How to build a Samba PDC with OpenLDAP

PDC server:

    OS: CentOS5.4


Everything after // is a description, added so you understand why the step is needed.

xxx marks a value you need to change or check against your own server version.

Red text (in the original post) is command output, or content you need to add or modify in a file.

A line containing only '…' means several lines have been skipped.

For any error about Samba or the domain, check the log file /var/log/samba/smbd.log; this is very important.


1.       Package install

You need to install the packages below; all of them can be found on the CentOS ISO or CD.







You need to download and install the packages below.











2.       Modify hostname

#vim /etc/sysconfig/network     //modify HOSTNAME

HOSTNAME=ldapdomain           //you can use any name you like; I used ldapdomain

#vim /etc/hosts                         //if you have a DNS server, add the names there instead; I have no DNS server, so I put them in the hosts file. The IP address at the start of each entry is missing from this page; write each entry as "IP  name"

localhost.localdomain localhost
ldapdomain                            //this PDC
fedora12                              //the Linux client
xp                                    //the Windows client

#service network restart        //restart the network so the change takes effect

Close all terminals, open a new one and check (with the hostname command) that the name shown is the HOSTNAME you set.


3.       Setup Openldap

#cp /usr/share/doc/samba-xxx/LDAP/samba.schema  /etc/openldap/schema    //copy samba.schema into the OpenLDAP schema directory

#slappasswd         //create an SSHA password hash; it asks you to input the password. Here I use "secret123" (change it to whatever you like); it then prints the {SSHA} hash, which you paste into rootpw below


#vim /etc/openldap/slapd.conf    //modify slapd.conf

include                 /etc/openldap/schema/core.schema

include                 /etc/openldap/schema/cosine.schema

include                 /etc/openldap/schema/inetorgperson.schema

include                 /etc/openldap/schema/nis.schema

include                 /etc/openldap/schema/samba.schema                      //add this line

access to attrs=userPassword,sambaLMPassword,sambaNTPassword      //add this access control. The NT and LM hashes are password-equivalent for SMB logins, so only the entry owner may write them, anyone may authenticate (bind) against them, and nobody may read them. slapd uses the first matching clause, so this must stay above "access to *"

                by self write

                by anonymous auth

                by * none

access to *

                by * read

database             bdb                                // the database backend slapd uses

suffix                     "dc=esa,dc=com"                //I use this as the domain base; change it to yours

rootdn                  "cn=Manager,dc=esa,dc=com"    //the rootdn, which bypasses the access rules above; change it if you like

rootpw                 {SSHA}5G5g4xyAfrKrOPzRU7tUiXBHSRttiMhD    //the hash slappasswd printed; "rootpw secret123" in clear text also works, but it is not secure


#vim /etc/openldap/ldap.conf     //modify ldap.conf (defaults for the OpenLDAP command-line tools)

BASE dc=esa,dc=com

URI ldap://

#TLS_CACERTDIR /etc/openldap/cacerts    //TLS is disabled here

#vim /etc/ldap.conf                       //the nss_ldap / pam_ldap client configuration

base dc=esa,dc=com

rootbinddn cn=Manager,dc=esa,dc=com       //root binds as the rootdn, using the password in /etc/ldap.secret

nss_base_passwd                           ou=Users,dc=esa,dc=com?one    //these OUs will be created by smbldap-populate

nss_base_passwd                           ou=Computers,dc=esa,dc=com?one

nss_base_shadow                          ou=Users,dc=esa,dc=com?one

nss_base_group                              ou=Groups,dc=esa,dc=com?one

uri ldap://

ssl no                                    //no TLS, so bind passwords cross the wire in clear; acceptable only while the LDAP server is on this same host

#tls_cacertdir /etc/openldap/cacerts

pam_password md5


#echo secret123 > /etc/ldap.secret              //the rootdn password used by rootbinddn, stored in clear text

#chmod 600 /etc/ldap.secret                    //so only root can read it

#service ldap start

# telnet localhost 389                    //check that slapd is listening on port 389


Connected to localhost.localdomain (

Escape character is '^]'.

^]                                 //press Ctrl + ]

telnet> quit

Connection closed.
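Those two access clauses are the security-critical part of slapd.conf. slapd walks the access clauses in file order and the first clause whose target covers the requested attribute decides, and the NT/LM hashes are password-equivalent for SMB logins (pass-the-hash), so "access to *  by * read" must stay below the password clause. The Python script below is an added example, not part of this page or of OpenLDAP: it models that first-match rule for the exact rules above (PAGE_ACL, copied from this page) and for a constructed mis-ordered copy (MISORDERED_ACL), and reports who can read sambaNTPassword in each case. It only handles the two target forms this page uses (attrs=... and *).

```python
import re

# slapd access levels, weakest to strongest; a grant of one level implies all below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two access clauses from this page's slapd.conf (comments removed).
PAGE_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
database bdb
"""

# Constructed variant for comparison: the same clauses in the wrong order. Not from the page.
MISORDERED_ACL = """
access to *
        by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
database bdb
"""


def parse_acls(conf):
    """Parse 'access to <what> by <who> <level>' clauses into
    [(attrs_or_None, [(who, level), ...]), ...] in file order.
    Only 'attrs=a,b,c' and '*' targets are supported (all this page uses)."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    acls = []
    for clause in re.findall(r"access\s+to\s+.*?(?=\naccess\s+to|\ndatabase\b|\Z)", text, re.S):
        what = re.match(r"access\s+to\s+(\S+)", clause).group(1)
        if what.startswith("attrs="):
            attrs = {a.lower() for a in what[len("attrs="):].split(",")}
        elif what == "*":
            attrs = None
        else:
            raise ValueError("unsupported target: " + what)
        acls.append((attrs, re.findall(r"\bby\s+(\S+)\s+(\S+)", clause)))
    return acls


def _who_matches(by_who, who):
    """`who` is 'anonymous', 'self' (the entry's own owner) or 'users'
    (some other authenticated user)."""
    if by_who == "*":
        return True
    if by_who == "users":
        return who in ("self", "users")
    return by_who == who


def access_level(acls, who, attr):
    """Level `who` gets on `attr` under slapd's default first-match rule: the
    first clause whose target covers the attribute decides; inside it the first
    matching 'by' decides; a clause that covers the attribute but has no
    matching 'by' denies (implicit 'by * none')."""
    for attrs, bys in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for by_who, level in bys:
            if _who_matches(by_who, who):
                return level
        return "none"
    return "none"


def can_read(acls, who, attr):
    return LEVELS.index(access_level(acls, who, attr)) >= LEVELS.index("read")


def hash_exposure(conf):
    """Which of the three identities can read sambaNTPassword under `conf`."""
    acls = parse_acls(conf)
    return {who: can_read(acls, who, "sambaNTPassword") for who in ("anonymous", "self", "users")}


if __name__ == "__main__":
    print("page order  ", hash_exposure(PAGE_ACL))        # only self
    print("mis-ordered ", hash_exposure(MISORDERED_ACL))  # everyone, anonymous included
```

With the page's order only the entry owner can read the hashes and an anonymous client gets just auth, which is enough for a simple bind but not for reading; with the clauses swapped the hashes are readable by anyone who can reach port 389. On the live server the same question can be put to slapd with an anonymous ldapsearch for sambaNTPassword, which should come back without that attribute.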


4.       Setup Samba

#vim /etc/samba/smb.conf

[global]                                                 //delete all other settings in [global]; keep or add only the lines below

                workgroup =            

                server string = ldap and domain server

                netbios name = domainserver

                security = user

                encrypt passwords = Yes

                passdb backend = ldapsam:ldap://

                ldap suffix = dc=esa,dc=com

                ldap machine suffix = ou=Computers

                ldap user suffix = ou=Users

                ldap group suffix = ou=Groups

                ldap admin dn = cn=Manager,dc=esa,dc=com

                add user script = /usr/sbin/smbldap-useradd -m "%u"

                add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"

                add group script = /usr/sbin/smbldap-groupadd -p "%g"

                add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"

                delete user script = /usr/sbin/smbldap-userdel "%u"

                delete group script = /usr/sbin/smbldap-groupdel "%g"

                delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

                idmap uid = 10000-20000

                idmap gid = 10000-20000

                template shell = /bin/false

                ldap passwd sync = yes

                domain master = yes

                domain logons = yes

                preferred master = yes

                ldap ssl = off

                winbind use default domain = yes

                winbind nested groups = no

 [public]                  //a share folder for later use; delete this section if you don't need it. Note that public = yes together with writable = yes lets unauthenticated guests write here

                comment = Public Stuff

                path = /home/samba

                public = yes

                writable = yes

                printable = no

#mkdir /home/samba             //create the share folder (skip this if you removed [public] from smb.conf)

#chmod 777 /home/samba   //make the folder world-writable so every user, guests included, can write into it (skip if you removed [public]); chmod 1777 adds the sticky bit so users cannot delete each other's files

# testparm                //validate smb.conf

Load smb config files from /etc/samba/smb.conf

Processing section "[homes]"

Processing section "[printers]"

Processing section "[public]"

Loaded services file OK.

Server role: ROLE_DOMAIN_PDC                 //this confirms Samba will act as the PDC

Press enter to see a dump of your service definitions       //press Enter

#service smb restart

#smbpasswd -w secret123   //store the ldap admin dn password in secrets.tdb; it must be the same as rootpw in slapd.conf, here secret123

# net getlocalsid                  //make sure you can get the SID

SID for domain DOMAINSERVER is: S-1-5-21-3456266429-2160885202-3924598192

#tdbdump   /etc/samba/secrets.tdb    //dump secrets.tdb to check that the key exists; the LDAP admin password is stored in it in clear text, which is why the file must stay readable by root only
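To check an smb.conf like the one above without starting Samba, the Python script below parses it and flags the things a PDC setup most often gets wrong: the role settings (security, domain logons, domain master, an ldapsam passdb backend), ldap ssl = off against a non-local LDAP server, and shares that unauthenticated guests can write to ([public] above is one: public = yes is a synonym for guest ok = yes, and with writable = yes anyone can drop files there). This is an added example, not code from this page or from Samba; PAGE_SMB_CONF is the [global] and [public] text above with two blanks filled by assumption: workgroup ESA and an LDAP URI of ldap://127.0.0.1.

```python
import re

# [global] and [public] from this page's smb.conf. Two values are blank on the page
# and are assumed here: workgroup ESA and the LDAP URI ldap://127.0.0.1.
PAGE_SMB_CONF = """
[global]
        workgroup = ESA
        server string = ldap and domain server
        netbios name = domainserver
        security = user
        encrypt passwords = Yes
        passdb backend = ldapsam:ldap://127.0.0.1
        ldap suffix = dc=esa,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=Manager,dc=esa,dc=com
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/false
        ldap passwd sync = yes
        domain master = yes
        domain logons = yes
        preferred master = yes
        ldap ssl = off
        winbind use default domain = yes
        winbind nested groups = no
[public]
        comment = Public Stuff
        path = /home/samba
        public = yes
        writable = yes
        printable = no
"""


def parse_smb_conf(text):
    """smb.conf -> {section: {param: value}}. Parameter names are normalised
    the way testparm prints them: lower case with the spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments start the line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def guest_writable(params):
    """'public' is a synonym of 'guest ok'; 'writable'/'writeable' are the
    inverse of 'read only'. A share is guest-writable when both hold."""
    guest = any(is_yes(params[k]) for k in ("guestok", "public") if k in params)
    writable = any(is_yes(params[k]) for k in ("writable", "writeable") if k in params) \
        or ("readonly" in params and not is_yes(params["readonly"]))
    return guest and writable


LOCAL_HOSTS = ("", "localhost", "127.0.0.1")


def check_pdc(conf):
    """Return a list of findings; an empty list means every check passed."""
    g = conf.get("global", {})
    findings = []
    for key, want in (("security", "user"), ("domainlogons", "yes"), ("domainmaster", "yes")):
        if g.get(key, "").lower() != want:
            findings.append(f"[global] {key} should be {want}, found {g.get(key)!r}")
    backend = g.get("passdbbackend", "")
    if not backend.startswith("ldapsam:"):
        findings.append(f"[global] passdb backend is not ldapsam: {backend!r}")
    host = re.sub(r"^ldapsam:ldaps?://", "", backend).split("/")[0].split(":")[0]
    if g.get("ldapssl", "").lower() == "off" and host not in LOCAL_HOSTS:
        findings.append(f"[global] ldap ssl = off with remote LDAP server {host}: the ldap admin dn "
                        "password and the password hashes cross the network in clear")
    for name, params in conf.items():
        if name != "global" and guest_writable(params):
            findings.append(f"[{name}] is writable by unauthenticated guests (path {params.get('path')})")
    return findings


if __name__ == "__main__":
    for finding in check_pdc(parse_smb_conf(PAGE_SMB_CONF)):
        print(finding)
```

On the page's configuration the only finding is the guest-writable [public] share; setting public = no there (or dropping the section) clears it, and pointing passdb backend at a remote host while keeping ldap ssl = off adds the clear-text warning.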


5.       Create LDAP data using smbldap-tools

# /usr/share/doc/smbldap-tools-0.9.5/            //run the interactive smbldap-tools configuration script shipped in this directory

Use of $# is deprecated at ./ line 314.


       smbldap-tools script configuration


Before starting, check

 . if your samba controller is up and running.

 . if the domain SID is defined (you can get it with the 'net getlocalsid')


 . you can leave the configuration using the Crtl-c key combination

 . empty value can be set with the "." character


Looking for configuration files...


Samba Configuration File Path [/etc/samba/smb.conf] >                // press Enter


The default directory in which the smbldap configuration files are stored is shown.

If you need to change this, enter the full directory path, then press enter to continue.

Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >    // press Enter


Let's start configuring the smbldap-tools scripts ...


. workgroup name: name of the domain Samba act as a PDC

  workgroup name [] >            // press Enter

. netbios name: netbios name of the samba controler

  netbios name [domainserver] >           // press Enter

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'

  logon drive [] > Z:                 //enter Z:, or '.' to leave it unset

. logon home: home directory location (for Win95/98 or NT Workstation).

  (use %U as username) Ex:'//ldapdomain/%U'

  logon home (press the "." character if you don't want homeDirectory) [//ldapdomain/%U] > //ldapdomain/public  //the Samba share folder; change it to your own setting

. logon path: directory where roaming profiles are stored. Ex:'//ldapdomain/profiles/%U'

  logon path (press the "." character if you don't want roaming profile) [//ldapdomain/profiles/%U] > .      //I don't use roaming profiles, so I enter '.' to skip

. home directory prefix (use %U as username) [/home/%U] >       // press Enter

. default users' homeDirectory mode [700] >         //press Enter

. default user netlogon script (use %U as username) [] >         //press Enter

  default password validation time (time in days) [45] >   //press Enter

. ldap suffix [dc=esa,dc=com] >      // press Enter

. ldap group suffix [ou=Groups] >   // press Enter

. ldap user suffix [ou=Users] >  // press Enter

. ldap machine suffix [ou=Computers] >  // press Enter

. Idmap suffix [ou=Idmap] >  // press Enter

. sambaUnixIdPooldn: object where you want to store the next uidNumber

  and gidNumber available for new users and groups

  sambaUnixIdPooldn object (relative to ${suffix}) [] >   // press Enter

. ldap master server: IP adress or DNS name of the master (writable) ldap server

  ldap master server [] >  // press Enter

. ldap master port [389] >     // press Enter

. ldap master bind dn [cn=Manager,dc=esa,dc=com] >  // press Enter

. ldap master bind password [] >   Warning: You really need to set this parameter...        //I entered nothing the first time, so it asks again

  ldap master bind password [] > secret123       //the rootpw from slapd.conf

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one

  ldap slave server [] >       // press Enter

. ldap slave port [389] >             // press Enter

. ldap slave bind dn [cn=Manager,dc=esa,dc=com] >    // press Enter

. ldap slave bind password [] >secret123     //the rootpw from slapd.conf; I use the same server as master and slave, change this if you have a real slave

. ldap tls support (1/0) [0] >     //press Enter

. SID for domain SID of the domain (can be obtained with 'net getlocalsid domainserver')

  SID for domain [S-1-5-21-3456266429-2160885202-3924598192] > // press Enter, after checking that the SID is the same as the one from "net getlocalsid"

. unix password encryption: encryption used for unix passwords

  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >        // press Enter

. default user gidNumber [513] >  // press Enter

. default computer gidNumber [515] > // press Enter

. default login shell [/bin/bash] > // press Enter

. default skeleton directory [/etc/skel] > // press Enter

. default domain name to append to mail adress [] > // press Enter


Use of uninitialized value in concatenation (.) or string at ./ line 314, <STDIN> line 34.

backup old configuration files:



writing new configuration file:

  /etc/smbldap-tools/smbldap.conf done.

  /etc/smbldap-tools/smbldap_bind.conf done.


# smbldap-populate   //create the base structure in LDAP: the OUs, the default groups and the root and nobody accounts

Populating LDAP directory for domain (S-1-5-21-3192196383-2887643535-4176574845)    //on your server this must be the SID from net getlocalsid; the one printed here does not match the SID captured earlier on this page. If yours differs, fix the SID in /etc/smbldap-tools/smbldap.conf before populating

(using builtin directory structure)


adding new entry: dc=esa,dc=com

adding new entry: ou=Users,dc=esa,dc=com

adding new entry: ou=Groups,dc=esa,dc=com

adding new entry: ou=Computers,dc=esa,dc=com

adding new entry: ou=Idmap,dc=esa,dc=com

adding new entry: uid=root,ou=Users,dc=esa,dc=com

adding new entry: uid=nobody,ou=Users,dc=esa,dc=com

adding new entry: cn=Domain Admins,ou=Groups,dc=esa,dc=com

adding new entry: cn=Domain Users,ou=Groups,dc=esa,dc=com

adding new entry: cn=Domain Guests,ou=Groups,dc=esa,dc=com

adding new entry: cn=Domain Computers,ou=Groups,dc=esa,dc=com

adding new entry: cn=Administrators,ou=Groups,dc=esa,dc=com

adding new entry: cn=Account Operators,ou=Groups,dc=esa,dc=com

adding new entry: cn=Print Operators,ou=Groups,dc=esa,dc=com

adding new entry: cn=Backup Operators,ou=Groups,dc=esa,dc=com

adding new entry: cn=Replicators,ou=Groups,dc=esa,dc=com

adding new entry:,dc=esa,dc=com


Please provide a password for the domain root:

Changing UNIX and samba passwords for root

New password:123456                  //the password for the domain root account; I use 123456 here, but root is the domain's administrator account, so use a strong password on a real server

Retype new password:123456   //again

# chkconfig ldap on          //start slapd at boot

# chkconfig smb on           //start Samba at boot

#smbldap-useradd -a -m test1   //add a user; -a adds the Samba (Windows) account as well as the POSIX one, -m creates the home folder

#smbldap-passwd test1  //set the password for test1 (this updates both the Unix and the Samba password attributes)

#pdbedit -Lw             //list the accounts with their LM and NT hashes; root was added automatically by smbldap-populate with the password you gave there. These hashes are password-equivalent for SMB logins, so run this only as root and do not paste the output anywhere

#smbclient -L //localhost -U test1   //check that the user can authenticate and list shares


Then you can add a client for testing: join it to the domain and log in as test1…

6.       Other

Issue help:

When running the configuration script under /usr/share/doc/smbldap-tools-0.9.5/, it prints "Samba need to be started first!" and stops. Check the Samba log /var/log/samba/smbd.log, which shows:


svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)


ERROR: failed to setup guest info.

Fix:

modify /etc/samba/smb.conf and add the line below in [global] (it is already included in the smb.conf shown above)

winbind nested groups = no


Useful links:
