Debian Samba share Authentication with RADIUS server

authentication debian freeradius radius samba

I'm trying to configure Samba (apt-get install samba) to authenticate users using a RADIUS server and I cannot find anything useful. Is it possible?

I thought I could set Samba to use PAM authentication and then configure PAM to use the RADIUS server. But I found this on "Samba File Server + PAM + Berkeley DB" or "Samba + PAM":

Samba cannot use PAM because the SMB protocol specifies a (set of) incompatible hashes which cannot be used with PAM (which requires the cleartext password, or certain hashed versions of the password).

OS : Debian 7.8 x64

RADIUS : FreeRadius 2.1.12

Package samba: 2:4.1.17+dfsg-2

Best Answer

The text you found is correct; SMB requires NTLM auth, which isn't compatible with PAM.

The problem with PAM is that it requires the user (or an agent acting on the user's behalf, as the Samba server would be) to submit the user's plaintext password, which the Samba server never knows, because the SMB client never sends it.

The SMB client instead sends the MD4 hash of the 16-bit little-endian Unicode of the user's password, hashed with a challenge from the Samba server.

In real-world setups, Samba generally authenticates against AD, and RADIUS also authenticates against AD (via winbindd), and that's how you achieve synchronised credentials.

Samba also authenticates against plain LDAP, so you could, alternatively, use that as your common credential store.