passdb backend = ldapsam:ldap://127.0.0.1/
# Specifies the base for all LDAP suffixes and for storing the sambaDomain object
ldap suffix = dc=examples,dc=com
ldap ssl = off
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap delete dn = no
ldap admin dn = cn=manager,dc=examples,dc=com
# You will need to give Samba the password for this DN by running
# 'smbpasswd -w mypassword' (it is stored in secrets.tdb, not in smb.conf)
Then run testparm to make sure the smb.conf file is valid. New Samba users can be added to the LDAP directory by running "pdbedit -a -u username", provided username already exists as a system account (e.g. in /etc/passwd); otherwise run "useradd username" first.
At the LDAP server, pdbedit creates an entry sambaDomainName=XXX,dc=examples,dc=com. Note that XXX must be the NetBIOS name of the Samba server. The entry has a required attribute sambaSID=S-YYY. The Samba user entry created by pdbedit has the following attributes:
sambaAcctFlags: [U ]
Note that the sambaPwdLastSet attribute is required for the Windows client to authenticate properly. Otherwise net use would report the following error:
System error 1907 has occurred.
The user's password must be changed before logging on the first time.
If the pwdInHistory attribute of the password policy under cn=default,ou=password policies is set and a user tries, from Windows, to change his password to one stored in the history, he will receive an error message like the following:
Your password must be at least x characters; cannot repeat any of your previous x passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name. Please type a different password. Type a password which meets these requirements in both text boxes.
The required attributes can be easily added to all the user account entries with the Perl module Net::LDAP.
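One way to do this, as an added example that is not part of the original page: the script below binds with the admin DN from the smb.conf above and adds sambaPwdLastSet to every sambaSamAccount under the user suffix that does not yet have it, leaving entries that already carry the attribute untouched. The environment variable name LDAP_ADMIN_PW and the --dry-run flag are assumptions of this example, not anything the page or Samba defines.

```perl
#!/usr/bin/perl
# Added example (not from the original page): set sambaPwdLastSet on every
# sambaSamAccount under the user suffix that lacks it, using Net::LDAP.
# Assumptions: the suffixes and admin DN from the smb.conf above; the bind
# password is read from LDAP_ADMIN_PW (a hypothetical variable name chosen so
# the password does not appear on the command line or in shell history).
use strict;
use warnings;
use Net::LDAP;

my $uri      = 'ldap://127.0.0.1/';
my $base     = 'ou=People,dc=examples,dc=com';
my $admin_dn = 'cn=manager,dc=examples,dc=com';
my $password = $ENV{LDAP_ADMIN_PW} // die "set LDAP_ADMIN_PW to the admin dn password\n";
my $dry_run  = grep { $_ eq '--dry-run' } @ARGV;

my $ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@";
my $mesg = $ldap->bind($admin_dn, password => $password);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Only Samba accounts that lack the attribute are selected, so re-running the
# script is harmless and existing timestamps are never overwritten.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))',
    attrs  => ['uid'],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

my $now = time();   # sambaPwdLastSet is seconds since the Unix epoch
my ($fixed, $failed) = (0, 0);
foreach my $entry ($mesg->entries) {
    my $dn = $entry->dn;
    if ($dry_run) {
        print "would set sambaPwdLastSet=$now on $dn\n";
        next;
    }
    # 'add' rather than 'replace': the filter guarantees the attribute is
    # absent, and 'add' fails loudly if something else set it meanwhile.
    my $res = $ldap->modify($dn, add => { sambaPwdLastSet => $now });
    if ($res->code) {
        warn "$dn: " . $res->error . "\n";
        $failed++;
    } else {
        $fixed++;
    }
}
$ldap->unbind;
print "updated $fixed entries, $failed failures\n" unless $dry_run;
```

Run it once with --dry-run to see which DNs would change before writing anything. Because the smb.conf above uses ldap ssl = off against 127.0.0.1, the bind goes in the clear over the loopback interface; if the directory lives on another host, call $ldap->start_tls before the bind so the admin password is not sent unencrypted.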