'\" te
.\" Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
.TH pam_unix_account 5 "14 Feb 2005" "SunOS 5.11" "Standards, Environments, and Macros"
.SH NAME
pam_unix_account \- PAM account management module for UNIX
.SH SYNOPSIS
.LP
.nf
\fBpam_unix_account.so.1\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpam_unix_account\fR module implements \fBpam_sm_acct_mgmt()\fR, which provides functionality to the PAM account management stack. This module provides functions to:
.RS +4
.TP
.ie t \(bu
.el o
Validate that an authenticated user is allowed to log in to the local user account by checking that the account is not locked or expired
.RE
.RS +4
.TP
.ie t \(bu
.el o
The user's password has not expired and does not need to be changed
.RE
.RS +4
.TP
.ie t \(bu
.el o
Validate that the user is permitted to access the PAM service at the current time and day of the week.
.RE
.RS +4
.TP
.ie t \(bu
.el o
The user's account has not been inactive for too long
.RE
.RS +4
.TP
.ie t \(bu
.el o
The \fB/etc/nologin\fR file is not present for non-root users (see \fBnologin\fR(4))
.RE
.sp
.LP
The module retrieves account information from the configured databases in \fBnsswitch.conf\fR(4).
.sp
.LP
The following options can be passed to the module:
.sp
.ne 2
.mk
.na
\fB\fBdebug\fR\fR
.ad
.RS 17n
.rt  
\fBsyslog\fR(3C) debugging information at the \fBLOG_DEBUG\fR level
.RE

.sp
.ne 2
.mk
.na
\fB\fBnowarn\fR\fR
.ad
.RS 17n
.rt  
Turn off warning messages
.RE

.sp
.ne 2
.mk
.na
\fB\fBserver_policy\fR\fR
.ad
.RS 17n
.rt  
If the account authority for the user, as specified by \fBPAM_USER\fR, is a server, do not apply the Unix policy from the passwd entry in the name service switch.
.RE

.SH ERRORS
.sp
.LP
The following values are returned: 
.sp
.ne 2
.mk
.na
\fB\fBPAM_UNIX_ACCOUNT\fR\fR
.ad
.RS 24n
.rt  
User account has expired
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_AUTHTOK_EXPIRED\fR\fR
.ad
.RS 24n
.rt  
Password expired and no longer usable 
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_BUF_ERR\fR\fR
.ad
.RS 24n
.rt  
Memory buffer error
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_IGNORE\fR\fR
.ad
.RS 24n
.rt  
Ignore module, not participating in result
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_NEW_AUTHTOK_REQD\fR\fR
.ad
.RS 24n
.rt  
Obtain new authentication token from the user 
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_PERM_DENIED\fR\fR
.ad
.RS 24n
.rt  
The account is locked or has been inactive for too long or is not permitted at the current time and day of the week
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_SERVICE_ERR\fR\fR
.ad
.RS 24n
.rt  
Error in underlying service module
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_SUCCESS\fR\fR
.ad
.RS 24n
.rt  
The account is valid for use at this time
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_USER_UNKNOWN\fR\fR
.ad
.RS 24n
.rt  
No account is present for the user
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_LOGINS_DISABLED\fR\fR
.ad
.RS 24n
.rt  
Logins for non-root users are disabled due to the presence of the \fB/etc/nologin\fR file. For more information, see \fBnologin\fR(4) man page.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityCommitted
_
MT LevelMT-Safe with exceptions
.TE

.SH SEE ALSO
.sp
.LP
\fBpam\fR(3PAM), \fBpam_authenticate\fR(3PAM), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBpam.conf\fR(4), \fBnsswitch.conf\fR(4), \fBattributes\fR(5)
.SH NOTES
.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
.sp
.LP
Attempts to validate locked accounts are logged via \fBsyslog\fR(3C) to the \fBLOG_AUTH\fR facility with a \fBLOG_NOTICE\fR severity.