Many client applications now support LDAP (including Microsoft's Active
Directory), and there are a number of servers available. The most popular
implementation for Unix is from the University of Michigan; its
homepage is at
Information in an LDAP tree always comes in
The following is an example of a Samba user entry:
uid=jbloggs, dc=samba, dc=org objectclass=sambaAccount uid=jbloggs cn=Joe Bloggs description=Samba User uidNumber=500 gidNumber=500 rid=2000 grouprid=2001 lmPassword=46E389809F8D55BB78A48108148AD508 ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4 pwdLastSet=35C11F1B smbHome=\\samba1\jbloggs homeDrive=Z script=logon.bat profile=\\samba1\jbloggs\profile workstations=JOE
Note that the top line is a special set of attributes called a
distinguished name which identifies the location of this entry beneath
the directory's root node. Recent Internet standards suggest the use of
domain-based naming using
dc attributes (for instance, a microsoft.com
directory should have a root node of
dc=microsoft, dc=com), although
this is not strictly necessary for isolated servers.
There are a number of LDAP-related FAQ's on the internet, although generally the best source of information is the documentation for the individual servers.
Using an LDAP directory allows Samba to store user and group information more reliably and flexibly than the current combination of smbpasswd, smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges for extra user information to be stored, this can easily be added without loss of backwards compatibility.
In addition, the Samba LDAP schema is compatible with RFC2307, allowing Unix password database information to be stored in the same entries. This provides a single, consistent repository for both Unix and Windows user information.
./configure --with-ldap make clean; make install
This parameter specifies the node of the LDAP tree beneath which Samba should store its information. This parameter MUST be provided when using LDAP with Samba.
ldap suffix = "dc=mydomain, dc=org"
This parameter specifies the entity to bind to an LDAP directory as. Usually it should be safe to use the LDAP root account; for larger installations it may be preferable to restrict Samba's access.
none (bind anonymously)
ldap bind as = "uid=root, dc=mydomain, dc=org"
This parameter specifies a file containing the password with which Samba should bind to an LDAP server. For obvious security reasons this file must be set to mode 700 or less.
none (bind anonymously)
ldap passwd file = /usr/local/samba/private/ldappasswd
This parameter specifies the DNS name of the LDAP server to use when storing and retrieving information about Samba users and groups.
ldap server = localhost
This parameter specifies the TCP port number of the LDAP server.
ldap port = 389
The Samba LDAP code was designed to utilise RFC2307-compliant directory
entries if available. RFC2307 is a proposed standard for LDAP user
information which has been adopted by a number of vendors. Further
information is available at
Of particular interest is Luke Howard's nameservice switch module (nss_ldap) and PAM module (pam_ldap) implementing this standard, providing LDAP-based password databases for Unix. If you are setting up a server to provide integrated Unix/NT services than these are worth investigating.
The current implementation is not designed to be used with Microsoft Active Directory, although compatibility may be added in the future.