This is a simple walkthrough on making a Linux server act as a Windows domain controller. Samba 3 provides an NT4-style Primary Domain Controller (PDC), not an Active Directory domain controller, so clients join an NT domain. By keeping the accounts in LDAP instead of the default tdbsam or smbpasswd backend, the server scales to a few hundred users rather than 50 to 100, and the same directory can supply Unix accounts through nss_ldap. This guide is very distro specific: CentOS 5 and RHEL 5. This is just a first draft of the guide and I will be improving it over time.
Commands (shown with a leading #, the root prompt) and text that needs to be added to a configuration file are set off on their own lines below.
First we need to install all the packages we need for the server.
yum install samba samba-client openldap openldap-servers openldap-clients
Then copy the Samba schema into the OpenLDAP schema directory so slapd knows the samba* attributes and object classes. Adjust the path to match the Samba version you have installed:
#cp /usr/share/doc/samba-3.0.*/LDAP/samba.schema /etc/openldap/schema/samba.schema
Then we'll need to edit a few lines in the LDAP configuration file, /etc/openldap/slapd.conf. First add the following line with the rest of the include directives at the top of the file:
include /etc/openldap/schema/samba.schema
Add the access rules below to slapd.conf. Order matters: slapd applies the first access clause whose target matches, and with no rules at all it allows everyone read, so these must come before any existing "access to *" line. The first rule keeps the Unix and Samba password hashes readable only by accounts under ou=admin and by the entry's owner; anonymous clients may use them to authenticate but never read them. sambaNTPassword in particular is an unsalted hash that a client can replay as a credential, so "by * none" is what stops anyone who can bind from harvesting domain credentials. The second rule leaves the rest of the directory world-readable, which the anonymous nss_ldap lookups configured by authconfig below rely on. Once slapd is running, confirm the rules by searching for sambaNTPassword anonymously and then as the admin account: only the admin search should return values.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
        by dn.children="ou=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.children="ou=admin,dc=example,dc=com" write
        by * read
Then adjust suffix and rootdn in slapd.conf:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
Use the command slappasswd to create an {SSHA} password hash for the rootdn and add it to slapd.conf as rootpw (the hash below is this page's example; yours will differ). Never put the cleartext password on this line, and keep slapd.conf readable only by root and the ldap user, because the rootdn bypasses every access rule:
rootpw {SSHA}QL9L55wK/tOnsHs9flW+jJlWmws7aR6d
Enable indexing on the attributes Samba looks up to improve speed. If the database already holds data when you add these, stop slapd and run slapindex so the new indexes are built:
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Next we need smbldap-tools, the scripts used below to create and manage accounts in LDAP. The package is not in the base repositories but is provided by RPMForge; after enabling the RPMForge repository, install it:
#yum install smbldap-tools
Now you'll need the SID of the server. On a PDC this is also the domain SID; smbldap-populate writes it into the sambaDomainName entry, and Samba must keep using the same one afterwards. To get it, run:
#net getlocalsid
Next you'll need to edit /etc/smbldap-tools/smbldap.conf. Add the SID to the config file (the value below is this page's example; use the one net getlocalsid printed for your server) and set sambaDomain to the same name you will use for workgroup in smb.conf:
SID="S-1-5-21-2716683063-1859637689-668750523"
Change suffix and the container DNs (usersdn, groupsdn, computersdn, idmapdn and sambaUnixIdPooldn, which are written relative to ${suffix}) to suit your domain name, point masterLDAP and slaveLDAP at 127.0.0.1 since slapd runs on this host, and turn off TLS for that loopback connection:
ldapTLS="0"
This is only acceptable because the connection never leaves the machine; the tools send the bind password and every hash they write over it. If the directory ever moves to another host, set ldapTLS="1" and point cafile at the CA that signed the server certificate. There are other options in the config file worth attention (home directories, login shell, profile paths); each parameter is documented in the file itself and is pretty self-explanatory.
Now edit /etc/smbldap-tools/smbldap_bind.conf. Set masterDN and slaveDN to the DN the tools bind as, and masterPw and slavePw to that account's password (the LDAP server addresses belong in smbldap.conf as masterLDAP and slaveLDAP, not here); with a single server the master and slave values are the same. The cn=samba,ou=admin account created below works once it exists; until then use the rootdn, cn=Manager,dc=example,dc=com, and its slappasswd password. The file holds a cleartext password, so keep it readable by root only.
Start LDAP (or restart it if it was already running, so the new schema, access rules and indexes take effect):
#/etc/init.d/ldap start
or
#service ldap start
Create the LDAP groups and users: the ou=People, ou=Groups, ou=Computers and ou=Idmap containers, the sambaDomainName entry carrying your SID, the default domain groups and the Administrator account (you will be prompted for the Administrator password). The script binds with the masterDN credentials from smbldap_bind.conf, so that account must already exist; if you pointed it at cn=samba,ou=admin rather than cn=Manager, create that account in the next step before running this one.
#smbldap-populate
Create the admin account Samba will bind as. ldapadd reads LDIF from standard input: after entering the Manager password the prompt line is blank, and you type the entries there. Each entry ends with a blank line (press return twice after its last attribute) so that ldapadd accepts it; when both have been added, press Ctrl+D to exit. The access rules in slapd.conf grant write access to everything under ou=admin, which is why this account lives there. userPassword is stored exactly as submitted, so use an {SSHA} hash generated with slappasswd instead of the cleartext shown below.
#ldapadd -cxW -D "cn=Manager,dc=example,dc=com"
Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure
Use authconfig to make LDAP both the user-information (NSS) and authentication (PAM) source, so that accounts created with smbldap-tools are also Unix accounts on this host. Plain LDAP to 127.0.0.1 is acceptable here for the same loopback reason as above:
#authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn=dc=example,dc=com --update
Adjust your smb.conf [global] options (parameter names are case-insensitive; the usual lowercase is shown). workgroup is the NT domain name and must equal sambaDomain in smbldap.conf; ldap admin dn is the account Samba binds as, and ldap suffix is the base of the directory:
workgroup = DOMAINNAME
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
Add the following options to smb.conf. The three ldap ... suffix values are relative to ldap suffix and must name the containers smbldap-populate created (usersdn, groupsdn and computersdn in smbldap.conf). ldap passwd sync makes smbd update the Unix userPassword whenever a domain password changes, so Unix and Windows passwords stay in step. Note that Samba's ldap ssl parameter defaults to start tls; with no certificate configured in slapd, set it to off for this loopback connection or configure TLS in slapd.
passdb backend = ldapsam:ldap://127.0.0.1/
domain master = yes
domain logons = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap passwd sync = yes
Edit the following (it is only consulted when unix password sync is on):
passwd program = /usr/sbin/smbldap-passwd %u
Comment out this line, since ldap passwd sync already keeps the Unix password current and running an external program as well is unnecessary:
#unix password sync = yes
Store the LDAP admin password in secrets.tdb so that smbd can bind. This must be the password of the ldap admin dn set in smb.conf (cn=samba,ou=admin, verysecure in the example above), not the rootdn password; using the wrong one is the classic reason Samba cannot bind while ldapsearch as cn=Manager works. The password ends up in your shell history, so clear it afterwards.
#smbpasswd -w verysecure
Start Samba. Domain logons need nmbd as well as smbd (nmbd registers the domain name on the network and answers clients' logon requests), so check that both daemons are running after the script returns:
#/etc/init.d/smb start
or
#service smb start
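The settings above have to agree across three files, and a mismatch (a workgroup that differs from sambaDomain, a host address typed where a bind DN belongs, a suffix that differs between smb.conf and smbldap.conf) is the usual reason smbd or smbldap-populate fails to bind. The checker below is an added example, not from the original post or from the Samba or smbldap-tools projects: it parses constructed copies of smb.conf, smbldap.conf and smbldap_bind.conf that mirror this walkthrough (dc=example,dc=com, the page's example SID) and reports the inconsistencies it finds. The parameter names it reads are the real ones from those files; the sample values, check logic and message wording are this example's own.

```python
"""Cross-check the Samba/LDAP configuration used in this walkthrough.

Added example, not from the original post or from Samba/smbldap-tools.
Parses smb.conf, smbldap.conf and smbldap_bind.conf and reports mismatches.
"""
import re
from typing import Dict, List

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample files mirroring the tutorial's values (not real files).
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
"""
SMBLDAP_CONF = """
SID="S-1-5-21-2716683063-1859637689-668750523"
sambaDomain="EXAMPLE"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
"""
BIND_CONF = """
slaveDN="cn=samba,ou=admin,dc=example,dc=com"
slavePw="verysecure"
masterDN="cn=samba,ou=admin,dc=example,dc=com"
masterPw="verysecure"
"""

def parse_smb_conf(text: str) -> Dict[str, str]:
    """[global] parameters; smb.conf keys are case- and whitespace-insensitive."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_kv_conf(text: str) -> Dict[str, str]:
    """smbldap.conf / smbldap_bind.conf: key="value" lines, ${suffix} expanded."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip().strip('"')
    suffix = params.get("suffix", "")
    return {k: v.replace("${suffix}", suffix) for k, v in params.items()}

def check_config(smb_text: str, smbldap_text: str, bind_text: str) -> List[str]:
    """Return the inconsistencies found (an empty list when everything agrees)."""
    smb, tools, bind = parse_smb_conf(smb_text), parse_kv_conf(smbldap_text), parse_kv_conf(bind_text)
    suffix = tools.get("suffix", "")
    problems = []
    if not SID_RE.match(tools.get("SID", "")):
        problems.append("smbldap.conf: SID is not of the form S-1-5-21-x-y-z")
    if smb.get("workgroup", "").lower() != tools.get("sambaDomain", "").lower():
        problems.append("workgroup (smb.conf) != sambaDomain (smbldap.conf)")
    if smb.get("ldap suffix", "").lower() != suffix.lower():
        problems.append("ldap suffix (smb.conf) != suffix (smbldap.conf)")
    # smb.conf names the containers relative to ldap suffix; smbldap.conf holds full DNs.
    for smb_key, tools_key in (("ldap user suffix", "usersdn"), ("ldap group suffix", "groupsdn"),
                               ("ldap machine suffix", "computersdn")):
        if f"{smb.get(smb_key, '')},{suffix}".lower() != tools.get(tools_key, "").lower():
            problems.append(f"{smb_key} (smb.conf) != {tools_key} (smbldap.conf)")
    if not smb.get("ldap admin dn", "").lower().endswith("," + suffix.lower()):
        problems.append("ldap admin dn (smb.conf) is not under the LDAP suffix")
    for key in ("masterDN", "slaveDN"):  # a DN starts attr=value; a host here is the classic slip
        if not re.match(r"^\w+=", bind.get(key, "")):
            problems.append(f"smbldap_bind.conf: {key} must be a bind DN, not a host address")
    hosts = {tools.get("masterLDAP", ""), tools.get("slaveLDAP", "")}
    if tools.get("ldapTLS") == "0" and not hosts <= LOOPBACK:
        problems.append("ldapTLS=0 but the LDAP server is not on loopback: "
                        "bind passwords and hashes would cross the network in clear")
    return problems

if __name__ == "__main__":
    for line in check_config(SMB_CONF, SMBLDAP_CONF, BIND_CONF) or ["no inconsistencies found"]:
        print(line)
```

Run it against your own files by reading them in place of the three sample strings. The host check deliberately treats ldapTLS="0" as acceptable only when both masterLDAP and slaveLDAP are loopback addresses, which is the assumption the walkthrough makes when it disables TLS.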

By zee August 11, 2009 - 9:18 am
Hi,
When I run the command smbldap-populate, I get the following output for it.
Could not start_tls: unsupported extended operation at /usr/local/sbin//smbldap_tools.pm line 340.
Surely there is something wrong. Can someone please let me know what is missing from the configuration?
Thanks,
Zee
By Zee August 13, 2009 - 1:36 am
The problem as described above “Could not start_tls: unsupported extended operation at /usr/local/sbin//smbldap_tools.pm line 340.” was solved by commenting out the line “allow bind_v2” from “/etc/openldap/slapd.conf” and restarting the ldap service.
Thanks,
Zee
By Jeremy Clark August 13, 2009 - 7:27 am
I’m glad you figured it out. That must have been in the CentOS openldap by default.
By Roberto Mason August 20, 2009 - 1:02 pm
I can't even get there. I've got CentOS 5.3 running on a VM (VMware) that is NAT'd. When I go to start the LDAP service, I get "bad config file at line 84", the part where the access "access to trs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange...." is. This is the first time I'm trying to configure LDAP for Samba. I've been running tdbsam with no problem, but I want to learn how to configure LDAP for Samba.
By Alan August 24, 2009 - 12:56 pm
Roberto,
You said you had it as “access to trs=userPassword…” it should be “access to attrs=userPassword…”
By John October 11, 2009 - 2:53 am
There is something wrong with this section here. I'm no expert, but I cannot get it to bind with samba,
but can with cn=Manager:
#ldapadd -cxW -D "cn=Manager,dc=example,dc=com"
Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin
dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure
By Jeremy Clark October 11, 2009 - 9:25 pm
Did you run the smbldap-populate command? I've forgotten to do this many times and it will always cause problems.
By John October 11, 2009 - 11:50 pm
Yes I have, and all works fine
if I change all my bindings in slapd.conf and smb.conf to cn=Manager;
then I can get it working, but not with this config of yours.
By Chris December 4, 2009 - 3:49 pm
Is it possible to approximate this setup without turning the samba server into a PDC? I do not need pdc functionality although I do need to authenticate my windows users against LDAP.
By Martin May 17, 2011 - 11:11 am
I think I am going to wait for a while until the major release package comes along and is available in the market.
By Shyfur August 11, 2011 - 1:06 pm
Hey, thanks for your wonderful tutorial. I am getting an error while adding my XP client; I need your help:
================================
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain isrtdu.com:
The query was for the SRV record for _ldap._tcp.dc._msdcs.isrtdu.com
The following domain controllers were identified by the query:
ldap.isrtdu.com
Common causes of this error include:
– Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
– Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.
=========================
Please help me. Here I'd like to mention that I can ping and the name can be resolved by nslookup.
tnx and rgds,
Shyfur
By Shyfur September 3, 2011 - 10:32 am
Solved …:)
By Josh September 12, 2011 - 11:19 am
How did you solve this? I am having the same problem.
Thanks.
By Victor Z December 8, 2011 - 1:18 pm
Me too… How to fix? Thank you!
By Shyfur December 8, 2011 - 1:32 pm
Configure the DNS well. Check your DNS SRV records. I am putting my SRV records here.
_ldap._tcp.XXX.local. SRV 0 0 389 ds.XXX.local.
_ldap._tcp.dc._msdcs.XXX.local. SRV 0 0 389 ds.XXX.local.
Replace XXX with your domain name.
thanks.
//shyfur
By Victor Zucarino January 30, 2012 - 12:16 pm
Hello all, in fact nmbd was stopped, so I added this to my /etc/init.d/smb:
echo -n $"Starting $KIND2 services: "
daemon nmbd $SMBDOPTIONS
Thanks!
By Eitan November 8, 2012 - 8:24 am
well, this didn’t help me … 🙁
I’m still getting the error:
"Could not start_tls: Operations error at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 345."
I also commented out the line "allow bind_v2" from "/etc/openldap/slapd.conf" and restarted the ldap service.
any other suggestions?
thanks
Eitan