2025-02-04 17:47:26 +03:00 · - · 81203dc95c
commit 81203dc95c
parent ab631b31fb
8 changed files with 226 additions and 187 deletions
--- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml
+++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml
@ -3,27 +3,28 @@
 <chapterinfo>
 	<author>
 		<firstname>Jean François</firstname><surname>Micouleau</surname>
+		&person.jerry;
 	</author>
 </chapterinfo>

 <title>Configuring Group Mapping</title>

-<para> 
-Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
-current method (likely to change) to manage the groups is a new command called
-&smbgroupedit;.
+<para>
+Starting with Samba 3.0 alpha 2, new group mapping functionality
+is available to create associations between Windows SIDs and UNIX
+groups. The <parameter>groupmap</parameter> subcommand included with
+the <command>net</command> tool can be used to manage these associations.
 </para>

 <para>
-The first immediate reason to use the group mapping on a PDC, is that
-the <command>domain admin group</command> of &smb.conf; is 
-now gone. This parameter was used to give the listed users local admin rights 
-on their workstations. It was some magic stuff that simply worked but didn't
-scale very well for complex setups.
+The first immediate reason to use the group mapping on a Samba PDC, is that
+the <parameter>domain admin group</parameter> &smb.conf; has been removed.
+This parameter was used to give the listed users membership in the "Domain Admins"
+Windows group which gave local admin rights on their workstations (in
+default configurations).
 </para>

 <para>
-Let me explain how it works on NT/W2K, to have this magic fade away.
 When installing NT/W2K on a computer, the installer program creates some users
 and groups. Notably the 'Administrators' group, and gives to that group some
 privileges like the ability to change the date and time or to kill any process
@ -34,46 +35,70 @@ group privileges. If a 'joe' user is created and become a member of the
 </para>

 <para>
-When a NT/W2K machine is joined to a domain, during that phase, the "Domain
-Administrators' group of the PDC is added to the 'Administrators' group of the
-workstation. Every members of the 'Domain Administrators' group 'inherit' the
-rights of the 'Administrators' group when logging on the workstation.
+When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the
+PDC is added to the local 'Administrators' group of the workstation. Every
+member of the 'Domain Administrators' group 'inherit' the
+rights of the local 'Administrators' group when logging on the workstation.
 </para>

 <para>
-You are now wondering how to make some of your samba PDC users members of the
-'Domain Administrators' ? That's really easy.
+The following steps describe how to make samba PDC users members of the
+'Domain Admins' group?
 </para>

-<orderedlist> 
-<listitem><para>create a unix group (usually in <filename>/etc/group</filename>), let's call it domadm</para></listitem>
-<listitem><para>add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <filename>/etc/group</filename> will look like:</para>
+<orderedlist>
+<listitem><para>create a unix group (usually in <filename>/etc/group</filename>),
+  let's call it domadm</para></listitem>
+<listitem><para>add to this group the users that must be Administrators. For example
+  if you want joe,john and mary, your entry in <filename>/etc/group</filename> will
+  look like:</para>

-<para><programlisting>
-domadm:x:502:joe,john,mary
-</programlisting></para>
+  <para><programlisting>
+  domadm:x:502:joe,john,mary
+  </programlisting></para>

-</listitem>
+  </listitem>

-<listitem><para>Map this domadm group to the <command>domain admins</command> group by running the command:</para>
+<listitem><para>Map this domadm group to the "Domain Admins" group
+  by running the command:</para>

-<para><userinput>smbgroupedit -c "Domain Admins" -u domadm</userinput></para></listitem>
+  <para><prompt>root# </prompt><userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput></para>
+  
+  <para>The quotes around "Domain Admins" are necessary due to the space in the group name.  Also make
+  sure to leave no whitespace surrounding the equal character (=).</para>
+  </listitem>

 </orderedlist>

-<para>You're set, joe, john and mary are domain administrators !</para>
+<para>Now joe, john and mary are domain administrators!</para>

 <para>
-Like the Domain Admins group, you can map any arbitrary Unix group to any NT
-group. You can also make any Unix group a domain group. For example, on a domain
-member machine (an NT/W2K or a samba server running winbind), you would like to
-give access to a certain directory to some users who are member of a group on
-your samba PDC. Flag that group as a domain group by running:
+It is possible to map any arbitrary UNIX group to any Windows NT
+group as well as making any UNIX group a Windows domain group.
+For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a
+local file or printer on a domain member machine, you would flag
+that group as a domain group by running the following on the Samba PDC:
 </para>

-<para><userinput>smbgroupedit -a unixgroup -td</userinput></para>
+<para><prompt>root# </prompt><userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput></para>

-<para>You can list the various groups in the mapping database like this</para>
-<para><userinput>smbgroupedit -v</userinput></para>
+<para>Be aware that the rid parmeter is a unsigned 32 bit integer that should
+normally start at 1000.  However, this rid must not overlap with any RID assigned
+to a user.  Verifying this is done differently depending on on the passdb backend 
+you are using.  Future versions of the tools may perform the verification automatically,
+but for now the burden in on you.</para>
+
+<para>You can list the various groups in the mapping database by executing 
+<command>net groupmap list</command>.  Here is an example:</para>
+
+<para><programlisting><prompt>root# </prompt>net groupmap list
+System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
+Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
+Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
+Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
+</programlisting></para>
+
+<para>For complete details on <command>net groupmap</command>, refer to the 
+net(8) man page.</para>

 </chapter>
--- a/docs/docbook/projdoc/IntroSMB.sgml
+++ b/docs/docbook/projdoc/IntroSMB.sgml
@ -161,8 +161,8 @@ related to Samba: SMBFS and CIFS VFS.  These are both available in the Linux ker
 	name space), secure per-user session establishment, safe distributed caching (oplock), 
 	optional packet signing, Unicode and other internationalization improvements, and optional 
 	Winbind (nsswitch) integration.
-	</para></listitem>
-
+        </para></listitem>
+ 
 </itemizedlist>

 <para>
@ -170,6 +170,12 @@ Again, it's important to note that these are implementations for client filesyst
 nothing to do with acting as a file and print server for SMB/CIFS clients.
 </para>

+<para>
+There are other Open Source CIFS client implementations, such as the jCIFS project
+(jcifs.samba.org) which provides an SMB client toolkit written in Java.
+</para>
+
+
 </sect1>


--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
@ -79,19 +79,19 @@ What are the features that Samba-3 can NOT provide?

 <itemizedlist>
 <listitem>
-	<para>Active Directory Server<para>
+	<para>Active Directory Server</para>
 </listitem>
 <listitem>
-	<para>Group Policy Objects (in Active Direcrtory)<para>
+	<para>Group Policy Objects (in Active Direcrtory)</para>
 </listitem>
 <listitem>
-	<para>Machine Policy objects<para>
+	<para>Machine Policy objects</para>
 </listitem>
 <listitem>
-	<para>Logon Scripts in Active Directorty<para>
+	<para>Logon Scripts in Active Directorty</para>
 </listitem>
 <listitem>
-	<para>Software Application and Access Controls in Active Directory<para>
+	<para>Software Application and Access Controls in Active Directory</para>
 </listitem>
 </itemizedlist>

@ -309,7 +309,7 @@ Samba-3 set up as a DC with netlogon share, profile share, etc.

 	<step><para>initGrps.sh DOMNAME</para></step>

-	<step><para>smbgroupedit -v</para>
+	<step><para>net groupmap list</para>
 		<substeps><step><para>Now check that all groups are recognised</para></step></substeps>
 	</step>

@ -469,7 +469,7 @@ Logon Scripts (Know how they work)

 User and Group mapping to Unix/Linux
 	username map facility may be needed
-	Use smbgroupedit to connect NT4 groups to Unix groups
+	Use 'net groupmap' to connect NT4 groups to Unix groups
 	Use pdbedit to set/change user configuration
 NOTE:
 If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP
@ -489,7 +489,7 @@ Migration Tools
 	Profiles, Policies, Access Controls, Security

 Migration Tools
-	Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles
+	Samba: net, rpcclient, smbpasswd, pdbedit, profiles
 	Windows: NT4 Domain User Manager, Server Manager (NEXUS)

 Authentication
@ -497,6 +497,8 @@ Authentication
 </programlisting>
 </para>

+</sect2>
+
 </sect1>

 </chapter>
--- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
+++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
@ -244,7 +244,7 @@ Options recognized by this module are as follows:
                                password used for successful authentication.
        smbconf=&lt file &gt  -     specify an alternate path to the smb.conf
                                file.
-</programlisting><para>
+</programlisting></para>

 <para><programlisting>
 Thanks go to the following people:
--- a/docs/docbook/projdoc/PolicyMgmt.sgml
+++ b/docs/docbook/projdoc/PolicyMgmt.sgml
@ -310,7 +310,7 @@ Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC

 <para>
 With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
-<filename>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</filename>. The administrator should read the
+<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
 man pages for these tools and become familiar with their use.
 </para>

--- a/docs/docbook/projdoc/Portability.sgml
+++ b/docs/docbook/projdoc/Portability.sgml
@ -229,6 +229,7 @@ Nsswitch on Solaris 9 refuses to use the winbind nss module.  This behavior
 is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
 roll-up packages.
 </para>
+</sect2>
 </sect1>

 </chapter>
--- a/docs/docbook/projdoc/SWAT.sgml
+++ b/docs/docbook/projdoc/SWAT.sgml
@ -134,7 +134,7 @@ Modifications to the swat setup are as following:
 	root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
 	 	/usr/share/doc/packages/stunnel/stunnel.cnf \
 		-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
-	</programlisting><para></listitem>
+	</programlisting></para></listitem>

 	<listitem><para>
 	remove swat-entry from [x]inetd 
--- a/docs/docbook/projdoc/winbind.sgml
+++ b/docs/docbook/projdoc/winbind.sgml
@ -18,6 +18,7 @@
 		</affiliation>
 	</author>
 	&author.jelmer;
+	&author.jht;
 	</authorgroup>
 	<pubdate>27 June 2002</pubdate>
 </chapterinfo>
@ -643,12 +644,12 @@ your PDC.  For example, I get the following response:
 </para>

 <para><programlisting>
-CEO+Administrator
-CEO+burdell
-CEO+Guest
-CEO+jt-ad
-CEO+krbtgt
-CEO+TsInternetUser
+	CEO+Administrator
+	CEO+burdell
+	CEO+Guest
+	CEO+jt-ad
+	CEO+krbtgt
+	CEO+TsInternetUser
 </programlisting></para>

 <para>
@ -663,15 +664,15 @@ the PDC:

 <para><programlisting>
 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
-CEO+Domain Admins
-CEO+Domain Users
-CEO+Domain Guests
-CEO+Domain Computers
-CEO+Domain Controllers
-CEO+Cert Publishers
-CEO+Schema Admins
-CEO+Enterprise Admins
-CEO+Group Policy Creator Owners
+	CEO+Domain Admins
+	CEO+Domain Users
+	CEO+Domain Guests
+	CEO+Domain Computers
+	CEO+Domain Controllers
+	CEO+Cert Publishers
+	CEO+Schema Admins
+	CEO+Enterprise Admins
+	CEO+Group Policy Creator Owners
 </programlisting></para>

 <para>
@ -710,7 +711,8 @@ The same thing can be done for groups with the command
 <para>
 The <command>winbindd</command> daemon needs to start up after the 
 <command>smbd</command> and <command>nmbd</command> daemons are running.  
-To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and 
+To accomplish this task, you need to modify the startup scripts of your system.
+They are located at <filename>/etc/init.d/smb</filename> in RedHat and 
 <filename>/etc/init.d/samba</filename> in Debian.
 script to add commands to invoke this daemon in the proper sequence.  My 
 startup script starts up <command>smbd</command>, 
@ -736,8 +738,8 @@ start() {
        daemon /usr/local/samba/bin/winbindd
        RETVAL3=$?
        echo
-        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; touch /var/lock/subsys/smb || \
-           RETVAL=1
+        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
+		touch /var/lock/subsys/smb || RETVAL=1
        return $RETVAL
 }
 </programlisting></para>
@ -776,7 +778,8 @@ stop() {
        echo -n $"Shutting down $KIND services: "
        killproc winbindd
        RETVAL3=$?
-        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/smb
+        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
+		 rm -f /var/lock/subsys/smb
        echo ""
        return $RETVAL
 }
@ -796,63 +799,64 @@ the file could contains something like this:
 </para>

 <para><programlisting>
-##
-## samba.server
-##
+	##
+	## samba.server
+	##

-if [ ! -d /usr/bin ]
-then                    # /usr not mounted
-        exit
-fi
+	if [ ! -d /usr/bin ]
+	then                    # /usr not mounted
+		exit
+	fi

-killproc() {            # kill the named process(es)
-        pid=`/usr/bin/ps -e |
-             /usr/bin/grep -w $1 |
-             /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
-        [ "$pid" != "" ] &amp;&amp; kill $pid
-}
- 
-# Start/stop processes required for samba server
+	killproc() {            # kill the named process(es)
+		pid=`/usr/bin/ps -e |
+		     /usr/bin/grep -w $1 |
+		     /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
+		[ "$pid" != "" ] &amp;&amp; kill $pid
+	}
+	 
+	# Start/stop processes required for samba server

-case "$1" in
+	case "$1" in

-'start')
-#
-# Edit these lines to suit your installation (paths, workgroup, host)
-#
-echo Starting SMBD
-   /usr/local/samba/bin/smbd -D -s \
-	/usr/local/samba/smb.conf
+	'start')
+	#
+	# Edit these lines to suit your installation (paths, workgroup, host)
+	#
+	echo Starting SMBD
+	   /usr/local/samba/bin/smbd -D -s \
+		/usr/local/samba/smb.conf

-echo Starting NMBD
-   /usr/local/samba/bin/nmbd -D -l \
-	/usr/local/samba/var/log -s /usr/local/samba/smb.conf
+	echo Starting NMBD
+	   /usr/local/samba/bin/nmbd -D -l \
+		/usr/local/samba/var/log -s /usr/local/samba/smb.conf

-echo Starting Winbind Daemon
-   /usr/local/samba/bin/winbindd
-   ;;
+	echo Starting Winbind Daemon
+	   /usr/local/samba/bin/winbindd
+	   ;;

-'stop')
-   killproc nmbd
-   killproc smbd
-   killproc winbindd
-   ;;
+	'stop')
+	   killproc nmbd
+	   killproc smbd
+	   killproc winbindd
+	   ;;

-*)
-   echo "Usage: /etc/init.d/samba.server { start | stop }"
-   ;;
-esac
+	*)
+	   echo "Usage: /etc/init.d/samba.server { start | stop }"
+	   ;;
+	esac
 </programlisting></para>

-<para>Again, if you would like to run samba in dual daemon mode, replace 
+<para>
+Again, if you would like to run samba in dual daemon mode, replace 
 <programlisting>
-   /usr/local/samba/bin/winbindd
+	/usr/local/samba/bin/winbindd
 </programlisting>

 in the script above with:

 <programlisting>
-   /usr/local/samba/bin/winbindd -B
+	/usr/local/samba/bin/winbindd -B
 </programlisting>
 </para>

@ -912,8 +916,8 @@ just left this fileas it was:


 <para><programlisting>
-auth    required        /lib/security/pam_stack.so service=system-auth
-account required        /lib/security/pam_stack.so service=system-auth
+	auth    required        /lib/security/pam_stack.so service=system-auth
+	account required        /lib/security/pam_stack.so service=system-auth
 </programlisting></para>

 <para>
@ -928,7 +932,7 @@ and <filename>/etc/xinetd.d/wu-ftp</filename> from
 </para>

 <para><programlisting>
-enable = no
+	enable = no
 </programlisting></para>

 <para>
@ -936,7 +940,7 @@ to
 </para>

 <para><programlisting>
-enable = yes
+	enable = yes
 </programlisting></para>

 <para>	
@ -956,13 +960,14 @@ changed to look like this:
 </para>

 <para><programlisting>
-auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
-auth       sufficient   /lib/security/pam_winbind.so
-auth       required     /lib/security/pam_stack.so service=system-auth
-auth       required     /lib/security/pam_shells.so
-account    sufficient   /lib/security/pam_winbind.so
-account    required     /lib/security/pam_stack.so service=system-auth
-session    required     /lib/security/pam_stack.so service=system-auth
+	auth       required     /lib/security/pam_listfile.so item=user sense=deny \
+		 file=/etc/ftpusers onerr=succeed
+	auth       sufficient   /lib/security/pam_winbind.so
+	auth       required     /lib/security/pam_stack.so service=system-auth
+	auth       required     /lib/security/pam_shells.so
+	account    sufficient   /lib/security/pam_winbind.so
+	account    required     /lib/security/pam_stack.so service=system-auth
+	session    required     /lib/security/pam_stack.so service=system-auth
 </programlisting></para>

 <para>
@ -971,16 +976,16 @@ same way.  It now looks like this:
 </para>

 <para><programlisting>
-auth       required     /lib/security/pam_securetty.so
-auth       sufficient   /lib/security/pam_winbind.so
-auth       sufficient   /lib/security/pam_unix.so use_first_pass
-auth       required     /lib/security/pam_stack.so service=system-auth
-auth       required     /lib/security/pam_nologin.so
-account    sufficient   /lib/security/pam_winbind.so
-account    required     /lib/security/pam_stack.so service=system-auth
-password   required     /lib/security/pam_stack.so service=system-auth
-session    required     /lib/security/pam_stack.so service=system-auth
-session    optional     /lib/security/pam_console.so
+	auth       required     /lib/security/pam_securetty.so
+	auth       sufficient   /lib/security/pam_winbind.so
+	auth       sufficient   /lib/security/pam_unix.so use_first_pass
+	auth       required     /lib/security/pam_stack.so service=system-auth
+	auth       required     /lib/security/pam_nologin.so
+	account    sufficient   /lib/security/pam_winbind.so
+	account    required     /lib/security/pam_stack.so service=system-auth
+	password   required     /lib/security/pam_stack.so service=system-auth
+	session    required     /lib/security/pam_stack.so service=system-auth
+	session    optional     /lib/security/pam_console.so
 </programlisting></para>

 <para>
@ -1006,65 +1011,65 @@ nearly impossible to boot.
 </para>

 <para><programlisting>
-#
-#ident	"@(#)pam.conf	1.14	99/09/16 SMI"
-#
-# Copyright (c) 1996-1999, Sun Microsystems, Inc.
-# All Rights Reserved.
-#
-# PAM configuration
-#
-# Authentication management
-#
-login   auth required   /usr/lib/security/pam_winbind.so
-login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass 
-login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass 
-#
-rlogin  auth sufficient /usr/lib/security/pam_winbind.so
-rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-dtlogin auth sufficient /usr/lib/security/pam_winbind.so
-dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
-other   auth sufficient /usr/lib/security/pam_winbind.so
-other	auth required	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-# Account management
-#
-login   account sufficient      /usr/lib/security/pam_winbind.so
-login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-login	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-dtlogin account sufficient      /usr/lib/security/pam_winbind.so
-dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-other   account sufficient      /usr/lib/security/pam_winbind.so
-other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
-other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-# Session management
-#
-other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
-#
-# Password management
-#
-#other   password sufficient     /usr/lib/security/pam_winbind.so
-other	password required	/usr/lib/security/$ISA/pam_unix.so.1 
-dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
-#
-# Support for Kerberos V5 authentication (uncomment to use Kerberos)
-#
-#rlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#login	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#other	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin	account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	session optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other	password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+	#
+	#ident	"@(#)pam.conf	1.14	99/09/16 SMI"
+	#
+	# Copyright (c) 1996-1999, Sun Microsystems, Inc.
+	# All Rights Reserved.
+	#
+	# PAM configuration
+	#
+	# Authentication management
+	#
+	login   auth required   /usr/lib/security/pam_winbind.so
+	login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass 
+	login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass 
+	#
+	rlogin  auth sufficient /usr/lib/security/pam_winbind.so
+	rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
+	rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+	#
+	dtlogin auth sufficient /usr/lib/security/pam_winbind.so
+	dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+	#
+	rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
+	other   auth sufficient /usr/lib/security/pam_winbind.so
+	other	auth required	/usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
+	#
+	# Account management
+	#
+	login   account sufficient      /usr/lib/security/pam_winbind.so
+	login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
+	login	account required	/usr/lib/security/$ISA/pam_unix.so.1 
+	#
+	dtlogin account sufficient      /usr/lib/security/pam_winbind.so
+	dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
+	dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1 
+	#
+	other   account sufficient      /usr/lib/security/pam_winbind.so
+	other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1 
+	other	account required	/usr/lib/security/$ISA/pam_unix.so.1 
+	#
+	# Session management
+	#
+	other	session required	/usr/lib/security/$ISA/pam_unix.so.1 
+	#
+	# Password management
+	#
+	#other   password sufficient     /usr/lib/security/pam_winbind.so
+	other	password required	/usr/lib/security/$ISA/pam_unix.so.1 
+	dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
+	#
+	# Support for Kerberos V5 authentication (uncomment to use Kerberos)
+	#
+	#rlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+	#login	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+	#dtlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+	#other	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+	#dtlogin	account optional /usr/lib/security/$ISA/pam_krb5.so.1
+	#other	account optional /usr/lib/security/$ISA/pam_krb5.so.1
+	#other	session optional /usr/lib/security/$ISA/pam_krb5.so.1
+	#other	password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
 </programlisting></para>

 <para>