1AUTHCONFIG(8) System Manager's Manual AUTHCONFIG(8)
2
6 authconfig, authconfig-tui - an interface for configuring system
7 authentication resources
8
10 authconfig
11 [options] {--update|--updateall|--test|--probe|--restorebackup
12 <name>|--savebackup <name>|--restorelastbackup}
13
15 authconfig provides a simple method of configuring /etc/sysconfig/net‐
16 work to handle NIS, as well as /etc/passwd and /etc/shadow, the files
17 used for shadow password support. Basic LDAP, Kerberos 5, and Winbind
18 client configuration is also provided.
19 If --test action is specified, the authconfig just reads the current
21 settings from the various configuration files and prints their values.
22 If --update action is specified, authconfig must be run by root (or
23 through console helper), and configuration changes are saved. Only the
24 files affected by the configuration changes are overwritten. If
25 --updateall action is specified, authconfig must be run by root (or
26 through console helper), and all configuration files are written. The
27 --probe action instructs authconfig to use DNS and other means to guess
28 at configuration information for the current host, print its guesses if
29 it finds them, to standard output, and exit.
30 The --restorebackup, --savebackup, and --restorelastbackup actions pro‐
32 vide a possibility to save and later restore a backup of configuration
33 files which authconfig modifies. Authconfig also saves an automatic
34 backup of configuration files before every configuration change. This
35 special backup can be restored by the --restorelastbackup action.
36 If --nostart is specified (which is what the install program does),
38 ypbind or other daemons will not be started or stopped immediately fol‐
39 lowing program execution, but only enabled to start or stop at boot
40 time.
41 The --enablenis, --enableldap, --enablewinbind, and --enablehesiod
43 options are used to configure user information services in /etc/nss‐
44 witch.conf, the --enablecache option is used to configure naming ser‐
45 vices caching, and the --enableshadow, --enableldapauth, --enablekrb5,
46 and --enablewinbindauth options are used to configure authentication
47 functions via /etc/pam.d/system-auth. Each --enable has a matching
48 --disable option that disables the service if it is already enabled.
49 The respective services have parameters which configure their server
50 names etc.
51 The algorithm used for storing new password hashes can be specified by
53 the --passalgo option which takes one of the following possible values
54 as a parameter: descrypt, bigcrypt, md5, sha256, and sha512.
55 The --enablelocauthorize option allows to bypass checking network
57 authentication services for authorization and the --enablesysnetauth
58 allows authentication of system accounts (with uid < 500) by these ser‐
59 vices.
60 When the configuration settings allow use of SSSD for user information
62 services and authentication, SSSD will be automatically used instead of
63 the legacy services and the SSSD configuration will be set up so there
64 is a default domain populated with the settings required to connect the
65 services. The --enablesssd and --enablesssdauth options force adding
66 SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do not
67 set up the domain in the SSSD configuration files. The SSSD configura‐
68 tion has to be set up manually. The allowed configuration of services
69 for SSSD are: LDAP for user information (--enableldap) and either LDAP
70 (--enableldapauth), or Kerberos (--enablekrb5) for authentication.
71 Please note that even though these options alone do not trigger any
72 change in SSSD configuration files this may not be true if any of these
73 options is used in conjunction with other options such as --enableldap
74 or --updateall.
75 In case SSSD does not support some feature of the legacy services that
77 are required for the site configuration, the use of the legacy services
78 can be forced by setting FORCELEGACY=yes in /etc/sysconfig/authconfig.
79 The list of options mentioned here in the manual page is not exhaus‐
81 tive, please refer to authconfig --help for the complete list of the
82 options.
83 The authconfig-tui supports all options of authconfig but it implies
85 --update as the default action. Its window contains a Cancel button by
86 default. If --back option is specified at run time, a Back button is
87 presented instead. If --kickstart is specified, no interactive screens
88 will be seen. The values the program will use will be those specified
89 by the other options (--passalgo, --enableshadow, etc.).
90 For namelist you may substitute either a single name or a comma-sepa‐
92 rated list of names.
93
95 The authconfig-tui is deprecated. No new configuration settings will be
96 supported by its text user interface. Use system-config-authentication
97 GUI application or the command line options instead.
98 The /usr/bin/authconfig uses the consolehelper to authenticate as the
100 system user before it starts up. If you want to run it directly without
101 the authentication as the system user, run the /usr/sbin/authconfig
102 command.
103 The SSSD service is enabled and possibly started by authconfig when at
105 least two of the following three conditions are met:
106 1) /etc/sssd/sssd.conf file exists (or is configured via the implicit
107 SSSD support)
108 2) SSSD authentication is enabled (pam_sss.so is used in PAM configura‐
109 tion)
110 3) SSSD is enabled for user identity (nsswitch.conf contains sss)
111 When --update action is used the enablement or disablement and possible
113 restart of services happens only in case the changed configuration
114 options affect the service to be restarted. This means that if for
115 example the ypbind service is enabled with authconfig --update --nos‐
116 tart --enablenis but not started and you run the same command without
117 the --nostart later the ypbind service will not be started because no
118 configuration change affecting ypbind happened.
119
121 authconfig returns 0 on success, 1 on backup operation errors, 2 if not
122 running with sufficient privileges, 3 if unknown password hash algo‐
123 rithm is specified or incorrect values are set for password strength
124 checking (this error is non fatal), 4 if download of CA certificate
125 fails, 5 if writing configuration files fails on --updateall action, 6
126 if writing fails on --update action, 7 if Winbind or IPA domain join
127 fails.
128 authconfig-tui returns 0 on success, 2 on error, and 1 if the user can‐
131 celled the program (by using either the Cancel or Back button). It can
132 also return the same codes as authconfig.
133
136 /etc/sysconfig/authconfig
137 Used to track whether or not particular authentication
138 mechanisms are enabled. Currently includes variables
139 named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH, USESM‐
140 BAUTH, USEWINBIND, USEWINBINDAUTH, USEHESIOD, USENIS,
141 USELDAP, and others.
142 /etc/passwd
143 /etc/shadow
144 Used for shadow password support.
145 /etc/yp.conf
146 Configuration file for NIS support.
147 /etc/sysconfig/network
148 Another configuration file for NIS support.
149 /etc/ldap.conf
150 /etc/nss_ldap.conf
151 /etc/pam_ldap.conf
152 /etc/nslcd.conf
153 /etc/openldap/ldap.conf
154 Used to configure nss_ldap, pam_ldap, nslcd, and the
155 OpenLDAP library. Only the files already existing on the
156 system are modified.
157 /etc/krb5.conf
158 Used to configure Kerberos 5.
159 /etc/hesiod.conf
160 Used to configure Hesiod.
161 /etc/samba/smb.conf
162 Used to configure winbind authentication.
163 /etc/nsswitch.conf
164 Used to configure user information services.
165 /etc/login.defs
166 Used to configure parameters of user accounts (minimum
167 UID of a regular user, password hashing algorithm).
168 /etc/pam.d/system-auth
169 Common PAM configuration for system services which
170 include it using the include directive. It is created as
171 symlink and not relinked if it points to another file.
172 /etc/pam.d/system-auth-ac
173 Contains the actual PAM configuration for system services
174 and is the default target of the /etc/pam.d/system-auth
175 symlink. If a local configuration of PAM is created (and
176 symlinked from system-auth file) this file can be
177 included there.
178
181 authconfig-gtk(8), system-auth-ac(5), passwd(5), shadow(5),
182 pwconv(1), domainname(1), ypbind(8), nsswitch.conf(5),
183 smb.conf(5), sssd(8)
184
187 Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>,
188 Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com>
189Red Hat, Inc. 22 July 2011 AUTHCONFIG(8)