[Samba] 回复: Configure samba with pam authorization

adrian.liu at vstecs.com adrian.liu at vstecs.com
Fri Jan 30 09:17:05 UTC 2026 

Add attachments



adrian.liu at vstecs.com
 
发件人: adrian.liu--- via samba
发送时间: 2026-01-30 14:39
收件人: samba
主题: [Samba] Configure samba with pam authorization
Hi samba experts:
 
I have been struggling with a samba configuration problem, and I could not find a solution which I might need your help : )
 
VersionInfo
OS Version: ubuntu-24.04.3
Samba Version: Version 4.19.5-Ubuntu
 
Requirement
1. A group of users will need to access Linux (Ubuntu) shared folder (/opt/shared) via Window desktop. 
2. Each of the user will use their own username/password, and the backend userinfo was stored in a OpenLDAP server.
3. The OpenLDAP server was maintained by a central user management team, and the team only offered a readonly LDAP account (the userinfo followed RFC2307 LDAP Schema). 
 
Problem
Because we only have readonly LDAP account, we could not add samba-specific attributes to LDAP, such as sambaSamAccount/sambaNTPassword/sambaSID/etc to the existing LDAP server. Therefore, we could not make samba to access to OpenLDAP directly, by below config:
[global]
    workgroup = WORKGROUP
    netbios name = SAMBA-LDAP
    server string = Samba Server Direct LDAP
 
    passdb backend = ldapsam:ldap://192.168.31.131:389
    ldap suffix = dc=sas,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=sas,dc=com
    ldap passwd sync = yes
    ldap ssl = start_tls
    ldap tls cacert = /etc/ssl/certs/ca-certificates.crt 
 
......
(It required to add samba-specific attributes (sambaSamAccount、sambaSID、sambaNTPassword)to user info, which I cannot do)
 
We were pursuing a way to delegate the authentication and authorization process to PAM/NSS, therefore we choose the solution of:  Samba -> PAM/NSS -> SSSD -> OpenLdap, which seemed to be very feasible.
 
I have attached the my current configuration file:
/etc/samba/smb.conf
/etc/pam.d/samba
/etc/nsswitch.conf
/etc/sssd/sssd.conf
 
And I have done below tests:
1. Find a test user sas1 with password sas111 in OpenLDAP
2. Execute: getent passwd sas1 and id sas1, the command worked successfully, which meant NSS -> SSSD -> OpenLdap configured currectly
3. Execute: su - sas1 with password sas111, the command worked successfully, which meant PAM -> SSSD -> OpenLdap configured currectly
4. Execute: pamtester samba sas1 authenticate with password sas111, the command worked successfully, which also meant PAM -> SSSD -> OpenLdap configured currectly
5. Create the user sas1 in samba passdb with command pdbedit -a -u sas1 -N, setting the password to blank. If using PAM in samba, it required to create the users in samba passdb as placeholder.
 
When I tried to execute command: smbclient //localhost/shared -U sas1%sas111, it generate a NT_STATUS_LOGON_FAILURE error.  
 
From /var/log/samba/log.127.0.0.1, we could see that it was caused by - it never used PAM to do authorization, and it still try to authorize the in local passdb.
 
Based on the document, it said if we set passdb backend = tdbsam --  if passdb failed to authorize, it would use PAM instead of passdb.
 
Could you help me check why samba failed to authorize with PAM and how to make it work correctly ?
 
 
 
adrian.liu at vstecs.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list