一、实验环境：
windows AD server：windows server 2003
samba：centos 4.7

AD server的hostname和IP地址：
pdc     192.168.0.240
samba的hostname和IP地址：
server       192.168.0.249

Domain name：test.com
DNS：192.168.0.240

二，安装NTP时间验证套件,再来与AD server校准时间

# ntpdate 192.168.0.240
# hwclock -w

三，安装Samba服务器软件需求：
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
samba-3.0.5-2
当然我在这里偷了下懒，我直接用yum进行的安装，毕竟只是了解下这个实验的思路，所以就不用管安全性了。
#yum -y install samba
安装完后，如果你要确认samba安装成功没有可以用下述命令来检查samba包的基础库支持，一般用yum安装或RPM安装是不会有问题的。
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND

三，二、编辑设定档
1、krb5配置
#vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TEST.COM = {
  kdc = 192.168.0.240:88
  admin_server = 192.168.0.240:749
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

以上红色部分是要注意的位置。

连接AD server
kinit
Kerberos 的 kinit 命令将测试服务器间的通信，后面的域名TEST.COM 是你的活动目录的域名，必须大写，否则会收到错误信息：
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

如果通信正常，你会提示输入口令，口令正确的话，就返回 bash 提示符，如果错误则报告：
kinit(v5): Preauthentication failed while getting initial credentials.
這一步代表了已经可以和AD server做沟通了，但并不代表Samba Server已经加入域了。

smb.conf配置

vi /etc/samba/smb.conf

[global]
        workgroup = TEST
        netbios name = server
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        realm = TEST.COM
        winbind use default domain = yes
        winbind enum groups = yes
        winbind enum users  = yes
        winbind separator   = %
        template homedir = /home/%D/%U
        template shell   = /bin/bash
        security = ads
        encrypt passwords = yes
        password server = 192.168.0.240
[homes]
        path = /home/%D/%U
        browseable = no
        writable = yes
        valid users = test.com/%U
        create mode = 0777
        directory mode = 0777

配置nsswitch.conf
#vi /etc/nsswitch.conf
修改以下位置
passwd:     files winbind
shadow:     files winbind
group:      files winbind

启用samba和winbind服务
#service smb start
#service winbind start
5、加入AD域
[root@server ~]# net rpc join -S pdc.test.com -U administrator
Password:
Joined domain TEST.

6、验证加入是否成功
[root@server ~]# net rpc testjoin
Join to 'TEST' is OK
[root@server ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@server ~]# wbinfo -u

TEST/administrator
TEST/guest
TEST/krbtgt
TEST/zbhdpx

[root@server ~]# wbinfo -g

TEST/domain computers
TEST/domain controllers
TEST/schema admins
TEST/enterprise admins
TEST/domain admins
TEST/domain users
TEST/domain guests
TEST/group policy creator owners
TEST/dnsupdateproxy

[root@server ~]#getent passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync

[root@server ~]#getent group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm

7、做完这些，就可以到AD server上的活动目录中看到该机器了

参考了:

http://blog.sina.com.cn/s/blog_596dc5a30100bzwy.html