HOWTO Use Samba as PDC using LDAP on Debian

This article was first written in October 2004 for the BeezNest technical
website (
Starting from Debian Sarge, the Samba version which ship with Debian is 3.0.x. This is the first real version to support well being a PDC while using LDAP as backend. Here is how to use Samba as PDC with LDAP backend for authentication on Debian.

Install the following packages, which are all part of Samba

  • samba: The server itself
  • samba-doc: The documentation (very complete)
  • smbclient: FTP-like client for SMB/CiFS
  • swat: Samba Web Administration Tool (web interface to configure Samba and access the full documentation through a browser, if installed)

Aside, we will install LDAP

  • slapd: the server itself
Some companies provide useful tools to help in the setting up of a Samba server with LDAP as PDC:
  • smbldap-tools: IDEALX tools for Samba use to ease installation and migration when using together with LDAP

Configure the Name Service Switch to use LDAP

Install package libnss-ldap and configure it according to the LDAP configuration [1]. Edit /etc/nsswitch.conf by adding a mention ldap to the end of the three following lines: passwd:, group:, shadow: and a mention wins to the end of the line hosts:.

Configure PAM to also use LDAP

Install package libpam-ldap and configure it according to the LDAP configuration. Edit /etc/pam.d/common-account and add the following line before the existing second line:
account  sufficient
account required
Edit /etc/pam.d/common-auth and add the following line before the existing second line:
auth    sufficient
auth    required nullok_secure
Edit /etc/pam.d/common-password and add the following line before the existing second line:
password   sufficient
password   required nullok obscure min=4 max=8 md5

Set the LDAP password in Samba

Samba stores its passwords in /var/lib/samba/secrets.tdb, and also stores there the LDAP admin password to use to connect to OpenLDAP. To set/change the password:
smbpasswd -w MySecretPassword
where MySecretPassword is LDAP's admin password. WARNING: with that configuration, it asks twice to type password to authenticate anyone! TODO

Add the Samba schema to OpenLDAP's list of schemas

An example that you can copy "as is" (well, you just need to unzip it first) is available in /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz in /etc/ldap/schemas and edit /etc/ldap/slapd.conf to use it. Configure /etc/ldap/ldap.conf and /etc/ldap/slapd.conf.

Tools to manage it afterwards

LDAP Account Manager (LAM) (web-based frontend to Samba accounts for machines, users and groups in LDAP) or phpLDAPadmin (which is not specific for managing Samba, but can also manage addressbooks, UNIX authentication, …).

Create your machines in the Domain

To be continued…
[1] it will configure /etc/libnss-ldap.conf