diff options
author | John Terpstra <jht@samba.org> | 2003-04-24 05:21:54 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-04-24 05:21:54 +0000 |
commit | ddd0e5a50622b0a9b6f4605281723ceb519af604 (patch) | |
tree | 883884214fb8c8376f72c669d3344001f6028f39 | |
parent | eae6eb833bba777cc0043f14a44d552f969b9d53 (diff) | |
download | samba-ddd0e5a50622b0a9b6f4605281723ceb519af604.tar.gz samba-ddd0e5a50622b0a9b6f4605281723ceb519af604.tar.bz2 samba-ddd0e5a50622b0a9b6f4605281723ceb519af604.zip |
Updating from HEAD.
(This used to be commit 81203dc95c682d9ef5458a68f8ecbf8db197dba6)
-rw-r--r-- | docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 93 | ||||
-rw-r--r-- | docs/docbook/projdoc/IntroSMB.sgml | 10 | ||||
-rw-r--r-- | docs/docbook/projdoc/NT4Migration.sgml | 18 | ||||
-rw-r--r-- | docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/projdoc/PolicyMgmt.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/projdoc/Portability.sgml | 1 | ||||
-rw-r--r-- | docs/docbook/projdoc/SWAT.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/projdoc/winbind.sgml | 301 |
8 files changed, 234 insertions, 195 deletions
diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index e037da4aeb..841d24b78d 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -3,27 +3,28 @@ <chapterinfo> <author> <firstname>Jean François</firstname><surname>Micouleau</surname> + &person.jerry; </author> </chapterinfo> <title>Configuring Group Mapping</title> -<para> -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -&smbgroupedit;. +<para> +Starting with Samba 3.0 alpha 2, new group mapping functionality +is available to create associations between Windows SIDs and UNIX +groups. The <parameter>groupmap</parameter> subcommand included with +the <command>net</command> tool can be used to manage these associations. </para> <para> -The first immediate reason to use the group mapping on a PDC, is that -the <command>domain admin group</command> of &smb.conf; is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. +The first immediate reason to use the group mapping on a Samba PDC, is that +the <parameter>domain admin group</parameter> &smb.conf; has been removed. +This parameter was used to give the listed users membership in the "Domain Admins" +Windows group which gave local admin rights on their workstations (in +default configurations). </para> <para> -Let me explain how it works on NT/W2K, to have this magic fade away. When installing NT/W2K on a computer, the installer program creates some users and groups. Notably the 'Administrators' group, and gives to that group some privileges like the ability to change the date and time or to kill any process @@ -34,46 +35,70 @@ group privileges. If a 'joe' user is created and become a member of the </para> <para> -When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. +When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the +PDC is added to the local 'Administrators' group of the workstation. Every +member of the 'Domain Administrators' group 'inherit' the +rights of the local 'Administrators' group when logging on the workstation. </para> <para> -You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. +The following steps describe how to make samba PDC users members of the +'Domain Admins' group? </para> -<orderedlist> -<listitem><para>create a unix group (usually in <filename>/etc/group</filename>), let's call it domadm</para></listitem> -<listitem><para>add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <filename>/etc/group</filename> will look like:</para> +<orderedlist> +<listitem><para>create a unix group (usually in <filename>/etc/group</filename>), + let's call it domadm</para></listitem> +<listitem><para>add to this group the users that must be Administrators. For example + if you want joe,john and mary, your entry in <filename>/etc/group</filename> will + look like:</para> -<para><programlisting> -domadm:x:502:joe,john,mary -</programlisting></para> + <para><programlisting> + domadm:x:502:joe,john,mary + </programlisting></para> -</listitem> + </listitem> -<listitem><para>Map this domadm group to the <command>domain admins</command> group by running the command:</para> +<listitem><para>Map this domadm group to the "Domain Admins" group + by running the command:</para> -<para><userinput>smbgroupedit -c "Domain Admins" -u domadm</userinput></para></listitem> + <para><prompt>root# </prompt><userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput></para> + + <para>The quotes around "Domain Admins" are necessary due to the space in the group name. Also make + sure to leave no whitespace surrounding the equal character (=).</para> + </listitem> </orderedlist> -<para>You're set, joe, john and mary are domain administrators !</para> +<para>Now joe, john and mary are domain administrators!</para> <para> -Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running: +It is possible to map any arbitrary UNIX group to any Windows NT +group as well as making any UNIX group a Windows domain group. +For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a +local file or printer on a domain member machine, you would flag +that group as a domain group by running the following on the Samba PDC: </para> -<para><userinput>smbgroupedit -a unixgroup -td</userinput></para> +<para><prompt>root# </prompt><userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput></para> + +<para>Be aware that the rid parmeter is a unsigned 32 bit integer that should +normally start at 1000. However, this rid must not overlap with any RID assigned +to a user. Verifying this is done differently depending on on the passdb backend +you are using. Future versions of the tools may perform the verification automatically, +but for now the burden in on you.</para> + +<para>You can list the various groups in the mapping database by executing +<command>net groupmap list</command>. Here is an example:</para> + +<para><programlisting><prompt>root# </prompt>net groupmap list +System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest +</programlisting></para> -<para>You can list the various groups in the mapping database like this</para> -<para><userinput>smbgroupedit -v</userinput></para> +<para>For complete details on <command>net groupmap</command>, refer to the +net(8) man page.</para> </chapter> diff --git a/docs/docbook/projdoc/IntroSMB.sgml b/docs/docbook/projdoc/IntroSMB.sgml index 5bda59c610..32b18cc8fc 100644 --- a/docs/docbook/projdoc/IntroSMB.sgml +++ b/docs/docbook/projdoc/IntroSMB.sgml @@ -161,8 +161,8 @@ related to Samba: SMBFS and CIFS VFS. These are both available in the Linux ker name space), secure per-user session establishment, safe distributed caching (oplock), optional packet signing, Unicode and other internationalization improvements, and optional Winbind (nsswitch) integration. - </para></listitem> - + </para></listitem> + </itemizedlist> <para> @@ -170,6 +170,12 @@ Again, it's important to note that these are implementations for client filesyst nothing to do with acting as a file and print server for SMB/CIFS clients. </para> +<para> +There are other Open Source CIFS client implementations, such as the jCIFS project +(jcifs.samba.org) which provides an SMB client toolkit written in Java. +</para> + + </sect1> diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 60d9f121f4..469215e32e 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -79,19 +79,19 @@ What are the features that Samba-3 can NOT provide? <itemizedlist> <listitem> - <para>Active Directory Server<para> + <para>Active Directory Server</para> </listitem> <listitem> - <para>Group Policy Objects (in Active Direcrtory)<para> + <para>Group Policy Objects (in Active Direcrtory)</para> </listitem> <listitem> - <para>Machine Policy objects<para> + <para>Machine Policy objects</para> </listitem> <listitem> - <para>Logon Scripts in Active Directorty<para> + <para>Logon Scripts in Active Directorty</para> </listitem> <listitem> - <para>Software Application and Access Controls in Active Directory<para> + <para>Software Application and Access Controls in Active Directory</para> </listitem> </itemizedlist> @@ -309,7 +309,7 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. <step><para>initGrps.sh DOMNAME</para></step> - <step><para>smbgroupedit -v</para> + <step><para>net groupmap list</para> <substeps><step><para>Now check that all groups are recognised</para></step></substeps> </step> @@ -469,7 +469,7 @@ Logon Scripts (Know how they work) User and Group mapping to Unix/Linux username map facility may be needed - Use smbgroupedit to connect NT4 groups to Unix groups + Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP @@ -489,7 +489,7 @@ Migration Tools Profiles, Policies, Access Controls, Security Migration Tools - Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles + Samba: net, rpcclient, smbpasswd, pdbedit, profiles Windows: NT4 Domain User Manager, Server Manager (NEXUS) Authentication @@ -497,6 +497,8 @@ Authentication </programlisting> </para> +</sect2> + </sect1> </chapter> diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index a95baf0281..395bd71a27 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -244,7 +244,7 @@ Options recognized by this module are as follows: password used for successful authentication. smbconf=< file > - specify an alternate path to the smb.conf file. -</programlisting><para> +</programlisting></para> <para><programlisting> Thanks go to the following people: diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 7557d496a4..9ec9d452a7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -310,7 +310,7 @@ Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC <para> With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -<filename>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</filename>. The administrator should read the +<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the man pages for these tools and become familiar with their use. </para> diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index cc21ecf255..72c3d20547 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -229,6 +229,7 @@ Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior is fixed by Sun in patch 113476-05 which as of March 2003 is not in any roll-up packages. </para> +</sect2> </sect1> </chapter> diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 751138f138..0aea999b53 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -134,7 +134,7 @@ Modifications to the swat setup are as following: root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ /usr/share/doc/packages/stunnel/stunnel.cnf \ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem - </programlisting><para></listitem> + </programlisting></para></listitem> <listitem><para> remove swat-entry from [x]inetd diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 1f65e7a8b7..05460e1a61 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -18,6 +18,7 @@ </affiliation> </author> &author.jelmer; + &author.jht; </authorgroup> <pubdate>27 June 2002</pubdate> </chapterinfo> @@ -643,12 +644,12 @@ your PDC. For example, I get the following response: </para> <para><programlisting> -CEO+Administrator -CEO+burdell -CEO+Guest -CEO+jt-ad -CEO+krbtgt -CEO+TsInternetUser + CEO+Administrator + CEO+burdell + CEO+Guest + CEO+jt-ad + CEO+krbtgt + CEO+TsInternetUser </programlisting></para> <para> @@ -663,15 +664,15 @@ the PDC: <para><programlisting> <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command> -CEO+Domain Admins -CEO+Domain Users -CEO+Domain Guests -CEO+Domain Computers -CEO+Domain Controllers -CEO+Cert Publishers -CEO+Schema Admins -CEO+Enterprise Admins -CEO+Group Policy Creator Owners + CEO+Domain Admins + CEO+Domain Users + CEO+Domain Guests + CEO+Domain Computers + CEO+Domain Controllers + CEO+Cert Publishers + CEO+Schema Admins + CEO+Enterprise Admins + CEO+Group Policy Creator Owners </programlisting></para> <para> @@ -710,7 +711,8 @@ The same thing can be done for groups with the command <para> The <command>winbindd</command> daemon needs to start up after the <command>smbd</command> and <command>nmbd</command> daemons are running. -To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and +To accomplish this task, you need to modify the startup scripts of your system. +They are located at <filename>/etc/init.d/smb</filename> in RedHat and <filename>/etc/init.d/samba</filename> in Debian. script to add commands to invoke this daemon in the proper sequence. My startup script starts up <command>smbd</command>, @@ -736,8 +738,8 @@ start() { daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ - RETVAL=1 + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + touch /var/lock/subsys/smb || RETVAL=1 return $RETVAL } </programlisting></para> @@ -776,7 +778,8 @@ stop() { echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + rm -f /var/lock/subsys/smb echo "" return $RETVAL } @@ -796,63 +799,64 @@ the file could contains something like this: </para> <para><programlisting> -## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac + ## + ## samba.server + ## + + if [ ! -d /usr/bin ] + then # /usr not mounted + exit + fi + + killproc() { # kill the named process(es) + pid=`/usr/bin/ps -e | + /usr/bin/grep -w $1 | + /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` + [ "$pid" != "" ] && kill $pid + } + + # Start/stop processes required for samba server + + case "$1" in + + 'start') + # + # Edit these lines to suit your installation (paths, workgroup, host) + # + echo Starting SMBD + /usr/local/samba/bin/smbd -D -s \ + /usr/local/samba/smb.conf + + echo Starting NMBD + /usr/local/samba/bin/nmbd -D -l \ + /usr/local/samba/var/log -s /usr/local/samba/smb.conf + + echo Starting Winbind Daemon + /usr/local/samba/bin/winbindd + ;; + + 'stop') + killproc nmbd + killproc smbd + killproc winbindd + ;; + + *) + echo "Usage: /etc/init.d/samba.server { start | stop }" + ;; + esac </programlisting></para> -<para>Again, if you would like to run samba in dual daemon mode, replace +<para> +Again, if you would like to run samba in dual daemon mode, replace <programlisting> - /usr/local/samba/bin/winbindd + /usr/local/samba/bin/winbindd </programlisting> in the script above with: <programlisting> - /usr/local/samba/bin/winbindd -B + /usr/local/samba/bin/winbindd -B </programlisting> </para> @@ -912,8 +916,8 @@ just left this fileas it was: <para><programlisting> -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_stack.so service=system-auth + account required /lib/security/pam_stack.so service=system-auth </programlisting></para> <para> @@ -928,7 +932,7 @@ and <filename>/etc/xinetd.d/wu-ftp</filename> from </para> <para><programlisting> -enable = no + enable = no </programlisting></para> <para> @@ -936,7 +940,7 @@ to </para> <para><programlisting> -enable = yes + enable = yes </programlisting></para> <para> @@ -956,13 +960,14 @@ changed to look like this: </para> <para><programlisting> -auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_shells.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_listfile.so item=user sense=deny \ + file=/etc/ftpusers onerr=succeed + auth sufficient /lib/security/pam_winbind.so + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_shells.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth </programlisting></para> <para> @@ -971,16 +976,16 @@ same way. It now looks like this: </para> <para><programlisting> -auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_unix.so use_first_pass -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth -session optional /lib/security/pam_console.so + auth required /lib/security/pam_securetty.so + auth sufficient /lib/security/pam_winbind.so + auth sufficient /lib/security/pam_unix.so use_first_pass + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_nologin.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + password required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth + session optional /lib/security/pam_console.so </programlisting></para> <para> @@ -1006,65 +1011,65 @@ nearly impossible to boot. </para> <para><programlisting> -# -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + # + #ident "@(#)pam.conf 1.14 99/09/16 SMI" + # + # Copyright (c) 1996-1999, Sun Microsystems, Inc. + # All Rights Reserved. + # + # PAM configuration + # + # Authentication management + # + login auth required /usr/lib/security/pam_winbind.so + login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass + # + rlogin auth sufficient /usr/lib/security/pam_winbind.so + rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + dtlogin auth sufficient /usr/lib/security/pam_winbind.so + dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + other auth sufficient /usr/lib/security/pam_winbind.so + other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + # Account management + # + login account sufficient /usr/lib/security/pam_winbind.so + login account requisite /usr/lib/security/$ISA/pam_roles.so.1 + login account required /usr/lib/security/$ISA/pam_unix.so.1 + # + dtlogin account sufficient /usr/lib/security/pam_winbind.so + dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 + dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 + # + other account sufficient /usr/lib/security/pam_winbind.so + other account requisite /usr/lib/security/$ISA/pam_roles.so.1 + other account required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Session management + # + other session required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Password management + # + #other password sufficient /usr/lib/security/pam_winbind.so + other password required /usr/lib/security/$ISA/pam_unix.so.1 + dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Support for Kerberos V5 authentication (uncomment to use Kerberos) + # + #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass </programlisting></para> <para> |