1. Kerberos

Let's assume that your Windows server has a VPN IP address, and we want it to mount user home folders from our CentOS server. Edit /etc/krb5.conf:

  kdc =
  admin_server =
  default_domain = ourdom.local

 .ourdom.local = OURDOM.LOCAL
 ourdom.local = OURDOM.LOCAL<


$ kinit [email protected]
Password: our_pass
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting     Expires            Service principal
05/12/08 23:22:52  05/13/08 09:24:00  krbtgt/[email protected]
              renew until 05/13/08 23:22:52
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
$ kdestroy<

2. Join domain

Edit /etc/samba/smb.conf using attached file< as a reference.

Start samba by default:

chkconfig smb on
service smb restart

chkconfig winbind on
service winbind restart

For samba 3.3 you will additionally need

chkconfig nmb on
service nmb restart<

Temporarily add winsrv.ourdom.local to /etc/hosts as (this is required by net join).

Join the domain:

$ kinit [email protected]
Password: our_pass
$ net ads join -Uwinadmin
winadmin's password: пароль
Using short domain name -- OURDOM
Joined 'SRV' to realm 'OURDOM.LOCAL'<

How to debug:

net -d9 ads info
net ads lookup<

If Windows and Samba are physically on different networks, samba should use UDP unicasts to announce its presence to Windows:

remote announce =
remote browse sync =<

3. Unix to Windows ID map

Edit nsswitch.conf:

passwd:  files ldap winbind
shadow:  files ldap winbind
group:   files ldap winbind<

Edit smb.conf:

winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind separator = +
winbind nss info = rfc2307

idmap uid = 10000-30000
idmap gid = 10000-30000
winbind cache time = 10
idmap cache time = 10

idmap backend = ad
idmap config:default = yes
idmap config:schema_mode = rfc2307
idmap config:range = 10000-19999

idmap alloc backend = rid
idmap alloc config:range = 20000-29999
idmap alloc config:base_rid = 1000

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes<

This will instruct winbind/samba to attempt to inquire AD for user ID (2K3 R2 schema), otherwise use rid to allocate a new ID.

See here< for details. It seems that only idmap_rid< provides for real user enumeration.

How to test:

wbinfo -u
wbinfo -g
wbinfo -i vandreev
wbinfo -i winadmin<

How to debug:

service winbind stop
winbindd -i -S -Y -d10 -n

See idmap.ad<, idmap.nss<, idmap.ldap<, idmap_alloc_backend<.