summaryrefslogtreecommitdiffstats
path: root/docs-xml/manpages/pam_winbind.conf.5.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/manpages/pam_winbind.conf.5.xml')
-rw-r--r--docs-xml/manpages/pam_winbind.conf.5.xml241
1 files changed, 241 insertions, 0 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
new file mode 100644
index 0000000..3d9cb49
--- /dev/null
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -0,0 +1,241 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="pam_winbind.conf.5">
+
+<refmeta>
+ <refentrytitle>pam_winbind.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">5</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>pam_winbind.conf</refname>
+ <refpurpose>Configuration file of PAM module for Winbind</refpurpose>
+</refnamediv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This configuration file is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+ <para>
+ pam_winbind.conf is the configuration file for the pam_winbind PAM
+ module. See
+ <citerefentry><refentrytitle>pam_winbind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for further details.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>SYNOPSIS</title>
+
+ <para>
+ The pam_winbind.conf configuration file is a classic ini-style
+ configuration file. There is only one section (global) where
+ various options are defined.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+ <para>
+
+ pam_winbind supports several options which can either be set in
+ the PAM configuration files or in the pam_winbind configuration
+ file situated at
+ <filename>/etc/security/pam_winbind.conf</filename>. Options
+ from the PAM configuration file take precedence to those from
+ the pam_winbind.conf configuration file.
+
+ <variablelist>
+
+ <varlistentry>
+ <term>debug = yes|no</term>
+ <listitem><para>Gives debugging output to syslog. Defaults to "no".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>debug_state = yes|no</term>
+ <listitem><para>Gives detailed PAM state debugging output to syslog. Defaults to "no".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>require_membership_of = [SID or NAME]</term>
+ <listitem><para>
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
+ <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
+ <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
+ <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
+ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
+ verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
+ This setting is empty by default.
+ </para>
+ <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>try_first_pass = yes|no</term>
+ <listitem><para>
+ By default, pam_winbind tries to get the authentication token from a previous module. If no token is available
+ it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication
+ token from a previous module is available. If a primary password is not valid, PAM will prompt for a password.
+ Default to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_auth = yes|no</term>
+ <listitem><para>
+
+ pam_winbind can authenticate using Kerberos when winbindd is
+ talking to an Active Directory domain controller. Kerberos
+ authentication must be enabled with this parameter. When
+ Kerberos authentication can not succeed (e.g. due to clock
+ skew), winbindd will fallback to samlogon authentication over
+ MSRPC. When this parameter is used in conjunction with
+ <parameter>winbind refresh tickets</parameter>, winbind will
+ keep your Ticket Granting Ticket (TGT) up-to-date by refreshing
+ it whenever necessary. Defaults to "no".
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccache_type = [type]</term>
+ <listitem><para>
+
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be
+ controlled with this option. The supported values are:
+ <parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+ (when supported by the system's Kerberos library and
+ operating system),
+ <parameter>FILE</parameter> and <parameter>DIR</parameter>
+ (when the DIR type is supported by the system's Kerberos
+ library). In case of FILE a credential cache in the form of
+ /tmp/krb5cc_UID will be created - in case of DIR you NEED
+ to specify a directory. UID is replaced with the numeric
+ user id. The UID directory is being created. The path up to
+ the directory should already exist. Check the details of the
+ Kerberos implementation.</para>
+
+ <para>When using the KEYRING type, the supported mechanism is
+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+ kernel keyring to store credentials on a per-UID basis.
+ The KEYRING has its limitations. As it is secure kernel memory,
+ for example bulk storage of credentials is not possible.</para>
+
+ <para>When using the KCM type, the supported mechanism is
+ <quote>KCM:UID</quote>, which uses a Kerberos credential
+ manager to store credentials on a per-UID basis similar to
+ KEYRING. This is the recommended choice on latest Linux
+ distributions, offering a Kerberos Credential Manager. If not
+ we suggest to use KEYRING as that is the most secure and
+ predictable method.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitute the numeric user id.
+ Examples:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para> Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>cached_login = yes|no</term>
+ <listitem><para>
+ Winbind allows one to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>silent = yes|no</term>
+ <listitem><para>
+ Do not emit any messages. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>mkhomedir = yes|no</term>
+ <listitem><para>
+ Create homedirectory for a user on-the-fly, option is valid in
+ PAM session block. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>warn_pwd_expire = days</term>
+ <listitem><para>
+ Defines number of days before pam_winbind starts to warn about passwords that are
+ going to expire. Defaults to 14 days.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>pwd_change_prompt = yes|no</term>
+ <listitem><para>
+ Generate prompt for changing an expired password. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </para>
+
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>pam_winbind</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>wbinfo</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is part of version &doc.version; of Samba.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by
+ the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
+ </para>
+
+ <para>This manpage was written by Jelmer Vernooij and Guenther Deschner.</para>
+
+</refsect1>
+
+</refentry>
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-27 09:47:56 +0000