1PAM_WINBIND(8)                         8                        PAM_WINBIND(8)
2
3
4

NAME

6       pam_winbind - PAM module for Winbind
7

DESCRIPTION

9       This tool is part of the samba(7) suite.
10
11       pam_winbind is a PAM module that can authenticate users against the
12       local domain by talking to the Winbind daemon.
13

SYNOPSIS

15       Edit the PAM system config /etc/pam.d/service and modify it as the
16       following example shows:
17
18                              ...
19                              auth      required        pam_env.so
20                              auth      sufficient      pam_unix2.so
21                          +++ auth      required        pam_winbind.so  use_first_pass
22                              account   requisite       pam_unix2.so
23                          +++ account   required        pam_winbind.so  use_first_pass
24                          +++ password  sufficient      pam_winbind.so
25                              password  requisite       pam_pwcheck.so  cracklib
26                              password  required        pam_unix2.so    use_authtok
27                              session   required        pam_unix2.so
28                          +++ session   required        pam_winbind.so
29                              ...
30
31
32       Make sure that pam_winbind is one of the first modules in the session
33       part. It may retrieve kerberos tickets which are needed by other
34       modules.
35

OPTIONS

37       pam_winbind supports several options which can either be set in the PAM
38       configuration files or in the pam_winbind configuration file situated
39       at /etc/security/pam_winbind.conf. Options from the PAM configuration
40       file take precedence to those from the configuration file. See
41       pam_winbind.conf(5) for further details.
42
43       debug
44           Gives debugging output to syslog.
45
46       debug_state
47           Gives detailed PAM state debugging output to syslog.
48
49       require_membership_of=[SID or NAME]
50           If this option is set, pam_winbind will only succeed if the user is
51           a member of the given SID or NAME. A SID can be either a group-SID,
52           an alias-SID or even an user-SID. It is also possible to give a
53           NAME instead of the SID. That name must have the form:
54           MYDOMAIN\mygroup or MYDOMAIN\myuser (where '\' character
55           corresponds to the value of winbind separator parameter). It is
56           also possible to use a UPN in the form user@REALM or group@REALM.
57           pam_winbind will, in that case, lookup the SID internally. Note
58           that NAME may not contain any spaces. It is thus recommended to
59           only use SIDs. You can verify the list of SIDs a user is a member
60           of with wbinfo --user-sids=SID.
61
62           This option must only be specified on a auth module declaration, as
63           it only operates in conjunction with password authentication.
64
65       use_first_pass
66           By default, pam_winbind tries to get the authentication token from
67           a previous module. If no token is available it asks the user for
68           the old password. With this option, pam_winbind aborts with an
69           error if no authentication token from a previous module is
70           available.
71
72       try_first_pass
73           Same as the use_first_pass option (previous item), except that if
74           the primary password is not valid, PAM will prompt for a password.
75
76       use_authtok
77           Set the new password to the one provided by the previously stacked
78           password module. If this option is not set pam_winbind will ask the
79           user for the new password.
80
81       try_authtok
82           Same as the use_authtok option (previous item), except that if the
83           new password is not valid, PAM will prompt for a password.
84
85       krb5_auth
86           pam_winbind can authenticate using Kerberos when winbindd is
87           talking to an Active Directory domain controller. Kerberos
88           authentication must be enabled with this parameter. When Kerberos
89           authentication can not succeed (e.g. due to clock skew), winbindd
90           will fallback to samlogon authentication over MSRPC. When this
91           parameter is used in conjunction with winbind refresh tickets,
92           winbind will keep your Ticket Granting Ticket (TGT) up-to-date by
93           refreshing it whenever necessary.
94
95       krb5_ccache_type=[type]
96           When pam_winbind is configured to try kerberos authentication by
97           enabling the krb5_auth option, it can store the retrieved Ticket
98           Granting Ticket (TGT) in a credential cache. The type of credential
99           cache can be controlled with this option. The supported values are:
100           KCM or KEYRING (when supported by the system's Kerberos library and
101           operating system), FILE and DIR (when the DIR type is supported by
102           the system's Kerberos library). In case of FILE a credential cache
103           in the form of /tmp/krb5cc_UID will be created - in case of DIR you
104           NEED to specify a directory which must exist, the UID directory
105           will be created in the specified directory. In all cases UID is
106           replaced with the numeric user id. Check the details of the
107           Kerberos implementation.
108
109           When using the KEYRING type, the supported mechanism is
110           “KEYRING:persistent:UID”, which uses the Linux kernel keyring to
111           store credentials on a per-UID basis. KEYRING has limitations. For
112           example, it is secure kernel memory, so bulk storage of credentials
113           is not possible.
114
115           When using the KCM type, the supported mechanism is “KCM:UID”,
116           which uses a Kerberos credential manager to store credentials on a
117           per-UID basis similar to KEYRING. This is the recommended choice on
118           latest Linux distributions that offer a Kerberos Credential
119           Manager. If not, we suggest to use KEYRING, as those are the most
120           secure and predictable method.
121
122           It is also possible to define custom filepaths and use the "%u"
123           pattern in order to substitute the numeric user id. Examples:
124
125           krb5_ccache_type = DIR:/run/user/%u/krb5cc
126               This will create a credential cache file in the specified
127               directory.
128
129           krb5_ccache_type = FILE:/tmp/krb5cc_%u
130               This will create a credential cache file.
131
132           Leave empty to just do kerberos authentication without having a
133           ticket cache after the logon has succeeded. This setting is empty
134           by default.
135
136       cached_login
137           Winbind allows one to logon using cached credentials when winbind
138           offline logon is enabled. To use this feature from the PAM module
139           this option must be set.
140
141       silent
142           Do not emit any messages.
143
144       mkhomedir
145           Create homedirectory for a user on-the-fly, option is valid in PAM
146           session block.
147
148       warn_pwd_expire
149           Defines number of days before pam_winbind starts to warn about
150           passwords that are going to expire. Defaults to 14 days.
151

PAM DATA EXPORTS

153       This section describes the data exported in the PAM stack which could
154       be used in other PAM modules.
155
156       PAM_WINBIND_HOMEDIR
157           This is the Windows Home Directory set in the profile tab in the
158           user settings on the Active Directory Server. This could be a local
159           path or a directory on a share mapped to a drive.
160
161       PAM_WINBIND_LOGONSCRIPT
162           The path to the logon script which should be executed if a user
163           logs in. This is normally a relative path to the script stored on
164           the server.
165
166       PAM_WINBIND_LOGONSERVER
167           This exports the Active Directory server we are authenticating
168           against. This can be used as a variable later.
169
170       PAM_WINBIND_PROFILEPATH
171           This is the profile path set in the profile tab in the user
172           settings. Normally the home directory is synced with this directory
173           on a share.
174

SEE ALSO

176       pam_winbind.conf(5), wbinfo(1), winbindd(8), smb.conf(5)
177

VERSION

179       This man page is part of version 4.15.2 of Samba.
180

AUTHOR

182       The original Samba software and related utilities were created by
183       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
184       Source project similar to the way the Linux kernel is developed.
185
186       This manpage was written by Jelmer Vernooij and Guenther Deschner.
187
188
189
190Samba 4.15.2                      11/13/2021                    PAM_WINBIND(8)
Impressum