[Samba] pam authentication needs smbpasswd to lookup login
claudineimatos at hospedevip.com.br
Tue Mar 27 17:33:15 GMT 2007
I'm trying to set up a PostgreSQL authentication database in my network
and I already got NSS and PAM working.
Well, as PAM is well configured I can log in on my box, change password
and other things, but now I want to be able to use this same pair of
login/password to connect to a share on this box via a windows machine.
I've changed smb.conf to use plain text passwords since PAM doesn't work
with crypted passwords and also tried to enable/disable "obey pam
My /etc/pam.d/samba looks like the following:
auth include system-auth
account include system-auth
session include system-auth
password include system-auth
and my system-auth:
auth required pam_env.so
auth sufficient pam_pgsql.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_pgsql.so
account sufficient pam_unix.so
account required pam_deny.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2
password sufficient pam_pgsql.so
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
The problem is that if I try to authenticate using the user on
PostgreSQL or even a user of passwd, I can't do it since Samba always
gives me this message: "session setup failed: NT_STATUS_LOGON_FAILURE".
If I do add the specified login to smbpasswd with any password, I can
authenticate but using the password of pam_pgsql/pam_unix and not with
the password specified at smbpasswd.
So as I can see even with the account subscribed to PostgreSQL or passwd
I still need to have the user subscribed to smbpasswd file, but the
password used is the one of the pam module.
Even though it's not exactly a problem to have the user subscribed to
both mechanisms, since I can use the password of my authentication
database, it's not good practice to have to add the user in 2 different
I know I can also use PostgreSQL as a PDB backend for Samba but it's not
supported on the official release anymore since it doesn't have
maintainers and I don't want to use something that could not exist in
So my question is: is there any way to use just PAM to authenticate my
users? I can already check the password via Samba, but smbpasswd is still
needed to provide the account information.
Thanks for all the help,