Wednesday, 27 June 2012

SAMBA with LDAP as domain controller with Windows 7 workstations

1.I assume that CENTOS 5.8 already installed and networking set up properly.

2.Install EPEL
#rpm -ivh

#yum update

4.Install necessary packages
#yum install ntp openldap-servers openldap-clients nss_ldap samba3x smbldap-tools ldapvi

5.Set server name
#vi /etc/hosts localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6 pdc

6.Set network parameters
#vi /etc/sysconfig/networkNETWORKING=yes

7.Disable selinix
In the file /etc/selinux/config change to

8.Generate a new password for LDAP
New password:
Re-enter new password:

9.Edit /etc/openldap/slapd.conf
#vi /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}U/vj8eB57pExVjRCwcRZiv2mQuhBW8hK
password-hash {SSHA}
directory /var/lib/ldap

index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub

Note: Don't forget to change rootpw the file above to your SSHA! (see 8.)

 10.Copy schema file to OpenLdap directory
 #cp /usr/share/doc/samba3x-3.5.4/LDAP/samba.schema /etc/openldap/schema/
11.Copy LDAP database config and change permission
#cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown ldap:ldap /var/lib/ldap/DB_CONFIG
#chmod 600 /var/lib/ldap/DB_CONFIG

12.Start OpenLdap
#service ldap start
#chkconfig ldap on

  13.Configure SAMBA
  #vi /etc/samba/smb.conf
#dos charset by default set to UTF8
workgroup = EXAMPLE
netbios name = PDC
server string = %h
map to guest = Wrong User
passdb backend = ldapsam:ldap://
encrypt passwords = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
# I recommend to change logging to the less detail after tests
 log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=root,dc=example,dc=com
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=Users
create mask = 0640
directory mask = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
comment = Home Directory of '%u'
read only = No
veto files = /.*/
hide files = /.*/
browseable = No

path = /var/lib/samba/netlogon/
browseable = No

path = /home/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable

comment = Network Printers
path = /home/spool/
guest ok = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
browseable = No

path = /home/printers
valid users = "@Print Operators"
write list = "@Print Operators"
create mask = 0664
directory mask = 0775

path = /tmp
read only = No
guest ok = Yes

comment = test share
path = /home/shares/share
admin users = "@Domain Admins"
read only = No
acl group control = Yes
inherit acls = Yes
map acl inherit = Yes
hide unreadable = Yes
dos filemode = Yes

14.Set SAMBA password for LDAP (same as in 8.)
#smbpasswd -w LDAP_PASSWORD
and get answer
Setting stored password for "cn=root,dc=example,dc=com" in secrets.tdb

15.Get a new domain SID
#net getlocalsidSID for domain PDC is:

16.Modify /etc/smbldap-tools/smbldap_bind.conf
#vi /etc/smbldap-tools/smbldap_bind.confmasterDN="cn=root,dc=example,dc=com"

17.Modify /etc/smbldap-tools/smbldap.conf
Note:Change SID to our own as per 15
.#vi /etc/smbldap-tools/smbldap.conf 
userGecos="System User"

18.Populate settings
#smbldap-populate -a Administrator  

You have to get something lake that:
Populating LDAP directory for domain EXAMPLE (S-1-5-21-2522091752-940788393-3997161620)
(using builtin directory structure)

adding new entry: dc=example,dc=com
adding new entry: ou=Users,dc=example,dc=com
adding new entry: ou=Groups,dc=example,dc=com
adding new entry: ou=Computers,dc=example,dc=com
adding new entry: ou=Idmap,dc=example,dc=com
adding new entry: uid=Administrator,ou=Users,dc=example,dc=com
adding new entry: uid=nobody,ou=Users,dc=example,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=example,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=example,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=example,dc=com
adding new entry: sambaDomainName=EXAMPLE,dc=example,dc=com

Please provide a password for the domain Administrator:
Changing UNIX and samba passwords for Administrator
New password:
Retype new password:

19.Change LDAP client configuration
#vi /etc/lapd.conf
base dc=example,dc=com
port 389
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd dc=example,dc=com?sub
nss_base_group ou=Groups,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,quota

20.Modify /etc/nswitch.conf to add LDAP
passwd: files ldap
shadow: files ldap
group: files ldap

21.–°heck the names of users and groups
#getent passwd
#getent group

22.Create the necessary folders and set permissions
#mkdir -p /home/shares /home/profiles /var/lib/samba/netlogon /home/shares/share /home/Administrator
#chown root:"Domain Users" /home/profiles
#chmod 0770 /home/profiles

23.Start samba and set it to autostart after reboot
#service smb start
#service nmb start
#chkconfig smb on
#chkconfig nmb on

24.Add all rights to "Domain Admins" group
#net rpc rights grant 'Domain Admins' SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege -UAdministrator


Successfully granted rights.

25.Set up ntpd to sync workstations' time with domain controller
#vi /etc/ntpd.conf

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpstats
restrict default ignore
restrict mask nomodify notrap nopeer
fudge stratum 3

26.Start ntp service
#service ntpd start
#chkconfig ntpd on

27.Create logon script
#vi /var/lib/samba/netlogon/logon.bat 
@echo off
w32tm /config /update

net use p: /delete
net use p: \\PDC\public
net use s: /delete
net use s: \\PDC\share

28.Restart server

29.You can use microsoft User Manager for Domains for users' accounts control

30.Allow users to control access to their network files and folders using ACLs
    To allow users to control access to files on the server there necessary to mount filesystem, which stored users' files with acl,user_xattr attributes.
#cat /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 acl,user_xattr 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0

31.Windows client installation and configuration
Note: I strongly recommend to set up the new DC as WINS server in the network settings on Windows clients. 

Now you can join Windows XP workstations to domain.

Unfortunately Windows 7  Professional workstations still can not be joined to domain. You have to perform the following:
Using regedit.exe add the following registry settings:

Check the following settings:

Reboot workstation and it can be easily joined to SAMBA domain.


sahil said...

When I try to add domain in Windows Xp, It ask for USERNAME and Password for domain, What is the user name and password in this case ???

Andrey Ivanov said...

Hi, sahil!
You have to enter Domain Administrator credentials which you set in step 18.

sysadmin win said...


getent passwd and getent group not showing the domain users and groups Can you please tell me how to resolve this issue

Andrey said...


Did you check that LDAP is working?
service ldap status
Does it process requests? You have to try to make authoritative ldapsearch request. I wrote the examples somewhere in the my blog.

Almost forgot,

sysadmin win said...

Thank you very much Andrey,

Finally i reconfigured my box with your instructions.Now it is working good.Windows machine can able to join the domain and also user can able to login in to the client machines.

But roaming profiles not working.

For you info I share my config file on below link.

Thank you very much.

Andrey said...

Hi, sysadmin win!

What is wrong with the roaming profiles? By my opinion it is a simplest thing and it's easy to troublesoot...
Did you see it using smbclient command? Check access rights for the Profiles share. Then folders permissions on file system. Ffrom the Windows client try to connect to user's folder and create file or folder.


sysadmin win said...

Hi Andrey,

I resolved the roaming profile issue.Your document is perfect.
The issue is with client side only.I modified the below setting on windows 7 that's it.

Computer Configuration\Administrative Templates\System\User Profiles
Enable the below
Do not check for user Ownership of Roaming Profile Folders

Thank you very much your co-opration.

Likith Jogi said...

Hi Andrey,

i have configured everything according to your webpage. but i am getting the below mentioned error.

/usr/sbin/smbldap-passwd: user Administrator doesn't exist

Please help me, i have centos 6.4 running.


Andrey Ivanov said...


Did yiu check step 18 for errors? Iit seems that in your case smbldap-populate did not performed correctly.

Hope it helps,

Likith Jogi said...

Thanks a lot Andrey,

My server is up running.
But i have small problem, after adding machine to domain. the machine seems to be very slow.

i had followed this below steps, but didn't work.

Computer Configuration\Administrative Templates\System\User Profiles
Enable the below
Do not check for user Ownership of Roaming Profile Folders

could u please give some advice.


Andrey Ivanov said...


If your Windows PC has Windows 7 operating system you can try the following:
Windows 7 slow network performance.

thanga said...

Our LDAP server is working fine, but the problem is the shared folder for roaming profile is full. How to empty to make space.
Note: Still the folder's are there in share drive of who resigned their job from the company.

Roaming Profile will saves in network share drive?

Andrey Ivanov said...

Hi, thanga!
I don't clearly understand your question: are your looking for solution how to limit roaming profile size or something else?

Roaming profiles - special type of the users' profiles which stored somewhere on a file server and "follow" users when they logon to different workstations. You can exclude some directories, for example "My Video" from the profiles or disable roaming profiles at all.

thanga said...

Hi Andrey!

Sorry i was not written the description well in the previews comment, but i had resolved the issue.

I have question that,how to change the phpldap admin (webLogin) password?