
Linux VPN (PPTPD) + Windows AD unified authentication

Time: 2014-11-30 15:44  Source: linux.it.net.cn  Author: IT

Topology:

[Topology diagram: Linux VPN (PPTPD) + Windows AD unified authentication]

Notes: the company intranet must already have an Active Directory domain;

the two front-end VPN servers run Linux;

green lines show the physical network links;

red lines show the authentication path.

When a user requests a VPN connection they log in with their domain account. DNSPod determines whether the client is on China Telecom or China Unicom (Netcom) and hands the request to the corresponding VPN server; the VPN server's internal configuration then forwards the credentials to AD, which checks the username and password. If the check succeeds the user logs in and can use the VPN normally; otherwise authentication fails and access is denied.

The following is the configuration for a single VPN server; both servers are configured identically.

1 Set up the system environment and join the domain

1.1 Initialise the environment

1) System version

[root@test-CentOS ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)

2) Disable SELinux (leaving it enabled interferes with Winbind-based user authentication)

# vim /etc/selinux/config
SELINUX=disabled

3) Configure DNS (the DNS server here must be the AD DNS server, otherwise the domain join later will fail)

# vim /etc/resolv.conf
search corp.autohome.inc
nameserver 10.168.0.104

4) Enable IP packet forwarding (off by default)

# vim /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# sysctl -p
net.ipv4.ip_forward = 1

 

5) Confirm that the Linux kernel supports iptable_nat and PPP

[root@test-centos ~]# modprobe iptable_nat
[root@test-centos ~]# lsmod | grep iptable
iptable_nat 6158 1
nf_nat 22759 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 9506 4 iptable_nat,nf_nat
nf_conntrack 79758 5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
iptable_filter 2793 1
ip_tables 17831 2 iptable_nat,iptable_filter
[root@test-centos ~]# dmesg | grep PPP
PPP generic driver version 2.4.2

6) Synchronise the clock (the time difference between the Linux server and the domain must not exceed 5 minutes)

echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root

 

1.2 Install the required components

1) Install the EPEL repository

# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

2) Install PPTP, Samba, heartbeat and Kerberos

# yum install pptpd ppp samba samba-common samba-client heartbeat krb5-libs krb5-workstation krb5-devel -y

1.3 Samba and Kerberos configuration

1) Make the following changes to the Samba configuration file:

[root@test-centos ~]# cat /etc/samba/smb.conf | grep -v "^$"
[global]
# define the netbios name of the domain
workgroup = CORP
# define the pptp server netbios name
netbios name = test-centos
# server description
server string = pptpd server
# define the AD domain name
realm = CORP.AUTOHOME.INC
# printer stuff
printcap name = /etc/printcap
load printers = no
# log file stuff
log file = /var/log/samba/%m.log
max log size = 50
# must set to ads
security = ADS
# enable encrypt passwords
encrypt passwords = yes
# not to be a master browser
domain master = no
preferred master = no
# winbind stuff
idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind refresh tickets = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U

 

2) Configure Kerberos

[root@test-centos ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CORP.AUTOHOME.INC
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 300

[realms]
CORP.AUTOHOME.INC = {
  kdc = autohome-ad.corp.autohome.inc
  admin_server = 10.168.0.104
}

corp.autohome.inc = {
  kdc = autohome-ad.corp.autohome.inc
  admin_server = autohome-ad.corp.autohome.inc
}

[domain_realm]
corp.autohome.inc = CORP.AUTOHOME.INC
.corp.autohome.inc = CORP.AUTOHOME.INC

[appdefaults]
pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  retain_after_close = false
  minimum_uid = 0
  try_first_pass = true
}
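Added example (not code from the original article): a small Python check, run before kinit, that cross-checks smb.conf against krb5.conf for the mismatches that most often break the domain join: a missing or lowercase realm, a realm that differs from default_realm, a missing [realms] block, security not set to ADS, and a clockskew above the 5-minute limit mentioned above. The sample inputs are constructed from the values on this page, and the parser is a deliberately minimal reader, not Samba's or MIT Kerberos's own.

```python
# Constructed sample inputs using the values this page uses (not the real files).
SMB_CONF = """[global]
workgroup = CORP
realm = CORP.AUTOHOME.INC
security = ADS
"""
KRB5_CONF = """[libdefaults]
default_realm = CORP.AUTOHOME.INC
clockskew = 300
[realms]
CORP.AUTOHOME.INC = {
kdc = autohome-ad.corp.autohome.inc
}
"""

def parse_conf(text):
    # Minimal smb.conf/krb5.conf reader: {section: {key: value}}. A krb5
    # 'NAME = {' line is kept (case intact) under '_blocks'; its body is flattened.
    sections, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;}":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, {"_blocks": []})
        elif "=" in line and cur is not None:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                sections[cur]["_blocks"].append(key)
            else:
                sections[cur][key.lower()] = value
    return sections

def check_ad_join_config(smb_text, krb5_text):
    # Returns the mismatches that typically break 'net ads join' / winbind; [] if consistent.
    smb, krb = parse_conf(smb_text).get("global", {}), parse_conf(krb5_text)
    libdefaults, realms = krb.get("libdefaults", {}), krb.get("realms", {})
    realm, problems = smb.get("realm", ""), []
    if not realm or realm != realm.upper():
        problems.append(f"smb.conf realm '{realm}' must be set and uppercase")
    if realm != libdefaults.get("default_realm"):
        problems.append("smb.conf realm and krb5.conf default_realm differ")
    if realm not in realms.get("_blocks", []):
        problems.append(f"krb5.conf has no [realms] block for '{realm}'")
    if smb.get("security", "").upper() != "ADS":
        problems.append("smb.conf security must be ADS for a domain member")
    if int(libdefaults.get("clockskew", "300")) > 300:
        problems.append("krb5.conf clockskew exceeds the 5-minute tolerance AD enforces")
    return problems
```

Call check_ad_join_config() with the contents of the real /etc/samba/smb.conf and /etc/krb5.conf; an empty list means the two files agree on the realm.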

3) Test Kerberos (note that the realm name must be uppercase)

[root@test-centos ~]# kinit -V administrator@CORP.AUTOHOME.INC
Using default cache: /tmp/krb5cc_0
Using principal: administrator@CORP.AUTOHOME.INC
Password for administrator@CORP.AUTOHOME.INC:
Authenticated to Kerberos v5
[root@test-centos ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.AUTOHOME.INC

Valid starting     Expires            Service principal
02/27/14 18:35:48  02/28/14 04:36:26  krbtgt/CORP.AUTOHOME.INC@CORP.AUTOHOME.INC
        renew until 03/06/14 18:35:48

1.4 Join the CORP domain and test

1) Join the CORP domain

[root@localhost samba]# net ads join -U administrator@CORP.AUTOHOME.INC
Enter administrator@CORP.AUTOHOME.INC's password:
Using short domain name -- CORP
Joined 'PPTPD-VPN' to dns domain 'corp.autohome.inc'
No DNS domain configured for pptpd-vpn. Unable to perform DNS Update.
DNS update failed!

2) Start the services and test winbind

Start the samba and winbind services:

# /etc/init.d/smb start
# /etc/init.d/nmb start
# /etc/init.d/winbind start

Check that winbind is working:

[root@test-centos ~]# wbinfo -t    # check that the domain join succeeded
checking the trust secret for domain CORP via RPC calls succeeded
# wbinfo -g    # list the domain groups
# wbinfo -u    # list the domain users
# wbinfo -m    # list the domains that have been joined
BUILTIN
PPTPD-VPN
CORP

Enable the services at boot:

# chkconfig winbind on
# chkconfig nmb on
# chkconfig smb on

 