From LDAP to Samba

While my days of system administration are mostly a thing of the past, from time to time I miss getting my hands “dirty” with some “real” Linux work, as was the case when I decided to upgrade my Ubuntu 12.04 LTS box to a Samba domain controller. Mainly, I was interested in having a single login and password across a variety of client computers, so I decided to use LDAP as a backend.

Disclaimer: Large parts of this tutorial are based on a variety of guides, manuals, and how-tos. I found, however, most of these either lacking some aspects of configuring LDAP and Samba, or to contain instructions that would not work using my exact version of Ubuntu (which is quite a feat for the OFFICIAL server guide!).

Throughout this text I will be referring to my domain and my server name. For your own setup, please substitute the names accordingly.

To start, make sure that the host name is set up correctly on your system, since that is what LDAP will base its distinguished name (DN) on.

$ cat /etc/hosts
localhost ldap

Installing LDAP
Install the LDAP backend via apt-get, and enter a new password to be used for LDAP administration in the configuration dialog that follows:

$ sudo apt-get install slapd ldap-utils

At this point you should have a basic LDAP schema under /etc/ldap/. For testing purposes, it makes sense to increase the logging output LDAP produces. To do so, create a file called logging.ldif with the following content:

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

Then, import the new setting using the following commands:

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
$ sudo service slapd restart

Enable Authentication
Next, turn on using LDAP for authentication by installing libnss-ldap:

$ sudo apt-get install libnss-ldap

Choose the following options in the configuration dialog (adjust accordingly again):

LDAP server URL: ldap://
DN of the search base: dc=afqa123,dc=com
LDAP Version: 3
Make local root database admin: yes
Require login: no
LDAP account for root: cn=admin,dc=afqa123,dc=com
Password: repeat the administrative password from before

Then, set up the LDAP profile for NSS and inform your system to use it for authentication by selecting LDAP in the configuration dialog that follows:

$ sudo auth-client-config -t nss -p lac_ldap
$ sudo pam-auth-update

Install Samba
At this point you are ready to install Samba using apt-get:

$ sudo apt-get install samba samba-doc smbldap-tools

LDAP doesn’t come with schema information specific to Samba, so we need to manually import it:

$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.ldif.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.ldif.gz
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif

Next, insert the following into a file called samba_indices.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

and import the file using:

$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

The smbldap-tools package should come with a script to automatically generate configuration files for you, but the current version (0.9.7) contains a bug which excludes said script. This means you have to copy the config scripts and edit them by hand:

$ sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
$ sudo gzip -d /etc/smbldap-tools/smbldap.conf.gz

You will need to adjust the following keys:

  1. SID – find the value by running the following command: $ sudo net getlocalsid
  2. sambaDomain – a name for your domain like “SAMBA” or “MYDOMAIN”
  3. slaveLDAP – comment out using #
  4. slavePort – ditto
  5. masterLDAP – set to your host name, e.g.
  6. ldapTLS – set to 0, since we are not using TLS
  7. verify – set to none
  8. suffix – set to DN, e.g. dc=afqa123,dc=com

Finally, populate the LDAP database using:

$ sudo smbldap-populate

You should now be able to see the Samba groups:

$ sudo getent group
Domain Admins:*:512:
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:

Configuring LDAP Account Manager
While it is entirely possible to configure LDAP users from the command line, it is not very practical to do so. Let’s install the web-based LDAP account manager (LAM) to make our life a little easier:

$ sudo apt-get install ldap-account-manager

LAM is available under http://localhost/lam/ at this point. You’ll first have to set up some things, so click on the LAM Configuration link at the top of the page, and select “Edit server profiles”. The default password for LAM is “lam”, which you should change eventually. Edit the “Tree suffix” to match your DN, and set the list of valid users to “cn=admin,dc=afqa123,dc=com”. Then, switch to the account types tab and update the LDAP suffixes for each type.

After saving the changes, you should be able to log into LAM using your administrative password. If all went well, you should see a couple of users (root, nobody), the Samba groups, as well as your Samba domain. At this point, create a new user for testing purposes and enable the Samba 3 extension.

Configure Samba
The final piece of the server configuration is Samba itself. You can copy the example config which comes with smbldap-tools:

$ sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf

There are a number of lines in /etc/samba/smb.conf that need to be adjusted. Note that this maps your $HOME drive to Z:.

[global]
# your workgroup name
workgroup = SAMBA
# name for your samba server
netbios name = LDAP
wins support = Yes
wins proxy = No
;logon home =
logon drive = Z:
;logon script =
passdb backend = ldapsam:"ldap://"
ldap ssl = off
ldap admin dn = cn=admin,dc=afqa123,dc=com
ldap suffix = dc=afqa123,dc=com

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0775
directory mask = 0775
valid users = %S

Apply the new configuration, and supply the LDAP admin password:

$ sudo service smbd restart
$ sudo service nmbd restart
$ sudo smbpasswd -w {your password}
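
With ldapTLS set to 0 and verify set to none in smbldap.conf, and ldap ssl = off with an ldap:// passdb backend in smb.conf, binds (including the LDAP admin password) are sent to the LDAP server unencrypted. The script below is an added example, not part of the original post or of Samba or smbldap-tools; it reports exactly those settings in the two files. The function names and the host ldap.example.test are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report settings that leave
# Samba <-> LDAP traffic unencrypted. Returns 1 if anything is reported.
audit_ldap_transport() {
    awk '
    function trim(s) { gsub(/^[ \t"]+|[ \t"]+$/, "", s); return s }
    function report(loc, msg) { print loc ": " msg; found = 1 }
    /^[ \t]*[#;]/ { next }                    # whole-line comments
    {
        eq = index($0, "=")
        if (eq == 0) next                     # section headers, blank lines
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        where = FILENAME ":" FNR
        # smb.conf: remember both halves, decide in END
        if (key == "passdb backend" && val ~ /ldapsam:"?ldap:\/\//) plain = where
        if (key == "ldap ssl" && (val == "off" || val == "no")) ssl_off = where
        # smbldap.conf
        if (key == "ldaptls" && val == "0")
            report(where, "ldapTLS=0, smbldap-tools binds without StartTLS")
        if (key == "verify" && val == "none")
            report(where, "verify=none, LDAP server certificate is not checked")
    }
    END {
        # ldap:// alone is fine when StartTLS is on; flag only the combination
        if (plain != "" && ssl_off != "")
            report(ssl_off, "ldap ssl = off with ldap:// passdb backend (" plain ")")
        exit found + 0
    }' "$@"
}

# Constructed sample input mirroring the values chosen in this guide;
# ldap.example.test is a placeholder host, not the author's server.
demo_ldap_audit() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '[global]' 'passdb backend = ldapsam:"ldap://ldap.example.test"' \
        'ldap ssl = off' > "$dir/smb.conf"
    printf '%s\n' 'ldapTLS="0"' 'verify="none"' > "$dir/smbldap.conf"
    rc=0
    audit_ldap_transport "$dir/smb.conf" "$dir/smbldap.conf" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Usage: audit_ldap_transport /etc/samba/smb.conf /etc/smbldap-tools/smbldap.conf
```

An smb.conf without an ldap ssl line is not flagged, since only an explicit off (or no) disables StartTLS for the ldapsam backend.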

Joining clients to the domain
At this point, I was able to join the Samba domain using Windows XP clients, but in order to do the same on a Windows 7 machine, I had to update the following registry settings, as described in the Samba wiki:

DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
