NAME
pam_winbind - PAM module for Winbind
DESCRIPTION
This tool is part of the samba(7) suite.
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.
SYNOPSIS
Edit the PAM system config /etc/pam.d/service and modify it as the following example shows:
...
auth        required     pam_env.so
auth        sufficient   pam_unix2.so
+++ auth    required     pam_winbind.so  use_first_pass
account     requisite    pam_unix2.so
+++ account required     pam_winbind.so  use_first_pass
+++ password sufficient  pam_winbind.so
password    requisite    pam_pwcheck.so  cracklib
password    required     pam_unix2.so    use_authtok
session     required     pam_unix2.so
+++ session required     pam_winbind.so
...
Make sure that pam_winbind is one of the first modules in the session part. It may retrieve Kerberos tickets which are needed by other modules.
OPTIONS
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at /etc/security/pam_winbind.conf. Options from the PAM configuration file take precedence over those from the configuration file. See pam_winbind.conf(5) for further details.
require_membership_of=[SID or NAME]
This option must only be specified on an auth module declaration, as it only operates in conjunction with password authentication.
When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. The KEYRING has its limitations. As it is secure kernel memory, bulk storage of credentials, for example, is not possible.
When using the KCM type, the supported mechanism is “KCM:UID”, which uses a Kerberos credential manager to store credentials on a per-UID basis, similar to KEYRING. This is the recommended choice on the latest Linux distributions that offer a Kerberos Credential Manager. If not, we suggest using KEYRING, as those are the most secure and predictable methods.
It is also possible to define custom filepaths and use the "%u" pattern in order to substitute the numeric user id. Examples:
krb5_ccache_type = DIR:/run/user/%u/krb5cc
krb5_ccache_type = FILE:/tmp/krb5cc_%u
Leave empty to just do Kerberos authentication without having a ticket cache after the logon has succeeded. This setting is empty by default.
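As an added example (not part of the Samba man page or the Samba code), the following Python audit applies three rules stated above to a PAM service file and pam_winbind.conf: PAM-line options override the configuration file, require_membership_of belongs only on auth lines, and KCM or KEYRING is the suggested cache type. All function names and the sample input are constructed for illustration, and it assumes krb5_ccache_type may be given either as a bare type name or as a full TYPE:path value.

```python
import re

RECOMMENDED = ("KCM", "KEYRING")  # cache types the man page suggests
PAM_LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def winbind_lines(pam_text):
    """Yield (module type, options dict) for each pam_winbind.so line."""
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(3).endswith("pam_winbind.so"):
            # "key=value" and bare flags both become dict entries.
            yield m.group(1), dict(t.partition("=")[::2] for t in m.group(4).split())

def conf_options(conf_text):
    """Parse key = value pairs, skipping comments and [section] lines."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def audit(pam_text, conf_text, uid):
    """Return a list of findings for the pam_winbind lines in pam_text."""
    conf, findings = conf_options(conf_text), []
    for mtype, opts in winbind_lines(pam_text):
        if "require_membership_of" in opts and mtype != "auth":
            findings.append(f"{mtype}: require_membership_of is only valid on auth lines")
        if mtype != "auth":
            continue
        # Options on the PAM line take precedence over pam_winbind.conf.
        ccache = opts.get("krb5_ccache_type", conf.get("krb5_ccache_type", ""))
        ccache = ccache.replace("%u", str(uid))  # %u is the numeric user id
        if not ccache:
            findings.append("auth: krb5_ccache_type empty, no ticket cache kept after logon")
        elif ccache.split(":", 1)[0] not in RECOMMENDED:
            findings.append(f"auth: {ccache} is not a KCM or KEYRING cache")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_PAM = """\
auth     required  pam_winbind.so use_first_pass krb5_ccache_type=FILE:/tmp/krb5cc_%u
account  required  pam_winbind.so use_first_pass require_membership_of=S-1-5-21-1-2-3-513
session  required  pam_winbind.so
"""
SAMPLE_CONF = "[global]\nkrb5_ccache_type = KEYRING\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, SAMPLE_CONF, uid=1000):
        print(finding)
```

In the sample, the FILE cache on the auth line wins over the KEYRING setting in pam_winbind.conf, which is why the file-level setting alone does not show what a service actually uses.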
PAM DATA EXPORTS
This section describes the data exported in the PAM stack which could be used in other PAM modules.
SEE ALSO
pam_winbind.conf(5), wbinfo(1), winbindd(8), smb.conf(5)
VERSION
This man page is part of version 4.13.2-Debian of Samba.
AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
This manpage was written by Jelmer Vernooij and Guenther Deschner.