Topology:
Note: the company's intranet environment requires domain support;
the two front-end VPN servers run Linux;
a green line indicates a physical link in the network environment;
red indicates the authentication method.
When a user requests a VPN connection, they log on with their domain account. DNSPod determines whether the client is on a China Telecom or a China Unicom (China Netcom) network and directs it to the corresponding VPN server; the VPN server is configured to forward the user's credentials to Active Directory for verification. If the user name and password are verified, the user logs on normally; otherwise verification fails and the VPN cannot be used.
The following is the configuration of a single VPN server.
1. Configure the system environment and join the domain:
1.1 Initialize the environment
1) System environment
[root@test-centos ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
2) Disable SELinux (leaving SELinux enabled interferes with Winbind-based user authentication)
# vim /etc/selinux/config
SELINUX=disabled
3) Configure DNS (the nameserver here must be the AD DNS server, otherwise the domain join in the following step will be affected)
# vim /etc/resolv.conf
search corp.autohome.inc
nameserver 10.168.0.104
4) Enable IP packet forwarding (disabled by default)
# vim /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# sysctl -p
net.ipv4.ip_forward = 1
5) Check whether the Linux kernel supports iptable_nat and PPP
[root@test-centos ~]# modprobe iptable_nat
[root@test-centos ~]# lsmod | grep iptable
iptable_nat             6158  1
nf_nat                 22759  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4       9506  4 iptable_nat,nf_nat
nf_conntrack           79758  5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
iptable_filter          2793  1
ip_tables              17831  2 iptable_nat,iptable_filter
[root@test-centos ~]# dmesg | grep PPP
PPP generic driver version 2.4.2
6) Synchronize the time (the time difference between the Linux server and the domain controller must not exceed 5 minutes)
echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >/var/spool/cron/root
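The six steps above are easy to get subtly wrong (a commented-out ip_forward line, a nameserver that is not the DC, a clock that drifts past the 5-minute window), and winbind only reports the symptom much later. The script below is an added example, not part of the original post: it turns each step into a check that reads a file or values passed to it rather than the live system, so it can be run against copied configs before attempting the domain join. The sample files, the epoch values and the temporary file names are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight checks for the host preparation in section 1.1 (added example,
# not part of the original post). Each check reads the file or values it is
# given instead of the live system, so it can be run against copies of the
# configs or against the constructed samples that demo() writes.

# Step 2: the effective SELINUX= setting in /etc/selinux/config must be "disabled".
selinux_disabled() {
    awk -F= '/^[[:space:]]*#/ { next }
             { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
             $1 == "SELINUX" { v = $2 }          # last assignment wins
             END { exit (v != "disabled") }' "$1"
}

# Step 3: resolv.conf must list the AD DNS server (the DC) as a nameserver.
uses_ad_dns() {
    awk -v want="$2" '$1 == "nameserver" && $2 == want { f = 1 }
                      END { exit (f ? 0 : 1) }' "$1"
}

# Step 4: the last net.ipv4.ip_forward assignment in sysctl.conf must be 1.
ip_forward_enabled() {
    awk -F= '/^[[:space:]]*#/ { next }
             { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
             $1 == "net.ipv4.ip_forward" { v = $2 }
             END { exit (v != "1") }' "$1"
}

# Step 5: a module name must appear in the first column of saved lsmod output.
has_module() {
    awk -v m="$2" '$1 == m { f = 1 } END { exit (f ? 0 : 1) }' "$1"
}

# Step 6: |local epoch - DC epoch| must be within the Kerberos skew limit
# (300 s by default, matching the 5 minutes the post requires).
within_clock_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "${3:-300}" ]
}

# Report helper: prints PASS/FAIL for a named check without aborting.
report() {
    name=$1; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi
}

# Build constructed sample files (values taken from the post) and run every
# check against them, including one deliberately wrong sysctl file.
demo() {
    d=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/selinux"
    printf 'search corp.autohome.inc\nnameserver 10.168.0.104\n' > "$d/resolv.conf"
    printf '# Controls IP packet forwarding\nnet.ipv4.ip_forward = 1\n' > "$d/sysctl.conf"
    printf 'net.ipv4.ip_forward = 0\n' > "$d/sysctl-off.conf"
    printf 'iptable_nat 6158 1\nnf_nat 22759 2 ipt_MASQUERADE,iptable_nat\n' > "$d/lsmod"
    report "SELinux disabled"            selinux_disabled "$d/selinux"
    report "AD DNS in resolv.conf"       uses_ad_dns "$d/resolv.conf" 10.168.0.104
    report "ip_forward enabled"          ip_forward_enabled "$d/sysctl.conf"
    report "ip_forward enabled (bad)"    ip_forward_enabled "$d/sysctl-off.conf"
    report "iptable_nat loaded"          has_module "$d/lsmod" iptable_nat
    report "nf_nat loaded"               has_module "$d/lsmod" nf_nat
    report "clock skew 120 s"            within_clock_skew 1393525200 1393525320
    report "clock skew 600 s"            within_clock_skew 1393525200 1393525800
    rm -rf "$d"
}

demo
```

On a real host the same functions take the live paths, for example `selinux_disabled /etc/selinux/config`, `ip_forward_enabled /etc/sysctl.conf`, `lsmod > /tmp/lsmod && has_module /tmp/lsmod iptable_nat`, and `within_clock_skew "$(date +%s)" "$dc_epoch"` with the DC time obtained from the `ntpdate` query in step 6.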
1.2 Install related components
1) Install the EPEL repository
# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
2) Install PPTP, Samba, heartbeat, and Kerberos
# yum install pptpd ppp samba-common samba-client heartbeat krb5-libs krb5-workstation krb5-devel -y
1.3 Samba and Kerberos configuration
1) Make the following changes to the Samba configuration file:
[root@test-centos ~]# cat /etc/samba/smb.conf | grep -v "^$"
[global]
# Define the NetBIOS name of the domain
workgroup = CORP
# Define the PPTP server's NetBIOS name
netbios name = test-centos
# Server description
server string = pptpd server
# Define the AD domain name
realm = CORP.AUTOHOME.INC
# Printer stuff
printcap name = /etc/printcap
load printers = no
# Log file stuff
log file = /var/log/samba/%m.log
max log size = 50
# Must be set to ads
security = ADS
# Enable encrypted passwords
encrypt passwords = yes
# Do not act as a master browser
domain master = no
preferred master = no
# Winbind stuff
idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind refresh tickets = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
2) Configure Kerberos
[root@test-centos ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CORP.AUTOHOME.INC
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 300
[realms]
CORP.AUTOHOME.INC = {
  kdc = autohome-ad.corp.autohome.inc
  admin_server = 10.168.0.104
}
corp.autohome.inc = {
  kdc = autohome-ad.corp.autohome.inc
  admin_server = autohome-ad.corp.autohome.inc
}
[domain_realm]
corp.autohome.inc = CORP.AUTOHOME.INC
.corp.autohome.inc = CORP.AUTOHOME.INC
[appdefaults]
pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  retain_after_close = false
  minimum_uid = 0
  try_first_pass = true
}
3) Test Kerberos (note that the realm name must be in upper case)
[root@test-centos ~]# kinit -V administrator@CORP.AUTOHOME.INC
Using default cache: /tmp/krb5cc_0
Using principal: administrator@CORP.AUTOHOME.INC
Password for administrator@CORP.AUTOHOME.INC:
Authenticated to Kerberos v5
[root@test-centos ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.AUTOHOME.INC
Valid starting     Expires            Service principal
02/27/14 18:35:48  02/28/14 04:36:26  krbtgt/CORP.AUTOHOME.INC@CORP.AUTOHOME.INC
        renew until 03/06/14 18:35:48
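Most failures of the `kinit` test and of the `net ads join` that follows come from the two files above disagreeing with each other: a lower-case realm in smb.conf, `security` left at `user`, or `dns_lookup_kdc = false` without a `kdc` entry for the realm. The script below is an added example (not part of the original post) that cross-checks a copy of smb.conf against a copy of krb5.conf and encodes the rules the post states: the realm must be upper case and match `default_realm`, `security` must be `ads`, and the clock skew tolerance must not exceed the 300 s the domain controller allows. The `ini_get`, `krb5_realm_kdc` and `check_ad_config` function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Consistency checks between smb.conf and krb5.conf before the AD join in
# sections 1.3 and 1.4 (added example, not part of the original post).

# Print the last value of KEY in [SECTION] of an INI-style file. Sections
# and keys are compared case-insensitively; '#' and ';' lines are ignored.
# Exit status 1 when the key is absent.
ini_get() {
    awk -v sec="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        function trim(x) { sub(/^[[:space:]]+/, "", x); sub(/[[:space:]]+$/, "", x); return x }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); s = tolower(s); next }
        s == sec && index($0, "=") {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            if (k == key) { val = trim(substr($0, index($0, "=") + 1)); found = 1 }
        }
        END { if (!found) exit 1; print val }' "$1"
}

# Print the kdc entries of REALM from the [realms] block of a krb5.conf
# (handles the "REALM = { ... }" nesting that ini_get does not).
krb5_realm_kdc() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); s = tolower(s); inrealm = 0; next }
        s == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" { print $3; found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Run all checks on SMB_CONF KRB5_CONF; prints one line per problem and
# returns the number of failures (0 means consistent).
check_ad_config() {
    smb=$1; krb=$2; fails=0
    realm=$(ini_get "$smb" global realm) || realm=""
    default_realm=$(ini_get "$krb" libdefaults default_realm) || default_realm=""
    security=$(ini_get "$smb" global security | tr 'A-Z' 'a-z')
    workgroup=$(ini_get "$smb" global workgroup) || workgroup=""
    skew=$(ini_get "$krb" libdefaults clockskew) || skew=300   # MIT default is 300 s
    lookup_kdc=$(ini_get "$krb" libdefaults dns_lookup_kdc | tr 'A-Z' 'a-z')

    [ -n "$realm" ] || fail "smb.conf has no realm"
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || fail "realm '$realm' is not upper case"
    [ "$realm" = "$default_realm" ] || fail "smb.conf realm '$realm' != krb5.conf default_realm '$default_realm'"
    [ "$security" = "ads" ] || fail "security must be ads, found '$security'"
    [ "$skew" -le 300 ] 2>/dev/null || fail "clockskew '$skew' exceeds the 300 s the DC tolerates"
    if [ "$lookup_kdc" = "false" ]; then
        krb5_realm_kdc "$krb" "$realm" >/dev/null || fail "dns_lookup_kdc is false but no kdc is listed for $realm"
    fi
    # Advisory only: the NetBIOS domain usually equals the realm's first label.
    [ "$workgroup" = "${realm%%.*}" ] || echo "WARN: workgroup '$workgroup' differs from realm label '${realm%%.*}'"
    [ "$fails" -eq 0 ] && echo "OK: $smb and $krb are consistent"
    return "$fails"
}

# Write constructed sample configs (values from the post) into DIR.
write_samples() {
    printf '%s\n' '[global]' 'workgroup = CORP' 'realm = CORP.AUTOHOME.INC' \
        'security = ADS' 'winbind use default domain = no' > "$1/smb.conf"
    printf '%s\n' '[libdefaults]' 'default_realm = CORP.AUTOHOME.INC' \
        'dns_lookup_kdc = false' 'clockskew = 300' '[realms]' \
        'CORP.AUTOHOME.INC = {' '  kdc = autohome-ad.corp.autohome.inc' '}' > "$1/krb5.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_ad_config "$tmp/smb.conf" "$tmp/krb5.conf" || echo "-> $? problem(s) found"
# Same files with the realm in lower case, the mistake the post warns about.
sed 's/^realm = .*/realm = corp.autohome.inc/' "$tmp/smb.conf" > "$tmp/smb-lowercase.conf"
check_ad_config "$tmp/smb-lowercase.conf" "$tmp/krb5.conf" || echo "-> $? problem(s) found"
rm -rf "$tmp"
```

On the VPN server itself, `check_ad_config /etc/samba/smb.conf /etc/krb5.conf` is the call to make right before `kinit`; a non-zero return lists exactly which setting to fix.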
1.4 Join the CORP domain and test
1) Join the CORP domain
[root@localhost samba]# net ads join -U administrator@CORP.AUTOHOME.INC
Enter administrator@CORP.AUTOHOME.INC's password:
Using short domain name -- CORP
Joined 'pptpd-vpn' to dns domain 'corp.autohome.inc'
No DNS domain configured for pptpd-vpn. Unable to perform DNS Update.
DNS update failed!
2) Enable the services and test winbind
Enable the Samba and winbind services:
# /etc/init.d/smb start
# /etc/init.d/nmb start
# /etc/init.d/winbind start
Test whether winbind works properly:
[root@test-centos ~]# wbinfo -t    # test whether the domain join succeeded
checking the trust secret for domain CORP via RPC calls succeeded
# wbinfo -g    # list domain groups
# wbinfo -u    # list domain users
# wbinfo -m    # list the joined (trusted) domains
BUILTIN
PPTPD-VPN
CORP
Set the services to start at boot:
# chkconfig winbind on
# chkconfig nmb on
# chkconfig smb on