PAM_WINBIND.CONF - Online Linux Manual Page
Section : 5
Updated : 04/07/2021
Source : Samba 4.14.2
Note : 5

NAME
pam_winbind.conf - Configuration file of PAM module for Winbind

DESCRIPTION
This configuration file is part of the samba(7) suite. pam_winbind.conf is the configuration file for the pam_winbind PAM module. See pam_winbind(8) for further details.

SYNOPSIS
The pam_winbind.conf configuration file is a classic ini-style configuration file. There is only one section (global) where various options are defined.

OPTIONS
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at /etc/security/pam_winbind.conf. Options from the PAM configuration file take precedence over those from the pam_winbind.conf configuration file.

debug = yes|no
    Gives debugging output to syslog. Defaults to "no".

debug_state = yes|no
    Gives detailed PAM state debugging output to syslog. Defaults to "no".

require_membership_of = [SID or NAME]
    If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even a user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: MYDOMAIN\mygroup or MYDOMAIN\myuser (where the '\' character corresponds to the value of the winbind separator parameter). It is also possible to use a UPN in the form user@REALM or group@REALM. pam_winbind will, in that case, look up the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a user is a member of with wbinfo --user-sids=SID. This setting is empty by default.

    This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).

try_first_pass = yes|no
    By default, pam_winbind tries to get the authentication token from a previous module. If no token is available it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available. If a primary password is not valid, PAM will prompt for a password. Defaults to "no".

krb5_auth = yes|no
    pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller. Kerberos authentication must be enabled with this parameter. When Kerberos authentication cannot succeed (e.g. due to clock skew), winbindd will fall back to samlogon authentication over MSRPC. When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) up-to-date by refreshing it whenever necessary. Defaults to "no".

krb5_ccache_type = [type]
    When pam_winbind is configured to try Kerberos authentication by enabling the krb5_auth option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be controlled with this option. The supported values are: KCM or KEYRING (when supported by the system's Kerberos library and operating system), FILE and DIR (when the DIR type is supported by the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created. In case of DIR you NEED to specify a directory. UID is replaced with the numeric user id. The UID directory will be created. The path up to the directory should already exist. Check the details of the Kerberos implementation.

    When using the KEYRING type, the supported mechanism is KEYRING:persistent:UID, which uses the Linux kernel keyring to store credentials on a per-UID basis. The KEYRING has its limitations. As it is secure kernel memory, bulk storage of credentials, for example, is not possible.

    When using the KCM type, the supported mechanism is KCM:UID, which uses a Kerberos credential manager to store credentials on a per-UID basis similar to KEYRING. This is the recommended choice on the latest Linux distributions that offer a Kerberos Credential Manager. Otherwise we suggest using KEYRING, as those are the most secure and predictable methods.

    It is also possible to define custom filepaths and use the "%u" pattern in order to substitute the numeric user id. Examples:

        krb5_ccache_type = DIR:/run/user/%u/krb5cc
            This will create a credential cache file in the specified directory.

        krb5_ccache_type = FILE:/tmp/krb5cc_%u
            This will create a credential cache file.

    Leave empty to just do Kerberos authentication without having a ticket cache after the logon has succeeded. This setting is empty by default.

cached_login = yes|no
    Winbind allows one to log on using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. Defaults to "no".

silent = yes|no
    Do not emit any messages. Defaults to "no".

mkhomedir = yes|no
    Create the home directory for a user on the fly. This option is valid in the PAM session block. Defaults to "no".

warn_pwd_expire = days
    Defines the number of days before pam_winbind starts to warn about passwords that are going to expire. Defaults to 14 days.
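The following is an added example, not part of the Samba manual page or the Samba code: a small Python check that reads the body of a pam_winbind.conf and reports the settings this page advises against or qualifies (NAME instead of SID in require_membership_of, the password-only scope of that option, and file-based credential caches). The function name, the messages and the sample contents are assumptions made for illustration; it inspects only the file, so options given on the module line in the PAM configuration, which take precedence, are not seen.

```python
import configparser
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample file contents, not taken from a real host.
SAMPLE = """\
[global]
require_membership_of = MYDOMAIN\\linux admins
krb5_auth = no
krb5_ccache_type = FILE:/tmp/krb5cc_%u
"""

def audit(text):
    """Return (option, finding) pairs for the body of a pam_winbind.conf."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "%u" literal
    cp.read_string(text)
    opts = cp["global"] if cp.has_section("global") else {}
    out = []

    member = opts.get("require_membership_of", "").strip()
    if not member:
        out.append(("require_membership_of", "empty: no membership restriction"))
    elif " " in member:
        out.append(("require_membership_of", "NAME contains a space; use the SID"))
    elif not SID_RE.match(member):
        out.append(("require_membership_of", "NAME given; a SID is recommended"))
    if member:
        # The option is only evaluated during password authentication.
        out.append(("require_membership_of",
                    "password logins only; SSH key logins are not restricted"))

    ccache = opts.get("krb5_ccache_type", "").strip()
    kind = ccache.split(":", 1)[0].upper()
    if ccache and opts.get("krb5_auth", "no").strip().lower() != "yes":
        out.append(("krb5_ccache_type", "only used when krb5_auth = yes"))
    if kind == "DIR" and ":" not in ccache:
        out.append(("krb5_ccache_type", "DIR needs an explicit directory"))
    elif kind in ("FILE", "DIR"):
        out.append(("krb5_ccache_type", "file-based cache; KCM or KEYRING preferred"))
    return out

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```
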

SEE ALSO
pam_winbind(8), wbinfo(1), winbindd(8), smb.conf(5)

VERSION
This man page is part of version 4.14.2 of Samba.

AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. This manpage was written by Jelmer Vernooij and Guenther Deschner.