About

Similar to PAM password sync, Samba can use LDAP as a backend for managing users. This tutorial summarizes the steps necessary to use OpenLDAP as the Samba authentication backend (passdb backend) on Debian.

Diagram

The configuration uses a single OpenLDAP server to authenticate against and multiple classic primary domain controllers; this allows managing domain assets (users, groups and machine accounts) from a central server, without requiring client machines to join the domain using Kerberos.

Requirements

Setting up Samba OpenLDAP Schema

Copy the Samba LDAP schema (found in Debian at /usr/share/doc/samba/examples/LDAP/samba.schema.gz) to /etc/ldap/schema:

zcat /usr/share/doc/samba/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Create a temporary file anywhere named samba.conf with the contents:

include          /etc/ldap/schema/core.schema
include          /etc/ldap/schema/cosine.schema
include          /etc/ldap/schema/nis.schema
include          /etc/ldap/schema/inetorgperson.schema
include          /etc/ldap/schema/samba.schema

then create a directory /tmp/slapd.d/ to hold the converted files:

mkdir -p /tmp/slapd.d

finally issue:

slaptest -f samba.conf -F /tmp/slapd.d/

If successful, the output should read:

config file testing succeeded

Next, copy the generated schema LDIF into the live OpenLDAP configuration directory, adjust ownership and restart slapd (the Debian service name for OpenLDAP). The {4} index only comes from samba.schema being the fifth include in samba.conf; it matches a stock Debian slapd whose cn=config holds exactly {0}core, {1}cosine, {2}nis and {3}inetorgperson. If the live listing (checked below) already ends at a different index, rename the file to the next free index and change the dn: and cn: lines inside it to the same value before copying, otherwise slapd may fail to load its configuration:

cp "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
chown openldap:openldap "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}samba.ldif"
/etc/init.d/slapd restart

To check that the schema is loaded, issue:

ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn

Amongst the listed objects, there should be:

dn: cn={4}samba,cn=schema,cn=config
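The copy step above hardcodes cn={4}samba.ldif, which is only right when the live cn=config holds exactly the four stock Debian schemas. The following shell script, an added example that is not part of the original page, derives the next free index from the ldapsearch listing shown above, rewrites both the file name and the dn:/cn: lines inside the LDIF that slaptest generated, and skips the install when a samba schema entry already exists. SAMPLE_LISTING is a constructed listing used for the offline check; the paths are the Debian ones the page uses and the Debian service name slapd is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: convert samba.schema with slaptest
# and install it under the next free cn={N} index of the live cn=config instead
# of hardcoding cn={4}samba.ldif. Paths are the Debian ones used by the page.
set -eu

SCHEMA_SRC=/usr/share/doc/samba/examples/LDAP/samba.schema.gz
SCHEMA_DIR=/etc/ldap/schema
SLAPD_D=/etc/ldap/slapd.d

# Constructed sample of what the ldapsearch on cn=schema,cn=config prints on a
# stock Debian slapd (four schemas loaded, samba not yet present).
SAMPLE_LISTING='dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config'

# Read a schema listing on stdin and print the highest {N} in use, or -1 if
# no indexed schema entry is present.
highest_schema_index() {
    awk '
        /^dn: cn=\{[0-9]+\}/ {
            n = $0
            sub(/^dn: cn=\{/, "", n)
            sub(/\}.*/, "", n)
            if (n + 0 > max) max = n + 0
            seen = 1
        }
        END { print (seen ? max : -1) }
    ' max=0 seen=0
}

# Read a schema listing on stdin and print 1 if a samba schema entry exists, else 0.
samba_schema_loaded() {
    if grep -q '^dn: cn={[0-9]*}samba,cn=schema,cn=config'; then
        echo 1
    else
        echo 0
    fi
}

install_samba_schema() {
    work=$(mktemp -d)
    zcat "$SCHEMA_SRC" > "$SCHEMA_DIR/samba.schema"
    cat > "$work/samba.conf" <<EOF
include $SCHEMA_DIR/core.schema
include $SCHEMA_DIR/cosine.schema
include $SCHEMA_DIR/nis.schema
include $SCHEMA_DIR/inetorgperson.schema
include $SCHEMA_DIR/samba.schema
EOF
    mkdir -p "$work/slapd.d"
    slaptest -f "$work/samba.conf" -F "$work/slapd.d"

    listing=$(ldapsearch -LLLQY EXTERNAL -H ldapi:/// \
        -b cn=schema,cn=config '(objectClass=olcSchemaConfig)' dn)
    if [ "$(printf '%s\n' "$listing" | samba_schema_loaded)" = 1 ]; then
        echo "samba schema is already loaded, nothing to do" >&2
        return 0
    fi
    next=$(( $(printf '%s\n' "$listing" | highest_schema_index) + 1 ))

    # samba.schema is the fifth include above, so slaptest always emits {4};
    # rewrite the index in the file name and in its dn:/cn: lines to match.
    src="$work/slapd.d/cn=config/cn=schema/cn={4}samba.ldif"
    dst="$SLAPD_D/cn=config/cn=schema/cn={$next}samba.ldif"
    sed "s/{4}samba/{$next}samba/g" "$src" > "$dst"
    chown openldap:openldap "$dst"
    chmod 0600 "$dst"
    /etc/init.d/slapd restart
    echo "installed samba schema as cn={$next}samba"
}

# Run the real installation only when asked explicitly: sh script.sh install
if [ "${1:-}" = install ]; then
    install_samba_schema
fi
```

Run it as root with the argument install; without an argument it only defines the functions, so the index logic can be exercised against a saved listing before touching a live server.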

Using Samba Tools to Populate OpenLDAP

Install the samba LDAP tools by issuing:

aptitude install smbldap-tools

and create the directory /etc/smbldap-tools if it does not exist.

Next copy smbldap_bind.conf and smbldap.conf from the smbldap-tools package to /etc/smbldap-tools:

cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

The files can now be edited to suit the local configuration.

Edit /etc/smbldap-tools/smbldap_bind.conf and set slaveDN, masterDN and the passwords for both. If there is no replica (slave) OpenLDAP server, set the slave entries to the same values as the master ones. The file holds the bind password in clear text, so keep it readable by root only (mode 0600).

Edit /etc/smbldap-tools/smbldap.conf and change:

suffix="ou=samba,dc=example,dc=com"
SID="S-1-5-21-2252255531-4061614174-2474224977"

where:

  • dc=example,dc=com is the base DN,
  • samba is an organizational unit that must be created on the OpenLDAP server (see below),
  • SID is the local SID retrieved on the domain controller with the command net getlocalsid; the rest of the tutorial assumes that S-1-5-21-2252255531-4061614174-2474224977 is the configured SID.

The consequence of using an additional OU instead of the base DN is that all Samba related objects are created as children of the samba organizational unit, keeping the rest of the directory tree clean.

To create the samba organisational unit, issue:

cat > sambaou.ldif <<EOF
version: 1

# Entry 1: ou=samba,dc=example,dc=com
dn: ou=samba,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: samba
EOF

which creates the file sambaou.ldif. After editing sambaou.ldif and setting the dn to match the local base DN, the file can be imported by issuing:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -H ldap://SERVER.TLD -f sambaou.ldif

This is a simple bind (-x) with the administrative password (-W); add -ZZ to require STARTTLS whenever the server is reached over the network, otherwise the password crosses it in clear text.

where:

  • cn=admin,dc=example,dc=com is the administrative DN and,
  • SERVER.TLD is the server name or IP of the OpenLDAP server.

Other interesting settings in /etc/smbldap-tools/smbldap.conf include:

  • ldapTLS, which should be set to 0 only if the server cannot be reached over TLS; with ldapTLS="0" the bind password and every password set through smbldap-passwd cross the network in clear text, which is acceptable only when the OpenLDAP server runs on the same host,
  • masterLDAP and slaveLDAP, which should be changed to the local OpenLDAP server(s).

With the Samba LDAP tools configured, issue:

smbldap-populate

which, amongst other things, should print out the domain SID on the first line and prompt for a root password.

Configure Samba

An example template for configuring Samba is provided on the Samba templates page. The following configuration has to be added to the Global section of the Samba configuration:

    server role = classic primary domain controller
    passdb backend = ldapsam:ldap://example.com
    ldap suffix = ou=samba,dc=example,dc=com
    ldap admin dn = cn=admin,dc=example,dc=com
    ldap ssl = off
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap password sync = yes

ldap ssl = off disables STARTTLS between Samba and the OpenLDAP server, so the ldap admin dn password is sent in clear text on every bind; set ldap ssl = start tls once the OpenLDAP server has a certificate, unless Samba reaches it only over loopback. With the configuration in place, restart Samba by issuing:

/etc/init.d/samba restart

Next, store the password of the ldap admin dn in Samba's secrets.tdb so that Samba can bind to the OpenLDAP server:

smbpasswd -W

Setting the Domain SID for All Machines

By issuing:

net getdomainsid

a domain SID is retrieved along the lines of S-1-5-21-2252255531-4061614174-2474224977. It must equal the SID set in smbldap.conf (the one smbldap-populate stored in the sambaDomain entry), and it has to be the same on all machines, so issue the command:

net setdomainsid S-1-5-21-2252255531-4061614174-2474224977

on all machines that want to use the same LDAP server for authentication.
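As an added example (not part of the original page), the following script checks that the SID on this machine, as reported by net getdomainsid, equals the sambaSID of the sambaDomain object that smbldap-populate created, before the value is pushed to other machines with net setdomainsid. The ldap://SERVER.TLD URI and the ou=samba,dc=example,dc=com suffix are the page's placeholders; SAMPLE_NET and SAMPLE_LDAP are constructed outputs for the offline check, and an anonymous simple bind (-x) that is allowed to read sambaSID is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: verify that this machine's domain
# SID equals the sambaSID of the sambaDomain entry in LDAP and print the
# "net setdomainsid" command to run if it does not.
# LDAP_URI and SUFFIX are placeholders matching the page's examples.
set -eu

LDAP_URI=ldap://SERVER.TLD
SUFFIX='ou=samba,dc=example,dc=com'

# Constructed samples of the two outputs the check parses.
SAMPLE_NET='SID for local machine pdc is: S-1-5-21-2252255531-4061614174-2474224977
SID for domain EXAMPLE is: S-1-5-21-2252255531-4061614174-2474224977'
SAMPLE_LDAP='dn: sambaDomainName=EXAMPLE,ou=samba,dc=example,dc=com
sambaSID: S-1-5-21-2252255531-4061614174-2474224977'

# Print the first domain SID (S-1-5-21-x-y-z, any trailing RID dropped) found on stdin.
extract_sid() {
    sed -n 's/.*\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\).*/\1/p' | head -n 1
}

# From "net getdomainsid" output, print only the SID on the domain line
# (the "local machine" line differs on domain members).
domain_sid_from_net() {
    grep 'SID for domain' | extract_sid
}

# Succeed only when both SIDs are present and identical.
sids_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

check_domain_sid() {
    local_sid=$(net getdomainsid | domain_sid_from_net)
    ldap_sid=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$SUFFIX" \
        '(objectClass=sambaDomain)' sambaSID | extract_sid)
    if sids_match "$local_sid" "$ldap_sid"; then
        echo "OK: domain SID $local_sid matches LDAP"
    else
        echo "MISMATCH: local='$local_sid' ldap='$ldap_sid'" >&2
        [ -n "$ldap_sid" ] && echo "run: net setdomainsid $ldap_sid" >&2
        return 1
    fi
}

# Query the live system only when asked explicitly: sh script.sh check
if [ "${1:-}" = check ]; then
    check_domain_sid
fi
```

Run it with the argument check on every domain controller after net setdomainsid; a non-zero exit means the machine still disagrees with the directory and will treat the LDAP accounts as belonging to a foreign domain.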

Managing Users and Groups

Managing users and groups can be done with the smbldap-* commands of the smbldap-tools package. For instance, adding a user would require issuing:

smbldap-useradd -a -P -m test

where:

  • -a adds the Samba (Windows) account attributes to the LDAP entry, so the user can log on to the domain rather than being a POSIX-only account,
  • -P prompts for a password once the user is created, by running smbldap-passwd,
  • -m creates a home directory for the user,
  • test is the user name.

All created users are placed in the Domain Users LDAP group by default. To change the groups that a user belongs to, the smbldap-usermod tool can be used.


samba/ldap_authentication_backend.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
