Wednesday, November 15, 2006

First Post - Ubuntu Samba PDC/ OpenLDAP

Welcome to Partis Scientia. In case you haven't figured it out, that is Latin for sharing of skill/knowledge. Let's start with a Linux post:

After almost 2 months, I finally got a Samba PDC running with an LDAP directory. I used an Ubuntu 6.06 LTS (Dapper) server. The most confusing thing about it is that you have like 4 possible superuser roles to understand:

-root on the linuxbox (/etc/passwd file)
-LDAP admin
-Samba admin (better known as Windows "Administrator")
-Samba root (same as above; discussed in a bit)

Here's what I used for resources.
The main howto that I followed was:

It basically covers it all. It made setting up the LDAP very straightforward (although there were many steps). Then I had some problems getting the Samba PDC to work, so I used one or more of the below docs to figure out what I was doing.

Here are some other docs I found helpful when I was completely lost:,_DYNDNS_and_CLAM

Snags I hit

One thing that really threw me was that the first howto claims you will have an account called "Administrator" as the domain admin. Well, the version of smbldap-tools that I was using created an account "root" as the domain admin. I later found a posting somewhere that said this is a better idea anyway:

"Please note that a side effect of Administrator with UID=0 as well as root
with UID=0 is that login name to UID and login name to SID resolution is no
longer unambiguous. This will break winbindd big time in critical situations.

The best advice is to have just 'root' with UID=0 and use 'root' as the domain
administrator account. The new privileges capability can be used to delegate
some administrative functions, such as adding machines to the domain, to
accounts other than 'root'."

-Machines don't automatically get a machine account created by Samba when you join a new workstation to the domain. You have to do it manually, period. It's not hard, but just plan on it:
smbldap-useradd -w machine_name$

-When joining a new computer to the domain, you have to log in the first time as the domain admin (on that computer) when prompted. A regular user account will come up as not found or access denied.

Things I plan on attacking next
-roaming profiles
-print serving