1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
7 <firstname>Tim</firstname><surname>Potter</surname>
9 <orgname>Samba Team</orgname>
10 <address><email>tpot@linuxcare.com.au</email></address>
15 <firstname>Naag</firstname><surname>Mummaneni</surname>
17 <address><email>getnag@rediffmail.com</email></address>
19 <contrib>Notes for Solaris</contrib>
22 <firstname>John</firstname><surname>Trostel</surname>
24 <orgname>SNAP</orgname>
25 <address><email>jtrostel@snapserver.com</email></address>
31 <pubdate>27 June 2002</pubdate>
34 <title>Winbind: Use of Domain Accounts</title>
37 <title>Features and Benefits</title>
40 Integration of UNIX and Microsoft Windows NT through a unified logon has
41 been considered a <quote>holy grail</quote> in heterogeneous computing environments for
46 There is one other facility without which UNIX and Microsoft Windows network
47 interoperability would suffer greatly. It is imperative that there be a
48 mechanism for sharing files across UNIX systems and to be able to assign
49 domain user and group ownerships with integrity.
53 <emphasis>winbind</emphasis> is a component of the Samba suite of programs that
54 solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
55 RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
56 allow Windows NT domain users to appear and operate as UNIX users on a UNIX
57 machine. This chapter describes the Winbind system, explaining the functionality
58 it provides, how it is configured, and how it works internally.
62 Winbind provides three separate functions:
67 Authentication of user credentials (via PAM). This makes it possible to
68 log onto a UNIX/Linux system using user and group accounts from a Windows
69 NT4 (including a Samba domain) or an Active Directory domain.
73 Identity resolution (via NSS). This is the default when winbind is not used.
77 Winbind maintains a database called winbind_idmap.tdb in which it stores
78 mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
79 for users and groups that do not have a local UID/GID. It stored the UID/GID
80 allocated from the idmap uid/gid range that it has mapped to the NT SID.
81 If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>
82 then instead of using a local mapping Winbind will obtain this information
83 from the LDAP database.
88 <indexterm><primary>winbindd</primary></indexterm>
89 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
90 If <command>winbindd</command> is not running, smbd (which calls <command>winbindd</command>) will fall back to
91 using purely local information from <filename>/etc/passwd</filename> and <filename>/etc/group</filename> and no dynamic
92 mapping will be used. On an operating system that has beeb enabled with the name service switcher (NSS)
93 the resoltion of user and group information will be accomplished via NSS.
97 <image id="winbind_idmap">
98 <imagedescription>Winbind Idmap</imagedescription>
99 <imagefile scale="50">idmap_winbind_no_loop</imagefile>
106 <title>Introduction</title>
108 <para>It is well known that UNIX and Microsoft Windows NT have
109 different models for representing user and group information and
110 use different technologies for implementing them. This fact has
111 made it difficult to integrate the two systems in a satisfactory
114 <para>One common solution in use today has been to create
115 identically named user accounts on both the UNIX and Windows systems
116 and use the Samba suite of programs to provide file and print services
117 between the two. This solution is far from perfect, however, as
118 adding and deleting users on both sets of machines becomes a chore
119 and two sets of passwords are required &smbmdash; both of which
120 can lead to synchronization problems between the UNIX and Windows
121 systems and confusion for users.</para>
123 <para>We divide the unified logon problem for UNIX machines into
124 three smaller problems:</para>
127 <listitem><para>Obtaining Windows NT user and group information.
130 <listitem><para>Authenticating Windows NT users.
133 <listitem><para>Password changing for Windows NT users.
138 <para>Ideally, a prospective solution to the unified logon problem
139 would satisfy all the above components without duplication of
140 information on the UNIX machines and without creating additional
141 tasks for the system administrator when maintaining users and
142 groups on either system. The Winbind system provides a simple
143 and elegant solution to all three components of the unified logon
149 <title>What Winbind Provides</title>
151 <para>Winbind unifies UNIX and Windows NT account management by
152 allowing a UNIX box to become a full member of an NT domain. Once
153 this is done the UNIX box will see NT users and groups as if
154 they were <quote>native</quote> UNIX users and groups, allowing the NT domain
155 to be used in much the same manner that NIS+ is used within
156 UNIX-only environments.</para>
158 <para>The end result is that whenever a
159 program on the UNIX machine asks the operating system to lookup
160 a user or group name, the query will be resolved by asking the
161 NT Domain Controller for the specified domain to do the lookup.
162 Because Winbind hooks into the operating system at a low level
163 (via the NSS name resolution modules in the C library), this
164 redirection to the NT Domain Controller is completely
167 <para>Users on the UNIX machine can then use NT user and group
168 names as they would <quote>native</quote> UNIX names. They can chown files
169 so they are owned by NT domain users or even login to the
170 UNIX machine and run a UNIX X-Window session as a domain user.</para>
172 <para>The only obvious indication that Winbind is being used is
173 that user and group names take the form <constant>DOMAIN\user</constant> and
174 <constant>DOMAIN\group</constant>. This is necessary as it allows Winbind to determine
175 that redirection to a Domain Controller is wanted for a particular
176 lookup and which trusted domain is being referenced.</para>
178 <para>Additionally, Winbind provides an authentication service
179 that hooks into the Pluggable Authentication Modules (PAM) system
180 to provide authentication via an NT domain to any PAM-enabled
181 applications. This capability solves the problem of synchronizing
182 passwords between systems since all passwords are stored in a single
183 location (on the Domain Controller).</para>
186 <title>Target Uses</title>
188 <para>Winbind is targeted at organizations that have an
189 existing NT-based domain infrastructure into which they wish
190 to put UNIX workstations or servers. Winbind will allow these
191 organizations to deploy UNIX workstations without having to
192 maintain a separate account infrastructure. This greatly
193 simplifies the administrative overhead of deploying UNIX
194 workstations into an NT-based organization.</para>
196 <para>Another interesting way in which we expect Winbind to
197 be used is as a central part of UNIX-based appliances. Appliances
198 that provide file and print services to Microsoft-based networks
199 will be able to use Winbind to provide seamless integration of
200 the appliance into the domain.</para>
204 <title>Handling of Foreign SIDs</title>
207 The term <emphasis>foreign SID</emphasis> is often met with the reaction that it
208 is not relevant to a particular environment. The following documents an interchange
209 that took place on the Samba mailing list. It is a good example of the confusion
210 often expressed regarding the use of winbind.
214 Fact: Winbind is needed to handle users who use workstations that are NOT part
219 Response: <quote>Why? I've used samba with workstations that are not part of my domains
220 lots of times without using winbind. I though winbind was for using samba as a memberserver
221 in a domain controlled by another samba/windows PDC.</quote>
225 If the Samba server will be accessed from a domain other than the local Samba domain, or
226 if there will be access from machines that are not local domain members, winbind will
227 permit the allocation of UIDs and GIDs from the assigned pool that will keep the identity
228 of the foreign user separate from users that are members of the Samba domain.
232 Which means that that winbind is eminently useful in cases where one just has a single
233 Samba PDC on a local network combined of both domain member and non-domain member workstations.
234 If winbind is not used, the user george on an windows workstation that is not a domain
235 member will be able to access the files of a user called george in the account database
236 of the Samba server that is acting as a PDC. When winbind is used, the default condition
237 is that the local user george will be treated as the account DOMAIN\george and the
238 foreign (non-member of the domain) account will be treated as MACHINE\george because
239 each has a different SID.
248 <title>How Winbind Works</title>
250 <para>The Winbind system is designed around a client/server
251 architecture. A long running <command>winbindd</command> daemon
252 listens on a UNIX domain socket waiting for requests
253 to arrive. These requests are generated by the NSS and PAM
254 clients and is processed sequentially.</para>
256 <para>The technologies used to implement Winbind are described
257 in detail below.</para>
260 <title>Microsoft Remote Procedure Calls</title>
262 <para>Over the last few years, efforts have been underway
263 by various Samba Team members to decode various aspects of
264 the Microsoft Remote Procedure Call (MSRPC) system. This
265 system is used for most network-related operations between
266 Windows NT machines including remote management, user authentication
267 and print spooling. Although initially this work was done
268 to aid the implementation of Primary Domain Controller (PDC)
269 functionality in Samba, it has also yielded a body of code that
270 can be used for other purposes.</para>
272 <para>Winbind uses various MSRPC calls to enumerate domain users
273 and groups and to obtain detailed information about individual
274 users or groups. Other MSRPC calls can be used to authenticate
275 NT domain users and to change user passwords. By directly querying
276 a Windows PDC for user and group information, Winbind maps the
277 NT account information onto UNIX user and group names.</para>
281 <title>Microsoft Active Directory Services</title>
284 Since late 2001, Samba has gained the ability to
285 interact with Microsoft Windows 2000 using its <quote>Native
286 Mode</quote> protocols, rather than the NT4 RPC services.
287 Using LDAP and Kerberos, a Domain Member running
288 Winbind can enumerate users and groups in exactly the
289 same way as a Windows 200x client would, and in so doing
290 provide a much more efficient and effective Winbind implementation.
295 <title>Name Service Switch</title>
297 <para>The Name Service Switch, or NSS, is a feature that is
298 present in many UNIX operating systems. It allows system
299 information such as hostnames, mail aliases and user information
300 to be resolved from different sources. For example, a standalone
301 UNIX workstation may resolve system information from a series of
302 flat files stored on the local filesystem. A networked workstation
303 may first attempt to resolve system information from local files,
304 and then consult an NIS database for user information or a DNS server
305 for hostname information.</para>
307 <para>The NSS application programming interface allows Winbind
308 to present itself as a source of system information when
309 resolving UNIX usernames and groups. Winbind uses this interface,
310 and information obtained from a Windows NT server using MSRPC
311 calls to provide a new source of account enumeration. Using standard
312 UNIX library calls, one can enumerate the users and groups on
313 a UNIX machine running Winbind and see all users and groups in
314 a NT domain plus any trusted domain as though they were local
315 users and groups.</para>
317 <para>The primary control file for NSS is
318 <filename>/etc/nsswitch.conf</filename>.
319 When a UNIX application makes a request to do a lookup,
320 the C library looks in <filename>/etc/nsswitch.conf</filename>
321 for a line that matches the service type being requested, for
322 example the <quote>passwd</quote> service type is used when user or group names
323 are looked up. This config line specifies which implementations
324 of that service should be tried and in what order. If the passwd
325 config line is:</para>
328 passwd: files example
331 <para>then the C library will first load a module called
332 <filename>/lib/libnss_files.so</filename> followed by
333 the module <filename>/lib/libnss_example.so</filename>. The
334 C library will dynamically load each of these modules in turn
335 and call resolver functions within the modules to try to resolve
336 the request. Once the request is resolved, the C library returns the
337 result to the application.</para>
339 <para>This NSS interface provides an easy way for Winbind
340 to hook into the operating system. All that needs to be done
341 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
342 then add <quote>winbind</quote> into <filename>/etc/nsswitch.conf</filename> at
343 the appropriate place. The C library will then call Winbind to
344 resolve user and group names.</para>
348 <title>Pluggable Authentication Modules</title>
350 <para>Pluggable Authentication Modules, also known as PAM,
351 is a system for abstracting authentication and authorization
352 technologies. With a PAM module it is possible to specify different
353 authentication methods for different system applications without
354 having to recompile these applications. PAM is also useful
355 for implementing a particular policy for authorization. For example,
356 a system administrator may only allow console logins from users
357 stored in the local password file but only allow users resolved from
358 a NIS database to log in over the network.</para>
360 <para>Winbind uses the authentication management and password
361 management PAM interface to integrate Windows NT users into a
362 UNIX system. This allows Windows NT users to log in to a UNIX
363 machine and be authenticated against a suitable Primary Domain
364 Controller. These users can also change their passwords and have
365 this change take effect directly on the Primary Domain Controller.
368 <para>PAM is configured by providing control files in the directory
369 <filename>/etc/pam.d/</filename> for each of the services that
370 require authentication. When an authentication request is made
371 by an application, the PAM code in the C library looks up this
372 control file to determine what modules to load to do the
373 authentication check and in what order. This interface makes adding
374 a new authentication service for Winbind very easy. All that needs
375 to be done is that the <filename>pam_winbind.so</filename> module
376 is copied to <filename>/lib/security/</filename> and the PAM
377 control files for relevant services are updated to allow
378 authentication via Winbind. See the PAM documentation
379 in <link linkend="pam">PAM-Based Distributed Authentication</link> for more information.</para>
384 <title>User and Group ID Allocation</title>
386 <para>When a user or group is created under Windows NT/200x
387 it is allocated a numerical relative identifier (RID). This is
388 slightly different from UNIX which has a range of numbers that are
389 used to identify users, and the same range in which to identify
390 groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
391 vice versa. When Winbind is configured, it is given part of the UNIX
392 user ID space and a part of the UNIX group ID space in which to
393 store Windows NT users and groups. If a Windows NT user is
394 resolved for the first time, it is allocated the next UNIX ID from
395 the range. The same process applies for Windows NT groups. Over
396 time, Winbind will have mapped all Windows NT users and groups
397 to UNIX user IDs and group IDs.</para>
399 <para>The results of this mapping are stored persistently in
400 an ID mapping database held in a tdb database). This ensures that
401 RIDs are mapped to UNIX IDs in a consistent way.</para>
406 <title>Result Caching</title>
409 <indexterm><primary>SAM</primary></indexterm>
410 An active system can generate a lot of user and group
411 name lookups. To reduce the network cost of these lookups, Winbind
412 uses a caching scheme based on the SAM sequence number supplied
413 by NT Domain Controllers. User or group information returned
414 by a PDC is cached by Winbind along with a sequence number also
415 returned by the PDC. This sequence number is incremented by
416 Windows NT whenever any user or group information is modified. If
417 a cached entry has expired, the sequence number is requested from
418 the PDC and compared against the sequence number of the cached entry.
419 If the sequence numbers do not match, then the cached information
420 is discarded and up-to-date information is requested directly
427 <title>Installation and Configuration</title>
430 <title>Introduction</title>
433 This section describes the procedures used to get Winbind up and
434 running. Winbind is capable of providing access
435 and authentication control for Windows Domain users through an NT
436 or Windows 200x PDC for regular services, such as telnet and ftp, as
437 well for Samba services.
443 <emphasis>Why should I do this?</emphasis>
446 <para>This allows the Samba administrator to rely on the
447 authentication mechanisms on the Windows NT/200x PDC for the authentication
448 of Domain Members. Windows NT/200x users no longer need to have separate
449 accounts on the Samba server.
455 <emphasis>Who should be reading this document?</emphasis>
459 This document is designed for system administrators. If you are
460 implementing Samba on a file server and wish to (fairly easily)
461 integrate existing Windows NT/200x users from your PDC onto the
462 Samba server, this document is for you.
470 <title>Requirements</title>
473 If you have a Samba configuration file that you are currently using, <emphasis>BACK IT UP!</emphasis>
474 If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory
475 contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE NOW!</emphasis>
479 Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
480 why you want to be able to boot back into your machine in single user mode and restore your
481 <filename>/etc/pam.d</filename> back to the original state they were in if you get frustrated with the
482 way things are going.
486 The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink
487 url="http://samba.org/">main Samba Web page</ulink> or, better yet, your closest Samba mirror site for
488 instructions on downloading the source code.
492 To allow domain users the ability to access Samba shares and files, as well as potentially other services
493 provided by your Samba machine, PAM must be set up properly on your
494 machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
495 on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
500 <title>Testing Things Out</title>
503 Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
504 Kill off all &smbd;, &nmbd;, and &winbindd; processes that may be running. To use PAM,
505 make sure that you have the standard PAM package that supplies the <filename>/etc/pam.d</filename>
506 directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
507 and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built
508 better in Samba if the pam-devel package is also installed. This package includes the header files
509 needed to compile PAM-aware applications.
513 <title>Configure <filename>nsswitch.conf</filename> and the Winbind Libraries on Linux and Solaris</title>
516 PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
517 the <filename>pam-devel</filename> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
518 may auto-install the Winbind files into their correct locations on your system, so before you get too far down
519 the track be sure to check if the following configuration is really
520 necessary. You may only need to configure
521 <filename>/etc/nsswitch.conf</filename>.
525 The libraries needed to run the &winbindd; daemon through nsswitch need to be copied to their proper locations:
530 &rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
535 I also found it necessary to make the following symbolic link:
539 &rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
542 <para>And, in the case of Sun Solaris:</para>
544 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
545 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
546 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
550 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
551 allow user and group entries to be visible from the &winbindd;
552 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
556 <para><programlisting>
557 passwd: files winbind
560 </programlisting></para>
563 The libraries needed by the <command>winbindd</command> daemon will be automatically
564 entered into the <command>ldconfig</command> cache the next time
565 your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
569 &rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
573 This makes <filename>libnss_winbind</filename> available to winbindd
574 and echos back a check to you.
580 <title>NSS Winbind on AIX</title>
582 <para>(This section is only for those running AIX.)</para>
585 The Winbind AIX identification module gets built as <filename>libnss_winbind.so</filename> in the
586 nsswitch directory of the Samba source. This file can be copied to <filename>/usr/lib/security</filename>,
587 and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
590 <para><programlisting>
592 program = /usr/lib/security/WINBIND
594 </programlisting></para>
597 can then be added to <filename>/usr/lib/security/methods.cfg</filename>. This module only supports
598 identification, but there have been success reports using the standard Winbind PAM module for
599 authentication. Use caution configuring loadable authentication
600 modules since you can make
601 it impossible to logon to the system. More information about the AIX authentication module API can
602 be found at <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote><ulink
603 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
604 in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
605 Interface</ulink> and more information on administering the modules
606 can be found at <ulink
607 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm"> <quote>System
608 Management Guide: Operating System and Devices.</quote></ulink>
613 <title>Configure smb.conf</title>
616 Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These
617 are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle>
618 <manvolnum>8</manvolnum></citerefentry> man page. My &smb.conf; file, as shown in <link
619 linkend="winbindcfg">the next example</link>, was modified to include the necessary entries in the [global] section.
623 <smbconfexample id="winbindcfg" fragment="1">
624 <title>smb.conf for Winbind set-up</title>
625 <smbconfsection name="[global]"/>
626 <smbconfcomment> separate domain and username with '\', like DOMAIN\username</smbconfcomment>
627 <smbconfoption name="winbind separator">\</smbconfoption>
628 <smbconfcomment> use uids from 10000 to 20000 for domain users</smbconfcomment>
629 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
630 <smbconfcomment> use gids from 10000 to 20000 for domain groups</smbconfcomment>
631 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
632 <smbconfcomment> allow enumeration of winbind users and groups</smbconfcomment>
633 <smbconfoption name="winbind enum users">yes</smbconfoption>
634 <smbconfoption name="winbind enum groups">yes</smbconfoption>
635 <smbconfcomment> give winbind users a real shell (only needed if they have telnet access)</smbconfcomment>
636 <smbconfoption name="template homedir">/home/winnt/%D/%U</smbconfoption>
637 <smbconfoption name="template shell">/bin/bash</smbconfoption>
638 </smbconfexample></para>
644 <title>Join the Samba Server to the PDC Domain</title>
647 All machines that will participate in domain security should be members of
648 the domain. This applies also to the PDC and all BDCs.
652 The process of joining a domain requires the use of the <command>net rpc join</command>
653 command. This process communicates with the domain controller it will register with
654 (usually the PDC) via MS DCE RPC. This means, of course, that the <command>smbd</command>
655 process must be running on the target DC. This means that it is necessary to temporarily
656 start Samba on a PDC so that it can join its own domain.
660 Enter the following command to make the Samba server join the
661 domain, where <replaceable>PDC</replaceable> is the name of
662 your PDC and <replaceable>Administrator</replaceable> is
663 a domain user who has administrative privileges in the domain.
667 Before attempting to join a machine to the domain verify that Samba is running
668 on the target DC (usually PDC) and that it is capable of being reached via ports
669 137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx.
673 &rootprompt;<userinput>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</userinput>
677 The proper response to the command should be: <quote>Joined the domain
678 <replaceable>DOMAIN</replaceable></quote> where <replaceable>DOMAIN</replaceable>
685 <title>Starting and Testing the <command>winbindd</command> Daemon</title>
688 Eventually, you will want to modify your Samba startup script to
689 automatically invoke the winbindd daemon when the other parts of
690 Samba start, but it is possible to test out just the Winbind
691 portion first. To start up Winbind services, enter the following
696 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd</userinput>
700 The above assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
701 directory tree. You may need to search for the location of Samba files if this is not the
702 location of <command>winbindd</command> on your system.
706 Winbindd can now also run in <quote>dual daemon mode</quote>. This will make it
707 run as two processes. The first will answer all requests from the cache,
708 thus making responses to clients faster. The other will
709 update the cache for the query that the first has just responded.
710 The advantage of this is that responses stay accurate and are faster.
711 You can enable dual daemon mode by adding <option>-B</option> to the command-line:
715 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd -B</userinput>
719 I'm always paranoid and like to make sure the daemon is really running.
723 &rootprompt;<userinput>ps -ae | grep winbindd</userinput>
726 This command should produce output like this, if the daemon is running you would expect
727 to see a report something like this:
730 3025 ? 00:00:00 winbindd
734 Now, for the real test, try to get some information about the users on your PDC:
738 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
742 This should echo back a list of users on your Windows users on
743 your PDC. For example, I get the following response:
756 Obviously, I have named my domain <quote>CEO</quote> and my <smbconfoption name="winbind separator"/> is <quote>\</quote>.
760 You can do the same sort of thing to get group information from the PDC:
764 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
769 CEO\Domain Controllers
772 CEO\Enterprise Admins
773 CEO\Group Policy Creator Owners
777 The function <command>getent</command> can now be used to get unified
778 lists of both local and PDC users and groups. Try the following command:
782 &rootprompt;<userinput>getent passwd</userinput>
786 You should get a list that looks like your <filename>/etc/passwd</filename>
787 list followed by the domain users with their new UIDs, GIDs, home
788 directories and default shells.
792 The same thing can be done for groups with the command:
796 &rootprompt;<userinput>getent group</userinput>
803 <title>Fix the init.d Startup Scripts</title>
809 The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running.
810 To accomplish this task, you need to modify the startup scripts of your system.
811 They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and they are located in
812 <filename>/etc/init.d/samba</filename> in Debian Linux. Edit your
813 script to add commands to invoke this daemon in the proper sequence. My
814 startup script starts up &smbd;, &nmbd;, and &winbindd; from the
815 <filename>/usr/local/samba/bin</filename> directory directly. The <command>start</command>
816 function in the script looks like this:
819 <para><programlisting>
822 echo -n $"Starting $KIND services: "
823 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
827 echo -n $"Starting $KIND services: "
828 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
832 echo -n $"Starting $KIND services: "
833 daemon /usr/local/samba/sbin/winbindd
836 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
837 touch /var/lock/subsys/smb || RETVAL=1
840 </programlisting></para>
842 <para>If you would like to run winbindd in dual daemon mode, replace
845 daemon /usr/local/samba/sbin/winbindd
848 in the example above with:
851 daemon /usr/local/samba/sbin/winbindd -B
856 The <command>stop</command> function has a corresponding entry to shut down the
857 services and looks like this:
860 <para><programlisting>
863 echo -n $"Shutting down $KIND services: "
868 echo -n $"Shutting down $KIND services: "
873 echo -n $"Shutting down $KIND services: "
876 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
877 rm -f /var/lock/subsys/smb
881 </programlisting></para>
885 <title>Solaris</title>
888 Winbind does not work on Solaris 9, see <link linkend="winbind-solaris9">Winbind on Solaris 9</link> section for details.
892 On Solaris, you need to modify the <filename>/etc/init.d/samba.server</filename> startup script. It
893 usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
894 <filename>/usr/local/samba/bin</filename>, the file could contains something like this:
898 <smbfile name="samba.server.sh">
905 then # /usr not mounted
909 killproc() { # kill the named process(es)
910 pid=`/usr/bin/ps -e |
911 /usr/bin/grep -w $1 |
912 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
913 [ "$pid" != "" ] && kill $pid
916 # Start/stop processes required for Samba server
922 # Edit these lines to suit your installation (paths, workgroup, host)
925 /usr/local/samba/bin/smbd -D -s \
926 /usr/local/samba/smb.conf
929 /usr/local/samba/bin/nmbd -D -l \
930 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
932 echo Starting Winbind Daemon
933 /usr/local/samba/sbin/winbindd
943 echo "Usage: /etc/init.d/samba.server { start | stop }"
946 </programlisting></smbfile></para>
949 Again, if you would like to run Samba in dual daemon mode, replace:
951 /usr/local/samba/sbin/winbindd
953 in the script above with:
955 /usr/local/samba/sbin/winbindd -B
962 <title>Restarting</title>
964 If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
965 should be able to connect to the Samba server as a Domain Member just as
966 if you were a local user.
972 <title>Configure Winbind and PAM</title>
975 If you have made it this far, you know that <command>winbindd</command> and Samba are working
976 together. If you want to use Winbind to provide authentication for other
977 services, keep reading. The PAM configuration files need to be altered in
978 this step. (Did you remember to make backups of your original
979 <filename>/etc/pam.d</filename> files? If not, do it now.)
983 You will need a PAM module to use winbindd with these other services. This
984 module will be compiled in the <filename>../source/nsswitch</filename> directory
985 by invoking the command:
989 &rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
993 from the <filename>../source</filename> directory. The
994 <filename>pam_winbind.so</filename> file should be copied to the location of
995 your other PAM security modules. On my Red Hat system, this was the
996 <filename>/lib/security</filename> directory. On Solaris, the PAM security
997 modules reside in <filename>/usr/lib/security</filename>.
1001 &rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
1005 <title>Linux/FreeBSD-specific PAM configuration</title>
1008 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
1009 just left this file as it was:
1013 <para><programlisting>
1014 auth required /lib/security/pam_stack.so service=system-auth
1015 account required /lib/security/pam_stack.so service=system-auth
1016 </programlisting></para>
1019 The other services that I modified to allow the use of Winbind
1020 as an authentication service were the normal login on the console (or a terminal
1021 session), telnet logins, and ftp service. In order to enable these
1022 services, you may first need to change the entries in
1023 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
1024 Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need
1025 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
1026 and <filename>/etc/xinetd.d/wu-ftp</filename> from
1029 <para><programlisting>
1035 </programlisting></para>
1038 For ftp services to work properly, you will also need to either
1039 have individual directories for the domain users already present on
1040 the server, or change the home directory template to a general
1041 directory for all domain users. These can be easily set using
1042 the &smb.conf; global entry
1043 <smbconfoption name="template homedir"/>.
1047 <para>The directory in <smbconfoption name="template homedir"/> is not created automatically! Use pam_mkhomedir or pre-create
1048 the directories of users to make sure users can log in on UNIX with
1049 their own home directory.
1054 The <filename>/etc/pam.d/ftp</filename> file can be changed
1055 to allow Winbind ftp access in a manner similar to the
1056 samba file. My <filename>/etc/pam.d/ftp</filename> file was
1057 changed to look like this:
1060 <para><smbfile name="pam.ftp.winbind"><programlisting>
1061 auth required /lib/security/pam_listfile.so item=user sense=deny \
1062 file=/etc/ftpusers onerr=succeed
1063 auth sufficient /lib/security/pam_winbind.so
1064 auth required /lib/security/pam_stack.so service=system-auth
1065 auth required /lib/security/pam_shells.so
1066 account sufficient /lib/security/pam_winbind.so
1067 account required /lib/security/pam_stack.so service=system-auth
1068 session required /lib/security/pam_stack.so service=system-auth
1069 </programlisting></smbfile></para>
1072 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
1073 same way. It now looks like this:
1076 <para><smbfile name="pam.login.winbind"><programlisting>
1077 auth required /lib/security/pam_securetty.so
1078 auth sufficient /lib/security/pam_winbind.so
1079 auth sufficient /lib/security/pam_unix.so use_first_pass
1080 auth required /lib/security/pam_stack.so service=system-auth
1081 auth required /lib/security/pam_nologin.so
1082 account sufficient /lib/security/pam_winbind.so
1083 account required /lib/security/pam_stack.so service=system-auth
1084 password required /lib/security/pam_stack.so service=system-auth
1085 session required /lib/security/pam_stack.so service=system-auth
1086 session optional /lib/security/pam_console.so
1087 </programlisting></smbfile></para>
1090 In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
1091 lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
1092 above it, to disallow root logins over the network. I also added a
1093 <programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
1094 line after the <command>winbind.so</command> line to get rid of annoying
1095 double prompts for passwords.
1101 <title>Solaris-specific configuration</title>
1104 The <filename>/etc/pam.conf</filename> needs to be changed. I changed this file so my Domain
1105 users can logon both locally as well as telnet. The following are the changes
1106 that I made. You can customize the <filename>pam.conf</filename> file as per your requirements, but
1107 be sure of those changes because in the worst case it will leave your system
1108 nearly impossible to boot.
1111 <para><programlisting>
1113 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1115 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1116 # All Rights Reserved.
1120 # Authentication management
1122 login auth required /usr/lib/security/pam_winbind.so
1123 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1124 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1126 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1127 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1128 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1130 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1131 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1133 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1134 other auth sufficient /usr/lib/security/pam_winbind.so
1135 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1137 # Account management
1139 login account sufficient /usr/lib/security/pam_winbind.so
1140 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1141 login account required /usr/lib/security/$ISA/pam_unix.so.1
1143 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1144 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1145 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1147 other account sufficient /usr/lib/security/pam_winbind.so
1148 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1149 other account required /usr/lib/security/$ISA/pam_unix.so.1
1151 # Session management
1153 other session required /usr/lib/security/$ISA/pam_unix.so.1
1155 # Password management
1157 #other password sufficient /usr/lib/security/pam_winbind.so
1158 other password required /usr/lib/security/$ISA/pam_unix.so.1
1159 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1161 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1163 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1164 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1165 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1166 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1167 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1168 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1169 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1170 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1171 </programlisting></para>
1174 I also added a <parameter>try_first_pass</parameter> line after the <filename>winbind.so</filename>
1175 line to get rid of annoying double prompts for passwords.
1179 Now restart your Samba and try connecting through your application that you
1180 configured in the pam.conf.
1192 <title>Conclusion</title>
1194 <para>The Winbind system, through the use of the Name Service
1195 Switch, Pluggable Authentication Modules, and appropriate
1196 Microsoft RPC calls have allowed us to provide seamless
1197 integration of Microsoft Windows NT domain users on a
1198 UNIX system. The result is a great reduction in the administrative
1199 cost of running a mixed UNIX and NT network.</para>
1204 <title>Common Errors</title>
1206 <para>Winbind has a number of limitations in its current
1207 released version that we hope to overcome in future
1211 <listitem><para>Winbind is currently only available for
1212 the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
1213 systems are certainly possible. For such ports to be feasible,
1214 we require the C library of the target operating system to
1215 support the Name Service Switch and Pluggable Authentication
1216 Modules systems. This is becoming more common as NSS and
1217 PAM gain support among UNIX vendors.</para></listitem>
1219 <listitem><para>The mappings of Windows NT RIDs to UNIX IDs
1220 is not made algorithmically and depends on the order in which
1221 unmapped users or groups are seen by Winbind. It may be difficult
1222 to recover the mappings of RID to UNIX ID mapping if the file
1223 containing this information is corrupted or destroyed.</para>
1226 <listitem><para>Currently the Winbind PAM module does not take
1227 into account possible workstation and logon time restrictions
1228 that may be set for Windows NT users, this is
1229 instead up to the PDC to enforce.</para></listitem>
1233 <title>NSCD Problem Warning</title>
1235 <?latex \nopagebreak ?>
1238 Do not under any circumstances run <command>nscd</command> on any system
1239 on which <command>winbindd</command> is running.
1243 If <command>nscd</command> is running on the UNIX/Linux system, then
1244 even though NSSWITCH is correctly configured it will not be possible to resolve
1245 domain users and groups for file and directory controls.
1251 <title>Winbind Is Not Resolving Users and Groups</title>
1254 My &smb.conf; file is correctly configured. I have specified
1255 <smbconfoption name="idmap uid">12000</smbconfoption>,
1256 and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
1257 and <command>winbind</command> is running. When I do the following it all works fine.
1261 &rootprompt;<userinput>wbinfo -u</userinput>
1268 &rootprompt;<userinput>wbinfo -g</userinput>
1269 MIDEARTH\Domain Users
1270 MIDEARTH\Domain Admins
1271 MIDEARTH\Domain Guests
1275 &rootprompt;<userinput>getent passwd</userinput>
1276 root:x:0:0:root:/root:/bin/bash
1277 bin:x:1:1:bin:/bin:/bin/bash
1279 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
1283 But the following command just fails:
1286 &rootprompt;<userinput>chown maryo a_file</userinput>
1287 chown: `maryo': invalid user
1290 This is driving me nuts! What can be wrong?
1294 Same problem as the one above.
1295 Your system is likely running <command>nscd</command>, the name service
1296 caching daemon. Shut it down, do not restart it! You will find your problem resolved.