CentOS下基于PPTPD与AD验证的×××服务器构建-优快云博客

本文详细介绍了如何在服务器上安装并配置Kerberos、Samba、NTPdate等软件，实现与AD域同步时间，并通过PPTPD实现远程接入。包括DNS配置、Kerberos认证流程、SMB配置、PPTPD安装与DNS设置，以及加入AD域的具体步骤。

一.×××服务器加入AD域名

1.安装kerberos、samba、ntpdate

yum -y install krb5-workstation pam_krb5 krb5-devel krb5-libs samba ntpdate

2.修改DNS文件

vim /etc/resolv.conf
#在第一行加入
nameserver 192.168.100.238

3.与AD同步时间

ntpdate 192.168.100.238
echo "* */2 * * * /sbin/ntpdate 192.168.100.238" >> /etc/crontab

4.修改vim /etc/krb5.conf

vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = LUSHARE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 LUSHARE.COM = {
  kdc = adserver.lushare.com
  admin_server =  adserver.lushare.com
 }
[domain_realm]
 .lushare.com = LUSHARE.COM
 lushare.com = LUSHARE.COM

5.测试kerberos(需要注意域名的大小写)

kinit administrator@LUSHARE.COM
Password for administrator@LUSHARE.COM:

PS:需要注意LUSHARE.COM一定是大写，否则会出现

kinit: Cannot find KDC for requested realm while getting initial credentials

6.修改/etc/samba/smb.conf

vim /etc/samba/smb.conf
#修改如下内容
workgroup = LUSHARE
server string = pptpd Server
security = ads
realm = LUSHARE.COM
encrypt passwords = yes
password server = adserver.lushare.com
#添加如下内容
idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind refresh tickets =yes
winbind use default domain= no
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir =/home/%D/%U

7.加入AD

#使用klist查看刚刚使用的kinit命令是否执行成功
[root@graceboy ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LUSHARE.COM
Valid starting     Expires            Service principal
03/29/14 14:34:47  03/30/14 00:34:47  krbtgt/LUSHARE.COM@LUSHARE.COM
        renew until 04/05/14 14:34:47
#使用如下命令加入AD
net ads join -U administrator@LUSHARE.COM
Enter administrator@LUSHARE.COM's password:
Using short domain name -- LUSHARE
Joined 'GRACEBOY' to dns domain 'lushare.com'

8.启动相应的服务并测试加入AD是否正常

service smb restart ;chkconfig smb on
service nmb restart ;chkconfig nmb on
service winbind restart ;chkconfig winbind on
#测试是否可以获取AD中的信息
checking the trust secret for domain LUSHARE via RPC calls succeeded
#查看AD中的账户
wbinfo -u
LUSHARE+administrator
LUSHARE+guest
LUSHARE+support_388945a0
LUSHARE+krbtgt
LUSHARE+luke
LUSHARE+test

二.安装PPTPD(可参考http://fengwan.blog.51cto.com/508652/1385345)

1.安裝ppp

 
          yum -y  
          install 
           ppp perl

2.下载及安装pptpd

 
          wget http: 
          //poptop 
          .sourceforge.net 
          /yum/stable/rhel6/x86_64/pptpd-1 
          .4.0-1.el6.x86_64.rpm 
         
          rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm

3.配置×××的DNS

 
          vim  
          /etc/ppp/options 
          .pptpd 
         
          #加入以下4行，前2行是设置DNS，后2行是加载AD验证模块 
         
          ms-dns 114.114.114.114 
         
ms-dns 8.8.4.4
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

4.配置ppp的客户端IP

vim /etc/pptpd.conf
#加入以下2行，主要是本地IP,及远程×××客户端使用的IP，不建议使用内部网段
localip 172.16.0.1
remoteip 172.16.0.2-245

本文是参考：http://chengcai.blog.51cto.com/728195/1367677

另外本人测试，只要是启用的账户都可以进行连接，暂时还无法设置某些用户无法使用×××

转载于:https://blog.51cto.com/fengwan/1386589