1AUTHCONFIG(8)               System Manager's Manual              AUTHCONFIG(8)
2
3
4

NAME

6       authconfig,  authconfig-tui  -  an  interface  for  configuring  system
7       authentication resources
8

SYNOPSIS

10       authconfig
11              [options]   {--update|--updateall|--test|--probe|--restorebackup
12              <name>|--savebackup <name>|--restorelastbackup}
13

DESCRIPTION

15       authconfig  provides a simple method of configuring /etc/sysconfig/net‐
16       work to handle NIS, as well as /etc/passwd and /etc/shadow,  the  files
17       used  for shadow password support.  Basic LDAP, Kerberos 5, and Winbind
18       client configuration is also provided.
19
20       If --test action is specified, authconfig can be  run  by  users  other
21       then  root,  and  any  configuration  changes are not saved but printed
22       instead.  If --update action is specified, authconfig must  be  run  by
23       root  (or through console helper), and configuration changes are saved.
24       Only the files affected by the configuration changes  are  overwritten.
25       If  --updateall action is specified, authconfig must be run by root (or
26       through console helper), and all configuration files are written.   The
27       --probe action instructs authconfig to use DNS and other means to guess
28       at configuration information for the current host, print its guesses if
29       it finds them to standard output, and exit.
30
31       The --restorebackup, --savebackup, and --restorelastbackup actions pro‐
32       vide a possibility to save and later restore a backup of  configuration
33       files  which  authconfig  modifies.  Authconfig also saves an automatic
34       backup of configuration files before every configuration  change.  This
35       special backup can be restored by the --restorelastbackup action.
36
37       If  --nostart  is  specified  (which is what the install program does),
38       ypbind or other daemons will not be started or stopped immediately fol‐
39       lowing  program  execution,  but  only enabled to start or stop at boot
40       time.
41
42       The  --enablenis,  --enableldap,  --enablewinbind,  and  --enablehesiod
43       options  are  used  to configure user information services in /etc/nss‐
44       witch.conf, the --enablecache option is used to configure  naming  ser‐
45       vices  caching, and the --enableshadow, --enableldapauth, --enablekrb5,
46       and --enablewinbindauth options are used  to  configure  authentication
47       functions  via  /etc/pam.d/system-auth.   Each  --enable has a matching
48       --disable option that disables the service if it  is  already  enabled.
49       The  respective  services  have parameters which configure their server
50       names etc.
51
52       The algorithm used for storing new password hashes can be specified  by
53       the  --passalgo option which takes one of the following possible values
54       as a parameter: descrypt, bigcrypt, md5, sha256, and sha512.
55
56       The --enablelocauthorize  option  allows  to  bypass  checking  network
57       authentication  services  for  authorization and the --enablesysnetauth
58       allows authentication of system accounts (with uid < 500) by these ser‐
59       vices.
60
61       When  the configuration settings allow use of SSSD for user information
62       services and authentication, SSSD will be automatically used instead of
63       the  legacy services and the SSSD configuration will be set up so there
64       is a default domain populated with the settings required to connect the
65       services.  The  --enablesssd  and --enablesssdauth options force adding
66       SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do  not
67       set  up the domain in the SSSD configuration files. The SSSD configura‐
68       tion has to be set up manually. The allowed configuration  of  services
69       for  SSSD are: LDAP for user information (--enableldap) and either LDAP
70       (--enableldapauth), or Kerberos (--enablekrb5) for authentication.
71
72       In case SSSD does not support some feature of the legacy services  that
73       are required for the site configuration, the use of the legacy services
74       can be forced by setting FORCELEGACY=yes in /etc/sysconfig/authconfig.
75
76       The list of options mentioned here in the manual page  is  not  exhaus‐
77       tive,  please  refer  to authconfig --help for the complete list of the
78       options.
79
80       The authconfig-tui supports all options of authconfig  but  it  implies
81       --update  as the default action. Its window contains a Cancel button by
82       default. If --back option is specified at run time, a  Back  button  is
83       presented  instead. If --kickstart is specified, no interactive screens
84       will be seen. The values the program will use will be  those  specified
85       by the other options (--passalgo, --enableshadow, etc.).
86
87       For  namelist  you may substitute either a single name or a comma-sepa‐
88       rated list of names.
89

NOTES

91       The authconfig-tui is deprecated. No new configuration settings will be
92       supported  by its text user interface. Use system-config-authentication
93       GUI application or the command line options instead.
94
95       The SSSD service is enabled and possibly started by authconfig when  at
96       least two of the following three conditions are met:
97       1)  /etc/sssd/sssd.conf  file exists (or is configured via the implicit
98       SSSD support)
99       2) SSSD authentication is enabled (pam_sss.so is used in PAM configura‐
100       tion)
101       3) SSSD is enabled for user identity (nsswitch.conf contains sss)
102
103       When --update action is used the enablement or disablement and possible
104       restart of services happens only  in  case  the  changed  configuration
105       options  affect  the  service  to  be restarted. This means that if for
106       example the ypbind service is enabled with authconfig  --update  --nos‐
107       tart  --enablenis  but not started and you run the same command without
108       the --nostart later the ypbind service will not be started  because  no
109       configuration change affecting ypbind happened.
110
111

RETURN CODES

113       authconfig returns 0 on success, 2 on error.
114
115       authconfig-tui returns 0 on success, 2 on error, and 1 if the user can‐
116       celled the program (by using either the Cancel or Back button).
117
118

FILES

120       /etc/sysconfig/authconfig
121              Used to track whether or  not  particular  authentication
122              mechanisms  are  enabled.   Currently  includes variables
123              named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH, USESM‐
124              BAUTH,  USEWINBIND,  USEWINBINDAUTH,  USEHESIOD,  USENIS,
125              USELDAP, and others.
126       /etc/passwd
127       /etc/shadow
128              Used for shadow password support.
129       /etc/yp.conf
130              Configuration file for NIS support.
131       /etc/sysconfig/network
132              Another configuration file for NIS support.
133       /etc/ldap.conf
134       /etc/nss_ldap.conf
135       /etc/pam_ldap.conf
136       /etc/nslcd.conf
137       /etc/openldap/ldap.conf
138              Used to configure  nss_ldap,  pam_ldap,  nslcd,  and  the
139              OpenLDAP  library. Only the files already existing on the
140              system are modified.
141       /etc/krb5.conf
142              Used to configure Kerberos 5.
143       /etc/hesiod.conf
144              Used to configure Hesiod.
145       /etc/samba/smb.conf
146              Used to configure winbind authentication.
147       /etc/nsswitch.conf
148              Used to configure user information services.
149       /etc/login.defs
150              Used to configure parameters of  user  accounts  (minimum
151              UID of a regular user, password hashing algorithm).
152       /etc/pam.d/system-auth
153              Common   PAM  configuration  for  system  services  which
154              include it using the include directive. It is created  as
155              symlink and not relinked if it points to another file.
156       /etc/pam.d/system-auth-ac
157              Contains the actual PAM configuration for system services
158              and is the default target of  the  /etc/pam.d/system-auth
159              symlink.  If a local configuration of PAM is created (and
160              symlinked  from  system-auth  file)  this  file  can   be
161              included there.
162
163

SEE ALSO

165       authconfig-gtk(8),   system-auth-ac(5),   passwd(5),  shadow(5),
166       pwconv(1),    domainname(1),    ypbind(8),     nsswitch.conf(5),
167       smb.conf(5), sssd(8)
168
169

AUTHORS

171       Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>,
172       Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com>
173
174
175
176Red Hat, Inc.                    22 July 2011                    AUTHCONFIG(8)
Impressum