Authenticating Domain Users Using PAM

From SambaWiki
Revision as of 16:25, 17 December 2016 by Mmuehlfeld (talk | contribs) (Added new page "Authenticating Domain Users Using PAM")

To enable domain users to log in locally or to authenticate to services installed on the domain member, such as SSH, you must enable PAM to use the pam_winbind module.

System Requirements

Before enabling the pam_winbind module, join the machine to the domain and configure the name service switch (NSS) to use the Winbind library. For details, see:

Adding the pam_winbind Module to the PAM Modules Directory

If you built Samba from source rather than installing distribution packages, you must create a symbolic link to the pam_winbind module in the PAM modules directory. For details, see pam_winbind Link.

Configuring PAM

Using Operating System-specific Utilities

If your distribution provides a utility to configure PAM, use it and do not edit the PAM configuration files manually.

Operating system-specific PAM configuration tools:

  • Red Hat-based operating systems: authconfig-tui and authconfig
  • Debian-based operating systems: pam-auth-update
  • SUSE-based operating systems: yast

See your operating system's documentation for details about using the utilities.

Manually Configuring PAM

To manually configure PAM to enable domain users to authenticate to a service, you must update the service-specific PAM configuration file. For example, to enable SSH authentication for domain users on a Red Hat-based operating system, edit the /etc/pam.d/password-auth-ac configuration file and add the highlighted configuration entries, which are the lines that call the pam_winbind module:

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
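As an added check that is not part of the Samba page, the following Python snippet parses a PAM stack file and reports whether pam_winbind.so is present in the auth, account and password stacks and whether it sits before the terminating pam_deny.so entry, where it would otherwise never be consulted. The sample file is constructed here; its module names (pam_env.so, pam_unix.so, pam_succeed_if.so, pam_localuser.so, pam_pwquality.so, pam_deny.so, pam_permit.so, pam_keyinit.so, pam_limits.so) are assumed from a typical Red Hat password-auth layout and are not taken from the page.

```python
import re

# Constructed sample of a Red Hat-style password-auth file with pam_winbind
# lines added; module names are assumed, the page's snippet omits them.
SAMPLE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# type, control (plain keyword or bracketed [key=value ...]), module, args
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries

def check_winbind(text):
    """List stacks where pam_winbind.so is missing or unreachable. An entry
    placed after the terminating pam_deny.so is never consulted, so domain
    users would still be rejected even though the module is configured."""
    findings = []
    entries = parse_pam(text)
    for stack in ("auth", "account", "password"):
        mods = [mod for typ, _, mod, _ in entries if typ == stack]
        if "pam_winbind.so" not in mods:
            findings.append(f"{stack}: no pam_winbind.so entry")
        elif "pam_deny.so" in mods and mods.index("pam_winbind.so") > mods.index("pam_deny.so"):
            findings.append(f"{stack}: pam_winbind.so listed after pam_deny.so")
    return findings
```

Running check_winbind over the contents of /etc/pam.d/password-auth-ac after editing returns an empty list when the pam_winbind entries are in place and reachable.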

For further details, see the PAM documentation.