adrian.liu at vstecs.com
2026-Jan-30 06:39 UTC
[Samba] Configure samba with pam authorization
Hi samba experts:
I have been struggling with a samba configuration problem, and I could not find
a solution, so I might need your help : )
VersionInfo
OS Version: ubuntu-24.04.3
Samba Version: Version 4.19.5-Ubuntu
Requirement
1. A group of users will need to access a Linux (Ubuntu) shared folder
(/opt/shared) from Windows desktops.
2. Each user will use their own username/password, and the backend
user info is stored in an OpenLDAP server.
3. The OpenLDAP server is maintained by a central user management team, and the
team only offered a read-only LDAP account (the user info follows the RFC2307 LDAP
schema).
Problem
Because we only have a read-only LDAP account, we cannot add samba-specific
attributes such as sambaSamAccount/sambaNTPassword/sambaSID/etc. to the
existing LDAP server. Therefore, we cannot make samba access OpenLDAP
directly with the config below:
[global]
workgroup = WORKGROUP
netbios name = SAMBA-LDAP
server string = Samba Server Direct LDAP
passdb backend = ldapsam:ldap://192.168.31.131:389
ldap suffix = dc=sas,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=sas,dc=com
ldap passwd sync = yes
ldap ssl = start_tls
ldap tls cacert = /etc/ssl/certs/ca-certificates.crt
......
(It requires adding samba-specific attributes
(sambaSamAccount, sambaSID, sambaNTPassword) to the user info, which I cannot do.)
We were pursuing a way to delegate the authentication and authorization process
to PAM/NSS, so we chose the solution Samba -> PAM/NSS -> SSSD
-> OpenLDAP, which seemed very feasible.
I have attached my current configuration files:
/etc/samba/smb.conf
/etc/pam.d/samba
/etc/nsswitch.conf
/etc/sssd/sssd.conf
And I have done the tests below:
1. Find a test user sas1 with password sas111 in OpenLDAP.
2. Execute: getent passwd sas1 and id sas1; the commands worked successfully,
which means NSS -> SSSD -> OpenLDAP is configured correctly.
3. Execute: su - sas1 with password sas111; the command worked successfully,
which means PAM -> SSSD -> OpenLDAP is configured correctly.
4. Execute: pamtester samba sas1 authenticate with password sas111; the command
worked successfully, which also means PAM -> SSSD -> OpenLDAP is configured
correctly.
5. Create the user sas1 in the samba passdb with the command pdbedit -a -u sas1 -N,
setting the password to blank. When using PAM in samba, the users must be created
in the samba passdb as placeholders.
When I tried to execute the command smbclient //localhost/shared -U sas1%sas111, it
generated an NT_STATUS_LOGON_FAILURE error.
From /var/log/samba/log.127.0.0.1, we could see the cause: it never
used PAM to do authorization, and it still tried to authorize in the local passdb.
According to the documentation, if we set passdb backend = tdbsam and passdb
fails to authorize, it will use PAM instead of passdb.
Could you help me check why samba failed to authorize with PAM and how to make
it work correctly?
adrian.liu at vstecs.com
adrian.liu at vstecs.com
2026-Jan-30 09:17 UTC
[Samba] Re: Configure samba with pam authorization
Add attachments
adrian.liu at vstecs.com
From: adrian.liu--- via samba
Sent: 2026-01-30 14:39
To: samba
Subject: [Samba] Configure samba with pam authorization
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Did you try to set up an OpenLDAP proxy with the rwm overlay to rewrite the names of the attributes you need?
On 30.01.26 at 07:39, adrian.liu--- via samba wrote:
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn