This documentation regards Samba 2 and Samba 3 running in samba2-compatibility mode. We used to configure Samba like this; nowadays this part of the documentation is obsolete and unmaintained!
Install the software
apt-get install samba samba-doc
/etc/samba/smb.conf
[global]
    ldap suffix = dc=intra,dc=example,dc=com
    ldap admin dn = cn=admin,dc=intra,dc=example,dc=com
    ldap ssl = start_tls
    ldap passwd sync = yes
    ldap delete dn = no
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    workgroup = hannibal
    server string = %h server (Samba %v)
    netbios name = fileserver
    wins support = yes
    dns proxy = yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    passdb backend = ldapsam:ldap://ldap.intra.example.com
    obey pam restrictions = no
    guest account = nobody
    invalid users = root
    unix password sync = yes
    passwd program = "/opt/ldapmin/sambaldapscripts/smbldap-passwd.pl -o %u"
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    add machine script = "/opt/ldapmin/sambaldapscripts/smbldap-useradd.pl -w -d /dev/null -s /bin/false %u ; sleep 5"
    load printers = yes
    printcap name = /etc/printcap
    socket options = TCP_NODELAY
    local master = yes
    os level = 255
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path =

[netlogon]
    comment = Network Logon Service
    path = /home/system/netlogon
    guest ok = yes
    writable = no
    share modes = no

[print$]
    comment = Network Printer Drivers
    path = /home/system/printers
    write list = @"Domain Admins"
    force group = "Domain Users"
    create mode = 660
    directory mode = 770
    browsable = yes
    read only = yes
    guest ok = yes

[homes]
    comment = Home Directories
    browseable = yes
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775
Specify the password to be used with the ldap admin dn. Note that the password is stored in /var/lib/samba/secrets.tdb and is keyed by the admin's DN. This means that if the value of ldap admin dn ever changes, the stored password has to be updated manually as well.
smbpasswd -w rootdnpasswordhere
Restart the Samba server
/etc/init.d/samba restart
We use these tools in order to manage users and groups in LDAP. The samba-doc package (which we already installed) provides the smbldap-tools.
The directory from where we want to run the scripts
mkdir -p /opt/ldapmin/sambaldapscripts
cd /opt/ldapmin/sambaldapscripts
cp -a /usr/share/doc/samba-doc/examples/LDAP/smbldap-tools/* .
gunzip *.gz
These Perl modules must be on the Perl module include path.
ln -s /opt/ldapmin/sambaldapscripts/smbldap_conf.pm /usr/share/perl5/smbldap_conf.pm
ln -s /opt/ldapmin/sambaldapscripts/smbldap_tools.pm /usr/share/perl5/smbldap_tools.pm
Build mkntpwd from the sources within the smbldap-tools (we do this on our development machine).
cd mkntpwd
gunzip *.gz
make
cp mkntpwd /opt/ldapmin/sambaldapscripts
The smbldap-tools have no execute permission by default, and we want to be able to add users via Samba. Note that smbldap_conf.pm contains the ldap admin dn password, so restrict it to the Domain Admins group:
chmod 750 smbldap_conf.pm *.pl
chgrp 512 smbldap_conf.pm *.pl   # (512 = 0x200 = Domain Admins)
Modify /opt/ldapmin/sambaldapscripts/smbldap_conf.pm to your environment
(parts of) /opt/ldapmin/sambaldapscripts/smbldap_conf.pm
....
$UID_START = 1000;
$GID_START = 1000;

# Put your own SID
# to obtain this number do: "net getlocalsid"
$SID='S-1-5-21-3097403303-883171153-4164530297';

$slaveLDAP = "ldap.intra.example.com";
$slavePort = "389";
$masterLDAP = "ldap.intra.example.com";
$masterPort = "389";
$ldapSSL = "1";
$suffix = "dc=intra,dc=example,dc=com";
$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";
$computersou = q(Computers);
$computersdn = "ou=$computersou,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";
$scope = "sub";
$hash_encrypt="SMD5";
$binddn = "cn=admin,$suffix";
$bindpasswd = "rootdnpassword";
....
$_userLoginShell = q(/bin/false);
$_userHomePrefix = q(/home);
$_userGecos = q(Hannibal User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
....
$_userSmbHome = q(\\\\fileserver\\homes);
$_userProfile = q(\\\\fileserver\\profiles\\);
$_userHomeDrive = q(P:);
....
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/opt/ldapmin/sambaldapscripts/mkntpwd";
....
Don't forget to put your machine's SID in smbldap_conf.pm!!! The samba package needs to be installed for this to work properly, as the samba package provides the 'net' command.
Put the result of these commands in $SID
net rpc info
net getlocalsid
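Two of the steps above are easy to get wrong: the SID in smbldap_conf.pm must be the one Samba itself reports, and the file holds the ldap admin dn password and must not be readable by everyone. The shell script below, an added example that is not part of the original howto, checks both; the sample smbldap_conf.pm lines, the net getlocalsid output and the CONF variable are constructed here, so point CONF at the real file and pipe in real net output to use it.

```shell
# Added example, not from the original howto: sanity checks for the SID and
# the permissions of smbldap_conf.pm. All file contents below are constructed
# for the demonstration; set CONF to the real smbldap_conf.pm to check it.
CONF="${CONF:-$(mktemp)}"
cat > "$CONF" <<'EOF'
# constructed stand-in for the relevant smbldap_conf.pm lines
$SID='S-1-5-21-3097403303-883171153-4164530297';
$binddn = "cn=admin,$suffix";
$bindpasswd = "rootdnpassword";
EOF
chmod 750 "$CONF"

# The SID the smbldap-tools stamp into every sambaSID they create.
conf_sid() {
    sed -n "s/^[$]SID='\([^']*\)';.*/\1/p" "$1"
}

# The SID Samba uses, parsed from "net getlocalsid" output on stdin:
#   SID for domain FILESERVER is: S-1-5-21-...
local_sid() {
    sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)[[:space:]]*$/\1/p'
}

# Both must be non-empty and identical; otherwise the accounts the scripts
# create carry SIDs that do not belong to this domain.
sid_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# smbldap_conf.pm carries the LDAP admin password, so "others" must have no
# permission bits at all (the howto uses 750 with group Domain Admins).
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed stand-in for real "net getlocalsid" output.
NET_OUT='SID for domain FILESERVER is: S-1-5-21-3097403303-883171153-4164530297'

check_smbldap_conf() {
    sid_matches "$(conf_sid "$CONF")" "$(printf '%s\n' "$NET_OUT" | local_sid)" &&
        not_world_readable "$CONF"
}

check_smbldap_conf && echo "smbldap_conf.pm: SID and permissions OK"
```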
Install the Perl LDAP and Perl SSL modules so that the smbldap-tools can connect.
apt-get install libnet-ldap-perl libnet-ssleay-perl libio-socket-ssl-perl
Populate the LDAP database
cd /opt/ldapmin/sambaldapscripts
./smbldap-populate.pl
Use this account in order to add machine accounts to your domain
./smbldap-useradd.pl -d /dev/null -s /bin/false admsamba
./smbldap-usermod.pl -g 0 -u 0 admsamba
./smbldap-passwd.pl admsamba
Accounts for your users can be added like this
./smbldap-useradd.pl -a -d /home/firstuser -m -s /bin/bash firstuser
./smbldap-passwd.pl firstuser
Note: if you use the -P option of the smbldap-tools in order to automatically end up at smbldap-passwd when adding or modifying a user, you have to change the default path to smbldap-passwd. At this moment the authors of the smbldap-tools have hard-coded the path as /usr/local/sbin.