From fd3d104d9b5dc74cd82377e35ce77bf5e1029930 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 Jul 2020 11:48:26 +0200 Subject: [PATCH 1/2] docs: Fix documentation for require_membership_of of pam_winbind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971) --- docs-xml/manpages/pam_winbind.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml index 622e9e188d9..32030ef0ecc 100644 --- a/docs-xml/manpages/pam_winbind.8.xml +++ b/docs-xml/manpages/pam_winbind.8.xml @@ -84,9 +84,11 @@ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: MYDOMAIN\mygroup or - MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with wbinfo --user-sids=SID. + MYDOMAIN\myuser (where '\' character corresponds to the value of + winbind separator parameter). It is also possible to use a UPN in the form + user@REALM or group@REALM. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can + verify the list of SIDs a user is a member of with wbinfo --user-sids=SID. -- 2.27.0 From 66352fd787425edcd1d744a8927c886acfdce802 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 17 Jul 2020 12:14:16 +0200 Subject: [PATCH 2/2] docs: Fix documentation for require_membership_of of pam_winbind.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 
Signed-off-by: Andreas Schneider Reviewed-by: Isaac Boukris (cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01) --- docs-xml/manpages/pam_winbind.conf.5.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index c4a7771fb31..0bc288f91a1 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml @@ -69,9 +69,12 @@ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: MYDOMAIN\mygroup or - MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with wbinfo --user-sids=SID. This setting is empty by default. + MYDOMAIN\myuser (where '\' character corresponds to the value of + winbind separator parameter). It is also possible to use a UPN in the form + user@REALM or group@REALM. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can + verify the list of SIDs a user is a member of with wbinfo --user-sids=SID. + This setting is empty by default. This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login). -- 2.27.0
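Review bot: In the docs-xml/manpages/pam_winbind.8.xml hunk (patch 1/2), the unchanged lead-in "That name must have the form: MYDOMAIN\mygroup or MYDOMAIN\myuser" now conflicts with the added sentence "It is also possible to use a UPN in the form user@REALM or group@REALM", because "must" no longer holds once a second form is accepted. Suggest rewording the lead-in so that both accepted forms are listed in one sentence instead of stating a requirement and then an exception. Two smaller wording points in the added lines: "where '\' character" is missing "the", and the reference to the "winbind separator parameter" would be easier to act on if it named the configuration file where that parameter is set.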
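Review bot: In the docs-xml/manpages/pam_winbind.conf.5.xml hunk (patch 2/2), the sentence "pam_winbind will, in that case, lookup the SID internally" now covers two name forms (MYDOMAIN\name and name@REALM) but still does not say what happens when that lookup fails. Since require_membership_of restricts who can authenticate, the page should state the outcome for a NAME or UPN that cannot be resolved to a SID, for instance one written with a separator that does not match the configured value, so an administrator knows how a typo in this setting behaves. That would also give the existing advice "It is thus recommended to only use SIDs" a stated reason beyond the no-spaces limitation. Minor: "lookup" used as a verb should be "look up".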