[Samba] smbd to authenticate via pam modules

David Komanek david.komanek at natur.cuni.cz
Thu Sep 8 14:59:14 UTC 2016


I have a simple setup with pam modules to use kerberos authentication
(heimdal kdc) for various services, i.e. ssh/scp/sftp, ftp and others. I
would like to connect my standalone smbd (no AD membership) to this
system, but have problems to force smbd to use pam.

local smbpasswd works
spnego + kerberos works with a ticket
pam modules are not accessed at all

In my test setup, local samba password differs from the kerberos one, to
be sure, how I got authenticated. If I use
client use spnego = yes
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
kerberos ticket is verified and I get logged in. After removing those 4
lines, giving the kerberos password ends up with

session setup failed: NT_STATUS_LOGON_FAILURE

and there is nothing logged by pam libraries, so I suppose they are not
called at all (other services are using it successfully and logging
without problems). But as long as I am using plaintext passwords, it
should be going to pam libraries, shouldn't it ? Pam configuration is
working for other services, so I suppose the problem is in my samba setup.

It is samba 4.2.10-Debian on Jessie (Debian 8).

Hopefully it would be obvious to someone here what I am doing wrong.

Thanks in advance,




workgroup = WORKGROUP
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 4
panic action = /usr/share/samba/panic-action %d
server role = standalone server

#with the following 4 lines, kerberos ticket is verified and kerberos
authentication works, but this is not through PAM
client use spnego = yes
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

encrypt passwords = no
security = user
client plaintext auth = yes
client ntlmv2 auth = no
client lanman auth = yes

obey pam restrictions = no

unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = no
map to guest = bad user
usershare allow guests = yes

   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

@include common-auth
@include common-account
@include common-session-noninteractive

or alternatively

auth    include common-auth
account include common-account
session include common-session-noninteractive

auth    sufficient      pam_krb5.so debug use_first_pass forwardable
auth    required        pam_unix.so nullok_secure use_first_pass

account sufficient      pam_krb5.so
account required        pam_unix.so

session required        pam_unix.so
session    required   pam_limits.so

More information about the samba mailing list