[Samba] pam_ldap authentication

John H Terpstra jht at samba.org
Tue May 6 00:28:12 GMT 2003


On Mon, 5 May 2003, Schelstraete Bart wrote:

> Hello,
>
> I have a maybe stupid question regarding pam_ldap and Samba, and I really
> hope that somebody can help me.
>
> I am currently using pam_ldap so that users can log in on the Unix machine
> with their LDAP userid/password.
> Now I want to configure Samba so that it also uses that pam_ldap for
> that authentication. But please note that I only want to authenticate
> through the LDAP, so nothing else is stored in the LDAP server.
>
> Does somebody know if this is possible? If so, can somebody point me in
> the correct direction (what do I need to modify in smb.conf and
> pam.conf)? I already searched the whole internet for more information
> regarding this, but I couldn't find anything similar which could help me.

What you are asking IS possible, but VERY definitely NOT advisable.

To do it you need to disable use of encrypted passwords in Samba and on
ALL your MS Windows clients. You do NOT need to set any LDAP configs in
Samba's smb.conf, you need to configure it to use plain text passwords.
You do need to configure the PAM options in smb.conf. Please check the
smb.conf man page for details.

You then need to configure your Linux system PAM file:
	/etc/pam.d/samba

That is used by Samba, to use your pam_ldap.so as its back end.

Be forewarned: Doing this will cause you problems with MS Windows clients.

1. Your Samba server can NOT be a domain controller - that requires MS
encrypted passwords. Your LDAP server will not have them in its database.

2. Your MS Windows clients will drop drive connections that are idle for
too long (5-15 minutes) and when the user or application tries to
reconnect, the reconnect will fail because MS Windows will have cached only
the encrypted password (even though you disabled encrypted passwords).

- John T.
-- 
John H Terpstra
Email: jht at samba.org
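
An added example, not part of the original message or of Samba itself: a small audit that reads the [global] section of an smb.conf and flags the plaintext-password setup described above. It assumes the smb.conf parameters `encrypt passwords`, `obey pam restrictions` and `domain logons`, with defaults of yes, no and no (the `encrypt passwords` default is that of Samba 3.0 and later); the finding names and the sample configuration are constructed for illustration.

```python
# Added example: audit smb.conf [global] for plaintext-password / PAM settings.
TRUE = {"yes", "true", "1"}  # boolean spellings listed in the smb.conf man page

def parse_global(text):
    """Return {normalized_parameter_name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.lower().split())] = value.strip()
    return params

def is_true(params, name, default):
    value = params.get(name)
    return default if value is None else value.lower() in TRUE

def audit(text):
    """Return a list of finding names (hypothetical labels) for the config."""
    p = parse_global(text)
    encrypted = is_true(p, "encryptpasswords", True)   # assumed default: yes
    pam = is_true(p, "obeypamrestrictions", False)
    dc = is_true(p, "domainlogons", False)
    findings = []
    if not encrypted:
        findings.append("plaintext-passwords")         # cleartext on the wire
        if dc:                                         # point 1 in the reply
            findings.append("plaintext-with-domain-logons")
    elif pam:
        # With encrypted passwords Samba ignores PAM for authentication;
        # only PAM account and session checks apply, so pam_ldap auth is unused.
        findings.append("pam-auth-not-used")
    return findings

# Constructed sample configuration
SAMPLE = """
[global]
   workgroup = EXAMPLE
   Encrypt Passwords = no
   obey pam restrictions = yes
   domain logons = yes
; a comment line
[homes]
   browseable = no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```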

