summaryrefslogtreecommitdiff
path: root/docs-xml/manpages-3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2009-12-18 13:56:01 +0100
committerGünther Deschner <gd@samba.org>2009-12-18 14:03:36 +0100
commit74816678706b7028fa63a4e552887fcf98322711 (patch)
tree54132aef5d7ce7f107b073ee77bca2a7bd071419 /docs-xml/manpages-3
parent19cdcdec096f5d1e3be2707d546715912e3db122 (diff)
downloadsamba-74816678706b7028fa63a4e552887fcf98322711.tar.gz
samba-74816678706b7028fa63a4e552887fcf98322711.tar.bz2
samba-74816678706b7028fa63a4e552887fcf98322711.zip
s3-docs: add new pam_winbind.conf(5) manpage.
Guenther
Diffstat (limited to 'docs-xml/manpages-3')
-rw-r--r--docs-xml/manpages-3/pam_winbind.conf.5.xml190
1 files changed, 190 insertions, 0 deletions
diff --git a/docs-xml/manpages-3/pam_winbind.conf.5.xml b/docs-xml/manpages-3/pam_winbind.conf.5.xml
new file mode 100644
index 0000000000..113515ce84
--- /dev/null
+++ b/docs-xml/manpages-3/pam_winbind.conf.5.xml
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="pam_winbind.conf.5">
+
+<refmeta>
+ <refentrytitle>pam_winbind.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">5</refmiscinfo>
+ <refmiscinfo class="version">3.6</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>pam_winbind.conf</refname>
+ <refpurpose>Configuration file of PAM module for Winbind</refpurpose>
+</refnamediv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This configuration file is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+ <para>
+ pam_winbind.conf is the configuration file for the pam_winbind PAM
+ module. See
+ <citerefentry><refentrytitle>pam_winbind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for further details.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>SYNOPSIS</title>
+
+ <para>
+ The pam_winbind.conf configuration file is a classic ini-style
+ configuration file. There is only one section (global) where
+ various options are defined.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+ <para>
+
+ pam_winbind supports several options which can either be set in
+ the PAM configuration files or in the pam_winbind configuration
+ file situated at
+ <filename>/etc/security/pam_winbind.conf</filename>. Options
+ from the PAM configuration file take precedence to those from
+ the pam_winbind.conf configuration file.
+
+ <variablelist>
+
+ <varlistentry>
+ <term>debug = yes|no</term>
+ <listitem><para>Gives debugging output to syslog. Defaults to "no".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>debug_state = yes|no</term>
+ <listitem><para>Gives detailed PAM state debugging output to syslog. Defaults to "no".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>require_membership_of = [SID or NAME]</term>
+ <listitem><para>
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: <parameter>MYDOMAIN\\mygroup</parameter> or
+ <parameter>MYDOMAIN\\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
+ NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+ user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>try_first_pass = yes|no</term>
+ <listitem><para>
+ By default, pam_winbind tries to get the authentication token from a previous module. If no token is available
+ it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication
+ token from a previous module is available. If a primary password is not valid, PAM will prompt for a password.
+ Default to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_auth = yes|no</term>
+ <listitem><para>
+
+ pam_winbind can authenticate using Kerberos when winbindd is
+ talking to an Active Directory domain controller. Kerberos
+ authentication must be enabled with this parameter. When
+ Kerberos authentication can not succeed (e.g. due to clock
+ skew), winbindd will fallback to samlogon authentication over
+ MSRPC. When this parameter is used in conjunction with
+ <parameter>winbind refresh tickets</parameter>, winbind will
+ keep your Ticket Granting Ticket (TGT) uptodate by refreshing
+ it whenever necessary. Defaults to "no".
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccache_type = [type]</term>
+ <listitem><para>
+
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be set with
+ this option. Currently the only supported value is:
+ <parameter>FILE</parameter>. In that case a credential cache in
+ the form of /tmp/krb5cc_UID will be created, where UID is
+ replaced with the numeric user id. Leave empty to just do
+ kerberos authentication without having a ticket cache after the
+ logon has succeeded. This setting is empty by default.
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>cached_login = yes|no</term>
+ <listitem><para>
+ Winbind allows to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>silent = yes|no</term>
+ <listitem><para>
+ Do not emit any messages. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>mkhomedir = yes|no</term>
+ <listitem><para>
+ Create homedirectory for a user on-the-fly, option is valid in
+ PAM session block. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>warn_pwd_expire = days</term>
+ <listitem><para>
+ Defines number of days before pam_winbind starts to warn about passwords that are
+ going to expire. Defaults to 14 days.
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </para>
+
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>pam_winbind</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>wbinfo</refentrytitle>
+ <manvolnum>1</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 3 of Samba.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by
+ the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
+ </para>
+
+ <para>This manpage was written by Jelmer Vernooij and Guenther Deschner.</para>
+
+</refsect1>
+
+</refentry>