Richard Bruno
Samba 4 and Winbind
October 18th, 2016

Installation carried out on Debian Jessie

Installing the required packages

apt-get install krb5-user libpam-krb5 krb5-config samba winbind smbclient libnss-winbind libpam-winbind



Configuring the krb5.conf file

# cat krb5.conf
[libdefaults]
default_realm = MONDOMAINE

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
MONDOMAINE = {
kdc = monad
admin_server = monad
}
[domain_realm]
.domensai.ecole = monad.MONDOMAINE

[login]
krb4_convert = true
krb4_get_tickets = false



Testing that the link to the AD works

# kinit brichard
Password for brichard@MONDOMAINE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: brichard@MONDOMAINE

Valid starting Expires Service principal
19/11/2014 11:17:38 19/11/2014 21:17:38 krbtgt/MONDOMAINE@MONDOMAINE
renew until 20/11/2014 11:17:32



Configuring the smb.conf file

[...]
security = ads
realm = domensai.ecole
encrypt passwords = true
obey pam restrictions = yes

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /staff/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
[...]



Restarting the services

# systemctl stop winbind
# systemctl restart smbd
# systemctl start winbind



Joining the Samba server to the domain

net ads join -U 'un_compte_admin_du_domaine'



A reboot is required.

Check:

net ads testjoin
Join is OK



Tests

wbinfo -g


wbinfo -u


wbinfo -a usertest
Enter usertest's password:
plaintext password authentication succeeded
Enter usertest's password:
challenge/response password authentication succeeded



ntlm_auth --request-nt-key --domain=MONDOMAINE --username=compte_de_domaine
Password:
NT_STATUS_OK: Success (0x0)



Configuring the nsswitch.conf file


[...]
passwd: compat winbind
group: compat winbind
shadow: compat
[...]



Tests

getent passwd


getent group




Configuring the PAM stack

Nothing to do: the default files are sufficient.

Managing shares

idmap

"RID is great because the RID correlates with Active Directory and the values are persistent across the whole domain."

I use the following config:

idmap config * : backend = rid
idmap config * : range = 20000000-29999999



See this interesting note:
http://www.clearcenter.com/support/documentation/clearos_guides/trusted_domains_and_the_active_directory_connector

oplocks

See http://www.oreilly.com/openbook/samba/book/ch05_05.html

Following problems opening user profiles (users were dropped into a temporary profile), I disable oplocks:

kernel oplocks = No
fake oplocks = No
oplocks = No



See also: http://forge.univention.org/bugzilla/show_bug.cgi?id=37253

Checking the config:

testparm -s



idmap (2)

Problem:

# wbinfo -i user1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user user1



Solution:

idmap config * : backend = rid


becomes

idmap config * : backend = tdb
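As an added example (not from the original page), a small shell lint for the idmap settings of smb.conf, covering both idmap sections above: it flags the default domain `*` configured with backend = rid (the WBC_ERR_DOMAIN_NOT_FOUND case, since rid is only supported for named domains), a missing or non-ascending range, and ranges of two domains that overlap. The sample configs and the MONDOMAINE ranges in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: lint the idmap settings of an
# smb.conf. Findings: '*' with backend = rid (rid is only valid for named
# domains, '*' needs tdb or autorid), a domain without a range or with a
# non-ascending range, and overlapping ranges between domains.
# Usage: lint_idmap [smb.conf]  (reads stdin if no file); exit status = findings.
lint_idmap() {
    awk '
    {
        sub(/[#;].*/, "")          # drop comments
        if (tolower($0) ~ /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*[a-z_ ]+=/) {
            split($0, kv, "=")
            val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
            left = kv[1]; sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", left)  # strip "idmap config"
            split(left, dk, ":")
            dom = dk[1]; gsub(/[ \t]/, "", dom)
            key = tolower(dk[2]); gsub(/[ \t]/, "", key)
            cfg[dom, key] = val; doms[dom] = 1
        }
    }
    END {
        n = 0
        for (d in doms) {
            if (d == "*" && tolower(cfg[d, "backend"]) == "rid") {
                print "domain *: backend rid is not supported for the default domain, use tdb or autorid"; n++
            }
            if (cfg[d, "range"] == "") {
                print "domain " d ": no range configured"; n++
            } else {
                split(cfg[d, "range"], r, "-"); lo[d] = r[1] + 0; hi[d] = r[2] + 0
                if (lo[d] >= hi[d]) { print "domain " d ": range " cfg[d, "range"] " is not ascending"; n++ }
            }
        }
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) { print "domains " a " and " b ": ranges overlap"; n++ }
        exit n
    }' "$@"
}

# Constructed demo inputs (not a real deployment).
bad_conf='idmap config * : backend = rid
idmap config * : range = 20000000-29999999'
good_conf='idmap config * : backend = tdb
idmap config * : range = 20000000-29999999
idmap config MONDOMAINE : backend = rid
idmap config MONDOMAINE : range = 30000000-39999999'
printf '%s\n' "$bad_conf"  | lint_idmap || echo "findings: $?"
printf '%s\n' "$good_conf" | lint_idmap && echo "idmap config OK"
```

Run it against the live file with `lint_idmap /etc/samba/smb.conf` after `testparm -s` has accepted the syntax.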





