source: vendor/current/docs/manpages/pam_winbind.8@ 740

'\" t
.\"     Title: pam_winbind
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 08/08/2011
.\"    Manual: 8
.\"    Source: Samba 3.6
.\"  Language: English
.\"
.TH "PAM_WINBIND" "8" "08/08/2011" "Samba 3\&.6" "8"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_winbind \- PAM module for Winbind
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon\&.
.SH "SYNOPSIS"
.PP
Edit the PAM system config /etc/pam\&.d/service and modify it as the following example shows:
.sp
.if n \{\
.RS 4
.\}
.nf
                            \&.\&.\&.
                            auth      required        pam_env\&.so
                            auth      sufficient      pam_unix2\&.so
                        +++ auth      required        pam_winbind\&.so  use_first_pass
                            account   requisite       pam_unix2\&.so
                        +++ account   required        pam_winbind\&.so  use_first_pass
                        +++ password  sufficient      pam_winbind\&.so
                            password  requisite       pam_pwcheck\&.so  cracklib
                            password  required        pam_unix2\&.so    use_authtok
                            session   required        pam_unix2\&.so
                        +++ session   required        pam_winbind\&.so
                            \&.\&.\&.
                
.fi
.if n \{\
.RE
.\}
.sp
Make sure that pam_winbind is one of the first modules in the session part\&. It may retrieve kerberos tickets which are needed by other modules\&.
.SH "OPTIONS"
.PP
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at
/etc/security/pam_winbind\&.conf\&. Options from the PAM configuration file take precedence to those from the configuration file\&. See
\fBpam_winbind.conf\fR(5)
for further details\&.
.PP
debug
.RS 4
Gives debugging output to syslog\&.
.RE
.PP
debug_state
.RS 4
Gives detailed PAM state debugging output to syslog\&.
.RE
.PP
require_membership_of=[SID or NAME]
.RS 4
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME\&. A SID can be either a group\-SID, an alias\-SID or even an user\-SID\&. It is also possible to give a NAME instead of the SID\&. That name must have the form:
\fIMYDOMAIN\e\emygroup\fR
or
\fIMYDOMAIN\e\emyuser\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with
wbinfo \-\-user\-sids=SID\&.
.RE
.PP
use_first_pass
.RS 4
By default, pam_winbind tries to get the authentication token from a previous module\&. If no token is available it asks the user for the old password\&. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available\&.
.RE