
A.5. Users, Groups and Authentication

The commands below are used to control user accounts, groups, and related areas.

A.5.1. auth or authconfig (optional) - Configure Authentication

Sets up the authentication options for the system using the authconfig command, which can also be run on a command line after the installation finishes. See the authconfig(8) manual page and the authconfig --help command for more details. Passwords are shadowed by default.
auth [--enablenis | --nisdomain= | --nisserver= | --enableshadow | --enableldap | --enableldapauth | --ldapserver= | --ldapbasedn= | --enableldaptls | --disableldaptls | --enablekrb5 | --krb5realm= | --krb5kdc= | --krb5adminserver= | --enablehesiod | --hesiodlhs= | --hesiodrhs= | --enablesmbauth | --smbservers= | --smbworkgroup= | --enablecache | --passalgo=]
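A complete auth line using the synopsis above, added here as an example rather than taken from the original page: a workstation that takes account data (UIDs, home directories, shells) from an LDAP directory over TLS and authenticates users through Kerberos. The hostnames, realm and base DN are placeholders. Kerberos handles authentication, so --enableldapauth is not needed, and --enableldaptls keeps the directory lookups encrypted.

```kickstart
# Added example, not from the original page. ldap.example.com, EXAMPLE.COM,
# the KDC names and the base DN are assumed values; replace them with your own.
auth --enableshadow --passalgo=sha512 --enableldap --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --enableldaptls --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=kdc1.example.com,kdc2.example.com --krb5adminserver=kdc1.example.com --enablecache
```

The whole command stays on one line in the kickstart file. After installation the same options can be replayed with `authconfig ... --update` to reconfigure a running system.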
--enablenis
Turns on NIS support. By default, --enablenis uses whatever domain it finds on the network, so the domain should almost always be set by hand with the --nisdomain= option. Note that NIS traffic is neither authenticated nor encrypted, so it is only suitable on a trusted network.
--nisdomain=
NIS domain name to use for NIS services.
--nisserver=
Server to use for NIS services (broadcasts by default).
--useshadow or --enableshadow
Use shadow passwords. Active by default.
--enableldap
Turns on LDAP support in /etc/nsswitch.conf, allowing your system to retrieve information about users (for example, their UIDs, home directories, and shells) from an LDAP directory. To use this option, you must install the nss-pam-ldapd package. You must also specify a server and a base DN (distinguished name) with --ldapserver= and --ldapbasedn=.
--enableldapauth
Use LDAP as an authentication method. This enables the pam_ldap module for authentication and changing passwords, using an LDAP directory. To use this option, you must have the nss-pam-ldapd package installed. You must also specify a server and a base DN with --ldapserver= and --ldapbasedn=. If your environment does not use TLS (Transport Layer Security), use the --disableldaptls switch to ensure that the resulting configuration file works.
--ldapserver=
If you specified either --enableldap or --enableldapauth, use this option to specify the name of the LDAP server to use. This option is set in the /etc/ldap.conf file.
--ldapbasedn=
If you specified either --enableldap or --enableldapauth, use this option to specify the DN in your LDAP directory tree under which user information is stored. This option is set in the /etc/ldap.conf file.
--enableldaptls
Use TLS (Transport Layer Security) for LDAP lookups. With this option the connection to the LDAP server is encrypted, so usernames and passwords sent during authentication do not cross the network in cleartext.
--disableldaptls
Do not use TLS (Transport Layer Security) lookups in an environment that uses LDAP for authentication. Without TLS, credentials sent to the LDAP server for authentication travel in cleartext, so use this only on a trusted network or where LDAP is used for account lookups only.
--enablekrb5
Use Kerberos 5 for authenticating users. Kerberos itself does not know about home directories, UIDs, or shells. If you enable Kerberos, you must make users' accounts known to this workstation by enabling LDAP, NIS, or Hesiod or by using the useradd command. If you use this option, you must have the pam_krb5 package installed.
--krb5realm=
The Kerberos 5 realm to which your workstation belongs.
--krb5kdc=
The KDC (or KDCs) that serve requests for the realm. If you have multiple KDCs in your realm, use a comma-separated list without spaces.
--krb5adminserver=
The KDC in your realm that is also running kadmind. This server handles password changing and other administrative requests. This server must be run on the master KDC if you have more than one KDC.
--enablehesiod
Enables Hesiod support for looking up user home directories, UIDs, and shells. More information on setting up and using Hesiod on your network is in /usr/share/doc/glibc-2.x.x/README.hesiod, which is included in the glibc package. Hesiod is an extension of DNS that uses DNS records to store information about users, groups, and various other items.
--hesiodlhs= and --hesiodrhs=
The Hesiod LHS (left-hand side) and RHS (right-hand side) values, set in /etc/hesiod.conf. The Hesiod library uses these values to search DNS for a name, similar to the way that LDAP uses a base DN.
To look up user information for the username jim, the Hesiod library looks up jim.passwd<LHS><RHS>, which should resolve to a TXT record that contains a string identical to an entry for that user in the passwd file: jim:*:501:501:Jungle Jim:/home/jim:/bin/bash. To look up groups, the Hesiod library looks up jim.group<LHS><RHS> instead.
To look up users and groups by number, make 501.uid a CNAME for jim.passwd, and 501.gid a CNAME for jim.group. Note that the library does not place a period (.) in front of the LHS and RHS values when performing a search. Therefore, if the LHS and RHS values need to have a period placed in front of them, you must include the period in the values you set for --hesiodlhs= and --hesiodrhs=.
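The DNS records that the two paragraphs above describe, written out as a BIND zone fragment. This is an added example, not taken from the original page: it assumes --hesiodlhs=.ns and --hesiodrhs=.example.com (both values carrying the leading period the text requires), so a lookup for user jim becomes jim.passwd.ns.example.com. The zone name and the group entry are assumed.

```zone
; Added example, not from the original page. Assumes LHS ".ns" and RHS ".example.com".
$ORIGIN ns.example.com.
jim.passwd   IN TXT   "jim:*:501:501:Jungle Jim:/home/jim:/bin/bash"
jim.group    IN TXT   "jim:*:501:"
501.uid      IN CNAME jim.passwd
501.gid      IN CNAME jim.group
```

The TXT data is the literal passwd or group line, and the numeric CNAMEs let getpwuid() and getgrgid() resolve to the same records. Because Hesiod is plain DNS, these records are public and unauthenticated: anything placed in them (including the password field, which should stay as "*") is readable by anyone who can query the zone.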
--enablesmbauth
Enables authentication of users against an SMB server (typically a Samba or Windows server). SMB authentication support does not know about home directories, UIDs, or shells. If you enable SMB, you must make users' accounts known to the workstation by enabling LDAP, NIS, or Hesiod or by using the useradd command.
--smbservers=
The name of the servers to use for SMB authentication. To specify more than one server, separate the names with commas (,).
--smbworkgroup=
The name of the workgroup for the SMB servers.
--enablecache
Enables the nscd service. The nscd service caches information about users, groups, and various other types of information. Caching is especially helpful if you choose to distribute information about users and groups over your network using NIS, LDAP, or Hesiod.
--passalgo=
Specify sha256 to set up the SHA-256 hashing algorithm or sha512 to set up the SHA-512 hashing algorithm for local passwords. The setting applies to passwords set or changed after it takes effect; hashes that already exist in /etc/shadow keep their old algorithm until the password is changed. Prefer sha512 unless something in your environment requires sha256.
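A way to verify that --passalgo= actually took effect on an installed system: inspect the crypt(3) prefix of each hash field in /etc/shadow ($6$ is SHA-512, $5$ is SHA-256, $1$ is MD5, no prefix is traditional DES). The script below is an added example, not part of the original page or of authconfig; it runs against a constructed sample file so it can be tried offline, and the same audit_shadow function can be pointed at /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original page: report the hashing algorithm
# each shadow entry uses, so the effect of --passalgo= can be checked.

# Map the crypt(3) prefix of a shadow hash field to an algorithm name.
shadow_hash_algo() {
    case "$1" in
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$1$'*) echo md5 ;;
        '!'*|'*'|'') echo locked ;;        # locked or passwordless: nothing to judge
        *) echo des-or-unknown ;;          # 13-char traditional DES or unrecognised
    esac
}

# Print "user algorithm" for every entry in a shadow-format file.
# Returns 1 if any active account uses something weaker than SHA-256.
audit_shadow() {
    rc=0
    while IFS=: read -r user hash _rest; do
        algo=$(shadow_hash_algo "$hash")
        echo "$user $algo"
        case "$algo" in
            md5|des-or-unknown) rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample shadow file (not real hashes) for offline testing.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$hashhashhashhash:18000:0:99999:7:::
jim:$5$saltsalt$hashhashhashhash:18000:0:99999:7:::
legacy:$1$saltsalt$hashhash:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
EOF
}

# Demonstration on the constructed sample; on a real host run: audit_shadow /etc/shadow
sample=$(mktemp)
make_sample_shadow "$sample"
if audit_shadow "$sample"; then
    echo "all active accounts use SHA-256 or SHA-512"
else
    echo "weak hashes found: re-set those passwords after applying --passalgo=sha512"
fi
rm -f "$sample"
```

The audit reports the "legacy" account as md5 and exits non-zero, which is the case the caveat above describes: the algorithm change only reaches an account once its password is set again.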