1PAM_WINBIND(8) 8 PAM_WINBIND(8)
2
3
4
6 pam_winbind - PAM module for Winbind
7
9 This tool is part of the samba(7) suite.
10
11 pam_winbind is a PAM module that can authenticate users against the
12 local domain by talking to the Winbind daemon.
13
15 Edit the PAM system config /etc/pam.d/service and modify it as the
16 following example shows:
17
18 ...
19 auth required pam_env.so
20 auth sufficient pam_unix2.so
21 +++ auth required pam_winbind.so use_first_pass
22 account requisite pam_unix2.so
23 +++ account required pam_winbind.so use_first_pass
24 +++ password sufficient pam_winbind.so
25 password requisite pam_pwcheck.so cracklib
26 password required pam_unix2.so use_authtok
27 session required pam_unix2.so
28 +++ session required pam_winbind.so
29 ...
30
31
32 Make sure that pam_winbind is one of the first modules in the session
33 part. It may retrieve kerberos tickets which are needed by other
34 modules.
35
37 pam_winbind supports several options which can either be set in the PAM
38 configuration files or in the pam_winbind configuration file situated
39 at /etc/security/pam_winbind.conf. Options from the PAM configuration
40 file take precedence to those from the configuration file. See
41 pam_winbind.conf(5) for further details.
42
43 debug
44 Gives debugging output to syslog.
45
46 debug_state
47 Gives detailed PAM state debugging output to syslog.
48
49 require_membership_of=[SID or NAME]
50 If this option is set, pam_winbind will only succeed if the user is
51 a member of the given SID or NAME. A SID can be either a group-SID,
52 an alias-SID or even an user-SID. It is also possible to give a
53 NAME instead of the SID. That name must have the form:
54 MYDOMAIN\mygroup or MYDOMAIN\myuser (where '\' character
55 corresponds to the value of winbind separator parameter). It is
56 also possible to use a UPN in the form user@REALM or group@REALM.
57 pam_winbind will, in that case, lookup the SID internally. Note
58 that NAME may not contain any spaces. It is thus recommended to
59 only use SIDs. You can verify the list of SIDs a user is a member
60 of with wbinfo --user-sids=SID.
61
62 This option must only be specified on a auth module declaration, as
63 it only operates in conjunction with password authentication.
64
65 use_first_pass
66 By default, pam_winbind tries to get the authentication token from
67 a previous module. If no token is available it asks the user for
68 the old password. With this option, pam_winbind aborts with an
69 error if no authentication token from a previous module is
70 available.
71
72 try_first_pass
73 Same as the use_first_pass option (previous item), except that if
74 the primary password is not valid, PAM will prompt for a password.
75
76 use_authtok
77 Set the new password to the one provided by the previously stacked
78 password module. If this option is not set pam_winbind will ask the
79 user for the new password.
80
81 try_authtok
82 Same as the use_authtok option (previous item), except that if the
83 new password is not valid, PAM will prompt for a password.
84
85 krb5_auth
86 pam_winbind can authenticate using Kerberos when winbindd is
87 talking to an Active Directory domain controller. Kerberos
88 authentication must be enabled with this parameter. When Kerberos
89 authentication can not succeed (e.g. due to clock skew), winbindd
90 will fallback to samlogon authentication over MSRPC. When this
91 parameter is used in conjunction with winbind refresh tickets,
92 winbind will keep your Ticket Granting Ticket (TGT) up-to-date by
93 refreshing it whenever necessary.
94
95 krb5_ccache_type=[type]
96 When pam_winbind is configured to try kerberos authentication by
97 enabling the krb5_auth option, it can store the retrieved Ticket
98 Granting Ticket (TGT) in a credential cache. The type of credential
99 cache can be controlled with this option. The supported values are:
100 KCM or KEYRING (when supported by the system's Kerberos library and
101 operating system), FILE and DIR (when the DIR type is supported by
102 the system's Kerberos library). In case of FILE a credential cache
103 in the form of /tmp/krb5cc_UID will be created - in case of DIR you
104 NEED to specify a directory which must exist, the UID directory
105 will be created in the specified directory. In all cases UID is
106 replaced with the numeric user id. Check the details of the
107 Kerberos implementation.
108
109 When using the KEYRING type, the supported mechanism is
110 “KEYRING:persistent:UID”, which uses the Linux kernel keyring to
111 store credentials on a per-UID basis. KEYRING has limitations. For
112 example, it is secure kernel memory, so bulk storage of credentials
113 is not possible.
114
115 When using the KCM type, the supported mechanism is “KCM:UID”,
116 which uses a Kerberos credential manager to store credentials on a
117 per-UID basis similar to KEYRING. This is the recommended choice on
118 latest Linux distributions that offer a Kerberos Credential
119 Manager. If not, we suggest to use KEYRING, as those are the most
120 secure and predictable method.
121
122 It is also possible to define custom filepaths and use the "%u"
123 pattern in order to substitute the numeric user id. Examples:
124
125 krb5_ccache_type = DIR:/run/user/%u/krb5cc
126 This will create a credential cache file in the specified
127 directory.
128
129 krb5_ccache_type = FILE:/tmp/krb5cc_%u
130 This will create a credential cache file.
131
132 Leave empty to just do kerberos authentication without having a
133 ticket cache after the logon has succeeded. This setting is empty
134 by default.
135
136 cached_login
137 Winbind allows one to logon using cached credentials when winbind
138 offline logon is enabled. To use this feature from the PAM module
139 this option must be set.
140
141 silent
142 Do not emit any messages.
143
144 mkhomedir
145 Create homedirectory for a user on-the-fly, option is valid in PAM
146 session block.
147
148 warn_pwd_expire
149 Defines number of days before pam_winbind starts to warn about
150 passwords that are going to expire. Defaults to 14 days.
151
153 This section describes the data exported in the PAM stack which could
154 be used in other PAM modules.
155
156 PAM_WINBIND_HOMEDIR
157 This is the Windows Home Directory set in the profile tab in the
158 user settings on the Active Directory Server. This could be a local
159 path or a directory on a share mapped to a drive.
160
161 PAM_WINBIND_LOGONSCRIPT
162 The path to the logon script which should be executed if a user
163 logs in. This is normally a relative path to the script stored on
164 the server.
165
166 PAM_WINBIND_LOGONSERVER
167 This exports the Active Directory server we are authenticating
168 against. This can be used as a variable later.
169
170 PAM_WINBIND_PROFILEPATH
171 This is the profile path set in the profile tab in the user
172 settings. Normally the home directory is synced with this directory
173 on a share.
174
176 pam_winbind.conf(5), wbinfo(1), winbindd(8), smb.conf(5)
177
179 This man page is part of version 4.15.2 of Samba.
180
182 The original Samba software and related utilities were created by
183 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
184 Source project similar to the way the Linux kernel is developed.
185
186 This manpage was written by Jelmer Vernooij and Guenther Deschner.
187
188
189
190Samba 4.15.2 11/13/2021 PAM_WINBIND(8)