[Samba] pam_winbind vs. pam_ldap ?

Dr. Lars Hanke lars at lhanke.de
Tue Feb 3 02:13:19 MST 2015

Am 03.02.2015 um 03:54 schrieb Andrey Repin:
> Greetings, All!
> I'm using Samba 3.6 and OpenLDAP currently.
> The core configuration has been done eons ago, and I'm not quite sure it is
> actual any more. I see a number of PAM-related errors every time the system
> boot up. One concerning me is
> Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials)
> Is this a broken PDC configuration (how can I fix it, if yes?) or I can just
> remove libpam-ldap since I'm using libpam-winbind anyway?

Although the credential issue should not occur, traditional pam_ldap for 
user authentication is a very bad idea. It sends plain-text passwords 
over the network unless you force TLS, which of course requires setting up 
a PKI for your network.

If you do not want that and don't want to go for Kerberos, then winbind 
is a sensible option. However, using winbind for NSS also has its own 
potential to drive you nuts. ;)

Concerning the error message: pam_ldap tries to bind to LDAP using the 
DN shown and fails. The DN is configured as something like "rootDN" in 
the pam_ldap config. It could be that the password is also in the config 
file, but better practice is to have it in a separate file, usually 
called *.secret. The file name should in turn be configured in the PAM 
configuration. The description fits libnss-ldap better, but I recall 
that it was not much different for pam-ldap.

  - lars.
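
The checks Lars describes (where the root bind password lives, and whether TLS is forced) can be scripted. The following is an added example, not code from the thread or from the Samba or pam_ldap projects: a POSIX sh audit of a pam_ldap/libnss-ldap style config file. The sample configs it writes are constructed for the demo; the rootbinddn is the one from the log line above, the host name ldap.darkdragon.lan and the secret-file location are assumptions (Debian reads the rootbinddn password from /etc/pam_ldap.secret or /etc/ldap.secret; check your own distribution).

```shell
#!/bin/sh
# Added example (not from the original thread): audit a pam_ldap/libnss-ldap
# style config for two problems: bind password location and missing TLS.

conf_get() {
    # print the value of key $2 in config file $1 ("key value" syntax),
    # ignoring comments; prints nothing if the key is unset
    sed -e 's/#.*//' "$1" |
        awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

tls_mode() {
    # classify transport protection: ldaps, start_tls or plain
    ssl=$(conf_get "$1" ssl)
    uri=$(conf_get "$1" uri)
    case "$ssl" in
        start_tls) echo start_tls ;;
        on|yes)    echo ldaps ;;
        *) case "$uri" in
               ldaps://*) echo ldaps ;;
               *)         echo plain ;;
           esac ;;
    esac
}

password_location() {
    # inline: a bindpw sits in the config file itself
    # secretfile: rootbinddn is set and the secret file $2 is readable
    # missing: rootbinddn is set but there is no secret file to read from
    # none: no privileged bind configured at all
    if [ -n "$(conf_get "$1" bindpw)" ]; then echo inline
    elif [ -n "$(conf_get "$1" rootbinddn)" ]; then
        if [ -r "$2" ]; then echo secretfile; else echo missing; fi
    else echo none; fi
}

secret_file_ok() {
    # 0 if $1 exists and is readable by neither group nor others
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

audit_pam_ldap() {
    # print one FINDING per line; return value is the number of findings
    conf=$1; secret=$2; n=0
    mode=$(tls_mode "$conf")
    if [ "$mode" = plain ]; then
        echo "FINDING: no TLS configured; simple binds send the password in clear"
        n=$((n + 1))
    elif [ "$(conf_get "$conf" tls_checkpeer)" != yes ]; then
        echo "FINDING: tls_checkpeer is not yes; the server certificate is not verified"
        n=$((n + 1))
    fi
    case "$(password_location "$conf" "$secret")" in
        inline)  echo "FINDING: bindpw stored in $conf; move it to a secret file"; n=$((n + 1)) ;;
        missing) echo "FINDING: rootbinddn set but $secret is absent; the root bind cannot succeed"; n=$((n + 1)) ;;
        secretfile) secret_file_ok "$secret" ||
                    { echo "FINDING: $secret is readable by group or others"; n=$((n + 1)); } ;;
    esac
    return $n
}

write_demo_configs() {
    # constructed sample configs in directory $1 (assumed host name, demo password)
    cat > "$1/weak.conf" <<'EOF'
# root bind configured years ago, no TLS, the secret file was never created
uri ldap://ldap.darkdragon.lan/
base dc=darkdragon,dc=lan
rootbinddn uid=root,ou=Users,dc=darkdragon,dc=lan
EOF
    cat > "$1/hardened.conf" <<'EOF'
uri ldap://ldap.darkdragon.lan/
base dc=darkdragon,dc=lan
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/darkdragon-ca.pem
rootbinddn uid=root,ou=Users,dc=darkdragon,dc=lan
EOF
    printf 'example-root-bind-password\n' > "$1/hardened.secret"
    chmod 600 "$1/hardened.secret"
}

demo() {
    d=$(mktemp -d)
    write_demo_configs "$d"
    for name in weak hardened; do
        echo "== $name.conf"
        audit_pam_ldap "$d/$name.conf" "$d/$name.secret"
        echo "findings: $?"
    done
    rm -rf "$d"
}

demo
```

Run it as is to see the constructed weak config produce two findings (plain transport, absent secret file) and the hardened one none; point `audit_pam_ldap` at `/etc/pam_ldap.conf` and your distribution's secret file to check a real host.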
