WINBINDD(8)
NAME
winbindd - Name Service Switch daemon for resolving names from NT servers
SYNOPSIS
winbindd [ -i ] [ -d <debug level> ] [ -s <smb config file> ]
DESCRIPTION
This program is part of the Samba suite.
winbindd is a daemon that provides a service for the Name Service Switch
capability that is present in most modern C libraries. The Name Service
Switch allows user and system information to be obtained from different
database services such as NIS or DNS. The exact behaviour can be
configured through the /etc/nsswitch.conf file. Users and groups are
allocated, as they are resolved, to a range of user and group ids specified
by the administrator of the Samba system.
The service provided by winbindd is called `winbind' and can be used to
resolve user and group information from a Windows NT server. The service
can also provide authentication services via an associated PAM module.
The pam_winbind module in the 2.2.2 release only supports the auth and
account module-types. The latter simply performs a getpwnam() to verify
that the system can obtain a uid for the user. If the libnss_winbind
library has been correctly installed, this should always succeed.
The following nsswitch databases are implemented by the winbindd service:
hosts
User information traditionally stored in the hosts(5) file and used by
gethostbyname(3) functions. Names are resolved through the WINS server
or by broadcast.
passwd
User information traditionally stored in the passwd(5) file and used
by getpwent(3) functions.
group
Group information traditionally stored in the group(5) file and used
by getgrent(3) functions.
For example, the following simple configuration in the /etc/nsswitch.conf
file can be used to initially resolve user and group information from
/etc/passwd and /etc/group and then from the Windows NT server.
passwd: files winbind
group: files winbind
The following simple configuration in the /etc/nsswitch.conf file can be
used to initially resolve hostnames from /etc/hosts and then from the WINS
server.
OPTIONS
-d debuglevel
Sets the debuglevel to an integer between 0 and 100. 0 is for no
debugging and 100 is for reams and reams. To submit a bug report to
the Samba Team, use debug level 100 (see BUGS.txt).
-i
Tells winbindd to not become a daemon and detach from the current
terminal. This option is used by developers when interactive debugging
of winbindd is required.
NAME AND ID RESOLUTION
Users and groups on a Windows NT server are assigned a relative id (rid)
which is unique for the domain when the user or group is created. To
convert the Windows NT user or group into a unix user or group, a mapping
between rids and unix user and group ids is required. This is one of the
jobs that winbindd performs.
As winbindd users and groups are resolved from a server, user and group ids
are allocated from a specified range. This is done on a first come, first
served basis, although all existing users and groups will be mapped as soon
as a client performs a user or group enumeration command. The allocated
unix ids are stored in a database file under the Samba lock directory and
will be remembered.
WARNING: The rid to unix id database is the only location where the user
and group mappings are stored by winbindd. If this file is deleted or
corrupted, there is no way for winbindd to determine which user and group
ids correspond to Windows NT user and group rids.
CONFIGURATION
Configuration of the winbindd daemon is done through configuration
parameters in the smb.conf(5) file. All parameters should be specified in
the [global] section of smb.conf.
winbind separator
The winbind separator option allows you to specify how NT domain names
and user names are combined into unix user names when presented to
users. By default, winbindd will use the traditional '\' separator so
that the unix user names look like DOMAIN\username. In some cases this
separator character may cause problems as the '\' character has
special meaning in unix shells. In that case you can use the winbind
separator option to specify an alternative separator character. Good
alternatives may be '/' (although that conflicts with the unix
directory separator) or a '+' character. The '+' character appears to
be the best choice for 100% compatibility with existing unix
utilities, but may be an aesthetically bad choice depending on your
taste.
Default: winbind separator = \
Example: winbind separator = +
winbind uid
The winbind uid parameter specifies the range of user ids that are
allocated by the winbindd daemon. This range of ids should have no
existing local or NIS users within it as strange conflicts can occur
otherwise.
Default: winbind uid = <empty string>
Example: winbind uid = 10000-20000
winbind gid
The winbind gid parameter specifies the range of group ids that are
allocated by the winbindd daemon. This range of group ids should have
no existing local or NIS groups within it as strange conflicts can
occur otherwise.
Default: winbind gid = <empty string>
Example: winbind gid = 10000-20000
winbind cache time
This parameter specifies the number of seconds the winbindd daemon will
cache user and group information before querying a Windows NT server
again. When an item in the cache is older than this time winbindd will
ask the domain controller for the sequence number of the server's
account database. If the sequence number has not changed then the
cached item is marked as valid for a further winbind cache time
seconds. Otherwise the item is fetched from the server. This means
that as long as the account database is not actively changing winbindd
will only have to send one sequence number query packet every winbind
cache time seconds.
Default: winbind cache time = 15
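The following Python model is an added illustration of the sequence-number validation just described; it is not code from the Samba man page or from the winbindd source. FakeDomainController is a constructed stand-in for the NT domain controller, and run_scenario() walks one cached user through the cases the text names, counting how many sequence-number queries and full fetches actually leave the cache. It also shows the corner the text implies but does not spell out: a change made while an item is still inside its cache window is not seen until the window expires.

```python
class FakeDomainController:
    """Stand-in for a Windows NT domain controller (constructed for this
    example): it exposes the account database sequence number, serves
    user records, and counts how many of each request it receives."""

    def __init__(self):
        self.seqnum = 1
        self.users = {"DOMAIN\\alice": 1001}   # name -> rid (sample data)
        self.seqnum_queries = 0
        self.fetches = 0

    def query_sequence_number(self):
        self.seqnum_queries += 1
        return self.seqnum

    def fetch_user(self, name):
        self.fetches += 1
        return self.users.get(name)

    def change_account_database(self, name, rid):
        # Any change to the account database bumps the sequence number.
        self.users[name] = rid
        self.seqnum += 1


class WinbindCache:
    """Models the 'winbind cache time' strategy: an item is trusted until it
    is cache_time seconds old; after that only the sequence number is
    requested, and the item is refetched only if that number has moved."""

    def __init__(self, dc, cache_time):
        self.dc = dc
        self.cache_time = cache_time
        self.entries = {}  # name -> (value, seqnum_at_fetch, valid_until)

    def lookup(self, name, now):
        entry = self.entries.get(name)
        if entry is not None and now < entry[2]:
            return entry[0]                      # still fresh: nothing sent
        current = self.dc.query_sequence_number()  # the one small query
        if entry is not None and entry[1] == current:
            # Database unchanged: extend validity without a full refetch.
            self.entries[name] = (entry[0], current, now + self.cache_time)
            return entry[0]
        value = self.dc.fetch_user(name)         # miss or database changed
        self.entries[name] = (value, current, now + self.cache_time)
        return value


def run_scenario(cache_time=15):
    """Drive the cache through the cases the text describes and return
    (label, value returned, seqnum queries so far, fetches so far) per step."""
    dc = FakeDomainController()
    cache = WinbindCache(dc, cache_time)
    trace = []

    def step(label, now):
        value = cache.lookup("DOMAIN\\alice", now)
        trace.append((label, value, dc.seqnum_queries, dc.fetches))

    step("cold miss", 0)                    # seqnum query + fetch
    step("fresh hit", 5)                    # nothing sent
    step("expired, unchanged", 20)          # seqnum query only
    dc.change_account_database("DOMAIN\\alice", 2001)
    step("changed but still cached", 25)    # stale value until window ends
    step("expired, changed", 40)            # seqnum query + refetch
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The fourth step is the caveat to keep in mind when choosing the value: a shorter winbind cache time bounds how long a stale record can be served, at the cost of one sequence-number packet per item per window.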
winbind enum users
On large installations it may be necessary to suppress the enumeration
of users through the setpwent(), getpwent() and endpwent() group of
system calls. If the winbind enum users parameter is false, calls to
the getpwent system call will not return any data.
Warning: Turning off user enumeration may cause some programs to
behave oddly. For example, the finger program relies on having access
to the full user list when searching for matching usernames.
Default: winbind enum users = yes
winbind enum groups
On large installations it may be necessary to suppress the enumeration
of groups through the setgrent(), getgrent() and endgrent() group of
system calls. If the winbind enum groups parameter is false, calls to
the getgrent() system call will not return any data.
Warning: Turning off group enumeration may cause some programs to
behave oddly.
Default: winbind enum groups = no
template homedir
When filling out the user information for a Windows NT user, the
winbindd daemon uses this parameter to fill in the home directory for
that user. If the string %D is present it is substituted with the
user's Windows NT domain name. If the string %U is present it is
substituted with the user's Windows NT user name.
Default: template homedir = /home/%D/%U
template shell
When filling out the user information for a Windows NT user, the
winbindd daemon uses this parameter to fill in the shell for that
user.
Default: template shell = /bin/false
EXAMPLE SETUP
To set up winbindd for user and group lookups plus authentication from a
domain controller use something like the following setup. This was tested
on a RedHat 6.2 Linux box.
In /etc/nsswitch.conf put the following:
passwd: files winbind
group: files winbind
In /etc/pam.d/* replace the auth lines with something like this:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
Note in particular the use of the sufficient keyword and the use_first_pass
keyword.
Now replace the account lines with this:
account required /lib/security/pam_winbind.so
The next step is to join the domain. To do that use the smbpasswd program
like this:
smbpasswd -j DOMAIN -r PDC -U Administrator
The username after the -U can be any Domain user that has administrator
privileges on the machine. Substitute your domain name for "DOMAIN" and
the name of your PDC for "PDC".
Next copy libnss_winbind.so to /lib and pam_winbind.so to /lib/security. A
symbolic link needs to be made from /lib/libnss_winbind.so to
/lib/libnss_winbind.so.2. If you are using an older version of glibc then
the target of the link should be /lib/libnss_winbind.so.1.
Finally, set up an smb.conf containing directives like the following:
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
Now start winbindd and you should find that your user and group database is
expanded to include your NT users and groups, and that you can login to
your unix box as a domain user, using the DOMAIN+user syntax for the
username. You may wish to use the commands getent passwd and getent group
to confirm the correct operation of winbindd.
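As an added worked example (not code from the Samba man page or the winbindd source), the following Python ties the NAME AND ID RESOLUTION section, the winbind separator, winbind uid/gid and template parameters, and the setup above together: it reads the [global] section of the smb.conf shown above, allocates unix ids to (domain, rid) pairs first come, first served from the configured range, and renders the passwd(5) lines that getent passwd would show. IdMap is an in-memory stand-in for winbindd_idmap.tdb, the RIDs and the LOCAL_PASSWD data are constructed sample values, and local_accounts_in_range() is the check the winbind uid description asks for: no existing local account may sit inside the range.

```python
SMB_CONF = """\
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
"""

# Constructed local passwd data; "legacy" sits inside the winbind uid range,
# which the winbind uid description says must not happen.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
legacy:x:10500:100:Old account:/home/legacy:/bin/bash
"""


def parse_global(text):
    """Tiny smb.conf reader: returns the parameters of the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def parse_range(spec):
    """'10000-20000' -> (10000, 20000); rejects empty or inverted ranges."""
    lo, sep, hi = spec.partition("-")
    if not sep or not lo.strip().isdigit() or not hi.strip().isdigit():
        raise ValueError(f"bad id range {spec!r}")
    lo, hi = int(lo), int(hi)
    if lo > hi:
        raise ValueError(f"inverted id range {spec!r}")
    return lo, hi


class IdMap:
    """First-come, first-served allocation of unix ids to (domain, rid)
    pairs; an in-memory stand-in for winbindd_idmap.tdb."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.next_id = lo
        self.by_rid = {}

    def lookup_or_allocate(self, domain, rid):
        key = (domain.upper(), rid)
        if key not in self.by_rid:
            if self.next_id > self.hi:
                raise RuntimeError("winbind id range exhausted")
            self.by_rid[key] = self.next_id
            self.next_id += 1
        return self.by_rid[key]


def expand_template(template, domain, user):
    """Substitute %D and %U as the template homedir description says."""
    return template.replace("%D", domain).replace("%U", user)


def passwd_entry(params, uidmap, gidmap, domain, user, rid, group_rid):
    """Render the passwd(5) line a client would get back from getent passwd."""
    sep = params.get("winbind separator", "\\")
    uid = uidmap.lookup_or_allocate(domain, rid)
    gid = gidmap.lookup_or_allocate(domain, group_rid)
    home = expand_template(params.get("template homedir", "/home/%D/%U"), domain, user)
    shell = params.get("template shell", "/bin/false")
    return f"{domain}{sep}{user}:x:{uid}:{gid}::{home}:{shell}"


def local_accounts_in_range(passwd_text, lo, hi):
    """Names of local accounts whose uid falls inside [lo, hi]."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and lo <= int(fields[2]) <= hi:
            hits.append(fields[0])
    return hits


def demo():
    params = parse_global(SMB_CONF)
    lo, hi = parse_range(params["winbind uid"])
    uidmap = IdMap(lo, hi)
    gidmap = IdMap(*parse_range(params["winbind gid"]))
    # RIDs are constructed sample values (513 is the NT "Domain Users" group).
    entries = [
        passwd_entry(params, uidmap, gidmap, "DOMAIN", "alice", 1001, 513),
        passwd_entry(params, uidmap, gidmap, "DOMAIN", "bob", 1002, 513),
        passwd_entry(params, uidmap, gidmap, "DOMAIN", "alice", 1001, 513),
    ]
    return entries, local_accounts_in_range(LOCAL_PASSWD, lo, hi)


if __name__ == "__main__":
    entries, conflicts = demo()
    print("\n".join(entries))
    print("local accounts inside winbind uid range:", conflicts)
```

Because allocation order decides the id, a second IdMap that sees bob before alice hands bob 10000; that is exactly why the NOTES section says ids differ between machines and why losing winbindd_idmap.tdb loses the mappings.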
NOTES
The following notes are useful when configuring and running winbindd:
nmbd must be running on the local machine for winbindd to work. winbindd
queries the list of trusted domains for the Windows NT server on startup
and when a SIGHUP is received. Thus, for a running winbindd to become
aware of new trust relationships between servers, it must be sent a SIGHUP
signal.
Client processes resolving names through the winbindd nsswitch module read
an environment variable named $WINBINDD_DOMAIN. If this variable contains
a comma separated list of Windows NT domain names, then winbindd will only
resolve users and groups within those Windows NT domains.
PAM is really easy to misconfigure. Make sure you know what you are doing
when modifying PAM configuration files. It is possible to set up PAM such
that you can no longer log into your system.
If more than one UNIX machine is running winbindd, then in general the user
and group ids allocated by winbindd will not be the same. The user and
group ids will only be valid for the local machine.
If the Windows NT RID to UNIX user and group id mapping file is damaged
or destroyed then the mappings will be lost.
SIGNALS
The following signals can be used to manipulate the winbindd daemon.
SIGHUP
Reload the smb.conf(5) file and apply any parameter changes to the
running version of winbindd. This signal also clears any cached user
and group information. The list of other domains trusted by winbindd
is also reloaded.
SIGUSR1
The SIGUSR1 signal will cause winbindd to write status information to
the winbind log file including information about the number of user
and group ids allocated by winbindd.
Log files are stored in the filename specified by the log file
parameter.
FILES
/etc/nsswitch.conf(5)
Name service switch configuration file.
/tmp/.winbindd/pipe
The UNIX pipe over which clients communicate with the winbindd
program. For security reasons, the winbind client will only attempt to
connect to the winbindd daemon if both the /tmp/.winbindd directory
and /tmp/.winbindd/pipe file are owned by root.
/lib/libnss_winbind.so.X
Implementation of name service switch library.
$LOCKDIR/winbindd_idmap.tdb
Storage for the Windows NT rid to UNIX user/group id mapping. The lock
directory is specified when Samba is initially compiled using the
--with-lockdir option. This directory is by default
/usr/local/samba/var/locks.
$LOCKDIR/winbindd_cache.tdb
Storage for cached user and group information.
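The ownership rule given for /tmp/.winbindd/pipe above is the kind of check a client library should make before trusting anything under a world-writable /tmp. The following Python is an added example, not the winbind client's own code: pipe_ownership_ok() applies the rule from the FILES section (directory and pipe both owned by root) using lstat rather than stat, so that a symlink is judged by its own owner and refused; that symlink refusal and the modelling of the pipe as a unix-domain socket are this example's assumptions. The lstat argument is injectable so the constructed tables at the bottom exercise the check without a running winbindd.

```python
import os
import stat
from collections import namedtuple

WINBINDD_DIR = "/tmp/.winbindd"
WINBINDD_PIPE = "/tmp/.winbindd/pipe"


def pipe_ownership_ok(dir_path=WINBINDD_DIR, pipe_path=WINBINDD_PIPE, lstat=os.lstat):
    """Return (ok, reason). Only connect when both the directory and the pipe
    are owned by root; lstat means a symlink planted by another user is
    seen as that user's link and rejected (example's addition)."""
    try:
        d = lstat(dir_path)
        p = lstat(pipe_path)
    except FileNotFoundError:
        return False, "winbindd directory or pipe does not exist"
    if not stat.S_ISDIR(d.st_mode):
        return False, f"{dir_path} is not a directory (or is a symlink)"
    if stat.S_ISLNK(p.st_mode):
        return False, f"{pipe_path} is a symlink"
    if d.st_uid != 0:
        return False, f"{dir_path} owned by uid {d.st_uid}, not root"
    if p.st_uid != 0:
        return False, f"{pipe_path} owned by uid {p.st_uid}, not root"
    return True, "ok"


# Constructed stat results so the check can be exercised offline.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")


def fake_lstat(table):
    """Build an lstat() replacement backed by a path -> FakeStat table."""
    def _lstat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _lstat


# Healthy layout: root-owned directory, root-owned socket (assumed socket type).
GOOD = {
    WINBINDD_DIR: FakeStat(stat.S_IFDIR | 0o755, 0),
    WINBINDD_PIPE: FakeStat(stat.S_IFSOCK | 0o777, 0),
}
# Directory created by an ordinary user (uid 1000) before winbindd started.
NON_ROOT_DIR = {**GOOD, WINBINDD_DIR: FakeStat(stat.S_IFDIR | 0o755, 1000)}
# Pipe path replaced by a symlink.
SYMLINK_PIPE = {**GOOD, WINBINDD_PIPE: FakeStat(stat.S_IFLNK | 0o777, 0)}

if __name__ == "__main__":
    for label, table in (("good", GOOD),
                         ("dir owned by uid 1000", NON_ROOT_DIR),
                         ("pipe is a symlink", SYMLINK_PIPE)):
        print(label, pipe_ownership_ok(lstat=fake_lstat(table)))
    print("live system", pipe_ownership_ok())
```

Run it on a host with winbindd started and the "live system" line reports whether the real /tmp/.winbindd passes the same test the client applies.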
VERSION
This man page is correct for version 2.2 of the Samba suite.
SEE ALSO
nsswitch.conf(5), samba(7), wbinfo(1), smb.conf(5)
AUTHOR
The original Samba software and related utilities were created by Andrew
Tridgell. Samba is now developed by the Samba Team as an Open Source
project similar to the way the Linux kernel is developed.
wbinfo and winbindd were written by Tim Potter.
The conversion to DocBook for Samba 2.2 was done by Gerald Carter.