AUTHCONFIG(8)               System Manager's Manual              AUTHCONFIG(8)

NAME

       authconfig, authconfig-tui - an interface for configuring system
       authentication resources

SYNOPSIS

       authconfig
              [options] {--update|--updateall|--test|--probe|--restorebackup
              <name>|--savebackup <name>|--restorelastbackup}

DESCRIPTION

       authconfig provides a simple method of configuring
       /etc/sysconfig/network to handle NIS, as well as /etc/passwd and
       /etc/shadow, the files used for shadow password support. Basic LDAP,
       Kerberos 5, and Winbind client configuration is also provided.

       If the --test action is specified, authconfig just reads the current
       settings from the various configuration files and prints their
       values. If the --update action is specified, authconfig must be run
       by root and configuration changes are saved. Only the files affected
       by the configuration changes are overwritten. If the --updateall
       action is specified, authconfig must be run by root and all
       configuration files are written. The --probe action instructs
       authconfig to use DNS and other means to guess at configuration
       information for the current host, print any guesses it finds to
       standard output, and exit.

       The --restorebackup, --savebackup, and --restorelastbackup actions
       make it possible to save and later restore a backup of the
       configuration files which authconfig modifies. authconfig also saves
       an automatic backup of configuration files before every
       configuration change. This special backup can be restored by the
       --restorelastbackup action.

       If --nostart is specified (which is what the install program does),
       ypbind or other daemons will not be started or stopped immediately
       following program execution, but only enabled to start or stop at
       boot time.

       The --enablenis, --enableldap, --enablewinbind, and --enablehesiod
       options are used to configure user information services in
       /etc/nsswitch.conf, the --enablecache option is used to configure
       naming services caching, and the --enableshadow, --enableldapauth,
       --enablekrb5, and --enablewinbindauth options are used to configure
       authentication functions via /etc/pam.d/system-auth. Each --enable
       option has a matching --disable option that disables the service if
       it is already enabled. The respective services have parameters which
       configure their server names etc.

       The algorithm used for storing new password hashes can be specified
       by the --passalgo option, which takes one of the following possible
       values as a parameter: descrypt, bigcrypt, md5, sha256, and sha512.

       The --enablelocauthorize option allows bypassing the check of
       network authentication services for authorization, and the
       --enablesysnetauth option allows authentication of system accounts
       (with uid < 500) by these services.

       When the configuration settings allow use of SSSD for user
       information services and authentication, SSSD will be automatically
       used instead of the legacy services and the SSSD configuration will
       be set up so there is a default domain populated with the settings
       required to connect the services. The --enablesssd and
       --enablesssdauth options force adding SSSD to /etc/nsswitch.conf and
       /etc/pam.d/system-auth, but they do not set up the domain in the
       SSSD configuration files. The SSSD configuration has to be set up
       manually. The allowed configurations of services for SSSD are: LDAP
       for user information (--enableldap) and either LDAP
       (--enableldapauth) or Kerberos (--enablekrb5) for authentication.
       Please note that even though these options alone do not trigger any
       change in SSSD configuration files, this may not be true if any of
       these options is used in conjunction with other options such as
       --enableldap or --updateall.

       In case SSSD does not support some feature of the legacy services
       that is required for the site configuration, the use of the legacy
       services can be forced by setting FORCELEGACY=yes in
       /etc/sysconfig/authconfig.

       The list of options mentioned here in the manual page is not
       exhaustive; please refer to authconfig --help for the complete list
       of the options.

       For namelist you may substitute either a single name or a
       comma-separated list of names.
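
       The --passalgo option described above applies to new password hashes
       only, so hashes already stored in /etc/shadow keep their old scheme
       until each password is next changed. The script below is an added
       example, not part of the authconfig manual or project: it classifies
       shadow entries by hash scheme and lists accounts still stored under
       a different scheme than the one chosen. The sample entries are
       constructed placeholders, and treating a longer string without a $
       prefix as bigcrypt is an assumption.

```shell
#!/bin/sh
# Added example: find accounts whose stored hash predates a --passalgo change.

# Print "user:scheme" for each shadow-format line read from stdin.
classify_shadow_hashes() {
    awk -F: '{
        h = $2
        if (h == "") { print $1 ":empty"; next }
        sub(/^!+/, "", h)                  # leading "!" marks a locked password
        if (h == "" || h == "*")  s = "nologin"
        else if (h ~ /^\$1\$/)    s = "md5"
        else if (h ~ /^\$5\$/)    s = "sha256"
        else if (h ~ /^\$6\$/)    s = "sha512"
        else if (h ~ /^\$/)       s = "other"
        else if (length(h) == 13) s = "descrypt"
        else                      s = "bigcrypt"   # assumption: longer DES-style string
        print $1 ":" s
    }'
}

# List accounts that hold a usable password under a scheme other than $1.
stale_hash_users() {
    classify_shadow_hashes | awk -F: -v want="$1" \
        '$2 != want && $2 != "nologin" && $2 != "empty"'
}

# Constructed sample input (placeholder hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhashvalue:15177:0:99999:7:::
bob:$1$constructedsalt$constructedhashvalue:15177:0:99999:7:::
carol:XXconstructed:15177:0:99999:7:::
dave:!$6$constructedsalt$constructedhashvalue:15177:0:99999:7:::
daemon:*:15177:0:99999:7:::
newuser:!!:15177:0:99999:7:::
EOF
}

# On a real host (as root): stale_hash_users sha512 < /etc/shadow
sample_shadow | stale_hash_users sha512
```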

NOTES

       The SSSD service is enabled and possibly started by authconfig when
       at least two of the following three conditions are met:
       1) /etc/sssd/sssd.conf file exists (or is configured via the
          implicit SSSD support)
       2) SSSD authentication is enabled (pam_sss.so is used in PAM
          configuration)
       3) SSSD is enabled for user identity (nsswitch.conf contains sss)

       When the --update action is used, the enablement or disablement and
       possible restart of services happens only if the changed
       configuration options affect the service to be restarted. This means
       that if, for example, the ypbind service is enabled with authconfig
       --update --nostart --enablenis but not started, and you later run
       the same command without --nostart, the ypbind service will not be
       started because no configuration change affecting ypbind happened.
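
       The two-of-three SSSD rule at the start of this section can be
       evaluated before authconfig is run. The script below is an added
       example, not part of the authconfig manual or project: it counts the
       conditions under a given filesystem root and uses a constructed
       sample tree in which sssd.conf is absent yet the rule is satisfied.
       Checking only /etc/pam.d/system-auth and accepting sss on any
       nsswitch.conf database line are assumptions; implicit SSSD support
       is not detected.

```shell
#!/bin/sh
# Added example: evaluate the NOTES two-of-three rule under a filesystem root.

# Print how many of the three conditions hold under root $1 (empty = live system).
sssd_conditions_met() {
    r=${1:-}
    n=0
    # 1) sssd.conf exists (implicit SSSD support is not detected here)
    if [ -f "$r/etc/sssd/sssd.conf" ]; then n=$((n + 1)); fi
    # 2) pam_sss.so appears on a non-comment line of system-auth
    if grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_sss\.so' \
            "$r/etc/pam.d/system-auth"; then n=$((n + 1)); fi
    # 3) some nsswitch.conf database line lists sss as a source
    if grep -Eqs '^[[:space:]]*[a-z_]+:.*[[:space:]]sss([[:space:]]|$)' \
            "$r/etc/nsswitch.conf"; then n=$((n + 1)); fi
    echo "$n"
}

# Succeed when the rule says the SSSD service would be enabled.
sssd_would_be_enabled() {
    [ "$(sssd_conditions_met "${1:-}")" -ge 2 ]
}

# Constructed sample tree: PAM and NSS reference SSSD, but sssd.conf is absent.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/pam.d"
    printf '%s\n' 'auth  sufficient  pam_unix.so' \
                  'auth  sufficient  pam_sss.so use_first_pass' \
                  > "$d/etc/pam.d/system-auth"
    printf '%s\n' '# comment: sss' 'passwd: files sss' 'group:  files' \
                  > "$d/etc/nsswitch.conf"
    echo "$d"
}

sample=$(make_sample_root)
echo "conditions met: $(sssd_conditions_met "$sample")"
if sssd_would_be_enabled "$sample"; then
    echo "SSSD service would be enabled"
fi
rm -rf "$sample"
```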

RETURN CODES

       authconfig returns 0 on success, 1 on backup operation errors, 2 if
       not running with sufficient privileges, 3 if an unknown password
       hash algorithm is specified or incorrect values are set for password
       strength checking (this error is non-fatal), 4 if download of the CA
       certificate fails, 5 if writing configuration files fails on the
       --updateall action, 6 if writing fails on the --update action, 7 if
       Winbind domain join fails.

FILES

       /etc/sysconfig/authconfig
              Used to track whether or not particular authentication
              mechanisms are enabled. Currently includes variables
              named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH,
              USEWINBIND, USEWINBINDAUTH, USENIS, USELDAP, and others.
       /etc/passwd
       /etc/shadow
              Used for shadow password support.
       /etc/yp.conf
              Configuration file for NIS support.
       /etc/sysconfig/network
              Another configuration file for NIS support.
       /etc/ldap.conf
       /etc/nss_ldap.conf
       /etc/pam_ldap.conf
       /etc/nslcd.conf
       /etc/openldap/ldap.conf
              Used to configure nss_ldap, pam_ldap, nslcd, and the
              OpenLDAP library. Only the files already existing on the
              system are modified.
       /etc/krb5.conf
              Used to configure Kerberos 5.
       /etc/samba/smb.conf
              Used to configure winbind authentication.
       /etc/nsswitch.conf
              Used to configure user information services.
       /etc/login.defs
              Used to configure parameters of user accounts (minimum
              UID of a regular user, password hashing algorithm).
       /etc/pam.d/system-auth
              Common PAM configuration for system services which
              include it using the include directive. It is created as
              a symlink and not relinked if it points to another file.
       /etc/pam.d/system-auth-ac
              Contains the actual PAM configuration for system services
              and is the default target of the /etc/pam.d/system-auth
              symlink. If a local configuration of PAM is created (and
              symlinked from the system-auth file), this file can be
              included there.

SEE ALSO

       authconfig-gtk(8), system-auth-ac(5), passwd(5), shadow(5),
       pwconv(1), domainname(1), ypbind(8), nsswitch.conf(5),
       smb.conf(5), sssd(8)

AUTHORS

       Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>,
       Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com>

Red Hat, Inc.                    22 July 2011                    AUTHCONFIG(8)