Administration of ald domain on Astra Linux

Introduction

For more than a year I have been administering Astra Linux. This operating system is based on Debian, but its administration differs in places, and Astra Linux also ships services of its own design. This post is about administering an ald domain: the server part and the client part (how to correctly join a machine to the domain and how to build the hosts file correctly).

Server part

I make the settings on virtual machines in VirtualBox; the server has the ip address 192.168.1.1, and the repository is also located on this server (configuring ip addresses and repositories is no different from Debian). The first thing to set up is time synchronization: we will raise an ntp server that serves the time of the current machine. For this it is enough to edit the /etc/ntp.conf file, making the following changes to it:

server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Specify the subnet parameters according to your ip addresses.

Let’s start the service:

systemctl enable ntp

systemctl start ntp

Since ald does not have its own dns server, its replacement is a correctly configured /etc/hosts file, which must be identical on all machines in the domain. Before editing this file, set the correct hostname for the server:

hostnamectl set-hostname dc1.local

In this situation, the hostname of the server will be dc1 and the domain name, respectively, local; these are the parameters that ald-server will be guided by during initialization. The final touch before initializing the ald server is to correctly configure the /etc/hosts file:

127.0.0.1 localhost
#127.0.1.1 hostname
192.168.1.1 dc1.local dc1
192.168.1.101 host1.local host1
192.168.1.102 host2.local host2

It is imperative to comment out the 127.0.1.1 line, and the order of the names matters: the full host name (the host name with the domain) must be specified first, and only then the host name without the domain.

In this example, one server (the domain controller) and two workstations are listed; if there are more workstations, all of them must be listed in this file, and the file must be copied to every machine that is planned to be added to the domain. After these manipulations, you can proceed to install the necessary packages and initialize the server:

sudo apt install ald-server-common fly-admin-ald-server smolensk-security-ald

The smolensk-security-ald package will add the ability to administer the ald server in the standard fly-admin-smc utility (this will be discussed later).

During installation, you will be prompted to create a domain administrator password; for this publication the password 12345678 is used, and this password will later be used to log in to all machines in the domain. After installing all the packages, be sure to reboot the machine.

IMPORTANT: If for some reason your server settings have gone wrong, you can edit them in the /etc/ald/ald.conf file. The DOMAIN parameter in this file is important: its value must always begin with a dot (.), i.e. in the current example this line will look like this:

DOMAIN = .local

After rebooting the server, you can start initializing the server with the command:

ald-init init

During the domain initialization process, you will once again be prompted to create a domain administrator password, and also to create a password for the kerberos database. If everything went well, a message will appear on the screen as in Figure 1.

Fig. 1

After these manipulations, the server setup is completed, let’s start configuring the client part.

Client side

The client part is configured quite simply: configure the ntp client to synchronize the time, copy the hosts file from the server, set the host name, and configure /etc/ald/ald.conf. In the /etc/ntp.conf file, you need to add the line:

server dc1.local

Let’s start the ntp service:

systemctl start ntp

systemctl enable ntp

Let’s set the host name (in this example, the ip address of the host is 192.168.1.101):

hostnamectl set-hostname host1

Before setting up ald.conf, you need to install the necessary packages:

sudo apt install fly-admin-ald-client ald-client

After the packages are installed, you need to reboot the machine. After the reboot, you can start setting up ald.conf and joining the machine to the domain. Figure 2 shows an example of the ald.conf file (this file is similar to the ald.conf file from the server).

Fig. 2

After these manipulations, you can join the machine to the domain with the command:

ald-client join

During initialization, you must enter the password of an account that has the right to join machines to the domain.

If everything went well, the screen will display the text as in Figure 3.

Fig. 3

This completes the configuration of the client part, you can begin to administer the ald server.

ald server administration

As written earlier, administration can be done through the standard system utility fly-admin-smc; it can be launched from the console, or from the control panel by going to the security tab and running the “Security Policy” applet. The first thing to set up is the password policy, according to your requirements:

Fig. 4

Figure 4 shows the password policy tab. After setting up the password policy, you can start creating users and configuring user rights.

Fig. 5

On the users tab, click the + button, enter the username, set the file system type to local (directories can also be stored on network resources), and uncheck the “new” box next to “Primary group”; the user will then be added to the “domain user” group. Next, we will create a password for the user.

Fig. 6

On the “Domain Privileges” tab, you can make the user an “administrator” of the domain, as well as allow authorization from specific domain machines, or from any machines included in the domain.

Fig. 7

Fig. 8

On the “MRD” tab, you configure which labels the user can have access to, as well as the integrity level.

Fig. 9

Additionally

Imagine a situation where the future domain will include 100 or more machines; distributing the hosts file by hand would be quite laborious, and in this situation bash with a loop like the one below will help.

The test bench has the subnet 192.168.1.0/24: 192.168.1.1 is the server, 192.168.1.2-192.168.1.100 are workstations. On each machine (including the server) there is a user named user with the password 12345678. This user must be a full-fledged administrator of the system (with sudo access; a user with these rights is created during system installation) and have an integrity level of 63. To achieve this, run the following commands:

sudo usermod -aG astra-admin,astra-console user

sudo pdpl-user -l 0:0 -i 63 user

If the user user is not present in the system, run the following commands:

sudo useradd -m -G astra-admin,astra-console -s /bin/bash user

sudo passwd user

sudo pdpl-user -l 0:0 -i 63 user

In order not to enter a password when distributing keys, you need to install the sshpass utility (keep in mind that a password passed on the command line is visible to other local users in the process list, so this is acceptable on an isolated test bench, not in production):

sudo apt install sshpass

After these manipulations, you can generate a key (without sudo, as the user user) for password-less access (1024-bit RSA keys are considered weak today; 2048 bits or more, or an ed25519 key, is the usual recommendation):

ssh-keygen -t rsa -b 1024

Distribute the keys to the workstations (note that -o StrictHostKeyChecking=no skips host key verification, so it is suitable only for a freshly built, isolated bench like this one):

for((i=2;i<101;i++)); do sshpass -p 12345678 ssh-copy-id -f -o StrictHostKeyChecking=no user@192.168.1.$i; done

Copy the hosts file to all machines using the scp utility:

for((i=2;i<101;i++)); do scp /etc/hosts user@192.168.1.$i:/home/user; ssh user@192.168.1.$i sudo cp /home/user/hosts /etc/hosts; done

After executing these commands, the hosts file will be distributed to all machines that will be included in the domain.

In the same way, you can edit this file on all hosts in the domain (for example, when you need to delete the line with the host name host40):

for((i=2;i<102;i++)); do ssh user@192.168.1.$i sudo sed -i '/host40/d' /etc/hosts; done
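As an added example (not from the original post), the following bash script gathers the hosts file rules given above and the distribution loop into three functions: gen_hosts builds an /etc/hosts for the test bench (127.0.1.1 commented out, full name before short name), check_hosts verifies those rules before the file is pushed, and push_hosts copies it to each workstation and confirms the checksum on the remote side. It assumes the same bench as the post (domain local, server dc1 = 192.168.1.1, workstations host2..host100 = 192.168.1.2..192.168.1.100, user user with the ssh key already distributed and passwordless sudo).

```shell
#!/bin/bash
# Added example, not part of the original post. Assumes the bench described
# in the post: domain "local", server dc1 at 192.168.1.1, workstations
# hostN at 192.168.1.N for N in 2..100, user "user" with a distributed ssh key.

# gen_hosts PREFIX SERVER DOMAIN FIRST LAST -> prints an ald-style hosts file
gen_hosts() {
  local prefix=$1 server=$2 domain=$3 first=$4 last=$5 i
  printf '127.0.0.1 localhost\n'
  printf '#127.0.1.1 %s\n' "$server"        # must stay commented out for ald
  printf '%s.1 %s.%s %s\n' "$prefix" "$server" "$domain" "$server"
  i=$first
  while [ "$i" -le "$last" ]; do
    # full name first, short name second: the order ald relies on
    printf '%s.%d host%d.%s host%d\n' "$prefix" "$i" "$i" "$domain" "$i"
    i=$((i + 1))
  done
}

# check_hosts FILE -> 0 if no active 127.0.1.1 line exists and every
# non-loopback entry is "ip fqdn short"; otherwise prints the bad line, returns 1
check_hosts() {
  local file=$1
  if grep -Eq '^[[:space:]]*127\.0\.1\.1' "$file"; then
    echo "error: 127.0.1.1 must be commented out" >&2
    return 1
  fi
  awk 'BEGIN { bad = 0 }
    /^#/ || /^[[:space:]]*$/ || $1 == "127.0.0.1" { next }
    $2 !~ /\./ || $3 == "" || $3 ~ /\./ {
      print "error: line " NR " must be \"ip fqdn short\": " $0 > "/dev/stderr"
      bad = 1
    }
    END { exit bad }' "$file"
}

# push_hosts FILE USER FIRST LAST -> copies FILE to 192.168.1.FIRST..LAST and
# reports any host whose /etc/hosts checksum does not match afterwards
push_hosts() {
  local file=$1 user=$2 first=$3 last=$4 i sum
  sum=$(sha256sum "$file" | cut -d' ' -f1)
  i=$first
  while [ "$i" -le "$last" ]; do
    scp -q "$file" "$user@192.168.1.$i:/home/$user/hosts" &&
      ssh "$user@192.168.1.$i" "sudo cp /home/$user/hosts /etc/hosts && sha256sum /etc/hosts" |
      grep -q "^$sum " || echo "192.168.1.$i: hosts file NOT updated" >&2
    i=$((i + 1))
  done
}
```

Typical use on the server: gen_hosts 192.168.1 dc1 local 2 100 > /tmp/hosts && check_hosts /tmp/hosts && push_hosts /tmp/hosts user 2 100.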

Conclusion

As can be seen from this publication, the ald domain is quite easy to deploy, and also very easy to administer using the standard fly-admin-smc system utility.
