mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
20c85cc1da
This change disables the prompt for the change of an expired password by default (using the PAM_RADIO_TYPE mechanism if present). BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
242 lines
8.6 KiB
XML
242 lines
8.6 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="pam_winbind.conf.5">
|
|
|
|
<refmeta>
|
|
<refentrytitle>pam_winbind.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">5</refmiscinfo>
|
|
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>pam_winbind.conf</refname>
|
|
<refpurpose>Configuration file of PAM module for Winbind</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This configuration file is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para>
|
|
pam_winbind.conf is the configuration file for the pam_winbind PAM
|
|
module. See
|
|
<citerefentry><refentrytitle>pam_winbind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
for further details.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SYNOPSIS</title>
|
|
|
|
<para>
|
|
The pam_winbind.conf configuration file is a classic ini-style
|
|
configuration file. There is only one section (global) where
|
|
various options are defined.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
<para>
|
|
|
|
pam_winbind supports several options which can either be set in
|
|
the PAM configuration files or in the pam_winbind configuration
|
|
file situated at
|
|
<filename>/etc/security/pam_winbind.conf</filename>. Options
|
|
from the PAM configuration file take precedence to those from
|
|
the pam_winbind.conf configuration file.
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>debug = yes|no</term>
|
|
<listitem><para>Gives debugging output to syslog. Defaults to "no".</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>debug_state = yes|no</term>
|
|
<listitem><para>Gives detailed PAM state debugging output to syslog. Defaults to "no".</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>require_membership_of = [SID or NAME]</term>
|
|
<listitem><para>
|
|
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
|
|
can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
|
|
SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
|
|
<parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
|
|
<parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
|
|
<parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
|
|
the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
|
|
verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
|
|
This setting is empty by default.
|
|
</para>
|
|
<para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>try_first_pass = yes|no</term>
|
|
<listitem><para>
|
|
By default, pam_winbind tries to get the authentication token from a previous module. If no token is available
|
|
it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication
|
|
token from a previous module is available. If a primary password is not valid, PAM will prompt for a password.
|
|
Default to "no".
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>krb5_auth = yes|no</term>
|
|
<listitem><para>
|
|
|
|
pam_winbind can authenticate using Kerberos when winbindd is
|
|
talking to an Active Directory domain controller. Kerberos
|
|
authentication must be enabled with this parameter. When
|
|
Kerberos authentication can not succeed (e.g. due to clock
|
|
skew), winbindd will fallback to samlogon authentication over
|
|
MSRPC. When this parameter is used in conjunction with
|
|
<parameter>winbind refresh tickets</parameter>, winbind will
|
|
keep your Ticket Granting Ticket (TGT) up-to-date by refreshing
|
|
it whenever necessary. Defaults to "no".
|
|
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>krb5_ccache_type = [type]</term>
|
|
<listitem><para>
|
|
|
|
When pam_winbind is configured to try kerberos authentication
|
|
by enabling the <parameter>krb5_auth</parameter> option, it can
|
|
store the retrieved Ticket Granting Ticket (TGT) in a
|
|
credential cache. The type of credential cache can be
|
|
controlled with this option. The supported values are:
|
|
<parameter>KCM</parameter> or <parameter>KEYRING</parameter>
|
|
(when supported by the system's Kerberos library and
|
|
operating system),
|
|
<parameter>FILE</parameter> and <parameter>DIR</parameter>
|
|
(when the DIR type is supported by the system's Kerberos
|
|
library). In case of FILE a credential cache in the form of
|
|
/tmp/krb5cc_UID will be created - in case of DIR you NEED
|
|
to specify a directory. UID is replaced with the numeric
|
|
user id. The UID directory is being created. The path up to
|
|
the directory should already exist. Check the details of the
|
|
Kerberos implmentation.</para>
|
|
|
|
<para>When using the KEYRING type, the supported mechanism is
|
|
<quote>KEYRING:persistent:UID</quote>, which uses the Linux
|
|
kernel keyring to store credentials on a per-UID basis.
|
|
The KEYRING has its limitations. As it is secure kernel memory,
|
|
for example bulk sorage of credentils is for not possible.</para>
|
|
|
|
<para>When using th KCM type, the supported mechanism is
|
|
<quote>KCM:UID</quote>, which uses a Kerberos credential
|
|
manaager to store credentials on a per-UID basis similar to
|
|
KEYRING. This is the recommended choice on latest Linux
|
|
distributions, offering a Kerberos Credential Manager. If not
|
|
we suggest to use KEYRING as those are the most secure and
|
|
predictable method.</para>
|
|
|
|
<para>It is also possible to define custom filepaths and use the "%u"
|
|
pattern in order to substitute the numeric user id.
|
|
Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
|
|
<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
|
|
<listitem><para>This will create a credential cache file.</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para> Leave empty to just do kerberos authentication without
|
|
having a ticket cache after the logon has succeeded.
|
|
This setting is empty by default.
|
|
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>cached_login = yes|no</term>
|
|
<listitem><para>
|
|
Winbind allows one to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set. Defaults to "no".
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>silent = yes|no</term>
|
|
<listitem><para>
|
|
Do not emit any messages. Defaults to "no".
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>mkhomedir = yes|no</term>
|
|
<listitem><para>
|
|
Create homedirectory for a user on-the-fly, option is valid in
|
|
PAM session block. Defaults to "no".
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>warn_pwd_expire = days</term>
|
|
<listitem><para>
|
|
Defines number of days before pam_winbind starts to warn about passwords that are
|
|
going to expire. Defaults to 14 days.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>pwd_change_prompt = yes|no</term>
|
|
<listitem><para>
|
|
Generate prompt for changing an expired password. Defaults to "no".
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
<para><citerefentry>
|
|
<refentrytitle>pam_winbind</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
|
|
<refentrytitle>wbinfo</refentrytitle>
|
|
<manvolnum>1</manvolnum></citerefentry>, <citerefentry>
|
|
<refentrytitle>winbindd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
|
|
<refentrytitle>smb.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry></para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is part of version &doc.version; of Samba.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>
|
|
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by
|
|
the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
|
|
</para>
|
|
|
|
<para>This manpage was written by Jelmer Vernooij and Guenther Deschner.</para>
|
|
|
|
</refsect1>
|
|
|
|
</refentry>
|