[Samba] Configure samba with pam authorization

adrian.liu at vstecs.com adrian.liu at vstecs.com
Fri Jan 30 06:39:40 UTC 2026 

Hi samba experts:

I have been struggling with a samba configuration problem, and I could not find a solution which I might need your help : )

VersionInfo
OS Version: ubuntu-24.04.3
Samba Version: Version 4.19.5-Ubuntu

Requirement
1. A group of users will need to access Linux (Ubuntu) shared folder (/opt/shared) via Window desktop. 
2. Each of the user will use their own username/password, and the backend userinfo was stored in a OpenLDAP server.
3. The OpenLDAP server was maintained by a central user management team, and the team only offered a readonly LDAP account (the userinfo followed RFC2307 LDAP Schema). 

Problem
Because we only have readonly LDAP account, we could not add samba-specific attributes to LDAP, such as sambaSamAccount/sambaNTPassword/sambaSID/etc to the existing LDAP server. Therefore, we could not make samba to access to OpenLDAP directly, by below config:
[global]
    workgroup = WORKGROUP
    netbios name = SAMBA-LDAP
    server string = Samba Server Direct LDAP

    passdb backend = ldapsam:ldap://192.168.31.131:389
    ldap suffix = dc=sas,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=sas,dc=com
    ldap passwd sync = yes
    ldap ssl = start_tls
    ldap tls cacert = /etc/ssl/certs/ca-certificates.crt 

......
(It required to add samba-specific attributes (sambaSamAccount、sambaSID、sambaNTPassword)to user info, which I cannot do)

We were pursuing a way to delegate the authentication and authorization process to PAM/NSS, therefore we choose the solution of:  Samba -> PAM/NSS -> SSSD -> OpenLdap, which seemed to be very feasible.

I have attached the my current configuration file:
/etc/samba/smb.conf
/etc/pam.d/samba
/etc/nsswitch.conf
/etc/sssd/sssd.conf

And I have done below tests:
1. Find a test user sas1 with password sas111 in OpenLDAP
2. Execute: getent passwd sas1 and id sas1, the command worked successfully, which meant NSS -> SSSD -> OpenLdap configured currectly
3. Execute: su - sas1 with password sas111, the command worked successfully, which meant PAM -> SSSD -> OpenLdap configured currectly
4. Execute: pamtester samba sas1 authenticate with password sas111, the command worked successfully, which also meant PAM -> SSSD -> OpenLdap configured currectly
5. Create the user sas1 in samba passdb with command pdbedit -a -u sas1 -N, setting the password to blank. If using PAM in samba, it required to create the users in samba passdb as placeholder.

When I tried to execute command: smbclient //localhost/shared -U sas1%sas111, it generate a NT_STATUS_LOGON_FAILURE error.  

From /var/log/samba/log.127.0.0.1, we could see that it was caused by - it never used PAM to do authorization, and it still try to authorize the in local passdb.

Based on the document, it said if we set passdb backend = tdbsam --  if passdb failed to authorize, it would use PAM instead of passdb.

Could you help me check why samba failed to authorize with PAM and how to make it work correctly ?



adrian.liu at vstecs.com

More information about the samba mailing list