Authenticating Domain Users Using PAM

From SambaWiki


To enable domain users to log in locally or to authenticate to services installed on the domain member, such as SSH, you must enable PAM to use the pam_winbind module.

System Requirements

Before enabling the pam_winbind module:

Adding the pam_winbind Module to the PAM Modules Directory

If you built Samba, you must create a symbolic link to the pam_winbind module in the PAM modules directory. For details, see pam_winbind Link.

Configuring PAM

Using Operating System-specific Utilities

If your distribution provides a utility to configure PAM, use it rather than editing the PAM configuration files manually.

Operating system-specific PAM configuration tools:

  • Red Hat-based operating systems: authconfig-tui and authconfig
  • Debian-based operating systems: pam-auth-update
  • SUSE-based operating systems: yast

See your operating system's documentation for details about using the utilities.

Manually Configuring PAM

To manually configure PAM so that domain users can authenticate to a service, you must update that service's PAM configuration file. For example, to enable SSH authentication for domain users on a Red Hat-based operating system, edit the /etc/pam.d/password-auth-ac configuration file and add the pam_winbind entries to the auth, account and password stacks, so that the file contains the following configuration:

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

For further details, see the PAM documentation.
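After editing a PAM service file by hand it is worth checking that pam_winbind actually ends up in each stack, and that it is consulted before the stack fails closed. The following script is an added example, not code from the SambaWiki page or from Samba itself; it assumes a Red Hat-style layout in which pam_deny.so closes the auth and password stacks, and it runs its checks against a small constructed sample file rather than a live /etc/pam.d entry.

```shell
#!/bin/sh
# Constructed sample PAM service file (assumed Red Hat-style layout, written
# here only so the checks can run offline; point the functions at a real
# /etc/pam.d file to check an actual domain member).
SAMPLE_PAM_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_PAM_FILE"' EXIT
cat > "$SAMPLE_PAM_FILE" <<'EOF'
# constructed sample: password stack deliberately lacks pam_winbind
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF

# winbind_groups FILE: print each management group (auth/account/password/
# session) whose stack contains a pam_winbind.so line, sorted, one per line.
# Comments are stripped and a leading '-' (optional module) is ignored.
winbind_groups() {
    sed 's/#.*//' "$1" |
        awk '$1 != "" { g = $1; sub(/^-/, "", g); if ($0 ~ /pam_winbind\.so/) print g }' |
        sort -u
}

# missing_winbind FILE: print the groups among auth, account and password
# that have no pam_winbind.so line; domain logins need all three.
missing_winbind() {
    for g in auth account password; do
        grep -v '^[[:space:]]*#' "$1" |
            grep -Eq "^-?${g}[[:space:]].*pam_winbind\.so" || echo "$g"
    done
}

# winbind_before_deny FILE GROUP: succeed only if pam_winbind.so appears in
# GROUP before the closing pam_deny.so, i.e. domain users are authenticated
# before the stack denies everything that earlier modules did not accept.
winbind_before_deny() {
    grep -v '^[[:space:]]*#' "$1" | awk -v g="$2" '
        $1 == g && /pam_winbind\.so/ { w = NR }
        $1 == g && /pam_deny\.so/    { d = NR }
        END { exit !(w && d && w < d) }'
}

missing_winbind "$SAMPLE_PAM_FILE"   # on the sample this reports: password
```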