6 <firstname>Tim</firstname><surname>Potter</surname>
8 <orgname>Samba Team</orgname>
9 <address><email>tpot@linuxcare.com.au</email></address>
15 <firstname>Naag</firstname><surname>Mummaneni</surname>
17 <address><email>getnag@rediffmail.com</email></address>
22 <pubdate>27 June 2002</pubdate>
25 <title>Unified Logons between Windows NT and UNIX using Winbind</title>
28 <title>Abstract</title>
30 <para>Integration of UNIX and Microsoft Windows NT through
31 a unified logon has been considered a "holy grail" in heterogeneous
32 computing environments for a long time. We present
33 <emphasis>winbind</emphasis>, a component of the Samba suite
34 of programs as a solution to the unified logon problem. Winbind
35 uses a UNIX implementation
36 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
37 Service Switch to allow Windows NT domain users to appear and operate
38 as UNIX users on a UNIX machine. This paper describes the winbind
39 system, explaining the functionality it provides, how it is configured,
40 and how it works internally.</para>
45 <title>Introduction</title>
47 <para>It is well known that UNIX and Microsoft Windows NT have
48 different models for representing user and group information and
49 use different technologies for implementing them. This fact has
50 made it difficult to integrate the two systems in a satisfactory
53 <para>One common solution in use today has been to create
54 identically named user accounts on both the UNIX and Windows systems
55 and use the Samba suite of programs to provide file and print services
56 between the two. This solution is far from perfect however, as
57 adding and deleting users on both sets of machines becomes a chore
58 and two sets of passwords are required both of which
59 can lead to synchronization problems between the UNIX and Windows
60 systems and confusion for users.</para>
62 <para>We divide the unified logon problem for UNIX machines into
63 three smaller problems:</para>
66 <listitem><para>Obtaining Windows NT user and group information
69 <listitem><para>Authenticating Windows NT users
72 <listitem><para>Password changing for Windows NT users
77 <para>Ideally, a prospective solution to the unified logon problem
78 would satisfy all the above components without duplication of
79 information on the UNIX machines and without creating additional
80 tasks for the system administrator when maintaining users and
81 groups on either system. The winbind system provides a simple
82 and elegant solution to all three components of the unified logon
88 <title>What Winbind Provides</title>
90 <para>Winbind unifies UNIX and Windows NT account management by
91 allowing a UNIX box to become a full member of a NT domain. Once
92 this is done the UNIX box will see NT users and groups as if
93 they were native UNIX users and groups, allowing the NT domain
94 to be used in much the same manner that NIS+ is used within
95 UNIX-only environments.</para>
97 <para>The end result is that whenever any
98 program on the UNIX machine asks the operating system to lookup
99 a user or group name, the query will be resolved by asking the
100 NT domain controller for the specified domain to do the lookup.
101 Because Winbind hooks into the operating system at a low level
102 (via the NSS name resolution modules in the C library) this
103 redirection to the NT domain controller is completely
106 <para>Users on the UNIX machine can then use NT user and group
107 names as they would use "native" UNIX names. They can chown files
108 so that they are owned by NT domain users or even login to the
109 UNIX machine and run a UNIX X-Window session as a domain user.</para>
111 <para>The only obvious indication that Winbind is being used is
112 that user and group names take the form DOMAIN\user and
113 DOMAIN\group. This is necessary as it allows Winbind to determine
114 that redirection to a domain controller is wanted for a particular
115 lookup and which trusted domain is being referenced.</para>
117 <para>Additionally, Winbind provides an authentication service
118 that hooks into the Pluggable Authentication Modules (PAM) system
119 to provide authentication via a NT domain to any PAM enabled
120 applications. This capability solves the problem of synchronizing
121 passwords between systems since all passwords are stored in a single
122 location (on the domain controller).</para>
125 <title>Target Uses</title>
127 <para>Winbind is targeted at organizations that have an
128 existing NT based domain infrastructure into which they wish
129 to put UNIX workstations or servers. Winbind will allow these
130 organizations to deploy UNIX workstations without having to
131 maintain a separate account infrastructure. This greatly
132 simplifies the administrative overhead of deploying UNIX
133 workstations into a NT based organization.</para>
135 <para>Another interesting way in which we expect Winbind to
136 be used is as a central part of UNIX based appliances. Appliances
137 that provide file and print services to Microsoft based networks
138 will be able to use Winbind to provide seamless integration of
139 the appliance into the domain.</para>
146 <title>How Winbind Works</title>
148 <para>The winbind system is designed around a client/server
149 architecture. A long running <command>winbindd</command> daemon
150 listens on a UNIX domain socket waiting for requests
151 to arrive. These requests are generated by the NSS and PAM
152 clients and processed sequentially.</para>
154 <para>The technologies used to implement winbind are described
155 in detail below.</para>
158 <title>Microsoft Remote Procedure Calls</title>
160 <para>Over the last few years, efforts have been underway
161 by various Samba Team members to decode various aspects of
162 the Microsoft Remote Procedure Call (MSRPC) system. This
163 system is used for most network related operations between
164 Windows NT machines including remote management, user authentication
165 and print spooling. Although initially this work was done
166 to aid the implementation of Primary Domain Controller (PDC)
167 functionality in Samba, it has also yielded a body of code which
168 can be used for other purposes.</para>
170 <para>Winbind uses various MSRPC calls to enumerate domain users
171 and groups and to obtain detailed information about individual
172 users or groups. Other MSRPC calls can be used to authenticate
173 NT domain users and to change user passwords. By directly querying
174 a Windows PDC for user and group information, winbind maps the
175 NT account information onto UNIX user and group names.</para>
179 <title>Microsoft Active Directory Services</title>
182 Since late 2001, Samba has gained the ability to
183 interact with Microsoft Windows 2000 using its 'Native
184 Mode' protocols, rather than the NT4 RPC services.
185 Using LDAP and Kerberos, a domain member running
186 winbind can enumerate users and groups in exactly the
187 same way as a Win2k client would, and in so doing
188 provide a much more efficient and
189 effective winbind implementation.
194 <title>Name Service Switch</title>
196 <para>The Name Service Switch, or NSS, is a feature that is
197 present in many UNIX operating systems. It allows system
198 information such as hostnames, mail aliases and user information
199 to be resolved from different sources. For example, a standalone
200 UNIX workstation may resolve system information from a series of
201 flat files stored on the local filesystem. A networked workstation
202 may first attempt to resolve system information from local files,
203 and then consult a NIS database for user information or a DNS server
204 for hostname information.</para>
206 <para>The NSS application programming interface allows winbind
207 to present itself as a source of system information when
208 resolving UNIX usernames and groups. Winbind uses this interface,
209 and information obtained from a Windows NT server using MSRPC
210 calls to provide a new source of account enumeration. Using standard
211 UNIX library calls, one can enumerate the users and groups on
212 a UNIX machine running winbind and see all users and groups in
213 a NT domain plus any trusted domain as though they were local
214 users and groups.</para>
216 <para>The primary control file for NSS is
217 <filename>/etc/nsswitch.conf</filename>.
218 When a UNIX application makes a request to do a lookup
219 the C library looks in <filename>/etc/nsswitch.conf</filename>
220 for a line which matches the service type being requested, for
221 example the "passwd" service type is used when user or group names
222 are looked up. This config line species which implementations
223 of that service should be tried and in what order. If the passwd
224 config line is:</para>
226 <para><command>passwd: files example</command></para>
228 <para>then the C library will first load a module called
229 <filename>/lib/libnss_files.so</filename> followed by
230 the module <filename>/lib/libnss_example.so</filename>. The
231 C library will dynamically load each of these modules in turn
232 and call resolver functions within the modules to try to resolve
233 the request. Once the request is resolved the C library returns the
234 result to the application.</para>
236 <para>This NSS interface provides a very easy way for Winbind
237 to hook into the operating system. All that needs to be done
238 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
239 then add "winbind" into <filename>/etc/nsswitch.conf</filename> at
240 the appropriate place. The C library will then call Winbind to
241 resolve user and group names.</para>
245 <title>Pluggable Authentication Modules</title>
247 <para>Pluggable Authentication Modules, also known as PAM,
248 is a system for abstracting authentication and authorization
249 technologies. With a PAM module it is possible to specify different
250 authentication methods for different system applications without
251 having to recompile these applications. PAM is also useful
252 for implementing a particular policy for authorization. For example,
253 a system administrator may only allow console logins from users
254 stored in the local password file but only allow users resolved from
255 a NIS database to log in over the network.</para>
257 <para>Winbind uses the authentication management and password
258 management PAM interface to integrate Windows NT users into a
259 UNIX system. This allows Windows NT users to log in to a UNIX
260 machine and be authenticated against a suitable Primary Domain
261 Controller. These users can also change their passwords and have
262 this change take effect directly on the Primary Domain Controller.
265 <para>PAM is configured by providing control files in the directory
266 <filename>/etc/pam.d/</filename> for each of the services that
267 require authentication. When an authentication request is made
268 by an application the PAM code in the C library looks up this
269 control file to determine what modules to load to do the
270 authentication check and in what order. This interface makes adding
271 a new authentication service for Winbind very easy, all that needs
272 to be done is that the <filename>pam_winbind.so</filename> module
273 is copied to <filename>/lib/security/</filename> and the PAM
274 control files for relevant services are updated to allow
275 authentication via winbind. See the PAM documentation
276 for more details.</para>
281 <title>User and Group ID Allocation</title>
283 <para>When a user or group is created under Windows NT
284 is it allocated a numerical relative identifier (RID). This is
285 slightly different to UNIX which has a range of numbers that are
286 used to identify users, and the same range in which to identify
287 groups. It is winbind's job to convert RIDs to UNIX id numbers and
288 vice versa. When winbind is configured it is given part of the UNIX
289 user id space and a part of the UNIX group id space in which to
290 store Windows NT users and groups. If a Windows NT user is
291 resolved for the first time, it is allocated the next UNIX id from
292 the range. The same process applies for Windows NT groups. Over
293 time, winbind will have mapped all Windows NT users and groups
294 to UNIX user ids and group ids.</para>
296 <para>The results of this mapping are stored persistently in
297 an ID mapping database held in a tdb database). This ensures that
298 RIDs are mapped to UNIX IDs in a consistent way.</para>
303 <title>Result Caching</title>
305 <para>An active system can generate a lot of user and group
306 name lookups. To reduce the network cost of these lookups winbind
307 uses a caching scheme based on the SAM sequence number supplied
308 by NT domain controllers. User or group information returned
309 by a PDC is cached by winbind along with a sequence number also
310 returned by the PDC. This sequence number is incremented by
311 Windows NT whenever any user or group information is modified. If
312 a cached entry has expired, the sequence number is requested from
313 the PDC and compared against the sequence number of the cached entry.
314 If the sequence numbers do not match, then the cached information
315 is discarded and up to date information is requested directly
322 <title>Installation and Configuration</title>
325 Many thanks to John Trostel <ulink
326 url="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</ulink>
327 for providing the HOWTO for this section.
331 This HOWTO describes how to get winbind services up and running
332 to control access and authenticate users on your Linux box using
333 the winbind services which come with SAMBA 2.2.2.
337 <title>Introduction</title>
340 This HOWTO describes the procedures used to get winbind up and
341 running on my RedHat 7.1 system. Winbind is capable of providing access
342 and authentication control for Windows Domain users through an NT
343 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
344 well for SAMBA services.
348 This HOWTO has been written from a 'RedHat-centric' perspective, so if
349 you are using another distribution, you may have to modify the instructions
350 somewhat to fit the way your distribution works.
357 <emphasis>Why should I to this?</emphasis>
360 <para>This allows the SAMBA administrator to rely on the
361 authentication mechanisms on the NT/Win2K PDC for the authentication
362 of domain members. NT/Win2K users no longer need to have separate
363 accounts on the SAMBA server.
369 <emphasis>Who should be reading this document?</emphasis>
373 This HOWTO is designed for system administrators. If you are
374 implementing SAMBA on a file server and wish to (fairly easily)
375 integrate existing NT/Win2K users from your PDC onto the
376 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
377 expert, so you may find a better or easier way to accomplish
386 <title>Requirements</title>
389 If you have a samba configuration file that you are currently
390 using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
391 <emphasis>back up the <filename>/etc/pam.d</filename> directory
392 contents!</emphasis> If you haven't already made a boot disk,
393 <emphasis>MAKE ONE NOW!</emphasis>
397 Messing with the pam configuration files can make it nearly impossible
398 to log in to yourmachine. That's why you want to be able to boot back
399 into your machine in single user mode and restore your
400 <filename>/etc/pam.d</filename> back to the original state they were in if
401 you get frustrated with the way things are going. ;-)
405 The latest version of SAMBA (version 3.0 as of this writing), now
406 includes a functioning winbindd daemon. Please refer to the
407 <ulink url="http://samba.org/">main SAMBA web page</ulink> or,
408 better yet, your closest SAMBA mirror site for instructions on
409 downloading the source code.
413 To allow Domain users the ability to access SAMBA shares and
414 files, as well as potentially other services provided by your
415 SAMBA machine, PAM (pluggable authentication modules) must
416 be setup properly on your machine. In order to compile the
417 winbind modules, you should have at least the pam libraries resident
418 on your system. For recent RedHat systems (7.1, for instance), that
419 means <filename>pam-0.74-22</filename>. For best results, it is helpful to also
420 install the development packages in <filename>pam-devel-0.74-22</filename>.
427 <title>Testing Things Out</title>
430 Before starting, it is probably best to kill off all the SAMBA
431 related daemons running on your server. Kill off all <command>smbd</command>,
432 <command>nmbd</command>, and <command>winbindd</command> processes that may
433 be running. To use PAM, you will want to make sure that you have the
434 standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename>
435 directory structure, including the pam modules are used by pam-aware
436 services, several pam libraries, and the <filename>/usr/doc</filename>
437 and <filename>/usr/man</filename> entries for pam. Winbind built better
438 in SAMBA if the pam-devel package was also installed. This package includes
439 the header files needed to compile pam-aware applications. For instance,
440 my RedHat system has both <filename>pam-0.74-22</filename> and
441 <filename>pam-devel-0.74-22</filename> RPMs installed.
445 <title>Configure and compile SAMBA</title>
448 The configuration and compilation of SAMBA is pretty straightforward.
449 The first three steps may not be necessary depending upon
450 whether or not you have previously built the Samba binaries.
453 <para><programlisting>
454 <prompt>root#</prompt> <command>autoconf</command>
455 <prompt>root#</prompt> <command>make clean</command>
456 <prompt>root#</prompt> <command>rm config.cache</command>
457 <prompt>root#</prompt> <command>./configure</command>
458 <prompt>root#</prompt> <command>make</command>
459 <prompt>root#</prompt> <command>make install</command>
460 </programlisting></para>
464 This will, by default, install SAMBA in <filename>/usr/local/samba</filename>.
465 See the main SAMBA documentation if you want to install SAMBA somewhere else.
466 It will also build the winbindd executable and libraries.
472 <title>Configure <filename>nsswitch.conf</filename> and the
473 winbind libraries</title>
476 The libraries needed to run the <command>winbindd</command> daemon
477 through nsswitch need to be copied to their proper locations, so
481 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command>
485 I also found it necessary to make the following symbolic link:
489 <prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
492 <para>And, in the case of Sun solaris:</para>
494 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</command>
495 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</command>
496 <prompt>root#</prompt> <command>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</command>
500 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
501 allow user and group entries to be visible from the <command>winbindd</command>
502 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
506 <para><programlisting>
507 passwd: files winbind
510 </programlisting></para>
513 The libraries needed by the winbind daemon will be automatically
514 entered into the <command>ldconfig</command> cache the next time
515 your system reboots, but it
516 is faster (and you don't need to reboot) if you do it manually:
520 <prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command>
524 This makes <filename>libnss_winbind</filename> available to winbindd
525 and echos back a check to you.
532 <title>Configure smb.conf</title>
535 Several parameters are needed in the smb.conf file to control
536 the behavior of <command>winbindd</command>. Configure
537 <filename>smb.conf</filename> These are described in more detail in
538 the <ulink url="winbindd.8.html">winbindd(8)</ulink> man page. My
539 <filename>smb.conf</filename> file was modified to
540 include the following entries in the [global] section:
543 <para><programlisting>
546 # separate domain and username with '+', like DOMAIN+username
547 <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = +
548 # use uids from 10000 to 20000 for domain users
549 <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000
550 # use gids from 10000 to 20000 for domain groups
551 <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000
552 # allow enumeration of winbind users and groups
553 <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes
554 <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes
555 # give winbind users a real shell (only needed if they have telnet access)
556 <ulink url="winbindd.8.html#TEMPLATEHOMEDIR">template homedir</ulink> = /home/winnt/%D/%U
557 <ulink url="winbindd.8.html#TEMPLATESHELL">template shell</ulink> = /bin/bash
558 </programlisting></para>
564 <title>Join the SAMBA server to the PDC domain</title>
567 Enter the following command to make the SAMBA server join the
568 PDC domain, where <replaceable>DOMAIN</replaceable> is the name of
569 your Windows domain and <replaceable>Administrator</replaceable> is
570 a domain user who has administrative privileges in the domain.
575 <prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command>
580 The proper response to the command should be: "Joined the domain
581 <replaceable>DOMAIN</replaceable>" where <replaceable>DOMAIN</replaceable>
589 <title>Start up the winbindd daemon and test it!</title>
592 Eventually, you will want to modify your smb startup script to
593 automatically invoke the winbindd daemon when the other parts of
594 SAMBA start, but it is possible to test out just the winbind
595 portion first. To start up winbind services, enter the following
600 <prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command>
604 Winbindd can now also run in 'dual daemon mode'. This will make it
605 run as 2 processes. The first will answer all requests from the cache,
606 thus making responses to clients faster. The other will
607 update the cache for the query that the first has just responded.
608 Advantage of this is that responses stay accurate and are faster.
609 You can enable dual daemon mode by adding '-B' to the commandline:
613 <prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd -B</command>
617 I'm always paranoid and like to make sure the daemon
622 <prompt>root#</prompt> <command>ps -ae | grep winbindd</command>
625 This command should produce output like this, if the daemon is running
628 3025 ? 00:00:00 winbindd
632 Now... for the real test, try to get some information about the
637 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command>
641 This should echo back a list of users on your Windows users on
642 your PDC. For example, I get the following response:
645 <para><programlisting>
652 </programlisting></para>
655 Obviously, I have named my domain 'CEO' and my <parameter>winbind
656 separator</parameter> is '+'.
660 You can do the same sort of thing to get group information from
664 <para><programlisting>
665 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
670 CEO+Domain Controllers
673 CEO+Enterprise Admins
674 CEO+Group Policy Creator Owners
675 </programlisting></para>
678 The function 'getent' can now be used to get unified
679 lists of both local and PDC users and groups.
680 Try the following command:
684 <prompt>root#</prompt> <command>getent passwd</command>
688 You should get a list that looks like your <filename>/etc/passwd</filename>
689 list followed by the domain users with their new uids, gids, home
690 directories and default shells.
694 The same thing can be done for groups with the command
698 <prompt>root#</prompt> <command>getent group</command>
705 <title>Fix the init.d startup scripts</title>
711 The <command>winbindd</command> daemon needs to start up after the
712 <command>smbd</command> and <command>nmbd</command> daemons are running.
713 To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and
714 <filename>/etc/init.d/samba</filename> in Debian.
715 script to add commands to invoke this daemon in the proper sequence. My
716 startup script starts up <command>smbd</command>,
717 <command>nmbd</command>, and <command>winbindd</command> from the
718 <filename>/usr/local/samba/bin</filename> directory directly. The 'start'
719 function in the script looks like this:
722 <para><programlisting>
725 echo -n $"Starting $KIND services: "
726 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
730 echo -n $"Starting $KIND services: "
731 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
735 echo -n $"Starting $KIND services: "
736 daemon /usr/local/samba/bin/winbindd
739 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
743 </programlisting></para>
745 <para>If you would like to run winbindd in dual daemon mode, replace
748 daemon /usr/local/samba/bin/winbindd
751 in the example above with:
754 daemon /usr/local/samba/bin/winbindd -B
759 The 'stop' function has a corresponding entry to shut down the
760 services and looks like this:
763 <para><programlisting>
766 echo -n $"Shutting down $KIND services: "
771 echo -n $"Shutting down $KIND services: "
776 echo -n $"Shutting down $KIND services: "
779 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
783 </programlisting></para>
787 <title>Solaris</title>
789 <para>On solaris, you need to modify the
790 <filename>/etc/init.d/samba.server</filename> startup script. It usually
791 only starts smbd and nmbd but should now start winbindd too. If you
792 have samba installed in <filename>/usr/local/samba/bin</filename>,
793 the file could contains something like this:
796 <para><programlisting>
802 then # /usr not mounted
806 killproc() { # kill the named process(es)
807 pid=`/usr/bin/ps -e |
808 /usr/bin/grep -w $1 |
809 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
810 [ "$pid" != "" ] && kill $pid
813 # Start/stop processes required for samba server
819 # Edit these lines to suit your installation (paths, workgroup, host)
822 /usr/local/samba/bin/smbd -D -s \
823 /usr/local/samba/smb.conf
826 /usr/local/samba/bin/nmbd -D -l \
827 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
829 echo Starting Winbind Daemon
830 /usr/local/samba/bin/winbindd
840 echo "Usage: /etc/init.d/samba.server { start | stop }"
843 </programlisting></para>
845 <para>Again, if you would like to run samba in dual daemon mode, replace
847 /usr/local/samba/bin/winbindd
850 in the script above with:
853 /usr/local/samba/bin/winbindd -B
860 <title>Restarting</title>
862 If you restart the <command>smbd</command>, <command>nmbd</command>,
863 and <command>winbindd</command> daemons at this point, you
864 should be able to connect to the samba server as a domain member just as
865 if you were a local user.
871 <title>Configure Winbind and PAM</title>
874 If you have made it this far, you know that winbindd and samba are working
875 together. If you want to use winbind to provide authentication for other
876 services, keep reading. The pam configuration files need to be altered in
877 this step. (Did you remember to make backups of your original
878 <filename>/etc/pam.d</filename> files? If not, do it now.)
882 You will need a pam module to use winbindd with these other services. This
883 module will be compiled in the <filename>../source/nsswitch</filename> directory
884 by invoking the command
888 <prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command>
892 from the <filename>../source</filename> directory. The
893 <filename>pam_winbind.so</filename> file should be copied to the location of
894 your other pam security modules. On my RedHat system, this was the
895 <filename>/lib/security</filename> directory. On Solaris, the pam security
896 modules reside in <filename>/usr/lib/security</filename>.
900 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
904 <title>Linux/FreeBSD-specific PAM configuration</title>
907 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
908 just left this fileas it was:
912 <para><programlisting>
913 auth required /lib/security/pam_stack.so service=system-auth
914 account required /lib/security/pam_stack.so service=system-auth
915 </programlisting></para>
918 The other services that I modified to allow the use of winbind
919 as an authentication service were the normal login on the console (or a terminal
920 session), telnet logins, and ftp service. In order to enable these
921 services, you may first need to change the entries in
922 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
923 RedHat 7.1 uses the new xinetd.d structure, in this case you need
924 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
925 and <filename>/etc/xinetd.d/wu-ftp</filename> from
928 <para><programlisting>
930 </programlisting></para>
936 <para><programlisting>
938 </programlisting></para>
941 For ftp services to work properly, you will also need to either
942 have individual directories for the domain users already present on
943 the server, or change the home directory template to a general
944 directory for all domain users. These can be easily set using
945 the <filename>smb.conf</filename> global entry
946 <command>template homedir</command>.
950 The <filename>/etc/pam.d/ftp</filename> file can be changed
951 to allow winbind ftp access in a manner similar to the
952 samba file. My <filename>/etc/pam.d/ftp</filename> file was
953 changed to look like this:
956 <para><programlisting>
957 auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
958 auth sufficient /lib/security/pam_winbind.so
959 auth required /lib/security/pam_stack.so service=system-auth
960 auth required /lib/security/pam_shells.so
961 account sufficient /lib/security/pam_winbind.so
962 account required /lib/security/pam_stack.so service=system-auth
963 session required /lib/security/pam_stack.so service=system-auth
964 </programlisting></para>
967 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
968 same way. It now looks like this:
971 <para><programlisting>
972 auth required /lib/security/pam_securetty.so
973 auth sufficient /lib/security/pam_winbind.so
974 auth sufficient /lib/security/pam_unix.so use_first_pass
975 auth required /lib/security/pam_stack.so service=system-auth
976 auth required /lib/security/pam_nologin.so
977 account sufficient /lib/security/pam_winbind.so
978 account required /lib/security/pam_stack.so service=system-auth
979 password required /lib/security/pam_stack.so service=system-auth
980 session required /lib/security/pam_stack.so service=system-auth
981 session optional /lib/security/pam_console.so
982 </programlisting></para>
985 In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command>
986 lines as before, but also added the <command>required pam_securetty.so</command>
987 above it, to disallow root logins over the network. I also added a
988 <command>sufficient /lib/security/pam_unix.so use_first_pass</command>
989 line after the <command>winbind.so</command> line to get rid of annoying
990 double prompts for passwords.
996 <title>Solaris-specific configuration</title>
999 The /etc/pam.conf needs to be changed. I changed this file so that my Domain
1000 users can logon both locally as well as telnet.The following are the changes
1001 that I made.You can customize the pam.conf file as per your requirements,but
1002 be sure of those changes because in the worst case it will leave your system
1003 nearly impossible to boot.
1006 <para><programlisting>
1008 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1010 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1011 # All Rights Reserved.
1015 # Authentication management
1017 login auth required /usr/lib/security/pam_winbind.so
1018 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1019 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1021 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1022 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1023 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1025 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1026 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1028 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1029 other auth sufficient /usr/lib/security/pam_winbind.so
1030 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1032 # Account management
1034 login account sufficient /usr/lib/security/pam_winbind.so
1035 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1036 login account required /usr/lib/security/$ISA/pam_unix.so.1
1038 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1039 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1040 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1042 other account sufficient /usr/lib/security/pam_winbind.so
1043 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1044 other account required /usr/lib/security/$ISA/pam_unix.so.1
1046 # Session management
1048 other session required /usr/lib/security/$ISA/pam_unix.so.1
1050 # Password management
1052 #other password sufficient /usr/lib/security/pam_winbind.so
1053 other password required /usr/lib/security/$ISA/pam_unix.so.1
1054 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1056 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1058 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1059 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1060 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1061 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1062 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1063 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1064 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1065 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1066 </programlisting></para>
1069 I also added a try_first_pass line after the winbind.so line to get rid of
1070 annoying double prompts for passwords.
1074 Now restart your Samba and try connecting through your application that you
1075 configured in the pam.conf.
1087 <title>Limitations</title>
1089 <para>Winbind has a number of limitations in its current
1090 released version that we hope to overcome in future
1094 <listitem><para>Winbind is currently only available for
1095 the Linux, Solaris and IRIX operating systems, although ports to other operating
1096 systems are certainly possible. For such ports to be feasible,
1097 we require the C library of the target operating system to
1098 support the Name Service Switch and Pluggable Authentication
1099 Modules systems. This is becoming more common as NSS and
1100 PAM gain support among UNIX vendors.</para></listitem>
1102 <listitem><para>The mappings of Windows NT RIDs to UNIX ids
1103 is not made algorithmically and depends on the order in which
1104 unmapped users or groups are seen by winbind. It may be difficult
1105 to recover the mappings of rid to UNIX id mapping if the file
1106 containing this information is corrupted or destroyed.</para>
1109 <listitem><para>Currently the winbind PAM module does not take
1110 into account possible workstation and logon time restrictions
1111 that may be been set for Windows NT users, this is
1112 instead up to the PDC to enforce.</para></listitem>
1118 <title>Conclusion</title>
1120 <para>The winbind system, through the use of the Name Service
1121 Switch, Pluggable Authentication Modules, and appropriate
1122 Microsoft RPC calls have allowed us to provide seamless
1123 integration of Microsoft Windows NT domain users on a
1124 UNIX system. The result is a great reduction in the administrative
1125 cost of running a mixed UNIX and NT network.</para>