yum install openldap openldap-clients openldap-servers migrationtools samba

 cp /usr/share/doc/samba-4.7./LDAP/samba.ldif  /etc/openldap/schema/

 cp /usr/share/openldap-servers/slapd.ldif  /home/

 [root@ldap-pdc ~]# slappasswd

 New password:

 Re-enter new password:

 {SSHA}sGQJ/b8qamHOmbbBxdxUldfxm3R6ODIj

 #

 # See slapd-config() for details on configuration options.

 # This file should NOT be world readable.

 #

 dn: cn=config

 objectClass: olcGlobal

 cn: config

 olcArgsFile: /var/run/openldap/slapd.args

 olcPidFile: /var/run/openldap/slapd.pid

 #

 # TLS settings

 #

 olcTLSCACertificatePath: /etc/openldap/certs

 olcTLSCertificateFile: "OpenLDAP Server"

 olcTLSCertificateKeyFile: /etc/openldap/certs/password

 #

 # Do not enable referrals until AFTER you have a working directory

 # service AND an understanding of referrals.

 #

 #olcReferral: ldap://root.openldap.org

 #

 # Sample security restrictions

 #       Require integrity protection (prevent hijacking)

 #       Require -bit (3DES or better) encryption for updates

 #       Require -bit encryption for simple bind

 #

 #olcSecurity: ssf= update_ssf= simple_bind=

 #

 # Load dynamic backend modules:

 # - modulepath is architecture dependent value (/-bit system)

 # - back_sql.la backend requires openldap-servers-sql package

 # - dyngroup.la and dynlist.la cannot be used at the same time

 #

 #dn: cn=module,cn=config

 #objectClass: olcModuleList

 #cn: module

 #olcModulepath: /usr/lib/openldap

 #olcModulepath: /usr/lib64/openldap

 #olcModuleload: accesslog.la

 #olcModuleload: auditlog.la

 #olcModuleload: back_dnssrv.la

 #olcModuleload: back_ldap.la

 #olcModuleload: back_mdb.la

 #olcModuleload: back_meta.la

 #olcModuleload: back_null.la

 #olcModuleload: back_passwd.la

 #olcModuleload: back_relay.la

 #olcModuleload: back_shell.la

 #olcModuleload: back_sock.la

 #olcModuleload: collect.la

 #olcModuleload: constraint.la

 #olcModuleload: dds.la

 #olcModuleload: deref.la

 #olcModuleload: dyngroup.la

 #olcModuleload: dynlist.la

 #olcModuleload: memberof.la

 #olcModuleload: pcache.la

 #olcModuleload: ppolicy.la

 #olcModuleload: refint.la

 #olcModuleload: retcode.la

 #olcModuleload: rwm.la

 #olcModuleload: seqmod.la

 #olcModuleload: smbk5pwd.la

 #olcModuleload: sssvlv.la

 #olcModuleload: syncprov.la

 #olcModuleload: translucent.la

 #olcModuleload: unique.la

 #olcModuleload: valsort.la

 #

 # Schema settings

 #

 dn: cn=schema,cn=config

 objectClass: olcSchemaConfig

 cn: schema

 81 include: file:///etc/openldap/schema/core.ldif

 82 include: file:///etc/openldap/schema/corba.ldif

 83 include: file:///etc/openldap/schema/cosine.ldif

 84 include: file:///etc/openldap/schema/duaconf.ldif

 85 include: file:///etc/openldap/schema/dyngroup.ldif

 86 include: file:///etc/openldap/schema/inetorgperson.ldif

 87 include: file:///etc/openldap/schema/java.ldif

 88 include: file:///etc/openldap/schema/misc.ldif

 89 include: file:///etc/openldap/schema/nis.ldif

 90 include: file:///etc/openldap/schema/openldap.ldif

 91 include: file:///etc/openldap/schema/ppolicy.ldif

 92 include: file:///etc/openldap/schema/collective.ldif

 93 include: file:///etc/openldap/schema/samba.ldif

 #

 # Frontend settings

 #

 dn: olcDatabase=frontend,cn=config

 objectClass: olcDatabaseConfig

 objectClass: olcFrontendConfig

 olcDatabase: frontend

 #

 # Sample global access control policy:

 #       Root DSE: allow anyone to read it

 #       Subschema (sub)entry DSE: allow anyone to read it

 #       Other DSEs:

 #               Allow self write access

 #               Allow authenticated users read access

 #               Allow anonymous users to authenticate

 #

 #olcAccess: to dn.base="" by * read

 #olcAccess: to dn.base="cn=Subschema" by * read

 #olcAccess: to *

 #       by self write

 #       by users read

 #       by anonymous auth

 #

 # if no access controls are present, the default policy

 # allows anyone and everyone to read anything but restricts

 # updates to rootdn.  (e.g., "access to * by * read")

 #

 # rootdn can always read and write EVERYTHING!

 #

 #

 # Configuration database

 #

 dn: olcDatabase=config,cn=config

 objectClass: olcDatabaseConfig

 olcDatabase: config

 olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c

  n=auth" manage by * none

 #

 # Server status monitoring

 #

 dn: olcDatabase=monitor,cn=config

 objectClass: olcDatabaseConfig

 olcDatabase: monitor

 olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c

  n=auth" read by dn.base="cn=Manager,dc=ldap-pdc,dc=com" read by * none

 #

 # Backend database definitions

 #

 dn: olcDatabase=hdb,cn=config

 objectClass: olcDatabaseConfig

 objectClass: olcHdbConfig

 olcDatabase: hdb

155 olcSuffix: dc=ldap-pdc,dc=com

156 olcRootDN: cn=Manager,dc=ldap-pdc,dc=com

 olcDbDirectory: /var/lib/ldap

158 olcDbIndex: objectClass eq,pres

159 olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

160 olcRootPW:      {SSHA}CC+i80oqumZigXsWtKf4PJFHEfmyUtTd     #密码前边是TAB贱，注意不要留空格

 rm -rf /etc/openldap/slapd.d/*

 slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif

 slaptest -u -F /etc/openldap/slapd.d/

 [root@ldap-pdc home]# slaptest -u -F /etc/openldap/slapd.d/

 config file testing succeeded

 [root@ldap-pdc home]# 

 chown -Rv ldap.ldap /etc/openldap/slapd.d

 cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG

 systemctl start slapd.service

 [root@ldap-pdc home]# systemctl status slapd.service

 ● slapd.service - OpenLDAP Server Daemon

    Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)

    Active: active (running) since Wed -- :: CST;  day 8h ago

      Docs: man:slapd

            man:slapd-config

            man:slapd-hdb

            man:slapd-mdb

            file:///usr/share/doc/openldap-servers/guide.html

   Process:  ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=/SUCCESS)

   Process:  ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/SUCCESS)

  Main PID:  (slapd)

    CGroup: /system.slice/slapd.service

            └─ /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

 vim /usr/share/migrationtools/migrate_common.ph

 # Default DNS domain

 $DEFAULT_MAIL_DOMAIN = "ldap-pdc.com";

 # Default base

 $DEFAULT_BASE = "dc=ldap-pdc,dc=com";

 chmod +x /usr/share/migrationtools/migrate_common.ph

 /usr/share/migrationtools/migrate_base.pl > /root/base.ldif

 /usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/user.ldif

 /usr/share/migrationtools/migrate_group.pl /etc/group /root/group.ldif

 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f base.ldif

 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f group.ldif

 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f user.ldif

 vi /etc/rsyslog.conf

 local4.*    /var/log/ldap.log    #尾部添加

 touch /var/log/ldap.log         #创建日志文件

 systemctl restart rsyslog.service   重启服务

 yum  install nss-pam-ldapd samba-winbind sssd-ldap perl perl-LDAP.noarch epel-release smbldap-tools.noarch   sssd* pam_ldap openldap-clients

 cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

 cp /usr/share/doc/smbldap-tools-0.9./smb.conf.example /etc/samba/smb.conf

 vim /etc/samba/smb.conf

 [global]

         workgroup = ldap-pdc

         netbios name = PDC-SRV

         deadtime = 

         log level =

         log file = /var/log/samba/log.%m

         max log size =

         debug pid = yes

         debug uid = yes

         utmp = yes

         security = user

         domain logons = yes

         os level =

         logon path =

         logon home =

         logon drive =

         logon script =

         passdb backend = ldapsam:"ldap://10.2.48.125"

         ldap ssl = no

         ldap admin dn = cn=Manager,dc=ldap-pdc,dc=com

         ldap delete dn = no

         ## Sync UNIX password with Samba password

         ## Method :

         unix password sync = no

         ldap password sync = yes

         ## Method :

         ;ldap password sync = no

         ;unix password sync = yes

         ;passwd program = /usr/sbin/smbldap-passwd -u '%u'

         ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

         ldap suffix = dc=ldap-pdc,dc=com

         ldap user suffix = ou=Users

         ldap group suffix = ou=Groups

         ldap machine suffix = ou=Computers

         ldap idmap suffix = ou=Idmap

         add user script = /usr/sbin/smbldap-useradd -m '%u' -t

         rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'

         delete user script = /usr/sbin/smbldap-userdel '%u'

         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

         add group script = /usr/sbin/smbldap-groupadd -p '%g'

         delete group script = /usr/sbin/smbldap-groupdel '%g'

         add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

         delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

         add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 

 [NETLOGON]

         path = /var/lib/samba/netlogon

         browseable = no

 [PROFILES]

         path = /var/lib/samba/profiles

         browseable = no

         writeable = yes

         create mask =

         directory mask =

         csc policy = disable

         map system = yes

         map hidden = yes

 systemctl startt smb

 smbldap-config

 smbldap-populate

 # To use db, put the "db" in front of "files" for entries you want to be

 # looked up first in the databases

 #

 # Example:

 #passwd:    db files nisplus nis

 #shadow:    db files nisplus nis

 #group:     db files nisplus nis

 9 passwd:     files ldap

10 shadow:     files ldap

11 group:      files ldap

 #initgroups: files sss

 #hosts:     db files nisplus nis dns

 hosts:      files ldap myhostname

 # Example - obey only what nisplus tells us...

 #services:   nisplus [NOTFOUND=return] files

 #networks:   nisplus [NOTFOUND=return] files

 #protocols:  nisplus [NOTFOUND=return] files

 #rpc:        nisplus [NOTFOUND=return] files

 #ethers:     nisplus [NOTFOUND=return] files

 #netmasks:   nisplus [NOTFOUND=return] files     

 bootparams: nisplus [NOTFOUND=return] files

 ethers:     files

 netmasks:   files

 networks:   files

 protocols:  files

 rpc:        files

 services:   files sss

 netgroup:   files  ldap

 publickey:  nisplus

 automount:  files ldap

 aliases:    files nisplus

 # This is the configuration file for the LDAP nameservice

 # switch library's nslcd daemon. It configures the mapping

 # between NSS names (see /etc/nsswitch.conf) and LDAP

 # information in the directory.

 # See the manual page nslcd.conf() for more information.

 # The user and group nslcd should run as.

 uid nslcd

 gid ldap

 # The uri pointing to the LDAP server to use for name lookups.

 # Multiple entries may be specified. The address that is used

 # here should be resolvable without using LDAP (obviously).

 #uri ldap://127.0.0.1/

 #uri ldaps://127.0.0.1/

 #uri ldapi://%2fvar%2frun%2fldapi_sock/

 # Note: %2f encodes the '/' used as directory separator

 18 uri ldap://10.2.48.125/

 # The LDAP version to use (defaults to

 # if supported by client library)

 #ldap_version 

 # The distinguished name of the search base.

 25 base dc=ldap-pdc,dc=com

 # The distinguished name to bind to the server with.

 # Optional: default is to bind anonymously.

 #binddn cn=proxyuser,dc=example,dc=com

 # The credentials to bind with.

 # Optional: default is no credentials.

 # Note that if you set a bindpw you should check the permissions of this file.

 #bindpw secret

 # The distinguished name to perform password modifications by root by.

 #rootpwmoddn cn=admin,dc=example,dc=com

 # The default search scope.

 #scope sub

 #scope one

 #scope base

 # Customize certain database lookups.

 #base   group  ou=Groups,dc=example,dc=com

 #base   passwd ou=People,dc=example,dc=com

 #base   shadow ou=People,dc=example,dc=com

 #scope  group  onelevel

 #scope  hosts  sub

 # Bind/connect timelimit.

 #bind_timelimit 

 # Search timelimit.

 #timelimit 

 # Idle timelimit. nslcd will close connections if the

 # server has not been contacted for the number of seconds.

 #idle_timelimit 

 # Use StartTLS without verifying the server certificate.

 #ssl start_tls

 #tls_reqcert never

 # CA certificates for server certificate verification

 #tls_cacertdir /etc/ssl/certs

 #tls_cacertfile /etc/ssl/ca.cert

 # Seed the PRNG if /dev/urandom is not provided

 #tls_randfile /var/run/egd-pool

 # SSL cipher suite

 # See man ciphers for syntax

 #tls_ciphers TLSv1

 # Client certificate and key

 # Use these, if your server requires client authentication.

 #tls_cert

 #tls_key

 # Mappings for Services for UNIX 3.5

 #filter passwd (objectClass=User)

 #map    passwd uid              msSFU30Name

 #map    passwd userPassword     msSFU30Password

 #map    passwd homeDirectory    msSFU30HomeDirectory

 #map    passwd homeDirectory    msSFUHomeDirectory

 #filter shadow (objectClass=User)

 #map    shadow uid              msSFU30Name

 #map    shadow userPassword     msSFU30Password

 #filter group  (objectClass=Group)

 #map    group  member           msSFU30PosixMember

 # Mappings for Services for UNIX 2.0

 #filter passwd (objectClass=User)

 #map    passwd uid              msSFUName

 #map    passwd userPassword     msSFUPassword

 #map    passwd homeDirectory    msSFUHomeDirectory

 #map    passwd gecos            msSFUName

 #filter shadow (objectClass=User)

 #map    shadow uid              msSFUName

 #map    shadow userPassword     msSFUPassword

 #map    shadow shadowLastChange pwdLastSet

 #filter group  (objectClass=Group)

 #map    group  member           posixMember

 # Mappings for Active Directory

 #pagesize

 #referrals off

 #idle_timelimit

 #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

 #map    passwd uid              sAMAccountName

 #map    passwd homeDirectory    unixHomeDirectory

 #map    passwd gecos            displayName

 #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

 #map    shadow uid              sAMAccountName

 #map    shadow shadowLastChange pwdLastSet

 #filter group  (objectClass=group)

 # Alternative mappings for Active Directory

 # (replace the SIDs in the objectSid mappings with the value for your domain)

 #pagesize

 #referrals off

 #idle_timelimit

 #filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))

 #map    passwd uid           cn

 #map    passwd uidNumber     objectSid:S------

 #map    passwd gidNumber     objectSid:S------

 #map    passwd homeDirectory "/home/$cn"

 #map    passwd gecos         displayName

 #map    passwd loginShell    "/bin/bash"

 #filter group (|(objectClass=group)(objectClass=person))

 #map    group gidNumber      objectSid:S------

 # Mappings for AIX SecureWay

 #filter passwd (objectClass=aixAccount)

 #map    passwd uid              userName

 #map    passwd userPassword     passwordChar

 #map    passwd uidNumber        uid

 #map    passwd gidNumber        gid

 #filter group  (objectClass=aixAccessGroup)

 #map    group  cn               groupName

 #map    group  gidNumber        gid

 # This comment prevents repeated auto-migration of settings.

 ssl no

 tls_cacertdir /etc/openldap/cacerts

#

# LDAP Defaults

#

# See ldap.conf() for details

# This file should be world readable but not world writable.

#SIZELIMIT

#TIMELIMIT

#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false

SASL_NOCANON    on

URI ldap://10.2.48.125/

BASE dc=ldap-pdc,dc=com

systemctl restart slapd

systemctl restart smb

systemctl restart nmb

systemctl restart nslcd

systemctl restart nscd

systemctl restart winbind.service

 net rpc join -U root%

 net rpc testjoin

 [root@ldap-pdc etc]# net rpc testjoin

 Join to 'LDAP-PDC' is OK

 [root@ldap-pdc etc]# 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\services\LanmanWorkstation\

Parameters]

“DomainCompatibilityMode”=dword:

“DNSNameResolutionRequired”=dword: