1AUTHCONFIG(8) System Manager's Manual AUTHCONFIG(8)
2
3
4
6 authconfig, authconfig-tui - an interface for configuring system
7 authentication resources
8
10 authconfig
11 [options] {--update|--updateall|--test|--probe|--restorebackup
12 <name>|--savebackup <name>|--restorelastbackup}
13
15 authconfig provides a simple method of configuring /etc/sysconfig/net‐
16 work to handle NIS, as well as /etc/passwd and /etc/shadow, the files
17 used for shadow password support. Basic LDAP, Kerberos 5, and Winbind
18 client configuration is also provided.
19
20 If --test action is specified, the authconfig just reads the current
21 settings from the various configuration files and prints their values.
22 If --update action is specified, authconfig must be run by root and
23 configuration changes are saved. Only the files affected by the config‐
24 uration changes are overwritten. If --updateall action is specified,
25 authconfig must be run by root and all configuration files are written.
26 The --probe action instructs authconfig to use DNS and other means to
27 guess at configuration information for the current host, print its
28 guesses if it finds them, to standard output, and exit.
29
30 The --restorebackup, --savebackup, and --restorelastbackup actions pro‐
31 vide a possibility to save and later restore a backup of configuration
32 files which authconfig modifies. Authconfig also saves an automatic
33 backup of configuration files before every configuration change. This
34 special backup can be restored by the --restorelastbackup action.
35
36 If --nostart is specified (which is what the install program does),
37 ypbind or other daemons will not be started or stopped immediately fol‐
38 lowing program execution, but only enabled to start or stop at boot
39 time.
40
41 The --enablenis, --enableldap, --enablewinbind, and --enablehesiod
42 options are used to configure user information services in /etc/nss‐
43 witch.conf, the --enablecache option is used to configure naming ser‐
44 vices caching, and the --enableshadow, --enableldapauth, --enablekrb5,
45 and --enablewinbindauth options are used to configure authentication
46 functions via /etc/pam.d/system-auth. Each --enable has a matching
47 --disable option that disables the service if it is already enabled.
48 The respective services have parameters which configure their server
49 names etc.
50
51 The algorithm used for storing new password hashes can be specified by
52 the --passalgo option which takes one of the following possible values
53 as a parameter: descrypt, bigcrypt, md5, sha256, and sha512.
54
55 The --enablelocauthorize option allows to bypass checking network
56 authentication services for authorization and the --enablesysnetauth
57 allows authentication of system accounts (with uid < 500) by these ser‐
58 vices.
59
60 When the configuration settings allow use of SSSD for user information
61 services and authentication, SSSD will be automatically used instead of
62 the legacy services and the SSSD configuration will be set up so there
63 is a default domain populated with the settings required to connect the
64 services. The --enablesssd and --enablesssdauth options force adding
65 SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do not
66 set up the domain in the SSSD configuration files. The SSSD configura‐
67 tion has to be set up manually. The allowed configuration of services
68 for SSSD are: LDAP for user information (--enableldap) and either LDAP
69 (--enableldapauth), or Kerberos (--enablekrb5) for authentication.
70 Please note that even though these options alone do not trigger any
71 change in SSSD configuration files this may not be true if any of these
72 options is used in conjunction with other options such as --enableldap
73 or --updateall.
74
75 In case SSSD does not support some feature of the legacy services that
76 are required for the site configuration, the use of the legacy services
77 can be forced by setting FORCELEGACY=yes in /etc/sysconfig/authconfig.
78
79 The list of options mentioned here in the manual page is not exhaus‐
80 tive, please refer to authconfig --help for the complete list of the
81 options.
82
83 For namelist you may substitute either a single name or a comma-sepa‐
84 rated list of names.
85
87 The SSSD service is enabled and possibly started by authconfig when at
88 least two of the following three conditions are met:
89 1) /etc/sssd/sssd.conf file exists (or is configured via the implicit
90 SSSD support)
91 2) SSSD authentication is enabled (pam_sss.so is used in PAM configura‐
92 tion)
93 3) SSSD is enabled for user identity (nsswitch.conf contains sss)
94
95 When --update action is used the enablement or disablement and possible
96 restart of services happens only in case the changed configuration
97 options affect the service to be restarted. This means that if for
98 example the ypbind service is enabled with authconfig --update --nos‐
99 tart --enablenis but not started and you run the same command without
100 the --nostart later the ypbind service will not be started because no
101 configuration change affecting ypbind happened.
102
104 authconfig returns 0 on success, 1 on backup operation errors, 2 if not
105 running with sufficient privileges, 3 if unknown password hash algo‐
106 rithm is specified or incorrect values are set for password strength
107 checking (this error is non fatal), 4 if download of CA certificate
108 fails, 5 if writing configuration files fails on --updateall action, 6
109 if writing fails on --update action, 7 if Winbind domain join fails.
110
111
113 /etc/sysconfig/authconfig
114 Used to track whether or not particular authentication
115 mechanisms are enabled. Currently includes variables
116 named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH,
117 USEWINBIND, USEWINBINDAUTH, USENIS, USELDAP, and others.
118 /etc/passwd
119 /etc/shadow
120 Used for shadow password support.
121 /etc/yp.conf
122 Configuration file for NIS support.
123 /etc/sysconfig/network
124 Another configuration file for NIS support.
125 /etc/ldap.conf
126 /etc/nss_ldap.conf
127 /etc/pam_ldap.conf
128 /etc/nslcd.conf
129 /etc/openldap/ldap.conf
130 Used to configure nss_ldap, pam_ldap, nslcd, and the
131 OpenLDAP library. Only the files already existing on the
132 system are modified.
133 /etc/krb5.conf
134 Used to configure Kerberos 5.
135 /etc/samba/smb.conf
136 Used to configure winbind authentication.
137 /etc/nsswitch.conf
138 Used to configure user information services.
139 /etc/login.defs
140 Used to configure parameters of user accounts (minimum
141 UID of a regular user, password hashing algorithm).
142 /etc/pam.d/system-auth
143 Common PAM configuration for system services which
144 include it using the include directive. It is created as
145 symlink and not relinked if it points to another file.
146 /etc/pam.d/system-auth-ac
147 Contains the actual PAM configuration for system services
148 and is the default target of the /etc/pam.d/system-auth
149 symlink. If a local configuration of PAM is created (and
150 symlinked from system-auth file) this file can be
151 included there.
152
153
155 authconfig-gtk(8), system-auth-ac(5), passwd(5), shadow(5),
156 pwconv(1), domainname(1), ypbind(8), nsswitch.conf(5),
157 smb.conf(5), sssd(8)
158
159
161 Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>,
162 Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com>
163
164
165
166Red Hat, Inc. 22 July 2011 AUTHCONFIG(8)