Pam auth via winbind, howto map primary group for users

Make sure the winbind service is running.

Set up in your /etc/pam.d/samba:

account     [default=bad success=ok user_unknown=ignore]  pam_winbind.so
account     required      pam_permit.so

password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so

auth       required pam_nologin.so
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so

Pam changes sometimes require a winbind restart. Shouldn't, but practical experience says do it anyway.

In smb.conf you also need:

realm = YOURKERBEROSREALMNAME
password server = the host or IP of your ADC
idmap backend = rid:DOMAIN=5000-100000000
idmap uid = 10000-10000000
idmap gid = 10000-10000000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes

Where DOMAIN is your workgroup or domain name and realm matches what is in your krb5.conf

Restart samba services after the changes in smb.conf

The problem is likely due to Finder bugs in the way it handles resource forks as extended attributes.

I would try:

ea support = no

This may result in ._ files but until Apple cares enough to make their file manager interoperable, this is what you have to deal with.

Edit: I just noticed you actually did try disabling them. That is where I have ran into all the Finder issues. After some brief searching it looks like turning off unix extensions is the only reported fix.