SAMBA PDC with LDAP

... a single point of ...

© 2010, 2011, 2012 Dennis Leeuw dleeuw at made-it dot com
With a big Thanks! to Eric Toirkens for his help with the Windows section.
License: GPLv2 or later

Index

    1. Introduction
    2. Assumptions
    3. SAMBA setup
      1. When a user logs in
      2. A PDC example file
      3. Change LDAP from SAMBA
      4. Tests

Introduction

This section will describe the setup of SAMBA as a PDC with the use of LDAP. The idea is that LDAP will be our single point of configuration, meaning everything related to SAMBA will be present in LDAP.

Another important note is that SAMBA needs a POSIX account for every SAMBA account. In this document we assume that an entry in LDAP will hold all details related to that entry, meaning that the POSIX and SAMBA account attributes are all located in the same object.

Assumptions

The basic accounts, groups and groupmappings as described in the Samba LDAP Accounts document should be present.

SAMBA setup

The idea is that the DAS tools and/or webinterface is used to create the basic account stuff, while SAMBA only maintains the user and machine passwords.

To be able to e.g. add machines to the domain we also need an account that is able to act as a domain administrator. We are using the admin account for that, which is a POSIX account which is part of the Domain Administrators group.

             Workstation   Connection   Samba Server   Connection   LDAP Server
Names        WS42                       PDC                         ldap.example.com
Protocol                   SMB/CIFS                    LDAP
Account                    admin                       cn=manager,dc=example,dc=com

When a user logs in

When a user signs in to a domain, the user is first connected to its profile, and additionally a netlogon script can be executed on the workstation. For this process to work, several settings in SAMBA need to be set.

The logon home entry in the smb.conf file defines the Home-drive mapping, and the logon path defines the Profile mapping. This can easily be viewed by using:

rpcclient -c "queryuser <User RID>" -U administrator%password pdc.example.com
which outputs on my system, when I use my RID:
User Name   : dleeuw
Full Name   : D Leeuw
Home Drive  : \\PDC\dleeuw
Dir Drive   : z:
Profile Path: \\PDC\dleeuw\profile
Logon Script: logon.bat
Description :
Workstations:
Comment     :
Remote Dial :
...

The place where your Homes and your Profiles reside can be configured in the [global] section of your smb.conf file like this:

logon home   = \\homesrv.example.com\%U
logon path   = \\profile.example.com\%U\%a

NOTE There is one exception to the above rule. If logon path is not set and logon home is, the Profile path is the home path plus \profile.

The logon home can be mapped to a drive letter by SAMBA. To make SAMBA tell the client which drive letter to use add logon drive to your smb.conf like this:

logon drive  = z:
logon home   = \\%N\%U
logon path   = \\%N\%U\profile
which is the configuration of our server.

The last part of a user's logon is the connection to the [netlogon] share, which should be present on any PDC and BDC. After connecting, the script defined in the logon script setting is started. To finish off our definition of the user logon, add to the [global] section:

logon drive  = z:
logon home   = \\%N\%U
logon path   = \\%N\%U\profile
logon script = logon.bat
where logon.bat can of course be anything you want, as long as it is executable by Microsoft Windows.

A PDC example file

[global]
    # Who are we
    workgroup       = EXAMPLE
    server string   = "Example PDC"
    netbios name    = pdc
    netbios aliases = pdc.example.com
    os level        = 65

    # How do we find others
    name resolve order = lmhosts wins host bcast

    # WINS support: You have two options you can make
    # the server do WINS, or you can use another WINS server
    # If you are not the WINS server set:
    # wins support     = no
    # wins server      = ip.to.wins.server
    # If you want to be your own WINS server set:
    # wins support     = yes
    # and remove the 'wins server' line.

    # DNS support
    dns proxy          = no

    # What do we provide to whom
    smb ports            = 445 139
    hosts allow          = 192.168.
    interfaces           = lo, eth0
    bind interfaces only = yes

    # Where do we write what we do
    log file     = /var/log/samba/%m.log
    log level    = 1
    max log size = 500
    syslog       = 0


    # What is our role
    local master     = yes
    domain master    = yes
    preferred master = yes
    domain logons    = yes

    # How do we handle UIDs and GIDs
    map to guest = bad user

    # How must users login
    encrypt passwords = yes
    security          = user
    password server   = pdc.example.com

    # Tell our users where their stuff is
    logon drive  = z:
    logon home   = \\fs03.example.com\%U
    logon path   = \\fs03.example.com\%U\profile
    logon script = logon.bat

    # Printing
    load printers = no

    # Some optimizations
    oplocks        = no
    level2 oplocks = no
    socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
    # dead time Default is 0
    dead time      = 15
    getwd cache    = yes

    # Backend setup
    # NOTE: with a plain ldap:// URL and 'ldap ssl = off' the bind as the
    # ldap admin dn is not protected by TLS; keep the PDC-to-LDAP path on a
    # trusted network or switch to 'start tls'.
    passdb backend      = ldapsam:ldap://ldap.example.com
    ldap ssl            = off
    ldap admin dn       = cn=manager,dc=example,dc=com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Devices
    idmap backend       = ldap:ldap://ldap.example.com
    ldap idmap suffix   = ou=idmap
    ldap delete dn      = no
    ldapsam:trusted     = yes
    ldap passwd sync    = yes

[netlogon]
   # Each PDC and BDC must provide the netlogon share
   comment     = Network Logon Service
   path        = /data/netlogon
   browseable  = no
   guest ok    = yes
   read only   = yes

NOTE 1: We made a PDC that does only the bare minimum, meaning our Home shares and Profiles are located on another server (fs03.example.com). We chose to make the profile directory part of the user's Home share. This means that when the user logs in through SSHFS, they can also access the documents on their "Desktop".
NOTE 2: Because we want the PDC to do the bare minimum, it will also not support printing.
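As an added example (not code from this page or from Samba itself), the following Python reads a constructed smb.conf fragment, predicts the Home Drive / Dir Drive / Profile Path / Logon Script values that rpcclient queryuser would report by applying the logon home / logon path rule from the section above, and flags the plain ldap:// plus 'ldap ssl = off' combination from the example file. The parser and the %U/%N/%a expansion are simplified assumptions, not Samba's own code.

```python
# Added example (not from the original page): a small smb.conf reader that predicts
# the values `rpcclient queryuser` reports from the [global] logon settings, applying
# the page's rule that an unset 'logon path' becomes 'logon home' + '\profile', and
# flagging an LDAP backend reached over plain ldap:// with 'ldap ssl = off'.

# Constructed fragment modelled on the page's PDC example file.
SAMPLE_SMB_CONF = r"""
[global]
    netbios name   = pdc
    logon drive    = z:
    logon home     = \\%N\%U
    logon script   = logon.bat
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap ssl       = off
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba keys are case- and whitespace-insensitive."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.replace(" ", "").lower()] = value.strip()
    return conf

def expand(value, user, server, arch):
    """Expand the %U (user), %N (server) and %a (client OS) macros the page uses."""
    return value.replace("%U", user).replace("%N", server).replace("%a", arch)

def effective_logon(conf, user, arch="WinXP"):
    """Home Drive, Dir Drive, Profile Path and Logon Script as the client receives them."""
    g = conf["global"]
    server = g.get("netbiosname", "PDC").upper()   # Samba reports NetBIOS names upper-cased
    home = expand(g.get("logonhome", ""), user, server, arch)
    if "logonpath" in g:
        profile = expand(g["logonpath"], user, server, arch)
    else:                                            # page rule: fall back to home + \profile
        profile = home + r"\profile" if home else ""
    return {"home_drive": home, "dir_drive": g.get("logondrive", ""),
            "profile_path": profile, "logon_script": g.get("logonscript", "")}

def ldap_bind_unprotected(conf):
    """True when the ldapsam backend is a plain ldap:// URL and StartTLS is turned off."""
    g = conf["global"]
    return "ldap://" in g.get("passdbbackend", "") and g.get("ldapssl", "") in ("off", "no")
```

Compare the dictionary returned for your own account with the rpcclient queryuser output shown earlier; a mismatch usually means a macro expanded differently than expected or a setting was overridden elsewhere in smb.conf.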

Change LDAP from SAMBA

Give SAMBA access to LDAP by providing the LDAP cn=manager password:

smbpasswd -w <password>

Tests

net sam list users
net sam list workstations
net sam list groups

Test the group mapping functionality

net groupmap list
Especially note the mappings for Domain Admins, Domain Users, Domain Guests and Domain Computers.