1 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
2 <!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities;
4 <refentry id="winbindd.8">
7 <refentrytitle>winbindd</refentrytitle>
8 <manvolnum>8</manvolnum>
13 <refname>winbindd</refname>
14 <refpurpose>Name Service Switch daemon for resolving names
15 from NT servers</refpurpose>
20 <command>winbindd</command>
21 <arg choice="opt">-F</arg>
22 <arg choice="opt">-S</arg>
23 <arg choice="opt">-i</arg>
24 <arg choice="opt">-B</arg>
25 <arg choice="opt">-d <debug level></arg>
26 <arg choice="opt">-s <smb config file></arg>
27 <arg choice="opt">-n</arg>
32 <title>DESCRIPTION</title>
34 <para>This program is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
35 <manvolnum>7</manvolnum></citerefentry> suite.</para>
37 <para><command>winbindd</command> is a daemon that provides
38 a service for the Name Service Switch capability that is present
39 in most modern C libraries. The Name Service Switch allows user
40 and system information to be obtained from different databases
41 services such as NIS or DNS. The exact behaviour can be configured
42 throught the <filename>/etc/nsswitch.conf</filename> file.
43 Users and groups are allocated as they are resolved to a range
44 of user and group ids specified by the administrator of the
47 <para>The service provided by <command>winbindd</command> is called `winbind' and
48 can be used to resolve user and group information from a
49 Windows NT server. The service can also provide authentication
50 services via an associated PAM module. </para>
53 The <filename>pam_winbind</filename> module in the 2.2.2 release only
54 supports the <parameter>auth</parameter> and <parameter>account</parameter>
55 module-types. The latter simply
56 performs a getpwnam() to verify that the system can obtain a uid for the
57 user. If the <filename>libnss_winbind</filename> library has been correctly
58 installed, this should always succeed.
61 <para>The following nsswitch databases are implemented by
62 the winbindd service: </para>
67 <listitem><para>User information traditionally stored in
68 the <filename>hosts(5)</filename> file and used by
69 <command>gethostbyname(3)</command> functions. Names are
70 resolved through the WINS server or by broadcast.
76 <listitem><para>User information traditionally stored in
77 the <filename>passwd(5)</filename> file and used by
78 <command>getpwent(3)</command> functions. </para></listitem>
83 <listitem><para>Group information traditionally stored in
84 the <filename>group(5)</filename> file and used by
85 <command>getgrent(3)</command> functions. </para></listitem>
89 <para>For example, the following simple configuration in the
90 <filename>/etc/nsswitch.conf</filename> file can be used to initially
91 resolve user and group information from <filename>/etc/passwd
92 </filename> and <filename>/etc/group</filename> and then from the
97 </programlisting></para>
99 <para>The following simple configuration in the
100 <filename>/etc/nsswitch.conf</filename> file can be used to initially
101 resolve hostnames from <filename>/etc/hosts</filename> and then from the
108 <title>OPTIONS</title>
113 <listitem><para>If specified, this parameter causes
114 the main <command>winbindd</command> process to not daemonize,
115 i.e. double-fork and disassociate with the terminal.
116 Child processes are still created as normal to service
117 each connection request, but the main process does not
118 exit. This operation mode is suitable for running
119 <command>winbindd</command> under process supervisors such
120 as <command>supervise</command> and <command>svscan</command>
121 from Daniel J. Bernstein's <command>daemontools</command>
122 package, or the AIX process monitor.
128 <listitem><para>If specified, this parameter causes
129 <command>winbindd</command> to log to standard output rather
130 than a file.</para></listitem>
138 <listitem><para>Tells <command>winbindd</command> to not
139 become a daemon and detach from the current terminal. This
140 option is used by developers when interactive debugging
141 of <command>winbindd</command> is required.
142 <command>winbindd</command> also logs to standard output,
143 as if the <command>-S</command> parameter had been given.
149 <listitem><para>Disable caching. This means winbindd will
150 always have to wait for a response from the domain controller
151 before it can respond to a client and this thus makes things
152 slower. The results will however be more accurate, since
153 results from the cache might not be up-to-date. This
154 might also temporarily hang winbindd if the DC doesn't respond.
160 <listitem><para>Dual daemon mode. This means winbindd will run
161 as 2 threads. The first will answer all requests from the cache,
162 thus making responses to clients faster. The other will
163 update the cache for the query that the first has just responded.
164 Advantage of this is that responses stay accurate and are faster.
173 <title>NAME AND ID RESOLUTION</title>
175 <para>Users and groups on a Windows NT server are assigned
176 a relative id (rid) which is unique for the domain when the
177 user or group is created. To convert the Windows NT user or group
178 into a unix user or group, a mapping between rids and unix user
179 and group ids is required. This is one of the jobs that <command>
180 winbindd</command> performs. </para>
182 <para>As winbindd users and groups are resolved from a server, user
183 and group ids are allocated from a specified range. This
184 is done on a first come, first served basis, although all existing
185 users and groups will be mapped as soon as a client performs a user
186 or group enumeration command. The allocated unix ids are stored
187 in a database file under the Samba lock directory and will be
190 <para>WARNING: The rid to unix id database is the only location
191 where the user and group mappings are stored by winbindd. If this
192 file is deleted or corrupted, there is no way for winbindd to
193 determine which user and group ids correspond to Windows NT user
194 and group rids. </para>
199 <title>CONFIGURATION</title>
201 <para>Configuration of the <command>winbindd</command> daemon
202 is done through configuration parameters in the <citerefentry>
203 <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
204 </citerefentry> file. All parameters should be specified in the
205 [global] section of smb.conf. </para>
208 <listitem><para><ulink url="smb.conf.5.html#WINBINDSEPARATOR">
209 <parameter>winbind separator</parameter></ulink></para></listitem>
210 <listitem><para><ulink url="smb.conf.5.html#WINBINDUID">
211 <parameter>winbind uid</parameter></ulink></para></listitem>
212 <listitem><para><ulink url="smb.conf.5.html#WINBINDGID">
213 <parameter>winbind gid</parameter></ulink></para></listitem>
214 <listitem><para><ulink url="smb.conf.5.html#WINBINDCACHETIME">
215 <parameter>winbind cache time</parameter></ulink></para></listitem>
216 <listitem><para><ulink url="smb.conf.5.html#WINBINDENUMUSERS">
217 <parameter>winbind enum users</parameter></ulink></para></listitem>
218 <listitem><para><ulink url="smb.conf.5.html#WINBINDENUMGROUPS">
219 <parameter>winbind enum groups</parameter></ulink></para></listitem>
220 <listitem><para><ulink url="smb.conf.5.html#TEMPLATEHOMEDIR">
221 <parameter>template homedir</parameter></ulink></para></listitem>
222 <listitem><para><ulink url="smb.conf.5.html#TEMPLATESHELL">
223 <parameter>template shell</parameter></ulink></para></listitem>
224 <listitem><para><ulink url="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN">
225 <parameter>winbind use default domain</parameter></ulink></para></listitem>
231 <title>EXAMPLE SETUP</title>
233 <para>To setup winbindd for user and group lookups plus
234 authentication from a domain controller use something like the
235 following setup. This was tested on a RedHat 6.2 Linux box. </para>
237 <para>In <filename>/etc/nsswitch.conf</filename> put the
240 passwd: files winbind
242 </programlisting></para>
244 <para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
245 auth</parameter> lines with something like this:
247 auth required /lib/security/pam_securetty.so
248 auth required /lib/security/pam_nologin.so
249 auth sufficient /lib/security/pam_winbind.so
250 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
251 </programlisting></para>
254 <para>Note in particular the use of the <parameter>sufficient
255 </parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
257 <para>Now replace the account lines with this: </para>
259 <para><command>account required /lib/security/pam_winbind.so
262 <para>The next step is to join the domain. To do that use the
263 <command>net</command> program like this: </para>
265 <para><command>net join -S PDC -U Administrator</command></para>
267 <para>The username after the <parameter>-U</parameter> can be any
268 Domain user that has administrator privileges on the machine.
269 Substitute the name or IP of your PDC for "PDC".</para>
271 <para>Next copy <filename>libnss_winbind.so</filename> to
272 <filename>/lib</filename> and <filename>pam_winbind.so
273 </filename> to <filename>/lib/security</filename>. A symbolic link needs to be
274 made from <filename>/lib/libnss_winbind.so</filename> to
275 <filename>/lib/libnss_winbind.so.2</filename>. If you are using an
276 older version of glibc then the target of the link should be
277 <filename>/lib/libnss_winbind.so.1</filename>.</para>
279 <para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
280 <manvolnum>5</manvolnum></citerefentry> containing directives like the
284 winbind separator = +
285 winbind cache time = 10
286 template shell = /bin/bash
287 template homedir = /home/%D/%U
288 winbind uid = 10000-20000
289 winbind gid = 10000-20000
293 </programlisting></para>
296 <para>Now start winbindd and you should find that your user and
297 group database is expanded to include your NT users and groups,
298 and that you can login to your unix box as a domain user, using
299 the DOMAIN+user syntax for the username. You may wish to use the
300 commands <command>getent passwd</command> and <command>getent group
301 </command> to confirm the correct operation of winbindd.</para>
308 <para>The following notes are useful when configuring and
309 running <command>winbindd</command>: </para>
311 <para><citerefentry><refentrytitle>nmbd</refentrytitle>
312 <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
313 for <command>winbindd</command> to work. <command>winbindd</command> queries
314 the list of trusted domains for the Windows NT server
315 on startup and when a SIGHUP is received. Thus, for a running <command>
316 winbindd</command> to become aware of new trust relationships between
317 servers, it must be sent a SIGHUP signal. </para>
319 <para>PAM is really easy to misconfigure. Make sure you know what
320 you are doing when modifying PAM configuration files. It is possible
321 to set up PAM such that you can no longer log into your system. </para>
323 <para>If more than one UNIX machine is running <command>winbindd</command>,
324 then in general the user and groups ids allocated by winbindd will not
325 be the same. The user and group ids will only be valid for the local
328 <para>If the the Windows NT RID to UNIX user and group id mapping
329 file is damaged or destroyed then the mappings will be lost. </para>
334 <title>SIGNALS</title>
336 <para>The following signals can be used to manipulate the
337 <command>winbindd</command> daemon. </para>
342 <listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
343 <manvolnum>5</manvolnum></citerefentry> file and
344 apply any parameter changes to the running
345 version of winbindd. This signal also clears any cached
346 user and group information. The list of other domains trusted
347 by winbindd is also reloaded. </para></listitem>
352 <listitem><para>The SIGUSR1 signal will cause <command>
353 winbindd</command> to write status information to the winbind
354 log file including information about the number of user and
355 group ids allocated by <command>winbindd</command>.</para>
357 <para>Log files are stored in the filename specified by the
358 log file parameter.</para></listitem>
368 <term><filename>/etc/nsswitch.conf(5)</filename></term>
369 <listitem><para>Name service switch configuration file.</para>
374 <term>/tmp/.winbindd/pipe</term>
375 <listitem><para>The UNIX pipe over which clients communicate with
376 the <command>winbindd</command> program. For security reasons, the
377 winbind client will only attempt to connect to the winbindd daemon
378 if both the <filename>/tmp/.winbindd</filename> directory
379 and <filename>/tmp/.winbindd/pipe</filename> file are owned by
380 root. </para></listitem>
384 <term>$LOCKDIR/winbindd_privilaged/pipe</term>
385 <listitem><para>The UNIX pipe over which 'privilaged' clients
386 communicate with the <command>winbindd</command> program. For security
387 reasons, access to some winbindd functions - like those needed by
388 the <command>ntlm_auth</command> utility - is restricted. By default,
389 only users in the 'root' group will get this access, however the administrator
390 may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
391 programs like 'squid' to use ntlm_auth.
392 Note that the winbind client will only attempt to connect to the winbindd daemon
393 if both the <filename>$LOCKDIR/winbindd_privilaged</filename> directory
394 and <filename>$LOCKDIR/winbindd_privilaged/pipe</filename> file are owned by
395 root. </para></listitem>
399 <term>/lib/libnss_winbind.so.X</term>
400 <listitem><para>Implementation of name service switch library.
405 <term>$LOCKDIR/winbindd_idmap.tdb</term>
406 <listitem><para>Storage for the Windows NT rid to UNIX user/group
407 id mapping. The lock directory is specified when Samba is initially
408 compiled using the <parameter>--with-lockdir</parameter> option.
409 This directory is by default <filename>/usr/local/samba/var/locks
410 </filename>. </para></listitem>
414 <term>$LOCKDIR/winbindd_cache.tdb</term>
415 <listitem><para>Storage for cached user and group information.
423 <title>VERSION</title>
425 <para>This man page is correct for version 3.0 of
426 the Samba suite.</para>
430 <title>SEE ALSO</title>
432 <para><filename>nsswitch.conf(5)</filename>, <citerefentry>
433 <refentrytitle>Samba</refentrytitle>
434 <manvolnum>7</manvolnum></citerefentry>, <citerefentry>
435 <refentrytitle>wbinfo</refentrytitle>
436 <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
437 <refentrytitle>smb.conf</refentrytitle>
438 <manvolnum>5</manvolnum></citerefentry></para>
442 <title>AUTHOR</title>
444 <para>The original Samba software and related utilities
445 were created by Andrew Tridgell. Samba is now developed
446 by the Samba Team as an Open Source project similar
447 to the way the Linux kernel is developed.</para>
449 <para><command>wbinfo</command> and <command>winbindd</command> were
450 written by Tim Potter.</para>
452 <para>The conversion to DocBook for Samba 2.2 was done
453 by Gerald Carter. The conversion to DocBook XML 4.2 for
454 Samba 3.0 was done by Alexander Bokovoy.</para>
git.samba.org / ira / wip.git / blob