
Samba with OpenLDAP Authentication Ubuntu 12.04 LTS
This guide assumes Ubuntu 12.04 LTS Server is already installed; it should work with other versions with minor changes, if any. There is no guarantee it will work for your setup; it worked for me, so I am sharing it.

I am also assuming that OpenLDAP is already installed and configured correctly; see this guide if you need to install and configure LDAP first.
My domain/tree is dc=testlab,dc=dev, the administrator account is cn=admin,dc=testlab,dc=dev and the administrator password is test; change these to match your setup.

Let's start by installing the following packages
sudo apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools -y
Copy the gzipped LDIF file containing the Samba schema; it ships in two places, and both are essentially the same file
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.ldif.gz ~
Or
sudo cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz ~
Unzip the Samba schema LDIF
sudo gzip -d ~/samba.ldif.gz
Now add the schema to the LDAP configuration database
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ~/samba.ldif
There should not be any errors; if there are, check your configuration again.
Let's verify that the new schema is present
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
The samba schema entry should be listed; mine was, and so should yours.
Add some Samba indices
nano smb_indices.ldif
and paste the following. Your list may vary, since I already had some of these indices and an index cannot be added twice.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Add the above indices
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smb_indices.ldif
Verify the new indices
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex
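As an added example (not part of the original guide), a small shell helper that builds smb_indices.ldif from the ldapsearch output above, so that only indices not yet present are added and ldapmodify is never handed a duplicate value; the function name and the sample inputs are constructed here, not taken from the page.

```shell
# Added example, not from the original guide. ldapmodify rejects an olcDbIndex
# value that already exists and then aborts the whole modify, which is why the
# same index cannot be added twice. This helper takes the ldapsearch output
# above plus the list of indices we want and prints an LDIF with only the
# missing ones. Function names and the sample data are assumptions.

# missing_index_ldif DB_DN EXISTING_LDIF WANTED_LIST
#   EXISTING_LDIF: text as returned by ldapsearch ("olcDbIndex: attr types" lines)
#   WANTED_LIST:   one "attr types" pair per line
# An attribute that is already indexed is skipped even if its index types differ:
# changing the types of an existing index needs "replace:", not "add:".
missing_index_ldif() {
  db_dn=$1
  # Attribute names already indexed; "cn,uid eq,pres,sub" indexes both cn and uid.
  have=$(printf '%s\n' "$2" | awk -F': ' '$1 == "olcDbIndex" {
      split($2, parts, " "); n = split(parts[1], names, ",")
      for (i = 1; i <= n; i++) print names[i] }')
  missing=$(printf '%s\n' "$3" | while IFS= read -r line; do
      [ -n "$line" ] || continue
      attr=${line%% *}
      printf '%s\n' "$have" | grep -qxF -- "$attr" || printf 'olcDbIndex: %s\n' "$line"
    done)
  # Nothing to add: print nothing and fail, so an empty modify never reaches ldapmodify.
  [ -n "$missing" ] || return 1
  printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n%s\n' "$db_dn" "$missing"
}

# Constructed sample of what the olcDbIndex ldapsearch returned on this host.
EXISTING='dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq,pres,sub
olcDbIndex: uidNumber eq
olcDbIndex: sambaSID eq'

# The indices the guide adds, as "attr types" pairs.
WANTED='uidNumber eq
gidNumber eq
loginShell eq
memberUid eq,pres,sub
uniqueMember eq,pres
sambaSID eq
sambaPrimaryGroupSID eq
sambaGroupType eq
sambaSIDList eq
sambaDomainName eq'

# Redirect this into smb_indices.ldif and feed it to ldapmodify as in the guide.
missing_index_ldif 'olcDatabase={1}hdb,cn=config' "$EXISTING" "$WANTED"
```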
So far so good; let's move on and copy these two files
sudo cp /usr/share/doc/smbldap-tools/examples/{smbldap.conf.gz,smbldap_bind.conf} /etc/smbldap-tools/
Unzip the smbldap.conf file
sudo gzip -d /etc/smbldap-tools/smbldap.conf.gz
Edit the files, let's start with
sudo nano /etc/smbldap-tools/smbldap_bind.conf
and set the administrator distinguished name and password for the master and slave LDAP servers
slaveDN="cn=admin,dc=testlab,dc=dev"
slavePw="test"
masterDN="cn=admin,dc=testlab,dc=dev"
masterPw="test"
Get the Samba SID for your system and save it somewhere; it goes in the smbldap.conf file
sudo net getlocalsid
Now edit the smbldap.conf file
sudo nano /etc/smbldap-tools/smbldap.conf
and make sure of at least the following; your SID will be different
SID="S-1-5-21-2252255531-4061614174-2474224977"
sambaDomain="TESTLAB"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=testlab,dc=dev"
userHome="/profiles/%U"
Restart OpenLDAP, just to be on the safe side
sudo service slapd restart
Configure Samba
sudo nano /etc/samba/smb.conf
The file is fairly big and self-explanatory, so go through it and modify it carefully, or just copy the example file that came with the package and modify it to your needs
sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/
Now back up the original file
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bk
Rename the example Samba configuration file
sudo mv /etc/samba/smb.conf.example /etc/samba/smb.conf
Edit the Samba configuration
sudo nano /etc/samba/smb.conf
and make changes like the following
[global]
        workgroup = TESTLAB
        netbios name = %h server (Samba, Ubuntu)

        deadtime = 10

        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 5000
        debug pid = yes
        debug uid = yes
        syslog = 0
        utmp = yes

        security = user
        domain logons = yes
        os level = 64
        logon path =
        logon home =
        logon drive =
        logon script =

        passdb backend = ldapsam:"ldap://127.0.0.1/"
        ldap ssl = no
        ldap admin dn = cn=admin,dc=testlab,dc=dev
        ldap delete dn = no

        ## Sync UNIX password with Samba password
        ## Method 1:
        ldap password sync = yes
        ## Method 2:
        ;ldap password sync = no
        ;unix password sync = yes
        ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
        ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        ldap suffix = dc=testlab,dc=dev
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap

        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

[NETLOGON]
        path = /netlogon
        browseable = no
        share modes = no

[PROFILES]
        path = /profiles
        browseable = no
        writeable = yes
        create mask = 0611
        directory mask = 0700
        profile acls = yes
        csc policy = disable
        map system = yes
        map hidden = yes
Restart both LDAP and Samba
sudo service slapd restart
sudo service smbd restart
sudo service nmbd restart
Tell Samba the LDAP administrator's password; mine is test, change it to yours
sudo smbpasswd -w test
Now let's populate the LDAP database with the Samba users and groups. Optionally, export the population to an LDIF file first for review; this also shows whether there are any errors, and it only creates the LDIF file without adding anything to the database
sudo smbldap-populate -e samba.ldif
Now populate for real
sudo smbldap-populate -u 30000 -g 30000
You might get one Perl error; if that is the only error, it can be ignored.
You can try the following to suppress that error; it may or may not work for you, but it worked for me
sudo nano /usr/share/perl5/smbldap_tools.pm
and find the following; the line number should be given in the error message, mine was 1423
qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU)
and replace with
(qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU))
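As an added example (not part of the original guide), a shell check that the domain SID is the same in the three places it now lives: the output of net getlocalsid, the SID line in smbldap.conf, and the sambaDomain entry that smbldap-populate just created in LDAP. The function names and sample inputs are constructed here; the SID value reused below is the one shown earlier in the guide.

```shell
# Added example, not from the original guide: check that the domain SID agrees
# across the three places it now lives. If smbldap.conf carries a different SID
# from the one Samba reports, every account smbldap-useradd creates gets a
# sambaSID under the wrong domain prefix and Samba will not recognise it.
# Function names and the sample inputs are assumptions (constructed data).

# Each extractor takes the raw text of one source and prints the SID it found.
sid_from_net()     { printf '%s\n' "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1; }
sid_from_smbldap() { printf '%s\n' "$1" | sed -n 's/^SID="\(S-1-5-21-[0-9-]*\)".*/\1/p' | head -n 1; }
sid_from_ldap()    { printf '%s\n' "$1" | sed -n 's/^sambaSID: *\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1; }

# check_sids NET_GETLOCALSID_OUTPUT SMBLDAP_CONF_TEXT SAMBADOMAIN_ENTRY_LDIF
# Prints the three values and succeeds only if all are present and identical.
check_sids() {
  net=$(sid_from_net "$1")
  conf=$(sid_from_smbldap "$2")
  ldap=$(sid_from_ldap "$3")
  printf 'net getlocalsid: %s\nsmbldap.conf:    %s\nLDAP sambaSID:   %s\n' \
    "${net:-MISSING}" "${conf:-MISSING}" "${ldap:-MISSING}"
  [ -n "$net" ] && [ "$net" = "$conf" ] && [ "$net" = "$ldap" ]
}

# Constructed samples standing in for the real outputs. On the server itself:
#   check_sids "$(sudo net getlocalsid)" "$(cat /etc/smbldap-tools/smbldap.conf)" \
#     "$(ldapsearch -x -LLL -D cn=admin,dc=testlab,dc=dev -W -b dc=testlab,dc=dev \
#        '(objectClass=sambaDomain)' sambaSID)"
NET_OUT='SID for domain SERVER is: S-1-5-21-2252255531-4061614174-2474224977'
SMBLDAP_CONF='SID="S-1-5-21-2252255531-4061614174-2474224977"
sambaDomain="TESTLAB"
suffix="dc=testlab,dc=dev"'
DOMAIN_LDIF='dn: sambaDomainName=TESTLAB,dc=testlab,dc=dev
sambaDomainName: TESTLAB
sambaSID: S-1-5-21-2252255531-4061614174-2474224977'

if check_sids "$NET_OUT" "$SMBLDAP_CONF" "$DOMAIN_LDIF"; then
  echo "SIDs consistent"
else
  echo "SID mismatch: fix smbldap.conf and re-check before creating any users"
fi
```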
Let's add the profiles and netlogon directories
sudo mkdir /profiles /netlogon
Now let's create a test user
sudo smbldap-useradd -a -m -N 'Ryaz' -S 'Khan' rkhan
Set a password for Ryaz Khan
sudo smbldap-passwd rkhan
Let's make rkhan a domain administrator as well, so he can join machines to the domain
sudo smbldap-groupmod -m 'rkhan' 'Domain Admins'
Restart all services, or just reboot the system to be on the safe side
sudo reboot
Now go to an XP or Windows 7 machine and try joining it to your newly configured Samba domain!
I was able to join a Windows 7 machine to the domain at this point!

Let's log in to the freshly joined workstation using Ryaz Khan's credentials

Feel free to email me if you have any question(s)
