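====== samba ======

# Join a Debian/Ubuntu host to the AUGIN.RU Active Directory domain as a
# member server and export /home over SMB with NT ACLs stored in xattrs.
# Run as root. The steps overwrite three system files wholesale:
# /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf.

apt install -y samba winbind krb5-config libnss-winbind acl krb5-user
systemctl enable --now smbd nmbd

# Keep a one-time copy of the distribution files so the host can be rolled
# back if the join or name resolution breaks after the overwrite.
for f in /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf; do
    if [ -e "$f" ] && [ ! -e "$f.orig" ]; then
        cp -a "$f" "$f.orig"
    fi
done

# The heredoc delimiters are quoted ('EOF') so the shell expands nothing
# inside the config bodies ("$", "*" and backslashes are written literally).

# NOTE(review): default_realm and the smb.conf realm are AUGIN.RU, but
# [domain_realm] maps dc.augin.ru to a separate realm DC.AUGIN.RU. If the AD
# realm is AUGIN.RU, these mappings probably should point at AUGIN.RU too.
# Confirm against the domain before relying on this file.
cat << 'EOF' > /etc/krb5.conf
[libdefaults]
    default_realm = AUGIN.RU
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    DC.AUGIN.RU = {
        kdc = dc.augin.ru
        admin_server = dc.augin.ru
    }
    AUGIN.RU = {
        kdc = dc.augin.ru
    }

[domain_realm]
    dc.augin.ru = DC.AUGIN.RU
    .dc.augin.ru = DC.AUGIN.RU
EOF

# smb.conf notes:
# - "winbind use default domain" makes domain accounts appear without the
#   DOMAIN\ prefix; nsswitch.conf below lists "files" first, so a local
#   account with the same name takes precedence over the domain account.
# - The [home$] share exports every home directory read-write. Guest access
#   is switched off ("guest ok = no"; "public" is a synonym for "guest ok"):
#   unauthenticated sessions have no business on this share, and access is
#   meant to come from AD accounts plus the ACLs applied at the end.
cat << 'EOF' > /etc/samba/smb.conf
[global]
workgroup = AUGIN
security = ads
kerberos method = secrets and keytab
realm = AUGIN.RU

winbind use default domain = true
winbind enum groups = Yes
winbind enum users = Yes
idmap config * : range = 16777216-33554431
idmap config * : backend = autorid
winbind offline logon = false

vfs objects = acl_xattr
nt acl support = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes

unix extensions = no
map hidden = no
map system = no
map archive = no
store dos attributes = Yes

[home$]
comment = Home folder
path = /home
guest ok = no
writable = yes
EOF

# Parse the new smb.conf and print the effective settings; fix any reported
# error before joining.
testparm -s

# Add winbind as a source for users and groups only. shadow stays on local
# files, so domain accounts never get a local password hash lookup.
cat << 'EOF' > /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
EOF

# Prompts for the password interactively; do not pass it on the command
# line, where it would end up in shell history and the process list.
net ads join -U Administrator
net ads testjoin

systemctl restart smbd nmbd winbind

# Grant the AD group "domain admins" rwx on everything under /home, both on
# existing entries (-m) and as the default ACL inherited by new ones (-d -m).
# This gives that group read/write access to every user's files, including
# dotfiles such as ~/.ssh, so keep its membership tight.
setfacl -R -m g:"domain admins":rwx /home
setfacl -R -d -m g:"domain admins":rwx /home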