===== LDAP + Samba setup
Source: http://ubuntuforums.org/showthread.php?t=640760

apt-get install slapd ldap-utils migrationtools

----- dpkg-reconfigure slapd
Omit OpenLDAP server configuration?                          No
DNS domain name:                                             example.local
Name of your organization:                                   example.local
Admin password:                                              12345
Confirm password:                                            12345
(informational screen)                                       OK
Database backend to use:                                     BDB
Do you want the database to be removed when slapd is purged? No
Move old database?                                           Yes
Allow LDAPv2 protocol?                                       No

12345 is a placeholder. The same password is later written in clear text to
secrets.tdb (smbpasswd -w), /etc/ldap.secret and smbldap_bind.conf, so choose a
strong one and keep those files readable by root only.

===== Samba
apt-get install samba smbldap-tools smbclient samba-doc

samba-doc ships the schema that slapd needs for the sambaSamAccount attributes;
put it in place before editing slapd.conf:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

----- /etc/ldap/slapd.conf
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema

Extend the existing access rule for userPassword and shadowLastChange so that
the Samba hashes get the same protection (leave the "by ..." clauses that follow
the rule unchanged):

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

This matters: sambaNTPassword is the unsalted NT hash, directly usable for
pass-the-hash against SMB, and sambaLMPassword is the LM hash, which is
trivially crackable. If they are not in this rule they fall under the default
"access to * ... by * read" and any anonymous bind can dump them.

/etc/init.d/slapd restart

----- /etc/samba/smb.conf
workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no

#######################################################################
# COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
# Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
# End: Custom LDAP Entries
#

;invalid users = root     <--- comment this line out

Commenting out "invalid users = root" is what lets you join Windows machines to
the domain as root. Once the machines are joined, consider re-enabling it (root
is otherwise a remotely usable SMB account) and giving a non-root group the
machine-join right instead, which Samba-3 supports:
net rpc rights grant 'EXAMPLE\Domain Admins' SeMachineAccountPrivilege -U root

; disables roaming profiles for Windows
logon path = .....
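The slapd access rule above is the only thing standing between an anonymous bind and every user's NT/LM hash, so it is worth proving it works rather than trusting it. The following audit script is an added example, not part of the original guide or of Samba/OpenLDAP: audit_ldif() flags any of the three secret attributes in ldapsearch output, and live_check() runs the two queries a practitioner would type by hand, an anonymous bind (must come back clean) and a cn=admin bind (must show the attributes, otherwise the anonymous result proves nothing because no hashes are set yet). Run it after smbldap-populate and smbldap-useradd below have created accounts. The base DN, host and admin DN are the guide's placeholders; the NT hash in the self-test is the well-known hash of "password" and the LDIF around it is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that anonymous binds
# cannot read the Samba hashes.  Attribute names are the real ones from
# core/samba schema; DNs and host are the guide's placeholders.

# Attributes that an anonymous or ordinary-user bind must never be able to read.
SECRET_ATTRS="userPassword sambaNTPassword sambaLMPassword"

# audit_ldif LDIF_TEXT
#   Prints "LEAK <attr>" for every secret attribute found in the LDIF, in either
#   "attr: value" or base64 "attr:: value" form (attribute names are matched
#   case-insensitively, as LDAP does), or "OK" when none is present.
#   Returns 0 when clean, 1 when anything leaked.
audit_ldif() {
    ldif=$1
    leaked=0
    for attr in $SECRET_ATTRS; do
        if printf '%s\n' "$ldif" | grep -Eiq "^${attr}::? "; then
            echo "LEAK $attr"
            leaked=1
        fi
    done
    [ "$leaked" -eq 0 ] && echo OK
    return "$leaked"
}

# live_check BASE_DN [HOST]
#   Anonymous query first (-x without -D is an anonymous simple bind), then the
#   same query authenticated as cn=admin for comparison.
live_check() {
    base=$1
    host=${2:-localhost}
    filter='(objectClass=sambaSamAccount)'
    echo "anonymous bind against ldap://$host/:"
    # $SECRET_ATTRS is deliberately unquoted: each name is a separate argument.
    anon=$(ldapsearch -x -LLL -H "ldap://$host/" -b "$base" "$filter" $SECRET_ATTRS)
    audit_ldif "$anon" || echo "FAIL: extend the access rule in slapd.conf"
    echo "admin bind (you will be prompted for the cn=admin password):"
    admin=$(ldapsearch -x -LLL -H "ldap://$host/" -b "$base" \
                -D "cn=admin,$base" -W "$filter" $SECRET_ATTRS)
    case $admin in
        *sambaNTPassword*) echo "hashes exist and are visible to admin; the ACL is what hides them" ;;
        *) echo "no sambaNTPassword even for admin: add a user first (smbldap-useradd -a)" ;;
    esac
}

# The self-test runs offline; set RUN_LIVE=1 on the server to query slapd.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_check "dc=example,dc=local" "${LDAP_HOST:-localhost}"
fi
```

Usage on the server: RUN_LIVE=1 sh audit-hashes.sh. Anything other than "OK" under the anonymous bind means the access rule is missing an attribute or sits below a more permissive rule in slapd.conf (rules are evaluated first-match).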
smbpasswd -w 12345          # stores the ldap admin dn password in secrets.tdb
net getlocalsid > myrecord  # keep the SID, smbldap.conf must use the same one

----- /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-949328747-3404738746-3052206637"
## This line must carry exactly the SID printed by "net getlocalsid".
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
## Be careful with this section!!
userHome="/ldaphome/%U"     ## This is found in the UNIX section.
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"

ldapTLS="0" is acceptable only because the tools talk to slapd on the same host
(ldap://localhost). The companion file /etc/smbldap-tools/smbldap_bind.conf
holds the cn=admin bind DN and its clear-text password; make it mode 0600,
owned by root.

===== Populate LDAP using smbldap-tools
smbldap-populate -u 30000 -g 30000
ldapsearch -x -b dc=example,dc=local | less

smbldap-populate creates the base OUs, the sambaDomainName entry, the well-known
groups and the root and nobody accounts; -u and -g set the first uid/gid it will
hand out to new accounts. The ldapsearch is an anonymous bind (-x with no -D),
so it doubles as a check of what an unauthenticated client sees: userPassword,
sambaNTPassword and sambaLMPassword must not appear in its output.

===== Add an LDAP User to the System
smbldap-useradd -a -m -M ricky -c "Richard M" ricky

  -a         create a Windows (Samba) account as well as the Unix/POSIX one
  -m         create the home directory; leave this off if the user does not
             need local access, PAM (pam_mkhomedir, below) creates it on first
             login anyway
  -M ricky   local part of the user's mail address (mailDomain is appended)
  -c         full name

smbldap-passwd ricky

===== Configure LDAP Authentication on the Server
apt-get install auth-client-config libpam-ldap libnss-ldap

Should debconf manage LDAP configuration?    Yes
LDAP server Uniform Resource Identifier:     ldap://127.0.0.1
Distinguished name of the search base:       dc=example,dc=local
LDAP version to use:                         3
Make local root Database admin:              Yes
Does the LDAP database require login?
No
LDAP account for root:                       cn=admin,dc=example,dc=local
LDAP root account password:                  12345

(The URI must be ldap://, not ldapi://: ldapi is the Unix-domain-socket scheme
and does not take a host. It has to match the uri line written below.)

Back up /etc/ldap.conf before editing it.

----- /etc/ldap.conf
host 127.0.0.1
base dc=example,dc=local
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

rootbinddn makes root's NSS/PAM lookups bind as cn=admin; the password for that
bind is read from /etc/ldap.secret, which debconf writes from the answer above
and which must stay mode 0600, owned by root. bind_policy soft makes lookups
fail immediately instead of retrying forever when slapd is unreachable, so
logins do not hang.

----- /etc/auth-client-config/profile.d/open_ldap
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session required pam_unix.so
        session optional pam_ldap.so

Two things to know about this stack: nullok lets a local account whose password
field is empty log in, so drop it unless you really have such accounts; and
pam_mkhomedir with umask=0077 creates each new home as 0700, which is what keeps
users out of each other's directories once /ldaphome is exported as a writeable
share further down.

auth-client-config -a -p open_ldap

===== Client for LDAP Authentication
apt-get install auth-client-config libpam-ldap libnss-ldap

Should debconf manage LDAP configuration?    Yes
LDAP server Uniform Resource Identifier:     ldap://dc01-ubuntu.example.local
Distinguished name of the search base:       dc=example,dc=local
LDAP version to use:                         3
Make local root Database admin:              Yes
Does the LDAP database require login?
No
LDAP account for root:                       cn=admin,dc=example,dc=local
LDAP root account password:                  12345

----- /etc/ldap.conf
host dc01-ubuntu.example.local
base dc=example,dc=local
uri ldap://dc01-ubuntu.example.local/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

cp /etc/ldap.conf /etc/ldap/ldap.conf   # so ldap-utils (ldapsearch etc.) use the same server and base

Unlike the server, the client reaches slapd over the network, and ldap:// is
clear text: every password pam_ldap verifies and the cn=admin bind made for
rootbinddn cross the wire unencrypted. Outside an isolated lab, configure TLS
on slapd and add "ssl start_tls" to /etc/ldap.conf on the clients.

----- /etc/auth-client-config/profile.d/open_ldap
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session required pam_unix.so
        session optional pam_ldap.so

auth-client-config -a -p open_ldap

----- /etc/samba/smb.conf
# LDAPHOME share definition
[ldaphome]
  path = /ldaphome
  writeable = yes
  browseable = yes
  security mask = 0777
  force security mode = 0
  directory security mask = 0777
  force directory security mode = 0

The four mask/mode lines let users change any permission bit on their own files
from the Windows Security tab without Samba forcing bits on or off. The share
itself is writeable at the top level, so the separation between users comes
entirely from the 0700 home directories.

===== SAMBA - Enable the 'Netlogon' Share
mkdir -p /home/samba/netlogon

----- /etc/samba/smb.conf
[netlogon]
  comment = Network Logon Service
  path = /home/samba/netlogon
  guest ok = yes
  writable = no
  share modes = no

Change the line
  ; logon script = logon.cmd
to
  logon script = allusers.bat
Note the changed file name. Whatever is in that file runs on every Windows
client at domain logon, so the directory must be owned by root and writable by
nobody else on the server: "writable = no" only covers SMB access, not local
users of the box.
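Several of the steps above leave state that is easy to get subtly wrong and that nothing checks for you: the SID in smbldap.conf must equal the one from net getlocalsid, the files holding the cn=admin password in clear text (/etc/ldap.secret, /etc/smbldap-tools/smbldap_bind.conf) must be root-only, and the netlogon directory must not be writable by anyone else. The script below is an added example, not from the original guide or from Samba; its check functions take their input as arguments so they can be exercised offline, and run_live() applies them to the real commands and Debian/Ubuntu paths. The SID and command output in the self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): post-install sanity checks for
# the LDAP + Samba setup.  Paths are the Debian/Ubuntu ones from the guide.

# sid_from_getlocalsid TEXT
#   Extracts the SID from "net getlocalsid" output, which looks like
#   "SID for domain DC01-UBUNTU is: S-1-5-21-1-2-3".
sid_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# sid_from_smbldap_conf TEXT
#   Extracts the value of the active SID="..." line of smbldap.conf, skipping
#   commented-out lines.
sid_from_smbldap_conf() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SID="\([^"]*\)".*/\1/p' | head -n 1
}

# sids_match GETLOCALSID_OUTPUT SMBLDAP_CONF_TEXT
#   True when both name the same, non-empty SID.  On a mismatch smbldap-tools
#   create accounts under a domain SID that smbd does not own, and those
#   accounts are useless for domain logons.
sids_match() {
    a=$(sid_from_getlocalsid "$1")
    b=$(sid_from_smbldap_conf "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# mode_is_root_private MODE
#   MODE is an octal string as printed by "stat -c %a" (600, 0600, ...).
#   True when group and other have no permission bits at all.
mode_is_root_private() {
    case $1 in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# mode_is_world_writable MODE
#   True when the "other" write bit is set.  A world-writable netlogon
#   directory lets any local account plant a script that every Windows client
#   executes at logon.
mode_is_world_writable() {
    last=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    case $last in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_private_file PATH   -> verdict line; returns 0 only when acceptable
check_private_file() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    m=$(stat -c %a "$1")
    if mode_is_root_private "$m"; then
        echo "ok       $1 ($m)"
    else
        echo "EXPOSED  $1 ($m)  -> chmod 600 $1"; return 1
    fi
}

run_live() {
    rc=0
    if sids_match "$(net getlocalsid 2>/dev/null)" "$(cat /etc/smbldap-tools/smbldap.conf)"; then
        echo "ok       smbldap.conf SID matches net getlocalsid"
    else
        echo "MISMATCH smbldap.conf SID differs from net getlocalsid"; rc=1
    fi
    for f in /etc/ldap.secret /etc/smbldap-tools/smbldap_bind.conf; do
        check_private_file "$f" || rc=1
    done
    d=/home/samba/netlogon
    if [ -d "$d" ] && mode_is_world_writable "$(stat -c %a "$d")"; then
        echo "EXPOSED  $d is world-writable"; rc=1
    fi
    return $rc
}

# The self-test runs offline; set RUN_LIVE=1 on the server to audit it.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live
fi
```

Run it as root on the server (RUN_LIVE=1 sh audit-samba-ldap.sh); a non-zero exit means at least one line needs attention. The SID comparison is deliberately done on the SID alone, since the domain name printed by net getlocalsid is the server's NetBIOS name, not the workgroup.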
----- /home/samba/netlogon/allusers.bat
@echo off
REM # SYNC THE TIME WITH THE SERVER
net time \\dc01-ubuntu.example.local /set /y
REM # DELETE ALL MAPPED DRIVES
net use h: /delete
REM # MAP ALL NECESSARY DRIVES
net use h: "\\dc01-ubuntu.example.local\ldaphome\%username%"

=====

----- Samba-3 release:
* Samba-3 supports a choice of backends in which user, group and machine
  accounts may be stored. Multiple passdb backends can be used in combination,
  either as additive backend data sets or as fail-over data sets. An LDAP passdb
  backend confers the benefit that the account backend can be distributed and
  replicated, which is of great value because it provides scalability and a
  high degree of reliability.
* Windows NT4 domain trusts. Samba-3 supports workstation and server (machine)
  trust accounts. It also supports Windows NT4-style interdomain trust
  accounts, which further assists network scalability and interoperability.
* Operation without NetBIOS over TCP/IP, using raw SMB over TCP/IP instead.
  Note that this is feasible only when operating as a Microsoft Active
  Directory domain member server. When acting as a Samba domain controller the
  use of NetBIOS is necessary to provide network browsing support.
* Samba-3 provides NetBIOS name services (WINS), NetBIOS over TCP/IP (TCP port
  139) session services, SMB over TCP/IP (TCP port 445) session services, and
  Microsoft-compatible ONC DCE RPC services (TCP port 135).
* Management of users and groups via the User Manager for Domains. This can be
  done on any MS Windows client using the Nexus.exe toolkit for Windows 9x/Me,
  or the SRVTOOLS.EXE package for MS Windows NT4/200x/XP platforms. These
  packages are available from Microsoft's Web site.
* Full Unicode support. This simplifies cross-locale internationalization
  support. It also opens up the use of protocols that Samba-2.2.x had but could
  not use due to the need to fully support Unicode.
----- Not provided by Samba-3:
* SAM replication with Windows NT4 domain controllers (i.e., a Samba PDC and a
  Windows NT BDC, or vice versa). This means Samba cannot operate as a BDC when
  the PDC is a Microsoft Windows NT PDC, and cannot participate in replication
  of account data to Windows PDCs and BDCs.
* Acting as a Windows 2000 Active Directory domain controller (i.e., Kerberos
  and Active Directory). Samba-3 does have some Active Directory domain control
  ability, but at this time it is purely experimental. Active Directory domain
  control is one of the features being developed in Samba-4, the next
  generation Samba release. There are no plans to enable Active Directory domain
  control support during the Samba-3 life-cycle.
* The Windows 200x/XP Microsoft Management Console (MMC) cannot be used to
  manage a Samba-3 server. For this you can use only the MS Windows NT4 Domain
  Server Manager and the MS Windows NT4 Domain User Manager. Both are part of
  the SRVTOOLS.EXE package mentioned above.

----- Necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS
Windows NT4/200x/XP clients:
* Configuration of basic TCP/IP and MS Windows networking.
* Correct designation of the server role (security = user).
* Consistent configuration of name resolution.
* Domain logons for Windows NT4/200x/XP Professional clients.
* Configuration of roaming profiles, or explicit configuration to force local
  profile usage.
* Configuration of network/system policies.
* Adding and managing domain user accounts.
* Configuring MS Windows NT4/2000 Professional and Windows XP Professional
  client machines to become domain members.
----- smb.conf for PDC
[global]
  passdb backend = tdbsam
  os level = 33
  preferred master = auto
  domain master = yes
  local master = yes
  security = user
  domain logons = yes
  logon path = \\%N\profiles\%U
  logon drive = H:
  logon home = \\homeserver\%U\winprofile
  logon script = logon.cmd

[netlogon]
  path = /var/lib/samba/netlogon
  read only = yes

[profiles]
  path = /var/lib/samba/profiles
  read only = no
  create mask = 0600
  directory mask = 0700

passdb backend
  This contains all the user and group account information. Acceptable values
  for a PDC are smbpasswd, tdbsam and ldapsam. The "guest" entry provides
  default accounts and is included by default; there is no need to add it
  explicitly. Where use of BDCs is intended, the only logical choice is LDAP,
  so that the passdb backend can be distributed. The tdbsam and smbpasswd files
  cannot effectively be distributed and therefore should not be used.

Domain Control Parameters
  The parameters os level, preferred master, domain master, security, encrypt
  passwords and domain logons play a central role in assuring domain control
  and network logon support. The os level must be set at or above 32. A domain
  controller must be the DMB, must run in user-mode security, must support
  Microsoft-compatible encrypted passwords, and must provide the network logon
  service (domain logons). Encrypted passwords must be enabled. For more
  details on how to do this, refer to Account Information Databases.

Environment Parameters
  The parameters logon path, logon home, logon drive and logon script are
  environment support settings that facilitate client logon operations and
  provide automated control facilities to ease network management overheads.
  Please refer to the man page information for these parameters.

NETLOGON Share
  The NETLOGON share plays a central role in domain logon and domain membership
  support. This share is provided on all Microsoft domain controllers.
  It is used to provide logon scripts, to store group policy files
  (NTConfig.POL), and to locate other common tools that may be needed for
  logon processing. It is an essential share on a domain controller.

PROFILE Share
  This share is used to store user desktop profiles. Each user must have a
  directory at the root of this share. This directory must be write-enabled for
  the user and must be globally read-enabled. Samba-3 has a VFS module called
  "fake_permissions" that may be installed on this share. It allows a Samba
  administrator to make the directory read-only to everyone. Of course this is
  useful only after the profile has been properly created.
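The "Domain Control Parameters" paragraph lists hard requirements (os level at or above 32, domain master, security = user, domain logons, encrypted passwords) plus the rule that only ldapsam can back a PDC that will have BDCs, and Samba does not refuse to start when they are violated; it just silently fails to act as a domain controller. The script below is an added example, not from the Samba HOWTO or the Samba project: it reads the [global] section of an smb.conf (or, better, of testparm -s output, which has defaults expanded) and prints one line per requirement the configuration breaks, applying Samba-3's documented defaults for parameters that are not set. The smb.conf text in the self-test is constructed.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): check an smb.conf [global] section
# against the PDC requirements stated in the text above.

# smb_global_value CONF KEY
#   Prints the value of KEY from the [global] section of CONF.  Keys are
#   matched case-insensitively with surrounding whitespace ignored; lines
#   starting with ';' or '#' are comments; other sections are skipped.
smb_global_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { insec = 0; key = tolower(key) }
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ {
            sec = tolower($0)
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec)
            gsub(/[[:space:]]/, "", sec)
            insec = (sec == "global"); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# smb_bool VALUE -> yes or no; Samba accepts yes/true/1 and no/false/0.
#   Anything else (including "auto" and the empty string) is passed through.
smb_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        yes|true|1) echo yes ;;
        no|false|0) echo no ;;
        *)          echo "$1" ;;
    esac
}

# pdc_problems CONF [want_bdc]
#   Prints one line per violated requirement; prints nothing when CONF
#   satisfies them.  Pass "yes" as want_bdc if BDCs are planned, which adds
#   the requirement that the passdb backend be ldapsam.
pdc_problems() {
    conf=$1
    want_bdc=${2:-no}
    oslevel=$(smb_global_value "$conf" "os level");   oslevel=${oslevel:-20}
    secur=$(smb_global_value "$conf" "security");     secur=${secur:-user}
    logons=$(smb_bool "$(smb_global_value "$conf" "domain logons")")
    logons=${logons:-no}
    encr=$(smb_bool "$(smb_global_value "$conf" "encrypt passwords")")
    encr=${encr:-yes}
    dmaster=$(smb_bool "$(smb_global_value "$conf" "domain master")")
    # "domain master = auto" (the default) means: yes iff domain logons = yes.
    case $dmaster in ''|auto) dmaster=$logons ;; esac
    backend=$(smb_global_value "$conf" "passdb backend")

    [ "$oslevel" -ge 32 ] 2>/dev/null || echo "os level is $oslevel, must be >= 32 so this host becomes the DMB"
    [ "$dmaster" = yes ] || echo "domain master resolves to '$dmaster', must be yes"
    [ "$(printf '%s' "$secur" | tr 'A-Z' 'a-z')" = user ] || echo "security is '$secur', must be user"
    [ "$logons" = yes ] || echo "domain logons is '$logons', must be yes"
    [ "$encr" = yes ] || echo "encrypt passwords is '$encr', must be yes"
    case $backend in
        ldapsam*) ;;
        *) [ "$want_bdc" = yes ] && echo "passdb backend '${backend:-unset}' cannot be replicated to a BDC; use ldapsam" ;;
    esac
    return 0
}

# Real use on a server (nothing happens unless asked, so the self-test is offline):
#   RUN_LIVE=1 WANT_BDC=yes sh check-pdc.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    pdc_problems "$(testparm -s 2>/dev/null)" "${WANT_BDC:-no}"
fi
```

Feeding testparm -s rather than the raw file is preferable because testparm applies Samba's own parsing (synonyms such as "writable"/"writeable", include files) and reports syntax errors, while this script only implements the subset of defaults the text above depends on.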