OpenLDAP and SSSD via PAM. It’s - well - let’s leave it at not very nice to put in place. It does the job once there however.
I am fairly convinced that Redhat, Novel and Oracle probably have a nice interface on top of it all to make it manageable and therefore have a vested interested in keeping it as awful as possible for the rest of the world.
Using ‘ldap+kerberos’ is like saying your api is ‘rest+tls’. It is a protocol/format. The value in AD is how the format is used and its impact on systems and users.
So yes, Samba sounds more sensible.
When I played with it I stayed away from self-managing something like it for linux-only systems and for mixed/cloud/online systems I use Entra Id
I am fairly convinced that Redhat, Novel and Oracle probably have a nice interface on top of it all to make it manageable and therefore have a vested interested in keeping it as awful as possible for the rest of the world.