Samba as a Domain Controller with OpenLDAP

Samba combined with OpenLDAP can be used to allow PEAP and TTLS authentication with free tools.  This provides an alternative to Microsoft's Active Directory for institutions wishing to support PEAP natively under Windows without the use of Secure-W2.

Before getting Started

There are several things to consider before implementing OpenLDAP as the Identity Provider (IdP) for eduroam-US at your institution.  The first is that if you already have an existing directory service (AD, LDAP, etc.), interfacing Samba with that server will be more difficult than simply implementing a Domain Controller in Samba as described below.  If you happen to be using OpenLDAP as your IdP, Samba does provide tools to convert your existing LDAP schema into the format required for it to operate as a PDC.  This process should be undertaken with care and is not described within this document.

Setting up OpenLDAP

The first step in the process is to install OpenLDAP.  Depending on your underlying platform the specific steps may vary.  We recommend the following links for Ubuntu (Debian should be extremely similar) and RedHat Linux distributions.  We welcome recommendations for further reference sites covering other Linux distributions, the various BSDs, or other *NIX variants (see the references for several).

Configure Samba as a Primary Domain Controller (PDC)

We assume Samba is installed and configured but not acting as a PDC.  Add the following to your smb.conf (generally /etc/samba/smb.conf) to configure Samba as a PDC:

workgroup =
security = user
domain logons = yes
#for a secondary (backup PDC) set this to no; smb.conf only accepts comments on their own line
domain master = yes

To allow Windows machines to join the domain you also need to set up the following:

logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script  = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Setting up Shares

For Samba to act as a PDC we must also set up the [homes], [netlogon], and [profiles] shares:

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   guest ok = yes
   read only = yes
   share modes = no

[profiles]
   comment = Users profiles
   path = /srv/samba/profiles
   guest ok = no
   browseable = no
   create mask = 0600
   directory mask = 0700

Other Samba options are described in the Domain Control section of the Samba documentation.  Some that are often useful for a PDC are listed below:

#disable WINS (WINS is needed for pre-Win2k machines)
wins support        = no

#keep the UNIX passwords the same
unix password sync  = yes
#with the above, use PAM and not a passwd(1) program
pam password change = yes

#Ensure that samba will remain the master browser
local master     = yes
preferred master = yes
os level = 33

#disable printing
load printers = no
printing =

Testing your Configuration

To test your configuration, use the ntlm_auth(1) tool on the command line.  This tool acts as an intermediary between a domain controller (Samba or Active Directory) and UNIX applications.  An example command line would be:

ntlm_auth --domain=INSTITUTION --username=eduroam_tester
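Before running ntlm_auth against a live domain controller, it helps to check the smb.conf fragment itself.  The following Python script is an added example (not code from this page or from the Samba project): it parses a fragment the way Samba does, verifies the PDC directives and the three shares listed above, and flags trailing comments on a value, which smb.conf does not support.  The sample configuration is constructed from the directives on this page.

```python
# Constructed sample mirroring the page's fragment; it keeps the inline comment on
# "domain master" because smb.conf only skips whole lines starting with '#' or ';'.
SAMPLE_SMB_CONF = """\
[global]
security = user
domain logons = yes
domain master = yes #for a secondary (backup PDC) set this to no
[homes]
   valid users = %S
[netlogon]
   path = /srv/samba/netlogon
   read only = yes
[profiles]
   path = /srv/samba/profiles
"""
REQUIRED_GLOBAL = {"security": "user", "domain logons": "yes", "domain master": "yes"}
REQUIRED_SHARES = ("homes", "netlogon", "profiles")


def parse_smb_conf(text):
    """Return {section: {param: value}} as Samba reads it: text after '=' is all value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def lint_pdc_config(text):
    """List problems with the PDC settings; an empty list means all checks pass."""
    conf, problems = parse_smb_conf(text), []
    glob = conf.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        got = glob.get(key)
        if got is None:
            problems.append(f"[global] missing '{key} = {want}'")
        elif "#" in got or ";" in got:
            problems.append(f"[global] '{key}' has an inline comment; move it to its own line")
        elif got.lower() != want:
            problems.append(f"[global] '{key}' is '{got}', expected '{want}'")
    problems += [f"missing [{s}] share" for s in REQUIRED_SHARES if s not in conf]
    if conf.get("netlogon", {}).get("read only", "").lower() != "yes":
        problems.append("[netlogon] must be read only: clients run logon scripts from it")
    return problems
```

Run lint_pdc_config() on the contents of your own smb.conf; an empty list means the directives this page requires are present and parse cleanly.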