[Samba] Re: Configure samba with pam authorization
adrian.liu at vstecs.com
Mon Feb 2 01:37:44 UTC 2026
Hi Rowland,
Thanks for your help : )
To answer your question "Is there no AD server available":
The fact is that there was an existing system (let's call it System A) using OpenLDAP as user info storage, and it has been running for a long time. Recently, the customer wanted to share several of System A's backend system files (on Linux) with Windows users, and each user should be able to access the Linux files they have permission for (using samba) with their own System A account and password. Using an AD server would mean we first have to upgrade System A to change OpenLDAP to AD as the user storage, and then use samba to share files. That is a huge workload which is not possible either timely or economically, and System A is not even allowed to be modified.
Sorry, the mailbox seems to have removed the attachment automatically. I will post it below:
[/etc/nsswitch.conf]
passwd: files systemd sss ldap winbind
group: files systemd sss ldap winbind
shadow: files systemd sss ldap
gshadow: files systemd
hosts: files mdns4_minimal [NOTFOUND=return] dns ldap
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss ldap
automount: sss
[/etc/sssd/sssd.conf]
[sssd]
config_file_version = 2
#services = nss, pam
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.31.131:389
ldap_search_base = dc=sas,dc=com
ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
ldap_default_authtok = sas123
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = True
ldap_user_search_base = ou=People,dc=sas,dc=com
ldap_group_search_base = ou=Groups,dc=sas,dc=com
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_gid_number = gidNumber
[/etc/pam.d/samba]
auth required pam_sss.so
account required pam_sss.so
password required pam_sss.so
session required pam_sss.so
[/etc/samba/smb.conf]
[global]
workgroup = WORKGROUP
server string = Samba Server with LDAP Auth
netbios name = SAMBA-LDAP
passdb backend = tdbsam
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
log level = 3 auth:5 pam:5
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = never
security = user
[shared]
comment = Shared folder for Windows
path = /opt/shared
browseable = yes
writable = yes
guest ok = no
valid users = @sas
create mask = 0755
directory mask = 0755
adrian.liu at vstecs.com
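An added check over the configuration posted above (example code written for this archive page, not part of the thread, of Samba or of SSSD): a small linter that parses smb.conf and sssd.conf fragments and flags the settings that matter for the stated goal. The embedded inputs are constructed, trimmed copies of the posted files with the bind password replaced by a placeholder; the parser assumes the plain `key = value` layout both files use.

```python
# Added linter for the smb.conf / sssd.conf fragments posted above: flags
# settings that defeat the goal (SMB logins checked via PAM against OpenLDAP)
# or expose credentials. Inputs: constructed trimmed copies, password replaced.
import re

SMB_CONF = "[global]\npassdb backend = tdbsam\nobey pam restrictions = yes\n"
SSSD_CONF = """[domain/LDAP]
ldap_uri = ldap://192.168.31.131:389
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = True
"""

def parse_ini(text):
    """Minimal smb.conf/sssd.conf parser -> {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1).strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint(smb_text, sssd_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, g = [], parse_ini(smb_text).get("global", {})
    # Samba ignores PAM for authentication when SMB passwords are encrypted
    # (NTLM challenge/response needs the NT hash), so every SMB user needs a
    # tdbsam entry; pam_sss in /etc/pam.d/samba only covers account/session.
    if g.get("passdb backend", "tdbsam").startswith("tdbsam"):
        findings.append("smb.conf: passdb backend=tdbsam, PAM is not used for "
                        "SMB password checks; each user needs a tdbsam entry")
    for name, d in parse_ini(sssd_text).items():
        if not name.startswith("domain/"):
            continue
        flag = lambda msg: findings.append(f"sssd.conf [{name}]: {msg}")
        if d.get("ldap_auth_disable_tls_never_use_in_production", "").lower() == "true":
            flag("TLS disabled for auth, user passwords cross the wire in clear")
        if (d.get("ldap_uri", "").startswith("ldap://")
                and d.get("ldap_id_use_start_tls", "false").lower() == "false"):
            flag("ldap:// without StartTLS, bind DN password sent in cleartext")
        if "ldap_default_authtok" in d:
            flag("cleartext bind password in file; keep it root-only, mode 0600")
    return findings
```

Run `lint(SMB_CONF, SSSD_CONF)` to see the four findings for the posted fragments; point it at your real files to re-check after changes.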
From: Rowland Penny via samba
Sent: 2026-01-30 18:36
To: samba
Cc: Rowland Penny
Subject: Re: [Samba] Re: Configure samba with pam authorization
On Fri, 30 Jan 2026 17:17:05 +0800
"adrian.liu--- via samba" <samba at lists.samba.org> wrote:
> Add attachments
Sorry, but this list strips attachments.
>
>
>
> adrian.liu at vstecs.com
>
> From: adrian.liu--- via samba
> Sent: 2026-01-30 14:39
> To: samba
> Subject: [Samba] Configure samba with pam authorization
> Hi samba experts:
>
> I have been struggling with a samba configuration problem and could
> not find a solution, so I might need your help : )
> Version info
> OS Version: ubuntu-24.04.3
> Samba Version: Version 4.19.5-Ubuntu
>
> Requirement
> 1. A group of users will need to access a Linux (Ubuntu) shared folder
> (/opt/shared) from a Windows desktop.
> 2. Each user will use their own username/password, and the backend
> user info is stored in an OpenLDAP server.
From the vstechs.com website:
'solutions using cutting edge technologies'
Again, I am sorry, but you cannot describe using Samba with openldap as
a 'cutting edge technology', especially as Samba is actively
advising anyone not to use openldap; it is really a legacy method.
You may be better off using the idmap_nss backend, but this will
require you to create all the users on the file server.
Is there no AD server available?
Rowland