apt install -y samba winbind krb5-config libnss-winbind acl krb5-user

systemctl enable --now {smbd,nmbd}

cat << EOF > /etc/krb5.conf
[libdefaults]
 default_realm = AUGIN.RU
 
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 
[realms]
 DC.AUGIN.RU = {
  kdc = dc.augin.ru
  admin_server = dc.augin.ru
 }
 
 AUGIN.RU = {
  kdc = dc.augin.ru
 }
 
[domain_realm]
 dc.augin.ru = DC.AUGIN.RU
 .dc.augin.ru = DC.AUGIN.RU
EOF
 
cat << EOF > /etc/samba/smb.conf
[global]
   workgroup = AUGIN
   security = ads
   kerberos method = secrets and keytab
   realm = AUGIN.RU
   winbind use default domain = true
   winbind enum groups = Yes
   winbind enum users = Yes
   idmap config * : range = 16777216-33554431
   idmap config * : backend = autorid
   winbind offline logon = false
 
   vfs objects = acl_xattr
   nt acl support = yes
   inherit acls = yes
   inherit owner = yes
   inherit permissions = yes
   map acl inherit = yes
   unix extensions = no
 
   map hidden = no
   map system = no
   map archive = no
   store dos attributes = Yes
 
[home\$]
   comment = Home folder
   path = /home
   public = yes
   writable = yes
EOF
 
cat << EOF > /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files
 
hosts:          files dns
networks:       files
 
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
 
netgroup:       nis
EOF

net ads join -U Administrator

systemctl restart smbd nmbd winbind
setfacl -R -m g:"domain admins":rwx /home
setfacl -R -d -m g:"domain admins":rwx /home