
Notes on joining Debian 12 hosts to Active Directory (winbind)

These are the packages that need to be installed:

winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

As far as identity mapping goes, tdb handles machine-local users, while rid handles domain users and keeps the mapping consistent between different UNIX hosts. If consistency between hosts is not needed, or if users from multiple domains must be able to log in, use the autorid backend. If you took pains to ensure RFC2307 compatibility, feel free to use the ad backend.

In /etc/samba/smb.conf:

 [global]
        kerberos method = secrets and keytab
        realm = DOMAIN.TLD
        workgroup = DOMAIN
        security = ads
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 10000-19999

        template shell = /bin/bash

        winbind offline logon = yes
        winbind refresh tickets = yes


Then, to join the domain:

# net ads join -U Administrator

Restart winbind:

# systemctl restart winbind.service

To check that all is well:

# getent group

# getent passwd

See if domain users and groups show up.

If they don't, check /etc/nsswitch.conf; it should look like this:

passwd:         files systemd winbind
group:          files systemd winbind
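The idmap ranges in smb.conf above and the nsswitch.conf entries are the two things most often got wrong in this setup, so here is an added pre-flight check (example code, not from the original post) that parses both files before winbind is restarted. It runs against constructed sample files with a hypothetical domain named EXAMPLE; point the functions at the real /etc/samba/smb.conf and /etc/nsswitch.conf to use it.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the winbind
# setup above. Overlapping idmap ranges map different SIDs to the same UID/GID,
# so a domain account could end up owning files that belong to a local account.

# Print one "DOMAIN LOW HIGH" line per "idmap config <dom> : range = LOW-HIGH".
idmap_ranges() {
    awk -F'=' '$1 ~ /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*range[ \t]*$/ {
        dom = $1
        sub(/^[ \t]*idmap config[ \t]+/, "", dom); sub(/[ \t]*:.*$/, "", dom)
        rng = $2; gsub(/[ \t]/, "", rng); split(rng, r, "-")
        print dom, r[1], r[2]
    }' "$1"
}

# Exit 0 if no two idmap ranges in smb.conf overlap, 1 otherwise (naming the pair).
check_idmap_overlap() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
          if (lo[NR] > hi[NR]) { print "inverted range for " $1; bad = 1 } }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " dom[i] " and " dom[j]; bad = 1
                    }
            exit bad
        }'
}

# Exit 0 only if both the passwd and group databases in nsswitch.conf list winbind.
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Constructed sample inputs (hypothetical domain EXAMPLE, not a real deployment).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD_CONF="$WORK/smb-good.conf"; BAD_CONF="$WORK/smb-bad.conf"
NSS_OK="$WORK/nsswitch-ok.conf"; NSS_MISSING="$WORK/nsswitch-missing.conf"
printf '[global]\n\tidmap config * : range = 3000-7999\n\tidmap config EXAMPLE : backend = rid\n\tidmap config EXAMPLE : range = 10000-19999\n' > "$GOOD_CONF"
printf '[global]\n\tidmap config * : range = 3000-12000\n\tidmap config EXAMPLE : range = 10000-19999\n' > "$BAD_CONF"
printf 'passwd:         files systemd winbind\ngroup:          files systemd winbind\n' > "$NSS_OK"
printf 'passwd:         files systemd\ngroup:          files systemd\n' > "$NSS_MISSING"

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_idmap_overlap "$f"; then echo "$f: idmap ranges OK"; fi
done
check_nsswitch "$NSS_MISSING" || echo "$NSS_MISSING: winbind missing from passwd/group"
```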

Some quality-of-life improvements

To automatically create a home directory (in /home/<domain>/<sam account name>) for users that log in, append to /etc/pam.d/common-session:

...
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
...

Ensure the host knows its FQDN and is able to resolve/search the domain:

In /etc/hosts:

...
127.0.1.1 <fqdn> <hostname>
...

In /etc/resolv.conf:

...
nameserver <domain controller>
search <domain>
...

To add the Domain Admins group to sudoers, append the following via visudo:

%DOMAIN\\domain\ admins     ALL=(ALL:ALL) ALL

To restrict logon to specific groups or users, edit /etc/security/access.conf.

Thanks to the excellent documentation of the folks at https://www.server-world.info/!
