
Re: Help Understanding Samba/ssh/LDAP/sssd/Kerberos/File Sharing?



On Thu, Feb 18, 2021, 8:11 PM Kent West <westk@acu.edu> wrote:
Ultimate goal:
 1. Allow Windows/Mac users to map drives to Debian fileshares.
 2. Allow Windows/Mac users to ssh into same Debian box.

Near as I've been able to figure out (the web documentation seems to be all over the map), there are basically three ways of authenticating users for logging into a Debian box (at the console, or possibly via ssh, or possibly to access Samba fileshares):

1) the oldest and least-preferred method - LDAP and manual configuration of various files
2) the winbindd method - still supported, but perhaps on the road to deprecation in favor of sssd
3) the "modern" sssd method
(Kerberos also seems to be a method, but that may be wrapped up in one or the other above methods.)

It is my (possibly incorrect) understanding that the sssd method does not yet provide Samba filesharing capabilities, making winbindd the preferred choice.

I have found the realmd tool, which makes the setup of either winbindd or sssd for console-based logins pretty easy. I can get console-based logins to work with either of these two methods:

winbindd:

realm join --membership-software=samba --client-software=winbind -U [domain-add-capable user] [domain-name]

sssd:

realm join -U [domain-add-capable user] [domain-name]

With either of these two methods, I can log into the console with a login like:
 user@domain

But with the sssd method, I could never get samba shares to work. With the winbind method, I can't get ssh to work. And a huge roadblock is that I've simply been unable to wrap my brain around what is needed; as mentioned, the web documentation is all over the map.

So with all that said, my basic question here: Is my understanding of the three methods, for joining an Active Directory domain, validating users from it for console logins, ssh logins, and mapping drives shared from the Debian box, close to correct?

My experience is that any medium-sized and larger organization uses LDAP. Either Windows based AD acting as LDAP servers or true LDAP servers handling authentication.

Just like any other config, you can automate and templatize LDAP configuration. In one recent position I used Salt to deploy LDAP and Samba config to several hundred servers - with no config file editing. You shouldn't have to. You use template files that Salt updates for each separate install. There are plenty of other tools besides Salt to accomplish the same.

Thanks!


--
Kent West                    <")))><
Westing Peacefully - http://kentwest.blogspot.com
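An added check, not part of this thread or of realmd, for the kind of mismatch the original poster describes: it reads nsswitch.conf, pam.d/common-auth, sshd_config and smb.conf from paths you pass in and reports which backend (winbind or sss) each layer is wired to, because an AD user that NSS can resolve still cannot log in over ssh with a password unless the PAM stack has the matching module. The file contents are constructed samples, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the thread: report which AD client stack (winbind or
# sssd) a Debian host is wired into at each layer that console/ssh logins and
# Samba depend on. Functions take file paths so the sample below runs offline.

# Backend named on the passwd: line of nsswitch.conf (winbind, sss, or none).
nss_backend() {
    line=$(grep -E '^[[:space:]]*passwd:' "$1" | head -n 1)
    case "$line" in
        *winbind*) echo winbind ;;
        *sss*)     echo sss ;;
        *)         echo none ;;
    esac
}

# PAM module enabled (not commented out) in a pam.d file such as common-auth.
pam_backend() {
    if   grep -qE '^[^#]*pam_winbind\.so' "$1"; then echo winbind
    elif grep -qE '^[^#]*pam_sss\.so'     "$1"; then echo sss
    else echo none
    fi
}

# Value of a keyword in sshd_config; sshd honours the first occurrence.
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Value of a key in smb.conf, e.g. "security" or "realm".
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Exit 0 when NSS and PAM agree on a backend; 1 when users resolve via NSS
# but no PAM module is present that can check their AD password.
layers_consistent() {
    n=$(nss_backend "$1"); p=$(pam_backend "$2")
    [ "$n" != none ] && [ "$n" = "$p" ]
}

# Constructed sample: a winbind join whose common-auth lacks pam_winbind.
d=$(mktemp -d)
printf 'passwd: files systemd winbind\ngroup: files systemd winbind\n' > "$d/nsswitch.conf"
printf 'auth [success=1 default=ignore] pam_unix.so nullok\n# auth ... pam_winbind.so\n' > "$d/common-auth"
printf 'UsePAM yes\nPasswordAuthentication yes\n' > "$d/sshd_config"
printf '[global]\n   security = ads\n   realm = EXAMPLE.COM\n' > "$d/smb.conf"

echo "nss=$(nss_backend "$d/nsswitch.conf") pam=$(pam_backend "$d/common-auth")"
echo "sshd UsePAM=$(sshd_value "$d/sshd_config" UsePAM) smb security=$(smb_value "$d/smb.conf" security)"
layers_consistent "$d/nsswitch.conf" "$d/common-auth" || echo "NSS and PAM disagree: AD users resolve but cannot authenticate"
```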
