Samba with PAM/LDAP

Gonzalo Servat gonzalo at unixpac.com.au
Mon Jan 15 04:10:27 GMT 2001


Hi All.

We're trying to get Samba (2.0.7 release) to authenticate via PAM.
Ideally we'd like to get Samba to authenticate directly via LDAP but
that would involve using an experimental branch and that's not
acceptable for this project.

If you do ./configure --with-ldap on the 2.07 release of samba it will
give you an error saying that ldap is not supported in this release (I
find it slightly more concerning that there is a --with-ldap flag on the
configure for openldap, but I digress).

ie

checking whether to use PAM password database... yes
checking whether to use LDAP password database... yes
configure: error: LDAP password database not supported in this version.
[root at beast source]#

My situation at the moment is that I think the way to go is to get samba
to authenticate against PAM. There is a pam_ldap module which I'm using
on my development machine, and it works very well. Compiling with
--with-pam throws no errors. Looking at the symbols that are in the executables it
produces, it would appear that it has indeed been built into the server.

In fact, I've also been reading the source code of samba's password
checking code. I've found the function which does the pam authentication
and another function which claims to be the core of the password
checking code. That function is quite interesting. Take a look (from
source/passdb/pass_check.c):

static BOOL password_check(char *password)
{

#ifdef WITH_PAM
    /* ... comment which will be relevant if we ever get this working
    */
    return (pam_auth(this_user,password));
#endif /* WITH_PAM */
/* ... */

and then there are a whole lot of other authentication methods. WITH_PAM
is defined. In fact, I put a #define at the start of the file to ensure
that it was, only to be informed by the compiler that it had already
been done. Anyway, if pam is defined, the function should return right
there. Needless to say, this is not occurring. I put in a few lines at
the top of that function which basically opened a file and wrote a
message to it. The message never got written.

I've found patches to the 2.2 tree to fix the configure to add pam
support, but nothing for the 2.0x series. Does anyone know anything
about this, or am I barking up the wrong tree entirely here?

Thanks in advance.

Gonzalo.



