diff --git a/roles/winbind/defaults/main.yml b/roles/winbind/defaults/main.yml
new file mode 100644
index 0000000..a006cfa
--- /dev/null
+++ b/roles/winbind/defaults/main.yml
@@ -0,0 +1,6 @@
+winbind_idmap_range: 16777216-33554431
+winbind_nss_info: rfc2307
+winbind_use_default_domain: true
+winbind_offline_login: true
+winbind_kerberos_method: secrets and keytab
+winbind_refresh_tickets: false
diff --git a/roles/winbind/files/winbind.p-use b/roles/winbind/files/winbind.p-use
new file mode 100644
index 0000000..7c896d2
--- /dev/null
+++ b/roles/winbind/files/winbind.p-use
@@ -0,0 +1,14 @@
+# vim: set ft=gentoo-package-use :
+
+# Dustin C. Hatch (29 Oct 2017)
+# Required for Active Directory support in Samba 4
+net-dns/bind-tools gssapi
+net-fs/cifs-utils ads upcall
+net-fs/samba ads addns ldap winbind
+net-fs/samba gnutls
+net-nds/openldap minimal
+net-nds/openldap sasl
+sys-libs/ntdb python
+sys-libs/talloc python
+sys-libs/tdb python
+sys-libs/tevent python
diff --git a/roles/winbind/handlers/main.yml b/roles/winbind/handlers/main.yml
new file mode 100644
index 0000000..c1763db
--- /dev/null
+++ b/roles/winbind/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart winbind
+ service:
+ name={{ winbind_svc }}
+ state=restarted
diff --git a/roles/winbind/meta/main.yml b/roles/winbind/meta/main.yml
new file mode 100644
index 0000000..ae1ac13
--- /dev/null
+++ b/roles/winbind/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- samba
diff --git a/roles/winbind/tasks/main.yml b/roles/winbind/tasks/main.yml
new file mode 100644
index 0000000..1f4f9ea
--- /dev/null
+++ b/roles/winbind/tasks/main.yml
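Review bot: `winbind_krb5_auth` is read by the pam_winbind.conf.j2 template added in this commit but has no default here, so rendering that template on a host that does not set it fails with an undefined-variable error; add `winbind_krb5_auth: false` (or `true`) next to the other switches. `winbind_offline_login: true` as the role-wide default deserves a second look: `winbind offline logon = yes` makes winbindd keep cached credential material on the host so domain users can authenticate without reaching a DC, which is convenient on laptops but a wider exposure on always-connected servers. Either default it to `false` or document the trade-off above the line with something like `# caches domain credentials locally for offline logon; prefer false on always-connected servers`. `winbind_idmap_backend` is deliberately absent (winbind.conf.j2 tests it with `is defined`), but a commented example such as `# winbind_idmap_backend: rid` would show what the role expects.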
@@ -0,0 +1,38 @@
+- name: ensure winbind use flags are set
+ copy:
+ src=winbind.p-use
+ dest=/etc/portage/package.use/samba-winbind
+ mode=0644
+ when: ansible_distribution == 'Gentoo'
+ tags:
+ - portage-config
+- name: ensure winbind package is installed
+ package:
+ name={{ winbind_pkg }}
+ state=present
+ tags:
+ - install
+
+- name: ensure winbind is configured
+ template:
+ src=winbind.conf.j2
+ dest=/etc/samba/winbind.conf
+ mode=0644
+ owner=root
+ group=root
+ notify: restart winbind
+
+- name: ensure winbind service starts at boot
+ service:
+ name={{ winbind_svc }}
+ enabled=yes
+
+- name: ensure krb5.conf.d directory exists
+ file:
+ path=/etc/krb5.conf.d
+ mode=0755
+ state=directory
+- name: ensure default kerberos realm is configured
+ template:
+ src=default-realm.krb5.conf.j2
+ dest=/etc/krb5.conf.d/default-realm.conf
diff --git a/roles/winbind/templates/default-realm.krb5.conf.j2 b/roles/winbind/templates/default-realm.krb5.conf.j2
new file mode 100644
index 0000000..93833bb
--- /dev/null
+++ b/roles/winbind/templates/default-realm.krb5.conf.j2
@@ -0,0 +1,2 @@
+[libdefaults]
+default_realm = {{ krb5_realm }}
diff --git a/roles/winbind/templates/pam_winbind.conf.j2 b/roles/winbind/templates/pam_winbind.conf.j2
new file mode 100644
index 0000000..dbb9354
--- /dev/null
+++ b/roles/winbind/templates/pam_winbind.conf.j2
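Review bot: The `ensure default kerberos realm is configured` task writes /etc/krb5.conf.d/default-realm.conf with no `mode`, `owner` or `group` and no `notify`, unlike the winbind.conf task above it, so the file takes whatever the umask gives and a realm change never restarts winbindd; add `mode=0644`, `owner=root`, `group=root` and `notify: restart winbind` to match. A drop-in under /etc/krb5.conf.d is only read when /etc/krb5.conf carries an `includedir /etc/krb5.conf.d` line, which nothing in this role appears to ensure, so a comment on the directory task such as `# assumes /etc/krb5.conf contains 'includedir /etc/krb5.conf.d'` would flag the dependency. The pam_winbind.conf.j2 template added in this commit is not deployed by any task here, so /etc/security/pam_winbind.conf stays at the package default. The service task only sets `enabled=yes`; if winbindd is expected to be running after the play, add `state=started`.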
@@ -0,0 +1,43 @@
+{#- vim: set ft=jinja : -#}
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+cached_login = yes
+
+# authenticate using kerberos
+krb5_auth = {{ 'yes' if winbind_krb5_auth else 'no' }}
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+{% if winbind_krb5_auth %}
+krb5_ccache_type = FILE
+{% else %}
+;krb5_ccache_type = FILE
+{% endif %}
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+silent = yes
+
+# create homedirectory on the fly
+;mkhomedir = no
diff --git a/roles/winbind/templates/winbind.conf.j2 b/roles/winbind/templates/winbind.conf.j2
new file mode 100644
index 0000000..2414332
--- /dev/null
+++ b/roles/winbind/templates/winbind.conf.j2
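Review bot: `require_membership_of` is left commented out, so once this file is installed every domain account winbind can resolve is permitted to authenticate on the host and there is no way to narrow that without editing the template. Exposing it as a role variable the same way `krb5_auth` already is, e.g. `{% if winbind_require_membership_of is defined %}` / `require_membership_of = {{ winbind_require_membership_of }}` / `{% endif %}`, lets a host restrict logins to one group SID. `silent = yes` suppresses pam_winbind's conversation messages, and with `warn_pwd_expire` still commented out users get no password-expiry notice at all; if that is intended, say so in the comment above `silent`. `cached_login = yes` depends on `winbind offline logon = yes`, which the role's winbind.conf.j2 only emits when `winbind_offline_login` is true, so a host that turns that variable off silently loses cached logins; the comment text also has a typo, `dependend` should be `dependent`.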
@@ -0,0 +1,26 @@
+template homedir = /home/%U
+template shell = /bin/bash
+
+{% if winbind_idmap_backend is defined %}
+idmap backend = {{ winbind_idmap_backend }}
+idmap config * : backend = {{ winbind_idmap_backend }}
+{% endif %}
+idmap config * : range = {{ winbind_idmap_range }}
+
+kerberos method = {{ winbind_kerberos_method }}
+
+winbind nss info = {{ winbind_nss_info }}
+winbind use default domain = {{ 'yes' if winbind_use_default_domain else 'no' }}
+winbind offline logon = {{ 'yes' if winbind_offline_login else 'no' }}
+winbind refresh tickets = {{ 'yes' if winbind_refresh_tickets else 'no' }}
+{% if winbind_ignore_domains|d %}
+winbind:ignore domains = {{ winbind_ignore_domains|join(' ') }}
+{% endif %}
+
+client ldap sasl wrapping = seal
+
+dns proxy = no
+domain master = no
+local master = no
+preferred master = no
+os level = 0
diff --git a/roles/winbind/vars/main.yml b/roles/winbind/vars/main.yml
new file mode 100644
index 0000000..b7bfe9f
--- /dev/null
+++ b/roles/winbind/vars/main.yml
@@ -0,0 +1,2 @@
+samba_use_winbind: true
+samba_security: ads
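Review bot: Both `idmap backend = …` and `idmap config * : backend = …` are emitted when `winbind_idmap_backend` is set; the bare `idmap backend` form is the pre-4.0 spelling that Samba deprecated in favour of the per-domain `idmap config` syntax, so on the Samba 4 build this role targets it is at best redundant and may draw an unknown-parameter warning from testparm — keeping only the `idmap config * : backend` line is enough. When the variable is unset, the `*` range is written with no backend and Samba falls back to its default tdb allocator, so UIDs/GIDs are assigned per host and will not match across machines; a comment such as `# no backend configured: Samba falls back to host-local tdb allocation, IDs are not stable across hosts` above the range line would make that consequence visible to whoever deploys the role. `template shell = /bin/bash` hands every resolvable domain user an interactive shell; whether login is actually restricted is decided in the PAM configuration, which this file does not control, so the pairing is worth a one-line note.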