Samba and Default Pam Restrictions

By hernil

obey pam restrictions = yes

I don’t know exactly why this particular line in a Samba config messes up with file permissions but it sure does. It is set by default in a new Ubuntu (server) install as of 22.04 at least and cost me fair few hours to get to the bottom of.

The Samba docs are not exactly crystal clear on what this setting implies but it looks like it’s supposed to be set to no.

When Samba 3.0 is configured to enable PAM support (i.e. –with-pam), this parameter will control whether or not Samba should obey PAM’s account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no

Toggled to yes the setting messes up create mask, directory mask, force create mode and force directory mode - or at least combinations of them to a point where it was seemingly impossible to understand how these settings interacted.


Simply setting seems to remove the ghosts in the system and I have not found any adverse effects as of yet.

obey pam restrictions = no


Input or feedback to this content?
Reply via email!
Related Articles