kiwi/klara-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Try samba420

Browse Source
This commit is contained in:
Xavier Beaudouin
2025-01-20 18:42:30 +01:00
parent c9e958d235
commit f6ff52230b
122 changed files with 41099 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
net/samba420/files/man/pam_winbind.conf.5 Normal file
View File

@ -0,0 +1,161 @@
'\" t
.\" Title: pam_winbind.conf
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 08/09/2022
.\" Manual: 5
.\" Source: Samba 4.16.4
.\" Language: English
.\"
.TH "PAM_WINBIND\&.CONF" "5" "08/09/2022" "Samba 4\&.16\&.4" "5"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_winbind.conf \- Configuration file of PAM module for Winbind
.SH "DESCRIPTION"
.PP
This configuration file is part of the
\fBsamba\fR(7)
suite\&.
.PP
pam_winbind\&.conf is the configuration file for the pam_winbind PAM module\&. See
\fBpam_winbind\fR(8)
for further details\&.
.SH "SYNOPSIS"
.PP
The pam_winbind\&.conf configuration file is a classic ini\-style configuration file\&. There is only one section (global) where various options are defined\&.
.SH "OPTIONS"
.PP
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at
/etc/security/pam_winbind\&.conf\&. Options from the PAM configuration file take precedence to those from the pam_winbind\&.conf configuration file\&.
.PP
debug = yes|no
.RS 4
Gives debugging output to syslog\&. Defaults to "no"\&.
.RE
.PP
debug_state = yes|no
.RS 4
Gives detailed PAM state debugging output to syslog\&. Defaults to "no"\&.
.RE
.PP
require_membership_of = [SID or NAME]
.RS 4
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME\&. A SID can be either a group\-SID, an alias\-SID or even an user\-SID\&. It is also possible to give a NAME instead of the SID\&. That name must have the form:
\fIMYDOMAIN\emygroup\fR
or
\fIMYDOMAIN\emyuser\fR
(where \*(Aq\e\*(Aq character corresponds to the value of
\fIwinbind separator\fR
parameter)\&. It is also possible to use a UPN in the form
\fIuser@REALM\fR
or
\fIgroup@REALM\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with
wbinfo \-\-user\-sids=SID\&. This setting is empty by default\&.
.sp
This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key\-based login)\&.
.RE
.PP
try_first_pass = yes|no
.RS 4
By default, pam_winbind tries to get the authentication token from a previous module\&. If no token is available it asks the user for the old password\&. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available\&. If a primary password is not valid, PAM will prompt for a password\&. Default to "no"\&.
.RE
.PP
krb5_auth = yes|no
.RS 4
pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller\&. Kerberos authentication must be enabled with this parameter\&. When Kerberos authentication can not succeed (e\&.g\&. due to clock skew), winbindd will fallback to samlogon authentication over MSRPC\&. When this parameter is used in conjunction with
\fIwinbind refresh tickets\fR, winbind will keep your Ticket Granting Ticket (TGT) up\-to\-date by refreshing it whenever necessary\&. Defaults to "no"\&.
.RE
.PP
krb5_ccache_type = [type]
.RS 4
When pam_winbind is configured to try kerberos authentication by enabling the
\fIkrb5_auth\fR
option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be controlled with this option\&. The supported values are:
\fIKCM\fR
or
\fIKEYRING\fR
(when supported by the system\*(Aqs Kerberos library and operating system),
\fIFILE\fR
and
\fIDIR\fR
(when the DIR type is supported by the system\*(Aqs Kerberos library)\&. In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created \- in case of DIR you NEED to specify a directory\&. UID is replaced with the numeric user id\&. The UID directory is being created\&. The path up to the directory should already exist\&. Check the details of the Kerberos implmentation\&.
.sp
When using the KEYRING type, the supported mechanism is
\(lqKEYRING:persistent:UID\(rq, which uses the Linux kernel keyring to store credentials on a per\-UID basis\&. The KEYRING has its limitations\&. As it is secure kernel memory, for example bulk sorage of credentils is for not possible\&.
.sp
When using th KCM type, the supported mechanism is
\(lqKCM:UID\(rq, which uses a Kerberos credential manaager to store credentials on a per\-UID basis similar to KEYRING\&. This is the recommended choice on latest Linux distributions, offering a Kerberos Credential Manager\&. If not we suggest to use KEYRING as those are the most secure and predictable method\&.
.sp
It is also possible to define custom filepaths and use the "%u" pattern in order to substitute the numeric user id\&. Examples:
.PP
krb5_ccache_type = DIR:/run/user/%u/krb5cc
.RS 4
This will create a credential cache file in the specified directory\&.
.RE
.PP
krb5_ccache_type = FILE:/tmp/krb5cc_%u
.RS 4
This will create a credential cache file\&.
.RE
.sp
Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded\&. This setting is empty by default\&.
.RE
.PP
cached_login = yes|no
.RS 4
Winbind allows one to logon using cached credentials when
\fIwinbind offline logon\fR
is enabled\&. To use this feature from the PAM module this option must be set\&. Defaults to "no"\&.
.RE
.PP
silent = yes|no
.RS 4
Do not emit any messages\&. Defaults to "no"\&.
.RE
.PP
mkhomedir = yes|no
.RS 4
Create homedirectory for a user on\-the\-fly, option is valid in PAM session block\&. Defaults to "no"\&.
.RE
.PP
warn_pwd_expire = days
.RS 4
Defines number of days before pam_winbind starts to warn about passwords that are going to expire\&. Defaults to 14 days\&.
.RE
.PP
pwd_change_prompt = yes|no
.RS 4
Generate prompt for changing an expired password\&. Defaults to "no"\&.
.RE
.SH "SEE ALSO"
.PP
\fBpam_winbind\fR(8),
\fBwbinfo\fR(1),
\fBwinbindd\fR(8),
\fBsmb.conf\fR(5)
.SH "VERSION"
.PP
This man page is part of version 4\&.16\&.4 of Samba\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
This manpage was written by Jelmer Vernooij and Guenther Deschner\&.