Migrating IT infrastructure to "BaseALT SPO" solutions

Event program:

  • Why is it no longer possible to use AD?
  • What tasks does AD solve?
  • What can replace AD in the Linux world?
  • Samba DC – the choice of "BaseALT SPO" developers;
  • Principles of implementing group policies;
  • Native tools for managing group policies in Linux;
  • Migration methodology;
  • Implementation examples. Domain and GP management practice.

Today's event is led by Vladimir Cherny, Director of Products, "BaseALT SPO." He began his presentation by discussing how an enterprise built on a Windows-based infrastructure can transition to import-substitution solutions.

The Microsoft Active Directory (AD) project has been gaining ground on the PCs of various organizations for over 20 years, and it is now difficult to find developed enterprise infrastructures in Russia that have not established an AD domain. Currently, paying the vendor for this domain has become impossible. The use of third-party closed technologies is also a very significant security threat. An additional incentive is provided by the government; Presidential Decree No. 166 mandates the approval of foreign software purchases. Decree No. 250 goes even further, with personal liability up to criminal charges.

What makes AD so attractive? AD is Microsoft's proprietary implementation of a directory service, allowing you to combine various network objects – PCs, servers, printers, and various services – into a single system. AD acts as a directory database that stores information about users and other objects. The directory is accessed over LDAP (Lightweight Directory Access Protocol), an open, standardized protocol used to work with various implementations of directory services. The main task of AD is to store information about all objects. To implement this solution, a special server is required – a domain controller – which authenticates users and devices on the network. The domain controller permits an action if the account holds the corresponding rights and blocks it otherwise.

AD provides a single point of identification. If all the services a user needs are in one organization, in one network, it makes sense to limit yourself to one login-password pair. This is a single sign-on technology, where the user enters the password once and then uses all the services.

With AD, you can divide users and PCs into different workgroups. This significantly simplifies administration: settings are applied at once to an entire group of PCs or users. The functionality of the operating system can be reduced for the entire group; for example, you can restrict the use of certain applications to everyone except administrators. This increases security. File sharing is convenient: AD easily implements a distributed file system (DFS) technology, which is used for file management. This is a distributed network for storing files that are physically located on several servers but logically appear in one place.

The AD service allows you to organize all equipment and services into a single system. Not only Microsoft products are supported, but also third-party solutions: "1C", remote desktop gateway, and the like. The domain controller is the central node of this infrastructure and its critical point in terms of reliability, so secondary controllers are deployed and backups are made regularly.

What can replace AD? The Linux world is now replacing Microsoft products. One of the solutions in the Linux world is the Samba project, the first version of which was released in 1992 as the nbserver program. This led its author to focus on network compatibility with Microsoft products, which appeared in 1999. The Samba project got its name from the SMB (Server Message Block) protocol, of which it is essentially an open implementation. SMB is an application-level network protocol and can be carried over various lower-level network protocols. Microsoft extended this SMB implementation into CIFS, adding authentication support using its own manager (LAN Manager). Unlike SMB, the main transport for CIFS is TCP. A further extension of the protocol was SMB2, which was released with Windows Vista. Samba supports SMB2 starting with version 3.6.

In 2004, under pressure from the global community, the European Court demanded that Microsoft disclose the protocol specifications. The disclosure of these protocols gave impetus to the release of a new, high-quality version, Samba4, which implements an almost complete analogue of AD, including a domain controller; Microsoft itself participated in the testing of Samba4.

Thus, Samba4 is actually a replacement for the Microsoft domain controller server and can manage Windows machines in the same way as the native domain manages them. The Samba4 server supports group policies, roaming profiles, and Windows administration tools.

Another project that has existed in the Linux world since 2008 is FreeIPA, developed by Red Hat. This project was not created to work with Windows systems. It uses the 389 Directory Server (389-ds) as its LDAP implementation and MIT Kerberos for the Kerberos protocol. It also uses the Dogtag certificate server, DNS and DHCP, that is, the same standard services found in the Samba implementation. However, FreeIPA is not designed to work with Windows at all.

In 2017 our company was deciding which direction to develop. Connectivity between enterprise network nodes is provided by third-party applications, for example mail (Exchange) through SOGo/Communigate. DNS is handled by third-party projects (or inside Samba). DHCP is also handled by third-party projects. Pass-through authentication is provided by both the FreeIPA and Samba projects. Configuration management and file sharing are solved only by Samba. Remote access is not fully solved by either project. The "ALT" OS supports both the Samba DC and FreeIPA options.

Samba DC can manage Windows machines and does not prevent storing the group policy settings of Windows machines on the Samba server. Unfortunately, Samba itself has no tools for managing them, but the policies will work on Windows machines.

Our company worked out how to implement support for group policies for Linux machines within the Samba project. In 2001, we presented our idea at the Samba conference, and colleagues supported it. We work in the open, that is, all our developments are available in the Samba project. Of course, we work primarily for ourselves, and we have many features specific to our distribution compared with others; porting to other Linux distributions is quite possible.

How to manage group policies? Here the state helped us a little: we were given a small grant (about 100 million rubles).

Features of the implementation of group policies in the "ALT" OS. Group policies, as a mechanism, differ from standard configuration management tools (such as Puppet, Ansible, etc.) in three key features:

  • Integration into the AD infrastructure;
  • The declarative configuration settings correspond to the solutions of a specific distribution;
  • Management not only of computer configuration, but also of user configuration.

The last point is the most important advantage. Additional conditions can be specified in the group policy objects themselves. Information about the state of the PC, the amount of free disk space, the remaining battery charge of the laptop, etc. is used as filters.

Parameters are divided into user and machine parameters. User parameters cannot be planned in advance: machines are not tied to users, and it is not known beforehand which user will try to log into a given host. Therefore, user parameters are applied at the moment a person logs into the system.

Some configuration management tasks can be solved both through user and through machine parameters.

Group policies can be used for different purposes, for example, setting the home page, and in general, managing browsers, setting a ban on connecting external media, etc.

How and with what are these policies applied? Centralized management and configuration of a fleet of machines running the "ALT" OS is carried out through the GPUPDATE tool, an application written by our team. This is a console tool, without a graphical interface. It refreshes policies once an hour, and this interval can be set by the administrator.

Policies are of two types: stable and experimental. Stable ones are shown on the next slide. Stable policies are those for which templates have been written.

Experimental policies are shown on the next slide.

Experimental policies must be enabled forcibly. There is a place in the settings where you need to put the appropriate checkmark.

Among these policies: file and logon script management, connecting network drives, managing INI files, managing KDE Plasma settings, installing software (a very complex process, so it remains experimental for now), and managing shared directories. We currently have about 1000 policies; Microsoft has about 3000, so there is something to strive for.

The policies being developed are shown on the next slide.

We are currently working on password policies, on setting passwords for local users, on connecting printers, synchronizing time via NTP, etc. We are open to everyone, if there are any wishes for policies, please write to us.

Our policies are managed through templates, all of them are posted on an international resource, all Microsoft policies are also located there.

You can manage policies through the RSAT tool. But if we want to get rid of Microsoft completely in the future, then where can we get management tools?

For this, we have developed two tools, one is called ADMC. It was created as a response to the need for a native tool for working with AD and group policies. It was made so that novice users do not have any "misunderstandings" associated with the interface.

The idea of interface management is the same as Microsoft's.

You can view the properties of the user, you can create a policy, bind it to a specific unit. As soon as you click on EDIT, our second graphical tool, called GPUI, will pop up.

This tool is an analogue of the corresponding group policy editing snap-in. With its help, you can edit policies that have 3 states: NOT CONFIGURED, ENABLED and DISABLED.

NOT CONFIGURED and DISABLED are different states. Joining a machine to the domain is done through a graphical utility located in the control center.
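Registry-backed policies are distributed to clients as a Registry.pol file in SYSVOL, and the three editor states map directly onto that file: a policy with no record is NOT CONFIGURED, a record that writes a value is ENABLED, and a record whose value name carries the `**del.` delete marker is DISABLED. The following added example (not code from the ALT gpupdate or GPUI projects) encodes and decodes that format; the key names and values are constructed for illustration, and the `Software\Policies\Example\...` prefix is hypothetical.

```python
import struct

# Registry value types used here (standard Windows constants)
REG_SZ = 1
REG_DWORD = 4

UTF16 = "utf-16-le"


def build_registry_pol(entries):
    """Encode (key, value_name, reg_type, raw_data) tuples as a Registry.pol
    image: the 'PReg' signature, version 1, then one [key;value;type;size;data]
    record per entry, with brackets, semicolons and strings in UTF-16LE."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    sep = ";".encode(UTF16)
    for key, value, reg_type, data in entries:
        out += "[".encode(UTF16)
        out += (key + "\0").encode(UTF16) + sep
        out += (value + "\0").encode(UTF16) + sep
        out += struct.pack("<I", reg_type) + sep
        out += struct.pack("<I", len(data)) + sep
        out += data
        out += "]".encode(UTF16)
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in Registry.pol")
    return buf[pos:end].decode(UTF16), end + 2


def _expect(buf, pos, char):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != char.encode(UTF16):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf):
    """Decode a Registry.pol image into (version, [(key, value_name, reg_type, data), ...])."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    version, = struct.unpack_from("<I", buf, 4)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, reg_type, data))
    return version, entries


def policy_state(value, reg_type, data):
    """Map one record to the state a policy editor shows. A value name prefixed
    with '**del.' is a delete marker, which is how a registry-backed policy
    expresses DISABLED; any other record is ENABLED. A NOT CONFIGURED policy
    has no record at all, so it never reaches this function."""
    if value.startswith("**del."):
        return "DISABLED", value[len("**del."):], None
    if reg_type == REG_DWORD:
        return "ENABLED", value, struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return "ENABLED", value, data.decode(UTF16).rstrip("\0")
    return "ENABLED", value, data


def summarize(buf):
    """Return [(state, key, value_name, decoded_value), ...] for a Registry.pol image."""
    _, entries = parse_registry_pol(buf)
    return [(state, key, name, val)
            for key, value, reg_type, data in entries
            for state, name, val in [policy_state(value, reg_type, data)]]


# Constructed sample: settings of the kind the talk mentions (browser home page,
# ban on external media) under a hypothetical key prefix. The delete marker's
# data is the single space Windows writes for '**del.' records.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\Browser", "HomePage", REG_SZ,
     "https://intranet.example/\0".encode(UTF16)),
    ("Software\\Policies\\Example\\Media", "BlockExternalMedia", REG_DWORD,
     struct.pack("<I", 1)),
    ("Software\\Policies\\Example\\Browser", "**del.AllowPopups", REG_SZ,
     " \0".encode(UTF16)),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for state, key, name, val in summarize(SAMPLE_POL):
        print(f"{state:<8} {key}\\{name} = {val!r}")
```

Because a DISABLED policy leaves a record behind while a NOT CONFIGURED one leaves nothing, a client that merges several GPOs has to process delete markers in link order rather than simply ignoring them; this is the practical reason the two states are not interchangeable.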

How to implement an approach to migrating the domain infrastructure?

Any transition is quite complex and requires comprehensive study. Every infrastructure is very individual: there are peculiarities of network design, of the object structure, of the services in use, etc. It is better to carry out the migration not on your own, but with full consultation from experienced integrators.

Our company has about 150 developers; we do not do integration. We will put you in touch with our technical presales group, who will help you, including suggesting reliable integrators.

There are two standard approaches to any migration:

  • Do not touch anything and build a new infrastructure next to the old one – parallel migration.
  • Replacement migration, which is the most optimal method.

What is the meaning of replacement migration? The scenario is as follows: you have a live AD domain with an MS AD database that stores all the data. We deploy a secondary Samba DC domain controller inside it and copy all the data from this database into the database of the new domain. Then we take this controller out of the domain and deploy it separately in an isolated environment; if the original domain has additional domain controllers, we deploy those as well, and thus simply copy the entire existing infrastructure.

As a result, the domain name is preserved, the domain SID is preserved, the accounts and passwords of absolutely all objects are preserved, groups are preserved, and DNS records are preserved; that is, you get an exact copy of the domain, but built on the Samba DC controller rather than on AD.

Then a closed environment is prepared: you export a snapshot of the database, deploy the first Samba DC domain controller from the received database, and duplicate the structure of the MS AD domain controller fleet, but on Samba DC. Then the resulting domain infrastructure is put into production: Windows servers are removed and Samba DC servers are added.
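The claim that the copy is exact (same domain SID, same accounts, same groups) is something a practitioner should verify before removing the Windows servers. The following added example (not part of the "ALT Domain" tooling) compares two LDIF exports of the user objects, one taken from the original MS AD and one from the new Samba DC, and reports the differences that matter for a replacement migration. It assumes the exports were produced by a tool such as `ldbsearch` that prints `objectSid` as a string (`S-1-5-21-...`); the two exports below are constructed samples in which one account is missing and one has received a different SID.

```python
import base64


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.
    Handles '::' base64 values and folded continuation lines of plain values;
    change records and controls are not needed for a read-only export."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:          # folded line
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def accounts(records):
    """Index records that carry a sAMAccountName, case-insensitively."""
    return {r["sAMAccountName"][0].lower(): r for r in records if "sAMAccountName" in r}


def domain_sid(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def compare_exports(old_ldif, new_ldif):
    """Report everything that would make the Samba DC copy differ from the AD original."""
    old, new = accounts(parse_ldif(old_ldif)), accounts(parse_ldif(new_ldif))
    old_dom = {domain_sid(r["objectSid"][0]) for r in old.values() if "objectSid" in r}
    new_dom = {domain_sid(r["objectSid"][0]) for r in new.values() if "objectSid" in r}
    common = old.keys() & new.keys()
    return {
        "domain_sid_match": old_dom == new_dom,
        "missing": sorted(set(old) - set(new)),
        "extra": sorted(set(new) - set(old)),
        "sid_mismatch": sorted(n for n in common
                               if old[n].get("objectSid") != new[n].get("objectSid")),
        "uac_changed": sorted(n for n in common
                              if old[n].get("userAccountControl") != new[n].get("userAccountControl")),
    }


def is_exact_copy(report):
    """True only when the new domain reproduces the old one account for account."""
    return report["domain_sid_match"] and not any(
        report[k] for k in ("missing", "extra", "sid_mismatch", "uac_changed"))


# Constructed sample exports (hypothetical domain corp.example).
OLD_AD_EXPORT = """\
dn: CN=Administrator,CN=Users,DC=corp,DC=example
sAMAccountName: Administrator
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
userAccountControl: 66048

dn: CN=Ivan Petrov,CN=Users,DC=corp,DC=example
sAMAccountName: ipetrov
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
userAccountControl: 512

dn: CN=svc-print,CN=Users,DC=corp,DC=example
sAMAccountName: svc-print
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
userAccountControl: 66048
"""

# Same domain SID, but svc-print was not copied and ipetrov got a fresh RID.
NEW_SAMBA_EXPORT = """\
dn: CN=Administrator,CN=Users,DC=corp,DC=example
sAMAccountName: Administrator
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
userAccountControl: 66048

dn: CN=Ivan Petrov,CN=Users,DC=corp,DC=example
sAMAccountName: ipetrov
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
userAccountControl: 512
"""

if __name__ == "__main__":
    for key, val in compare_exports(OLD_AD_EXPORT, NEW_SAMBA_EXPORT).items():
        print(f"{key}: {val}")
```

A changed SID is not cosmetic: file and share ACLs, GPO links and group memberships all reference the SID, so an account whose SID differs after migration silently loses its access even though the login name still works. Run the comparison on full exports (users, groups and computers) before the Windows controllers are demoted, while rollback is still cheap.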

From the point of view of users, no one should notice anything, as everything worked, so everything will work.

The advantages of the "ALT Domain" solution are presented on the next slide.