[Samba] smbd to authenticate via pam modules

David Komanek david.komanek at natur.cuni.cz
Thu Sep 8 15:25:44 UTC 2016


On 09/08/2016 05:10 PM, Volker Lendecke wrote:
> On Thu, Sep 08, 2016 at 04:59:14PM +0200, David Komanek via samba wrote:
>> and there is nothing logged by pam libraries, so I suppose they are not
>> called at all (other services are using it successfully and logging
>> without problems). But as long as I am using plaintext passwords, it
>> should be going to pam libraries, shouldn't it ? Pam configuration is
>> working for other services, so I suppose the problem is in my samba setup.
> You're not using plaintext anymore. Even if you type in your pw into
> smbclient, it is using at least a challenge-response authentication.
>
> Using PAM for authentication is not possible with SMB. PAM wants to
> see the plain text password, which smbd never sees.
>
> Regards,
>
> Volker

Thanks for the quick response. The manpage for smb.conf of version
4.2.10 states that

obey pam restrictions (G)

    When Samba 3.0 is configured to enable PAM support (i.e. --with-pam),
    this parameter will control whether or not Samba should obey PAM's
    account and session management directives.

    The default behavior is to use PAM for clear text authentication only
    and to ignore any account or session management. Note that Samba
    always ignores PAM for authentication in the case of
    encrypt passwords = yes. The reason is that PAM modules cannot support
    the challenge/response authentication mechanism needed in the presence
    of SMB password encryption.

So was it just 3.0 version-specific and Samba 4 discontinued this
feature? If so, what is the right way to authenticate against kerberos
or other external service at the backend (so that the user does not need
to issue a ticket in advance)? I know there is a possibility to store
passwords in local database, but it's just a duplication of information
and a need for extra orchestration in this case. Hopefully there is some
simple way to achieve that without doing this or using the AD overhead.
I just spent the whole day googling with no good solution at the end, so I
am probably missing some terminology to produce well formulated questions.

Sincerely,

  David