Integrate PrivacyIDEA PAM with Samba4

Hi Everyone,

I’m currently running Samba4 AD on an AWS EC2 machine. Users are able to log in with their Samba4 AD User on their Ubuntu computers and I am trying to add 2FA (TOTP) after they input their passwords.

I have successfully installed PrivacyIDEA and added a REALM that can read all of my user objects. Additionally, I assigned a token to one user.

However, I am having difficulty understanding how to install the PAM Module and what needs to be configured in the SSSD.conf file (on the client end). Also, I’m unsure if I need to configure anything in the DC itself to force the users to authenticate against the AD & PrivacyIDEA PAM.

I would be grateful for your help.


With PAM you should not use this one.

It is totally oudated due not no longer maintained dependencies.

The new privacyIDEA PAM is not officially released ,yet:

So currently I would recommend using pam-radius, which ships with your distribution.


Thank you for answering promptly.

So the unofficial release is this?

Do you know when it’s expected to be ready? Can I maybe test it?

Regarding pam-radius, what will happen when there will be no available internet connection? Will they be able to login to their account without TOTP due to the offline credentials that are locally saved (I set it to 1 day)?