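PBIS makes it easy to join a domain and then authenticate against it, which is much more convenient than winbind + samba. It used to be called LikeWise and now goes by this name; there is an open-source edition, and its features are sufficient.

#1: Download
https://github.com/BeyondTrust/pbis-open/releases
#2: Install, the default settings are fine
sh pbis-open-8.5.4.334.linux.x86_64.deb.sh
#3: Join the domain
domainjoin-cli join test.net admin
#4: Custom settings you may need
/opt/pbis/bin/config HomeDirTemplate '%H/%D/%U'
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/config HomeDirUmask 077
/opt/pbis/bin/config UserDomainPrefix test.net
/opt/pbis/bin/config AssumeDefaultDomain true
#/opt/pbis/bin/config RequireMembershipOf test\\LinuxUser test\\new  # allow the LinuxUser group and the user new to log in
# Allow a user group to be sudoers
%test\\LinuxAdmins ALL=(ALL:ALL) ALL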

If you were previously using winbind + samba authentication

1: Leave the domain first
net ads leave -U test.netadministrator
2: Delete the winbind-related entries under /etc/pam.d/, and also delete winbind from /etc/nsswitch.conf
cat /etc/pam.d/common-account
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_lsass.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-password
password [success=2 default=ignore] pam_lsass.so
password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
#--------------------------------------------------
cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
session optional pam_systemd.so
#--------------------------------------------------
cat /etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_lsass.so
session required pam_unix.so
#--------------------------------------------------
cat /etc/nsswitch.conf
passwd: compat lsass
group: compat lsass
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
3: If you still want to use samba, you can remove winbind (it is no longer needed).
net cache flush  # without this step, samba keeps using the old winbind UIDs
#--------------------------------------------------
cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
security = ads
workgroup = TEST
realm = TEST.NET
client ntlmv2 auth = yes
encrypt passwords = yes
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
machine password timeout = 0
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700

/opt/pbis/bin/samba-interop-install --install  # samba can now authenticate through pbis
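
Hand-editing the PAM files in step 2 is where the migration most often goes wrong: removing or adding a module line shifts what each `success=N` jump lands on. The following is an added example, not part of the original post or of PBIS: a Python check that flags leftover winbind entries and jumps that land on pam_deny.so or run past the stack, assuming the deny/permit layout shown above. The function names and the sample stack are constructed for illustration.

```python
import re

def parse_pam(text):
    """Group the module lines of a PAM file by type: {type: [(control, module)]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:  # blank lines, comments and @include lines do not match
            stacks.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return stacks

def audit_pam(text):
    """Flag winbind leftovers and numeric jumps that hit pam_deny.so or overrun."""
    findings = []
    for kind, stack in parse_pam(text).items():
        for i, (control, module) in enumerate(stack):
            if "winbind" in module:
                findings.append(f"{kind}: leftover {module}")
            for n in map(int, re.findall(r"\w+=(\d+)\b", control)):
                target = i + n + 1  # a jump of N skips the next N modules
                if target >= len(stack):
                    findings.append(f"{kind}: {module} jumps {n} past the end")
                elif stack[target][1] == "pam_deny.so":
                    findings.append(f"{kind}: {module} jump {n} lands on pam_deny.so")
    return findings

def audit_nsswitch(text):
    """passwd and group must list lsass and no longer list winbind."""
    findings = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() in ("passwd", "group"):
            if "winbind" in sources.split():
                findings.append(f"{db.strip()}: winbind still listed")
            if "lsass" not in sources.split():
                findings.append(f"{db.strip()}: lsass missing")
    return findings

# Constructed sample: pam_lsass.so added on top of an old winbind stack by hand.
BAD_AUTH = """\
auth [success=2 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so
auth requisite pam_deny.so
auth required pam_permit.so
"""

if __name__ == "__main__":
    print(audit_pam(BAD_AUTH))
```

In the constructed stack a successful pam_lsass.so login is sent straight to pam_deny.so, so domain users would be locked out even though the password was correct.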

Also, the bash prompt shows the user name in the form test\username; to make it look nicer, change it to just username:
sed -i "58s#^.*\$#&\nmodify_username()\n{\necho \$USER|awk -F \\\\\\\\ '{print \$NF}'\n}\n#;s#\\\\u#\$(modify_username)#g" /etc/skel/.bashrc

# samba reports this error:
# Bad talloc magic value - access after free
apt-get install libtalloc2
# When joining the domain, this appears:
# Error: ERROR_GEN_FAILURE [code 0x0000001f]
apt-get remove avahi-daemon

Original link: https://www.f2er.com/ubuntu/352197.html