Custom PAM module to use in Samba

Daniel Iwan iwan.daniel at
Mon Jul 9 14:22:01 UTC 2018

Thanks for your reply Rowland

My answers inline

> > I have a backend service which stores user account and passwords.
> What is this backend service ?

Custom written software with (among other things) user management,
authentication, authorization functionality built-in.
API is exposed through REST and HTTPS

> > It allows authentication of the users provided login & plain password.
> > Passwords are stored as strongly hashed with salt so no easy way for
> > reverse them.
> Hmm, I 'think' when you say 'plain' password, you mean a normal login
> i.e. the user just types their password and if correct, they are logged
> in.

That is correct. User enters login & password. For my service, to be able
to authenticate
it needs to know login and that clear text form of a password rather than
it's hashed form.
Hash of the password is calculated and compared with stored in db.
I think clear password is never sent over the wire by SMB client to Samba
in the first place.

> Issue here is using that PAM module in Samba, and compatibility with
> > NTLM or older versions of protocols.
> If you are still using anything older than NTLMv2, then can I suggest
> you find a way to use a more secure authentication method.
> > Also by the look of it Samba is not really PAM compliant due to
> > incompatibility between PAM and SMB protocol.
> > Windbind works probably because LDAP or AD stores passwords NT Hash
> > (I'm assuming here).
> Samba and PAM do work, you just have to set them up correctly.

I think there is a setting

*encrypt passwords = yes*

which affect whether PAM auth is bypasswed or not

And another one
*obey pam restrictions = yes*

Which I'm not sure at the moment what restrictions it applies to.


More information about the samba-technical mailing list