LDAP Samba PDC

Build and install Samba

First make sure that a samba rpm is not installed on your system.

root@ldap > rpm -qa | grep samba

This should produce no output. If a package is installed, remove it first; you may want to keep a copy of its smb.conf just in case something goes horribly wrong :-).

root@ldap > rpm -e samba

Download Samba 2.2.8a (the release used in this guide) from http://www.samba.org/. Samba signs its release tarballs with GPG; fetch the matching .asc file and verify the signature before building.

Then build and install it. Ensure that gcc is installed and correctly configured on your machine.

root@ldap > gunzip samba-2.2.8a.tar.gz
root@ldap > tar -xvf samba-2.2.8a.tar
root@ldap > cd samba-2.2.8a/source/
root@ldap > ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --with-ldapsam --with-ssl --with-pam --with-pam_smbpass
root@ldap > make
root@ldap > make install

NOTE: If you need to go back and do this again, remove config.cache. It may save you some headaches.

Set your LDAP administrator's password

The Samba PDC requires write access to your LDAP server (for example to create machine trust accounts). It binds as the ldap admin dn configured in smb.conf (see below), and the password for that DN is held in secrets.tdb (/usr/local/samba/private/secrets.tdb with the prefix used here). The password is stored there unencrypted, so the file must be owned by root with mode 0600. Once the ldap admin dn is configured, as root type in:

root@ldap > smbpasswd -w your_password

The password is given on the command line, so it lands in your shell history and is briefly visible in the process list; clear the history entry afterwards.

Configure smb.conf

smb.conf is located in lib directory of your samba installation e.g. /usr/local/samba/lib/smb.conf. This requires some careful configuration to get things to work. Let's consider some of the essential settings.

Global Settings

[global]
workgroup = workgroupname 
server string = LDAP server running samba %v
netbios name = directory

# Windows administrators
# You can add users or groups (prefix groups with a '@')
domain admin group = l.rathbone c.evans @domadm

# SAMBA-LDAP declarations
ldap suffix = dc=your,dc=site,dc=com
# User with write access to the LDAP directory; its password is the one
# stored in secrets.tdb with smbpasswd -w (see above)
ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com
ldap port = 389
ldap server = ldap.your.site.com
# Upgrade the connection with STARTTLS on port 389 so the admin bind
# password and the users' password hashes never cross the wire in clear
ldap ssl = start tls

# Create machine trust accounts automatically 
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

# this tells Samba to use a separate log file for each machine
# that connects
log file = /usr/local/samba/var/log.%m
# How much information do you want to see in the logs?
# default (1) is only to log critical messages
log level = 2

# Put a capping on the size of the log files (in Kb).
max log size = 50

# MUST be security = user for PDC
security = user

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default (20) suits a member server; a PDC should use a
# high value so it wins against every Windows client and NT server
os level = 90

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes

# null passwords allows clients to log on to accounts whose password is
# empty. The default is no, and nothing in this set-up needs it, so leave
# it off (older HOWTOs turn it on without explanation).
null passwords = no

# You MUST use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
encrypt passwords = yes

passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u

# When using encrypted passwords, Samba can synchronize the local
# UNIX password as well.  You will also need the "passwd chat" parameters
unix password sync = yes

# how should smbd talk to the local system when changing a UNIX
# password?  See smb.conf(5) for details
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*

# Enable this if you want Samba act as a domain controller.
domain logons = yes

# Where to store roaming profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is the session username
# This refers to the [profiles] share below
# The permissions on the profiles directory should be 
# chmod 1757 /usr/local/samba/profiles
# drwxr-xrwt    5 root     root         4096 May  1 08:43 profiles
# (world-writable with the sticky bit: every user can create their own
# profile directory but cannot remove or rename anyone else's; the create
# and directory masks on the share keep the contents private)
logon path = \\%L\profiles\%U

# UNC path specifying the network location of the user's home directory
# only used when acting as a DC for WinNT/2k/XP.  Ignored by Win9x clients
logon home = \\%L\%U

# What drive should the "logon home" be mounted at upon login ?
# only used when acting as a DC for WinNT/2k/XP.  Ignored by Win9x clients
logon drive = Z:

Share Definitions

[homes]
     comment = Home Directories
     browseable = no
     writable = yes
     valid users = %S

[netlogon]
;    comment = Network Logon Service
     path = /usr/local/samba/lib/netlogon
     read only = yes
     write list = ntadmin
     locking = no
     guest ok = yes
;    writable = no
;    share modes = no


# Provide a specific roving profile share
# the default is to use the user's home directory
# The permissions on the profiles directory should be 
# chmod 1757 /usr/local/samba/profiles
# drwxr-xrwt    5 root     root         4096 May  1 08:43 profiles
[profiles]
     path = /usr/local/samba/profiles
     read only = no
     create mask = 0600
     directory mask = 0700
     writable = yes
;    browseable = no
;    guest ok = yes
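The global and share settings above are easy to get subtly wrong, and the consequences (null passwords accepted, the LDAP admin password sent in clear, a guest-writable share) are silent. The script below is an added example, not part of the original HOWTO: it parses an smb.conf with plain sh and awk, checks the settings this page relies on (security = user, encrypt passwords, domain logons, null passwords, ldap ssl), flags any share that is both writable and guest-accessible, and checks that the file holding the LDAP bind password grants nothing to group or others. The parameter names are Samba's; the parser, the checks and the sample smb.conf and secrets.tdb it writes to a temporary directory are my own, constructed for the demonstration. On a real server you would point the functions at /usr/local/samba/lib/smb.conf and /usr/local/samba/private/secrets.tdb.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: audit an smb.conf for the PDC
# settings the page depends on, and check the mode of secrets.tdb.
# Only POSIX sh, awk, ls and cut are used.

# smb_get FILE SECTION PARAM : print the parameter's value (the last definition
# wins, as in Samba); prints nothing if it is unset.  # and ; start comments.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); sec = tolower(s); next }
        index($0, "=") > 0 {
            i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == tolower(want_sec) && tolower(key) == tolower(want_key)) { found = 1; value = val }
        }
        END { if (found) print value }' "$1"
}

# smb_sections FILE : print every [section] name, lowercased, one per line.
smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); print tolower(s) }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

FAILS=0
report() {   # report OK|FAIL MESSAGE ; counts the failures
    printf '%-4s %s\n' "$1" "$2"
    if [ "$1" = FAIL ]; then FAILS=$((FAILS + 1)); fi
}

# require_param FILE SECTION PARAM WANT WHY : FAIL unless the value equals WANT (case-insensitive)
require_param() {
    v=$(lower "$(smb_get "$1" "$2" "$3")")
    if [ "$v" = "$4" ]; then report OK "[$2] $3 = $v"
    else report FAIL "[$2] $3 = '${v:-unset}' (want $4): $5"; fi
}

# audit_smb_conf FILE : run every check, return the number of failures
audit_smb_conf() {
    f=$1; FAILS=0
    require_param "$f" global "security"          user "a PDC must authenticate users itself"
    require_param "$f" global "encrypt passwords" yes  "domain logons need NT/LM hashes"
    require_param "$f" global "domain logons"     yes  "otherwise smbd will not act as a DC"
    require_param "$f" global "null passwords"    no   "would let clients on to accounts with an empty password"
    case $(lower "$(smb_get "$f" global "ldap ssl")") in
        "start tls"|start_tls|on) report OK "[global] ldap ssl protects the admin bind" ;;
        *) report FAIL "[global] ldap ssl is off: the ldap admin dn password crosses the wire in clear" ;;
    esac
    # A share that is writable and also accepts guests lets anyone on the network drop files.
    for s in $(smb_sections "$f"); do
        case $s in global) continue ;; esac
        w=$(lower "$(smb_get "$f" "$s" writable)"); ro=$(lower "$(smb_get "$f" "$s" "read only")")
        g=$(lower "$(smb_get "$f" "$s" "guest ok")")
        if [ "$g" = yes ] && { [ "$w" = yes ] || [ "$ro" = no ]; }; then
            report FAIL "[$s] is guest-writable"
        else
            report OK "[$s] is not guest-writable"
        fi
    done
    return $FAILS
}

# secrets_private FILE : 0 when the file grants nothing to group or others.
# secrets.tdb holds the ldap admin dn password (smbpasswd -w) unencrypted,
# so on a real server it must also be owned by root (not checked here).
secrets_private() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_conf DIR : constructed smb.conf and secrets.tdb for the demonstration
write_sample_conf() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = workgroupname
   security = user
   encrypt passwords = yes
   domain logons = yes
   null passwords = Yes
   ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com
   ldap ssl = off
[netlogon]
   path = /usr/local/samba/lib/netlogon
   read only = yes
   guest ok = yes
[profiles]
   path = /usr/local/samba/profiles
   read only = no
;  guest ok = yes
EOF
    : > "$1/secrets.tdb"; chmod 644 "$1/secrets.tdb"   # deliberately too open
}

demo() {
    d=$(mktemp -d)
    write_sample_conf "$d"
    audit_smb_conf "$d/smb.conf" || true
    if secrets_private "$d/secrets.tdb"; then report OK "secrets.tdb is private"
    else report FAIL "secrets.tdb is readable by group or others"; fi
    rm -rf "$d"
}
demo
```

Against the constructed sample the audit reports two configuration failures (null passwords = Yes and ldap ssl = off) plus the over-permissive secrets.tdb; the two shares pass because [netlogon] is read-only and the guest line in [profiles] is commented out. Section names containing spaces are not handled by the for loop, which is fine for the shares in this HOWTO.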

Install Samba-LDAP tools

IDEALX (http://www.idealx.org/index.en.html) provide some very useful perl scripts that can be configured to suit your set up. The current file smbldap-tools-0.7.tgz can be downloaded from http://www.idealx.org/prj/samba/index.en.html

Unpack them and copy the scripts and their Perl modules to /usr/local/sbin, the directory the add user script and passwd program lines in smb.conf point at. Before using them, set the LDAP details in the configuration module shipped with the scripts (smbldap_conf.pm in this release): suffix, server, and the DN and password used to bind. That module holds the bind password in clear, so keep it owned by root and unreadable by anyone else.

I had difficulty with one of the functions in this suite, add_samba_machine_mkntpwd, which creates the machine trust account for a Windows client joining the domain. It throws an error unless you make a change. The simplest fix is to edit smbldap_tools.pm, go to add_samba_machine_mkntpwd, and add to the LDIF held in $tmpldif, alongside the attributes it already supplies, objectClass: person and sn: Computer. (The person object class makes sn mandatory, which is why the add fails without it; the value of sn can be anything you want.)
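To make the fix concrete, here is an added example (my own, not code from the IDEALX scripts or from this page) that emits the LDIF for a machine trust account in the shape Samba 2.2's ldapsam expects, with the objectClass: person and sn attributes included, and a small check that rejects an entry declaring person without cn and sn, which is the error described above. It also covers the "add user script" line in [global], since that is what calls the IDEALX script when a workstation joins. Assumptions, labelled in the code: machine accounts live under ou=Computers below the suffix (IDEALX's default container), the gidNumber passed in is the domain computers group, and the RID follows Samba 2.2's algorithmic mapping rid = uidNumber*2 + 1000. The host name and ids in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the IDEALX scripts: build the LDIF for a Samba 2.2
# machine trust account, including the person/sn attributes the HOWTO says
# add_samba_machine_mkntpwd was missing, and check an LDIF entry for them.
# Assumptions: ou=Computers as the container, gidNumber = domain computers
# group, rid = uidNumber*2 + 1000 (Samba 2.2 algorithmic RID mapping).

# machine_rid UIDNUMBER : Samba 2.2 derives a user RID from the uid algorithmically.
machine_rid() { echo $(( $1 * 2 + 1000 )); }

# machine_account_ldif NAME UIDNUMBER GIDNUMBER SUFFIX : print the LDIF entry.
# NAME is the NetBIOS name with or without a trailing '$'; the account uid is NAME$.
machine_account_ldif() {
    name=${1%\$}   # drop a trailing '$' if the caller already appended it
    case $name in
        ""|*[!A-Za-z0-9-]*) echo "machine_account_ldif: bad NetBIOS name '$1'" >&2; return 1 ;;
    esac
    uidn=$2; gidn=$3; suffix=$4
    printf 'dn: uid=%s$,ou=Computers,%s\n' "$name" "$suffix"   # ou=Computers is an assumption
    printf 'objectClass: top\n'
    printf 'objectClass: person\n'          # person: cn and sn become mandatory
    printf 'objectClass: posixAccount\n'    # posixAccount: cn, uid, uidNumber, gidNumber, homeDirectory
    printf 'objectClass: sambaAccount\n'    # Samba 2.2 schema: uid and rid are mandatory
    printf 'cn: %s$\n' "$name"
    printf 'sn: Computer\n'                 # any value satisfies person's MUST sn
    printf 'uid: %s$\n' "$name"
    printf 'uidNumber: %s\n' "$uidn"
    printf 'gidNumber: %s\n' "$gidn"
    printf 'homeDirectory: /dev/null\n'
    printf 'loginShell: /bin/false\n'
    printf 'description: Computer\n'
    printf 'acctFlags: [W          ]\n'     # W = workstation trust account
    printf 'rid: %s\n' "$(machine_rid "$uidn")"
}

# ldif_person_complete < LDIF : exit 0 when every entry that declares
# objectClass: person also carries cn and sn, 1 otherwise.  Running the
# generated LDIF through this catches the missing-attribute error up front.
ldif_person_complete() {
    awk '
        function check_entry() { if (dn != "" && person && !(sn && cn)) bad++ }
        /^dn:/                            { check_entry(); dn = $0; person = 0; sn = 0; cn = 0 }
        /^[oO]bject[cC]lass: *person *$/  { person = 1 }
        /^sn:/                            { sn = 1 }
        /^cn:/                            { cn = 1 }
        END                               { check_entry(); exit (bad ? 1 : 0) }'
}

# Stand-alone demonstration with a constructed host name, ids and suffix.
machine_account_ldif pc01 1500 515 "dc=your,dc=site,dc=com"
machine_account_ldif pc01 1500 515 "dc=your,dc=site,dc=com" | ldif_person_complete \
    && echo "# entry satisfies person's mandatory attributes"
```

Feed the output to ldapadd bound as the ldap admin dn (or compare it with the LDIF your patched add_samba_machine_mkntpwd produces); an entry that declares person but lacks sn is exactly what the unpatched script sent, and ldif_person_complete returns 1 for it.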


Author: Lance Rathbone
Last modified: Wednesday June 18, 2008
