Start documenting undocumented parameters.
authorGünther Deschner <gd@samba.org>
Fri, 28 Apr 2006 08:18:56 +0000 (08:18 +0000)
committerGerald W. Carter <jerry@samba.org>
Wed, 23 Apr 2008 14:01:24 +0000 (09:01 -0500)
Guenther

docs/manpages-3/pam_winbind.7.xml
docs/smbdotconf/winbind/winbindofflinelogon.xml [new file with mode: 0644]
docs/smbdotconf/winbind/winbindrefreshtickets.xml [new file with mode: 0644]

index 98d15d26a84ce4d0645efd28491a1b2d516f1367..861bc323a23e9d3175c0d95a4ea652d339d1f79f 100644 (file)
 <refsect1>
        <title>OPTIONS</title>
        <para>
-               pam_winbind supports several options:
+       
+               pam_winbind supports several options which can either be set in
+               the PAM configuration files or in the pam_winbind configuration
+               file situated at
+               <filename>/etc/security/pam_winbind.conf</filename>. Options
+               from the PAM configuration file take precedence to those from
+               the configuration file.
+
                <variablelist>
 
                <varlistentry>
@@ -41,8 +48,8 @@
                <listitem><para>
                If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
                can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the
-               SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
-               <parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
+               SID. That name must have the form: <parameter>MYDOMAIN\\mygroup</parameter> or
+               <parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
                NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
                user is a member of with <command>wbinfo --user-sids=SID</command>.
                </para></listitem>
                </para></listitem>
                </varlistentry>
 
+               <varlistentry>
+               <term>krb5_auth</term>
+               <listitem><para>
+
+               pam_winbind can authenticate using Kerberos when winbindd is
+               talking to an Active Directory domain controller. Kerberos
+               authentication must be enabled with this parameter. When
+               Kerberos authentication can not succeed (e.g. due to clock
+               skew), winbindd will fallback to samlogon authentication over
+               MSRPC. When this parameter is used in conjunction with
+               <parameter>winbind refresh tickets</parameter>, winbind will
+               keep your Ticket Granting Ticket (TGT) uptodate by refreshing
+               it whenever necessary.
+
+               </para></listitem>
+               </varlistentry>
+
+               <varlistentry>
+               <term>krb5_ccache_type=[type]</term>
+               <listitem><para>
+               
+               When pam_winbind is configured to try kerberos authentication
+               by enabling the <parameter>krb5_auth</parameter> option, it can
+               store the retrieved Ticket Granting Ticket (TGT) in a
+               credential cache. The type of credential cache can be set with
+               this option. Currently the only supported value is:
+               <parameter>FILE</parameter>. In that case a credential cache in
+               the form of /tmp/krb5cc_UID will be created, where UID is
+               replaced with the numeric user id.  Leave empty to just do
+               kerberos authentication without having a ticket cache after the
+               logon has succeeded.
+
+               </para></listitem>
+               </varlistentry>
+       
+               <varlistentry>
+               <term>cached_login</term>
+               <listitem><para>
+               Winbind allows to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set.
+               </para></listitem>
+               </varlistentry>
+
                </variablelist>
 
 
        <refentrytitle>wbinfo</refentrytitle>
        <manvolnum>1</manvolnum></citerefentry>, <citerefentry>
        <refentrytitle>winbindd</refentrytitle>
-       <manvolnum>8</manvolnum></citerefentry></para>
+       <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+       <refentrytitle>smb.conf</refentrytitle>
+       <manvolnum>5</manvolnum></citerefentry></para>
 </refsect1>
 
 <refsect1>
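Review bot: The new `krb5_auth` entry states that winbindd "will fallback to samlogon authentication over MSRPC" when Kerberos cannot succeed, but it does not make clear that this means `krb5_auth` selects Kerberos as the preferred method rather than requiring it, nor whether the fallback can be turned off; a sentence such as `Note that enabling krb5_auth does not make Kerberos mandatory: on Kerberos failure the login is still attempted over MSRPC.` would stop readers from treating it as an enforcement switch (whether a knob exists to disable the fallback is not visible here). In the `krb5_ccache_type` entry, "Leave empty" is ambiguous between omitting the option and writing `krb5_ccache_type=`, and the `/tmp/krb5cc_UID` path is given without saying who owns the created file, which is what a reader deploying it will want stated. In the OPTIONS intro, "take precedence to those from the configuration file" should read "take precedence over those from <filename>/etc/security/pam_winbind.conf</filename>", since "the configuration file" can refer to either. The doubled `</para></listitem>` at the end of the `require_membership_of` entry is in context lines, so it is pre-existing rather than introduced by this change, but it is worth fixing in the same file.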
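diff --git a/docs/smbdotconf/winbind/winbindofflinelogon.xml b/docs/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 0000000..b5a0de1
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="winbind offline logon"
+                 context="G"
+                                type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should
+	allow to login with the <parameter moreinfo="none">pam_winbind</parameter> 
+	module using Cached Credentials. If enabled, winbindd will store user credentials
+	from successful logins encrypted in a local cache.
+	</para>
+
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>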
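Review bot: The description says winbindd stores credentials "encrypted in a local cache" but gives neither the cache location nor what protects it, which is the property a reader weighing this option needs; if that is documented elsewhere a cross-reference belongs here, otherwise the claim should be reduced to what the page can state. It should also point to the pam_winbind `cached_login` option added in the same commit, since the pam_winbind page says that option must be set on the PAM side for cached logons to be used. Wording: "allow to login with the pam_winbind module" reads better as "allow logins through the pam_winbind module", and "Cached Credentials" needs no capitals. The `type="boolean"` attribute is indented differently from the other attributes (same in winbindrefreshtickets.xml), and `developer="1"` marks an administrator-facing option as a developer one, which is worth confirming is intended.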
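diff --git a/docs/smbdotconf/winbind/winbindrefreshtickets.xml b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 0000000..d39cb76
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind refresh tickets"
+                 context="G"
+                                type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+	retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>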
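Review bot: The description does not state the dependency on the PAM side, although the pam_winbind page in this same commit says the TGT is kept up to date only when `krb5_auth` is used together with this parameter; a sentence such as `This parameter only has an effect when pam_winbind is configured with its krb5_auth option.` should be added so the smb.conf reader does not enable it in isolation. It would also help to say which tickets are meant (the Ticket Granting Ticket obtained at logon, per the pam_winbind text) rather than "Kerberos Tickets" in general. The closing `</para>` is at column 0 while the opening tag is indented, and the `type="boolean"` attribute is mis-aligned in the same way as in winbindofflinelogon.xml.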