This document describes my work on setting up a Samba domain with LDAP on Debian Etch. The installation starts from a fresh Debian install with only the standard system.
This OpenLDAP install is much more a test installation than a definitive one. I started with the idea that I should have a Samba domain, with some web applications using credentials from the domain to log in. I also wanted an address book for every user of the domain.
Later I plan to integrate a DNS based on my LDAP, and why not DHCP, a RADIUS server and even Checkpoint VPN on this LDAP. But first, let's get the Samba domain working.
We begin our setup by installing slapd and making sure that LDAP is not running :
tchetch@debian:~# aptitude install slapd
...
tchetch@debian:~# /etc/init.d/slapd stop
Then you'll get some questions to answer :
The configuration of slapd happens in the file /etc/ldap/slapd.conf.
You'll need the Samba schema for LDAP; it is shipped in the samba-doc package :
tchetch@debian:~# aptitude install samba-doc
I won't go into details on “How should you structure your LDAP directory”; this document is purely technical, but before starting you should decide how your LDAP tree will look.
For this case, I decided that my LDAP tree looks like this :
                         o=iro
                           |
   +-----------+-----------+--------------+--------------+
   |           |           |              |              |
ou=Users   ou=Groups   ou=Machines   ou=Contacts   ou=Applications
This did not come out of the sky, so I'll explain why : I want a Samba domain. If you look at the Samba documentation, you'll see that you need to specify an OU for users, groups and machines. Here are our first three OUs.
Then I wanted an address book for all my users. This address book aims to provide the names of people outside the organization that everyone may need to contact, so I have my OU Contacts. This address book is writable by every user of my Samba domain.
Finally I have some web applications that interact with the LDAP tree, with read-only or read-write access. Those applications have a user account in LDAP only, so here is my OU Applications.
First we need to copy the Samba LDAP schema into /etc/ldap/schema/ :
tchetch@debian:~# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
The configuration is in /etc/ldap/slapd.conf. Before opening this file we just need to generate a password for the LDAP admin :
tchetch@debian:~# slappasswd
New password: <secret phrase>
Re-enter new password: <secret phrase>
{SSHA}r7biKnm7opoxiarJaE2sMZvFJaRDA0nr
We open the file /etc/ldap/slapd.conf and start to modify our directory. You should find a set of directives like this :
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb
# The base of your directory in database #1
suffix          "dc=iro"
So edit the suffix and set it to the root entry of your LDAP, for me :
# The base of your directory in database #1
suffix          "o=iro"
After that you should find something similar to :
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn          "cn=admin,dc=iro"
# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"
This is where we set the LDAP admin :
rootdn "cn=admin,o=iro"
rootpw {SSHA}r7biKnm7opoxiarJaE2sMZvFJaRDA0nr
And I'd like to store my DB files into /srv/ldap/db :
directory "/srv/ldap/db"
Then change the ACL set, which is shipped like this :
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=iro" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=iro" write
by * read
so that it matches your rootdn :
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,o=iro" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,o=iro" write
by * read
You can now add the Samba schema. Near the beginning of the file you have the following :
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
Just add the line include /etc/ldap/schema/samba.schema.
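The attribute-level ACL above restricts only userPassword and shadowLastChange, but once samba.schema is loaded the user entries also carry sambaLMPassword and sambaNTPassword, and the catch-all `access to * ... by * read` would let any reader fetch those hashes. The following check script is added here (it is not from the original page): it reads a slapd.conf and lists the password-hash attributes that no `access to attrs=` line covers; the sample configuration it runs over is constructed from the ACL block above.

```shell
#!/bin/sh
# Added check script (not from the original page).  With samba.schema loaded,
# entries also carry sambaLMPassword and sambaNTPassword; if those attributes
# are not named in an "access to attrs=..." ACL, the later catch-all
# "access to * ... by * read" lets any reader fetch the hashes.

# Attributes that must be covered by an attribute-level ACL (our list).
HASH_ATTRS="userPassword sambaLMPassword sambaNTPassword"

# Read a slapd.conf on stdin and print, space separated, the attributes from
# HASH_ATTRS that no "access to attrs=" (or "attr=") line mentions.
# Prints an empty line when everything is covered.
missing_hash_acls() {
    # Drop comment lines, keep the attribute list of every "access to attrs="
    # directive, split it on commas and lower-case it for comparison.
    covered=$(grep -v '^[[:space:]]*#' \
        | sed -n 's/^[[:space:]]*access[[:space:]]*to[[:space:]]*attrs*=\([^[:space:]]*\).*/\1/p' \
        | tr ',' '\n' | tr 'A-Z' 'a-z')
    missing=""
    for attr in $HASH_ATTRS; do
        lower=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$covered" | grep -qxF -- "$lower"; then
            missing="$missing $attr"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the ACL block from this page, as left after the edit.
PAGE_ACL='access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,o=iro" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,o=iro" write
        by * read'

# The same block with the Samba hash attributes added to the restrictive ACL.
FIXED_ACL=$(printf '%s\n' "$PAGE_ACL" \
    | sed 's/attrs=userPassword,shadowLastChange/attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange/')

check_page_acl()  { printf '%s\n' "$PAGE_ACL"  | missing_hash_acls; }
check_fixed_acl() { printf '%s\n' "$FIXED_ACL" | missing_hash_acls; }

# Real use: missing_hash_acls < /etc/ldap/slapd.conf
if [ $# -gt 0 ]; then
    missing_hash_acls < "$1"
fi
```

Run it as `sh check_acl.sh /etc/ldap/slapd.conf`; an empty line means every hash attribute is named in an attribute-level ACL.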
Your LDAP server is now ready to be populated. Before populating it, you need to prepare your structure.
The LDAP structure has already been described above, so we go straight to creating the LDIF that initialises the tree. In this file we add cn=admin,o=iro and all the OUs previously defined :
# Organization, Root
dn: o=iro
objectclass: organization
o: iro
l: Sion
st: Valais
postalcode: 1950
postofficebox: 4168
street: Avenue de Grand-Champsec 64
facsimiletelephonenumber: +41272057901
telephonenumber: +41272057900
description: Institut de Recherche en Opthalmologie

# Admin
dn: cn=admin,o=iro
objectclass: person
cn: admin
sn: LDAP Administrator
userPassword: {SSHA}r7biKnm7opoxiarJaE2sMZvFJaRDA0nr

# OUs
dn: ou=Applications,o=iro
objectclass: organizationalunit
ou: Applications

dn: ou=Contacts,o=iro
objectclass: organizationalunit
ou: Contacts

dn: ou=Groups,o=iro
objectclass: organizationalunit
ou: Groups

dn: ou=Machines,o=iro
objectclass: organizationalunit
ou: Machines

dn: ou=Users,o=iro
objectclass: organizationalunit
ou: Users
We now create our database directory, if it's not already done, then fill our database from the file and finally start our LDAP server :
tchetch@debian:~# mkdir /srv/ldap
tchetch@debian:~# mkdir /srv/ldap/db
tchetch@debian:~# slapadd -l init.ldif # Init ldap database
tchetch@debian:~# /etc/init.d/slapd start
When reading the documentation I found the module smbk5pwd. This module makes password changes better : LDAP has a method defined to change a password, but this method doesn't cover the Samba password. smbk5pwd changes this behaviour by making the LDAP method able to change the Samba password too, see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2586078 (near the end).
The problem is that this module is not available under Debian, but we really, really want it. So we compile it. First we need some Debian packages :
Then we need the OpenLDAP source. We use the same version as the one provided by Debian (at the time of writing it's 2.3.30) :
tchetch@debian:/tmp/# wget ftp://openldap.org/pub/OpenLDAP/openldap-release/openldap-2.3.30.tgz
In order to compile the module, we need to compile the whole OpenLDAP package, because this builds all the tools needed to compile the module. But be careful, we don't install anything.
The openLDAP compilation is straightforward as we won't keep it :
tchetch@debian:/tmp/# tar xzf openldap-2.3.30.tgz
tchetch@debian:/tmp/# cd openldap-2.3.30
tchetch@debian:/tmp/openldap-2.3.30# ./configure
tchetch@debian:/tmp/openldap-2.3.30# make
No make install at all.
Then go to contrib/slapd-modules/smbk5pwd :
tchetch@debian:/tmp/openldap-2.3.30# cd contrib/slapd-modules/smbk5pwd
and edit the Makefile, changing the following lines :
DEFS=-DDO_KRB5 -DDO_SAMBA to DEFS=-DDO_SAMBA
HEIMDAL_INC=-I/usr/heimdal/include to HEIMDAL_INC=
HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv to HEIMDAL_LIB=
We can now go on and compile our little module :
tchetch@debian:/tmp/openldap-2.3.30/contrib/slapd-modules/smbk5pwd# make
Now we install our new module, but we want to respect the FHS (http://www.pathname.com/fhs/pub/fhs-2.3.html#USRLOCALLOCALHIERARCHY), so we do :
tchetch@debian:/tmp/openldap-2.3.30/contrib/slapd-modules/smbk5pwd# mkdir -p /usr/local/lib/ldap
tchetch@debian:/tmp/openldap-2.3.30/contrib/slapd-modules/smbk5pwd# cp -a .libs/* /usr/local/lib/ldap
tchetch@debian:/tmp/openldap-2.3.30/contrib/slapd-modules/smbk5pwd# cp -a smbk5pwd.la /usr/local/lib/
Then you add the directive to load the module in /etc/ldap/slapd.conf :
# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
# Load our new module
moduleload      smbk5pwd
We now want a nice interface to our LDAP tree. There's a good tool for that, which is phpldapadmin. This document does not aim to describe how to configure it in detail, just how to get it working as quickly as possible. As I stated before, we're working on a pristine system, only a base system install.
So to get phpldapadmin working, you just need to aptitude install phpldapadmin and then point your browser to http://debian/phpldapadmin !
That's all I've to say about phpldapadmin.
Samba installation will be done in two phases. First we start with a simple configuration without roaming profiles; we want a working domain that computers can join automatically. Later we will configure shares, logon scripts, roaming profiles and all the nice features we want.
Installing Samba is quite simple :
tchetch@debian:~# aptitude install samba
Then answer the questions asked by debconf :
Workgroup/Domain name : IRO
Modify smb.conf to use WINS settings from DHCP : <No>
Then stop samba :
tchetch@debian:~# /etc/init.d/samba stop
We now modify the configuration of Samba to use our brand new LDAP server. For that, open the file /etc/samba/smb.conf and find the lines, in the global configuration, about the Samba password backend :
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
   passdb backend = tdbsam
And change it to match your LDAP configuration :
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
#  passdb backend = tdbsam
   passdb backend = ldapsam:ldap://debian
   ldap suffix = o=iro
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Machines
   ldap group suffix = ou=Groups
   ldap admin dn = cn=admin,o=iro
   ldap delete dn = no
Then activate domain logons and privileges. This line is originally commented out :
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
;   domain logons = yes
This must be changed to :
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
   domain logons = yes
   enable privileges = yes
Then we add the script that lets computers join the domain. The original block only has the add user script :
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
We add the add machine script below it; the machine (Domain Computers) GID is 515 :
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/smbldap-useradd -g "515" -w "%u" -c "%u"
Now we just configure the password to access LDAP from Samba and start Samba :
tchetch@debian:~# smbpasswd -w <secret phrase>
Setting stored password for "cn=admin,o=iro" in secrets.tdb
tchetch@debian:~# /etc/init.d/samba start
If you go to the phpldapadmin interface, you should see a sambaDomainName=IRO entry added in your LDAP tree. That means that your Samba is working with your LDAP server.
smbldap-tools is a set of tools that help to work with Samba and LDAP. We use it to populate the LDAP tree with correctly configured Samba accounts. Install smbldap-tools :
tchetch@debian:~# aptitude install smbldap-tools
Configuration of smbldap-tools is done in the file /etc/smbldap-tools/smbldap.conf. This file does not exist after the installation; you need to create it. But before that we create the file /etc/smbldap-tools/smbldap_bind.conf, which contains the credentials to access the LDAP server.
In the file /etc/smbldap-tools/smbldap_bind.conf, add :
slaveDN="cn=admin,o=iro"
slavePw="<secret phrase>"
masterDN="cn=admin,o=iro"
masterPw="<secret phrase>"
Then in the file /etc/smbldap-tools/smbldap.conf, add :
SID="<YOUR SAMBA SID>"
suffix="o=iro"
ldapTLS="0"
sambaDomain="IRO"
usersdn="ou=Users,${suffix}"
computersdn="ou=Machines,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPool="sambaDomainName=IRO,${suffix}"
hash_encrypt="MD5"
userHome="/home/%U"
scope="sub"
defaultUserGid="513"
Where it says <YOUR SAMBA SID>, you need to put the SID generated by Samba. This value is found in the attribute sambaSID of the entry sambaDomainName=IRO,o=iro in your LDAP tree.
You can now run the tool smbldap-populate, which adds all the default groups needed for working with Samba and LDAP. We set the “Administrator” name with the -a option, the starting user id with the -u option and the starting group id with the -g option :
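The following script is added here as an example (it is not from the original page or from smbldap-tools): it extracts the sambaSID value from the LDIF that ldapsearch returns for the domain entry, and substitutes it for the <YOUR SAMBA SID> placeholder in the smbldap.conf skeleton above. The function names and the sample LDIF are ours; the SID in the sample is the one printed by smbldap-populate further down this page.

```shell
#!/bin/sh
# Added example (not from the original page): extract the domain SID from the
# LDIF that ldapsearch returns for sambaDomainName=IRO,o=iro and substitute it
# for the <YOUR SAMBA SID> placeholder in smbldap.conf.  The sample LDIF and
# the function names are ours.

# Print the sambaSID value from LDIF on stdin.  Accepts the base64 form
# ("sambaSID:: ...") as well as the plain one and refuses anything that does
# not start like a domain SID (S-1-5-21-...).
sid_from_ldif() {
    line=$(grep -i '^sambaSID:' | head -n 1)
    case "$line" in
        [sS]ambaSID::\ *) sid=$(printf '%s' "${line#*:: }" | base64 -d) ;;
        [sS]ambaSID:\ *)  sid=${line#*: } ;;
        *) echo "no sambaSID attribute in input" >&2; return 1 ;;
    esac
    case "$sid" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) printf '%s\n' "$sid" ;;
        *) echo "unexpected SID format: $sid" >&2; return 1 ;;
    esac
}

# Copy an smbldap.conf template from stdin to stdout with the placeholder
# replaced by $1; fails if the placeholder was not present.
fill_smbldap_conf() {
    template=$(cat)
    case "$template" in
        *"<YOUR SAMBA SID>"*) printf '%s\n' "$template" | sed "s|<YOUR SAMBA SID>|$1|" ;;
        *) echo "template has no <YOUR SAMBA SID> placeholder" >&2; return 1 ;;
    esac
}

# Constructed sample of what
#   ldapsearch -x -LLL -b 'sambaDomainName=IRO,o=iro' sambaSID
# returns, using the SID printed by smbldap-populate on this page.
SAMPLE_LDIF='dn: sambaDomainName=IRO,o=iro
sambaSID: S-1-5-21-2106538532-2980791215-551378581'

# The first lines of the smbldap.conf skeleton from this page, placeholder included.
SAMPLE_CONF='SID="<YOUR SAMBA SID>"
suffix="o=iro"
sambaDomain="IRO"'

demo_sid()  { printf '%s\n' "$SAMPLE_LDIF" | sid_from_ldif; }
demo_conf() { printf '%s\n' "$SAMPLE_CONF" | fill_smbldap_conf "$(demo_sid)"; }

# Real use, against the live directory:
#   SID=$(ldapsearch -x -LLL -b 'sambaDomainName=IRO,o=iro' sambaSID | sid_from_ldif)
#   fill_smbldap_conf "$SID" < smbldap.conf.template > /etc/smbldap-tools/smbldap.conf
```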
tchetch@debian:~# smbldap-populate -u 10000 -g 20000 -a Administrator
Populating LDAP directory for domain IRO2 (S-1-5-21-2106538532-2980791215-551378581)
(using builtin directory structure)
Use of uninitialized value in string ne at /usr/sbin/smbldap-populate line 166.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 171.
entry o=iro already exist.
entry ou=Users,o=iro already exist.
entry ou=Groups,o=iro already exist.
entry ou=Machines,o=iro already exist.
adding new entry: uid=root,ou=Users,o=iro
adding new entry: uid=nobody,ou=Users,o=iro
adding new entry: cn=Domain Admins,ou=Groups,o=iro
adding new entry: cn=Domain Users,ou=Groups,o=iro
adding new entry: cn=Domain Guests,ou=Groups,o=iro
adding new entry: cn=Domain Computers,ou=Groups,o=iro
adding new entry: cn=Administrators,ou=Groups,o=iro
adding new entry: cn=Account Operators,ou=Groups,o=iro
adding new entry: cn=Print Operators,ou=Groups,o=iro
adding new entry: cn=Backup Operators,ou=Groups,o=iro
adding new entry: cn=Replicators,ou=Groups,o=iro
entry sambaDomainName=IRO2,o=iro already exist. Updating it...
Please provide a password for the domain Administrator:
Changing UNIX and samba passwords for Administrator
New password: <admin password>
Retype new password: <admin password>
<admin password> is the password you want to use for IRO\Administrator. You can define another name for IRO\Administrator by changing the -a option of smbldap-populate.
Now it's time to make our Samba accounts and users available to Unix authentication. For that we need two packages, libpam-ldap and libnss-ldap.
tchetch@debian:~# aptitude install libnss-ldap libpam-ldap
Then answer the questions :
LDAP server Uniform Resource Identifier : ldap://debian/
Distinguished name of the search base : o=iro
LDAP version to use : 3
LDAP account for root : cn=admin,o=iro
LDAP root account password : <secret phrase>
Make local root Database admin : Yes
Does the LDAP database require login : <No>
LDAP account for root : cn=admin,o=iro
LDAP root account password : <secret phrase>
Now we go on to configure NSS to use LDAP as a backend. To do so, edit /etc/nsswitch.conf and change :
passwd:         compat
group:          compat
shadow:         compat
to
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
Next we configure PAM to use LDAP as the authentication backend. First edit /etc/pam.d/common-account from :
account required        pam_unix.so
to
account sufficient      pam_ldap.so
account required        pam_unix.so try_first_pass
Then edit /etc/pam.d/common-auth from :
auth    required        pam_unix.so nullok_secure
to
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
And /etc/pam.d/common-password from :
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password   required   pam_unix.so nullok obscure min=4 max=8 md5
to
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
If you want to check that your configuration is right, just ask getent for the user list or the group list. This shows the standard passwd users and the LDAP users (or groups) :
tchetch@debian:~# getent group
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
ssh:x:103:
openldap:x:104:
Domain Admins:*:512:Administrator
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
Now add a computer to the domain (from the computer itself) and list the users. You'll see your computer added to the Unix user database :
tchetch@debian:~# getent passwd
Administrator:x:0:0:Netbios Domain Administrator:/home/Administrator:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
iro007$:*:10000:515:Computer:/dev/null:/bin/false
The first phase of Samba configuration is done.
At boot time, udev will complain if you leave it like this. Indeed you need to set up some system groups with the command addgroup --system :
$ sudo addgroup --system rdma
$ sudo addgroup --system fuse
$ sudo addgroup --system kvm
$ sudo addgroup --system tss
$ sudo addgroup --system nvram
$ sudo addgroup --system scanner
This list may not be complete, but you'll find all the groups needed by udev in the file /etc/udev/rules.d/91-permissions.rules. Look for the GROUP and OWNER directives.
Then add similar users :
$ sudo adduser --no-create-home --system rdma --group
$ sudo adduser --no-create-home --system fuse --group
$ sudo adduser --no-create-home --system kvm --group
$ sudo adduser --no-create-home --system tss --group
$ sudo adduser --no-create-home --system nvram --group
It's time to configure Samba in order to create our domain. In this configuration, we assume we have Windows XP clients only. The idea is to provide a default profile with a default configuration. We want to have the same configuration whether logging in on Windows or on Linux, wherever we can.
So we use software that runs on both Linux and Windows as much as possible. Here is the list of software we're using for some tasks :
The most important thing, at that time, is Thunderbird. We want to keep our mail available on Linux and Windows even when we use POP3, and we want users to be able to use a private e-mail address, even with POP3, and a private address book.
We want to be able to delete a profile without losing this configuration or the files stored on the Windows (and Linux) desktop, and we want the same desktop on Linux and Windows.
Finally we want to add a user without the users or us (IT Service) needing to spend more than about 1 minute to get all those nice functionalities.
On the server side, we use XFS as the file system. This means that we have ACLs (acl) and Extended Attributes (attr). The directory structure is pretty simple :
| Directory | Usage | Map letter |
|---|---|---|
| /srv/profiles | Users profile | |
| /srv/netlogon | Netlogon share (Not used this time) | |
| /home | Users home directory (mapped to My Documents on Windows) | H: |
Here is a short example. We have the user pmettan. This user has, on the server, rights to the following directories :
/srv/profiles/pmettan, where his Windows profile is kept.
/home/pmettan, where his data is kept (My Documents on Windows), along with the Windows and Linux Desktop.
Other shares do not impact the way our domain works. You can map any other share to any drive.
We need to add some options in the global configuration (headed by [global] in /etc/samba/smb.conf). We just add these directives :
# ...
# Configuration for IRO network
   map acl inherit = yes
# Need Extended Attributes on the local file system
   nt acl support = yes
   store dos attributes = yes
# Need Extended Attributes on the local file system
   hide files = /desktop.ini/
# ...
We also want to set the path to the profile and the path to the home directory. This is done with the logon directives, set like this in the default install :
# The following required a [profiles] share to be setup on the
# samba server (see below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
;   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
;   logon home = \\%N\%U
You need to change it to :
# The following required a [profiles] share to be setup on the
# samba server (see below)
   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
;   logon path = \\%N\%U\

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
   logon drive = H:
   logon home = \\%N\%U
This configuration is done under the section [homes]. Originally it is set like this :
[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
   valid users = %S
It is changed this way :
[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
   valid users = %S
The only thing we changed is that we made the home directory writable.
This is the most important share for roaming profiles. Its original configuration is :
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700
It is edited to :
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
[profiles]
   comment = Users profiles
   path = /srv/profiles
   guest ok = no
   browseable = no
   create mask = 0600
   directory mask = 0700
   read only = no
   profile acls = yes
We added profile acls = yes; this makes Samba add some rights that can be understood by the system when the computer is not connected. We might remove this option, but currently it's set and it works.
We also made this share writable (read only = no).
The netlogon configuration is kept as original; we only changed the path to match our directory structure on the server side and uncommented the rest :
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
   comment = Network Logon Service
   path = /srv/netlogon
   guest ok = yes
   writable = no
   share modes = no
We have done our share configuration.
To make your system able to change the password for both the Windows domain and the Unix account, you need to change the original configuration from :
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
to :
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
It's now time to create a generic profile for all our users. This profile will be used for each new user and will contain the basic configuration for desktop, shortcuts, …
All you need here is a computer fully installed and configured (and it must have joined the domain) as your clients will be. In this case we have a Windows XP with a set of software. We are not going to create all the configuration for our software now, only the basic profile things.
In order to create this profile, you need a standard domain user. To create this user we use smbldap-useradd as follows :
tchetch@debian:~# smbldap-useradd -a -A 1 -s /bin/false -c "Tchetch test" tchetch2
tchetch@debian:~# smbldap-passwd tchetch2
Changing UNIX and samba passwords for tchetch2
New password: <tchetch's password>
Retype new password: <tchetch's password>
This brand new user needs a home directory and a profile directory, so :
tchetch@debian:~# mkdir /home/tchetch2
tchetch@debian:~# chown tchetch2:Domain\ Users /home/tchetch2
tchetch@debian:~# chmod 0700 /home/tchetch2
tchetch@debian:~# mkdir /srv/profiles/tchetch2
tchetch@debian:~# chown tchetch2:Domain\ Users /srv/profiles/tchetch2
tchetch@debian:~# chmod 0700 /srv/profiles/tchetch2
It's time to log on to your computer with the user tchetch2. When you log on, Windows will create a profile from the default local profile. Then you can take your time to make your profile as you want, like adding icons to the quick launch bar, setting a different background or removing (or adding) icons on the desktop.
Be careful because some programs add their icons in Documents And Settings\All Users\Desktop. Those icons can be deleted only by the local Administrator, so if you got an “Access denied” when deleting icons, you know where to look.
Your profile is ready to use, so let's export it for all our users. Right-click on My Computer, select Properties, then the Advanced tab, and under User Profiles click Settings. In the list, select your current profile and hit the Change Type button. In the new window select Local profile, accept the change and log off.
This operation has saved our profile on the local computer, and it will be available after we log off.
Now log on with the administrator account and go to the same place as before; now you can select the profile and you have a Copy To button. Click on it: you can enter the path to copy your profile to and who is permitted to use this profile. Change “Permitted to use” to Everyone and set the path to the server (your home directory, for example).
You now have a generic profile ready to use for every user. Just copy it to /srv/profiles/%username% and change the rights on it.