2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Note: This tutorial is also cobbled together from the Internet. I have tested it over and over again, and I have concluded that it lets us avoid a lot of pitfalls; thanks to the original authors.
I. Introduction to the company's network environment:
1. The H3C MSR router connects to the public network through its GigabitEthernet 0/2 port; the public IP address is fixed: 111.198.18.XX
2. PDC domain controller (also the DNS server): 10.1.0.1
BDC backup domain controller: 10.1.0.5
3. PPTPD VPN server, a virtual machine created on the vSphere ESXi host:
CentOS 7.7 1908, private network address 10.1.0.24
4. Client used for verification: Windows 7.
II. Join CentOS to the AD domain through the Samba + Winbind service:
1. Basic environment preparation:
⑴ Modify the NIC configuration and add the DNS address, which is the domain controller's address:
# vim /etc/sysconfig/network-scripts/ifcfg-ens192
⑵ Modify SELinux:
# vim /etc/sysconfig/selinux
To take effect immediately:
# setenforce 0
⑶ Temporarily disable the firewall (it will be enabled again later):
# systemctl stop firewalld && systemctl disable firewalld
2. Install the software required for Samba with yum (the Aliyun yum source was configured beforehand; that step is skipped here):
# yum -y install pam_krb5* krb5-libs* krb5-workstation* krb5-devel* samba samba-winbind* samba-client* samba-swat* ntpdate*
After the installation is complete, start the relevant services:
# systemctl restart smb nmb; systemctl restart winbind
3. Synchronize time with the AD domain:
# ntpdate 10.1.0.5
4. Related configuration:
⑴ Modify smb.conf; only the [global] section is modified and extended:
# vim /etc/samba/smb.conf
[global]
workgroup = TEST
realm = TEST.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = true
winbind offline logon = true
server string = pptpd server
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
encrypt passwords = yes
printing = cups
printcap name = cups
load printers = yes
⑵ Modify nsswitch.conf (add winbind to the passwd and group lookups):
# vim /etc/nsswitch.conf
⑶ Modify krb5.conf:
# vim /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = TEST.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
TEST.COM = {
kdc = 10.1.0.1
admin_server = 10.1.0.1
}
[domain_realm]
# map the DNS domain to the realm (replace the stock template's example.com entries)
.test.com = TEST.COM
test.com = TEST.COM
5. Join the AD domain:
# net ads join -U administrator
After joining, restart the following services (note: it is best not to restart the services together, or an error may be reported):
# systemctl restart smb
# systemctl restart winbind
6. Test the winbind service:
# wbinfo -t // test whether communication succeeds and the trust relationship is established
# wbinfo -u // test whether user accounts in the domain are synchronized
# wbinfo -g // test whether domain group information is synchronized
7. Test the Kerberos service:
# kinit test1 // test user
8. If joining the domain fails, try the following commands:
⑴ Clean up the cache first:
# rm -rf /var/lib/samba/private/secrets.tdb
# rm -rf /var/lib/samba/gencache.tdb
⑵ Leave the domain with Samba:
# net ads leave -U administrator
9. Firewall configuration commands:
# systemctl restart firewalld; systemctl enable firewalld
# firewall-cmd --permanent --add-service=samba // add the samba service
# firewall-cmd --reload
10. Common commands:
⑴ Reload the configuration of smbd, nmbd and winbindd by sending the reload-config message type to the "all" destination:
# smbcontrol all reload-config
⑵ Test the Samba configuration parameters:
# testparm /etc/samba/smb.conf
⑶ Join the AD domain:
# net ads join -U "DOMAIN\administrator"
III. Set up the server through PPTPD:
1. PPTPD server installation:
⑴ Check the server's system version:
# cat /etc/redhat-release
⑵ Check the IP address information:
# ip addr
⑶ Check whether PPP is enabled:
# cat /dev/ppp
# modprobe ppp-compress-18 && echo ok
⑷ Install PPP:
# yum install -y ppp
⑸ Install PPTPD:
① Install wget:
# yum install -y wget
② Download the EPEL source:
# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
③ Install the EPEL source:
# rpm -ivh epel-release-latest-7.noarch.rpm
④ Check the sources:
# yum repolist
⑤ Update the source list:
# yum -y update
⑹ Set the private IP address range of the VPN:
# vim /etc/pptpd.conf
Delete the # in front of the following two lines and configure the VPN's IP segment (you can also choose your own):
localip 10.1.0.24 // private IP address of the VPN server
remoteip 10.1.2.100-150 // address range handed out to VPN clients
⑺ Configure options.pptpd:
# vi /etc/ppp/options.pptpd
① Modify DNS (AliDNS):
ms-dns 223.5.5.5
ms-dns 223.6.6.6
② Modify the log location:
nologfd
logfile /var/log/pptpd.log
③ Load the AD authentication module, which verifies AD domain accounts; it is very important that it is copied to the appropriate location:
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
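As an added check covering both the krb5.conf realm mapping in II.4 and the winbind lines in options.pptpd above (an example script written for this page, not part of the original tutorial): each function reads a config file and returns non-zero when a setting the rest of the procedure depends on is missing. The file paths and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the AD join and
# PPTPD/winbind configuration. Paths are parameters so the checks can run against
# copies; the sample files at the bottom are constructed for the demonstration.
set -u

# Read "key = value" from a config file (first match; key anchored at line start).
conf_value() {                   # usage: conf_value file key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 1. smb.conf must use ADS security and its realm must equal krb5.conf's default_realm.
check_realm_match() {            # usage: check_realm_match smb.conf krb5.conf
    [ "$(conf_value "$1" security)" = "ads" ] || return 1
    smb_realm=$(conf_value "$1" realm)
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$(conf_value "$2" default_realm)" ]
}

# 2. [domain_realm] must map the realm's own DNS domain (test.com -> TEST.COM);
#    the stock template maps example.com, which is the trap in the post's krb5.conf.
check_domain_realm() {           # usage: check_domain_realm krb5.conf
    realm=$(conf_value "$1" default_realm)
    dom=$(printf '%s' "$realm" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    [ -n "$realm" ] && grep -q "^[[:space:]]*\.$dom[[:space:]]*=[[:space:]]*$realm\$" "$1"
}

# 3. options.pptpd must load winbind.so and hand authentication to ntlm_auth in
#    ntlm-server-1 mode; otherwise pppd authenticates only against chap-secrets.
check_pptpd_winbind() {          # usage: check_pptpd_winbind options.pptpd
    grep -q '^plugin[[:space:]]*winbind\.so' "$1" &&
        grep -q '^ntlm_auth-helper.*--helper-protocol=ntlm-server-1' "$1"
}

# Run all checks against one directory; prints what failed, exit status 1 on failure.
run_checks() {                   # usage: run_checks dir
    rc=0
    check_realm_match "$1/smb.conf" "$1/krb5.conf" || { echo "realm mismatch or security != ads"; rc=1; }
    check_domain_realm "$1/krb5.conf"               || { echo "domain_realm does not map the realm"; rc=1; }
    check_pptpd_winbind "$1/options.pptpd"          || { echo "winbind plugin not configured"; rc=1; }
    return $rc
}

# Constructed sample files reproducing the tutorial's settings (krb5.bad keeps the example.com mapping).
tmp=$(mktemp -d)
printf '[global]\nworkgroup = TEST\nrealm = TEST.COM\nsecurity = ads\n' > "$tmp/smb.conf"
printf '[libdefaults]\ndefault_realm = TEST.COM\n[domain_realm]\n.test.com = TEST.COM\n' > "$tmp/krb5.conf"
printf '[libdefaults]\ndefault_realm = TEST.COM\n[domain_realm]\n.example.com = TEST.COM\n' > "$tmp/krb5.bad"
printf 'plugin winbind.so\nntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"\n' > "$tmp/options.pptpd"
run_checks "$tmp" && echo "all checks passed"
```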
⑻ Set local VPN accounts (for users without an AD domain environment; since we log in to the VPN with AD domain accounts, this is not needed here):
# vim /etc/ppp/chap-secrets
# user   server   password   allowed IP
user1    pptpd    123        * // * means any IP may connect to the VPN
⑼ Add a forwarding policy: append net.ipv4.ip_forward=1 at the bottom of sysctl.conf:
# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
# sysctl -p // enter this command to make it effective
⑽ Modify the firewall rules:
Create a service definition file and add the following content:
# touch /usr/lib/firewalld/services/pptpd.xml
# vim /usr/lib/firewalld/services/pptpd.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP</description>
  <port protocol="tcp" port="1723"/>
</service>
# systemctl restart firewalld // restart the firewall
① Add the service:
# firewall-cmd --permanent --zone=public --add-service=pptpd
② Allow the firewall to masquerade IP addresses:
# firewall-cmd --add-masquerade
③ Open ports 47 and 1723 (note: GRE is IP protocol number 47, not a TCP port, so the direct rules in ④ are what actually admit GRE traffic):
# firewall-cmd --permanent --zone=public --add-port=47/tcp
# firewall-cmd --permanent --zone=public --add-port=1723/tcp
④ Allow the GRE protocol:
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p gre -j ACCEPT
⑤ Set rules allowing packets in and out between the eth0 and ppp+ interfaces (note your own NIC name here; on this host it is ens192):
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ppp+ -o eth0 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o ppp+ -j ACCEPT
⑥ Set the forwarding rule: all packets from the source range are masqueraded, their source address rewritten, and sent out via eth0:
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.1.2.0/24
⑾ Enable the forwarding rule:
There are two forwarding rules. Here I am using the OpenVZ architecture, so enter the second command at the terminal:
① XEN architecture:
# iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
② OpenVZ architecture:
# iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -j SNAT --to-source 111.198.18.XX
// the VPN public IP should be replaced with your server's IP, e.g. 111.198.18.XX
⑿ Edit the rc.local file to add the forwarding rule:
① Give rc.local execute permission:
# chmod +x /etc/rc.d/rc.local
② Edit the rc.local file (the OpenVZ variant is used here):
# vim /etc/rc.d/rc.local
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -j SNAT --to-source 111.198.18.XX
# systemctl restart rc-local
⒀ Restart the service and enable it at boot:
# systemctl restart pptpd; systemctl enable pptpd
# firewall-cmd --reload
⒁ View the PPTPD service:
# ps aux | grep pptpd
2. Set NAT port mapping on the H3C MSR36-20 router (for other brands, search Baidu yourself):
[H3C] sys
[H3C] interface GigabitEthernet 0/2
[H3C] nat server protocol tcp global 111.198.18.XX 1723 inside 10.1.0.24 1723
[H3C] exit
[H3C] save f
[H3C] dis nat all // view all NAT entries
IV. Client VPN connection test (the configuration process is skipped here; the original post showed some test screenshots):
Through the VPN connection, you can reach the network share and ping the DC host.