[Samba] Re: Configure samba with pam authorization
Christian Naumer
christian.naumer at greyfish.net
Wed Feb 11 07:38:49 UTC 2026
Hi Adrian,
maybe idmap_nss is what you are looking for:
https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
You would still need to create all the users on the Samba side but I see
no other option. Rowland also mentioned this.
Regards
Christian
On 11.02.26 at 02:28, adrian.liu--- via samba wrote:
> Hi Rowland and other samba experts,
>
> Since I haven't got any new feedback.
>
> To briefly summarize our request:
> (1) Samba was used to integrate with a legacy system; the legacy system used openldap (version 2.6.7) as user and password storage. End users should input exactly the same username/password as in the legacy system to log in to Samba and upload/download files, which meant Samba should authenticate and authorize with the backend openldap 2.6.7. Openldap 2.6.7 was not replaceable, because it will cause the entire legacy system to be rebuilt first.
> (2) The openldap is not editable, because adding or removing any user attributes may have the potential risk of causing the legacy system to crash. The system administrator only offered us a readonly account for Samba to search userinfo and do authentication and authorization. Therefore, the attributes such as sambaNTPassword could not be used.
> (3) Our preliminary thought was -- configuring Samba with PAM (Pluggable Authentication Modules) on Linux (os: Ubuntu 24.04.3). Samba didn't contact openldap; it just delegated the authentication and authorization work to PAM, and then made PAM contact openldap. However, we failed to fulfill that, because we tried:
> a. there was no parameter such as "passdb backend = pam" to do that.
> b. I found an internet instruction indicating that -- samba indeed supports the feature of integrating with PAM using "passdb backend = tdbsam". I've tried; if I set it so, it will always try to authorize in the local passdb, and never pass the request to PAM.
> (4) Someone suggested that we could set up an openldap proxy, but it is still difficult. I am working on this and haven't succeeded.
>
> Could you help us to check if integrating Samba with PAM is feasible? And if not, what's the best solution for our circumstances?
>
>
>
> adrian.liu at vstecs.com
>
> From: adrian.liu at vstecs.com
> Sent: 2026-02-02 09:37
> To: samba
> Cc: Rowland Penny
> Subject: Re: Re: [Samba] Re: Configure samba with pam authorization
> Hi Rowland,
>
> Thanks for your help : )
>
> To answer your questions "Is there no AD server available".
>
> The fact is that - there was an existing system (let's call it System A) using OpenLDAP as userinfo storage, and it had been running for a long time. Recently, the customer wanted to share several of System A's backend system files (on Linux) with Windows users, and each user could access the Linux files that they have permission for (using samba) with their own System A account and password. Assuming we use an AD server, it means we should upgrade System A to change OpenLDAP to AD as user storage first and then use samba to share files. It's a huge workload which is not possible both timely and economically, and System A is not even allowed to be modified.
>
> Sorry, the mailbox seemed to automatically remove the attachment; I will post it below:
>
> [/etc/nsswitch.conf]
> passwd: files systemd sss ldap winbind
> group: files systemd sss ldap winbind
> shadow: files systemd sss ldap
> gshadow: files systemd
> hosts: files mdns4_minimal [NOTFOUND=return] dns ldap
> networks: files
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
> netgroup: nis sss ldap
> automount: sss
>
> [/etc/sssd/sssd.conf]
> [sssd]
> config_file_version = 2
> #services = nss, pam
> domains = LDAP
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://192.168.31.131:389
> ldap_search_base = dc=sas,dc=com
> ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
> ldap_default_authtok = sas123
> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_id_use_start_tls = False
> ldap_auth_disable_tls_never_use_in_production = True
> ldap_user_search_base = ou=People,dc=sas,dc=com
> ldap_group_search_base = ou=Groups,dc=sas,dc=com
> ldap_user_object_class = posixAccount
> ldap_group_object_class = posixGroup
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = homeDirectory
> ldap_user_shell = loginShell
> ldap_group_gid_number = gidNumber
>
> [/etc/pam.d/samba]
> auth required pam_sss.so
> account required pam_sss.so
> password required pam_sss.so
> session required pam_sss.so
>
> [/etc/samba/smb.conf]
> [global]
> workgroup = WORKGROUP
> server string = Samba Server with LDAP Auth
> netbios name = SAMBA-LDAP
> passdb backend = tdbsam
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> log level = 3 auth:5 pam:5
> panic action = /usr/share/samba/panic-action %d
>
> server role = standalone server
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>
> pam password change = yes
> map to guest = never
> security = user
>
> [shared]
> comment = Shared folder for Windows
> path = /opt/shared
> browseable = yes
> writable = yes
> guest ok = no
> valid users = @sas
> create mask = 0755
> directory mask = 0755
>
>
>
> adrian.liu at vstecs.com
>
> From: Rowland Penny via samba
> Sent: 2026-01-30 18:36
> To: samba
> Cc: Rowland Penny
> Subject: Re: [Samba] Re: Configure samba with pam authorization
> On Fri, 30 Jan 2026 17:17:05 +0800
> "adrian.liu--- via samba" <samba at lists.samba.org> wrote:
>
>> Add attachments
>
> Sorry, but this list strips attachments.
>
>>
>>
>>
>> adrian.liu at vstecs.com
>>
>> From: adrian.liu--- via samba
>> Sent: 2026-01-30 14:39
>> To: samba
>> Subject: [Samba] Configure samba with pam authorization
>> Hi samba experts:
>>
>> I have been struggling with a samba configuration problem, and I
>> could not find a solution, for which I might need your help : )
>> VersionInfo
>> OS Version: ubuntu-24.04.3
>> Samba Version: Version 4.19.5-Ubuntu
>>
>> Requirement
>> 1. A group of users will need to access a Linux (Ubuntu) shared folder
>> (/opt/shared) via a Windows desktop.
>> 2. Each of the users will use their own username/password, and the
>> backend userinfo was stored in an OpenLDAP server.
>
> From the vstechs.com website:
>
> 'solutions using cutting edge technologies'
>
> Again, I am sorry, but you cannot describe using Samba with openldap as
> a 'cutting edge technology', especially as Samba is actively
> advising anyone not to use openldap, it is really a legacy method.
>
> You may be better off using the idmap_nss backend, but this will
> require you to create all the users on the file server.
>
> Is there no AD server available?
>
> Rowland
>
>
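As an added illustration (not code from the thread, from Samba or from SSSD), the following Python script reads constructed copies of the sssd.conf and smb.conf posted above, trimmed to the relevant keys and with the bind password replaced by a placeholder, and reports the settings that decide the question asked in the thread. smb.conf(5) documents that "obey pam restrictions" never affects authentication when passwords are encrypted (the default, and the only mode SMB2/3 clients support), so with "passdb backend = tdbsam" every user still needs an NT hash in the local tdb, which is why both replies point at idmap_nss plus users created on the file server. The script also flags the cleartext LDAP transport in the posted sssd.conf.

```python
"""Audit an sssd.conf / smb.conf pair for the settings that decide whether an
SMB logon can really be checked against the directory, plus transport and
credential hygiene.  Added example; not code from the list or from Samba."""
import configparser
from typing import List

# Constructed copies of the snippets posted in the thread, trimmed to the
# keys the audit looks at.  The bind password is replaced by a placeholder.
SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.31.131:389
ldap_search_base = dc=sas,dc=com
ldap_default_bind_dn = cn=viewer,dc=sas,dc=com
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = True
"""

SMB_CONF = """\
[global]
passdb backend = tdbsam
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
pam password change = yes
map to guest = never
security = user

[shared]
path = /opt/shared
guest ok = no
valid users = @sas
"""

TRUE_WORDS = {"true", "yes", "1", "on"}


def parse(text: str) -> configparser.ConfigParser:
    # Both files are INI-shaped; smb.conf values carry %m/%u/%n substitutions,
    # so configparser's '%' interpolation must be switched off.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_WORDS


def audit_sssd(text: str) -> List[str]:
    """Findings for every [domain/...] section of an sssd.conf."""
    cp = parse(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uri = d.get("ldap_uri", "")
        if uri.startswith("ldap://") and not is_true(d.get("ldap_id_use_start_tls", "false")):
            findings.append(f"{section}: ldap:// without StartTLS; the bind DN password and "
                            "all identity lookups cross the network in cleartext")
        if is_true(d.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append(f"{section}: TLS disabled for authentication; users' passwords "
                            "are sent to the directory in cleartext")
        if "ldap_default_authtok" in d:
            findings.append(f"{section}: bind password stored inline; keep the file "
                            "root-owned with mode 0600")
    return findings


def audit_smb(text: str) -> List[str]:
    """Findings for smb.conf: why PAM cannot replace a passdb, plus guest checks."""
    cp = parse(text)
    g = cp["global"]
    findings = []
    backend = g.get("passdb backend", "tdbsam")  # tdbsam is Samba's default
    if is_true(g.get("obey pam restrictions", "no")):
        findings.append("global: 'obey pam restrictions' only adds PAM account/session "
                        "checks; NTLM challenge/response is still answered from the "
                        f"'{backend}' passdb, so every user needs an NT hash stored there")
    if is_true(g.get("unix password sync", "no")) or is_true(g.get("pam password change", "no")):
        findings.append("global: password sync/change is on, but the directory is described "
                        "as not editable; disable it or expect client password changes to fail")
    if g.get("map to guest", "never").lower() != "never":
        findings.append("global: 'map to guest' lets failed logons fall through to guest")
    for section in cp.sections():
        if section != "global" and is_true(cp[section].get("guest ok", "no")):
            findings.append(f"{section}: guest access enabled on the share")
    return findings


if __name__ == "__main__":
    for name, result in (("sssd.conf", audit_sssd(SSSD_CONF)), ("smb.conf", audit_smb(SMB_CONF))):
        print(f"== {name} ==")
        for line in result:
            print(" -", line)
```

Run it as `python3 audit_conf.py`; to check a live host, replace the two constants with `open("/etc/sssd/sssd.conf").read()` and `open("/etc/samba/smb.conf").read()` (the former needs root). The sssd findings are independent of the Samba question: even if users are created locally for idmap_nss, the posted sssd.conf still sends the viewer bind password and every user password over the wire unencrypted.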