[Samba] pam authentication needs smbpasswd to lookup login

Claudinei Matos claudineimatos at hospedevip.com.br
Tue Mar 27 17:33:15 GMT 2007

Hi guys,

I'm trying to setup a PostgreSQL authentication database in my network 
and I already get NSS and PAM working.
Well, as PAM is well configured I can login on my box, change password 
and other things, but now I want to be able to use this same pair of 
login/password to connect to a share on this box  via a windows machine.
I've changed smb.conf to use plain text passwords since PAM doesn't work 
with crypted passwords and also tried to enable/disable "obey pam 

My /etc/pam.d/samba looks like the follow:

auth    include      system-auth
account    include      system-auth
session    include      system-auth
password    include      system-auth

and my system-auth:

auth       required     pam_env.so
auth       sufficient   pam_pgsql.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_pgsql.so
account    sufficient   pam_unix.so
account    required     pam_deny.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 
ocredit=2 retry=3
password   sufficient   pam_pgsql.so
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so

The problem is that if I try to authenticate using the user on 
PostgreSQL or even a user of passwd, I can't do it since samba always 
give me this message: "session setup failed: NT_STATUS_LOGON_FAILURE".
If I do add the specified login to smbpasswd with any password, I can 
authenticate but using the password of pam_pgsql/pam_unix and not with 
the password specified at smbpasswd.

So as I can see even with the account subscribed to PostgreSQL or passwd 
I still need to have the user subscribed to smbpasswd file, but the 
password used is the one of the pam module.

Even that there's not exactly a problem to have the user subscribed to 
both mechanisms since I can use the password of my authentication 
database it's not good practice to have to add the user in 2 different 

I know I can also use PostgreSQL as a PDB backend for Samba but it's not 
supported on the official  release anymore since it doesn't have 
maintainers and I don't want to use something that could not exist in 
the future.

So my question is if is there anyway to use just PAM to authenticate my 
users? I already can check password via samba but smbpasswd is still 
need to provide the account information.

Thanks for all the help,

Claudinei Matos

More information about the samba mailing list