The difficulty of deploying ALD Pro stems from its documentation: there are pitfalls that are customarily left unmentioned. So, short and to the point.
In this example, an ALD Pro domain controller, version 1.4.1 (the latest at the time of writing), is deployed on Astra Linux SE 1.7.3 (frozen branch).
Unfortunately, there is not a single accurate article on this topic on Habr: either something is left out, or they claim that almost all repositories are needed, and these are important points.
Do not install old versions: updating ALD Pro and the OS to a new version is a whole separate quest.
The requirements for the server and the clients are the same, mainly because of SaltStack. It is important to meet every requirement in this spoiler!
Astra has three repositories:
The main repository (main), aka the ISO.
The base repository (base), which contains main.
The extended repository (non-certified packages, not tuned for the built-in security features).
For each repository there is an urgent-updates repository (uu in the URL).
For each repository there is also a repository of hardware-dependent components (not relevant for installing ALD Pro at the moment).
There are also two branches: stable and frozen.
To deploy ALD Pro, use only the frozen-branch repositories, and only base and extended! No urgent updates! No third-party repositories!
There are no checks during installation, so install on a clean OS; attempts to experiment will leave you with a partially non-working ALD Pro.
Details on the repositories are here.
Distribution: Astra Linux SE x86_64 only.
Distribution version: 1.7.2 or 1.7.3 only.
Kernel: generic only.
Mandatory access control can be disabled.
Repositories: frozen 1.7.2 or 1.7.3 only.
Never run apt upgrade, anywhere or at any time!
Domain name and server name: no capital letters and no symbols.
The OS versions on the server and the client must match (if the server is 1.7.3, the client must also be 1.7.3!).
The password is at least 9 characters long, and the $ character cannot be used.
You can deploy only the domain controller itself, without a server group.
A DHCP server is optional; updating the clients' A records will work without it.
During OS installation you can deselect everything except the Fly desktop and the system utilities.
The security checkboxes can also be deselected.
The security level for the server is maximum; for clients, any.
There are only two versions, 1.0.0 and 2.0.0 (coming soon); version 1 has updates (the latest is 1.4.1).
Keep in mind that upgrading from 1.x to the latest version, although it is claimed to be supported, will not be painless without the participation of technical support unless you are a Python and Django developer. Personally, I don't want to spend time debugging code.
Before deploying ALD Pro, the operating system environment must be prepared. We skip the installation itself, as it is trivial; it is only important to choose the maximum security level during installation, and preferably to turn off automatic network configuration so that it does not get in the way later (this can also be done afterwards). Important! The Fly desktop (aka gnome) is a must! In general (simplified): at least 8 GB of RAM and at least 50 GB of HDD/SSD.
If the network connection was configured with network-manager, disable it!
sudo systemctl stop network-manager
sudo systemctl disable network-manager
sudo apt remove network-manager-gnome
Configure a static address in /etc/network/interfaces:
auto eth0
iface eth0 inet static
    address 192.168.0.10
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 22.214.171.124 x.x.x.x y.y.y.y
    dns-search yy.xxxx.zz
    #domain example.com   # when there is only one domain, but the option above is better
The documentation requires you to specify DNS here as well, but in practice you create the /etc/resolv.conf file and add the DNS data to it (nameserver 126.96.36.199).
Set the name of the future ALD Pro controller:
sudo hostnamectl set-hostname dc01.ald.domain.ru
Remember! If you need integration with or migration from MS AD: no capital letters and no symbols, including hyphens and underscores!
Next, edit /etc/hosts:
127.0.0.1     localhost.localdomain localhost
192.168.0.10  dc01.ald.domain.ru dc01
127.0.1.1     dc01   # (salt may glitch if this is removed, but I may be wrong, I did not dig deep)
Configure the OS and ALD Pro repositories:
sudo nano /etc/apt/sources.list
deb https://dl.astralinux.ru/astra/frozen/1.7_x86-64/1.7.3/repository-base 1.7_x86-64 main non-free contrib
deb https://dl.astralinux.ru/astra/frozen/1.7_x86-64/1.7.3/repository-extended 1.7_x86-64 main contrib non-free

sudo nano /etc/apt/sources.list.d/aldpro.list
deb https://dl.astralinux.ru/aldpro/stable/repository-main/ 1.4.1 main
deb https://dl.astralinux.ru/aldpro/stable/repository-extended/ generic main
Create the priority file:
sudo nano /etc/apt/preferences.d/aldpro
Package: *
Pin: release n=generic
Pin-Priority: 900
I deliberately do not give ready-made commands for appending these lines to the files.
Finally, check the security level; the command should return 2:
sudo astra-modeswitch get
If the security level is below 2, there is no need to reinstall; just run the command (details here):
sudo astra-modeswitch set 2
Update and reboot!
sudo apt update && sudo apt dist-upgrade -y
It is important to use exactly this command; apt upgrade must not be used!
For regular machines, i.e. not the server and not ALD Pro clients, use astra-update -A -r -T.
PS: I have opened a ticket specifically to get clarification.
Checklist before installation:
RAM is at least 8 GB (for the first controller);
Astra Linux OS runs at the maximum security level;
/etc/hostname contains the correct name in FQDN format;
/etc/hosts contains the correct data for the first domain controller;
/etc/apt/sources.list points to the frozen Astra Linux OS repositories;
The priority file is present;
The network interface has a static IP address;
The repositories are reachable for installation.
It is important to comply with all the points and requirements above under the spoiler!
Perform the updates from the previous section!
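The checklist above, together with the naming and password rules from the requirements, can be turned into a pre-flight script. The following is an added example written for this article, not ALD Pro's or Astra Linux's own tooling: each rule is a small function that takes its input as arguments, so it can be run on constructed values as well as on the live system. The file paths, the "live" argument and the wording of the messages are this example's assumptions; the astra-modeswitch command and the repository layout (frozen branch, uu for urgent updates, base and extended) come from the article.

```shell
#!/bin/sh
# Pre-flight checks for an ALD Pro controller host. Example for this article,
# not ALD Pro's or Astra Linux's own tooling. Every check takes its input as
# arguments so it can be run against constructed files as well as the live
# system; "sh preflight.sh live" runs the real files (the file paths and the
# "live" argument are assumptions of this example).

# Host name label for "-n": lowercase letters and digits only.
label_ok() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    return 0
}

# FQDN for /etc/hostname and "-d": lowercase letters, digits and dots, no
# hyphens or underscores, at least one dot, no empty labels.
fqdn_ok() {
    case "$1" in
        ''|*[!a-z0-9.]*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# Promotion password: at least 9 characters and no "$" (which the shell would
# also expand if the password were passed unquoted on the command line).
password_ok() {
    [ "${#1}" -ge 9 ] || return 1
    case "$1" in
        *'$'*) return 1 ;;
    esac
    return 0
}

# sources.list: every deb line on the frozen branch, none on urgent updates
# (uu in the URL), and both base and extended repositories present.
sources_ok() {
    deb_lines=$(grep -E '^[[:space:]]*deb[[:space:]]' "$1" || true)
    [ -n "$deb_lines" ] || return 1
    printf '%s\n' "$deb_lines" | grep -v '/frozen/' | grep -q . && return 1
    printf '%s\n' "$deb_lines" | grep -q '/uu/' && return 1
    printf '%s\n' "$deb_lines" | grep -q 'repository-base' || return 1
    printf '%s\n' "$deb_lines" | grep -q 'repository-extended' || return 1
    return 0
}

# Priority file: the generic release pinned at 900.
prefs_ok() {
    grep -q '^Pin: release n=generic' "$1" && grep -q '^Pin-Priority: 900' "$1"
}

# /etc/network/interfaces: a static interface and no dhcp stanza.
interfaces_ok() {
    grep -Eq '^[[:space:]]*iface[[:space:]]+[a-z0-9]+[[:space:]]+inet[[:space:]]+static' "$1" || return 1
    ! grep -Eq 'inet[[:space:]]+dhcp' "$1"
}

# /etc/hosts: one line mapping the static IP to the FQDN and the short name.
hosts_ok() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]+$4([[:space:]]|\$)" "$1"
}

# Run every check against the live system and report what is wrong.
run_live_checks() {
    fqdn=$(cat /etc/hostname)
    short=${fqdn%%.*}
    ip=$(awk '/^[[:space:]]*address/ { print $2; exit }' /etc/network/interfaces)
    mem_gb=$(awk '/^MemTotal/ { printf "%d", $2 / 1024 / 1024 + 0.5 }' /proc/meminfo)
    status=0
    fqdn_ok "$fqdn"                            || { echo "hostname is not a valid FQDN: $fqdn"; status=1; }
    hosts_ok /etc/hosts "$ip" "$fqdn" "$short" || { echo "/etc/hosts lacks '$ip $fqdn $short'"; status=1; }
    sources_ok /etc/apt/sources.list           || { echo "sources.list is not frozen base + extended"; status=1; }
    prefs_ok /etc/apt/preferences.d/aldpro     || { echo "priority file missing or wrong"; status=1; }
    interfaces_ok /etc/network/interfaces      || { echo "no static address in /etc/network/interfaces"; status=1; }
    [ "$(astra-modeswitch get)" = 2 ]          || { echo "security level is not 2"; status=1; }
    [ "$mem_gb" -ge 8 ]                        || { echo "less than 8 GB of RAM"; status=1; }
    return $status
}

if [ "${1:-}" = "live" ]; then
    run_live_checks
fi
```

Run it as sh preflight.sh live on the prepared controller before installing aldpro-mp; a non-zero exit with a list of messages means the host is not ready. The functions can also be sourced and called on their own, for example password_ok 'MyPassw0rd' or fqdn_ok dc01.ald.domain.ru, to validate values before they go into the promotion command.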
Install the ALD Pro Management Portal (it will pull in everything else):
sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y aldpro-mp
When it finishes, do not reboot!
Correct the entries in resolv.conf:
sudo nano /etc/resolv.conf
nameserver 127.0.0.1
search ald.domain.ru
and restart networking:
sudo systemctl restart networking
Then promote the server to the domain controller role with the command:
sudo /opt/rbta/aldpro/mp/bin/aldpro-server-install.sh -d ald.domain.ru -n dc01 -p 'MyPassw0rd' --ip 192.168.0.10 --no-reboot
The password must not contain the $ character (see the requirements above), and it is quoted so that the shell does not expand anything in it. Before running the command, it is advisable to check with nslookup or ping that both the full name and the name without the suffix resolve.
Done! Wait a minute or two, then you can reboot.
After the reboot, log in to the server in a desktop session with the domain administrator account (admin) and the password specified in the promotion command. The portal page will open in the default browser (without transparent authorization); enter the name without the domain suffix. If the choice between domain and local host is not shown in the desktop login window after the reboot, press Alt + U.
The installation is finished, but that's not all!
Next, on the domain controller you need to fix NTP and the BIND config, set up USB mounting for domain clients, create rules restricting access to servers, add another controller, assign roles to engineers who can join computers to the domain without being able to log on to the controller itself or change settings, configure auto-add rules for computer groups, and create custom Salt policies for installing and configuring additional software. You can also disable local logon on domain computers.
If this publication is found interesting and is well received, I will write a series of posts on further customization and updating. I will post a script for automatic installation of the server and clients, with extra options such as renaming a computer in the domain, updating client IP addresses, setting up network shares, and so on, which I wrote for my own convenience.