source: vendor/3.5.7/docs/manpages/pam_winbind.8

.\"     Title: pam_winbind
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
.\"      Date: 06/18/2010
.\"    Manual: 8
.\"    Source: Samba 3.5
.\"  Language: English
.\"
.TH "PAM_WINBIND" "8" "06/18/2010" "Samba 3\&.5" "8"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
pam_winbind \- PAM module for Winbind
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon\&.
.SH "SYNOPSIS"
.PP
Edit the PAM system config /etc/pam\&.d/service and modify it as the following example shows:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.if t \{\
.sp -1
.\}
.BB lightgray adjust-for-leading-newline
.sp -1

                            \&.\&.\&.
                            auth      required        pam_env\&.so
                            auth      sufficient      pam_unix2\&.so
                        +++ auth      required        pam_winbind\&.so  use_first_pass
                            account   requisite       pam_unix2\&.so
                        +++ account   required        pam_winbind\&.so  use_first_pass
                        +++ password  sufficient      pam_winbind\&.so
                            password  requisite       pam_pwcheck\&.so  cracklib
                            password  required        pam_unix2\&.so    use_authtok
                            session   required        pam_unix2\&.so
                        +++ session   required        pam_winbind\&.so
                            \&.\&.\&.
                
.EB lightgray adjust-for-leading-newline
.if t \{\
.sp 1
.\}
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Make sure that pam_winbind is one of the first modules in the session part\&. It may retrieve kerberos tickets which are needed by other modules\&.
.SH "OPTIONS"
.PP
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at
\FC/etc/security/pam_winbind\&.conf\F[]\&. Options from the PAM configuration file take precedence to those from the configuration file\&. See
\fBpam_winbind.conf\fR(5)
for further details\&.
.PP
debug
.RS 4
Gives debugging output to syslog\&.
.RE
.PP
debug_state
.RS 4
Gives detailed PAM state debugging output to syslog\&.
.RE
.PP
require_membership_of=[SID or NAME]
.RS 4
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME\&. A SID can be either a group\-SID, an alias\-SID or even an user\-SID\&. It is also possible to give a NAME instead of the SID\&. That name must have the form:
\fIMYDOMAIN\e\emygroup\fR
or
\fIMYDOMAIN\e\emyuser\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with
\FCwbinfo \-\-user\-sids=SID\F[]\&.
.RE
.PP
use_first_pass
.RS 4
By default, pam_winbind tries to get the authentication token from a previous module\&. If no token is available it asks the user for the old password\&. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available\&.
.RE
.PP
try_first_pass
.RS 4
Same as the use_first_pass option (previous item), except that if the primary password is not valid, PAM will prompt for a password\&.
.RE
.PP
use_authtok
.RS 4
Set the new password to the one provided by the previously stacked password module\&. If this option is not set pam_winbind will ask the user for the new password\&.
.RE
.PP
krb5_auth
.RS 4
pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller\&. Kerberos authentication must be enabled with this parameter\&. When Kerberos authentication can not succeed (e\&.g\&. due to clock skew), winbindd will fallback to samlogon authentication over MSRPC\&. When this parameter is used in conjunction with
\fIwinbind refresh tickets\fR, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary\&.
.RE
.PP
krb5_ccache_type=[type]
.RS 4
When pam_winbind is configured to try kerberos authentication by enabling the
\fIkrb5_auth\fR
option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be set with this option\&. Currently the only supported value is:
\fIFILE\fR\&. In that case a credential cache in the form of /tmp/krb5cc_UID will be created, where UID is replaced with the numeric user id\&. Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded\&.
.RE
.PP
cached_login
.RS 4
Winbind allows to logon using cached credentials when
\fIwinbind offline logon\fR
is enabled\&. To use this feature from the PAM module this option must be set\&.
.RE
.PP
silent
.RS 4
Do not emit any messages\&.
.RE
.PP
mkhomedir
.RS 4
Create homedirectory for a user on\-the\-fly, option is valid in PAM session block\&.
.RE
.PP
warn_pwd_expire
.RS 4
Defines number of days before pam_winbind starts to warn about passwords that are going to expire\&. Defaults to 14 days\&.
.RE
.SH "PAM DATA EXPORTS"
.PP
This section describes the data exported in the PAM stack which could be used in other PAM modules\&.
.PP
PAM_WINBIND_HOMEDIR
.RS 4
This is the Windows Home Directory set in the profile tab in the user settings on the Active Directory Server\&. This could be a local path or a directory on a share mapped to a drive\&.
.RE
.PP
PAM_WINBIND_LOGONSCRIPT
.RS 4
The path to the logon script which should be executed if a user logs in\&. This is normally a relative path to the script stored on the server\&.
.RE
.PP
PAM_WINBIND_LOGONSERVER
.RS 4
This exports the Active Directory server we are authenticating against\&. This can be used as a variable later\&.
.RE
.PP
PAM_WINBIND_PROFILEPATH
.RS 4
This is the profile path set in the profile tab in the user settings\&. Normally the home directory is synced with this directory on a share\&.
.RE
.SH "SEE ALSO"
.PP
\fBpam_winbind.conf\fR(5),
\fBwbinfo\fR(1),
\fBwinbindd\fR(8),
\fBsmb.conf\fR(5)
.SH "VERSION"
.PP
This man page is correct for version 3 of Samba\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
This manpage was written by Jelmer Vernooij and Guenther Deschner\&.