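* '''samba'''
# Join a Debian/Ubuntu host to the AUGIN.RU Active Directory domain as a
# Samba member server and publish /home/exchange as the share "exchange$".
# Run as root. The three heredocs below OVERWRITE /etc/krb5.conf,
# /etc/samba/smb.conf and /etc/nsswitch.conf, so keep copies of the
# originals if the host already carries local changes.

# Package install and service enablement are two separate commands; on one
# line, apt would treat "systemctl", "enable", ... as package names.
apt install -y samba winbind krb5-config libnss-winbind acl krb5-user
systemctl enable --now {smbd,nmbd}

# Kerberos client configuration.
# NOTE(review): default_realm (and "realm" in smb.conf) is AUGIN.RU, but
# [realms] also defines DC1.AUGIN.RU and [domain_realm] maps the host
# dc1.augin.ru to it. If DC1.AUGIN.RU is not a real realm, service tickets
# for the DC would be requested in the wrong realm; the usual mapping is
# to AUGIN.RU. Confirm against the domain.
# forwardable/proxiable let any service that receives the ticket act on
# the user's behalf; keep them only if delegation is actually needed.
# Kerberos also rejects tickets when clocks drift (5 minutes by default),
# so make sure time is synchronised with the DC before joining.
cat << EOF > /etc/krb5.conf
[libdefaults]
default_realm = AUGIN.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
DC1.AUGIN.RU = {
kdc = dc1.augin.ru
admin_server = dc1.augin.ru
}
AUGIN.RU = {
kdc = dc1.augin.ru
}
[domain_realm]
dc1.augin.ru = DC1.AUGIN.RU
.dc1.augin.ru = DC1.AUGIN.RU
EOF

# Samba member-server configuration (security = ads, autorid id mapping,
# NT ACLs stored in extended attributes via vfs acl_xattr).
# - The heredoc delimiter is unquoted, so "\$" is written to the file as
#   "$": the share is named "exchange$". The trailing "$" only hides it
#   from browse lists; it is not an access control.
# - NOTE(review): "public = yes" is a synonym for "guest ok = yes", and the
#   share is also writable. Whether unauthenticated clients really get in
#   depends on "map to guest" and the client, but for a domain share the
#   safer setting is "public = no" plus an explicit "valid users" list.
# - "winbind enum users/groups = Yes" makes the host enumerate the whole
#   directory; that is convenient for getent but slow on large domains.
# Validate the result with "testparm -s" before restarting the daemons.
cat << EOF > /etc/samba/smb.conf
[global]
workgroup = AUGIN
security = ads
kerberos method = secrets and keytab
realm = AUGIN.RU
winbind use default domain = true
winbind enum groups = Yes
winbind enum users = Yes
idmap config * : range = 16777216-33554431
idmap config * : backend = autorid
winbind offline logon = false
vfs objects = acl_xattr
nt acl support = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
unix extensions = no
map hidden = no
map system = no
map archive = no
store dos attributes = Yes
[exchange\$]
comment = exchange folder
path = /home/exchange
public = yes
writable = yes
EOF

# Name service switch: resolve users and groups through winbind after the
# local files. shadow/gshadow stay local-only, so no password hashes are
# looked up through the domain. The file is replaced wholesale, which
# drops any distribution-specific entries (for example extra "hosts"
# sources) that were there before.
cat << EOF > /etc/nsswitch.conf
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF

# -p keeps a re-run from failing when the directory already exists.
mkdir -p /home/exchange

# The join prompts for the password interactively; keep it that way rather
# than passing it on the command line, where it would land in shell history
# and the process list. An account delegated only the right to join
# computers is enough here; a full domain administrator is not required.
# "net ads testjoin" and "wbinfo -t" confirm the machine trust afterwards.
net ads join -U Administrator
systemctl restart smbd nmbd winbind

# NOTE(review): these two ACLs apply recursively to ALL of /home, not just
# the share: "domain admins" get rwx on every existing home directory and
# its contents, and the default (-d) ACL makes new files inherit it. If
# the intent is only to administer the share, scope both commands to
# /home/exchange instead.
setfacl -R -m g:"domain admins":rwx /home
setfacl -R -d -m g:"domain admins":rwx /home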