Using winbind in CentOS 6 for Active Directory Authentication
It's been a while since I've had to integrate a Windows AD deployment with Linux so I figured I'd take stock of the choices that seemed to be 'preferred' by folks these days. I remember reading about winbind years ago but going a different route (primarily pam_ldap) for authentication needs. Having a fresh pair of eyes on the situation, I thought I'd give it a shot.
To my surprise, I think the winbind route is actually much more straightforward and provides deeper integration than simply using a pam_ldap integration. Below are my notes from a deployment I did, with [brackets] around items you need to configure for your specific deployment. I've tested these and now deployed to production, so hopefully they are quickly useful without too much of a headache.
Also, pay attention to capitalization, especially with respect to smb.conf, krb5.conf, and when you run the 'net ads join ...' command.
Install Required Packages:
# yum install samba samba-winbind oddjob-mkhomedir
/etc/samba/smb.conf
[global]
log file = /var/log/samba/log.%m
max log size = 50
security = ads
netbios name = [NETBIOS NAME FOR HOST]
realm = [REALM.INTERNAL]
password server = [ad-host.realm.internal]
workgroup = [DOMAIN]
idmap uid = 10000-500000
idmap gid = 10000-500000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
/etc/nsswitch.conf:
Change the following lines in your configuration to include winbind:
passwd: files winbind
group: files winbind
/etc/krb5.conf:
[libdefaults]
ticket_lifetime = 24000
default_realm = [REALM.INTERNAL]
[realms]
[REALM.INTERNAL] = {
kdc = [ad-host.realm.internal]
admin_server = [ad-host.realm.internal]
default_domain = [realm.internal]
}
[domain_realm]
.[realm.internal] = [REALM.INTERNAL]
[realm.internal] = [REALM.INTERNAL]
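Since a capitalization slip in either file only shows up later as a failed join or Kerberos errors, here is an added check (my example, not from the original post) that reads smb.conf and krb5.conf and verifies the realm, workgroup, [realms] stanza and [domain_realm] mappings agree and use upper case where Kerberos expects it. The sample configs it writes are constructed; EXAMPLE.INTERNAL and dc1.example.internal are made-up names.

```bash
#!/bin/bash
# Added example, not from the original post: before running 'net ads join',
# check that the realm settings in smb.conf and krb5.conf agree and use the
# capitalization Kerberos expects. Sample configs are constructed below so
# the check can be exercised offline; the hostnames and realm are made up.

# Print the value of "key = value" from an INI-style file (first match wins).
ini_get() { # $1=file $2=key
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Report each inconsistency; the return value is the number of problems (0 = OK).
check_realm_config() { # $1=smb.conf $2=krb5.conf
    local smb="$1" krb="$2" errors=0 realm kdefault wg
    realm=$(ini_get "$smb" realm)
    kdefault=$(ini_get "$krb" default_realm)
    wg=$(ini_get "$smb" workgroup)
    [ -n "$realm" ] || { echo "$smb: no realm set"; return 1; }
    # Kerberos realm names are case-sensitive; AD realms are upper case.
    [ "$realm" = "$(upper "$realm")" ] || { echo "$smb: realm not upper case: $realm"; errors=$((errors+1)); }
    [ "$wg" = "$(upper "$wg")" ] || { echo "$smb: workgroup not upper case: $wg"; errors=$((errors+1)); }
    [ "$realm" = "$kdefault" ] || { echo "realm ($realm) != default_realm ($kdefault)"; errors=$((errors+1)); }
    # [realms] needs a stanza keyed by the upper-case realm ...
    grep -qE "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*[{]" "$krb" \
        || { echo "$krb: no [realms] stanza for $realm"; errors=$((errors+1)); }
    # ... and [domain_realm] must map the lower-case DNS domain onto it.
    grep -qE "^[[:space:]]*\.?$(lower "$realm")[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$krb" \
        || { echo "$krb: $(lower "$realm") is not mapped to $realm"; errors=$((errors+1)); }
    return "$errors"
}

# Write constructed sample configs into directory $1. With $2=bad, smb.conf
# carries the classic slip the post warns about: a lower-case realm.
write_sample_configs() { # $1=dir $2=good|bad
    local realm=EXAMPLE.INTERNAL
    if [ "$2" = bad ]; then realm=example.internal; fi
    printf '[global]\n  security = ads\n  realm = %s\n  workgroup = EXAMPLE\n' "$realm" > "$1/smb.conf"
    printf '[libdefaults]\n  default_realm = EXAMPLE.INTERNAL\n[realms]\n  EXAMPLE.INTERNAL = {\n    kdc = dc1.example.internal\n  }\n[domain_realm]\n  .example.internal = EXAMPLE.INTERNAL\n  example.internal = EXAMPLE.INTERNAL\n' > "$1/krb5.conf"
}

# Usage on a real host: check_realm_config /etc/samba/smb.conf /etc/krb5.conf
```

A lower-case realm in smb.conf alone trips four of the checks, because the [realms] and [domain_realm] lookups are case-sensitive too.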
Start Samba:
# service smb start; chkconfig smb on
Join Machine to Domain:
# net ads join -U [your AD account]@[REALM.INTERNAL]
Start winbind & Message Bus (DBUS):
# service winbind start; chkconfig winbind on
# service messagebus start; chkconfig messagebus on
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf:
Change both lines like this to contain the new umask shown...
<helper exec="/usr/libexec/oddjob/mkhomedir -u 0077"
Start Oddjob Daemon:
# service oddjobd restart; chkconfig oddjobd on
You should now be able to authenticate using your Active Directory users if configured properly. Check /var/log/messages and /var/log/samba/* if you need to debug.