Friday, August 19, 2011

samba+ldap setup

After working for around 2 years on a samba+ldap setup, I can say it is stable and most useful where we need a Linux-based authentication server to authenticate Windows users. User, computer and group accounts are stored in LDAP (OpenLDAP) format in a samba+ldap setup, the same as in Windows Active Directory. My ideal setup, which has been functioning properly for the last 2 years without any issues, is as follows.

The content of my smb.conf file is as follows

workgroup = test
server string = test1
netbios name = test1

ldap passwd sync = yes
security = user
passdb backend = ldapsam:ldap://
ldap suffix = dc=test,dc=com

ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = "uid=root,ou=People,dc=test,dc=com"

domain master = yes
domain logons = yes

logon path =
add user script = /usr/sbin/smbldap-useradd "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"

local master = yes
os level = 254
preferred master = yes
wins support = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no


My ldap server configuration is as follows

(content of slapd.conf file)


include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/inetorgperson.schema

allow bind_v2

pidfile /var/run/openldap/
argsfile /var/run/openldap/slapd.args

access to *
    by self write
    by users read
    by anonymous read

database bdb
suffix "dc=test,dc=com"
rootpw {SSHA}oifg.ytugjhkk
directory /var/lib/ldap/
index uidNumber,gidNumber


Note: Ensure that the samba.schema file is present in the /etc/openldap/schema directory. If it is not present, search for the samba.schema file on the system and copy it into /etc/openldap/schema.
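An added example, not part of the original post: a small Python check of what the "access to *" rule in the slapd.conf above grants on the password attributes (userPassword, sambaNTPassword, sambaLMPassword), since "by users read" and "by anonymous read" apply to those attributes as well. The hardened rule it is compared against is an assumption that reuses the post's ldap admin dn, and the parser only understands "to *" and "to attrs=..." rules.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SECRETS = ["userPassword", "sambaNTPassword", "sambaLMPassword"]

# Constructed sample: the access rule from the slapd.conf above.
PAGE_ACL = """access to *
    by self write
    by users read
    by anonymous read
"""
# Constructed sample (assumption, not the author's config): secrets get their own rule first.
HARDENED_ACL = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by dn="uid=root,ou=People,dc=test,dc=com" write
    by anonymous auth
    by * none
""" + PAGE_ACL

def parse_acls(conf):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    folded = re.sub(r"\n[ \t]+", " ", conf)  # continuation lines start with whitespace
    rules = re.findall(r"^access\s+to\s+(\S+)(.*)$", folded, re.M)
    return [(what, re.findall(r"by\s+(\S+)\s+(\w+)", by)) for what, by in rules]

def covers(what, attr):
    """True if an ACL <what> of the form * or attrs=a,b,c applies to attr."""
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    return what == "*"

def effective_access(conf, attr, who):
    """Level `who` ('anonymous' or 'users') gets on attr in someone else's entry."""
    acls = parse_acls(conf)
    if not acls:
        return "read"  # slapd default with no access directives
    for what, by in acls:
        if covers(what, attr):  # first matching <what> decides
            # first matching <who> decides; no match means implicit "by * none"
            return next((lvl for subj, lvl in by if subj in ("*", who)), "none")
    return "none"

def exposed(conf):
    """(attr, who) pairs where a password attribute is readable or better."""
    return [(a, w) for a in SECRETS for w in ("anonymous", "users")
            if LEVELS.index(effective_access(conf, a, w)) >= LEVELS.index("read")]

if __name__ == "__main__":
    print({"page": exposed(PAGE_ACL), "hardened": exposed(HARDENED_ACL)})
```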

Download and install the smbldap tool from the following link.