Pluggable Authentication Modules
PAMs provide a system for abstracting authentication and authorization
technologies. With a PAM module, it is possible to specify different
authentication methods for different system applications without
having to recompile these applications. PAM is also useful
for implementing a particular policy for authorization. For example,
a system administrator may only allow console logins from users
stored in the local password file but only allow users resolved from
an NIS database to log in over the network.
Winbind uses the authentication management and password
management PAM interface to integrate Windows NT users into a
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable PDC.
These users can also change their passwords and have
this change take effect directly on the PDC.
PAM is configured by providing control files in the directory
/etc/pam.d/ for each of the services that
require authentication. When an authentication request is made
by an application, the PAM code in the C library looks up this
control file to determine what modules to load to do the
authentication check and in what order. This interface makes adding
a new authentication service for Winbind very easy: simply copy
/lib/security/, and the PAM
control files for relevant services are updated to allow
authentication via Winbind. See the PAM documentation
PAM-Based Distributed Authentication, for more information.