adrian.liu at vstecs.com
2026-Jan-30 09:17 UTC
[Samba] 回复: Configure samba with pam authorization
Add attachments
adrian.liu at vstecs.com
???? adrian.liu--- via samba
????? 2026-01-30 14:39
???? samba
??? [Samba] Configure samba with pam authorization
Hi samba experts:
I have been struggling with a samba configuration problem, and I could not find
a solution which I might need your help : )
VersionInfo
OS Version: ubuntu-24.04.3
Samba Version: Version 4.19.5-Ubuntu
Requirement
1. A group of users will need to access Linux (Ubuntu) shared folder
(/opt/shared) via Window desktop.
2. Each of the user will use their own username/password, and the backend
userinfo was stored in a OpenLDAP server.
3. The OpenLDAP server was maintained by a central user management team, and the
team only offered a readonly LDAP account (the userinfo followed RFC2307 LDAP
Schema).
Problem
Because we only have readonly LDAP account, we could not add samba-specific
attributes to LDAP, such as sambaSamAccount/sambaNTPassword/sambaSID/etc to the
existing LDAP server. Therefore, we could not make samba to access to OpenLDAP
directly, by below config:
[global]
workgroup = WORKGROUP
netbios name = SAMBA-LDAP
server string = Samba Server Direct LDAP
passdb backend = ldapsam:ldap://192.168.31.131:389
ldap suffix = dc=sas,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=sas,dc=com
ldap passwd sync = yes
ldap ssl = start_tls
ldap tls cacert = /etc/ssl/certs/ca-certificates.crt
......
?It required to add samba-specific attributes
(sambaSamAccount?sambaSID?sambaNTPassword?to user info, which I cannot do)
We were pursuing a way to delegate the authentication and authorization process
to PAM/NSS, therefore we choose the solution of: Samba -> PAM/NSS -> SSSD
-> OpenLdap, which seemed to be very feasible.
I have attached the my current configuration file:
/etc/samba/smb.conf
/etc/pam.d/samba
/etc/nsswitch.conf
/etc/sssd/sssd.conf
And I have done below tests:
1. Find a test user sas1 with password sas111 in OpenLDAP
2. Execute: getent passwd sas1 and id sas1, the command worked successfully,
which meant NSS -> SSSD -> OpenLdap configured currectly
3. Execute: su - sas1 with password sas111, the command worked successfully,
which meant PAM -> SSSD -> OpenLdap configured currectly
4. Execute: pamtester samba sas1 authenticate with password sas111, the command
worked successfully, which also meant PAM -> SSSD -> OpenLdap configured
currectly
5. Create the user sas1 in samba passdb with command pdbedit -a -u sas1 -N,
setting the password to blank. If using PAM in samba, it required to create the
users in samba passdb as placeholder.
When I tried to execute command: smbclient //localhost/shared -U sas1%sas111, it
generate a NT_STATUS_LOGON_FAILURE error.
From /var/log/samba/log.127.0.0.1, we could see that it was caused by - it never
used PAM to do authorization, and it still try to authorize the in local passdb.
Based on the document, it said if we set passdb backend = tdbsam -- if passdb
failed to authorize, it would use PAM instead of passdb.
Could you help me check why samba failed to authorize with PAM and how to make
it work correctly ?
adrian.liu at vstecs.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On Fri, 30 Jan 2026 17:17:05 +0800 "adrian.liu--- via samba" <samba at lists.samba.org> wrote:> Add attachmentsSorry, but this list strips attachments.> > > > adrian.liu at vstecs.com > > ???? adrian.liu--- via samba > ????? 2026-01-30 14:39 > ???? samba > ??? [Samba] Configure samba with pam authorization > Hi samba experts: > > I have been struggling with a samba configuration problem, and I > could not find a solution which I might need your help : ) > VersionInfo > OS Version: ubuntu-24.04.3 > Samba Version: Version 4.19.5-Ubuntu > > Requirement > 1. A group of users will need to access Linux (Ubuntu) shared folder > (/opt/shared) via Window desktop. 2. Each of the user will use their > own username/password, and the backend userinfo was stored in a > OpenLDAP server.From the vstechs.com website: 'solutions using cutting edge technologies' Again, I am sorry, but you cannot describe using Samba with openldap as a 'cutting edge technology', especially as Samba is actively advising anyone not to use openldap, it is really a legacy method. You may be better off using the idmap_nss backend, but this will require you to create all the users on the file server. Is there no AD server available ? Rowland