1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities;
6 <refentry id="winbindd.8">
9 <refentrytitle>winbindd</refentrytitle>
10 <manvolnum>8</manvolnum>
15 <refname>winbindd</refname>
16 <refpurpose>Name Service Switch daemon for resolving names
17 from NT servers</refpurpose>
22 <command>winbindd</command>
23 <arg choice="opt">-F</arg>
24 <arg choice="opt">-S</arg>
25 <arg choice="opt">-i</arg>
26 <arg choice="opt">-Y</arg>
27 <arg choice="opt">-d <debug level></arg>
28 <arg choice="opt">-s <smb config file></arg>
29 <arg choice="opt">-n</arg>
34 <title>DESCRIPTION</title>
36 <para>This program is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
37 <manvolnum>7</manvolnum></citerefentry> suite.</para>
39 <para><command>winbindd</command> is a daemon that provides
40 a service for the Name Service Switch capability that is present
41 in most modern C libraries. The Name Service Switch allows user
42 and system information to be obtained from different databases
43 services such as NIS or DNS. The exact behaviour can be configured
44 throught the <filename>/etc/nsswitch.conf</filename> file.
45 Users and groups are allocated as they are resolved to a range
46 of user and group ids specified by the administrator of the
49 <para>The service provided by <command>winbindd</command> is called `winbind' and
50 can be used to resolve user and group information from a
51 Windows NT server. The service can also provide authentication
52 services via an associated PAM module. </para>
55 The <filename>pam_winbind</filename> module in the 2.2.2 release only
56 supports the <parameter>auth</parameter> and <parameter>account</parameter>
57 module-types. The latter simply
58 performs a getpwnam() to verify that the system can obtain a uid for the
59 user. If the <filename>libnss_winbind</filename> library has been correctly
60 installed, this should always succeed.
63 <para>The following nsswitch databases are implemented by
64 the winbindd service: </para>
69 <listitem><para>User information traditionally stored in
70 the <filename>hosts(5)</filename> file and used by
71 <command>gethostbyname(3)</command> functions. Names are
72 resolved through the WINS server or by broadcast.
78 <listitem><para>User information traditionally stored in
79 the <filename>passwd(5)</filename> file and used by
80 <command>getpwent(3)</command> functions. </para></listitem>
85 <listitem><para>Group information traditionally stored in
86 the <filename>group(5)</filename> file and used by
87 <command>getgrent(3)</command> functions. </para></listitem>
91 <para>For example, the following simple configuration in the
92 <filename>/etc/nsswitch.conf</filename> file can be used to initially
93 resolve user and group information from <filename>/etc/passwd
94 </filename> and <filename>/etc/group</filename> and then from the
99 </programlisting></para>
101 <para>The following simple configuration in the
102 <filename>/etc/nsswitch.conf</filename> file can be used to initially
103 resolve hostnames from <filename>/etc/hosts</filename> and then from the
110 <title>OPTIONS</title>
115 <listitem><para>If specified, this parameter causes
116 the main <command>winbindd</command> process to not daemonize,
117 i.e. double-fork and disassociate with the terminal.
118 Child processes are still created as normal to service
119 each connection request, but the main process does not
120 exit. This operation mode is suitable for running
121 <command>winbindd</command> under process supervisors such
122 as <command>supervise</command> and <command>svscan</command>
123 from Daniel J. Bernstein's <command>daemontools</command>
124 package, or the AIX process monitor.
130 <listitem><para>If specified, this parameter causes
131 <command>winbindd</command> to log to standard output rather
132 than a file.</para></listitem>
140 <listitem><para>Tells <command>winbindd</command> to not
141 become a daemon and detach from the current terminal. This
142 option is used by developers when interactive debugging
143 of <command>winbindd</command> is required.
144 <command>winbindd</command> also logs to standard output,
145 as if the <command>-S</command> parameter had been given.
151 <listitem><para>Disable caching. This means winbindd will
152 always have to wait for a response from the domain controller
153 before it can respond to a client and this thus makes things
154 slower. The results will however be more accurate, since
155 results from the cache might not be up-to-date. This
156 might also temporarily hang winbindd if the DC doesn't respond.
162 <listitem><para>Single daemon mode. This means winbindd will run
163 as a single process (the mode of operation in Samba 2.2). Winbindd's
164 default behavior is to launch a child process that is responsible for
165 updating expired cache entries.
174 <title>NAME AND ID RESOLUTION</title>
176 <para>Users and groups on a Windows NT server are assigned
177 a relative id (rid) which is unique for the domain when the
178 user or group is created. To convert the Windows NT user or group
179 into a unix user or group, a mapping between rids and unix user
180 and group ids is required. This is one of the jobs that <command>
181 winbindd</command> performs. </para>
183 <para>As winbindd users and groups are resolved from a server, user
184 and group ids are allocated from a specified range. This
185 is done on a first come, first served basis, although all existing
186 users and groups will be mapped as soon as a client performs a user
187 or group enumeration command. The allocated unix ids are stored
188 in a database file under the Samba lock directory and will be
191 <para>WARNING: The rid to unix id database is the only location
192 where the user and group mappings are stored by winbindd. If this
193 file is deleted or corrupted, there is no way for winbindd to
194 determine which user and group ids correspond to Windows NT user
195 and group rids. </para>
200 <title>CONFIGURATION</title>
202 <para>Configuration of the <command>winbindd</command> daemon
203 is done through configuration parameters in the <citerefentry>
204 <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
205 </citerefentry> file. All parameters should be specified in the
206 [global] section of smb.conf. </para>
210 <smbconfoption><name>winbind separator</name></smbconfoption></para></listitem>
212 <smbconfoption><name>idmap uid</name></smbconfoption></para></listitem>
214 <smbconfoption><name>idmap gid</name></smbconfoption></para></listitem>
216 <smbconfoption><name>winbind cache time</name></smbconfoption></para></listitem>
218 <smbconfoption><name>winbind enum users</name></smbconfoption></para></listitem>
220 <smbconfoption><name>winbind enum groups</name></smbconfoption></para></listitem>
222 <smbconfoption><name>template homedir</name></smbconfoption></para></listitem>
224 <smbconfoption><name>template shell</name></smbconfoption></para></listitem>
226 <smbconfoption><name>winbind use default domain</name></smbconfoption></para></listitem>
232 <title>EXAMPLE SETUP</title>
234 <para>To setup winbindd for user and group lookups plus
235 authentication from a domain controller use something like the
236 following setup. This was tested on a RedHat 6.2 Linux box. </para>
238 <para>In <filename>/etc/nsswitch.conf</filename> put the
241 passwd: files winbind
243 </programlisting></para>
245 <para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
246 auth</parameter> lines with something like this:
248 auth required /lib/security/pam_securetty.so
249 auth required /lib/security/pam_nologin.so
250 auth sufficient /lib/security/pam_winbind.so
251 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
252 </programlisting></para>
255 <para>Note in particular the use of the <parameter>sufficient
256 </parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
258 <para>Now replace the account lines with this: </para>
260 <para><command>account required /lib/security/pam_winbind.so
263 <para>The next step is to join the domain. To do that use the
264 <command>net</command> program like this: </para>
266 <para><command>net join -S PDC -U Administrator</command></para>
268 <para>The username after the <parameter>-U</parameter> can be any
269 Domain user that has administrator privileges on the machine.
270 Substitute the name or IP of your PDC for "PDC".</para>
272 <para>Next copy <filename>libnss_winbind.so</filename> to
273 <filename>/lib</filename> and <filename>pam_winbind.so
274 </filename> to <filename>/lib/security</filename>. A symbolic link needs to be
275 made from <filename>/lib/libnss_winbind.so</filename> to
276 <filename>/lib/libnss_winbind.so.2</filename>. If you are using an
277 older version of glibc then the target of the link should be
278 <filename>/lib/libnss_winbind.so.1</filename>.</para>
280 <para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
281 <manvolnum>5</manvolnum></citerefentry> containing directives like the
285 winbind separator = +
286 winbind cache time = 10
287 template shell = /bin/bash
288 template homedir = /home/%D/%U
289 idmap uid = 10000-20000
290 idmap gid = 10000-20000
294 </programlisting></para>
297 <para>Now start winbindd and you should find that your user and
298 group database is expanded to include your NT users and groups,
299 and that you can login to your unix box as a domain user, using
300 the DOMAIN+user syntax for the username. You may wish to use the
301 commands <command>getent passwd</command> and <command>getent group
302 </command> to confirm the correct operation of winbindd.</para>
309 <para>The following notes are useful when configuring and
310 running <command>winbindd</command>: </para>
312 <para><citerefentry><refentrytitle>nmbd</refentrytitle>
313 <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
314 for <command>winbindd</command> to work. <command>winbindd</command> queries
315 the list of trusted domains for the Windows NT server
316 on startup and when a SIGHUP is received. Thus, for a running <command>
317 winbindd</command> to become aware of new trust relationships between
318 servers, it must be sent a SIGHUP signal. </para>
320 <para>PAM is really easy to misconfigure. Make sure you know what
321 you are doing when modifying PAM configuration files. It is possible
322 to set up PAM such that you can no longer log into your system. </para>
324 <para>If more than one UNIX machine is running <command>winbindd</command>,
325 then in general the user and groups ids allocated by winbindd will not
326 be the same. The user and group ids will only be valid for the local
329 <para>If the the Windows NT RID to UNIX user and group id mapping
330 file is damaged or destroyed then the mappings will be lost. </para>
335 <title>SIGNALS</title>
337 <para>The following signals can be used to manipulate the
338 <command>winbindd</command> daemon. </para>
343 <listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
344 <manvolnum>5</manvolnum></citerefentry> file and
345 apply any parameter changes to the running
346 version of winbindd. This signal also clears any cached
347 user and group information. The list of other domains trusted
348 by winbindd is also reloaded. </para></listitem>
353 <listitem><para>The SIGUSR2 signal will cause <command>
354 winbindd</command> to write status information to the winbind
355 log file including information about the number of user and
356 group ids allocated by <command>winbindd</command>.</para>
358 <para>Log files are stored in the filename specified by the
359 log file parameter.</para></listitem>
369 <term><filename>/etc/nsswitch.conf(5)</filename></term>
370 <listitem><para>Name service switch configuration file.</para>
375 <term>/tmp/.winbindd/pipe</term>
376 <listitem><para>The UNIX pipe over which clients communicate with
377 the <command>winbindd</command> program. For security reasons, the
378 winbind client will only attempt to connect to the winbindd daemon
379 if both the <filename>/tmp/.winbindd</filename> directory
380 and <filename>/tmp/.winbindd/pipe</filename> file are owned by
381 root. </para></listitem>
385 <term>$LOCKDIR/winbindd_privilaged/pipe</term>
386 <listitem><para>The UNIX pipe over which 'privilaged' clients
387 communicate with the <command>winbindd</command> program. For security
388 reasons, access to some winbindd functions - like those needed by
389 the <command>ntlm_auth</command> utility - is restricted. By default,
390 only users in the 'root' group will get this access, however the administrator
391 may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
392 programs like 'squid' to use ntlm_auth.
393 Note that the winbind client will only attempt to connect to the winbindd daemon
394 if both the <filename>$LOCKDIR/winbindd_privilaged</filename> directory
395 and <filename>$LOCKDIR/winbindd_privilaged/pipe</filename> file are owned by
396 root. </para></listitem>
400 <term>/lib/libnss_winbind.so.X</term>
401 <listitem><para>Implementation of name service switch library.
406 <term>$LOCKDIR/winbindd_idmap.tdb</term>
407 <listitem><para>Storage for the Windows NT rid to UNIX user/group
408 id mapping. The lock directory is specified when Samba is initially
409 compiled using the <parameter>--with-lockdir</parameter> option.
410 This directory is by default <filename>/usr/local/samba/var/locks
411 </filename>. </para></listitem>
415 <term>$LOCKDIR/winbindd_cache.tdb</term>
416 <listitem><para>Storage for cached user and group information.
424 <title>VERSION</title>
426 <para>This man page is correct for version 3.0 of
427 the Samba suite.</para>
431 <title>SEE ALSO</title>
433 <para><filename>nsswitch.conf(5)</filename>, <citerefentry>
434 <refentrytitle>Samba</refentrytitle>
435 <manvolnum>7</manvolnum></citerefentry>, <citerefentry>
436 <refentrytitle>wbinfo</refentrytitle>
437 <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
438 <refentrytitle>smb.conf</refentrytitle>
439 <manvolnum>5</manvolnum></citerefentry></para>
443 <title>AUTHOR</title>
445 <para>The original Samba software and related utilities
446 were created by Andrew Tridgell. Samba is now developed
447 by the Samba Team as an Open Source project similar
448 to the way the Linux kernel is developed.</para>
450 <para><command>wbinfo</command> and <command>winbindd</command> were
451 written by Tim Potter.</para>
453 <para>The conversion to DocBook for Samba 2.2 was done
454 by Gerald Carter. The conversion to DocBook XML 4.2 for
455 Samba 3.0 was done by Alexander Bokovoy.</para>
git.samba.org / samba.git / blob