I’ve set up my own Active Directory domain using Samba 4 as the primary domain controller. The steps below are how I’ve been able to join client machines to that domain. There’s another method using SSSD as well, which I’ll post next. However, as far as I understand, the winbind solution is required if the client itself is to share folders to AD users via Samba. I might be wrong though.
All of the following runs as root on the client (Debian/Ubuntu). Replace XX and XX.EXAMPLE.ORG with your NetBIOS domain name and Kerberos realm.

```sh
apt update && apt upgrade
apt install vim samba libnss-winbind libpam-winbind

# Keep the packaged config for reference and start from a clean one
mv /etc/samba/smb.conf /etc/samba/old_smb.conf

cat <<EOT >/etc/samba/smb.conf
#======================= Global Settings =======================
[global]
   log file = /var/log/samba/%m.log
   log level = 1

   workgroup = XX
   security = ADS
   realm = XX.EXAMPLE.ORG

   #winbind refresh tickets = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Allow login without specifying the domain (user instead of XX\user)
   winbind use default domain = yes

   # For testing purposes only (remove for production), add these lines:
   winbind enum users = yes
   winbind enum groups = yes

   # Disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # Active Directory ID mapping
   # The '*' range catches BUILTIN and other non-domain SIDs. The domain range reads
   # uidNumber/gidNumber from AD (rfc2307), so AD users without those attributes
   # will not resolve. The two ranges must not overlap.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config XX : backend = ad
   idmap config XX : schema_mode = rfc2307
   idmap config XX : range = 10000-999999
   idmap config XX : unix_nss_info = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
EOT

cat <<EOT >/etc/krb5.conf
[libdefaults]
   default_realm = XX.EXAMPLE.ORG
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true
   dns_lookup_realm = false
   dns_lookup_kdc = true
EOT

# Add 'winbind' at the end of the passwd and group entries in /etc/nsswitch.conf,
# so they read for example:
#   passwd: files systemd winbind
#   group:  files systemd winbind
sed -i -E '/^(passwd|group):/ { /winbind/! s/$/ winbind/ }' /etc/nsswitch.conf

# Join the client to AD. This needs the AD DNS SRV records to resolve from the
# client (dns_lookup_kdc above) and a clock within Kerberos skew of the DC.
net ads join -U administrator

# Enable smbd to host files
systemctl enable smbd
systemctl start smbd

# Enable winbind to take care of authentication
systemctl enable winbind
systemctl start winbind

# With the enum options above, getent should list all AD users and groups.
getent passwd
getent group

# Allow sudo for Domain Admins. With 'winbind use default domain = yes' the group
# is named 'domain admins'; the backslash escapes the space. Drop the rule into
# sudoers.d and validate it rather than appending to /etc/sudoers unchecked.
echo '%domain\ admins ALL=(ALL) ALL' >/etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -cf /etc/sudoers.d/domain-admins
```
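Once the join is done, the two things worth verifying are that the config you shipped does not still carry the lab-only settings or an idmap mistake, and that winbind actually talks to the DC. The script below is an added example, not part of the original post: lint_smb_conf() parses an smb.conf offline and reports the enum options, overlapping idmap ranges and ranges without a backend; live_checks() runs the real Samba tools and skips itself where they are not installed. The sample config written by write_sample_conf() is constructed here to mirror the post's [global] section, and the function and file names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): post-join checks for a winbind client.

# Parse an smb.conf and print one WARN line per finding on stderr,
# then the number of findings on stdout (always exits 0).
lint_smb_conf() {
    awk '
        { sub(/[ \t]*[#;].*$/, "") }                 # strip comments
        /^[ \t]*\[/ { next }                         # skip [section] headers
        !/=/        { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]+/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            # Samba ignores whitespace and case in parameter names, so compare squeezed keys
            if ((key == "winbindenumusers" || key == "winbindenumgroups") && tolower(val) == "yes")
                warn[++n] = "WARN: " key " = yes enumerates the whole domain on each lookup; remove for production"
            if (key ~ /^idmapconfig.*:range$/) {
                dom = substr(key, 12); sub(/:range$/, "", dom)
                if (split(val, b, "-") == 2) { r++; rdom[r] = dom; lo[r] = b[1] + 0; hi[r] = b[2] + 0 }
            }
            if (key ~ /^idmapconfig.*:backend$/) {
                dom = substr(key, 12); sub(/:backend$/, "", dom); backend[dom] = tolower(val)
            }
        }
        END {
            if (!("*" in backend))
                warn[++n] = "WARN: no idmap config * backend; BUILTIN and other non-domain SIDs cannot be mapped"
            for (i = 1; i <= r; i++) {
                if (!(rdom[i] in backend))
                    warn[++n] = "WARN: idmap range for " rdom[i] " has no matching backend"
                for (j = i + 1; j <= r; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        warn[++n] = sprintf("WARN: idmap ranges overlap: %s %d-%d vs %s %d-%d", rdom[i], lo[i], hi[i], rdom[j], lo[j], hi[j])
            }
            for (i = 1; i <= n; i++) print warn[i] > "/dev/stderr"
            print n + 0
        }' "$1"
}

# Live checks against the DC; a missing tool means this host is not a Samba client.
live_checks() {
    user="${1:-administrator}"
    for tool in testparm net wbinfo getent; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skip: $tool not installed"; return 0
        fi
    done
    testparm -s >/dev/null      # smb.conf parses and loads
    net ads testjoin            # machine account and keytab still valid against the DC
    wbinfo -t                   # trust secret check through winbindd
    wbinfo -u | head -n 3       # winbindd can list domain users
    getent passwd "$user"       # NSS (nsswitch.conf + libnss-winbind) resolves an AD user
    if command -v klist >/dev/null 2>&1; then
        klist -k /etc/krb5.keytab   # host/ principals written by the join
    fi
}

# Constructed sample mirroring the post's [global] section (not a real host's file).
write_sample_conf() {
    cat > "$1" <<'EOT'
[global]
   workgroup = XX
   security = ads
   realm = XX.EXAMPLE.ORG
   winbind use default domain = yes
   # For testing purposes only (remove for production)
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config XX : backend = ad
   idmap config XX : schema_mode = rfc2307
   idmap config XX : range = 10000-999999
EOT
}

# Usage: ./check-winbind.sh lint [/etc/samba/smb.conf]   or   ./check-winbind.sh live [user]
case "${1:-}" in
    lint) lint_smb_conf "${2:-/etc/samba/smb.conf}" ;;
    live) live_checks "${2:-administrator}" ;;
esac
```

Run the lint against the file you are about to deploy; on the post's config it reports exactly the two enum lines, and it flags an overlap if the `*` range is widened into the domain range. The live checks need the real tools and the DC, so run them on the joined client as root.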