[Samba] Re: Configure samba with pam authorization

adrian.liu at vstecs.com adrian.liu at vstecs.com
Wed Feb 11 01:28:24 UTC 2026


Hi Rowland and other samba experts,

Since I haven't got any new feedback, let me briefly summarize our request:
(1) Samba was used to integrate with a legacy system; the legacy system used OpenLDAP (version 2.6.7) as user and password storage. End users should input exactly the same username/password as for the legacy system to log in to Samba and upload/download files, which meant Samba should authenticate and authorize against the backend OpenLDAP 2.6.7. OpenLDAP 2.6.7 was not replaceable, because that would require the entire legacy system to be rebuilt first.
(2) The OpenLDAP is not editable, because adding or removing any user attributes may have the potential risk of crashing the legacy system. The system administrator only offered us a read-only account for Samba to search user info to do authentication and authorization. Therefore, attributes such as sambaNTPassword could not be used.
(3) Our preliminary thought was this: configure Samba with PAM (Pluggable Authentication Modules) on Linux (OS: Ubuntu 24.04.3). Samba would not contact OpenLDAP; it would just delegate the authentication and authorization work to PAM, and then make PAM contact OpenLDAP. However, we failed to fulfil that, because we tried:
   a. There was no parameter such as "passdb backend = pam" to do that.
   b. I found an internet instruction indicating that Samba indeed supports the feature of integrating with PAM using "passdb backend = tdbsam". I tried it; if I set that, it will always try to authorize in the local passdb, and never pass the request to PAM.
(4) Someone suggested that we could set up an OpenLDAP proxy, but it is still difficult. I am working on this and haven't succeeded.

Could you help us check if integrating Samba with PAM is a feasible solution? And if not, what's the best solution for our circumstances?



adrian.liu at vstecs.com
 
From: adrian.liu at vstecs.com
Sent: 2026-02-02 09:37
To: samba
Cc: Rowland Penny
Subject: Re: Re: [Samba] Re: Configure samba with pam authorization
Hi Rowland,

Thanks for your help : )

To answer your question "Is there no AD server available?":

The fact is that there was an existing system (let's call it System A) using OpenLDAP as user info storage, and it had been running for a long time. Recently, the customer wanted to share several of System A's backend system files (on Linux) with Windows users, so that each user could access the Linux files they have permission for (using Samba) with their own System A account and password. If we assumed the use of an AD server, it would mean we should first upgrade System A to change OpenLDAP to AD as the user storage and then use Samba to share files. It's a huge workload which is not possible, both in time and economically, and System A is not even allowed to be modified.

Sorry, the mailbox seems to automatically remove the attachment; I will post it below:

[/etc/nsswitch.conf]
passwd:         files systemd sss ldap winbind
group:          files systemd sss ldap winbind
shadow:         files systemd sss ldap
gshadow:        files systemd
hosts:          files mdns4_minimal [NOTFOUND=return] dns ldap
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss ldap
automount:      sss

[/etc/sssd/sssd.conf]
[sssd]
config_file_version = 2
#services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.31.131:389
ldap_search_base = dc=sas,dc=com
ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
ldap_default_authtok = sas123
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = True
ldap_user_search_base = ou=People,dc=sas,dc=com
ldap_group_search_base = ou=Groups,dc=sas,dc=com
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_gid_number = gidNumber

[/etc/pam.d/samba]
auth        required    pam_sss.so
account     required    pam_sss.so
password    required    pam_sss.so
session     required    pam_sss.so

[/etc/samba/smb.conf]
[global]
workgroup = WORKGROUP
server string = Samba Server with LDAP Auth
netbios name = SAMBA-LDAP
passdb backend = tdbsam

log file = /var/log/samba/log.%m
max log size = 1000
logging = file
log level = 3 auth:5 pam:5
panic action = /usr/share/samba/panic-action %d

server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

pam password change = yes
map to guest = never
security = user

[shared]
    comment = Shared folder for Windows
    path = /opt/shared
    browseable = yes
    writable = yes
    guest ok = no
    valid users = @sas
    create mask = 0755
    directory mask = 0755



adrian.liu at vstecs.com
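The [domain/LDAP] section posted above carries two settings a reviewer would flag before anything else: the directory is reached over plain ldap:// with ldap_id_use_start_tls = False, so the read-only bind password in ldap_default_authtok crosses the wire in clear text on every lookup, and ldap_auth_disable_tls_never_use_in_production = True switches off SSSD's own refusal to send user passwords without TLS. The Python script below is an added example (not from the thread or from the SSSD project) that parses a constructed copy of that section with the bind password replaced by a placeholder, reports those findings, and shows a hardened variant (assumed here to use LDAPS on port 636; keeping ldap:// with ldap_id_use_start_tls = True would be the other option) that passes the same checks.

```python
import configparser

# Constructed copy of the [domain/LDAP] section from the thread; the bind password
# is a placeholder, not the value that was posted.
POSTED_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.31.131:389
ldap_search_base = dc=sas,dc=com
ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
ldap_default_authtok = <BIND_PASSWORD_PLACEHOLDER>
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = True
"""

# Hardened variant (assumption: the directory offers LDAPS on 636 with a certificate
# that chains to ldap_tls_cacert). The same read-only bind DN is kept.
HARDENED_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://192.168.31.131:636
ldap_search_base = dc=sas,dc=com
ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
ldap_default_authtok = <BIND_PASSWORD_PLACEHOLDER>
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
"""


def audit_sssd_ldap_domain(conf_text: str) -> list[str]:
    """Return one finding per transport weakness in every [domain/...] section using LDAP."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        if sec.get("id_provider") != "ldap" and sec.get("auth_provider") != "ldap":
            continue
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        plain_uris = [u for u in uris if u.startswith("ldap://")]
        start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
        # Identity lookups bind with ldap_default_bind_dn/authtok; without STARTTLS or
        # LDAPS that bind password is sent unencrypted.
        if plain_uris and not start_tls:
            findings.append(f"{name}: ldap:// without ldap_id_use_start_tls: the bind "
                            f"password in ldap_default_authtok is sent in clear text")
        # SSSD refuses password authentication over an unencrypted connection unless
        # this flag is set; with it set, every user's login password goes out in clear.
        if sec.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append(f"{name}: ldap_auth_disable_tls_never_use_in_production is set: "
                            f"user passwords are sent to the LDAP server unencrypted")
        # SSSD's default for ldap_tls_reqcert is 'hard'; 'never'/'allow' skip verification.
        reqcert = sec.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{name}: ldap_tls_reqcert = {reqcert}: the directory's "
                            f"certificate is not verified, so TLS does not prevent impersonation")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(f"{label}: {audit_sssd_ldap_domain(text) or ['no findings']}")
```

The checks only cover what is visible in the posted file; /etc/sssd/sssd.conf must additionally be owned by root with mode 0600 (SSSD refuses to start otherwise), and the bind account should stay read-only and scoped to the People/Groups subtrees, exactly as the central team issued it.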
 
From: Rowland Penny via samba
Sent: 2026-01-30 18:36
To: samba
Cc: Rowland Penny
Subject: Re: [Samba] Re: Configure samba with pam authorization
On Fri, 30 Jan 2026 17:17:05 +0800
"adrian.liu--- via samba" <samba at lists.samba.org> wrote:
 
> Add attachments
 
Sorry, but this list strips attachments.
 
> 
> 
> 
> adrian.liu at vstecs.com
>  
> From: adrian.liu--- via samba
> Sent: 2026-01-30 14:39
> To: samba
> Subject: [Samba] Configure samba with pam authorization
> Hi samba experts:
>  
> I have been struggling with a samba configuration problem, and I
> could not find a solution, so I might need your help : ) 
> VersionInfo
> OS Version: ubuntu-24.04.3
> Samba Version: Version 4.19.5-Ubuntu
>  
> Requirement
> 1. A group of users will need to access a Linux (Ubuntu) shared folder
> (/opt/shared) via Windows desktop. 2. Each of the users will use their
> own username/password, and the backend user info was stored in an
> OpenLDAP server. 
 
From the vstechs.com website:
 
'solutions using cutting edge technologies'
 
Again, I am sorry, but you cannot describe using Samba with openldap as
a 'cutting edge technology', especially as Samba is actively
advising anyone not to use openldap; it is really a legacy method.
 
You may be better off using the idmap_nss backend, but this will
require you to create all the users on the file server.
 
Is there no AD server available ?
 
Rowland
 
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba 

-------------------------------------------------------------------------------------------------------------

Hi samba experts:
 
I have been struggling with a samba configuration problem, and I could not find a solution, so I might need your help : )
 
VersionInfo
OS Version: ubuntu-24.04.3
Samba Version: Version 4.19.5-Ubuntu
 
Requirement
1. A group of users will need to access a Linux (Ubuntu) shared folder (/opt/shared) via Windows desktop.
2. Each of the users will use their own username/password, and the backend user info was stored in an OpenLDAP server.
3. The OpenLDAP server was maintained by a central user management team, and the team only offered a read-only LDAP account (the user info followed the RFC2307 LDAP schema).
 
Problem
Because we only have a read-only LDAP account, we could not add samba-specific attributes, such as sambaSamAccount/sambaNTPassword/sambaSID/etc., to the existing LDAP server. Therefore, we could not make Samba access OpenLDAP directly with the config below:
[global]
    workgroup = WORKGROUP
    netbios name = SAMBA-LDAP
    server string = Samba Server Direct LDAP
 
    passdb backend = ldapsam:ldap://192.168.31.131:389
    ldap suffix = dc=sas,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=sas,dc=com
    ldap passwd sync = yes
    ldap ssl = start_tls
    ldap tls cacert = /etc/ssl/certs/ca-certificates.crt
 
......
(It requires adding samba-specific attributes (sambaSamAccount, sambaSID, sambaNTPassword) to the user info, which I cannot do)
 
We were pursuing a way to delegate the authentication and authorization process to PAM/NSS; therefore we chose the solution of Samba -> PAM/NSS -> SSSD -> OpenLDAP, which seemed very feasible.
 
I have attached my current configuration files:
/etc/samba/smb.conf
/etc/pam.d/samba
/etc/nsswitch.conf
/etc/sssd/sssd.conf
 
And I have done the tests below:
1. Find a test user sas1 with password sas111 in OpenLDAP
2. Execute getent passwd sas1 and id sas1; the commands worked successfully, which meant NSS -> SSSD -> OpenLDAP was configured correctly
3. Execute su - sas1 with password sas111; the command worked successfully, which meant PAM -> SSSD -> OpenLDAP was configured correctly
4. Execute pamtester samba sas1 authenticate with password sas111; the command worked successfully, which also meant PAM -> SSSD -> OpenLDAP was configured correctly
5. Create the user sas1 in the samba passdb with the command pdbedit -a -u sas1 -N, setting the password to blank. If using PAM in samba, it is required to create the users in the samba passdb as placeholders.
 
When I tried to execute the command smbclient //localhost/shared -U sas1%sas111, it generated an NT_STATUS_LOGON_FAILURE error. 
 
From /var/log/samba/log.127.0.0.1, we could see that it was caused by this: it never used PAM to do authorization, and it still tried to authorize in the local passdb.
 
Based on the documentation, it said that if we set passdb backend = tdbsam, then if passdb failed to authorize, it would use PAM instead of passdb.
 
Could you help me check why samba failed to authorize with PAM and how to make it work correctly?
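The log observation above (passdb consulted, PAM never reached) follows from how SMB authentication works rather than from a misconfiguration: an SMB client proves its password with NTLM (or Kerberos) challenge/response, so the server never holds a plaintext password it could pass to pam_sss; PAM is only ever consulted for a plaintext logon, which current Windows clients do not send. The server can verify the client's proof only by recomputing it from the NT hash stored in passdb (or in sambaNTPassword), which is exactly the attribute the read-only directory cannot provide. The Python script below is an added example, not code from the thread or from the Samba project, that walks through that verification with the thread's test credential; it carries its own MD4 (RFC 1320) because OpenSSL 3 builds of hashlib often lack it, and the per-session challenge and client blob are random placeholders rather than real NTLMv2 message layouts.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (needed because hashlib's md4 is often unavailable)."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # target register cycles a, d, c, b
                v[t] = _rol(v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                            + x[k] + k_add, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash a Samba passdb (or sambaNTPassword) stores: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Client side: HMAC-MD5 proof derived from the NT hash; the password itself never leaves the client."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, challenge + blob, hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes,
                  blob: bytes, response: bytes) -> bool:
    """Server side: the only way to check the proof is to recompute it from the stored NT hash.
    A PAM stack answers 'is this plaintext correct?', and there is no plaintext here to ask about."""
    expected = ntlmv2_response(stored_nt, user, domain, challenge, blob)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed values: the thread's test user, plus random per-session challenge/blob.
    user, domain, password = "sas1", "WORKGROUP", "sas111"
    challenge, blob = os.urandom(8), os.urandom(28)
    response = ntlmv2_response(nt_hash(password), user, domain, challenge, blob)
    return {
        "wire_carries_password": password.encode("utf-16-le") in (challenge + blob + response),
        "verify_with_stored_nt_hash": server_verify(nt_hash(password), user, domain, challenge, blob, response),
        "verify_with_other_nt_hash": server_verify(nt_hash("not-sas111"), user, domain, challenge, blob, response),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())  # well-known vector: 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```

What `obey pam restrictions = yes` does buy is PAM account and session management after authentication has already succeeded against passdb; it does not route the password check through pam_sss. The blank-password placeholder entries created with pdbedit therefore hold an NT hash of the empty string, which can never match a proof computed from sas111, and that mismatch is the NT_STATUS_LOGON_FAILURE in the log.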

