How to setup a Samba Primary Domain Controller on Raspberry Pi: Part 2

In the second part of setting up a Samba PDC using LDAP we’ll update the LDAP schema to allow for Samba objects, then we’ll install and configure Samba. After that’s all done we’ll have a working Samba domain controller.

Updating the LDAP schema

In order for LDAP to function with Samba we have to include a schema in the configuration so it knows how the objects are defined. For this we’re going to get samba, samba-common-bin, and smbldap-tools installed and out of the way.

sudo apt-get install samba samba-common-bin smbldap-tools

After that’s done we need to copy the Samba schema from the examples folder into the LDAP configuration folder.

sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gunzip /etc/ldap/schema/samba.schema.gz

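With that in place we now need to create a file that slaptest will use to generate the configuration that slapd needs. Create a new file named samba.conf (a separate file, not /etc/samba/smb.conf) and put the following into it. Its location isn’t important, as long as you run the commands in the next step from the directory that contains it.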

include          /etc/ldap/schema/core.schema
include          /etc/ldap/schema/cosine.schema
include          /etc/ldap/schema/nis.schema
include          /etc/ldap/schema/inetorgperson.schema
include          /etc/ldap/schema/samba.schema

With that file we’re going to run the following commands which will generate the appropriate file and then we’ll move it into place and restart slapd.

mkdir /tmp/slapd.d
slaptest -f samba.conf -F /tmp/slapd.d/
cd /tmp/slapd.d/cn\=config/cn\=schema/
sudo cp cn\=\{4\}samba.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
sudo chown openldap:openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}samba.ldif
sudo service slapd restart

As long as you didn’t encounter any errors along the way LDAP should now be configured for handling Samba objects.
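The conversion steps above, with a check that the input really is the five-line include file before slaptest runs and that the expected LDIF came out. This is an added example, not part of the original tutorial, and the function names are hypothetical:

```shell
# Added example; the function names are hypothetical helpers.

# Write the tutorial's five include lines to DIR/samba.conf. This is a new
# file for slaptest and has nothing to do with /etc/samba/smb.conf.
write_schema_conf() {
    for s in core cosine nis inetorgperson samba; do
        printf 'include          /etc/ldap/schema/%s.schema\n' "$s"
    done > "$1/samba.conf"
}

# Succeed only if FILE holds nothing but "include /path/x.schema" lines with
# samba.schema as the fifth include, so slaptest emits cn={4}samba.ldif.
check_schema_conf() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    # Any other line (such as the contents of smb.conf) makes slaptest stop
    # with "unknown directive".
    bad=$(grep -Evn '^[[:space:]]*(#.*)?$|^include[[:space:]]+/[^[:space:]]+\.schema[[:space:]]*$' "$1" | head -n 1)
    if [ -n "$bad" ]; then
        echo "$1: not a schema include list (line $bad)" >&2
        return 1
    fi
    fifth=$(grep -E '^include[[:space:]]' "$1" | sed -n '5p')
    case $fifth in
        */samba.schema*) return 0 ;;
        *) echo "$1: samba.schema must be the fifth include" >&2; return 1 ;;
    esac
}

# Convert CONF into OUTDIR and print the path of the generated Samba LDIF.
convert_schema() {
    check_schema_conf "$1" || return 1
    mkdir -p "$2" || return 1
    slaptest -f "$1" -F "$2" || echo "slaptest reported errors" >&2
    ldif="$2/cn=config/cn=schema/cn={4}samba.ldif"
    [ -s "$ldif" ] || { echo "slaptest did not produce $ldif" >&2; return 1; }
    printf '%s\n' "$ldif"
}

# On the Pi, from any working directory:
#   d=$(mktemp -d) && write_schema_conf "$d" && convert_schema "$d/samba.conf" /tmp/slapd.d
```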

Samba Installation and Configuration

Technically at this point we’ve got Samba installed but we still need to get it configured for LDAP. Thankfully smbldap-tools provides files to make this process relatively simple. In the following commands we’re going to move the default Samba configuration and copy over a template for setting up a PDC with LDAP.

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf

Now with a text editor we need to open /etc/samba/smb.conf and make some changes. Only the following settings in this file need to be modified.

workgroup = DUCKY-PONDLAN
passdb backend = ldapsam:"ldap://localhost/"
ldap ssl = off
ldap admin dn = cn=admin,dc=ducky-pond,dc=lan
ldap suffix = dc=ducky-pond,dc=lan

Once that’s done we need to restart Samba and then run smbpasswd with the -W switch. This is where you give Samba the password for your LDAP admin user, which allows Samba to bind to the LDAP server. After it’s got the password we restart Samba one more time. At this point Samba will connect to LDAP and create an object in LDAP representing your domain.

sudo service samba restart
sudo smbpasswd -W
sudo service samba restart
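An added example (not from the original tutorial) that reads the [global] settings edited above and reports whether the LDAP admin bind stays on the loopback interface, is protected by TLS, or would cross the network in cleartext if the URI were later pointed at another host. smbconf_get and ldap_bind_exposure are hypothetical helper names, and the sample file at the end is constructed:

```shell
# Added example; smbconf_get and ldap_bind_exposure are hypothetical helpers.

# Print the value of KEY in the [global] section of FILE. Parameter names in
# smb.conf ignore case and whitespace, so both sides are normalised.
smbconf_get() {
    awk -v key="$2" '
        BEGIN { want = tolower(key); gsub(/[ \t]+/, "", want) }
        /^[ \t]*([#;]|$)/ { next }
        /^[ \t]*\[/ { sect = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", sect); next }
        sect == "global" && (i = index($0, "=")) > 0 {
            k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]+/, "", k)
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# Classify how the LDAP admin bind travels. Prints one of:
#   no-ldap-uri | encrypted | loopback | cleartext
ldap_bind_exposure() {
    backend=$(smbconf_get "$1" "passdb backend")
    # smb.conf(5): "ldap ssl" defaults to "start tls" when it is not set.
    ssl=$(smbconf_get "$1" "ldap ssl" | tr 'A-Z_' 'a-z ')
    case $backend in ldapsam:*) ;; *) echo no-ldap-uri; return 0 ;; esac
    worst=encrypted
    # ldapsam accepts several space-separated URIs inside the quotes.
    for uri in $(printf '%s' "${backend#ldapsam:}" | tr -d '"'); do
        case $uri in ldaps://*) continue ;; esac
        if [ "${ssl:-start tls}" = "start tls" ]; then continue; fi
        host=${uri#*://}; host=${host%%[:/]*}
        case $host in
            localhost|127.0.0.1) if [ "$worst" = encrypted ]; then worst=loopback; fi ;;
            *) worst=cleartext ;;
        esac
    done
    echo "$worst"
}

# Constructed sample mirroring the tutorial's settings.
sample=$(mktemp)
printf '[global]\npassdb backend = ldapsam:"ldap://localhost/"\nldap ssl = off\n' > "$sample"
echo "tutorial settings: $(ldap_bind_exposure "$sample")"
rm -f "$sample"
```

Run it as ldap_bind_exposure /etc/samba/smb.conf after any change to passdb backend or ldap ssl.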

And then if I login to LAM and look at the Samba domains I should see the entry for my domain as below.


We’re almost there, all that’s left is to populate LDAP with the standard groups and a couple users. First we need to copy a couple of template configuration files in to place.

sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
sudo gunzip /etc/smbldap-tools/smbldap.conf.gz

Now let’s open /etc/smbldap-tools/smbldap_bind.conf in a text editor and modify the following values. Here slavePw and masterPw are whatever you previously set your LDAP admin password to.


Next we need to open /etc/smbldap-tools/smbldap.conf and modify the following values. For the SID you need to run the command sudo net getlocalsid prior to this and copy that value into that field.


With those changes everything should be set, so let’s run the command to populate the Samba objects. During the process it will ask you to provide a password for the domain root user. This is the default domain administrator account so I would suggest giving this a complex password. This is generally the account you’ll use when you join a computer to the domain.

sudo smbldap-populate

You should see the following error pop-up during this process, it’s nothing to worry about. Just continue typing the password and it will proceed without any issues.


After that’s done, everything should now be set and you should have a functioning Samba PDC with LDAP. If we log back into LAM you should see the root and nobody users as well as the standard domain groups.



At this point the tutorial is technically done and you can now join machines to the domain and authenticate users against it using the DUCKY-PONDLAN\ prefix like DUCKY-PONDLAN\user. However, in the next section I’ll briefly describe how to create a basic user and setup a file share.

Creating a user and sharing a folder

To create a user on our PDC we need to login to LAM and on the Users tab click New User. First fill out information on the Personal tab, then proceed to the Unix tab. There isn’t much you really need to configure here but let’s go ahead and set the Primary Group to Domain Users. After that click the Samba 3 tab and hit Add Samba 3 extension. Everything should be set here by default, the Windows Group should be set to Domain Users. Now finally, click Set Password and enter a password for the account. Once that’s done hit the Save button and the user will be created.

Now in the /home/pi directory let’s create a directory that the user will be able to access and a test file.

sudo mkdir /home/pi/share
sudo chown user:"Domain Users" /home/pi/share
sudo sh -c 'echo "Hello World" > /home/pi/share/hello.txt'

Then let’s open /etc/samba/smb.conf and add the following lines to the end. This will setup the share.

[share]
        path = /home/pi/share
        browseable = yes
        valid users = user

Lastly, restart Samba by doing sudo service samba restart. After that you should be able to navigate to \\PDC-SRV\share and then enter DUCKY-PONDLAN\user with the password and you should be able to see the hello.txt file we created.

That’s the basics of sharing a folder to a user. If you want to share with a group instead of a user then in valid users just prefix the name of the group you want with a @.


  • sam

    Hi Guys,
    I have a problem with this step, not sure if I have missed anything… I was following all the steps carefully. I got stuck when I have to look for samba.conf, I was not able to find this file… I see there is file smb.conf instead /etc/samba/smb.conf so I have copied the following (step-3) in there.

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema

    Now after this step I am stuck on the next step….

    mkdir /tmp/slapd.d
    slaptest -f samba.conf -F /tmp/slapd.d/
    cd /tmp/slapd.d/cn=config/cn=schema/
    sudo cp cn={4}samba.ldif /etc/ldap/slapd.d/cn=config/cn=schema/
    sudo chown openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema/cn={4}samba.ldif
    sudo service slapd restart

    After I make directory /tmp/slap.d

    slaptest -f samba.conf -F /tmp/slapd.d/ —> this step is not working.

    root@samdc1:/tmp# slaptest -f samba.conf -F /tmp/slapd.d/
    55e8f8cd could not stat config file “samba.conf”: No such file or directory (2)
    slaptest: bad configuration directory!
    root@samdc1:/tmp# cd /etc/samba/
    root@samdc1:/etc/samba# slaptest -f samba.conf -F /tmp/slapd.d/
    55e8f8ff could not stat config file “samba.conf”: No such file or directory (2)
    slaptest: bad configuration directory!
    root@samdc1:/etc/samba# slaptest -f smb.conf -F /tmp/slapd.d/
    55e8f90c smb.conf: line 33: unknown directive outside backend info and database definitions.
    slaptest: bad configuration directory!

    I am not able to figure out why this step is not working… Can you please help.

    best regards,


    • Conor Walshe

      Any luck with this? This fails on the “unknown directive ” for me too.

      • Andrew Lowery

        He means make a file called samba.conf and append these lines

        include /etc/ldap/schema/core.schema
        include /etc/ldap/schema/cosine.schema
        include /etc/ldap/schema/nis.schema
        include /etc/ldap/schema/inetorgperson.schema
        include /etc/ldap/schema/samba.schema

        not change the smb.conf file……. Badly worded!!!!

  • sam

    Anyone would like to help me, please!!!
    I just want to see this Samba DC working

    • sam

      Able to figure out my previous problem….. now new problem 🙂
      Not able to join the domain, username/password failing…. root/my password
      any idea why?

  • Sander van der Straaten

    Everything worked out great until I try to add a Windows 10 Pro PC to the domain for a created user. I try to add the PC to the domain by entering domain name, username and password and then I receive the error message domain cannot be found.
    Can someone help me adding the PC to the domain?

  • Morphius

    chown: invalid user: `manoahj:Domain Users’

    I’ve made the account with the LDAP Account Manager set the password and added the group “Domain Users” and saved it.

    I got a success response

    But when i do

    sudo chown manoahj:"Domain Users" /home/pi/share/mjurcka


    chown: invalid user: `manoahj:Domain Users’

    online i find many people with the same problem, but no solution

    please please tell me what is going wrong

  • James Graham

    Open the smbldap_bind.conf


    slavePw="Put the actual password in here"


    masterPw=" Put the actual password in here"

  • Don Gill

    OK, here’s where I am stuck. When I attempt to log on to the newly created domain using a created username and password, it gives me a Bad Username/Password error for every account I create. However, I CAN log on as root with my password- it just creates a temp profile on the windows computer.

    In LDAP Account Manager, the user I am creating appears to be sound.

    I am open to suggestions- I would really like to get this working.

  • Arshad Farooqui

    Excellent tutorial. All done. But, When I try to connect a windows 10 pro machine to the domain, the machine is unable to find the domain. My DNS is configured to the WIFI router. How do I force windows to treat the AD controller Rasp-pi ipaddress as the domain controller?