[Samba] Configure samba with pam authorization

adrian.liu at vstecs.com
Mon Feb 2 04:11:36 UTC 2026


Hi Stefan,

Thanks for your help.

It's really a good idea to use an OpenLDAP proxy. I will try this solution today.

adrian.liu at vstecs.com

From: Stefan Kania via samba
Date: 2026-01-30 17:36
To: samba
Subject: Re: [Samba] Configure samba with pam authorization
Did you try to set up an OpenLDAP proxy with the rwm overlay to rewrite the names of the attributes you need?
 
Am 30.01.26 um 07:39 schrieb adrian.liu--- via samba:
> Hi samba experts:
> 
> I have been struggling with a Samba configuration problem and could not find a solution, so I might need your help :)
> 
> VersionInfo
> OS Version: ubuntu-24.04.3
> Samba Version: Version 4.19.5-Ubuntu
> 
> Requirement
> 1. A group of users needs to access a Linux (Ubuntu) shared folder (/opt/shared) from Windows desktops.
> 2. Each user will use their own username/password; the backend user info is stored in an OpenLDAP server.
> 3. The OpenLDAP server is maintained by a central user management team, and the team only offers a read-only LDAP account (the user info follows the RFC 2307 LDAP schema).
> 
> Problem
> Because we only have a read-only LDAP account, we cannot add Samba-specific attributes such as sambaSamAccount/sambaNTPassword/sambaSID to the existing LDAP server. Therefore we cannot make Samba access OpenLDAP directly with the config below:
> [global]
>      workgroup = WORKGROUP
>      netbios name = SAMBA-LDAP
>      server string = Samba Server Direct LDAP
> 
>      passdb backend = ldapsam:ldap://192.168.31.131:389
>      ldap suffix = dc=sas,dc=com
>      ldap user suffix = ou=People
>      ldap group suffix = ou=Groups
>      ldap admin dn = cn=admin,dc=sas,dc=com
>      ldap passwd sync = yes
>      ldap ssl = start_tls
>      ldap tls cacert = /etc/ssl/certs/ca-certificates.crt
> 
> ......
> (It requires adding Samba-specific attributes (sambaSamAccount, sambaSID, sambaNTPassword) to the user info, which I cannot do.)
> 
> We were pursuing a way to delegate the authentication and authorization process to PAM/NSS, so we chose the solution Samba -> PAM/NSS -> SSSD -> OpenLDAP, which seemed very feasible.
> 
> I have attached my current configuration files:
> /etc/samba/smb.conf
> /etc/pam.d/samba
> /etc/nsswitch.conf
> /etc/sssd/sssd.conf
> 
> And I have done the tests below:
> 1. Found a test user sas1 with password sas111 in OpenLDAP.
> 2. Executed getent passwd sas1 and id sas1; the commands worked successfully, which means NSS -> SSSD -> OpenLDAP is configured correctly.
> 3. Executed su - sas1 with password sas111; the command worked successfully, which means PAM -> SSSD -> OpenLDAP is configured correctly.
> 4. Executed pamtester samba sas1 authenticate with password sas111; the command worked successfully, which also means PAM -> SSSD -> OpenLDAP is configured correctly.
> 5. Created the user sas1 in the Samba passdb with the command pdbedit -a -u sas1 -N, setting the password to blank. When using PAM in Samba, it is required to create the users in the Samba passdb as placeholders.
> 
> When I tried to execute the command smbclient //localhost/shared -U sas1%sas111, it generated an NT_STATUS_LOGON_FAILURE error.
> 
> From /var/log/samba/log.127.0.0.1 we can see the cause: it never used PAM for authorization and still tried to authorize against the local passdb.
> 
> According to the documentation, if we set passdb backend = tdbsam and passdb fails to authorize, it would use PAM instead of passdb.
> 
> Could you help me check why Samba failed to authorize with PAM and how to make it work correctly?
> 
> 
> 
> adrian.liu at vstecs.com
 
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
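As an added example (my own code, not from this thread and not Samba's code), the script below shows what the sambaNTPassword attribute mentioned in the original post actually contains and why a server that only has a plaintext checker (a PAM stack) cannot verify an SMB logon: the NT hash is MD4 over the UTF-16LE password, and the NTLMv2 proof a client sends is an HMAC-MD5 chain keyed by that hash, so the server must hold the hash itself. The user sas1, password sas111 and workgroup WORKGROUP are taken from the quoted message; the server challenge and the client blob are constructed values. MD4 is implemented in pure Python because hashlib's md4 sits behind OpenSSL's optional legacy provider on current Ubuntu.

```python
"""Added example (not from the thread, not Samba code): NT hash and NTLMv2 proof."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 may be unavailable)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]

        def step(func, k, s, const):
            r[0] = _lrot((r[0] + func(r[1], r[2], r[3]) + X[k] + const) & MASK, s)
            r.insert(0, r.pop())  # rotate registers: (a,b,c,d) <- (d,a,b,c)

        for i in range(16):
            step(F, i, (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):
            step(G, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i in range(16):
            step(H, K3[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        a, b, c, d = [(x + y) & MASK for x, y in zip((a, b, c, d), r)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, so equal passwords collide."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password(password: str) -> str:
    """The value Samba keeps in sambaNTPassword: the NT hash as uppercase hex."""
    return nt_hash(password).hex().upper()


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp blob)."""
    return hmac.new(ntowf_v2(nt, user, domain), challenge + blob, "md5").digest()


def client_response(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    # Client side: it knows the plaintext and derives the NT hash from it.
    return ntlmv2_proof(nt_hash(password), user, domain, challenge, blob)


def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes, proof: bytes) -> bool:
    # Server side: only the stored NT hash is available; the plaintext never arrives,
    # so a plaintext checker such as PAM has nothing it could verify here.
    expected = ntlmv2_proof(stored_nt, user, domain, challenge, blob)
    return hmac.compare_digest(expected, proof)


def demo() -> bool:
    user, password, domain = "sas1", "sas111", "WORKGROUP"   # from the quoted message
    challenge = bytes.fromhex("0123456789ABCDEF")            # constructed server nonce
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 24   # constructed NTLMv2 temp blob
    proof = client_response(password, user, domain, challenge, blob)
    stored = nt_hash(password)  # what sambaNTPassword would have to hold for sas1
    ok = server_verify(stored, user, domain, challenge, blob, proof)
    wrong = server_verify(nt_hash("not-sas111"), user, domain, challenge, blob, proof)
    return ok and not wrong


if __name__ == "__main__":
    print("sambaNTPassword for sas1:", samba_nt_password("sas111"))
    print("NTLMv2 verification with stored NT hash:", demo())
```

The directory in the thread exposes only RFC 2307 attributes, so there is no sambaNTPassword for the server-side step above to use; that is the gap any proxy or mapping approach has to close before Samba can check an encrypted SMB logon.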