Linux-Based Solution for Domain Management

Linux-based solution for domain management?

Not sure if this is what you had in mind, but Linux w/Samba can act as a domain controller for Windows desktops. For example, see SAMBA (Domain Controller) Server For Small Workgroups at HowToForge. This works for file/print sharing etc.

For something more akin to Microsoft's Active Directory, you might check out Red Hat Directory Server:

Red Hat Directory Server is an LDAP-based server that centralizes application
settings, user profiles, group data, policies, and access control information
into an operating system-independent, network-based registry.

If cost is a concern, there's Fedora Directory Server, the free community version.

Another potential offering would be Sun's OpenDS project:

OpenDS is an open source community project building a free and
comprehensive next generation directory service based on LDAP
and DSML. OpenDS is designed to address large deployments, to
provide high performance, to be highly extensible, and to be
easy to deploy, manage and monitor.

Best DNS web based management and slave/master installer linux

Okay, for now I found two things:

SMManager https://bobcares.com/blog/simple-management-for-bind/

Second is Webmin, which I suggest and which in my opinion is the best at the moment.

Here are Webmin installation tutorials by DigitalOcean:

  • https://www.digitalocean.com/community/tutorials/how-to-install-webmin-on-ubuntu-16-04

  • https://www.digitalocean.com/community/tutorials/how-to-install-webmin-on-ubuntu-18-04

Regards.

Designing a Linux-based system for transferability of ownership/admin rights without total trust

First and foremost, you did say design :) My answer will contain references to stuff that you can use right now, but some of it is not yet stable enough for production. My answer will also contain allusions to stuff that would need to be written.

You cannot accomplish this unless you (as user9876 pointed out) fully and completely trust the individual or company that did the initial installation. If you can't trust this, your problem is infinitely recursive.

I was very active in a new file system several years ago called ext3cow, a copy-on-write version of ext3. Snapshots were cheap and 100% immutable; the port from Linux 2.4 to 2.6 broke and abandoned the ability to modify or delete files in the past.

Pound for pound, it was as efficient as ext3. Sure, that's nothing to write home about, but it was (and for a large part still is) the production standard FS.

Using that type of file system, assuming a snapshot was made of the pristine installation after all services had been installed and configured, it would be quite easy to diff an entire volume to see what changed and when.

At this point, after going through the diff, you can decide that nothing is interesting and just change the root password, or you can go inspect things that seem a little odd.

Now, for the stuff that has to be written if something interesting is found:

  • Something that you can pipe the diff through that investigates each file. What you're going to see is a list of revisions per file, at which time they would have to be recursively compared, i.e., present against former-present, former-present against past1, past1 against past2, etc., until you reach the original file or the point that it no longer exists. Doing this by hand would seriously suck. Also, you need to identify files that were never versioned to begin with.
  • Something to inspect your currently running kernel. If someone has tainted VFS, none of this is going to work; CoW file systems use temporal inodes to access files in the past. I know a lot of enterprise customers who modify the kernel quite a bit, up to and including modules, VMM and VFS. This may not be such an easy task - comparing against 'pristine' may not be tenable since the old admin may have made good modifications to the kernel since it was installed.
  • Databases are a special headache, since they typically change every second or more often, including the user table. That's going to need to be checked manually, unless you come up with something that can check to be sure that nothing is strange; such a tool would be very specific to your setup. Classic UNIX 'root' is not your only concern here.

Now, consider the other computers on the network. How many of them are running an OS that is known to be easily exploited and bot-infested? Even if your server is clean, what if this guy joins #foo on IRC and starts an attack on your servers via your own LAN? Most people will click links that a co-worker sends, especially if it's a juicy blog entry about the company; social engineering is very easy if you're doing it from the inside.

In short, what you suggest is tenable; however, I'm dubious that most companies could enforce the best practices needed for it to work when needed. If the end result is that you find a BOFH in your work force and need to can him, you had better have contained him throughout his employment.

I'll update this answer more as I continue to think about it. It's a very interesting topic. What I've posted so far are my own collected thoughts on the same.

Edit:

Yes, I know about virtual machines and checkpointing, a solution assuming that brings on a whole new level of recursion. Did the (now departed) admin have direct root access to the privileged domain or storage server? Probably, yes, which is why I'm not considering it for the purposes of this question.
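
The volume diff the answer describes depends on a snapshotting file system; the same question ("what changed since the pristine install, and which files were never in the baseline at all?") can be answered on any file system with a hashed manifest taken at handover and compared later. The following is an added example, not code from the answer or from ext3cow. The paths and contents in `demo()` are constructed; the manifest records mode, owner, size and SHA-256 per regular file, records symlinks by target instead of following them, and the diff reports never-baselined files separately from modified ones, which is the "never versioned" case from the first bullet above.

```python
"""Baseline-and-diff of a directory tree (added example, not from the answer)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map relative path -> record for every entry under root.

    Regular files: (mode string, uid, gid, size, sha256 hex).
    Symlinks are recorded by target (lstat, not stat) so a planted link
    cannot make a foreign file look like part of the tree. os.walk does
    not descend into symlinked directories, so those are skipped.
    """
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            st = os.lstat(p)
            rel = str(p.relative_to(root))
            if stat.S_ISLNK(st.st_mode):
                out[rel] = ("symlink", os.readlink(p))
                continue
            if not stat.S_ISREG(st.st_mode):
                out[rel] = ("special", stat.filemode(st.st_mode))
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            out[rel] = (stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                        st.st_size, h.hexdigest())
    return out


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return {'added', 'removed', 'changed'} as sorted path lists.

    'added' is exactly the set with no earlier version to compare against,
    which is the list you have to inspect file by file rather than diff.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed tree: take a baseline, simulate post-handover edits, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = manifest(root)
        # Simulated changes after the old admin left (constructed, hypothetical).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "sudoers").unlink()
        (root / "etc" / "rc.local").write_text("/usr/local/bin/unknown-helper &\n")
        current = manifest(root)
    return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice you would run `manifest()` against the real root immediately after the handover snapshot, store the result off-box (otherwise whoever can modify the tree can also "fix" the baseline), and compare on demand; the kernel-tampering caveat in the second bullet still applies, since this code trusts whatever the running VFS reports.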

What's the best virtualization or open source cloud platform for Linux/CentOS?

Currently there are many open source virtualization or cloud platforms. When you say cloud computing I think you are looking for an IaaS system. You can use a cloud solution like OpenStack, CloudStack, or Eucalyptus. Of course, several pure virtualization products can also meet your requirements, for example XenServer Free edition, oVirt (contributed mainly by Red Hat), or Convirt open source edition. I would strongly recommend XenServer for several reasons.

  • It is much more mature than oVirt. XenServer has existed as a commercial solution for several years. The free edition is open source and powerful.
  • It is very easy to deploy. You don't need to install and configure hypervisors like KVM or Xen. XenServer is distributed as an ISO image. Install it as a new OS and everything is ready.
  • It is easy to use. XenServer has both command line tools and a GUI tool called XenCenter to manage your VMs. The bad news is that XenCenter is a Windows-only application.
  • It is easy to deploy a VM. XenServer provides a lot of built-in guest OS templates, which make it very easy to create a new VM.
  • Resource pool. Even the free edition allows you to manage multiple nodes in the form of a resource pool. A resource pool can contain up to 16 nodes. (This is not a limit of the free edition; the paid editions have the same limit.)

Document management under Linux

Lucene is a great development tool, but if you prefer something that will work out of the box, Alfresco would work, though it's probably overkill. One of these will likely work as well.

Where to learn Linux user administration for a Web server?

Here's what I did and recommend:

  1. Learn the basic Linux commands.
  2. Learn about the filesystem structure. What are the files stored in /etc?
  3. Learn about Linux permissions. -rwxr-xr-x what?!
  4. Learn about Linux processes. There are demons... eh... daemons in Linux?!
  5. Briefly read up on the popular servers that can be run on Linux. Apache, MySQL, DNS, NFS, Samba, Squid - I have it all!
  6. Try to set up a web or file server. Seriously, do it.
  7. Learn a little about shell scripting. Can you automate your daily work?
  8. Learn to use the man command - I use it every day.
  9. If you don't remember exactly what the command was, type the first letter or two of the command and press Tab twice; this will list all commands starting with the given letters.

Playing around, moving files, starting and stopping processes, setting up Apache etc. is the best way to learn in my opinion.

Linux web front-end best practices

Have the specialized service daemon running as a distinct user -- let's call it 'managerd'. Set up your /etc/sudoers file so that 'managerd' can execute the various commands you want it to be able to run, as root, without a password.

Have the web server drop "trigger" files containing the commands to run in a directory that is mode '770' with a group that only the web server user and 'managerd' are members of. Make sure that 'managerd' verifies that the files have the correct ownership before executing the command.

Make sure that the web interface side is locked down -- run it over HTTPS only, require authentication, and if at all possible, put in IP-specific ACLs, so that you can only access it from known locations, in advance.
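
Below is an added example of the consumer side of the design above, the 'managerd' process that picks trigger files out of the drop directory; it is not code from the answer. Everything about the layout is assumed for illustration: a spool at /var/spool/managerd (mode 770, group 'managerd' containing the web user and 'managerd'), a sudoers fragment such as `managerd ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx`, and the two action names in `ACTIONS`. It adds two checks a practitioner would want beyond the ownership test the answer mentions: the file is inspected with lstat so a planted symlink is rejected rather than followed, and the file carries an allowlisted action name that maps to a fixed argv, so the web tier never gets to choose a command line that root will run. The spool contents in `demo()` are constructed, and the command runner is injectable so the logic runs without sudo.

```python
"""managerd trigger-file consumer (added example, not from the answer)."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allowlist: action name -> fixed argv, run through sudo -n
# (non-interactive) and matched by the sudoers fragment described above.
ACTIONS = {
    "restart-web": ["sudo", "-n", "/usr/bin/systemctl", "restart", "nginx"],
    "reload-dns": ["sudo", "-n", "/usr/sbin/rndc", "reload"],
}


def check_trigger(path: Path, web_uid: int, grp_gid: int) -> str:
    """Return the action named in `path`, or raise ValueError.

    lstat, not stat: a symlink dropped into the spool must be rejected,
    not followed to some other file the web user happens to own.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path.name}: not a regular file")
    if st.st_uid != web_uid or st.st_gid != grp_gid:
        raise ValueError(f"{path.name}: unexpected owner {st.st_uid}:{st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        raise ValueError(f"{path.name}: world-writable")
    if st.st_size > 64:
        raise ValueError(f"{path.name}: oversized")
    name = path.read_text(encoding="ascii").strip()
    if name not in ACTIONS:
        raise ValueError(f"{path.name}: unknown action {name!r}")
    return name


def process_spool(spool: Path, web_uid: int, grp_gid: int, run=subprocess.run):
    """Consume every trigger in `spool`; return [(filename, outcome), ...].

    Each trigger is removed whether it ran or was rejected, so a bad file
    cannot keep the daemon spinning. `run` defaults to subprocess.run.
    """
    results = []
    for path in sorted(spool.iterdir()):
        try:
            name = check_trigger(path, web_uid, grp_gid)
        except ValueError as exc:
            results.append((path.name, f"rejected: {exc}"))
        else:
            run(ACTIONS[name], check=False)
            results.append((path.name, f"ran {name}"))
        finally:
            if not path.is_dir():
                path.unlink(missing_ok=True)
    return results


def demo():
    """Constructed spool: one valid trigger, one injected command line,
    one symlink. The 'web user' is whoever runs the demo; no sudo is called."""
    ran = []
    with tempfile.TemporaryDirectory() as d:
        spool = Path(d)
        good = spool / "01-restart"
        good.write_text("restart-web\n")
        good.chmod(0o640)
        evil = spool / "02-evil"
        evil.write_text("rm -rf / ; reload-dns\n")
        evil.chmod(0o640)
        (spool / "03-link").symlink_to("/etc/passwd")
        st = os.lstat(good)
        results = process_spool(spool, st.st_uid, st.st_gid,
                                run=lambda argv, **kw: ran.append(argv))
    return results, ran


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Run as a loop (or from a path unit / inotify watcher) under the 'managerd' account; because the daemon only ever executes entries from `ACTIONS`, the sudoers line can be narrowed to exactly those argv strings rather than a blanket NOPASSWD.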

How to attach domain name to my server?

Just to explain, you have multiple things here:

  • Domain name
  • DNS nameservers
  • Web server(s)

All of these can be hosted with separate providers, but depending on your provider you might have different management options.

Domain name

Your domain name has a registrar (who you bought it from). That registrar will keep a list of 1-3 'nameservers' which are the addresses for the provider that hosts your DNS.

DNS nameservers

Your DNS is like your address book. That needs to be hosted somewhere, and if your old host didn't let you edit it, it's probably just part of their shared hosting service, and not something you can manage. You will need to change your domain name to point to another set of nameservers at a provider you can manage. Your VPS provider probably has a DNS service, but possibly not free (although many are). If needed you can use a free DNS host like XName or ClouDNS, but depending on your level of knowledge you might find these difficult to use.

A basic web server record you will want to add is known as an A record, and will point my-domain.com. and/or www.my-domain.com. (using a separate record) to your web server's IP address.

Web server

Your server has an IP address. If you need to load-balance for performance reasons you'll need your hosting company to provide you a 'virtual IP' or a load-balancer service, behind which you can have multiple servers.

Summary

The way the request goes is:

  1. User types my-domain.com into their browser
  2. The user's ISP's DNS server is queried for my-domain.com
  3. The web server IP address for my-domain.com is returned
  4. The user's browser sends an HTTP GET request to your server to get the web page

One part of the process leads onto the next, so you need to make the three things work in harmony to get your site to function.
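
A quick way to confirm that the three pieces above actually line up is to check each link in the chain from the outside: the nameservers the registrar published at the parent, the NS set each of those servers serves for the zone (if they differ, the delegation is lame or stale), and the A records for the apex and www on every nameserver. This is an added example, not code from the answer; `dig_query` wraps dig(1) for real use, and `demo()` feeds `check_domain` constructed answers for example.com and the documentation addresses 203.0.113.10 and 198.51.100.7, in which one nameserver still hands out the old host's address for www, the classic "it works for me but not for you" symptom after a move.

```python
"""Delegation and A-record consistency check (added example, not from the answer)."""
import subprocess


def dig_query(name, rtype, server=None):
    """Return rdata of `rtype` records from dig's answer and authority sections.

    The authority section matters for the parent: a TLD server answers a
    query for a delegated name with a referral whose NS records live there.
    """
    argv = ["dig", "+noall", "+answer", "+authority"]
    if server:
        argv.append(f"@{server}")
    argv += [name, rtype]
    out = subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    rdata = []
    for line in out.splitlines():
        f = line.split()          # name ttl class type rdata
        if len(f) >= 5 and f[3] == rtype:
            rdata.append(f[4].rstrip("."))
    return rdata


def check_domain(domain, web_ip, parent_server, query=dig_query):
    """Return a list of problems; an empty list means the chain is consistent.

    parent_server is one of the TLD's servers (for .com, `dig +short com NS`
    lists them); the NS records it returns are what the registrar published.
    """
    problems = []
    parent_ns = sorted(query(domain, "NS", parent_server))
    if len(parent_ns) < 2:
        problems.append(f"registrar published {len(parent_ns)} nameserver(s); expected at least 2")
    for ns in parent_ns:
        child_ns = sorted(query(domain, "NS", ns))
        if child_ns != parent_ns:
            problems.append(f"{ns}: serves NS {child_ns}, delegation says {parent_ns}")
        for name in (domain, f"www.{domain}"):
            addrs = query(name, "A", ns)
            if addrs != [web_ip]:
                problems.append(f"{ns}: {name} A {addrs}, expected [{web_ip!r}]")
    return problems


def demo():
    """Constructed DNS answers: ns2 still serves the old host's IP for www."""
    answers = {
        ("example.com", "NS", "a.gtld-servers.net"): ["ns1.example.net", "ns2.example.net"],
        ("example.com", "NS", "ns1.example.net"): ["ns1.example.net", "ns2.example.net"],
        ("example.com", "NS", "ns2.example.net"): ["ns1.example.net", "ns2.example.net"],
        ("example.com", "A", "ns1.example.net"): ["203.0.113.10"],
        ("www.example.com", "A", "ns1.example.net"): ["203.0.113.10"],
        ("example.com", "A", "ns2.example.net"): ["203.0.113.10"],
        ("www.example.com", "A", "ns2.example.net"): ["198.51.100.7"],
    }

    def fake_query(name, rtype, server=None):
        return answers.get((name, rtype, server), [])

    return check_domain("example.com", "203.0.113.10", "a.gtld-servers.net", fake_query)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Against a live domain, call `check_domain("my-domain.com", "<server ip>", "<one of the TLD servers>")` with the default `dig_query`; any output line points at the exact piece (registrar, DNS host, or record) that still needs fixing.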
