The discussion on LWN contains a lot of useful
"I personally find several advantages for using samba winbind over
straight Kerberos + LDAP.
"1. Samba joins AD as a regular host. If you want to use plain
Kerberos with pam authentication, you'll have to make
host/server@REALM users by hand in AD instead of machine accounts
and export a /etc/krb5.keytab file using Microsoft's ktpass tool
from the windows support tools. ktpass has a lot of weird
limitations and an uncertain future. I have done this, and it
works, but the samba way is easier.
"2. Winbind can use regular microsoft groups. Most Unix ->
LDAP solutions, regardless of what your LDAP server is (Microsoft?
Sun? Novell? IBM? OpenLDAP), use rfc2307 attributes for uid, gid,
home directory, shell, etc. There is a subtle but important
difference between rfc2307 and rfc2307bis: group members in rfc2307
were LDAP IA5string types (lists of usernames, compare /etc/group).
rfc2307bis also allows group members to be LDAP "distinguished
names". Microsoft groups in AD use DN's in the "member" attribute.
winbind lets you tap into the regular groups, including nested
group memberships. If you don't use winbind you may be spending a
lot of time mucking around in tools like adsiedit and using
different procedures to edit your unix groups than your windows
groups. Microsoft has extensions to their "active directory user
and computer" tool for "unix attributes" tabs, but those don't
include any decent editing support for group memberships. A plain
LDAP implementation is going to have more trouble in
/etc/nsswitch.conf with mapping groups."