[Samba] authenticate using pam_ldap.so

Dennis Ortsen dortsen at gmail.com
Tue Nov 6 10:33:18 GMT 2007

Hi All,

I've been trying for quite some time now, but feel that there's just
that one situation that doesn't work, and that's probably the one
thing I'd like to use.

I've got a simple samba server (3.0.23c) on RHEL5 that only has one
large share. That share is to be used by a certain number of users,
that can exchange large amounts of data using that share, but not
everybody is allowed access to that share. The most simple way to set
that up is to use the /etc/samba/smbpasswd and add the users locally.
That would be fine, but the number of users is just large enought to
cause a probable overhead of work when they need to change their
password. I have a LDAP server running, without the Samba schema. I
don't want to add the samba schema to that directory, just for about
30 users. (total userbase is 40.000). The next best thing would be to
use PAM together with pam_ldap.so.

pam_ldap.so works fine, cause we use that only to authenticate unix
users for ssh or tty access. (User accounts exist in /etc/passwd, only
the password is not used in /etc/shadow) When a user logs in via ssh
his password is checked in LDAP using pam_ldap.so. That all works like
a charm. I thought I could use the same trick for authenticating the
samba users, but that seems to be a lot more difficult than I

conf files always help a lot:

my smb.conf:
        workgroup = OFFICE
        netbios name = MIDDLEEARTH
        server string = Middleearth Samba Server
        security = share
        obey pam restrictions = yes
        encrypt passwords = no

        path = /share
        valid users = jan,jeff,joe,john,alice
        read only = No
        force user = nobody
        force create mode = 0660
        browseable = No
        guest ok = No

my /etc/pam.d/samba:
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

and my /etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

All I want is to have a local user that exists either in /etc/passwd
or in /etc/samba/smbpasswd, but that the password that is checked is
retrieved from my LDAP server, in (just about) the same way for my
sshd service with pam_ldap.so.

I haven't found a success story on any list/website...

Does someone have a suggestion what I can try next?

Thanks in advance,



More information about the samba mailing list