ooba-samba — uses a Samba server to update the out of band authentication user list


ooba-samba [-d] [-p pidfile] [-t sec] [-s] [-a ca] [-c cert] [-k key] host port


The ooba-samba script provides communication between a Samba server and an http-proxy(8) acting as an out of band (OOB) authentication server. The script reads the list of users currently logged on to the Samba server and passes them to the http-proxy. This way, users authenticated on the Samba server are seen as authenticated by proxies that use OOB authentication.

For each user logged on to the Samba server, ooba-samba sends to the http-proxy the user name, the IP address of the user's machine, and the group the user belongs to. An updated list of users is sent to the http-proxy each time a user logs in to or out of the Samba server. Additionally, updates are sent periodically (every 5 minutes by default) in order to synchronize the list in case a login/logout update fails.



-d

Prints some debugging information.

-p pidfile

Writes the process ID into pidfile.

-t sec

Sets the period, in seconds, at which the user list is sent to the OOB authentication server, in addition to the updates triggered by Samba preexec/postexec. The default is 5 minutes.


-s

Uses a secure connection (SSL/TLS) for communication with the OOB authentication server.

-a ca

A file containing the certificate of a trusted certification authority, used to verify the certificate of the OOB authentication server.

-c cert

A file containing a certificate used for communication with the OOB authentication server.

-k key

A file containing the private key for the certificate cert.


host

Address of the OOB authentication server.


port

Port of the OOB authentication server.

Configuration of http-proxy

The http-proxy must be configured as an OOB authentication server using the external method of authentication:

  • A section aproxy must exist, contain the item oob-auth, and be referenced by a session-acl.

  • The section http-proxy must contain the item oob-auth-srv, which references a section oob-auth with method external.

  • Information about user membership in groups is also passed to http-proxy by ooba-samba. Alternatively, if oob-auth.method.ldap is set, http-proxy looks for group membership information in an LDAP database.

  • It is recommended to use SSL/TLS for communication between ooba-samba and the OOB authentication server.

Configuration of Samba Server

  • The ooba-samba script must be installed on the machine running the Samba server.

  • The script must be configured to run for as long as Samba is running. The best method is to start it from an /etc/rc.d or /usr/local/etc/rc.d script.

  • The script must be configured to send the user list to the host and port where the http-proxy acting as an OOB authentication server listens.

  • The following lines must be added to the section of smb4.conf that defines a share to which all users connect:

    root preexec=kill -USR1 `cat pidfile`
    root postexec=kill -USR1 `cat pidfile`

    where pidfile is the file that contains the ooba-samba process ID, as set by the -p option of ooba-samba.
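
The preexec/postexec hooks above run as root and signal whatever PID the pidfile contains, so the pidfile should be checked before it is used. The following is an added example, not part of ooba-samba or Kernun: a POSIX shell helper that sends SIGUSR1 only if the pidfile is a regular file owned by the expected user, not writable by group or others, and holding a single numeric PID. The function names and the optional owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Kernun code): validate the ooba-samba pidfile before a
# root preexec/postexec hook signals the PID stored in it.

# pidfile_is_safe FILE [OWNER_UID]
# Returns 0 only if FILE is a regular file (not a symlink) owned by OWNER_UID
# (default 0, root), has no group/other write bit, and holds one decimal PID.
pidfile_is_safe() {
    file=$1
    owner=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # "ls -ln" prints the mode string and the numeric uid on BSD and Linux.
    set -- $(ls -ln "$file")
    mode=$1
    uid=$3
    [ "$uid" = "$owner" ] || return 1
    case $mode in
        -????-??-?*) ;;           # group-write and other-write both clear
        *) return 1 ;;
    esac
    pid=$(cat "$file") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;  # empty, multi-line, or not purely digits
    esac
    return 0
}

# signal_ooba FILE [OWNER_UID]
# Sends SIGUSR1 to the PID in FILE only when the pidfile passes the checks.
signal_ooba() {
    pidfile_is_safe "$1" "${2:-0}" || return 1
    kill -USR1 "$(cat "$1")"
}
```

In smb4.conf the root preexec and root postexec lines would then call a wrapper script containing signal_ooba in place of the bare kill command; the wrapper's location is left to the administrator.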

See Also

http-proxy(8), http-proxy(5), http-proxy.cfg(5), auth(7)

Samba documentation at


This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.