From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/manpages/pam_winbind.8.xml | 319 ++++++++++++++++++++++++++++++++++++ 1 file changed, 319 insertions(+) create mode 100644 docs-xml/manpages/pam_winbind.8.xml (limited to 'docs-xml/manpages/pam_winbind.8.xml') diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml new file mode 100644 index 0000000..171bb40 --- /dev/null +++ b/docs-xml/manpages/pam_winbind.8.xml @@ -0,0 +1,319 @@ + + + + + + pam_winbind + 8 + Samba + 8 + &doc.version; + + + + + pam_winbind + PAM module for Winbind + + + + DESCRIPTION + + This tool is part of the samba + 7 suite. + + + pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. + + + + + + SYNOPSIS + + + Edit the PAM system config /etc/pam.d/service and modify it as the following example shows: + + ... + auth required pam_env.so + auth sufficient pam_unix2.so + +++ auth required pam_winbind.so use_first_pass + account requisite pam_unix2.so + +++ account required pam_winbind.so use_first_pass + +++ password sufficient pam_winbind.so + password requisite pam_pwcheck.so cracklib + password required pam_unix2.so use_authtok + session required pam_unix2.so + +++ session required pam_winbind.so + ... + + + Make sure that pam_winbind is one of the first modules in the session part. It may retrieve + kerberos tickets which are needed by other modules. + + + + + OPTIONS + + + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + /etc/security/pam_winbind.conf. Options + from the PAM configuration file take precedence to those from + the configuration file. See + pam_winbind.conf5 + for further details. + + + + + debug + Gives debugging output to syslog. + + + + debug_state + Gives detailed PAM state debugging output to syslog. + + + + require_membership_of=[SID or NAME] + + If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID + can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: MYDOMAIN\mygroup or + MYDOMAIN\myuser (where '\' character corresponds to the value of + winbind separator parameter). It is also possible to use a UPN in the form + user@REALM or group@REALM. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can + verify the list of SIDs a user is a member of with wbinfo --user-sids=SID. + + + + This option must only be specified on a auth + module declaration, as it only operates in conjunction + with password authentication. + + + + + + use_first_pass + + By default, pam_winbind tries to get the authentication token from a previous module. If no token is available + it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication + token from a previous module is available. + + + + + try_first_pass + + Same as the use_first_pass option (previous item), except that if the primary password is not + valid, PAM will prompt for a password. + + + + + use_authtok + + Set the new password to the one provided by the previously stacked password module. If this option is not set + pam_winbind will ask the user for the new password. + + + + + try_authtok + + Same as the use_authtok option (previous item), except that if the new password is not + valid, PAM will prompt for a password. + + + + + krb5_auth + + + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + winbind refresh tickets, winbind will + keep your Ticket Granting Ticket (TGT) up-to-date by refreshing + it whenever necessary. + + + + + + krb5_ccache_type=[type] + + + When pam_winbind is configured to try kerberos authentication + by enabling the krb5_auth option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be + controlled with this option. The supported values are: + KCM or KEYRING + (when supported by the system's Kerberos library and + operating system), + FILE and DIR + (when the DIR type is supported by the system's Kerberos + library). In case of FILE a credential cache in the form of + /tmp/krb5cc_UID will be created - in case of DIR you NEED + to specify a directory which must exist, the UID directory + will be created in the specified directory. + In all cases UID is replaced with the numeric user id. + Check the details of the Kerberos implementation. + + When using the KEYRING type, the supported mechanism is + KEYRING:persistent:UID, which uses the Linux + kernel keyring to store credentials on a per-UID basis. + KEYRING has limitations. For example, it is secure kernel memory, + so bulk storage of credentials is not possible. + + When using the KCM type, the supported mechanism is + KCM:UID, which uses a Kerberos credential + manager to store credentials on a per-UID basis similar to + KEYRING. This is the recommended choice on latest Linux + distributions that offer a Kerberos Credential Manager. If not, + we suggest to use KEYRING, as those are the most secure and + predictable method. + + It is also possible to define custom filepaths and use the "%u" + pattern in order to substitute the numeric user id. + Examples: + + + + krb5_ccache_type = DIR:/run/user/%u/krb5cc + This will create a credential cache file in the specified directory. + + + krb5_ccache_type = FILE:/tmp/krb5cc_%u + This will create a credential cache file. + + + + Leave empty to just do kerberos authentication without + having a ticket cache after the logon has succeeded. + This setting is empty by default. + + + + + cached_login + + Winbind allows one to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. + + + + + silent + + Do not emit any messages. + + + + + mkhomedir + + Create homedirectory for a user on-the-fly, option is valid in + PAM session block. + + + + + warn_pwd_expire + + Defines number of days before pam_winbind starts to warn about passwords that are + going to expire. Defaults to 14 days. + + + + + + + + + + + PAM DATA EXPORTS + + This section describes the data exported in the PAM stack which could be used in other PAM modules. + + + PAM_WINBIND_HOMEDIR + + + This is the Windows Home Directory set in the profile tab in the user settings + on the Active Directory Server. This could be a local path or a directory on a + share mapped to a drive. + + + + + PAM_WINBIND_LOGONSCRIPT + + + The path to the logon script which should be executed if a user logs in. This is + normally a relative path to the script stored on the server. + + + + + PAM_WINBIND_LOGONSERVER + + + This exports the Active Directory server we are authenticating against. This can be + used as a variable later. + + + + + PAM_WINBIND_PROFILEPATH + + + This is the profile path set in the profile tab in the user settings. Normally + the home directory is synced with this directory on a share. + + + + + + + SEE ALSO + + pam_winbind.conf + 5, + wbinfo + 1, + winbindd + 8, + smb.conf + 5 + + + + VERSION + + This man page is part of version &doc.version; of Samba. + + + + AUTHOR + + + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by + the Samba Team as an Open Source project similar to the way the Linux kernel is developed. + + + This manpage was written by Jelmer Vernooij and Guenther Deschner. + + + + -- cgit v1.2.3