Active_Directory

Introduction

Follow these steps to configure your Gentoo system so you can log into it through ssh using your Active Directory credentials.

Step ONE - Requisites

Let's make sure we compile our cute openssh daemon with PAM support

# echo net-misc/openssh pam >> /etc/portage/packages.use
# emerge -av --update --newuse --deep openssh

Step TWO - Installation

Emerge samba with winbind support

# echo net-fs/samba winbind ldap >> /etc/portage/package.use
# emerge -av samba

Step THREE - Configuration

Winbind

If you don't need to share any folders on the Linux side, set the daemon_list option in /etc/conf.d/samba to winbind, otherwise to smbd nmbd winbind.

Samba

Now create a home directory for your domain with mkdir /home/<YOUR_DOMAIN> and edit /etc/samba/smb.conf:

 workgroup = <YOUR_DOMAIN_NAME>
 server string = Gentoo
 security = DOMAIN
 encrypt passwords = true
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 netbios name = <YOUR_LINUX_HOSTNAME>
 winbind separator = /

Join the Domain

Run net join -S <YOUR_DC> -U <AD_ADMIN_USER>

NSS

You need to add winbind to NSS to make things work. To do so, edit /etc/nsswitch.conf:

 passwd:  compat '''winbind'''
 shadow:  compat '''winbind'''
 group:   compat '''winbind'''

 hosts:   files '''wins''' dns

PAM

Edit /etc/pam.d/system-auth:

 #%PAM-1.0
 auth       required     pam_env.so
 '''auth       sufficient   pam_winbind.so'''
 auth       sufficient   pam_unix.so '''use_first_pass''' likeauth nullok
 auth       required     pam_deny.so
 account    required     pam_unix.so
 password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 password   sufficient   pam_unix.so nullok md5 shadow use_authtok
 password   required     pam_deny.so
 session    required     pam_limits.so
 session    required     pam_unix.so
 '''session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077'''

Step FOUR - Finishing

# /etc/init.d/ssh restart
# /etc/init.d/samba restart