In the second part of setting up a Samba PDC using LDAP we'll update the LDAP schema to allow for Samba objects, then we'll install and configure Samba. After that's all done we'll have a working Samba domain controller.

Updating the LDAP schema

In order for LDAP to function with Samba we have to include a schema in the configuration so it knows how the objects are defined. For this we're going to get samba, samba-common-bin, and smbldap-tools installed and out of the way.

sudo apt-get install samba samba-common-bin smbldap-tools

After that's done we need to copy the Samba schema from the examples folder into the LDAP configuration folder.

sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gunzip /etc/ldap/schema/samba.schema.gz

With that in place we now need to create a file that we'll use to generate the config file that slapd needs. Put the following into a file named samba.conf; the location isn't important.

include          /etc/ldap/schema/core.schema
include          /etc/ldap/schema/cosine.schema
include          /etc/ldap/schema/nis.schema
include          /etc/ldap/schema/inetorgperson.schema
include          /etc/ldap/schema/samba.schema

With that file in place, run the following commands. slaptest generates the LDIF form of the schema, which we then copy into the slapd configuration directory before restarting slapd.

mkdir /tmp/slapd.d
slaptest -f samba.conf -F /tmp/slapd.d/
cd /tmp/slapd.d/cn\=config/cn\=schema/
sudo cp cn\=\{4\}samba.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
sudo chown openldap:openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}samba.ldif
sudo service slapd restart

As long as you didn't encounter any errors along the way LDAP should now be configured for handling Samba objects.

Samba Installation and Configuration

Technically at this point we've got Samba installed but we still need to get it configured for LDAP. Thankfully smbldap-tools provides files to make this process relatively simple. In the following commands we're going to move the default Samba configuration and copy over a template for setting up a PDC with LDAP.

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf

Now with a text editor we need to open /etc/samba/smb.conf and make some changes. Only the following settings in this file need to be modified.

workgroup = DUCKY-PONDLAN
passdb backend = ldapsam:"ldap://localhost/"
ldap ssl = off
ldap admin dn = cn=admin,dc=ducky-pond,dc=lan
ldap suffix = dc=ducky-pond,dc=lan

Once that's done we need to restart Samba, then run smbpasswd with the -W switch; this is where you give Samba the password for your LDAP admin user so that it can bind to the LDAP server. After it has the password we restart Samba one more time. At this point Samba connects to LDAP and creates an object representing your domain.

sudo service samba restart
sudo smbpasswd -W
sudo service samba restart

If I then log in to LAM and look at the Samba domains I should see the entry for my domain, as below.

Samba domain

We're almost there; all that's left is to populate LDAP with the standard groups and a couple of users. First we need to copy a couple of template configuration files into place.

sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
sudo gunzip /etc/smbldap-tools/smbldap.conf.gz

Now let's open /etc/smbldap-tools/smbldap_bind.conf in a text editor and modify the following values. Here slavePw and masterPw are whatever you previously set your LDAP admin password to.


Next we need to open /etc/smbldap-tools/smbldap.conf and modify the following values. For the SID you need to run the command sudo net getlocalsid prior to this and copy that value into that field.


With those changes everything should be set, so let's run the command that populates the Samba objects. During the process it will ask you to provide a password for the domain root user. This is the default domain administrator account, so I'd suggest giving it a strong password; it's generally the account you'll use when joining a computer to the domain.

sudo smbldap-populate

You should see the following error appear during this process; it's nothing to worry about. Just continue typing the password and it will proceed without any issues.

smbldap-populate error

After that's done everything should be set, and you should have a functioning Samba PDC backed by LDAP. If we log back into LAM you should see the root and nobody users as well as the standard domain groups.
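A consistency check added here (not part of the original post): the domain SID lives in three places on this setup, secrets.tdb (what sudo net getlocalsid prints), the sambaDomain object Samba created in LDAP, and the SID= line you copied into smbldap.conf, and smbldap-populate and smbldap-useradd fail in confusing ways when they disagree. The script assumes the post's DUCKY-PONDLAN domain and dc=ducky-pond,dc=lan suffix and that anonymous reads of the directory are allowed; the S-1-5-21 values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that secrets.tdb, the
# sambaDomain object in LDAP and smbldap.conf all hold the same domain SID.
# Assumes domain DUCKY-PONDLAN / suffix dc=ducky-pond,dc=lan as in the post.

# Parse "SID for domain DUCKY-PONDLAN is: S-1-5-21-..." (net getlocalsid output)
sid_from_getlocalsid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\).*$/\1/p'
}

# Parse the sambaSID attribute from ldapsearch -LLL (LDIF) output
sid_from_ldif() {
    sed -n 's/^sambaSID: *\(S-1-5-21-[0-9-]*\).*$/\1/p' | head -n 1
}

# Parse the active (uncommented) SID="..." line of an smbldap.conf file
sid_from_smbldap_conf() {
    sed -n 's/^SID="\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Succeed only when all three values are non-empty and identical
sids_agree() {
    [ -n "$1" ] && [ "$1" = "$2" ] && [ "$2" = "$3" ]
}

# Live check, run as root on the PDC; skipped where the tools are not installed
if command -v net >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
    local_sid=$(net getlocalsid | sid_from_getlocalsid)
    # -x is an anonymous bind; add -D/-W if your ACLs do not allow anonymous reads
    ldap_sid=$(ldapsearch -x -LLL -b dc=ducky-pond,dc=lan \
        '(sambaDomainName=DUCKY-PONDLAN)' sambaSID | sid_from_ldif)
    conf_sid=$(sid_from_smbldap_conf /etc/smbldap-tools/smbldap.conf)
    if sids_agree "$local_sid" "$ldap_sid" "$conf_sid"; then
        echo "OK: all three SIDs are $local_sid"
    else
        echo "MISMATCH: secrets.tdb=$local_sid ldap=$ldap_sid smbldap.conf=$conf_sid" >&2
    fi
fi
```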

Domain users

Domain groups

At this point the tutorial is technically done and you can now join machines to the domain and authenticate users against it using the DUCKY-PONDLAN\ prefix, like DUCKY-PONDLAN\user. However, in the next section I'll briefly describe how to create a basic user and set up a file share.

Creating a user and sharing a folder

To create a user on our PDC we need to log in to LAM and on the Users tab click New User. First fill out the information on the Personal tab, then proceed to the Unix tab. There isn't much you really need to configure here, but let's go ahead and set the Primary Group to Domain Users. After that click the Samba 3 tab and hit Add Samba 3 extension. Everything should be set here by default; the Windows Group should be Domain Users. Finally, click Set Password and enter a password for the account. Once that's done hit the Save button and the user will be created.

Now in the /home/pi directory let's create a directory that the user will be able to access and a test file.

sudo mkdir /home/pi/share
sudo chown user:"Domain Users" /home/pi/share
sudo sh -c 'echo "Hello World" > /home/pi/share/hello.txt'

Then let's open /etc/samba/smb.conf and add the following lines to the end. This will set up the share.

[share]
        path = /home/pi/share
        browseable = yes
        valid users = user

Lastly, restart Samba with sudo service samba restart. After that you should be able to navigate to \\PDC-SRV\share, enter DUCKY-PONDLAN\user with the password, and see the hello.txt file we created.

That's the basics of sharing a folder with a user. If you want to share with a group instead of a user, then in valid users just prefix the name of the group you want with an @.
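An added example, not code from the original post: it reads the valid users line of the [share] section out of smb.conf, splits it into user and @group entries (a quoted group name with a space, such as Domain Users, is kept whole), and on the PDC checks each entry with getent, since a misspelled or unquoted name in valid users simply denies everyone access. The share name "share" and /etc/samba/smb.conf are the post's; the smb.conf used in the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: parse and check "valid users".

# Print the "valid users" value of share $2 in smb.conf $1 (empty if unset)
valid_users_of_share() {
    awk -v want="[$2]" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == want { inside = 1; next }
        line ~ /^\[/ { inside = 0 }
        inside && line ~ /^valid users[ \t]*=/ {
            sub(/^valid users[ \t]*=[ \t]*/, "", line); print line; exit
        }' "$1"
}

# Tokenise a Samba list (comma/space separated, "..." quoting) into one line
# per entry: "group NAME" for @-prefixed entries, "user NAME" otherwise
classify_valid_users() {
    awk '{
        s = $0 ","; tok = ""; q = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\"") { q = !q; continue }
            if (!q && (c == "," || c == " " || c == "\t")) {
                if (tok != "") {
                    if (substr(tok, 1, 1) == "@") { print "group " substr(tok, 2) }
                    else { print "user " tok }
                }
                tok = ""
            } else { tok = tok c }
        }
    }'
}

# Live check on the PDC: every listed principal must resolve on the system
if [ -r /etc/samba/smb.conf ] && command -v getent >/dev/null 2>&1; then
    valid_users_of_share /etc/samba/smb.conf share | classify_valid_users |
    while read -r kind name; do
        if [ "$kind" = group ]; then db=group; else db=passwd; fi
        getent "$db" "$name" >/dev/null && echo "OK: $kind $name" \
            || echo "MISSING: $kind '$name' not found with getent $db" >&2
    done
fi
```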
