With Kerberos and Winbind configured, you're now ready to join your Debian workstation to the Windows Active Directory domain.
Before you do, check the hostname of your Debian workstation. Due to restrictions in the NetBIOS protocol, the hostname must contain no more than 15 characters. If you see a STATUS_BUFFER_OVERFLOW message in the winbind log, odds are the hostname is invalid. Now would also be a good time to clear whatever cache files, if any, Winbind had previously generated. The Winbind cache is located in /var/lib/samba/. Back up this directory to /var/lib/samba.bak/ and delete all the files in the original.
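The two housekeeping checks above can be scripted. The following is an added example, not part of the original article; the function names are hypothetical, and the paths in the usage comment are the ones given above.

```shell
#!/bin/sh
# Added example: pre-join housekeeping for "net ads join".
# Function names are hypothetical; the paths come from the article.

# Return 0 if the short hostname fits the 15-character NetBIOS limit.
check_netbios_name() {
    name=${1%%.*}    # drop any DNS suffix; only the first label is used
    len=${#name}
    if [ "$len" -ge 1 ] && [ "$len" -le 15 ]; then
        return 0
    fi
    echo "hostname '$name' is $len characters; NetBIOS allows at most 15" >&2
    return 1
}

# Copy the Winbind cache directory to a backup location, then delete
# every file in the original while keeping its directory layout.
backup_and_clear_cache() {
    src=$1
    dst=$2
    if [ ! -d "$src" ]; then
        echo "no cache directory at $src" >&2
        return 1
    fi
    # Refuse to overwrite an earlier backup.
    if [ -e "$dst" ]; then
        echo "backup $dst already exists; move it aside first" >&2
        return 1
    fi
    cp -a "$src" "$dst" || return 1
    find "$src" -type f -exec rm -f {} +
}

# Usage (as root):
#   check_netbios_name "$(hostname)" &&
#       backup_and_clear_cache /var/lib/samba /var/lib/samba.bak
```
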
With these housekeeping items taken care of, try joining the domain:
    sudo net ads join -U "DOMAINADMIN"

Replace DOMAINADMIN with the name of a user that has privileges to add computers to the domain [1]. If all goes well, you should receive a short message stating that you have successfully joined the domain [2]. If this step fails, chances are that a firewall is restricting access to one or more of the following ports: 88/TCP, 88/UDP, 389/TCP, 464/UDP. Create exceptions for these ports and try again.

[1] Many of the articles I read about this procedure suggested running kinit before joining the domain. I found that this step is unnecessary when net ads is specified.

[2] This message may be accompanied by Kerberos preauthentication errors. These may be safely ignored.