table of contents
- bullseye 2:4.13.13+dfsg-1~deb11u5
- bullseye-backports 2:4.17.8+dfsg-1~bpo11+1
- testing 2:4.17.8+dfsg-1
- unstable 2:4.17.8+dfsg-2
- experimental 2:4.18.2+dfsg-1
pam_winbind - PAM module for Winbind
This tool is part of the samba(7) suite.
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.
Edit the PAM system config /etc/pam.d/service and modify it as the following example shows:
... auth required pam_env.so auth sufficient pam_unix2.so +++ auth required pam_winbind.so use_first_pass account requisite pam_unix2.so +++ account required pam_winbind.so use_first_pass +++ password sufficient pam_winbind.so password requisite pam_pwcheck.so cracklib password required pam_unix2.so use_authtok session required pam_unix2.so +++ session required pam_winbind.so ...
Make sure that pam_winbind is one of the first modules in the session part. It may retrieve kerberos tickets which are needed by other modules.
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at /etc/security/pam_winbind.conf. Options from the PAM configuration file take precedence to those from the configuration file. See pam_winbind.conf(5) for further details.
require_membership_of=[SID or NAME]
This option must only be specified on a auth module declaration, as it only operates in conjunction with password authentication.
When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. KEYRING has limitations. For example, it is secure kernel memory, so bulk storage of credentials is not possible.
When using the KCM type, the supported mechanism is “KCM:UID”, which uses a Kerberos credential manager to store credentials on a per-UID basis similar to KEYRING. This is the recommended choice on latest Linux distributions that offer a Kerberos Credential Manager. If not, we suggest to use KEYRING, as those are the most secure and predictable method.
It is also possible to define custom filepaths and use the "%u" pattern in order to substitute the numeric user id. Examples:
krb5_ccache_type = DIR:/run/user/%u/krb5cc
krb5_ccache_type = FILE:/tmp/krb5cc_%u
Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded. This setting is empty by default.
PAM DATA EXPORTS¶
This section describes the data exported in the PAM stack which could be used in other PAM modules.
This man page is part of version 4.16.4-Debian of Samba.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
This manpage was written by Jelmer Vernooij and Guenther Deschner.