SSSD from the Fedora Project provides NSS and PAM mechanisms for cached network credentials (notebook users can still log in when disconnected). SSSD is available in the main repos for both Fedora and Ubuntu.
The following sssd.conf worked for our environment. (Making it work with FreeIPA, or with OpenLDAP and Kerberos, is far less fiddly.)
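# sssd.conf: identity lookups over LDAP and authentication over Kerberos
# against an Active Directory server.
# This file contains a bind password: keep it owned by root with mode 0600.

[sssd]
domains = MYDOMAIN
services = nss, pam
config_file_version = 2
sbus_timeout = 30

[pam]
# Days a cached login stays usable while offline; 0 means no limit.
# A finite value bounds how long a lost or stolen notebook keeps accepting
# cached credentials.
offline_credentials_expiration = 0

[domain/MYDOMAIN]
description = MYDOMAIN AD Server
#debug_level = 9
enumerate = true
ldap_referrals = false
min_id = 1000
# permit = every account the directory returns may log in on this host.
# Use access_provider = simple or ldap if logins should be restricted.
access_provider = permit
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://my.ldap.server
ldap_search_base = dc=my,dc=ad,dc=domain
# TLS/SSL is supported
# NOTE(review): with StartTLS off on an ldap:// URI, the bind password below
# and every lookup result cross the network unencrypted. Prefer True (with
# ldap_tls_cacert pointing at the CA that signed the server certificate).
ldap_id_use_start_tls = False

# If you do not have anonymous binds enabled
# User that can read from AD, any normal user should work. Update as necessary
# A dedicated read-only account is safer than a person's own credentials,
# because this password is stored in clear text in this file.
ldap_default_bind_dn = firstname.lastname@example.org
# Leave this as password
ldap_default_authtok_type = password
# The ldap users actual password, update as necessary
ldap_default_authtok = password

# This is the important stuff for making AD LDAP work
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = True

# I love this setting
override_homedir = /home/%u

# kerberos config
auth_provider = krb5
krb5_server = dc.my.ad.domain
krb5_realm = MY.AD.DOMAIN
# This will probably not work for changing passwords
# NOTE(review): current sssd-krb5 documentation appears to spell this option
# krb5_changepw_principal; verify against the installed version.
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
# Stores a hash of the password locally so that offline logins work.
cache_credentials = True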