[Samba] Re: Configure samba with pam authorization

adrian.liu at vstecs.com adrian.liu at vstecs.com
Wed Feb 11 09:50:29 UTC 2026


Hi Christian/Rowland,

I've noticed idmap_nss before, and there's no problem creating all the users on the Samba side (using smbpasswd -a username or pdbedit -a -u username, I suppose).

However, the problem is that if we use smbpasswd/pdbedit to create users, it requires a password to be input. The user passwords were classified for the legacy system and they were encrypted in the openldap server with the userPassword attribute. We were not allowed to know them. The only thing we could do was to set all users' passwords to blank on the Samba side.

The customer didn't want us to create a new password for each samba user; they just wanted all the users to log in to the samba shared folder with the legacy system password.

Thus, when end users open a samba shared folder in Windows Explorer, they input the legacy system's password, and samba passes the username/password to openldap for authentication, and openldap might say "yes, it passes the userpassword check, you can continue", and then samba accepts ldap's decision and allows the user to access.




adrian.liu at vstecs.com
 
From: Rowland Penny via samba
Date: 2026-02-11 16:03
To: samba
CC: Christian Naumer
Subject: Re: [Samba] Re: Configure samba with pam authorization
On Wed, 11 Feb 2026 08:38:49 +0100
Christian Naumer via samba <samba at lists.samba.org> wrote:
 
> Hi Adrian,
> maybe idmap_nss is what you are looking for:
> 
> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
> 
> You would still need to create all the users on the Samba side but I
> see no other option. Rowland also mentioned this.
> 
> Regards
> 
> Christian
> 
> 
 
I have thought about this and idmap_nss maps SIDs to local users, it
sounds like the OP doesn't have any SIDs, so they may be able to get
this working, or more likely, not.
 
I have two thoughts on this, either dump the users from the ldap and
recreate them on a Samba standalone server and then somehow script a
connection to the legacy system, or just accept that this is now 2026
and the legacy system needs to be replaced.
 
Rowland
 