.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "PAM_WINBIND" 7 "" "" ""
.SH NAME
pam_winbind \- PAM module for Winbind
.SH "DESCRIPTION"
.PP
This tool is part of the \fBsamba\fR(7) suite\&.
.PP
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon\&.
.SH "OPTIONS"
.PP
pam_winbind supports several options which can either be set in the PAM configuration files or in the pam_winbind configuration file situated at \fI/etc/security/pam_winbind\&.conf\fR\&. Options from the PAM configuration file take precedence over those from the configuration file\&.
.TP
debug
Gives debugging output to syslog\&.
.TP
require_membership_of=[SID or NAME]
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME\&. A SID can be either a group\-SID, an alias\-SID or even a user\-SID\&. It is also possible to give a NAME instead of the SID\&. That name must have the form: \fIMYDOMAIN\\\\mygroup\fR or \fIMYDOMAIN\\\\myuser\fR\&. pam_winbind will, in that case, look up the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with \fBwbinfo \-\-user\-sids=SID\fR\&.
.TP
try_first_pass
.TP
use_first_pass
By default, pam_winbind tries to get the authentication token from a previous module\&. If no token is available it asks the user for the old password\&. With this option, pam_winbind aborts with an error if no authentication token from a previous module is available\&.
.TP
use_authtok
Set the new password to the one provided by the previously stacked password module\&. If this option is not set pam_winbind will ask the user for the new password\&.
.TP
krb5_auth
pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller\&. Kerberos authentication must be enabled with this parameter\&. When Kerberos authentication cannot succeed (e\&.g\&. due to clock skew), winbindd will fall back to samlogon authentication over MSRPC\&. When this parameter is used in conjunction with \fIwinbind refresh tickets\fR, winbind will keep your Ticket Granting Ticket (TGT) up to date by refreshing it whenever necessary\&.
.TP
krb5_ccache_type=[type]
When pam_winbind is configured to try Kerberos authentication by enabling the \fIkrb5_auth\fR option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be set with this option\&. Currently the only supported value is: \fIFILE\fR\&. In that case a credential cache in the form of /tmp/krb5cc_UID will be created, where UID is replaced with the numeric user id\&. Leave empty to just do Kerberos authentication without having a ticket cache after the logon has succeeded\&.
.TP
cached_login
Winbind allows logging on with cached credentials when \fIwinbind offline logon\fR is enabled\&. To use this feature from the PAM module this option must be set\&.
.TP
silent
Do not emit any messages\&.
.SH "SEE ALSO"
.PP
\fBwbinfo\fR(1), \fBwinbindd\fR(8), \fBsmb\&.conf\fR(5)
.SH "VERSION"
.PP
This man page is correct for version 3\&.0 of Samba\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
This manpage was written by Jelmer Vernooij and Guenther Deschner\&.
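.SH "EXAMPLES"
.PP
The following is an added example, not part of the original man page or of Samba: a small auditor that reviews the pam_winbind lines of a PAM service file against the options described under OPTIONS\&. It assumes the /etc/pam\&.d line layout (type, control, module, arguments); the function name, the sample file and the placeholder SID are constructed for illustration\&.

```python
import re

# Options documented on this man page; anything else is reported as unknown.
KNOWN = {"debug", "require_membership_of", "try_first_pass", "use_first_pass",
         "use_authtok", "krb5_auth", "krb5_ccache_type", "cached_login", "silent"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample; the SID and the group name are placeholders.
SAMPLE = r"""# constructed /etc/pam.d service file
auth     sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE require_membership_of=S-1-5-21-1111111111-2222222222-3333333333-1105
auth     required   pam_winbind.so debug require_membership_of=MYDOMAIN\sshusers cached_login
account  required   pam_winbind.so
password required   pam_winbind.so use_authtok krb5_ccache_type=KEYRING
"""

def audit_pam_winbind(text):
    """Return (line_no, message) findings for each pam_winbind line in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # drop comments, tokenize
        idx = next((i for i, f in enumerate(fields) if f.endswith("pam_winbind.so")), None)
        if idx is None:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[idx + 1:])
        add = lambda msg: findings.append((no, msg))
        for name in sorted(set(opts) - KNOWN):
            add(f"unknown option {name!r}")
        member = opts.get("require_membership_of")
        if member is None:
            # Assumption: a missing restriction is only reported on auth lines.
            if fields[0].lstrip("-") == "auth":
                add("no require_membership_of here; check pam_winbind.conf")
        elif not SID_RE.match(member):
            add("require_membership_of is a NAME; the page recommends SIDs")
        if "debug" in opts:
            add("debug set: debugging output goes to syslog")
        if "cached_login" in opts:
            add("cached_login set: logon with cached credentials is allowed")
        if "krb5_ccache_type" in opts:
            if opts["krb5_ccache_type"] not in ("", "FILE"):
                add("krb5_ccache_type: only FILE is supported")
            if "krb5_auth" not in opts:
                add("krb5_ccache_type without krb5_auth on this line")
    return findings

if __name__ == "__main__":
    for line_no, message in audit_pam_winbind(SAMPLE):
        print(f"line {line_no}: {message}")
```

Because options in the PAM configuration take precedence over /etc/security/pam_winbind\&.conf, a finding about a missing option on a PAM line should be checked against that file before it is acted on\&.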