1PAM_WINBIND(8)                         8                        PAM_WINBIND(8)
2
3
4

NAME

6       pam_winbind - PAM module for Winbind
7

DESCRIPTION

9       This tool is part of the samba(7) suite.
10
11       pam_winbind is a PAM module that can authenticate users against the
12       local domain by talking to the Winbind daemon.
13

SYNOPSIS

15       Edit the PAM system config /etc/pam.d/service and modify it as the
16       following example shows:
17
18                              ...
19                              auth      required        pam_env.so
20                              auth      sufficient      pam_unix2.so
21                          +++ auth      required        pam_winbind.so  use_first_pass
22                              account   requisite       pam_unix2.so
23                          +++ account   required        pam_winbind.so  use_first_pass
24                          +++ password  sufficient      pam_winbind.so
25                              password  requisite       pam_pwcheck.so  cracklib
26                              password  required        pam_unix2.so    use_authtok
27                              session   required        pam_unix2.so
28                          +++ session   required        pam_winbind.so
29                              ...
30
31
32       Make sure that pam_winbind is one of the first modules in the session
33       part. It may retrieve kerberos tickets which are needed by other
34       modules.
35

OPTIONS

37       pam_winbind supports several options which can either be set in the PAM
38       configuration files or in the pam_winbind configuration file situated
39       at /etc/security/pam_winbind.conf. Options from the PAM configuration
40       file take precedence to those from the configuration file. See
41       pam_winbind.conf(5) for further details.
42
43       debug
44           Gives debugging output to syslog.
45
46       debug_state
47           Gives detailed PAM state debugging output to syslog.
48
49       require_membership_of=[SID or NAME]
50           If this option is set, pam_winbind will only succeed if the user is
51           a member of the given SID or NAME. A SID can be either a group-SID,
52           an alias-SID or even an user-SID. It is also possible to give a
53           NAME instead of the SID. That name must have the form:
54           MYDOMAIN\\mygroup or MYDOMAIN\\myuser. pam_winbind will, in that
55           case, lookup the SID internally. Note that NAME may not contain any
56           spaces. It is thus recommended to only use SIDs. You can verify the
57           list of SIDs a user is a member of with wbinfo --user-sids=SID.
58
59           This option must only be specified on a auth module declaration, as
60           it only operates in conjunction with password authentication.
61
62       use_first_pass
63           By default, pam_winbind tries to get the authentication token from
64           a previous module. If no token is available it asks the user for
65           the old password. With this option, pam_winbind aborts with an
66           error if no authentication token from a previous module is
67           available.
68
69       try_first_pass
70           Same as the use_first_pass option (previous item), except that if
71           the primary password is not valid, PAM will prompt for a password.
72
73       use_authtok
74           Set the new password to the one provided by the previously stacked
75           password module. If this option is not set pam_winbind will ask the
76           user for the new password.
77
78       try_authtok
79           Same as the use_authtok option (previous item), except that if the
80           new password is not valid, PAM will prompt for a password.
81
82       krb5_auth
83           pam_winbind can authenticate using Kerberos when winbindd is
84           talking to an Active Directory domain controller. Kerberos
85           authentication must be enabled with this parameter. When Kerberos
86           authentication can not succeed (e.g. due to clock skew), winbindd
87           will fallback to samlogon authentication over MSRPC. When this
88           parameter is used in conjunction with winbind refresh tickets,
89           winbind will keep your Ticket Granting Ticket (TGT) up-to-date by
90           refreshing it whenever necessary.
91
92       krb5_ccache_type=[type]
93           When pam_winbind is configured to try kerberos authentication by
94           enabling the krb5_auth option, it can store the retrieved Ticket
95           Granting Ticket (TGT) in a credential cache. The type of credential
96           cache can be controlled with this option. The supported values are:
97           KCM or KEYRING (when supported by the system's Kerberos library and
98           operating system), FILE and DIR (when the DIR type is supported by
99           the system's Kerberos library). In case of FILE a credential cache
100           in the form of /tmp/krb5cc_UID will be created - in case of DIR you
101           NEED to specify a directory. UID is replaced with the numeric user
102           id. The UID directory is being created. The path up to the
103           directory should already exist. Check the details of the Kerberos
104           implmentation.
105
106           When using the KEYRING type, the supported mechanism is
107           “KEYRING:persistent:UID”, which uses the Linux kernel keyring to
108           store credentials on a per-UID basis. The KEYRING has its
109           limitations. As it is secure kernel memory, for example bulk sorage
110           of credentils is for not possible.
111
112           When using th KCM type, the supported mechanism is “KCM:UID”, which
113           uses a Kerberos credential manaager to store credentials on a
114           per-UID basis similar to KEYRING. This is the recommended choice on
115           latest Linux distributions, offering a Kerberos Credential Manager.
116           If not we suggest to use KEYRING as those are the most secure and
117           predictable method.
118
119           It is also possible to define custom filepaths and use the "%u"
120           pattern in order to substitute the numeric user id. Examples:
121
122           krb5_ccache_type = DIR:/run/user/%u/krb5cc
123               This will create a credential cache file in the specified
124               directory.
125
126           krb5_ccache_type = FILE:/tmp/krb5cc_%u
127               This will create a credential cache file.
128
129           Leave empty to just do kerberos authentication without having a
130           ticket cache after the logon has succeeded. This setting is empty
131           by default.
132
133       cached_login
134           Winbind allows one to logon using cached credentials when winbind
135           offline logon is enabled. To use this feature from the PAM module
136           this option must be set.
137
138       silent
139           Do not emit any messages.
140
141       mkhomedir
142           Create homedirectory for a user on-the-fly, option is valid in PAM
143           session block.
144
145       warn_pwd_expire
146           Defines number of days before pam_winbind starts to warn about
147           passwords that are going to expire. Defaults to 14 days.
148

PAM DATA EXPORTS

150       This section describes the data exported in the PAM stack which could
151       be used in other PAM modules.
152
153       PAM_WINBIND_HOMEDIR
154           This is the Windows Home Directory set in the profile tab in the
155           user settings on the Active Directory Server. This could be a local
156           path or a directory on a share mapped to a drive.
157
158       PAM_WINBIND_LOGONSCRIPT
159           The path to the logon script which should be executed if a user
160           logs in. This is normally a relative path to the script stored on
161           the server.
162
163       PAM_WINBIND_LOGONSERVER
164           This exports the Active Directory server we are authenticating
165           against. This can be used as a variable later.
166
167       PAM_WINBIND_PROFILEPATH
168           This is the profile path set in the profile tab in the user
169           settings. Normally the home directory is synced with this directory
170           on a share.
171

SEE ALSO

173       pam_winbind.conf(5), wbinfo(1), winbindd(8), smb.conf(5)
174

VERSION

176       This man page is part of version 4.12.2 of Samba.
177

AUTHOR

179       The original Samba software and related utilities were created by
180       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
181       Source project similar to the way the Linux kernel is developed.
182
183       This manpage was written by Jelmer Vernooij and Guenther Deschner.
184
185
186
187Samba 4.12.2                      04/28/2020                    PAM_WINBIND(8)
Impressum