MAN page from openSUSE Leap 42 authconfig-7.0.1-2.1.x86_64.rpm


Section: Maintenance Commands (8)
Updated: 22 July 2011


authconfig, authconfig-tui - an interface for configuring system authentication resources 


authconfig[options] {--update|--updateall|--test|--probe|--restorebackup <name>|--savebackup <name>|--restorelastbackup} 


authconfig provides a simple method of configuring/etc/sysconfig/network to handle NIS, as well as /etc/passwd and/etc/shadow, the files used for shadow password support. Basic LDAP,Kerberos 5, and Winbind client configuration is also provided.

If --test action is specified, the authconfig just reads thecurrent settings from the various configuration files and printstheir values.If --update action is specified, authconfig must be run byroot and configuration changes are saved. Onlythe files affected by the configuration changes are overwritten.If --updateall action is specified, authconfig must be run byroot and all configuration files are written.The --probe action instructs authconfig to use DNS and other meansto guess at configuration information for the current host, print its guessesif it finds them, to standard output, and exit.

The --restorebackup, --savebackup, and --restorelastbackupactions provide a possibility to save and later restore a backup of configurationfiles which authconfig modifies. Authconfig also saves an automatic backup ofconfiguration files before every configuration change. This special backup canbe restored by the --restorelastbackup action.

If --nostart is specified (which is what the install program does),ypbind or other daemons will not be started or stopped immediately followingprogram execution, but only enabled to start or stop at boot time.

The --enablenis, --enableldap, --enablewinbind,and --enablehesiod optionsare used to configure user information services in /etc/nsswitch.conf,the --enablecache option is used to configure naming services caching,and the --enableshadow, --enableldapauth,--enablekrb5, and --enablewinbindauth options are used to configureauthentication functions via /etc/pam.d/system-auth. Each--enable has a matching --disable option that disables the serviceif it is already enabled. The respective services have parameters which configuretheir server names etc.

The algorithm used for storing new password hashes can be specified bythe --passalgo option which takes one of the following possible values asa parameter: descrypt, bigcrypt, md5, sha256, andsha512.

The --enablelocauthorize option allows to bypass checking networkauthentication services for authorization and the --enablesysnetauthallows authentication of system accounts (with uid < 500) by these services.

When the configuration settings allow use of SSSD for user information servicesand authentication, SSSD will be automatically used instead of the legacyservices and the SSSD configuration will be set up so there is a defaultdomain populated with the settings required to connect the services. The --enablesssdand --enablesssdauth options force adding SSSD to /etc/nsswitch.confand /etc/pam.d/system-auth, but they do not set up the domain in theSSSD configuration files. The SSSD configuration has to beset up manually. The allowed configuration of services for SSSD are: LDAP foruser information (--enableldap) and either LDAP (--enableldapauth), orKerberos (--enablekrb5) for authentication. Please note that even thoughthese options alone do not trigger any change in SSSD configuration files thismay not be true if any of these options is used in conjunction with otheroptions such as --enableldap or --updateall.

In case SSSD does not support some feature of the legacy services that arerequired for the site configuration, the use of the legacy services can be forcedby setting FORCELEGACY=yes in /etc/sysconfig/authconfig.

The list of options mentioned here in the manual page is not exhaustive, pleaserefer to authconfig --help for the complete list of the options.

For namelist you may substitute either a single name or a comma-separated list of names. 


The SSSD service is enabled and possibly started by authconfig when at least two ofthe following three conditions are met:
1) /etc/sssd/sssd.conf file exists (or is configured via the implicit SSSD support)
2) SSSD authentication is enabled ( is used in PAM configuration)
3) SSSD is enabled for user identity (nsswitch.conf contains sss)

When --update action is used the enablement or disablement and possible restartof services happens only in case the changed configuration options affect theservice to be restarted. This means that if for example the ypbind service isenabled with authconfig --update --nostart --enablenis but not startedand you run the same command without the --nostart later the ypbindservice will not be started because no configuration change affecting ypbindhappened. 


authconfig returns 0 on success, 1 on backup operation errors,2 if not running with sufficient privileges, 3 if unknown password hash algorithmis specified or incorrect values are set for password strength checking(this error is non fatal), 4 if download of CA certificate fails,5 if writing configuration files fails on --updateall action, 6 if writingfails on --update action, 7 if Winbind domain join fails.



Used to track whether or not particular authentication mechanisms are enabled.Currently includes variables named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH,USEWINBIND, USEWINBINDAUTH, USENIS, USELDAP, and others.
Used for shadow password support.
Configuration file for NIS support.
Another configuration file for NIS support.
Used to configure nss_ldap, pam_ldap, nslcd, and the OpenLDAP library. Onlythe files already existing on the system are modified.
Used to configure Kerberos 5.
Used to configure winbind authentication.
Used to configure user information services.
Used to configure parameters of user accounts (minimum UID of a regular user,password hashing algorithm).
Common PAM configuration for system services which include it using theinclude directive. It is created as symlink and not relinked ifit points to another file.
Contains the actual PAM configuration for system services and is thedefault target of the /etc/pam.d/system-auth symlink. If a local configurationof PAM is created (and symlinked from system-auth file) this file can be includedthere.



authconfig-gtk(8), system-auth-ac(5), passwd(5), shadow(5), pwconv(1),domainname(1), ypbind(8), nsswitch.conf(5), smb.conf(5), sssd(8)



Nalin Dahyabhai <>, Preston Brown <>,Matt Wilson <>, Tomas Mraz <>




This document was created byman2html,using the manual pages.