, generate a key with a batch file or command (if needed for other configurations)

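# Non-interactive variant (--batch): the same no-passphrase key, with the user-id given on the command line.
# The user-id from the original was lost in extraction; replace the placeholder with the identity you want on the key.
gpg --batch --passphrase '' --quick-gen-key 'USER_ID_PLACEHOLDER' default default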

Extract the GPG key ID for the newly generated key

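# Long key id (field 5 of the colon listing's pub line) of the key generated above. The listing is filtered
# on the user-id used at generation so an unrelated key already in the keyring is not picked by accident
# (the original took the first pub line of the whole keyring); change 'docker' if the batch variant with a
# different user-id was used.
key_id=$(gpg --list-keys --with-colons docker | awk -F: '/^pub/ { print $5; exit }')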

Initialize pass with the GPG key ID

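# Initialise pass with that key. ${key_id:?} aborts with a message if the lookup above produced nothing,
# instead of running `pass init` with an empty argument; quoted so the value is passed as one word.
pass init "${key_id:?no GPG key id found}"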

Add firewall rules for RDP and SSH, then reboot

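# Open RDP and SSH in firewalld. --permanent writes the rule to the saved configuration only; it takes
# effect at the reboot that follows (or after `sudo firewall-cmd --reload`).
# The original had both commands on one line; they are separate commands.
sudo firewall-cmd --permanent --add-service=rdp
sudo firewall-cmd --permanent --add-service=ssh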

Install Docker Desktop

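# Docker Desktop for Linux on EL9: add Docker's repo, fetch the rpm, install it, enable the per-user service, reboot.
# The original had all of these on one line; they are separate commands.
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# -L follows redirects; the original's -l is curl's FTP list-only flag and would not download the file.
# This URL is on the desktop-stage host (a staging build); the released installers are served from desktop.docker.com.
curl -LO https://desktop-stage.docker.com/linux/main/amd64/139021/docker-desktop-4.28.0-x86_64-rhel.rpm
# NOTE(review): dnf does not check the signature of a local rpm file unless localpkg_gpgcheck is set; run
# `rpm -K ./docker-desktop-4.28.0-x86_64-rhel.rpm` (with Docker's key imported) before installing it.
sudo dnf install -y ./docker-desktop-4.28.0-x86_64-rhel.rpm
systemctl --user enable docker-desktop
sudo reboot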

How to install Docker Desktop for all users on a Windows 11 machine

The install process is the same, except for two extra steps after Docker Desktop is installed. This guide walks you through installing Docker Desktop from the command line and making it available to all users, not just the logged-in user.

  • This does create a security risk in Windows: nesting the Everyone or Authenticated Users group inside the local docker-users group makes every account on the machine a member of docker-users, and every member can drive the Docker engine.

#### Run all commands in PowerShell as an administrator


1 - Install Windows pre-requisites. Download the latest public Docker Desktop version. Reboot

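# Step 1: working directory and transcript, enable the prerequisite Windows features, download the installer, reboot.
$ProgressPreference = 'SilentlyContinue'
New-Item -ItemType Directory -Force -Path C:\dockerconfig
Set-Location -Path c:\dockerconfig
Start-Transcript -Path config1.txt -Append
# -NoRestart on each feature so no restart prompt interrupts the script; one reboot at the end.
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName containers -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
# Latest public Docker Desktop installer from the main channel. Check its Authenticode signature
# (Get-AuthenticodeSignature) before running it in the next step.
Invoke-WebRequest -UseBasicParsing -Uri "https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe" -OutFile "Docker Desktop Installer.exe"
# Close the transcript before rebooting so config1.txt is complete (the original rebooted with it still open).
Stop-Transcript
Restart-Computer -Force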

 

2 - Install Docker Desktop as you normally would. The install flags are not required – add or remove them as needed – but the --quiet flag will make your life easier. If you do the GUI install, don't reboot when the install ends, and don't click the "Close and Log out" button either; click the X in the top corner instead.

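# Step 2: silent install. Before handing the downloaded exe to the shell, require a valid Authenticode
# signature on it; a download that was tampered with or truncated fails this check.
$ProgressPreference = 'SilentlyContinue'
Set-Location -Path c:\dockerconfig
$installer = '.\Docker Desktop Installer.exe'
$signature = Get-AuthenticodeSignature -FilePath $installer
if ($signature.Status -ne 'Valid') {
  throw "Docker Desktop Installer.exe signature status is $($signature.Status); refusing to run it"
}
# --quiet: no installer UI; --accept-license; --always-run-service: presumably keeps the Docker service
# running independent of who is logged on — check the installer's documented flags.
& $installer install --quiet --accept-license --always-run-service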

  3 - Users have to be part of the local docker-users group to use Docker Desktop. If a user has logged into the machine before it is easy to add them, but it is tedious and done per user, and it does not work for users who have never logged into the machine. To get around this, add the Everyone group or the Authenticated Users group to the local docker-users Windows security group.

# Nest a well-known group in docker-users so accounts that have never logged on are covered too.
# 'everyone' is the widest choice; 'Authenticated Users' (the other option mentioned above) excludes
# anonymous logons and is the narrower of the two.
Add-LocalGroupMember -Member everyone -Group docker-users

  4 - Copy the Docker Desktop icon to the Public desktop folder and reboot

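# Step 4: copy the Docker Desktop shortcut to the Public desktop so every user gets it, then reboot.
# The shortcut is taken from the desktop of the account running this (where the original step looked for it);
# that folder is resolved instead of hard-coding c:\users\YOURUSERNAME\desktop.
$userDesktop = [Environment]::GetFolderPath('Desktop')
Copy-Item -Path (Join-Path $userDesktop 'Docker Desktop.lnk') -Destination 'C:\Users\Public\Desktop'
Restart-Computer -Force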

; Kerberos client configuration for the squid proxy (the /etc/krb5.conf edited in the setup notes).
[libdefaults]
; the realm is the AD domain name in upper case
default_realm = SUSTAINING.ORG
; locate KDCs and realm mappings through the DNS SRV/TXT records the DC serves
dns_lookup_kdc = yes
dns_lookup_realm = yes
; the keytab msktutil writes for squid; the same path is exported as KRB5_KTNAME in the setup notes
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; NOTE(review): the three active lines below still permit rc4-hmac and both DES types. Current MIT krb5
; refuses DES unless allow_weak_crypto is set, and RC4 is deprecated; if the DC offers AES (the msktutil
; --enctypes option in the notes suggests so), trimming these to the aes types is the safer setting —
; confirm against the DC before changing them.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for MIT/Heimdal kdc no need to restrict encryption type
[realms]
; NOTE(review): the setup notes use kerbdc.sustaining.org as the domain controller; dckhalid below is a
; different host name — verify which one is the KDC for this realm.
SUSTAINING.ORG = {
kdc = dckhalid.sustaining.org
admin_server = dckhalid.sustaining.org
}
[domain_realm]
; .linux.home looks like a leftover from another environment — harmless, but confirm it is wanted
.linux.home = SUSTAINING.ORG
.sustaining.org = SUSTAINING.ORG
sustaining.org = SUSTAINING.ORG
[logging]
; log destinations for a KDC/kadmin process; presumably unused on this client-only host
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
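# Stage 1 of the Windows bootstrap: prerequisites and a reboot; stage 2 (downloaded here and run via RunOnce
# after the reboot) installs Docker Desktop and reboots again.
$ProgressPreference = 'SilentlyContinue'
# create working directory
New-Item -ItemType Directory -Force -Path C:\dockerconfig
Set-Location -Path c:\dockerconfig
Start-Transcript -Path config1.txt -Append -IncludeInvocationHeader
# Download latest DD from main channel
Invoke-WebRequest -UseBasicParsing -Uri "https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe" -OutFile "Docker Desktop Installer.exe"
# Stage 2 will execute this installer unattended, so refuse to continue unless it carries a valid Authenticode signature.
$installerSignature = Get-AuthenticodeSignature -FilePath 'Docker Desktop Installer.exe'
if ($installerSignature.Status -ne 'Valid') {
  Stop-Transcript
  throw "Docker Desktop Installer.exe signature status is $($installerSignature.Status); aborting"
}
# Stage-2 script. The URL is pinned to one gist revision (the raw/<commit> path), so a later edit of the gist
# cannot change what runs unattended after the reboot. I need to rethink this part.
Invoke-WebRequest -UseBasicParsing -Uri "https://gist.githubusercontent.com/jason-bivins/587f13c9e10901a975c33e4e88989503/raw/9dd269fbe91d01945eedd75a8f7332f3225acc73/windowssetup.ps1" -Outfile "windowssetup.ps1"
# Check for and enable system requirements: one loop instead of four copies of the same check.
# -ErrorAction SilentlyContinue turns an unknown feature name into $null, which then counts as "not enabled".
$requiredFeatures = @(
  'Microsoft-Hyper-V-All',             # hyper-v
  'containers',                        # containers
  'VirtualMachinePlatform',            # virtual machine platform
  'Microsoft-Windows-Subsystem-Linux'  # windows subsystem for linux
)
foreach ($featureName in $requiredFeatures) {
  $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
  if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
  }
}
# Trigger the next steps to run on next login. An HKLM RunOnce entry runs at the next interactive logon in
# that user's context, with -executionPolicy Unrestricted; make sure the admin doing the setup is the one who logs on.
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Set-ItemProperty -Path $RunOnceKey -Name "NextRun" -Value ('C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -executionPolicy Unrestricted -File ' + "C:\dockerconfig\windowssetup.ps1")
# stop logging
Stop-Transcript
# Reboot
Restart-Computer -Force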
### /etc/squid3/squid.conf Configuration File ####
# NOTE(review): the setup notes edit /etc/squid/squid.conf (squid, not squid3); the path in the header looks stale.
#cache_effective_group proxy
#cache_effective_user proxy
### negotiate kerberos
# Kerberos (SPNEGO) authentication helper, reading the keytab msktutil created; the same path is set as
# KRB5_KTNAME in /etc/squid/PROXY.keytab's environment (see /etc/default/squid in the setup notes).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on
### acl for proxy auth and ldap authorizations
# NOTE(review): only the proxy_auth ACL is defined; no ldap/group ACL backs the "ldap authorizations" part
# of the heading, so any account that can obtain a ticket in the realm is allowed through.
acl auth proxy_auth REQUIRED
### enforce authentication
# Deny requests that are not authenticated (this is what produces the 407 + Negotiate challenge), allow the
# authenticated ones, deny everything else.
# NOTE(review): there is no Safe_ports/SSL_ports restriction here (the stock squid.conf ships
# `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`); without them an
# authenticated user can CONNECT to any destination port through the proxy.
http_access deny !auth
http_access allow auth
http_access deny all
# listening port; the curl test in the setup notes uses squidkerb:3128
http_port 3128