diff options
Diffstat (limited to 'upstream/archlinux/man5/pam_winbind.conf.5')
| -rw-r--r-- | upstream/archlinux/man5/pam_winbind.conf.5 | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/upstream/archlinux/man5/pam_winbind.conf.5 b/upstream/archlinux/man5/pam_winbind.conf.5 new file mode 100644 index 00000000..2506b70c --- /dev/null +++ b/upstream/archlinux/man5/pam_winbind.conf.5 @@ -0,0 +1,161 @@ +'\" t +.\" Title: pam_winbind.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 02/19/2024 +.\" Manual: 5 +.\" Source: Samba 4.19.5 +.\" Language: English +.\" +.TH "PAM_WINBIND\&.CONF" "5" "02/19/2024" "Samba 4\&.19\&.5" "5" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_winbind.conf \- Configuration file of PAM module for Winbind +.SH "DESCRIPTION" +.PP +This configuration file is part of the +\fBsamba\fR(7) +suite\&. +.PP +pam_winbind\&.conf is the configuration file for the pam_winbind PAM module\&. See +\fBpam_winbind\fR(8) +for further details\&. +.SH "SYNOPSIS" +.PP +The pam_winbind\&.conf configuration file is a classic ini\-style configuration file\&. There is only one section (global) where various options are defined\&. +.SH "OPTIONS" +.PP +pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at +/etc/security/pam_winbind\&.conf\&. Options from the PAM configuration file take precedence to those from the pam_winbind\&.conf configuration file\&. +.PP +debug = yes|no +.RS 4 +Gives debugging output to syslog\&. Defaults to "no"\&. +.RE +.PP +debug_state = yes|no +.RS 4 +Gives detailed PAM state debugging output to syslog\&. Defaults to "no"\&. +.RE +.PP +require_membership_of = [SID or NAME] +.RS 4 +If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME\&. A SID can be either a group\-SID, an alias\-SID or even an user\-SID\&. It is also possible to give a NAME instead of the SID\&. That name must have the form: +\fIMYDOMAIN\emygroup\fR +or +\fIMYDOMAIN\emyuser\fR +(where \*(Aq\e\*(Aq character corresponds to the value of +\fIwinbind separator\fR +parameter)\&. It is also possible to use a UPN in the form +\fIuser@REALM\fR +or +\fIgroup@REALM\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with +wbinfo \-\-user\-sids=SID\&. This setting is empty by default\&. +.sp +This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key\-based login)\&. +.RE +.PP +try_first_pass = yes|no +.RS 4 +By default, pam_winbind tries to get the authentication token from a previous module\&. If no token is available it asks the user for the old password\&. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available\&. If a primary password is not valid, PAM will prompt for a password\&. Default to "no"\&. +.RE +.PP +krb5_auth = yes|no +.RS 4 +pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller\&. Kerberos authentication must be enabled with this parameter\&. When Kerberos authentication can not succeed (e\&.g\&. due to clock skew), winbindd will fallback to samlogon authentication over MSRPC\&. When this parameter is used in conjunction with +\fIwinbind refresh tickets\fR, winbind will keep your Ticket Granting Ticket (TGT) up\-to\-date by refreshing it whenever necessary\&. Defaults to "no"\&. +.RE +.PP +krb5_ccache_type = [type] +.RS 4 +When pam_winbind is configured to try kerberos authentication by enabling the +\fIkrb5_auth\fR +option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be controlled with this option\&. The supported values are: +\fIKCM\fR +or +\fIKEYRING\fR +(when supported by the system\*(Aqs Kerberos library and operating system), +\fIFILE\fR +and +\fIDIR\fR +(when the DIR type is supported by the system\*(Aqs Kerberos library)\&. In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created \- in case of DIR you NEED to specify a directory\&. UID is replaced with the numeric user id\&. The UID directory is being created\&. The path up to the directory should already exist\&. Check the details of the Kerberos implementation\&. +.sp +When using the KEYRING type, the supported mechanism is +\(lqKEYRING:persistent:UID\(rq, which uses the Linux kernel keyring to store credentials on a per\-UID basis\&. The KEYRING has its limitations\&. As it is secure kernel memory, for example bulk sorage of credentils is for not possible\&. +.sp +When using th KCM type, the supported mechanism is +\(lqKCM:UID\(rq, which uses a Kerberos credential manaager to store credentials on a per\-UID basis similar to KEYRING\&. This is the recommended choice on latest Linux distributions, offering a Kerberos Credential Manager\&. If not we suggest to use KEYRING as those are the most secure and predictable method\&. +.sp +It is also possible to define custom filepaths and use the "%u" pattern in order to substitute the numeric user id\&. Examples: +.PP +krb5_ccache_type = DIR:/run/user/%u/krb5cc +.RS 4 +This will create a credential cache file in the specified directory\&. +.RE +.PP +krb5_ccache_type = FILE:/tmp/krb5cc_%u +.RS 4 +This will create a credential cache file\&. +.RE +.sp +Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded\&. This setting is empty by default\&. +.RE +.PP +cached_login = yes|no +.RS 4 +Winbind allows one to logon using cached credentials when +\fIwinbind offline logon\fR +is enabled\&. To use this feature from the PAM module this option must be set\&. Defaults to "no"\&. +.RE +.PP +silent = yes|no +.RS 4 +Do not emit any messages\&. Defaults to "no"\&. +.RE +.PP +mkhomedir = yes|no +.RS 4 +Create homedirectory for a user on\-the\-fly, option is valid in PAM session block\&. Defaults to "no"\&. +.RE +.PP +warn_pwd_expire = days +.RS 4 +Defines number of days before pam_winbind starts to warn about passwords that are going to expire\&. Defaults to 14 days\&. +.RE +.PP +pwd_change_prompt = yes|no +.RS 4 +Generate prompt for changing an expired password\&. Defaults to "no"\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_winbind\fR(8), +\fBwbinfo\fR(1), +\fBwinbindd\fR(8), +\fBsmb.conf\fR(5) +.SH "VERSION" +.PP +This man page is part of version 4\&.19\&.5 of Samba\&. +.SH "AUTHOR" +.PP +The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. +.PP +This manpage was written by Jelmer Vernooij and Guenther Deschner\&. |