SAMBA Member Server with LDAP

... coming home ...

© 2012 Dennis Leeuw dleeuw at made-it dot com
With a big Thanks! to Eric Toirkens for his help with the Windows section.
License: GPLv2 or later


    1. Introduction
    2. The setup
      1. A member server example configuration file
      2. Join the domain
      3. Give winbind a password
      4. Start the services


In the previous sections we built the groundwork for our network, but the only share we had was the [netlogon] share. That is not what makes our users happy. With this member server we will provide them with their home directory and give them the ability to use roaming profiles.

Of course, this is an example setup that you should extend. After you have this machine up and running, you can create more member servers providing more shares to your users, or you could extend one of the already available servers with more shares. We just wanted to give you an idea of what could be done.

The setup

A member server example configuration file

    [global]
    # Who are we
    workgroup       = EXAMPLE
    server string   = "Example home server"
    netbios name    = fs03
    netbios aliases =
    os level        = 65

    # How do we find others
    name resolve order = lmhosts wins host bcast
    wins server        =
    dns proxy          = no

    # What do we provide to whom
    smb ports            = 445 139
    hosts allow          = 192.168.
    interfaces           = lo, eth0
    bind interfaces only = yes

    # Where do we write what we do 
    log file     = /var/log/samba/%m.log
    log level    = 3 passdb:5 auth:10 winbind:2
    max log size = 500

    # What is our role
    local master     = no
    domain master    = no
    preferred master = no
    domain logons    = no

    # How do we handle UIDs and GIDs
    map to guest = bad user

    # How must users login
    encrypt passwords = yes
    security          = domain
    password server   =

    # Tell our users where their stuff is
    logon drive  = z:
    logon home   = \\\%U
    logon path   = \\\%U\profile
    logon script = logon.bat

    # Printing
    load printers = no

    # Some optimizations
    oplocks        = no
    level2 oplocks = no
    socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
    dead time      = 15
    getwd cache    = yes

    # Backend setup
    passdb backend      = ldapsam:ldap://
    ldap ssl            = off
    ldap admin dn       = cn=manager,dc=example,dc=com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Devices
    idmap backend       = ldap:ldap://
    ldap idmap suffix   = ou=idmap
    ldap delete dn      = no

    [homes]
    comment                       = Home Directories
    browseable                    = no
    writable                      = yes
    hosts allow                   = 192.168.
    inherit permissions           = yes
    inherit acls                  = yes
    security mask                 = 0660
    directory security mask       = 0770
    force security mode           = 0660
    force directory security mode = 0770
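
An added example, not part of the original page: a small Python check that parses an smb.conf and reports two settings from the configuration above that deserve a second look outside a lab network, namely LDAP backends reached over ldap:// with ldap ssl = off, and debug classes logged at level 10. The host ldap.example.com is a placeholder (the page leaves the host part of the URLs empty), and the function names are this example's own.

```python
import re

# Constructed sample: the page's backend and logging settings, with a
# placeholder LDAP host (the page leaves the host part of the URLs empty).
PAGE_CONF = """
[global]
    log level      = 3 passdb:5 auth:10 winbind:2
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap ssl       = off
    ldap admin dn  = cn=manager,dc=example,dc=com
    idmap backend  = ldap:ldap://ldap.example.com
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and whitespace in names."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", name).lower()] = value.strip()
    return conf

def audit(text):
    """List findings for unencrypted LDAP binds and debug-level logging."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    tls_off = g.get("ldapssl", "").lower() in ("off", "no")
    for param in ("passdbbackend", "idmapbackend"):
        url = re.search(r"ldaps?://\S*", g.get(param, ""), re.I)
        # ldaps:// encrypts on its own; ldap:// needs 'ldap ssl = start tls'.
        if url and tls_off and not url.group().lower().startswith("ldaps://"):
            findings.append(f"{param}: {url.group()} with 'ldap ssl = off': "
                            "the LDAP bind password crosses the network unencrypted")
    for cls, level in re.findall(r"(\w+):(\d+)", g.get("loglevel", "")):
        if int(level) >= 10:
            findings.append(f"loglevel: class '{cls}' at {level} is debug-level logging")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_CONF):
        print("WARN", finding)
    print("with start tls:", audit(PAGE_CONF.replace("= off", "= start tls")))
```

Switching to `ldap ssl = start tls`, or to an ldaps:// URL, clears the two backend findings; the LDAP server must of course offer TLS for that to work.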

Join the domain

    net rpc join -S -U domadmin%<password>

Give winbind a password

    net idmap secret EXAMPLE <password>

Start the services

First start samba (smbd and nmbd), then start winbind (winbindd).