Build a Samba PDC with LDAP backend

General Information

Build a Samba PDC on FreeBSD with a ldap backend. This will not let you authenticate ssh users just a plain samba server for your windows clients.


Shell access is assumed. You should perform the following as root.


First we going to install all the required ports so make sure your ports tree is up to date.

The name of the server is serv01

The domain name is doublel.local

So the FQDN is serv01.smbdomain.local

Thus my /etc/hosts file looks like this

::1                     localhost localhost.smbdomain.local               localhost localhost.smbdomain.local          serv01.smbdomain.local serv01          serv01.smbdomain.local.

We need to install the following ports:

  1. /net/openldap24-server
  2. /net/samba3 (should work with samba32-devel also)
  3. /net/nss_ldap
  4. /net/smbldap-tools

Openldap backend server

You can accept the default selected options

# cd /usr/ports/net/openldap24-server
# make install clean


# cd /usr/ports/net/samba3
# make install clean

Select the setting below

|                   Options for samba 3.0.32_1,1                     |
| +----------------------------------------------------------------+ |
| |  [X] LDAP         With LDAP support                            | |
| |  [X] ADS          With Active Directory support                | |
| |  [X] CUPS         With CUPS printing support                   | |
| |  [X] WINBIND      With WinBIND support                         | |
| |  [X] ACL_SUPPORT  With ACL support                             | |
| |  [X] AIO_SUPPORT  With Asyncronous IO support                  | |
| |  [ ] FAM_SUPPORT  With File Alteration Monitor                 | |
| |  [X] SYSLOG       With Syslog support                          | |
| |  [X] QUOTAS       With Disk quota support                      | |
| |  [X] UTMP         With UTMP accounting support                 | |
| |  [ ] PAM_SMBPASS  With PAM authentication vs passdb backends   | |
| |  [ ] CLUSTER      With experimental cluster support            | |
| |  [ ] DNSUPDATE    With dynamic DNS update(require ADS)         | |
| |  [ ] EXP_MODULES  With experimental modules                    | |
| |  [X] POPT         With system-wide POPT library                | |
| |  [X] PCH          With precompiled headers optimization        | |
| |  [ ] MAX_DEBUG    With maximum debugging                       | |
| |  [ ] SMBTORTURE   With smbtorture                              | |
|                       [  OK  ]       Cancel                        |

Install nss_ldap

# cd /usr/ports/net/nss_ldap/
# make install clean

Install smbldap-tools

# cd /usr/ports/net/smbldap-tools
# make install clean


Prepare the openldap config file (/usr/local/etc/openldap/slapd.conf)

First we need to create a password for the openldap server

# slappasswd -s very-secure-password

Note: Copy the output!!

Open the /usr/local/etc/openldap/slapd.conf file and make sure it looks like the following

# vi /usr/local/etc/openldap/slapd.conf

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema

loglevel 256

pidfile         /var/run/openldap/
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

# BDB database definitions

database        bdb
suffix          "dc=smbdomain,dc=local"
rootdn          "cn=Manager,dc=smbdomain,dc=local"
#rootpw = very-secure-password
rootpw          {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e

directory       /usr/local/var/db/openldap-data

# Indices to maintain
index   objectClass     eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub

Now we need to create and copy some files. First, we want to create the database dir of openldap. In this case this is /usr/local/var/db/openldap-data. If you want another location change the directory directive in the slapd.conf file. Also we set the right permissions on the directory and files of openldap.

# mkdir -p /usr/local/var/db/openldap-data
# cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/db/openldap-data/DB_CONFIG
# chown -R ldap:ldap /usr/local/var/db/openldap-data
# chown -R ldap:ldap /usr/local/etc/openldap/
# chmod -R 0700 /usr/local/var/db/openldap-data
# chmod 0400 /usr/local/etc/openldap/slapd.conf

Also we need to copy the samba schema to the final directory.

# cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/

Then we want to make sure slapd logs to syslog. Add the lines to the file /etc/syslog.conf

# vi /etc/syslog.conf

*.*                             /var/log/slapd.log

Now we create the log file and restart the syslog deamon

# touch /var/log/slapd.log
# /etc/rc.d/syslogd restart


Make sure the file /usr/local/etc/nss_ldap.conf looks like the following

# vi /usr/local/etc/nss_ldap.conf

base dc=smbdomain,dc=local

bind_policy soft
bind_timelimit 10

host localhost
idle_timelimit 3600
ldap_version 3

nss_base_group  ou=Groups,dc=smbdomain,dc=local?one
nss_base_passwd ou=People,dc=smbdomain,dc=local?one
nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
nss_base_shadow ou=People,dc=smbdomain,dc=local?one

nss_connect_policy persist
nss_paged_results yes

pagesize 1000
port 389
scope one
timelimit 30

Now we link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf

# rm -/usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf

To make sure the slapd deamon (the openldap server) starts at a reboot we need to edit the /etc/rc.conf file.

# echo "#enable slapd"  >>/etc/rc.conf
# echo slapd_enable=\"YES\" >>/etc/rc.conf
# echo slapd_flags='-h \"ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:// ldap://\"' >>/etc/rc.conf
# echo slapd_sockets=\"/var/run/openldap/ldapi\" >>/etc/rc.conf

And we try to start it!

# /usr/local/etc/rc.d/slapd start
Starting slapd.
# ps ax | grep slap
11383  ??  Ss     0:00,01 /usr/local/libexec/slapd -h ldapi://%2fvar
11385  p2  S+     0:00,00 grep slap


Edit the /etc/nsswitch file and make sure to edit the group: and passwd: line, so change compat to files ldap. The file looks like this after editing

group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


All my data (shares) and other samba related files like username are in /usr/local/samba. So first we create that dir

# mkdir /usr/local/samba

We also create a usermap file named usermap

# vi /usr/local/samba/usermap

root = administrator

To create the following /usr/local/etc/smb.conf file, you must remove or empty the original one. Make sure you replace fxp0 for your own network interface, or comment out the line interfaces = and bind interfaces only =

# rm /usr/local/etc/smb.conf
# vi /usr/local/etc/smb.conf

# Global parameters
      workgroup = SMBDOMAIN
      server string = Samba Server
      netbios name = serv01
      hosts allow = 192.168.50. 127. 10.0.1.
      interfaces = fxp0, lo
      bind interfaces only = Yes

# passwd backend
      encrypt passwords = yes
      passdb backend   = ldapsam:ldap://serv01.smbdomain.local/
      enable privileges = yes
      pam password change= Yes
      passwd program = /usr/bin/passwd %u
      passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
      unix password sync = Yes

# Log options
      log level = 1
      log file = /var/log/samba/%m
      max log size = 50
      syslog = 0

# Name resolution
      name resolve order = wins bcast host

# misc
      timeserver = Yes
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      use sendfile = yes
      veto files = /*.eml/*.nws/*.{*}/
      veto oplock files = /*.doc/*.xls/*.mdb/
      deadtime         = 120

# Dos-Attribute
      map hidden = No
      map system = No
      map archive = No
      map read only = No
      store dos attributes = Yes

# printers - configured to use CUPS and automatically load them
      load printers = Yes
      printcap name = CUPS
      printing = cups
      cups options = Raw
      show add printer wizard = No

# scripts invoked by samba
      add user script               = /usr/local/sbin/smbldap-useradd -m %u
      delete user script            = /usr/local/sbin/smbldap-userdel %u
      add group script              = /usr/local/sbin/smbldap-groupadd -p %g
      delete group script           = /usr/local/sbin/smbldap-groupdel %g
      add user to group script      = /usr/local/sbin/smbldap-groupmod -m %u %g
      delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
      set primary group script      = /usr/local/sbin/smbldap-usermod -g %g %u
> add machine script            = /usr/local/sbin/smbldap-useradd -w %m

# LDAP-iConfiguration
      ldap delete dn                = Yes
      ldap ssl                      = off
      ldap passwd sync              = Yes
      ldap suffix                   = dc=smbdomain,dc=local
      ldap machine suffix           = ou=Computers
      ldap user suffix              = ou=People
      ldap group suffix             = ou=Groups
      ldap idmap suffix             = ou=Idmap
      ldap admin dn                 = cn=Manager,dc=smbdomain,dc=local
      idmap backend                 = ldap:ldap://serv01.smbdomain.local
      idmap uid                     = 10000-20000
      idmap gid                     = 10000-20000

# logon options
      logon script = logon.bat
      logon path = \%Lprofiles%u
      logon path =
      logon home = \%L%U
      logon drive = H:

# setting up as domain controller
      username map = /usr/local/samba/usermap
      preferred master = Yes
      wins support = Yes
      domain logons = Yes
      domain master = Yes
      local master = Yes
      os level = 64
      map acl inherit = Yes
      unix charset     = UTF8

#============================ Share Definitions ==============================

      comment = Network Logon Service
      path = /usr/local/etc/samba/netlogon
      guest ok = yes
      locking = no

      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No

      comment = Network Profiles Service
      path = /usr/local/etc/samba/profiles
      read only = No
      profile acls = yes
      hide files = /desktop.ini/ntuser.ini/NTUSER.*/
      profile acls = Yes

      comment = All Printers
      path = /var/spool/samba
      browseable = No
      guest ok = Yes
      printable = Yes
      use client driver = Yes
      default devmode = Yes

      comment = Printer Drivers
      path = /usr/local/samba/printer-drivers
      browseable = yes
      guest ok = no
      read only = yes
      write list = root

      comment = Data Directory
      path = /home/data
      write list = @smbdomain
      read only = No
      create mask = 0777
      directory mask = 0777

Create the following directories: netlogon, profiles, printer-drivers and the share data, and give them proper permissions.

# mkdir /usr/local/samba/netlogon
# mkdir /usr/local/samba/profiles
# mkdir /usr/local/samba/printer-drivers
# mkdir /usr/local/samba/data
# chmod 777 /usr/local/samba/profiles

Check the smb.conf file by doing a testparm

# testparm /usr/local/etc/smb.conf

You should see the following without errors

Load smb config files from /usr/local/etc/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

We need to store the password from the ldap server in the secret.tdb file of samba. First we stop the openldap server(also for later when we import the data)

# /usr/local/etc/rc.d/slapd stop
Stopping slapd.
Waiting for PIDS: 49851.
# smbpasswd ñw very-secure-password
Setting stored password for "cn=Manager,dc=smbdomain,dc=local" in secrets.tdb

Make sure samba can start and will restart after a reboot

# echo "#enable Samba" >>/etc/rc.conf
# echo nmbd_enable="YES" >>/etc/rc.conf
# echo smbd_enable="YES" >>/etc/rc.conf
# echo winbindd_enable="YES" >>/etc/rc.conf
# echo cupsd_enable="YES" >>/etc/rc.conf

Now we start samba

# /usr/local/etc/rc.d/samba start
Removing stale Samba tdb files: ....... done
Starting nmbd.
Starting smbd.
Starting winbindd.

Test if samba has started.

# ps -ax | grep mdb
1093  ??  Ss     0:00.03 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1095  ??  I      0:00.00 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1100  ??  Ss     0:00.01 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf

To make sure samba starts after the ldap server starts we need to edit the startup scrpit of samba. So we put slapd after cupsd at the second line starting with # REQUIRE:

# vi /usr/local/etc/rc.d/samba

PROVIDE: nmbd smbd
PROVIDE: winbindd
REQUIRE: cupsd slapd
KEYWORD: shutdown


If you run the script you must answer a few questions. I put [HIT ENTER] after the lines that need no change, behind the others I put [<--- NEEDS CHANGE]

After the question ldap tls support (1/0) [0] there is a little timeout, now the script try’s to get the SID and this can take a few seconds!

# /usr/local/share/examples/smbldap-tools/
Use of $# is deprecated at /usr/local/share/examples/smbldap-tools/ line 314.
       smbldap-tools script configuration
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
Looking for configuration files...

Samba Configuration File Path [/usr/local/etc/smb.conf]  [HIT ENTER]

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] /usr/local/etc/smbldap-tools [<--- NEEDS CHANGE]
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
  workgroup name [smbdomain] [HIT ENTER]
. netbios name: netbios name of the samba controler
  netbios name [serv01] [HIT ENTER]
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] [HIT ENTER]
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\serv01%U'
  logon home (press the "." character if you don't want homeDirectory) [\%L%U] [HIT ENTER]
. logon path: directory where roaming profiles are stored. Ex:'\serv01profiles%U'
  logon path (press the "." character if you don't want roaming profile) [\serv01profiles%U] [HIT ENTER]
. home directory prefix (use %U as username) [/home/%U] [HIT ENTER]
. default users' homeDirectory mode [700] [HIT ENTER]
. default user netlogon script (use %U as username) [logon.bat] [HIT ENTER]
  default password validation time (time in days) [45] 100000  [<--- NEEDS CHANGE]  
. ldap suffix [dc=smbdomain,dc=local] [HIT ENTER]
. ldap group suffix [ou=Groups] [HIT ENTER]
. ldap user suffix [ou=People] [HIT ENTER]
. ldap machine suffix [ou=Computers] [HIT ENTER]
. Idmap suffix [ou=Idmap] [HIT ENTER]
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=smbdomain] [HIT ENTER]
. ldap master server: IP adress or DNS name of the master (writable) ldap server
  ldap master server [serv01.smbdomain.local] [HIT ENTER]
. ldap master port [389] [HIT ENTER]
. ldap master bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
  ldap master bind password [] very-secure-password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
  ldap slave server [serv01.smbdomain.local] [HIT ENTER]
. ldap slave port [389] [HIT ENTER]
. ldap slave bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
. ldap slave bind password [] very-secure-password
. ldap tls support (1/0) [0] [HIT ENTER]
. SID for domain smbdomain: SID of the domain (can be obtained with 'net getlocalsid serv01')
  SID for domain smbdomain [S-1-5-21-2609998211-36760486-3473504348] [HIT ENTER]
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] [HIT ENTER]
. default user gidNumber [513] [HIT ENTER]
. default computer gidNumber [515] [HIT ENTER]
. default login shell [/bin/sh] [HIT ENTER]
. default skeleton directory [/etc/skel] [HIT ENTER]
. default domain name to append to mail adress [] [HIT ENTER]
Use of uninitialized value in concatenation (.) or string at /usr/local/share/examples/smbldap-tools/ line 314, /usr/local/etc/smbldap-tools/smbldap.conf.old
writing new configuration file:
  /usr/local/etc/smbldap-tools/smbldap.conf done.
  /usr/local/etc/smbldap-tools/smbldap_bind.conf done.

Now we start the ldap server again

# /usr/local/etc/rc.d/slapd start

And we populate the database

# smbldap-populate -u 10000 -g 10000 -r 10000
Populating LDAP directory for domain smbdomain (S-1-5-21-2609998211-36760486-3473504348)
(using builtin directory structure)

adding new entry: dc=smbdomain,dc=local
adding new entry: ou=People,dc=smbdomain,dc=local
adding new entry: ou=Groups,dc=smbdomain,dc=local
adding new entry: ou=Computers,dc=smbdomain,dc=local
adding new entry: ou=Idmap,dc=smbdomain,dc=local
adding new entry: uid=root,ou=People,dc=smbdomain,dc=local
adding new entry: uid=nobody,ou=People,dc=smbdomain,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=smbdomain,dc=local
adding new entry: sambaDomainName=smbdomain,dc=smbdomain,dc=local

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

The password can be any password and does not have to be the ldap password ( very-secure-password). It is the root (administrator) password for samba. Now we need to configure winbind:

# net rpc join -S serv01 -Uroot
joined domain smbdomain

For the administration of the server you can use USERMGR.exe from Microsoft. That is it!

Speak Your Mind