linux PPTPD-***+windowsAD統一認證

拓撲圖:

wKioL1MVl-njhs9IAAGtqbFBwWI033.jpg

說明:首先公司內網環境需要有域的支持;

     前端兩臺***服務器爲Linux操作系統;

     綠色線條表示網絡環境的物理鏈路;

     紅色則表示認證的方式;

##當用戶請求鏈接***時,使用域賬號進行登錄,由DNSPOD判斷爲電信還是聯通(網通)資源,然後交給相應的***服務器,再由***內部的配置將用戶請求指向AD。檢查是否通過用戶名和密碼驗證,通過後則可以正常登錄使用。否則驗證失敗無法使用。

以下是單臺***配置,雙臺配置相同。

1配置系統相應環境並加入域:

1.1初始化環境

1)系統環境

[root@test-centos ~]# cat /etc/redhat-release

CentOS release 6.5 (Final)


2)關閉 SELINUX(不關閉會影響基於 Winbind 的用戶驗證)

#vim /etc/selinux/config

SELINUX=disabled

3)配置 DNS(這裏 DNS 地址一定要配置 AD 的DNS,要不然會影響到後面的入域)

#vim /etc/resolv.conf

search corp.autohome.inc

nameserver 10.168.0.104

4)開啓 IP 包轉發功能(默認是關閉的)

#vim /etc/sysctl.conf

#Controls IP packet forwarding

net.ipv4.ip_forward = 1

#sysctl -p

net.ipv4.ip_forward = 1


5)確定 linux 內核是否支持 iptables_nat 跟 PPP

[root@test-centos~]# modprobe iptable_nat

[root@test-centos~]# lsmod | grep iptable

iptable_nat             6158  1

nf_nat                 22759  2 ipt_MASQUERADE,iptable_nat

nf_conntrack_ipv4       9506 4 iptable_nat,nf_nat

nf_conntrack     79758 5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state

iptable_filter          2793 1

ip_tables              17831  2 iptable_nat,iptable_filter

[root@test-centos ~]# dmesg | grep PPP

PPP generic driver version 2.4.2

6)同步時間(確保Linux服務器和域之間時差不要超過5分鐘)

echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root


1.2相關組件安裝

1)安裝 epel 源

#rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

#rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

2)安裝 PPTP、Samba、heartbeat、Kerberos

#yum install pptpd ppp samba samba-common samba-client heartbeat krb5-libs krb5-workstation krb5-devel -y

1.3Samba和 Kerberos 配置

1)對samba配置文件進行如下更改:

[root@test-centos~]# cat /etc/samba/smb.conf |grep -v "^$"

[global]

   # define the netbios name of the domain

  workgroup = CORP

   # define the pptp server netbios name

netbios name = test-centos

   # server description

server string =pptpd server

   # define the AD domain name

  realm = CORP.AUTOHOME.INC

   # printer stuff

   printcap name = /etc/printcap

   load printers = no

   # log file stuff

   log file = /var/log/samba/%m.log

   max log size = 50

   # must set to ads

security = ADS

   # enable encrypt passwords

   encrypt passwords = yes

   # not to be a master browser

   domain master = no  

   preferred master = no

   # winbind stuff

idmap uid = 50001-550000

   idmap gid = 50001-550000

   winbind separator = +

   winbind refresh tickets =yes

   winbind use default domain= no

   winbind enum users = yes

   winbind enum groups = yes

   template shell = /bin/bash

template homedir =/home/%D/%U


2)配置 Kerberos

[root@test-centos~]# cat /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log


[libdefaults]

default_realm = CORP.AUTOHOME.INC

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

clockskew = 300


[realms]

CORP.AUTOHOME.INC = {

 kdc =autohome-ad.corp.autohome.inc

 admin_server = 10.168.0.104

}


corp.autohome.inc = {

 kdc =autohome-ad.corp.autohome.inc

 admin_server =autohome-ad.corp.autohome.inc

}


[domain_realm]

corp.autohome.inc = CORP.AUTOHOME.INC

.corp.autohome.inc =CORP.AUTOHOME.INC


[appdefaults]

pam = {

   ticket_lifetime = 1d

   renew_lifetime = 1d

   forwardable = true

   proxiable = false

   retain_after_close = false

   minimum_uid = 0

   try_first_pass = true

}

3)測試 Kerberos(注意域名得大寫)

[root@test-centos ~]# kinit -V [email protected]

Using default cache: /tmp/krb5cc_0

Using principal: [email protected]

Password for [email protected]:

Authenticated to Kerberos v5

[root@test-centos ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: [email protected]


Valid starting     Expires            Service principal

02/27/14 18:35:48  02/28/14 04:36:26  krbtgt/[email protected]

   renew until 03/06/14 18:35:48

1.4加入CORP域並測試

1)加入corp域

[root@localhost samba]# net ads join -U [email protected]

[email protected]'s password:

Using short domain name -- CORP

Joined 'PPTPD-***' to dns domain 'corp.autohome.inc'

No DNS domain configured for pptpd-***. Unable to perform DNS Update.

DNS update failed!

2)開啓服務並測試winbind

開啓 samba、winbind 服務

#/etc/init.d/smb start

#/etc/init.d/nmb start

#/etc/init.d/winbind start

測試 winbind 是否工作正常

[root@test-centos ~]# wbinfo -t #測試是否加入域

checking the trust secret for domain CORP via RPC calls succeeded

#wbinfo  -g #讀取域用戶組信息

#wbinfo  -u #讀取域用戶信息

#wbinfo  -m #檢測加入的域

BUILTIN  

PPTPD-***

CORP

設置開機啓動

#chkconfig winbind on

#chkconfig nmb on

#chkconfig smb on


2pptpd設置

2.1 配置 /etc/pptpd.conf

[root@test-centos ~]# cat /etc/pptpd.conf |egrep -v "^#|^$"

ppp /usr/sbin/pppd

speed 115200

option /etc/ppp/options.pptpd

debug

stimeout 30

localip 10.168.0.219

remoteip 10.0.0.2-253

pidfile /var/run/pptpd.pid

2.2 配置 /etc/ppp/options.pptpd

[root@test-centos ~]# cat /etc/ppp/options.pptpd |egrep -v "^#|^$"

name pptpd

debug

logfile /var/log/pptpd.log

require-mschap-v2

ms-dns 10.168.0.104

ms-dns 8.8.4.4

ms-wins 10.168.0.104

ms-wins 10.168.0.105

proxyarp

lock

nobsdcomp

nodeflate

nopcomp

noaccomp

novj

novjccomp

nologfd

nodefaultroute

plugin winbind.so

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 "

2.3 額外配置 MTU(適合那些 XP 系統)

[root@test-centos~]# cat /etc/ppp/ip-up

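#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
#
# pppd runs this hook once the PPP link is up. The positional arguments
# it passes are: interface tty speed local-ip remote-ip ipparam.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

LOGDEVICE=$6   # ipparam: logical device name, when pppd was given one
REALDEVICE=$1  # the pppN interface that just came up

# Run the distribution's post-up handling only when a matching ifcfg file
# exists. Expansions are quoted so an empty or odd LOGDEVICE cannot split
# into extra arguments.
[ -f "/etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE}" ] && \
  /etc/sysconfig/network-scripts/ifup-post --realdevice "${REALDEVICE}" "ifcfg-${LOGDEVICE}"

/etc/ppp/ip-up.ipv6to4 "${LOGDEVICE}"

# Site-local hook; it lives outside this file so package updates do not
# clobber local changes.
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"

# Deployment-specific addition: set the tunnel MTU for Windows XP clients.
# NOTE(review): 14000 is far above the value usually used for PPTP links
# (1400); confirm the intended number. Consider moving this line into
# /etc/ppp/ip-up.local, as the header above requests.
/sbin/ifconfig "$1" mtu 14000

exit 0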

3IPTABLES防火牆設置

3.1先執行以下命令

iptables -F

iptables -X

iptables -Z


iptables -P FORWARD ACCEPT

3.2Iptables 規則如下:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT

(注:GRE 是 IP 協議號 47,而不是 TCP 端口 47;上面這條 `-p tcp --dport 47` 規則並不會放行 PPTP 的 GRE 數據通道,應使用 `-A INPUT -p gre -j ACCEPT`。)

-A INPUT -i lo -j ACCEPT

-A INPUT -s 10.168.0.0/24 -j ACCEPT

-A INPUT -s 10.168.9.0/24 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i eth4 -j ACCEPT

-A FORWARD -o eth4 -j ACCEPT

3.3NAT設置如下:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth4 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 117.251.201.25

###注,eth4爲內網網卡,eth5爲外網網卡(即:117.251.201.25的網卡)


注:最後在客戶端建立撥號連接,並將地址制定到***的外網IP地址進行撥號。
