important

client and servers should have the correct time and should resolv A and PTR record on dns

ssh-server

modification /etc/ssh/sshd_config

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

generate a keytab-file

net ads keytab create -U administrator

ssh-client

modification /etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDNS yes

required in smb.conf

kerberos method = secrets and keytab

create /etc/security/pam_winbind.conf

krb5_auth = yes
krb5_ccache_type = FILE

• https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
• http://trabauer.com/?p=383