First, you should register forward and reverse DNS records for the new Linux servers. Register these in the Windows domain.
Second, on the Linux servers point the DNS resolver to Windows, and add the proper entries to /etc/hosts.
Third, you must install the Kerberos 5 and winbind packages/modules/libraries.
Fourth, configure /etc/krb5.conf with:
[libdefaults]
default_realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
[realms]
YOUR.FULL.DOMAIN.WITH.UPPER.CHARS = {
kdc = list of IPs windows domain servers
admin_server = one ip for master domain server
}
[domain_realm]
your.full.domain.with.lower.chars = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
[logging]
#example logging
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
Fifth, configure /etc/samba/smb.conf:
[global]
workgroup = YOUR.SHORT.DOMAIN.WITH.UPPER.CASE
netbios name = YOUR.SERVER.NAME.WITH.UPPER.CASE.WITHOUT.DOMAIN
realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
security = ads
password server = windows.ip.server.what.allows.password.change
wins server = as.above.supports.wins.messages
wins proxy = no
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
server string = write what you want using %h as host name
dns proxy = no
idmap config * : backend = rid
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
Sixth, verify you are able to connect, temporarily using any user:
wbinfo -t #test only
net getdomainsid #should print local and domain identifier
wbinfo -u #domain user list, may take long time for many users
wbinfo -g #domain group list
Seventh, create a technical user account whose password never expires and cannot be changed. Leave the other settings at their defaults. Keep that user in a separate AD directory :)
Eighth, generate keytab:
net ads keytab create -U your.technical.user@YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
then check that /etc/krb5.keytab exists.
Now you can configure other services, especially those using the ntlm helper. You can test the connection using:
ntlm_auth --username UPPER.CASE.SHORTNAME.DOMAIN+your.technical.username
type the password and you should see the status:
NT_STATUS_OK: Success (0x0)
Now you can configure PAM to authenticate many services, but I didn't do this. I successfully use that config with Apache 2.2 NTLM authentication. I saw PAM config for ssh and Xsession.
The main idea is that only winbind authenticates to Active Directory. All other services authenticate locally to winbind in whatever way they support. Winbind is part of Samba. If you don't need Samba, install only winbind; this installs some Samba libraries.
Sometimes when you configure the connection, wbinfo fails to connect. You must then wait a moment, 5 or more minutes, for domain info propagation.
Of course, the time on all machines should be in sync. Configure NTP for this.
I'm using Debian, but Ubuntu does everything similarly to Debian :) good luck.
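Most failed joins with this setup trace back to inconsistencies between the two files above: a realm that is not upper case, a [domain_realm] key that is not lower case, an smb.conf realm that differs from the krb5 default_realm, or a workgroup that is the DNS name instead of the short NetBIOS name. The following script is an added example, not part of the answer above or of Samba/MIT Kerberos; it parses a krb5.conf/smb.conf pair offline and reports those mistakes before you run net ads keytab create or wbinfo. The realm EXAMPLE.LOCAL, host LNXHOST1 and the 192.0.2.x addresses are constructed sample values.

```python
"""Offline consistency check for the krb5.conf / smb.conf pair used to join a
Linux host to Active Directory with winbind (added example, not from the post)."""
import configparser
import re

# Constructed sample files; realm, host name and addresses are hypothetical.
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.LOCAL

[realms]
EXAMPLE.LOCAL = {
  kdc = 192.0.2.10
  kdc = 192.0.2.11
  admin_server = 192.0.2.10
}

[domain_realm]
example.local = EXAMPLE.LOCAL
.example.local = EXAMPLE.LOCAL
"""

SMB_CONF = """
[global]
workgroup = EXAMPLE
netbios name = LNXHOST1
realm = EXAMPLE.LOCAL
security = ads
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
idmap config * : backend = rid
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D/%U
"""


def parse_krb5(text):
    """Minimal krb5.conf parser: [sections], key = value lines, and the
    `REALM = { ... }` sub-blocks under [realms]. Repeated keys (kdc) become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        (block if block is not None else conf[section]).setdefault(key, []).append(value)
    return conf


def parse_smb(text):
    """smb.conf is INI-like; '=' is the only delimiter because parameter names
    such as 'idmap config * : backend' contain ':'; %D/%U must not be interpolated."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_ad_join(krb5, smb):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    realm = krb5.get("libdefaults", {}).get("default_realm", [""])[0]
    if not realm:
        problems.append("krb5: default_realm missing")
    elif realm != realm.upper():
        problems.append(f"krb5: default_realm {realm!r} must be upper case")
    realm_block = krb5.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        problems.append(f"krb5: [realms] has no kdc entry for {realm!r}")
    domain_realm = krb5.get("domain_realm", {})
    for dom, targets in domain_realm.items():
        if dom != dom.lower():
            problems.append(f"krb5: [domain_realm] key {dom!r} must be lower case")
        if targets != [realm]:
            problems.append(f"krb5: [domain_realm] {dom!r} maps to {targets}, not {realm!r}")
    if realm and realm.lower() not in domain_realm:
        problems.append(f"krb5: [domain_realm] lacks a mapping for {realm.lower()!r}")
    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        problems.append("smb: security must be 'ads' for an AD member server")
    if g.get("realm") != realm:
        problems.append(f"smb: realm {g.get('realm')!r} differs from krb5 default_realm {realm!r}")
    for name in ("workgroup", "netbios name"):
        val = g.get(name, "")
        if not val or "." in val or len(val) > 15 or val != val.upper():
            problems.append(f"smb: {name} must be the short upper-case NetBIOS name (<=15 chars, no dots)")
    if g.get("kerberos method", "").lower() != "system keytab" or not g.get("dedicated keytab file"):
        problems.append("smb: set 'kerberos method = system keytab' and 'dedicated keytab file'")
    rng = g.get("idmap config * : range", "")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
    # Heuristic: LOW < HIGH and LOW above the usual local-account UID range.
    if not m or int(m.group(1)) >= int(m.group(2)) or int(m.group(1)) < 1000:
        problems.append(f"smb: idmap range {rng!r} must be LOW-HIGH above local UIDs")
    return problems


if __name__ == "__main__":
    for p in check_ad_join(parse_krb5(KRB5_CONF), parse_smb(SMB_CONF)) or ["configs consistent"]:
        print(p)
```

Run it against the real files by reading /etc/krb5.conf and /etc/samba/smb.conf into the two parsers; only when it reports nothing is it worth spending the 5-minute propagation wait on wbinfo -t.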
Best Answer
I had the same problem; I had several problems with Red Hat 5.3, lots of flashing, sometimes it works and sometimes not.
Download the msktutil binary package from http://packages.sw.be/msktutil/ ; I had better results, but unsatisfactory.
I did a test on Debian Lenny and the results were more positive.