The Winbind service is the engine of this operation. It handles all communication with the Active Directory domain controller and manages the Windows-to-Unix translations that must occur.
You configure this service in /etc/samba/smb.conf. The following lines should be added to its global section:
```ini
realm = REALMNAME
workgroup = DOMAINNAME
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
```
Replace REALMNAME with the name of the Kerberos realm you configured in the previous section. DOMAINNAME is the shortened version of the domain name.
The idmap lines give the range of Unix UIDs and GIDs that Winbind allocates when it maps Windows users and groups to Unix identities.
The template shell and template homedir settings give the user's login shell and home directory. %D expands to the workgroup (DOMAINNAME) and %U to the current user. You could, of course, leave out the %D and choose a more traditional location such as /home/%U. Whichever layout you pick, make sure the parent directory of your Winbind home directories (in our case /home/%D) exists before attempting to log in as a Windows user.[1]
The winbind use default domain option changes how Windows usernames are represented. By default, Windows users must log in with their username prefixed by the workgroup and a backslash (DOMAINNAME\battista). As a convenience, you can set winbind use default domain to yes so that they no longer need the prefix. Be aware, though, that without the prefix a domain username identical to an existing local account name will conflict with that local account.
[1] If it does not, the system will be unable to create home directories for the Windows users, which will prevent them from logging in.
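The three pitfalls described above (a local UID already inside the idmap range, a name clash once winbind use default domain is set to yes, and a missing home-directory parent) are all cheap to check before the first domain login. The following script is an added example, not part of the original text or of Samba itself: it parses the global section of an smb.conf, reads passwd-format lines, takes a list of domain usernames (in practice the output of wbinfo -u, here a constructed list), and reports each problem. The sample configuration, passwd excerpt, domain user list and the dir_exists callback are all constructed for the demonstration; the realm and workgroup values are placeholders.

```python
import re
from pathlib import Path

# Constructed sample smb.conf; mirrors the settings described in the text but
# is not the page's own file. EXAMPLE.COM / EXAMPLE are placeholder values.
SAMPLE_SMB_CONF = """\
[global]
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = yes

[homes]
   browseable = no
"""

# Constructed /etc/passwd excerpt: one local account shares a name with a
# domain user, and one service account has a UID inside the idmap range.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
battista:x:1001:1001::/home/battista:/bin/bash
svc-backup:x:10050:10050::/var/lib/backup:/usr/sbin/nologin
"""

# Constructed stand-in for the domain user list (what `wbinfo -u` would print).
SAMPLE_DOMAIN_USERS = ["battista", "alice"]


def parse_global(text):
    """Return the [global] section as a dict of normalised key -> value.
    Samba ignores case and internal whitespace in parameter names, so
    'Idmap  UID' and 'idmap uid' are treated as the same key."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            settings[" ".join(key.split()).lower()] = value.strip()
    return settings


def parse_range(value):
    """'10000-20000' -> (10000, 20000); rejects inverted ranges."""
    lo, hi = (int(part) for part in value.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def parse_passwd(text):
    """Map local account name -> UID from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            users[fields[0]] = int(fields[2])
    return users


def audit(smb_conf, passwd_text, domain_users, dir_exists=lambda p: Path(p).is_dir()):
    """Return a list of findings about the Winbind settings in smb_conf."""
    g = parse_global(smb_conf)
    local = parse_passwd(passwd_text)
    findings = []

    # 1. Both idmap ranges must be present and well-formed, and no local
    #    account may already sit inside the UID range, or a Winbind-allocated
    #    ID could alias an existing local user on the filesystem.
    ranges = {}
    for key in ("idmap uid", "idmap gid"):
        if key not in g:
            findings.append(f"missing {key}")
        else:
            ranges[key] = parse_range(g[key])
    if "idmap uid" in ranges:
        lo, hi = ranges["idmap uid"]
        for name, uid in local.items():
            if lo <= uid <= hi:
                findings.append(f"local account {name} (uid {uid}) lies inside idmap uid {lo}-{hi}")

    # 2. With the DOMAIN\ prefix dropped, a domain user whose name equals a
    #    local account name conflicts with that account.
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        for name in domain_users:
            if name in local:
                findings.append(f"domain user {name} collides with local account {name}")

    # 3. The parent of 'template homedir' (with %D expanded to the workgroup)
    #    must exist, or home-directory creation and hence login fails.
    homedir = g.get("template homedir", "")
    parent = str(Path(homedir.replace("%D", g.get("workgroup", ""))).parent)
    if homedir.endswith("%U") and not dir_exists(parent):
        findings.append(f"home directory parent {parent} does not exist")
    return findings


if __name__ == "__main__":
    existing = {"/home"}  # constructed: /home exists, /home/EXAMPLE does not
    for finding in audit(SAMPLE_SMB_CONF, SAMPLE_PASSWD, SAMPLE_DOMAIN_USERS, existing.__contains__):
        print("WARN:", finding)
```

Run against a live host, audit would be called with the contents of /etc/samba/smb.conf and /etc/passwd, the names printed by wbinfo -u, and the default dir_exists callback, which checks the real filesystem. The sample run reports all three problems; fixing any one of them removes the matching line.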