Custom PAM module to use in Samba

Rowland Penny rpenny at
Mon Jul 9 13:46:09 UTC 2018

On Mon, 9 Jul 2018 14:31:04 +0100
Daniel Iwan <iwan.daniel at> wrote:

> I have a backend service which stores user account and passwords.

What is this backend service ?

> It allows authentication of the users provided login & plain password.
> Passwords are stored as strongly hashed with salt so no easy way for
> reverse them.

Hmm, I 'think' when you say 'plain' password, you mean a normal login
i.e. the user just types their password and if correct, they are logged

> I would like those accounts, or at least some of them to have access
> to Samba shares.
> For that reason I was thinking of using custom PAM module which would
> send credentials (login,pwd) over secure connection to my
> authentication service.

Which is ?

> Issue here is using that PAM module in Samba, and compatibility with
> NTLM or older versions of protocols.

If you are still using anything older than NTLMv2, then can I suggest
you find a way to use a more secure authentication method.

> Also by the look of it Samba is not really PAM compliant due to
> incompatibility between PAM and SMB protocol.
> Windbind works probably because LDAP or AD stores passwords NT Hash
> (I'm assuming here).

Samba and PAM do work, you just have to set them up correctly.

> Would it be possible to hook into winbind somehow to hand of
> authentication part to my service?

Very probably, but we don't know what your backend service is.


More information about the samba-technical mailing list