CentOS下基于PPTPD与AD验证的×××服务器构建

一.×××服务器加入AD域名

1.安装kerberos、samba、ntpdate

yum -y install krb5-workstation pam_krb5 krb5-devel krb5-libs samba ntpdate

2.修改DNS文件

vim /etc/resolv.conf
#在第一行加入
nameserver 192.168.100.238

3.与AD同步时间

ntpdate 192.168.100.238
echo "* */2 * * * /sbin/ntpdate 192.168.100.238" >> /etc/crontab

4.修改vim /etc/krb5.conf

vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = LUSHARE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 LUSHARE.COM = {
  kdc = adserver.lushare.com
  admin_server =  adserver.lushare.com
 }
[domain_realm]
 .lushare.com = LUSHARE.COM
 lushare.com = LUSHARE.COM

5.测试kerberos(需要注意域名的大小写)

kinit [email protected]
Password for [email protected]:

PS:需要注意LUSHARE.COM一定是大写,否则会出现

kinit: Cannot find KDC for requested realm while getting initial credentials

6.修改/etc/samba/smb.conf

vim /etc/samba/smb.conf
#修改如下内容
workgroup = LUSHARE
server string = pptpd Server
security = ads
realm = LUSHARE.COM
encrypt passwords = yes
password server = adserver.lushare.com
#添加如下内容
idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind refresh tickets =yes
winbind use default domain= no
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir =/home/%D/%U

7.加入AD

#使用klist查看刚刚使用的kinit命令是否执行成功
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting     Expires            Service principal
03/29/14 14:34:47  03/30/14 00:34:47  krbtgt/[email protected]
        renew until 04/05/14 14:34:47
#使用如下命令加入AD
net ads join -U [email protected]
Enter [email protected]'s password:
Using short domain name -- LUSHARE
Joined 'GRACEBOY' to dns domain 'lushare.com'

8.启动相应的服务并测试加入AD是否正常

service smb restart ;chkconfig smb on
service nmb restart ;chkconfig nmb on
service winbind restart ;chkconfig winbind on
#测试是否可以获取AD中的信息
checking the trust secret for domain LUSHARE via RPC calls succeeded
#查看AD中的账户
wbinfo -u
LUSHARE+administrator
LUSHARE+guest
LUSHARE+support_388945a0
LUSHARE+krbtgt
LUSHARE+luke
LUSHARE+test

二.安装PPTPD(可参考http://fengwan.blog.51cto.com/508652/1385345)

1.安裝ppp

1
yum -y install ppp perl

2.下载及安装pptpd

1
2
wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm

3.配置×××的DNS

1
2
3
4
vim /etc/ppp/options.pptpd
#加入以下4行,前2行是设置DNS,后2行是加载AD验证模块
ms-dns 114.114.114.114

ms-dns 8.8.4.4

plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

4.配置ppp的客户端IP

vim /etc/pptpd.conf
#加入以下2行,主要是本地IP,及远程×××客户端使用的IP,不建议使用内部网段
localip 172.16.0.1
remoteip 172.16.0.2-245

本文是参考:http://chengcai.blog.51cto.com/728195/1367677

另外本人测试,只要是启用的账户都可以进行连接,暂时还无法设置某些用户无法使用×××