Since this setup automatically creates a home directory for a user as soon as they access the machine (via samba, ssh, console), I noticed some directories being created for computer accounts. To prevent this, I have added a line that only “Domain Users” are allowed to authenticate. To add this:
wbinfo -n "Domain Users"
It will spit out the SID for the Domain Users group. Something like this:
S-1-5-21-((some number))-((some number))-((some number)) Domain Group (2)
Take that number and change the Pam_winbind.so line in /etc/pam.d/common-session to look like this:
session sufficient pam_winbind.so require_membership_of=S-1-5-21-((some number))-((some number))-((some number)