From 59ab1574e41993d24733affbca07d3f7da245fc7 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 15 Jun 2009 12:21:07 +0200 Subject: Move pam_winbind to the right manpage section (8). Signed-off-by: Andreas Schneider --- docs-xml/manpages-3/pam_winbind.7.xml | 260 ---------------------------------- docs-xml/manpages-3/pam_winbind.8.xml | 260 ++++++++++++++++++++++++++++++++++ 2 files changed, 260 insertions(+), 260 deletions(-) delete mode 100644 docs-xml/manpages-3/pam_winbind.7.xml create mode 100644 docs-xml/manpages-3/pam_winbind.8.xml (limited to 'docs-xml/manpages-3') diff --git a/docs-xml/manpages-3/pam_winbind.7.xml b/docs-xml/manpages-3/pam_winbind.7.xml deleted file mode 100644 index 7ceb9d39ce..0000000000 --- a/docs-xml/manpages-3/pam_winbind.7.xml +++ /dev/null @@ -1,260 +0,0 @@ - - - - - - pam_winbind - 7 - Samba - 7 - 3.5 - - - - - pam_winbind - PAM module for Winbind - - - - DESCRIPTION - - This tool is part of the samba - 7 suite. - - - pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. - - - - - - SYNOPSIS - - - Edit the PAM system config /etc/pam.d/service and modify it as the following example shows: - - ... - auth required pam_env.so - auth sufficient pam_unix2.so - +++ auth required pam_winbind.so use_first_pass - account requisite pam_unix2.so - +++ account required pam_winbind.so use_first_pass - +++ password sufficient pam_winbind.so - password requisite pam_pwcheck.so cracklib - password required pam_unix2.so use_authtok - session required pam_unix2.so - +++ session required pam_winbind.so - ... - - - Make sure that pam_winbind is one of the first modules in the session part. It may retrieve - kerberos tickets which are needed by other modules. - - - - - OPTIONS - - - pam_winbind supports several options which can either be set in - the PAM configuration files or in the pam_winbind configuration - file situated at - /etc/security/pam_winbind.conf. Options - from the PAM configuration file take precedence to those from - the configuration file. - - - - - debug - Gives debugging output to syslog. - - - - debug_state - Gives detailed PAM state debugging output to syslog. - - - - require_membership_of=[SID or NAME] - - If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID - can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the - SID. That name must have the form: MYDOMAIN\\mygroup or - MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with wbinfo --user-sids=SID. - - - - - use_first_pass - - By default, pam_winbind tries to get the authentication token from a previous module. If no token is available - it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication - token from a previous module is available. - - - - - try_first_pass - - Same as the use_first_pass option (previous item), except that if the primary password is not - valid, PAM will prompt for a password. - - - - - use_authtok - - Set the new password to the one provided by the previously stacked password module. If this option is not set - pam_winbind will ask the user for the new password. - - - - - krb5_auth - - - pam_winbind can authenticate using Kerberos when winbindd is - talking to an Active Directory domain controller. Kerberos - authentication must be enabled with this parameter. When - Kerberos authentication can not succeed (e.g. due to clock - skew), winbindd will fallback to samlogon authentication over - MSRPC. When this parameter is used in conjunction with - winbind refresh tickets, winbind will - keep your Ticket Granting Ticket (TGT) uptodate by refreshing - it whenever necessary. - - - - - - krb5_ccache_type=[type] - - - When pam_winbind is configured to try kerberos authentication - by enabling the krb5_auth option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - FILE. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. - - - - - - cached_login - - Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. - - - - - silent - - Do not emit any messages. - - - - - mkhomedir - - Create homedirectory for a user on-the-fly, option is valid in - PAM session block. - - - - - warn_pwd_expire - - Defines number of days before pam_winbind starts to warn about passwords that are - going to expire. Defaults to 14 days. - - - - - - - - - - - PAM DATA EXPORTS - - This section describes the data exported in the PAM stack which could be used in other PAM modules. - - - PAM_WINBIND_HOMEDIR - - - This is the Windows Home Directory set in the profile tab in the user settings - on the Active Directory Server. This could be a local path or a directory on a - share mapped to a drive. - - - - - PAM_WINBIND_LOGONSCRIPT - - - The path to the logon script which should be executed if a user logs in. This is - normally a relative path to the script stored on the server. - - - - - PAM_WINBIND_LOGONSERVER - - - This exports the Active Directory server we are authenticating against. This can be - used as a variable later. - - - - - PAM_WINBIND_PROFILEPATH - - - This is the profile path set in the profile tab in the user settings. Noramlly - the home directory is synced with this directory on a share. - - - - - - - SEE ALSO - - wbinfo - 1, - winbindd - 8, - smb.conf - 5 - - - - VERSION - - This man page is correct for version 3 of Samba. - - - - AUTHOR - - - The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by - the Samba Team as an Open Source project similar to the way the Linux kernel is developed. - - - This manpage was written by Jelmer Vernooij and Guenther Deschner. - - - - diff --git a/docs-xml/manpages-3/pam_winbind.8.xml b/docs-xml/manpages-3/pam_winbind.8.xml new file mode 100644 index 0000000000..7ceb9d39ce --- /dev/null +++ b/docs-xml/manpages-3/pam_winbind.8.xml @@ -0,0 +1,260 @@ + + + + + + pam_winbind + 7 + Samba + 7 + 3.5 + + + + + pam_winbind + PAM module for Winbind + + + + DESCRIPTION + + This tool is part of the samba + 7 suite. + + + pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. + + + + + + SYNOPSIS + + + Edit the PAM system config /etc/pam.d/service and modify it as the following example shows: + + ... + auth required pam_env.so + auth sufficient pam_unix2.so + +++ auth required pam_winbind.so use_first_pass + account requisite pam_unix2.so + +++ account required pam_winbind.so use_first_pass + +++ password sufficient pam_winbind.so + password requisite pam_pwcheck.so cracklib + password required pam_unix2.so use_authtok + session required pam_unix2.so + +++ session required pam_winbind.so + ... + + + Make sure that pam_winbind is one of the first modules in the session part. It may retrieve + kerberos tickets which are needed by other modules. + + + + + OPTIONS + + + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + /etc/security/pam_winbind.conf. Options + from the PAM configuration file take precedence to those from + the configuration file. + + + + + debug + Gives debugging output to syslog. + + + + debug_state + Gives detailed PAM state debugging output to syslog. + + + + require_membership_of=[SID or NAME] + + If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID + can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: MYDOMAIN\\mygroup or + MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that + NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a + user is a member of with wbinfo --user-sids=SID. + + + + + use_first_pass + + By default, pam_winbind tries to get the authentication token from a previous module. If no token is available + it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication + token from a previous module is available. + + + + + try_first_pass + + Same as the use_first_pass option (previous item), except that if the primary password is not + valid, PAM will prompt for a password. + + + + + use_authtok + + Set the new password to the one provided by the previously stacked password module. If this option is not set + pam_winbind will ask the user for the new password. + + + + + krb5_auth + + + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + winbind refresh tickets, winbind will + keep your Ticket Granting Ticket (TGT) uptodate by refreshing + it whenever necessary. + + + + + + krb5_ccache_type=[type] + + + When pam_winbind is configured to try kerberos authentication + by enabling the krb5_auth option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be set with + this option. Currently the only supported value is: + FILE. In that case a credential cache in + the form of /tmp/krb5cc_UID will be created, where UID is + replaced with the numeric user id. Leave empty to just do + kerberos authentication without having a ticket cache after the + logon has succeeded. + + + + + + cached_login + + Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. + + + + + silent + + Do not emit any messages. + + + + + mkhomedir + + Create homedirectory for a user on-the-fly, option is valid in + PAM session block. + + + + + warn_pwd_expire + + Defines number of days before pam_winbind starts to warn about passwords that are + going to expire. Defaults to 14 days. + + + + + + + + + + + PAM DATA EXPORTS + + This section describes the data exported in the PAM stack which could be used in other PAM modules. + + + PAM_WINBIND_HOMEDIR + + + This is the Windows Home Directory set in the profile tab in the user settings + on the Active Directory Server. This could be a local path or a directory on a + share mapped to a drive. + + + + + PAM_WINBIND_LOGONSCRIPT + + + The path to the logon script which should be executed if a user logs in. This is + normally a relative path to the script stored on the server. + + + + + PAM_WINBIND_LOGONSERVER + + + This exports the Active Directory server we are authenticating against. This can be + used as a variable later. + + + + + PAM_WINBIND_PROFILEPATH + + + This is the profile path set in the profile tab in the user settings. Noramlly + the home directory is synced with this directory on a share. + + + + + + + SEE ALSO + + wbinfo + 1, + winbindd + 8, + smb.conf + 5 + + + + VERSION + + This man page is correct for version 3 of Samba. + + + + AUTHOR + + + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by + the Samba Team as an Open Source project similar to the way the Linux kernel is developed. + + + This manpage was written by Jelmer Vernooij and Guenther Deschner. + + + + -- cgit