Authenticate Samba users against Active Directory

Most guides on this topic assume that you'll want to authenticate the OS users and groups of your Debian server against the Active Directory server too. That's not absolutely necessary. You can keep your own user pool on the Linux server (authenticating from /etc/passwd, from OpenLDAP, or from whatever source you choose) and authenticate only Samba access against AD.

  1. First set up Samba:
    apt-get install samba
  2. Edit your /etc/samba/smb.conf to something like this:
    [global]
    log file = /var/log/samba/log.%m
    log level = 1
    ldap ssl = no
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    obey pam restrictions = Yes
    domain master = No
    realm = YOUR-DOMAIN.COM
    passdb backend = tdbsam
    passwd program = /usr/bin/passwd %u
    dns proxy = No
    netbios name = YOUR-SERVER
    server string = %h
    # note: "invalid users" _has_ a default value; it contains "root"
    # (however, according to the manpage it should not have a default)
    invalid users =
    password server = your-server.your-domain.com
    default =
    workgroup = YOUR-DOMAIN
    os level = 20
    auto services =
    security = domain
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    preferred master = no
    max log size = 1000
    browseable = yes
    browse list = yes
    guest account = nobody
    map to guest = Bad User
    hide dot files = no
    wins support = no
    available = yes

    [www]
    path = /var/www
    valid users = @some-group
    public = no
    writable = yes
    create mode = 0664
    directory mode = 0775
    force user = www-data
    force group = www-data

    You should note that the AD server in the example is your-server.your-domain.com and the domain name is YOUR-DOMAIN.

    The [www] share in this example config gives users in the some-group group access to the /var/www directory (the default document root of Apache).
  3. Install packages needed for Kerberos:
    apt-get install krb5-config krb5-user libkadm55
    You'll be asked by debconf to enter "Kerberos servers for your realm". You should enter your AD server here. The same should go into "Administrative server for your Kerberos realm".
  4. Adjust the /etc/krb5.conf settings to match the above domain controller. In the [realms] section, have something like this:
            YOUR-DOMAIN.COM = {
                    kdc = your-server.your-domain.com
                    admin_server = your-server.your-domain.com
            }
    In the [domain_realm] section have something like this:
            .your-domain.com = YOUR-DOMAIN.COM
            your-domain.com = YOUR-DOMAIN.COM
  5. Initiate the Kerberos ticket:
    kinit Administrator@YOUR-DOMAIN.COM
    Use the Administrator password of your domain controller here.
  6. Join the Debian server to the domain:
    net join ads
  7. Clean up by removing the Kerberos packages; Samba won't need them for authentication:
    apt-get --purge remove krb5-config krb5-user libkadm55
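Before joining, it is worth confirming that smb.conf and krb5.conf describe the same domain controller, since a mismatch between `password server` and `kdc` is a common reason the join or later logons fail. The script below is an added example, not part of the original guide: it parses both files (including the brace-delimited realm blocks of krb5.conf) and reports inconsistencies, using the guide's placeholder names in constructed sample input.

```python
# Constructed sample files using the guide's placeholder names; not real config.
SMB_CONF = """\
[global]
realm = YOUR-DOMAIN.COM
security = domain
password server = your-server.your-domain.com
"""
KRB5_CONF = """\
[realms]
        YOUR-DOMAIN.COM = {
                kdc = your-server.your-domain.com
                admin_server = your-server.your-domain.com
        }
"""

def parse_conf(text):
    """Parse smb.conf/krb5.conf style text into {section: {key: value}}.
    A krb5.conf 'REALM = { ... }' block becomes its own section keyed by realm."""
    conf, section, block = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line[0] == "[" and line[-1] == "]":
            section, block = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line.endswith("{"):          # start of a krb5.conf realm block
            block = line[:-1].strip(" =")
            conf[block] = {}
        elif line == "}":
            block = None
        elif "=" in line and section:
            key, _, value = line.partition("=")
            conf[block or section][key.strip().lower()] = value.strip()
    return conf

def check_domain_member(smb_text, krb5_text):
    """Return findings as strings; an empty list means the two files agree."""
    g = parse_conf(smb_text).get("global", {})
    krb = parse_conf(krb5_text)
    realm, findings = g.get("realm", ""), []
    if g.get("security", "").lower() != "domain":
        findings.append("security is not 'domain': logons will not be deferred to the DC")
    if realm not in krb:
        findings.append(f"realm {realm!r} has no [realms] block in krb5.conf")
    elif krb[realm].get("kdc", "").lower() != g.get("password server", "").lower():
        findings.append("'password server' in smb.conf differs from 'kdc' in krb5.conf")
    if g.get("invalid users") == "":
        findings.append("'invalid users' is empty: the default 'root' denial no longer applies")
    return findings
```

Run it against the real files with `check_domain_member(open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read())` before step 6; the `invalid users` finding is informational and reflects the deliberate setting in the example config.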
Of course you should consider very carefully whether this is really what you want, since authentication against the AD is not enough: filesystem permissions must be set up in sync with the Samba settings too.