Samba: working with ldap

Install samba and nss-ldap:

apt install samba libnss-ldap nscd


Configure libnss-ldap so that users and groups from LDAP become visible to the Unix system.
During installation you will be asked questions about the libnss-ldap setup.
I use LDAP with TLS (STARTTLS). Here's my final /etc/libnss-ldap.conf (I have removed all commented-out options).
You also need to create the secret file holding the bind password, as described in the comment above the rootbinddn line:


# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
uri ldap://ldap1.example.com/
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=admin,dc=example,dc=com

# Search timelimit in seconds (0 for indefinite; default 0)
timelimit 10
# Bind/connect timelimit (0 for indefinite; default 30)
bind_timelimit 30

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /etc/ssl/certs/ldap1.ca.crt
tls_cacertdir /etc/ssl/certs



Then set up /etc/nsswitch.conf so that LDAP is consulted after the local files:


passwd: files ldap
group: files ldap


Add users and groups in LDAP and check that they show up:

#> getent passwd


#> getent group


After that you can start the caching daemon nscd so that the LDAP server doesn't get overloaded by lookups.


#> systemctl start nscd


After that you can set up Samba to work with LDAP (these settings go in the [global] section of /etc/samba/smb.conf):

# LDAP Settings
passdb backend = ldapsam:ldap://ldap1.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
# or off if TLS/SSL is not configured
ldap ssl = start tls
ldap passwd sync = yes


I've used LDAP Account Manager to manage my LDAP directory.

Samba: audit files activity + log in separate file

In /etc/rsyslog.d/50-smbd_audit.conf tell rsyslogd to direct the audit logs to a separate file (the second line discards the message afterwards so it doesn't also land in the general syslog; newer rsyslog versions spell ~ as stop):


if $programname == 'smbd_audit' then /var/log/samba/audit.log
if $programname == 'smbd_audit' then ~


In /etc/samba/smb.conf tell Samba to audit file operations (put these in the share definition, or in [global] to audit every share):


vfs objects = full_audit
full_audit:prefix = %S|%u|%I|%m
full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice


And finally tell logrotate to rotate the file daily, in /etc/logrotate.d/smbd_audit:


/var/log/samba/audit.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}


Then restart both Samba and rsyslog and enjoy the logs:


#> service smbd restart
#> service rsyslog restart
#> tail -f /var/log/samba/audit.log
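To check that the audit trail is actually usable, here is an added parser (example code, not from the original post) that reads lines in the layout produced by the prefix configured above, tallies successful operations per user and flags users with a burst of deletes and renames. The sample lines are constructed; the op|ok|args tail after the prefix is the full_audit module's own output format, and the "fail (reason)" form only appears if full_audit:failure is set to log failures, which the config above does not.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. Prefix layout follows the page's
# full_audit:prefix = %S|%u|%I|%m (share|user|client IP|client name),
# followed by full_audit's own "|op|ok|args" tail.
SAMPLE_LOG = """\
Mar  3 09:12:01 fs1 smbd_audit: docs|alice|192.0.2.10|WS-ALICE|open|ok|r|reports/q1.xlsx
Mar  3 09:12:02 fs1 smbd_audit: docs|alice|192.0.2.10|WS-ALICE|read|ok|reports/q1.xlsx
Mar  3 09:14:10 fs1 smbd_audit: docs|bob|192.0.2.11|WS-BOB|unlink|ok|old/a.txt
Mar  3 09:14:11 fs1 smbd_audit: docs|bob|192.0.2.11|WS-BOB|unlink|ok|old/b.txt
Mar  3 09:14:11 fs1 smbd_audit: docs|bob|192.0.2.11|WS-BOB|unlink|ok|old/c.txt
Mar  3 09:14:12 fs1 smbd_audit: docs|bob|192.0.2.11|WS-BOB|rename|ok|old/d.txt|old/d.txt.locked
Mar  3 09:15:00 fs1 smbd_audit: docs|alice|192.0.2.10|WS-ALICE|open|fail (Permission denied)|r|hr/salaries.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<rest>.+)$"
)

def parse_line(line):
    """Return a dict for one audit line, or None if it is not a full_audit line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # four prefix fields (share, user, ip, client), then op, result, args...
    fields = m.group("rest").split("|")
    if len(fields) < 6:
        return None
    share, user, ip, client, op, result = fields[:6]
    return {"ts": m.group("ts"), "share": share, "user": user, "ip": ip,
            "client": client, "op": op, "ok": result == "ok",
            "args": fields[6:]}

def summarize(text, churn_threshold=3):
    """Count successful ops per user, collect denied ops, and flag users whose
    unlink+rename count reaches churn_threshold (a mass-delete/rename pattern)."""
    ops = defaultdict(Counter)
    denied = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["ok"]:
            denied.append((rec["user"], rec["op"], rec["args"][-1] if rec["args"] else ""))
            continue
        ops[rec["user"]][rec["op"]] += 1
    suspicious = sorted(u for u, c in ops.items()
                        if c["unlink"] + c["rename"] >= churn_threshold)
    return {"ops": ops, "denied": denied, "suspicious": suspicious}
```

In real use, feed it the rotated /var/log/samba/audit.log files and tune churn_threshold per time window to fit the share's normal activity.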