Administration of ald domain on Astra Linux


For more than a year I have been administering the operating system Astra Linux, this operating system is based on the debian operating system, but in terms of administration, these operating systems have differences, and Astra Linux also has services of its own design. This post is about administration. ald domain, server part, as well as the client part (how to correctly enter the system into the domain and the correct formation of the hosts file).

Server part

I make the settings on virtual machines in virtualbox, on the server the ip address is, the repository is also located on this server (configuring ip addresses and repositories is no different from the settings in debian). The first thing to set up is time synchronization, we will raise an ntp server that will take time from the current machine, for this it is enough to edit the /etc/ntp.conf file, making the following changes to it:


fudge stratum 10

restrict mask nomodify notrap

Specify the subnet parameters according to your ip addresses.

Let’s start the service:

systemctl enable ntp

systemctl start ntp

Since ald does not have its own dns server, its replacement is a correctly configured /etc/hosts file, which should be the same on all machines in the domain. Before editing this file, set the correct hostname for the server:

hostnamectl set-hostname dc1.local

In this situation, the hostname of the server will be dc1, and the domain name, respectively, local, it is these parameters that ald-server will be guided by during initialization. The final touch before initializing the ald server is to correctly configure the /etc/hosts file: localhost

# hostname dc1.local dc1 host1.local host1 host2.local host2

It is imperative to “comment out”, and it is also important to consistently specify the full host name, i.e. the host name with a domain must be specified first, and only then the host name without a domain.

In this example, one domain and two workstations are specified (if there are more workstations, then, accordingly, all of them must be listed in this file, and this file must also be copied to all machines that are planned to be added to the domain). After these manipulations, you can proceed to install the necessary packages, as well as initialize the server:

sudo apt install ald-server-common fly-admin-ald-server smolensk-security-ald

The smolensk-security-ald package will add the ability to administer the ald server in the standard fly-admin-smc utility (this will be discussed later).

During installation, you will be prompted to create a domain administrator password, for the current publication the password 12345678 will be created, then this password will be used to enter all machines in the domain. After installing all the packages, be sure to reboot the machine.

IMPORTANT: If for some reason your server settings have gone wrong, then you can edit them in the /etc/ald/ald.conf file, the DOMAIN parameter is important in the current file, the value of this parameter should always begin with . (points), i.e. in the current example, this line will look like this:

DOMAIN = .local

After rebooting the server, you can start initializing the server with the command:

ald-init init

During the domain initialization process, you will once again be prompted to create a domain administrator password, as well as a request to create a password for the kerberos database. If everything went well, a message will appear on the screen as in Figure 1.

Rice.  one
Rice. one

After these manipulations, the server setup is completed, let’s start configuring the client part.

Client side

The client part is configured quite simply, just configure the ntp client to synchronize the time, copy the hosts file from the server, set the host name, and configure /etc/ald/ald.conf. In the /etc/ntp.conf file, you need to add the lines:

server dc1.local

Let’s start the ntp service:

systemctl start ntp

systemctl enable ntp

Let’s set the host name (in this example, the ip address of the host is

hostnamectl set-hostname host1

Before setting up ald.conf, you need to install the necessary packages:

sudo apt install fly-admin-ald-client ald-client

After the packages are installed, you need to reboot the machine, after the machine is rebooted, you can start setting up ald.conf and entering the machine into the domain, Figure 2 shows an example of the ald.conf file (this file is similar to the ald.conf file from the server )

Rice.  2
Rice. 2

After these manipulations, you can enter the machine into the domain with the command:

ald-client join

During initialization, you must enter the password of an account that has rights to enter the machine into the domain.

If everything went well, the screen will display the text as in Figure 3

Rice.  3
Rice. 3

This completes the configuration of the client part, you can begin to administer the ald server.

ald server administration

As it was written earlier, administration can be done through the standard system utility fly-admin-smc, it can be launched through the console, or in the control panel by going to the security tab and running the “Security Policy” applet. The first thing to set up is the password policy according to your requirements:

Rice.  four
Rice. four

Figure 4 shows the password policy tab. After setting up the password policy, you can start creating users and configuring user rights.

Rice.  5
Rice. 5

On the users tab, you must click on the + button, enter the username, set the file system type to local (you can also store directories on network resources), and also uncheck the “new” box opposite the “Primary group” inscription, and the user will be added to the “domain user” group. Next, we will create a password for the user.

Rice.  6
Rice. 6

On the “Domain Privileges” tab, you can make the user an “administrator” of the domain, as well as allow authorization from specific domain machines, or from any machines included in the domain.

Rice.  7
Rice. 7
Rice.  eight
Rice. eight

On the “MRD” tab, it is configured which labels the user can have access to, as well as the level integrity.

Rice.  9
Rice. 9


Imagine such a situation, the future domain will include 100 or more machines, it will be quite problematic to scatter the hosts file manually, in this situation bash with a similar syntax will help.

The test bench has a subnet, – server, – workstations. On each machine (including the server) there is a user user, with a password of 12345678. This user must be a full-fledged administrator (with sudo access, a user with these rights is created during system installation) of the system and have an integrity level of 63, to execute For this purpose, you need to run the following commands:

sudo usermod -aG astra-admin,astra-console user

sudo pdpl-user -l 0:0 -i 63 user

If the user user is not present in the system, run the following commands:

sudo useradd -m -G astra-admin,astra-console -s /bin/bash user

sudo psswd user

sudo pdpl-user -l 0:0 -i 63

In order not to enter a password when distributing keys, you need to install the sshpass utility:

sudo apt install sshpass

After these manipulations, you can begin to generate a key (without sudo, with user rights user), for without password access:

shh-keygen -t rsa -b 1024

Distribute keys to workstations:

for((i=2;i<101;i++)); do sshpass -p 12345678 ssh-copy-id -f -o StrictHostKeyChecking=no user@192.168.1.$i; done

Copy the hosts file to all machines using the scp utility:

for((i=2;i<101;i++)); do scp /etc/hosts user@192.168.1.$i:/home/user; ssh user@192.168.1.$i sudo cp /home/user/hosts /etc/hosts; done

After executing these commands, the hosts file will be distributed to all machines that will be included in the domain.

In the same way, you can edit this file on all hosts in the domain (for example, you need to delete the line with the host name – host40):

for((i=2;i<102;i++)); do ssh user@192.168.1.$i sudo sed -i '/host40/d' /etc/hosts; done


As can be seen from this publication, the ald domain is quite easy to deploy, and also very easy to administer using the standard fly-admin-smc system utility.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *