This solution lets users running Linux authenticate through pam_ldap and users running Windows (NT and up) authenticate against a Samba Domain Controller. Linux users can also join their machines to the Samba domain and create shares accessible to other users known to the Domain Controller.
This setup caused me a second headache, since the Samba server running on Ubuntu Hardy could not join the Samba Domain Controller running on Etch. This is because there is a compatibility issue between Samba 3.0.28a (Hardy) and Samba 3.0.24a (Etch). I had to fetch some more recent source packages here and compile and build them on Etch. This is not a procedure for the faint of heart, so if you haven't upgraded to Lenny yet, now is the time (at the time of this writing, Lenny has Samba 3.2.5).
I was planning on providing a step-by-step procedure to install and configure all of the necessary stuff, but apparently someone already did. Following these instructions to the letter will get you up and running in no time. The only thing you have to do is add these lines to libnss-ldap.conf:
This is necessary because otherwise the machine keeps retrying account lookups against the LDAP server forever when it boots and populates /dev. udev resolves the OWNER and GROUP names in its rules through NSS, so every device node can trigger a lookup, and populating /dev happens very early in the boot sequence, before the network is up or any LDAP server is reachable.
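The lines themselves did not survive on this page. The libnss-ldap directive that addresses the boot-time hang described above is the bind policy, whose default ("hard") retries the connection with backoff instead of returning an error. The fragment below is added here as an editor's example of a libnss-ldap.conf that fails fast; it is not the author's original lines, and the host, base, bind DN and password are placeholders. The same bind_policy directive is understood by pam_ldap.conf. Note that libnss-ldap.conf has to stay world-readable, because unprivileged processes resolve names through it, which is exactly why the bind account should be a read-only one.

```conf
# /etc/libnss-ldap.conf (editor's example; host, base and credentials are placeholders)
host 192.0.2.10
base dc=example,dc=org

# Read-only bind used for NSS lookups. Anyone on the box can read this file,
# so this account must have no write rights in the directory.
binddn cn=nss,dc=example,dc=org
bindpw secret

# "hard" (the default) keeps retrying the connection with backoff, which is
# what stalls boot while /dev is populated; "soft" returns an error instead.
bind_policy soft
bind_timelimit 5
timelimit 10

# Bound the reconnect attempts NSS lookups make before giving up.
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2

# Never ask LDAP for the supplementary groups of local system accounts.
# Supported by newer libnss-ldap releases; drop it if yours rejects the option.
nss_initgroups_ignoreusers root
```

Keep "passwd: files ldap" (and the same for group and shadow) in /etc/nsswitch.conf so that root and the other accounts in /etc/passwd are answered locally without touching the directory. After the change, `getent passwd <ldapuser>` should still resolve, and with the LDAP host unreachable the same command should return promptly with no result rather than hang.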
I also created an additional LDAP user (next to the admin user) that is only capable of reading entries (instead of reading _and_ writing) as suggested here. This user is called nss and is used to configure pam_ldap on the client Linux machines.
My PAM configuration file is also a bit different, so here it is for completeness:
# Authentication: try the directory first; if that fails (wrong password or
# LDAP unreachable), fall through to /etc/shadow reusing the password already typed.
auth sufficient pam_ldap.so
auth required pam_unix_auth.so use_first_pass

# Account validity: an account the directory accepts is let through; anything
# else must pass the local expiry and lock checks against /etc/shadow.
account sufficient pam_ldap.so
account required pam_unix_acct.so

# Password changes: quality check first, then update the directory entry;
# local accounts fall back to /etc/shadow (md5 hashes here; newer pam_unix
# releases also support sha512).
password required pam_passwdqc.so
password sufficient pam_ldap.so
password required pam_unix_passwd.so use_first_pass md5 shadow

# Session: create the home directory on first login, readable by its owner only.
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
Please note that changing PAM modules is dangerous and can leave you with a system nobody can log into. The above configuration definitely works, but always keep backups of your original PAM files and have a bootable medium (CD, DVD, floppy, USB) at hand. A cheaper safeguard is to keep a root shell open while you edit, and to verify a fresh login from another terminal (one LDAP user and one local user) before closing it.
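As an added example (not code from the original post), here is a small Python checker that reads a PAM service file like the one above and flags the patterns behind the lock-out warned about here, plus a few mistakes that weaken the setup: an auth or account stack that ends in a sufficient pam_ldap.so with no pam_unix module behind it, a fallback module that prompts for the password a second time, a password stack with no quality check before the password is set, weak pam_unix hashing, and a pam_mkhomedir umask that leaves new home directories readable by others. The two embedded stacks are constructed for the example: the first is the post's own configuration, the second a deliberately broken LDAP-only one.

```python
"""Lint a PAM service file for lock-out and weakening mistakes.

Editor's added example, not code from the original post.
"""
import re

# Constructed sample 1: the stack quoted in the post.
PAM_FROM_POST = """\
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
password required pam_passwdqc.so
password sufficient pam_ldap.so
password required pam_unix_passwd.so use_first_pass md5 shadow
account sufficient pam_ldap.so
account required pam_unix_acct.so
auth sufficient pam_ldap.so
auth required pam_unix_auth.so use_first_pass
"""

# Constructed sample 2: LDAP-only stacks, nothing local to fall back on.
PAM_LOCKOUT = """\
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
"""

TYPES = ("auth", "account", "password", "session")
# type, control (one word or a bracketed [key=value ...] list), module, args
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
STRENGTH_MODULES = ("pam_passwdqc.so", "pam_cracklib.so", "pam_pwquality.so")
STRONG_HASHES = {"sha256", "sha512", "blowfish"}


def parse_pam(text):
    """Return {type: [(control, module, [args]), ...]} in file order.

    Comment and blank lines are skipped; so are Debian "@include" lines,
    which means included stacks are invisible to the lint.
    """
    stacks = {t: [] for t in TYPES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("cannot parse PAM line: %r" % raw)
        ptype, control, module, args = m.groups()
        stacks[ptype].append((control.lower(), module, args.split()))
    return stacks


def lint(stacks):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    findings = []
    for ptype in ("auth", "account"):
        stack = stacks[ptype]
        if not stack:
            findings.append(("empty-stack", "%s: no modules at all" % ptype))
            continue
        # A stack ending in `sufficient` has nothing left to authenticate a
        # local user, root included, once the LDAP server is unreachable.
        if stack[-1][0] == "sufficient":
            findings.append(("no-fallback", "%s: last module is sufficient" % ptype))
        if not any(mod.startswith("pam_unix") for _, mod, _ in stack):
            findings.append(("no-local", "%s: no pam_unix module" % ptype))

    # A fallback that does not reuse the typed password prompts a second time.
    auth = stacks["auth"]
    for i in range(1, len(auth)):
        _, mod, args = auth[i]
        if auth[i - 1][0] == "sufficient" and not {"use_first_pass", "try_first_pass"} & set(args):
            findings.append(("double-prompt", "auth: %s prompts again" % mod))

    pw = stacks["password"]
    setters = [i for i, (_, mod, _) in enumerate(pw) if mod.startswith(("pam_unix", "pam_ldap"))]
    checkers = [i for i, (_, mod, _) in enumerate(pw) if mod in STRENGTH_MODULES]
    if setters and (not checkers or checkers[0] > setters[0]):
        findings.append(("no-strength-check", "password: no quality check before the password is set"))
    for _, mod, args in pw:
        if mod.startswith("pam_unix") and not STRONG_HASHES & set(args):
            findings.append(("weak-hash", "password: %s uses md5 or DES, prefer sha512" % mod))

    for _, mod, args in stacks["session"]:
        if mod == "pam_mkhomedir.so":
            umask = 0o022  # pam_mkhomedir's own default when umask= is absent
            for a in args:
                if a.startswith("umask="):
                    umask = int(a.split("=", 1)[1], 8)
            if (umask & 0o077) != 0o077:
                findings.append(("home-perms", "session: umask=%04o leaves new home dirs readable by group or others" % umask))
    return findings


def lint_text(text):
    """Parse and lint a PAM file given as a string."""
    return lint(parse_pam(text))
```

Running lint_text on the post's stack flags only the md5 hashing; the second sample trips the lock-out checks for both auth and account, because each ends in a sufficient pam_ldap.so with no pam_unix module behind it, and additionally the missing quality check and the permissive umask. Remember that this only sees what is in the one file it is given: on Debian, where the per-service files pull in common-auth and friends through @include, run it on the included files.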
If you want a graphical user interface to browse the LDAP directory, you can use Apache Directory Studio (advanced but heavyweight) or LDAP Browser (basic and lightweight). Both are Java based, so they should run on anything that provides a Sun JDK or JRE.
If you find errors in this post, in fact, if you find errors in any post, please leave a comment or send me a mail.