PAM_WINBIND.CONF(5)
NAME
pam_winbind.conf - Configuration file of PAM module for Winbind
DESCRIPTION
This configuration file is part of the samba(7) suite.
pam_winbind.conf is the configuration file for the pam_winbind PAM module. See pam_winbind(8) for further details.
SYNOPSIS
The pam_winbind.conf configuration file is a classic ini-style configuration file. There is only one section (global) where various options are defined.
OPTIONS
pam_winbind supports several options, which can be set either in the PAM configuration files or in the pam_winbind configuration file located at /etc/security/pam_winbind.conf. Options from the PAM configuration file take precedence over those from the pam_winbind.conf configuration file.
debug = yes|no
debug_state = yes|no
require_membership_of = [SID or NAME]
This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).
try_first_pass = yes|no
krb5_auth = yes|no
krb5_ccache_type = [type]
When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. The KEYRING type has limitations: because it is secure kernel memory, bulk storage of credentials, for example, is not possible.
When using the KCM type, the supported mechanism is “KCM:UID”, which uses a Kerberos credential manager to store credentials on a per-UID basis, similar to KEYRING. This is the recommended choice on the latest Linux distributions that offer a Kerberos Credential Manager. Otherwise, we suggest using KEYRING, as that is the most secure and predictable method.
It is also possible to define custom file paths and use the "%u" pattern to substitute the numeric user ID. Examples:
krb5_ccache_type = DIR:/run/user/%u/krb5cc
krb5_ccache_type = FILE:/tmp/krb5cc_%u
Leave empty to perform only Kerberos authentication, without keeping a ticket cache after the logon has succeeded. This setting is empty by default.
cached_login = yes|no
silent = yes|no
mkhomedir = yes|no
warn_pwd_expire = days
pwd_change_prompt = yes|no
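The following is an added example, not part of the Samba man page or the Samba code: a small reviewer's helper that computes the effective options (PAM arguments overriding the [global] section), expands krb5_ccache_type for one UID, and notes the caveats stated above. The sample file, the sample PAM line, the group name and the function names are constructed, and the key=value / bare-flag argument syntax on the PAM line is an assumption.

```python
import configparser
import shlex

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF = """[global]
krb5_auth = yes
krb5_ccache_type = FILE:/tmp/krb5cc_%u
require_membership_of = linux-admins
"""
# Assumption: PAM-line arguments use key=value, and a bare flag means "yes".
SAMPLE_PAM_LINE = "auth sufficient pam_winbind.so krb5_ccache_type=KEYRING try_first_pass"

def effective_options(conf_text, pam_line):
    """Merge [global] options with PAM-line arguments; PAM arguments win."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    opts = dict(cp["global"]) if cp.has_section("global") else {}
    args = shlex.split(pam_line)
    idx = next((i for i, a in enumerate(args) if a.endswith("pam_winbind.so")), None)
    for arg in (args[idx + 1:] if idx is not None else []):
        key, sep, value = arg.partition("=")
        opts[key.lower()] = value if sep else "yes"
    return opts

def resolve_ccache(ccache_type, uid):
    """Expand krb5_ccache_type for one UID, following the man page text."""
    if not ccache_type:
        return None  # empty: Kerberos authentication only, no ticket cache kept
    kind = ccache_type.split(":", 1)[0].upper()
    if kind == "KEYRING":
        return f"KEYRING:persistent:{uid}"
    if kind == "KCM":
        return f"KCM:{uid}"
    return ccache_type.replace("%u", str(uid))  # custom path, %u -> numeric UID

def review(conf_text, pam_line, uid):
    opts = effective_options(conf_text, pam_line)
    cc = resolve_ccache(opts.get("krb5_ccache_type", ""), uid)
    notes = []
    if cc is None:
        notes.append("no ticket cache is kept after logon")
    elif not cc.startswith(("KEYRING:", "KCM:")):
        notes.append(f"path-based cache {cc}; the page recommends KCM, else KEYRING")
    if opts.get("require_membership_of"):
        notes.append("require_membership_of only restricts password authentication")
    return opts, cc, notes

if __name__ == "__main__":
    print(review(SAMPLE_CONF, SAMPLE_PAM_LINE, 1000))
```

Running the review with an empty PAM line shows what the file alone would yield, which makes it easy to spot a PAM argument silently overriding the value an administrator set in pam_winbind.conf.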
SEE ALSO
VERSION
This man page is part of version 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1 of Samba.
AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
This manpage was written by Jelmer Vernooij and Guenther Deschner.
12/01/2024 | Samba 4.21.2-Debian-4.21.2+dfs |