Authenticating Domain Users Using PAM

From SambaWiki
Revision as of 21:01, 26 February 2017 by Mmuehlfeld (talk | contribs) (Updated category)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


To enable domain users to log in locally or to authenticate to services installed on the domain member, such as SSH, you must enable PAM to use the pam_winbind module.

System Requirements

Before enabling the pam_winbind module:

Adding the pam_winbind Module to the PAM Modules Directory

If you built Samba, you must create a symbolic link to the pam_winbind module in the PAM modules directory. For details, see pam_winbind Link.

Configuring PAM

Using Operating System-specific Utilities

If you distribution provides a utility to configure PAM, do not edit the PAM configuration files manually.

Operating system-specific PAM configuration tools:

  • Red Hat-based operating systems: authconfig-tui and authconfig
  • Debian-based operating systems: pam-auth-update
  • SUSE-based operating systems: yast

See your operating system's documentation for details about using the utilities.

Manually Configuring PAM

To manually configure PAM to enable domain users to authenticate to a service, you must update the service-specific PAM configuration file. For example, to enable SSH authentication for domain users on a Red Hat-based operating system, edit the /etc/pam.d/password-auth-ac configuration file and add the highlighted configuration entries:

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

For further details, see the PAM documentation.