How to setup a Samba Primary Domain Controller on Raspberry Pi: Part 1

Ever since I did the LDAP tutorial I’ve been wanting to do a follow-up showing full integration with Samba. In this tutorial I’ll once again show you how to set up LDAP, but this time we’re aiming to create a primary domain controller with Samba so that our login information is centralized. Once you’ve got a PDC set up, you simply join any subsequent server to the domain and then share files and so on by authenticating against the Samba LDAP directory, rather than each server having to maintain its own set of users and credentials.

Coming up with the information for this tutorial actually took me a while. This is mainly because there aren’t a lot of clear-cut examples for setting up Samba with LDAP; I found some while looking, but most were dated or too messy. Now that I’ve got the steps down I think I can help people make a lot more sense of how to set it up.

LDAP Install

The first thing we want to do is install slapd, which provides the LDAP server, and ldap-utils, which is a set of tools for testing and connecting to LDAP.

sudo apt-get install slapd ldap-utils

Here put in the password you want for your LDAP administrator account.

LDAP administrator password

Re-enter it again.

Confirm administrator password

Unfortunately, since the slapd install doesn’t ask you for the domain, we have to run the setup manually to set it. We can do this with the following command.

sudo dpkg-reconfigure slapd

At the first screen select No because we want to change the configuration.

Change the LDAP configuration

Next enter the name of your domain (this can be whatever you want, it’s not a real domain that you have to own or anything).

Domain name

Type in your organization name.

Organization name

Enter the password you want for your administrator account.

Administrator password

Re-enter the password.

Confirm password

Here we’ll just select HDB for the database, as that’s what Debian recommends.

LDAP database type

When asked if we want to purge the database we’ll say No.

Purge database

Select Yes here because we need to move the old database that Debian set up during the install.

Move the old database

And here we can say No because LDAPv2 is obsolete.

Disable LDAPv2

Now that we’ve got LDAP running at a basic level, we’ll go ahead and set up our web interface for managing it. In my previous LDAP tutorial I used phpLDAPAdmin as the administration tool. However, since then I’ve found another web-based tool in the Debian repositories that’s much friendlier and runs a lot faster on the Raspberry Pi’s limited hardware: LDAP Account Manager (LAM). I’d recommend this tool for any LDAP server you set up, even if you aren’t using Samba. I found that the current version of phpLDAPAdmin in Debian has a bug where you can’t add Samba group mappings. There’s a hack to work around it (or you can install the latest version), but I really want to stay within the scope of the Debian repositories. So let’s get PHP, Nginx, and LDAP Account Manager installed.

sudo apt-get install php5-fpm php5 php5-ldap php-apc php5-gd php-fpdf ldap-account-manager nginx

First, we’re going to disable the default Nginx virtual host configuration.

sudo unlink /etc/nginx/sites-enabled/default

Next, create a new file at /etc/nginx/sites-available/ldap-account-manager and put the following in it.

server {

        root /usr/share/ldap-account-manager;
        index index.php index.html index.htm;

        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                # Older Debian fastcgi_params files do not set this; without it PHP-FPM is never told which script to run
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

And after we’ve done that we just need to enable our new virtual host configuration and restart Nginx.

sudo ln -s /etc/nginx/sites-available/ldap-account-manager /etc/nginx/sites-enabled/ldap-account-manager
sudo service nginx restart

Now point your browser to the server’s IP and you should be presented with the login screen for LAM.

LAM login screen

Before we can do anything we need to go to LAM Configuration and then to Edit Server Profiles. Enter lam as the password (LAM’s default) and you should wind up at the following page.

LAM server profile

Here we need to change the Tree Suffix to dc=ducky-pond,dc=lan. Then, in the List of Valid Users, erase what’s there and put in cn=admin,dc=ducky-pond,dc=lan. This is the user we set the password for during the LDAP installation, and it will be used when we log in to the LAM interface.

Now, on the Account Types page, we need to change the LDAP Suffix for Users, Hosts, Groups, and Samba domains. These are the OUs where LAM will look for these objects; later they will be created and populated by Samba. Their respective values should be as follows.

  • Users: ou=Users,dc=ducky-pond,dc=lan
  • Groups: ou=Groups,dc=ducky-pond,dc=lan
  • Hosts: ou=Computers,dc=ducky-pond,dc=lan
  • Samba domains: dc=ducky-pond,dc=lan

After that’s done go ahead and hit Save. At this point you can go back to the login page and log in to LAM using the LDAP admin password. The screen should look like the following, but at this point we don’t need to do anything with it.

LAM user management

LDAP Authentication Setup

For the PDC to actually authenticate against the domain we need to install LDAP authentication, since we can’t join it to the domain it serves. This is vital if you want to host file shares on the PDC or have domain users log in to the PDC.

The process of setting up a client for LDAP authentication used to be more manual; thankfully it’s a lot easier to do now. We’ll need to run the command below to install the two packages that will get things going.

sudo apt-get install libpam-ldapd libnss-ldapd

At the first screen we need to enter the LDAP server address (the port is optional). Since I’m doing this on the LDAP server itself, I’m using the localhost address.

LDAP server address

Tell it the base DN where it needs to search for users and groups.

DN for users and groups

Here we need to tell the system what we should use LDAP for; it’s safe to go ahead and select everything for now.

NSS groups
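Several commenters below hit bind failures (LDAP result 49) or a missing base DN (result 32) at exactly this point, so here is an added post-install check script that is not part of the original post. It derives the base DN and the four LAM suffixes from the post’s domain ducky-pond.lan (override with LDAP_DOMAIN), reads the suffix slapd actually has in cn=config, tests the cn=admin bind, and lists the users nslcd serves; the variable names and the --live flag are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the slapd + LAM + nslcd
# setup described above. Assumes the post's domain ducky-pond.lan and cn=admin account;
# override with LDAP_DOMAIN / LDAP_URI. Run with --live on the Pi to perform the checks.
LDAP_DOMAIN=${LDAP_DOMAIN:-ducky-pond.lan}
LDAP_URI=${LDAP_URI:-ldap://127.0.0.1}

# Turn a DNS-style domain into the LDAP base DN: ducky-pond.lan -> dc=ducky-pond,dc=lan
domain_to_base_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# The suffixes LAM's Account Types page expects for a given domain
# (Hosts live under ou=Computers, which Samba creates in part two).
lam_suffix() {
    base=$(domain_to_base_dn "$2")
    case $1 in
        users)  printf 'ou=Users,%s\n' "$base" ;;
        groups) printf 'ou=Groups,%s\n' "$base" ;;
        hosts)  printf 'ou=Computers,%s\n' "$base" ;;
        samba)  printf '%s\n' "$base" ;;
        *)      return 1 ;;
    esac
}

# Live checks against a running slapd. ldapwhoami exit 49 means invalid credentials;
# 32 means the base DN does not exist, i.e. dpkg-reconfigure never applied the suffix.
run_live_checks() {
    base=$(domain_to_base_dn "$LDAP_DOMAIN")
    admin="cn=admin,$base"
    echo "Suffix(es) slapd actually has in cn=config (needs root):"
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=*)' olcSuffix
    echo "Binding as $admin (password prompted by -W so it never appears in ps):"
    ldapwhoami -x -H "$LDAP_URI" -D "$admin" -W
    rc=$?
    if [ "$rc" -eq 0 ]; then echo "admin bind OK"; else echo "admin bind FAILED (exit $rc)"; fi
    # libnss-ldapd/nslcd wired in: only entries coming from the ldap NSS service are listed.
    echo "Users served by nslcd:"
    getent -s ldap passwd | cut -d: -f1 | sed 's/^/  /'
}

if [ "${1-}" = "--live" ]; then
    run_live_checks
fi
```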

This concludes the first part of the setup. In part two we’ll update the LDAP schema for Samba and then proceed to installing and configuring Samba.

  • Ian Oliver

    OK, I’m stumped. I can get as far as entering the admin account ( cn=admin,dc=xxx,dc=yyy ) into the server configuration of the lam, update the ldap suffixes etc. Going back to the login page and trying to login with admin and the chosen ldap admin password (from the earlier dpkg-reconfigure slapd) does not work. The error is “Wrong password/user name combination. Please try again.”

    I’ve reinstalled, reconfigured, etc. etc… same every time… any ideas?

    • Sepp

      I have got the same problem, have you found a solution?

    • George Martinez

      I ran into this issue as well after successfully running it all in a VM. I think the issue was that the keyboard layout was defaulted to UK. I’m in the US and used a special character in the original setup. On a UK keyboard this character is not in the same place, since the password was starred out it wasn’t apparent. Changing the keyboard layout on original install seems to fix it. (Though I also removed it entirely on the second install)

  • pawel

    What is missing in the article is that to change the LAM config one has to go to:
    and log in as lam/lam

    • pawel

      Never mind – the link was in the top-right corner.

  • Ron Morgan

    I’m getting a 502 Bad Gateway at:

    Now point your browser to the server’s IP and you should be presented with the login screen for LAM.

    I have never used nginx.

    • Ben Hanna

      That sounds like you have an issue with your Nginx configuration for PHP.

      • Ron Morgan

        Took me a while as I have no experience with nginx, but all I had to do was change the ldap-account-manager server to

        server {

        root /usr/share/ldap-account-manager;

        index index.php index.html index.htm;

        location ~ \.php$ {

        fastcgi_index index.php;

        include fastcgi_params;

        }

        }


        • Colin Bitterfield

          I had to add this:
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

          server {

          root /usr/share/ldap-account-manager;
          index index.php index.html index.htm;

          location ~ \.php$ {
          fastcgi_pass unix:/var/run/php5-fpm.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
          }
          }


  • j_kubik

    You have forgotten to mention tcp_wrappers – in order to access ldap you need to add matching slapd: ALL (or to taste 😉 line to hosts.allow file.

    • Ben Hanna

      Hmm, working from a clean install of Raspbian I didn’t have to do that.

  • Ian Oliver

    Starting with a clean, latest installation of Raspbian and then following the instructions above to the letter, the admin password as entered during the reconfiguration does not resolve. LAM reports “Wrong password/user name combination. Please try again.” and from the command line I get either an invalid object (32) or a failed to bind (49) error from ldap itself.

    Most of the instructions elsewhere talk about modifying slapd.conf, but OpenLDAP, it appears, has changed to a different format (the cn=config directory structure). The suggestions about changing the keyboard layout and modifying the LAM settings to correct a browser bug don’t work either.

    I have also noticed that the reconfigure doesn’t seem to update the various config files correctly. At least the organisation name, incorrectly spelt on the first configuration, does not change.

  • Ian Oliver

    This works…there is a bug in Debian that when the reconfigure takes place, if there are any previous backups in /var/backups then the whole reconfigure will fail:

    rm -r /var/backups/unknown* <- there might be a few directories of this name which contain ldap backups, check!!!
    dpkg-reconfigure slapd

    (both lines above as root/sudo and check what you're deleting before issuing rm, especially as root!!!)

  • Brad

    When I try to log in with the ‘admin’ account I get:

    LDAP error, server says:

    (2) Protocol error

    Any ideas?
