Ubuntu - LDAP - Samba

Configuring a Samba PDC backed by LDAP (some minor options omitted):

smb.conf
# Samba [global] section for a domain controller whose accounts live in LDAP
# (ldapsam passdb). Lines starting with ';' or '#' are ignored by Samba.
[global]
   workgroup = EXAMPLE
 
   # User-level authentication with hashed (NT/LM-style) passwords.
   security = user
   encrypt passwords = yes
 
   # Apply PAM account/session restrictions. With encrypted passwords PAM is
   # not used for the authentication step itself.
   obey pam restrictions = yes
 
   # Browser-election and logon settings that make this host the domain
   # master browser and the logon server for the workgroup.
   local master = yes
   os level = 33
   domain master = yes 
   preferred master = yes
   domain logons = yes
 
   # Account database in LDAP. Two URIs are listed: the local ldapi:// socket
   # and ldaps://ldap2.example.com as a second server.
   # NOTE(review): for the ldaps:// leg, server-certificate checking is
   # presumably governed by the system LDAP client configuration rather than
   # this file; confirm it is not disabled there.
   passdb backend = ldapsam:"ldapi:// ldaps://ldap2.example.com"
   # NOTE(review): 'idmap backend' is deprecated in later Samba releases in
   # favour of 'idmap config'; confirm this parameter and the 'ldapsam:' value
   # against smb.conf(5) for the installed version.
   idmap backend = ldapsam:"ldapi:// ldaps://ldap2.example.com"
   # DN Samba binds as. Its password is not stored in this file; it is set
   # with 'smbpasswd -w' and kept in secrets.tdb. Use a dedicated account (as
   # here) whose directory ACLs cover only what Samba must read and write.
   ldap admin dn = uid=samba,ou=System,dc=example,dc=com
   # The suffixes below are relative to 'ldap suffix'.
   ldap suffix = dc=example,dc=com
   ldap machine suffix = ou=Hosts
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap idmap suffix = ou=Idmap
 
   # 'only': on a password change Samba updates just the LDAP password and
   # leaves the other hashes to the directory server.
   # NOTE(review): verify the directory server is set up to keep the Samba
   # password attributes in step.
   ldap passwd sync = only
   # Deleting an account removes the whole LDAP entry, not only the
   # Samba-specific attributes.
   ldap delete dn = yes
 
;   ldapsam:trusted = yes
;   ldapsam:editposix = yes
 
   # Account-management hooks. smbd runs these commands with %u / %g replaced
   # by the user or group name, so keep every substitution inside single
   # quotes and keep the scripts themselves writable by root only.
   # NOTE(review), before re-enabling the disabled lines below:
   #   - the second command of 'add group script' uses %g without quotes;
   #   - 'delete group script' calls smbldap-userdel with a group name.
;   add user script = /usr/sbin/smbldap-useradd '%u'
   delete user script = /usr/sbin/smbldap-userdel '%u'
;   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
;   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
;   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
;   add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
;   delete group script = /usr/sbin/smbldap-userdel '%g'
   # Creates the account for a machine joining the domain: group Machines,
   # home /dev/null and shell /bin/false, so the account cannot log in.
   add machine script = /usr/sbin/smbldap-useradd -W -d /dev/null -g Machines -c 'Machine Account' -s /bin/false '%u'
   # for renaming machines
#   rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'

Selected options from /etc/smbldap-tools/smbldap.conf

/etc/smbldap-tools/smbldap.conf
# Settings read by the smbldap-tools scripts.

# Both the read (slave) and write (master) LDAP servers are the local host on
# port 389. ldapTLS="0" means no StartTLS and verify="none" means no server
# certificate check, so binds and password changes travel in clear text.
# That is contained only while both hosts stay on loopback; if either one is
# pointed at a remote server, set ldapTLS="1" and verify="require".
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="none"
 
# Containers in which the tools create and look up entries.
# NOTE(review): these names (ou=Users, ou=Machines, ou=Groups) differ from the
# suffixes in the smb.conf listing on this page (ou=People, ou=Hosts,
# ou=Group); confirm which set matches the directory and align the two files.
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Machines,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
# ${sambaDomain} is not defined in this excerpt; it has to be set elsewhere in
# the file.
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
 
# Search the whole subtree below each DN.
scope="sub"
# Hash scheme for the Unix password attribute: salted SHA (SSHA).
hash_encrypt="SSHA"
# NOTE(review): presumably only consulted when hash_encrypt is CRYPT; confirm
# against the smbldap-tools documentation.
crypt_salt_format="%s"