1. Lab environment
Windows Server 2012 R2 (192.168.33.138), the Active Directory domain controller for test.com
CentOS 7.5 (192.168.33.151), the FreeRADIUS server
FreeRADIUS 3.0.13
Samba 4.10.16
2. Base configuration
Install CentOS 7.5 and turn off firewalld and SELinux. This is acceptable for a lab; on a real server open only UDP 1812/1813 for RADIUS instead of disabling the firewall.
[root@localhost ~]# systemctl stop firewalld        // stop the firewall
[root@localhost ~]# systemctl disable firewalld     // keep it from starting at boot
[root@localhost ~]# setenforce 0                    // switch SELinux to permissive for the running system
[root@localhost ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config   // disable SELinux at boot (match the SELINUX= key instead of hard-coding line 7)
Change the hostname to centos and reboot.
Add the following entries to /etc/hosts so that the RADIUS server resolves the domain controller's FQDN (and its own). Also make sure the clock is synchronised with the DC: Kerberos rejects tickets when the skew exceeds 5 minutes, and the domain join below depends on Kerberos.
192.168.33.151 centos.test.com centos
192.168.33.138 WIN-VB396MF1ULA.test.com
3. Install Samba and Kerberos
Install Samba and edit /etc/samba/smb.conf. For the domain join in section 4 to work, the [global] section must use security = ads, the realm TEST.COM and the NetBIOS name of the domain as the workgroup.
[root@centos ~]# yum install samba.x86_64 -y
[root@centos ~]# vim /etc/samba/smb.conf
Install the Kerberos packages and edit /etc/krb5.conf so that the default realm is TEST.COM and the realm's KDC is the Windows domain controller. Note that krb5-server is a KDC (it is installed here but the Windows DC is the KDC in this setup, so it is not needed); what the RADIUS server actually uses is the client side, krb5-workstation, which provides kinit and klist.
[root@centos ~]# yum install krb5-server.x86_64 -y
[root@centos ~]# vim /etc/krb5.conf
/var/kerberos/krb5kdc/kdc.conf only matters if you run a local KDC, which this setup does not; it can be left at its defaults.
[root@centos ~]# vim /var/kerberos/krb5kdc/kdc.conf
4. Install FreeRADIUS and winbind
[root@centos ~]# yum install freeradius freeradius-utils samba-winbind krb5-server krb5-workstation -y
Edit /etc/nsswitch.conf and add winbind to the passwd and group lines so that domain users and groups resolve on the CentOS host.
[root@centos ~]# vim /etc/nsswitch.conf
You can test a domain account with Kerberos first (kinit); note that the realm suffix must be uppercase, i.e. user@TEST.COM, not user@test.com.
Join centos to our domain TEST.COM. The command prompts for the Administrator password and needs the smb.conf settings from section 3 and a clock in sync with the DC.
[root@centos ~]# net ads join -U Administrator
Install samba-winbind-clients.x86_64 and test a domain account through winbind. winbind must be running (systemctl enable --now winbind) for this to work; NT_STATUS_OK: Success (0x0) means the DC accepted the credentials. A password passed as --password= lands in the shell history and is visible in ps, so use a throwaway test account for this.
[root@centos ~]# yum install -y samba-winbind-clients.x86_64
[root@centos ~]# ntlm_auth --request-nt-key --domain=TEST.COM --username=test222 --password=Password1
Configure RADIUS
Edit /etc/raddb/mods-enabled/ntlm_auth: set program to the full path of ntlm_auth with --domain=TEST.COM, and keep wait = yes so that the module's exit code decides the result. radiusd does not run as root, so it also needs access to winbind's privileged pipe; on CentOS add the radiusd user to the wbpriv group (usermod -a -G wbpriv radiusd), otherwise requests fail with NT_STATUS_ACCESS_DENIED even though the same ntlm_auth command works as root.
[root@centos ~]# vim /etc/raddb/mods-enabled/ntlm_auth
Edit /etc/raddb/sites-available/default and /etc/raddb/sites-enabled/inner-tunnel
// in the authorize section enable ntdomain (just remove the # in front of it) so that DOMAIN\user names are split before authentication
// in the authenticate section add ntlm_auth
[root@centos ~]# vim /etc/raddb/sites-available/default
[root@centos ~]# vim /etc/raddb/sites-enabled/inner-tunnel
Edit /etc/raddb/mods-config/files/authorize and add the following entry so that every user is authenticated through ntlm_auth:
[root@centos ~]# vim /etc/raddb/mods-config/files/authorize
DEFAULT Auth-Type = ntlm_auth
After restarting the radius service, run the following commands. testing123 is the client secret that FreeRADIUS ships for localhost in /etc/raddb/clients.conf; change it before letting any other client talk to the server. A reply of Received Access-Accept means ntlm_auth accepted the domain credentials; if you get Access-Reject or no reply, run radiusd -X in the foreground to see the module output.
[root@centos ~]# systemctl restart radiusd
[root@centos ~]# radtest test222 Password1 127.0.0.1 0 testing123
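The following script is an added example and not part of the original tutorial. It ties together the two checks from this page: it renders the ntlm_auth exec module in the form FreeRADIUS expects (the module file this page edits by hand), then verifies the domain join and exercises both ntlm_auth and radtest, mapping their output to a short verdict. It assumes the domain TEST.COM, the FreeRADIUS config directory /etc/raddb, the ntlm_auth binary at /usr/bin/ntlm_auth and the client secret in $RADIUS_SECRET (defaulting to the stock testing123); all of these are assumptions and can be overridden through the environment.

```bash
#!/bin/bash
# Added example, not from the original tutorial: render the FreeRADIUS
# ntlm_auth module and check the winbind -> ntlm_auth -> radtest chain.
# Assumptions (override via environment): domain TEST.COM, config under
# /etc/raddb, ntlm_auth at /usr/bin/ntlm_auth, secret in $RADIUS_SECRET.
set -u

DOMAIN="${DOMAIN:-TEST.COM}"
RADDB="${RADDB:-/etc/raddb}"
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"

# Write mods-available/ntlm_auth and enable it. wait = yes makes the exec
# module wait for ntlm_auth to exit, so a non-zero exit code rejects the user.
# %{mschap:User-Name} strips a DOMAIN\ prefix or @realm suffix so winbind
# receives the bare account name; the domain itself is fixed by --domain.
render_ntlm_auth_module() {
  local raddb="$1" domain="$2" bin="$3"
  mkdir -p "$raddb/mods-available" "$raddb/mods-enabled"
  cat > "$raddb/mods-available/ntlm_auth" <<EOF
exec ntlm_auth {
    wait = yes
    program = "$bin --request-nt-key --domain=$domain --username=%{mschap:User-Name} --password=%{User-Password}"
}
EOF
  ln -sfn ../mods-available/ntlm_auth "$raddb/mods-enabled/ntlm_auth"
}

# Map ntlm_auth's status line to a short verdict.
classify_ntlm_auth() {
  case "$1" in
    *NT_STATUS_OK*)            echo ok ;;
    *NT_STATUS_LOGON_FAILURE*) echo bad-credentials ;;
    *NT_STATUS_ACCESS_DENIED*) echo no-pipe-access ;;  # caller not allowed on the winbind privileged pipe
    *)                         echo unknown ;;
  esac
}

# Map radtest output to a short verdict.
classify_radtest() {
  case "$1" in
    *"Received Access-Accept"*) echo accept ;;
    *"Received Access-Reject"*) echo reject ;;
    *"No reply from server"*)   echo noreply ;;  # wrong client secret, or radiusd not listening
    *)                          echo unknown ;;
  esac
}

# Live checks: require a joined winbind and a running radiusd.
# wbinfo -t verifies the machine trust secret, net ads testjoin the join itself.
check_join() {
  wbinfo -t && net ads testjoin
}

# The password is read from the terminal so it stays out of the shell history;
# it is still visible in the process list while ntlm_auth and radtest run.
live_check() {
  local user="$1" secret="${RADIUS_SECRET:-testing123}" pw out
  IFS= read -r -s -p "Password for $DOMAIN\\$user: " pw; echo
  out=$("$NTLM_AUTH_BIN" --request-nt-key --domain="$DOMAIN" --username="$user" --password="$pw" 2>&1)
  echo "ntlm_auth: $(classify_ntlm_auth "$out")"
  out=$(radtest "$user" "$pw" 127.0.0.1 0 "$secret" 2>&1)
  echo "radtest:   $(classify_radtest "$out")"
}

# Usage: ./radius-check.sh render          -> write the module config into $RADDB
#        ./radius-check.sh check test222   -> verify the join and test one user
case "${1:-}" in
  render) render_ntlm_auth_module "$RADDB" "$DOMAIN" "$NTLM_AUTH_BIN" ;;
  check)  check_join && live_check "$2" ;;
esac
```

Run it as root on the CentOS host: render first, restart radiusd, then check with a test account. A no-pipe-access verdict from ntlm_auth points at the wbpriv group membership of the radiusd user; a noreply verdict from radtest almost always means the client secret does not match clients.conf.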