Weblog entry #5 for fugit

Integrating Debian into an AD Domain
Posted by fugit on Thu 27 Jan 2011 at 19:53
The Problem:
Integrating Debian (lenny) into an Active Directory (2008) forest with multiple trusted domains. We wanted to leverage AD for account management and authentication, including groups. One of the goals was to avoid modifying the accounts in AD: we did not want to enter Unix attributes (UID or GID) in AD.

The Solution:
Use Samba's winbind, Kerberos (krb5), nsswitch and PAM to leverage AD, deployed and managed via puppet.

winbind
First, this does not require a full installation of Samba. We are only going to use the winbind portion of Samba to make this work. I am also using the backports version of winbind.
Information on using backports can be found here.

Install the required packages for winbind:
apt-get install -t lenny-backports winbind samba-common-bin

Now we need to configure winbind. The file we will modify is /etc/samba/smb.conf. Below will work if you are just using winbind. There are other sections required if you will be using other features of samba.
/etc/samba/smb.conf
[global]
   workgroup = WORKGROUP1
   password server = ad1.domain1.com
   realm = DOMAIN1.COM
   security = ads
   template shell = /bin/bash
   winbind offline logon = false
   winbind separator = +

   kerberos method = secrets and keytab
   client ntlmv2 auth = yes
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = rfc2307
   idmap config DOMAIN1:backend = rid
   idmap config DOMAIN1:base_rid = 0
   idmap config DOMAIN1:range = 100000 - 199999

   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:base_rid = 0
   idmap config DOMAIN2:range = 200000 - 299999

   # Map any users/groups that are not in the trusted domains to this:
   idmap backend = tdb
   idmap uid = 900000-950000
   idmap gid = 900000-950000

   # this is set by default (run testparm to see it)
   passdb backend = tdbsam

   # Refresh kerberos tickets
   winbind refresh tickets = yes

The separator is changed in the above configuration so that many of the Unix tools work with the domain accounts. The regular separator is "/", which does not work with tools such as ssh. If you only have one domain this is not strictly necessary.

kerberos
First install the required packages for Kerberos to work. Note that samba-common-bin, installed above, is required for the "net" command.
apt-get install krb5-clients krb5-user ntp
Now we need to configure Kerberos. This configuration is for an AD forest with multiple domains in a trust. If you only have one domain you can remove the parts for the second domain.
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN1.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 DOMAIN1.COM = {
  kdc = ad1.domain1.com:88
  kdc = ad2.domain1.com:88
  admin_server = ad1.domain1.com:749
  master_kdc = ad1.domain1.com
 }
 DOMAIN2.COM = {
  kdc = ad1.domain2.com:88
 }

[domain_realm]
 .domain1.com = DOMAIN1.COM
 domain1.com = DOMAIN1.COM
 .domain2.com = DOMAIN2.COM
 domain2.com = DOMAIN2.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Join your server to the domain:
net ads join member -U {administrator}
Test the join:
net ads testjoin
NTP:
ntp is included in the Kerberos install because Kerberos depends on the servers' clocks being correct. It should be pointed to the same NTP server as your AD servers. I'll be happy to be more verbose in this section if anyone has any questions.


nsswitch
nsswitch.conf is the System Databases and Name Service Switch configuration file; it is part of the base-files package in Debian.
The file /etc/nsswitch.conf needs to be changed to use winbind for passwd, group, and shadow:
/etc/nsswitch.conf (snippet)
passwd:     files winbind
group:      files winbind
shadow:     files winbind

pamd
PAM is the Pluggable Authentication Modules framework for Linux.
There are several files we need to change in order to get authentication working with PAM: common-password, common-session, common-account and common-auth. Need more details about each section and why they are changed to ...

common-password
/etc/pam.d/common-password
password  sufficient   pam_unix.so nullok obscure md5
password  sufficient   pam_winbind.so use_first_pass 
password  required     pam_deny.so

common-session
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

common-account
/etc/pam.d/common-account
account sufficient        pam_winbind.so 
account sufficient        pam_unix.so
account required          pam_deny.so

common-auth
Need to explain this section, including why I am using the SID as opposed to the name or GID, and how one gets the SID using getent.
/etc/pam.d/common-auth
auth    sufficient    pam_winbind.so require_membership_of=S-x-x-xx-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-2777
auth    sufficient    pam_winbind.so require_membership_of=S-x-x-xx-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1190
auth    sufficient    pam_unix.so nullok_secure use_first_pass
auth    required      pam_deny.so
We are using the SID in common-auth because it is a unique identifier, as opposed to the RID or group name, which are not guaranteed to be unique across the domains.

Overview
In order to test you can use getent. You should now be able to find a user on the primary domain with "getent passwd | grep {user}". The results should look something like this:
getent passwd | grep fugit
fugit:*:101234:100123:Fugit Fugit:/home/DOMAIN1/fugit:/bin/sh

You should be able to run the command "getent group | grep DOMAIN2" and see the AD groups for domain2. You can do the same for users with the command "getent passwd | grep {user}":
getent passwd | grep tempus
DOMAIN2+tempus:*:202132:200123:tempus:/home/DOMAIN2/tempus:/bin/bash
In the above output please notice the '+' after the domain. This is needed to allow common Unix tools such as ssh to work. If you are seeing all of your users but ssh isn't working, please ensure you are using a '+' instead of a '/' as the domain separator. Also some troubleshooting notes.
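As an added check of the idmap and getent sections above (my own example, not code from the post), the following Python parses the rid-backend ranges out of the smb.conf shown earlier, confirms that the two domains' ranges do not overlap, computes the uid a given RID lands on (range_low + RID - base_rid), and checks that getent output in the form shown maps each account into its own domain's range. The config text and getent lines are constructed from the post's examples; the default-domain handling assumes "winbind use default domain = yes" with DOMAIN1 as the workgroup's domain, as configured above.

```python
import re
# Constructed from the smb.conf in the post: with the rid backend, winbind
# derives uid/gid = range_low + (RID - base_rid) for each trusted domain.
SMB_CONF = """
   idmap config DOMAIN1:backend = rid
   idmap config DOMAIN1:base_rid = 0
   idmap config DOMAIN1:range = 100000 - 199999
   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:base_rid = 0
   idmap config DOMAIN2:range = 200000 - 299999
"""
# Constructed getent lines in the post's format ('+' separator; a name with
# no separator belongs to the default domain, DOMAIN1, as configured above).
GETENT = [
    "fugit:*:101234:100123:Fugit Fugit:/home/DOMAIN1/fugit:/bin/sh",
    "DOMAIN2+tempus:*:202132:200123:tempus:/home/DOMAIN2/tempus:/bin/bash",
]

def parse_idmap(conf):
    """Return {DOMAIN: (base_rid, low, high)} for every rid-backed domain."""
    cfg = {}
    for m in re.finditer(r"idmap config (\w+):(\w+)\s*=\s*(.+)", conf):
        cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    out = {}
    for dom, d in cfg.items():
        if d.get("backend") == "rid":
            low, high = (int(x) for x in d["range"].replace(" ", "").split("-"))
            out[dom] = (int(d.get("base_rid", 0)), low, high)
    return out

def ranges_overlap(idmap):
    """True if two domains' ranges collide (their uids would be ambiguous)."""
    spans = sorted(v[1:] for v in idmap.values())
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))

def rid_to_id(idmap, domain, rid):
    """uid/gid the rid backend assigns, or None if it falls outside the range."""
    base, low, high = idmap[domain]
    uid = low + (rid - base)
    return uid if low <= uid <= high else None

def check_getent(idmap, lines, default_domain="DOMAIN1", sep="+"):
    """Map each passwd line to its domain and confirm uid and gid sit inside
    that domain's range; False means the account was mapped somewhere else."""
    results = {}
    for line in lines:
        name, _, uid, gid = line.split(":")[:4]
        dom = name.split(sep)[0] if sep in name else default_domain
        _, low, high = idmap[dom]
        results[name] = low <= int(uid) <= high and low <= int(gid) <= high
    return results
```

Run check_getent over the output of "getent passwd" on a joined host to spot accounts that fell into the catch-all tdb range instead of their domain's rid range.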

puppet
I am currently doing all of this via puppet except the "net ads join". I am hoping to be able to provide more details regarding handling this with puppet in the future.

Conclusion
I hope this was helpful to others trying to join Linux servers to an Active Directory (2008) forest with multiple trusted domains.


Comments on this Entry

Posted by rjc (131.111.xx.xx) on Thu 27 Jan 2011 at 20:30
Does anyone have a working setup with LDAP + Kerberos on Debian authenticating against AD?
No Samba, apart from network home drives - might be NFS as well.
Pointers to solutions appreciated.

Ta,

rjc


Posted by fugit (199.2.xx.xx) on Thu 27 Jan 2011 at 20:44
rjc, I'm just starting this post as a rough draft, but the final solution I'm posting uses winbind and not the full implementation of samba. I attempted to get ldap working but failed to get it to work with multiple domains under a single forest. My main goal was to not run full blown samba on each box, while still leveraging AD under multiple domains. I'll check my delicious links for ldap stuff.


Posted by simonw (84.45.xx.xx) on Fri 8 Apr 2011 at 20:33
The backports URL has a trailing double quote when clicked in Iceweasel.


Posted by fugit (96.224.xx.xx) on Sat 9 Apr 2011 at 15:28
Thanks, the link has been fixed.
