Custom PAM module to use in Samba

Daniel Iwan iwan.daniel at
Mon Jul 9 13:31:04 UTC 2018

I have a backend service which stores user account and passwords.
It allows authentication of the users provided login & plain password.
Passwords are stored as strongly hashed with salt so no easy way for
reverse them.

I would like those accounts, or at least some of them to have access to
Samba shares.
For that reason I was thinking of using custom PAM module which would send
credentials (login,pwd) over secure connection to my authentication service.

Issue here is using that PAM module in Samba, and compatibility with NTLM
or older versions of protocols.
Also by the look of it Samba is not really PAM compliant due to
incompatibility between PAM and SMB protocol.
Windbind works probably because LDAP or AD stores passwords NT Hash (I'm
assuming here).

Would it be possible to hook into winbind somehow to hand of authentication
part to my service?

Exploring possibilities at this stage.


On Mon, 9 Jul 2018 at 13:01, Rowland Penny via samba-technical <
samba-technical at> wrote:

> On Mon, 9 Jul 2018 12:39:49 +0100
> Daniel Iwan <iwan.daniel at> wrote:
> > Thanks Rowland :)
> >
> > Is creating linux accounts and setting up sync with smbpasswd a better
> > approach here?
> > This would force me to store passwords for user accounts in encrypted
> > (as oppose to hashed form) in my backend (another server)
> > LDAP on the backend is out of scope unfortunately.
> > Is there any better approach?
> >
> Anything is better than plain passwords.
> It might help if you could explain what you are trying to achieve.
> Rowland

More information about the samba-technical mailing list