Hi All,

I've been trying for quite some time now, but feel that there's just that one situation that doesn't work, and that's probably the one thing I'd like to use.

I've got a simple Samba server (3.0.23c) on RHEL5 that only has one large share. That share is to be used by a certain number of users, who can exchange large amounts of data using that share, but not everybody is allowed access to that share.

The simplest way to set that up is to use /etc/samba/smbpasswd and add the users locally. That would be fine, but the number of users is just large enough to cause a probable overhead of work when they need to change their password.

I have an LDAP server running, without the Samba schema. I don't want to add the Samba schema to that directory, just for about 30 users (total userbase is 40.000).

The next best thing would be to use PAM together with pam_ldap.so. pam_ldap.so works fine, because we use that only to authenticate Unix users for ssh or tty access. (User accounts exist in /etc/passwd, only the password is not used in /etc/shadow.) When a user logs in via ssh, his password is checked in LDAP using pam_ldap.so. That all works like a charm.

I thought I could use the same trick for authenticating the Samba users, but that seems to be a lot more difficult than I thought...

Conf files always help a lot.

My smb.conf:

[global]
    workgroup = OFFICE
    netbios name = MIDDLEEARTH
    server string = Middleearth Samba Server
    security = share
    obey pam restrictions = yes
    encrypt passwords = no

[share]
    path = /share
    valid users = jan,jeff,joe,john,alice
    read only = No
    force user = nobody
    force create mode = 0660
    browseable = No
    guest ok = No

My /etc/pam.d/samba:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

And my /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

All I want is to have a local user that exists either in /etc/passwd or in /etc/samba/smbpasswd, but that the password that is checked is retrieved from my LDAP server, in (just about) the same way as for my sshd service with pam_ldap.so.

I haven't found a success story on any list/website... Does someone have a suggestion what I can try next?

Thanks in advance,
Br.
Dennis