4 >Unified Logons between Windows NT and UNIX using Winbind</TITLE
7 CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
23 >Unified Logons between Windows NT and UNIX using Winbind</A
35 >Integration of UNIX and Microsoft Windows NT through
36 a unified logon has been considered a "holy grail" in heterogeneous
37 computing environments for a long time. We present
41 >, a component of the Samba suite
42 of programs as a solution to the unified logon problem. Winbind
43 uses a UNIX implementation
44 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
45 Service Switch to allow Windows NT domain users to appear and operate
46 as UNIX users on a UNIX machine. This paper describes the winbind
47 system, explaining the functionality it provides, how it is configured,
48 and how it works internally.</P
59 >It is well known that UNIX and Microsoft Windows NT have
60 different models for representing user and group information and
61 use different technologies for implementing them. This fact has
62 made it difficult to integrate the two systems in a satisfactory
65 >One common solution in use today has been to create
66 identically named user accounts on both the UNIX and Windows systems
67 and use the Samba suite of programs to provide file and print services
68 between the two. This solution is far from perfect however, as
69 adding and deleting users on both sets of machines becomes a chore
70 and two sets of passwords are required both of which
71 can lead to synchronization problems between the UNIX and Windows
72 systems and confusion for users.</P
74 >We divide the unified logon problem for UNIX machines into
75 three smaller problems:</P
81 >Obtaining Windows NT user and group information
86 >Authenticating Windows NT users
91 >Password changing for Windows NT users
96 >Ideally, a prospective solution to the unified logon problem
97 would satisfy all the above components without duplication of
98 information on the UNIX machines and without creating additional
99 tasks for the system administrator when maintaining users and
100 groups on either system. The winbind system provides a simple
101 and elegant solution to all three components of the unified logon
110 >What Winbind Provides</A
113 >Winbind unifies UNIX and Windows NT account management by
114 allowing a UNIX box to become a full member of a NT domain. Once
115 this is done the UNIX box will see NT users and groups as if
116 they were native UNIX users and groups, allowing the NT domain
117 to be used in much the same manner that NIS+ is used within
118 UNIX-only environments.</P
120 >The end result is that whenever any
121 program on the UNIX machine asks the operating system to lookup
122 a user or group name, the query will be resolved by asking the
123 NT domain controller for the specified domain to do the lookup.
124 Because Winbind hooks into the operating system at a low level
125 (via the NSS name resolution modules in the C library) this
126 redirection to the NT domain controller is completely
129 >Users on the UNIX machine can then use NT user and group
130 names as they would use "native" UNIX names. They can chown files
131 so that they are owned by NT domain users or even login to the
132 UNIX machine and run a UNIX X-Window session as a domain user.</P
134 >The only obvious indication that Winbind is being used is
135 that user and group names take the form DOMAIN\user and
136 DOMAIN\group. This is necessary as it allows Winbind to determine
137 that redirection to a domain controller is wanted for a particular
138 lookup and which trusted domain is being referenced.</P
140 >Additionally, Winbind provides an authentication service
141 that hooks into the Pluggable Authentication Modules (PAM) system
142 to provide authentication via a NT domain to any PAM enabled
143 applications. This capability solves the problem of synchronizing
144 passwords between systems since all passwords are stored in a single
145 location (on the domain controller).</P
155 >Winbind is targeted at organizations that have an
156 existing NT based domain infrastructure into which they wish
157 to put UNIX workstations or servers. Winbind will allow these
158 organizations to deploy UNIX workstations without having to
159 maintain a separate account infrastructure. This greatly
160 simplifies the administrative overhead of deploying UNIX
161 workstations into a NT based organization.</P
163 >Another interesting way in which we expect Winbind to
164 be used is as a central part of UNIX based appliances. Appliances
165 that provide file and print services to Microsoft based networks
166 will be able to use Winbind to provide seamless integration of
167 the appliance into the domain.</P
176 >How Winbind Works</A
179 >The winbind system is designed around a client/server
180 architecture. A long running <B
184 listens on a UNIX domain socket waiting for requests
185 to arrive. These requests are generated by the NSS and PAM
186 clients and processed sequentially.</P
188 >The technologies used to implement winbind are described
196 >Microsoft Remote Procedure Calls</A
199 >Over the last two years, efforts have been underway
200 by various Samba Team members to decode various aspects of
201 the Microsoft Remote Procedure Call (MSRPC) system. This
202 system is used for most network related operations between
203 Windows NT machines including remote management, user authentication
204 and print spooling. Although initially this work was done
205 to aid the implementation of Primary Domain Controller (PDC)
206 functionality in Samba, it has also yielded a body of code which
207 can be used for other purposes.</P
209 >Winbind uses various MSRPC calls to enumerate domain users
210 and groups and to obtain detailed information about individual
211 users or groups. Other MSRPC calls can be used to authenticate
212 NT domain users and to change user passwords. By directly querying
213 a Windows PDC for user and group information, winbind maps the
214 NT account information onto UNIX user and group names.</P
222 >Name Service Switch</A
225 >The Name Service Switch, or NSS, is a feature that is
226 present in many UNIX operating systems. It allows system
227 information such as hostnames, mail aliases and user information
228 to be resolved from different sources. For example, a standalone
229 UNIX workstation may resolve system information from a series of
230 flat files stored on the local filesystem. A networked workstation
231 may first attempt to resolve system information from local files,
232 and then consult a NIS database for user information or a DNS server
233 for hostname information.</P
235 >The NSS application programming interface allows winbind
236 to present itself as a source of system information when
237 resolving UNIX usernames and groups. Winbind uses this interface,
238 and information obtained from a Windows NT server using MSRPC
239 calls to provide a new source of account enumeration. Using standard
240 UNIX library calls, one can enumerate the users and groups on
241 a UNIX machine running winbind and see all users and groups in
242 a NT domain plus any trusted domain as though they were local
245 >The primary control file for NSS is
248 >/etc/nsswitch.conf</TT
250 When a UNIX application makes a request to do a lookup
251 the C library looks in <TT
253 >/etc/nsswitch.conf</TT
255 for a line which matches the service type being requested, for
256 example the "passwd" service type is used when user or group names
257 are looked up. This config line species which implementations
258 of that service should be tried and in what order. If the passwd
263 >passwd: files example</B
266 >then the C library will first load a module called
269 >/lib/libnss_files.so</TT
273 >/lib/libnss_example.so</TT
275 C library will dynamically load each of these modules in turn
276 and call resolver functions within the modules to try to resolve
277 the request. Once the request is resolved the C library returns the
278 result to the application.</P
280 >This NSS interface provides a very easy way for Winbind
281 to hook into the operating system. All that needs to be done
284 >libnss_winbind.so</TT
289 then add "winbind" into <TT
291 >/etc/nsswitch.conf</TT
293 the appropriate place. The C library will then call Winbind to
294 resolve user and group names.</P
302 >Pluggable Authentication Modules</A
305 >Pluggable Authentication Modules, also known as PAM,
306 is a system for abstracting authentication and authorization
307 technologies. With a PAM module it is possible to specify different
308 authentication methods for different system applications without
309 having to recompile these applications. PAM is also useful
310 for implementing a particular policy for authorization. For example,
311 a system administrator may only allow console logins from users
312 stored in the local password file but only allow users resolved from
313 a NIS database to log in over the network.</P
315 >Winbind uses the authentication management and password
316 management PAM interface to integrate Windows NT users into a
317 UNIX system. This allows Windows NT users to log in to a UNIX
318 machine and be authenticated against a suitable Primary Domain
319 Controller. These users can also change their passwords and have
320 this change take effect directly on the Primary Domain Controller.
323 >PAM is configured by providing control files in the directory
327 > for each of the services that
328 require authentication. When an authentication request is made
329 by an application the PAM code in the C library looks up this
330 control file to determine what modules to load to do the
331 authentication check and in what order. This interface makes adding
332 a new authentication service for Winbind very easy, all that needs
333 to be done is that the <TT
341 control files for relevant services are updated to allow
342 authentication via winbind. See the PAM documentation
351 >User and Group ID Allocation</A
354 >When a user or group is created under Windows NT
355 is it allocated a numerical relative identifier (RID). This is
356 slightly different to UNIX which has a range of numbers that are
357 used to identify users, and the same range in which to identify
358 groups. It is winbind's job to convert RIDs to UNIX id numbers and
359 vice versa. When winbind is configured it is given part of the UNIX
360 user id space and a part of the UNIX group id space in which to
361 store Windows NT users and groups. If a Windows NT user is
362 resolved for the first time, it is allocated the next UNIX id from
363 the range. The same process applies for Windows NT groups. Over
364 time, winbind will have mapped all Windows NT users and groups
365 to UNIX user ids and group ids.</P
367 >The results of this mapping are stored persistently in
368 an ID mapping database held in a tdb database). This ensures that
369 RIDs are mapped to UNIX IDs in a consistent way.</P
380 >An active system can generate a lot of user and group
381 name lookups. To reduce the network cost of these lookups winbind
382 uses a caching scheme based on the SAM sequence number supplied
383 by NT domain controllers. User or group information returned
384 by a PDC is cached by winbind along with a sequence number also
385 returned by the PDC. This sequence number is incremented by
386 Windows NT whenever any user or group information is modified. If
387 a cached entry has expired, the sequence number is requested from
388 the PDC and compared against the sequence number of the cached entry.
389 If the sequence numbers do not match, then the cached information
390 is discarded and up to date information is requested directly
400 >Installation and Configuration</A
403 >Many thanks to John Trostel <A
404 HREF="mailto:jtrostel@snapserver.com"
406 >jtrostel@snapserver.com</A
408 for providing the HOWTO for this section.</P
410 >This HOWTO describes how to get winbind services up and running
411 to control access and authenticate users on your Linux box using
412 the winbind services which come with SAMBA 2.2.2.</P
422 >This HOWTO describes the procedures used to get winbind up and
423 running on my RedHat 7.1 system. Winbind is capable of providing access
424 and authentication control for Windows Domain users through an NT
425 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
426 well for SAMBA services.</P
428 >This HOWTO has been written from a 'RedHat-centric' perspective, so if
429 you are using another distribution, you may have to modify the instructions
430 somewhat to fit the way your distribution works.</P
438 >Why should I to this?</I
442 >This allows the SAMBA administrator to rely on the
443 authentication mechanisms on the NT/Win2K PDC for the authentication
444 of domain members. NT/Win2K users no longer need to have separate
445 accounts on the SAMBA server.
452 >Who should be reading this document?</I
456 > This HOWTO is designed for system administrators. If you are
457 implementing SAMBA on a file server and wish to (fairly easily)
458 integrate existing NT/Win2K users from your PDC onto the
459 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
460 expert, so you may find a better or easier way to accomplish
475 >If you have a samba configuration file that you are currently
479 > If your system already uses PAM,
487 > If you haven't already made a boot disk,
493 >Messing with the pam configuration files can make it nearly impossible
494 to log in to yourmachine. That's why you want to be able to boot back
495 into your machine in single user mode and restore your
499 > back to the original state they were in if
500 you get frustrated with the way things are going. ;-)</P
502 >The latest version of SAMBA (version 2.2.2 as of this writing), now
503 includes a functioning winbindd daemon. Please refer to the
505 HREF="http://samba.org/"
507 >main SAMBA web page</A
509 better yet, your closest SAMBA mirror site for instructions on
510 downloading the source code.</P
512 >To allow Domain users the ability to access SAMBA shares and
513 files, as well as potentially other services provided by your
514 SAMBA machine, PAM (pluggable authentication modules) must
515 be setup properly on your machine. In order to compile the
516 winbind modules, you should have at least the pam libraries resident
517 on your system. For recent RedHat systems (7.1, for instance), that
521 >. For best results, it is helpful to also
522 install the development packages in <TT
524 >pam-devel-0.74-22</TT
533 >Testing Things Out</A
536 >Before starting, it is probably best to kill off all the SAMBA
537 related daemons running on your server. Kill off all <B
548 be running. To use PAM, you will want to make sure that you have the
549 standard PAM package (for RedHat) which supplies the <TT
553 directory structure, including the pam modules are used by pam-aware
554 services, several pam libraries, and the <TT
561 > entries for pam. Winbind built better
562 in SAMBA if the pam-devel package was also installed. This package includes
563 the header files needed to compile pam-aware applications. For instance,
564 my RedHat system has both <TT
570 >pam-devel-0.74-22</TT
578 >Configure and compile SAMBA</A
581 >The configuration and compilation of SAMBA is pretty straightforward.
582 The first three steps may not be necessary depending upon
583 whether or not you have previously built the Samba binaries.</P
586 CLASS="PROGRAMLISTING"
613 >./configure --with-winbind</B
631 >This will, by default, install SAMBA in <TT
633 >/usr/local/samba</TT
635 See the main SAMBA documentation if you want to install SAMBA somewhere else.
636 It will also build the winbindd executable and libraries. </P
651 >The libraries needed to run the <B
655 through nsswitch need to be copied to their proper locations, so</P
662 >cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
665 >I also found it necessary to make the following symbolic link:</P
672 >ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
675 >Now, as root you need to edit <TT
677 >/etc/nsswitch.conf</TT
679 allow user and group entries to be visible from the <B
685 >/etc/nsswitch.conf</TT
687 this after editing:</P
690 CLASS="PROGRAMLISTING"
691 > passwd: files winbind
693 group: files winbind</PRE
697 The libraries needed by the winbind daemon will be automatically
701 > cache the next time
702 your system reboots, but it
703 is faster (and you don't need to reboot) if you do it manually:</P
710 >/sbin/ldconfig -v | grep winbind</B
716 > available to winbindd
717 and echos back a check to you.</P
725 >Configure smb.conf</A
728 >Several parameters are needed in the smb.conf file to control
736 > These are described in more detail in
738 HREF="winbindd.8.html"
745 > file was modified to
746 include the following entries in the [global] section:</P
749 CLASS="PROGRAMLISTING"
752 # separate domain and username with '+', like DOMAIN+username
754 HREF="winbindd.8.html#WINBINDSEPARATOR"
756 >winbind separator</A
758 # use uids from 10000 to 20000 for domain users
760 HREF="winbindd.8.html#WINBINDUID"
764 # use gids from 10000 to 20000 for domain groups
766 HREF="winbindd.8.html#WINBINDGID"
770 # allow enumeration of winbind users and groups
772 HREF="winbindd.8.html#WINBINDENUMUSERS"
774 >winbind enum users</A
777 HREF="winbindd.8.html#WINBINDENUMGROUP"
779 >winbind enum groups</A
781 # give winbind users a real shell (only needed if they have telnet access)
783 HREF="winbindd.8.html#TEMPLATEHOMEDIR"
786 > = /home/winnt/%D/%U
788 HREF="winbindd.8.html#TEMPLATESHELL"
800 >Join the SAMBA server to the PDC domain</A
803 >Enter the following command to make the SAMBA server join the
804 PDC domain, where <TT
810 your Windows domain and <TT
816 a domain user who has administrative privileges in the domain.</P
823 >/usr/local/samba/bin/net rpc join -s PDC -U Administrator</B
826 >The proper response to the command should be: "Joined the domain
838 is your DOMAIN name.</P
846 >Start up the winbindd daemon and test it!</A
849 >Eventually, you will want to modify your smb startup script to
850 automatically invoke the winbindd daemon when the other parts of
851 SAMBA start, but it is possible to test out just the winbind
852 portion first. To start up winbind services, enter the following
860 >/usr/local/samba/bin/winbindd</B
863 >I'm always paranoid and like to make sure the daemon
864 is really running...</P
871 >ps -ae | grep winbindd</B
874 >This command should produce output like this, if the daemon is running</P
876 >3025 ? 00:00:00 winbindd</P
878 >Now... for the real test, try to get some information about the
886 >/usr/local/samba/bin/wbinfo -u</B
890 This should echo back a list of users on your Windows users on
891 your PDC. For example, I get the following response:</P
894 CLASS="PROGRAMLISTING"
900 CEO+TsInternetUser</PRE
903 >Obviously, I have named my domain 'CEO' and my <TT
911 >You can do the same sort of thing to get group information from
915 CLASS="PROGRAMLISTING"
921 >/usr/local/samba/bin/wbinfo -g</B
927 CEO+Domain Controllers
930 CEO+Enterprise Admins
931 CEO+Group Policy Creator Owners</PRE
934 >The function 'getent' can now be used to get unified
935 lists of both local and PDC users and groups.
936 Try the following command:</P
946 >You should get a list that looks like your <TT
950 list followed by the domain users with their new uids, gids, home
951 directories and default shells.</P
953 >The same thing can be done for groups with the command</P
971 >/etc/rc.d/init.d/smb</TT
978 > daemon needs to start up after the
985 > daemons are running.
986 To accomplish this task, you need to modify the <TT
990 script to add commands to invoke this daemon in the proper sequence. My
1007 >/usr/local/samba/bin</TT
1008 > directory directly. The 'start'
1009 function in the script looks like this:</P
1012 CLASS="PROGRAMLISTING"
1015 echo -n $"Starting $KIND services: "
1016 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
1020 echo -n $"Starting $KIND services: "
1021 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
1025 echo -n $"Starting $KIND services: "
1026 daemon /usr/local/samba/bin/winbindd
1029 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
1035 >The 'stop' function has a corresponding entry to shut down the
1036 services and look s like this:</P
1039 CLASS="PROGRAMLISTING"
1042 echo -n $"Shutting down $KIND services: "
1047 echo -n $"Shutting down $KIND services: "
1052 echo -n $"Shutting down $KIND services: "
1055 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
1061 >If you restart the <B
1071 > daemons at this point, you
1072 should be able to connect to the samba server as a domain member just as
1073 if you were a local user.</P
1081 >Configure Winbind and PAM</A
1084 >If you have made it this far, you know that winbindd and samba are working
1085 together. If you want to use winbind to provide authentication for other
1086 services, keep reading. The pam configuration files need to be altered in
1087 this step. (Did you remember to make backups of your original
1091 > files? If not, do it now.)</P
1093 >You will need a pam module to use winbindd with these other services. This
1094 module will be compiled in the <TT
1096 >../source/nsswitch</TT
1098 by invoking the command</P
1105 >make nsswitch/pam_winbind.so</B
1115 > file should be copied to the location of
1116 your other pam security modules. On my RedHat system, this was the
1127 >cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
1132 >/etc/pam.d/samba</TT
1133 > file does not need to be changed. I
1134 just left this fileas it was:</P
1137 CLASS="PROGRAMLISTING"
1138 >auth required /lib/security/pam_stack.so service=system-auth
1139 account required /lib/security/pam_stack.so service=system-auth</PRE
1142 >The other services that I modified to allow the use of winbind
1143 as an authentication service were the normal login on the console (or a terminal
1144 session), telnet logins, and ftp service. In order to enable these
1145 services, you may first need to change the entries in
1151 >/etc/inetd.conf</TT
1153 RedHat 7.1 uses the new xinetd.d structure, in this case you need
1154 to change the lines in <TT
1156 >/etc/xinetd.d/telnet</TT
1160 >/etc/xinetd.d/wu-ftp</TT
1164 CLASS="PROGRAMLISTING"
1171 CLASS="PROGRAMLISTING"
1176 For ftp services to work properly, you will also need to either
1177 have individual directories for the domain users already present on
1178 the server, or change the home directory template to a general
1179 directory for all domain users. These can be easily set using
1186 >template homedir</B
1192 > file can be changed
1193 to allow winbind ftp access in a manner similar to the
1198 changed to look like this:</P
1201 CLASS="PROGRAMLISTING"
1202 >auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
1203 auth sufficient /lib/security/pam_winbind.so
1204 auth required /lib/security/pam_stack.so service=system-auth
1205 auth required /lib/security/pam_shells.so
1206 account sufficient /lib/security/pam_winbind.so
1207 account required /lib/security/pam_stack.so service=system-auth
1208 session required /lib/security/pam_stack.so service=system-auth</PRE
1213 >/etc/pam.d/login</TT
1214 > file can be changed nearly the
1215 same way. It now looks like this:</P
1218 CLASS="PROGRAMLISTING"
1219 >auth required /lib/security/pam_securetty.so
1220 auth sufficient /lib/security/pam_winbind.so
1221 auth sufficient /lib/security/pam_unix.so use_first_pass
1222 auth required /lib/security/pam_stack.so service=system-auth
1223 auth required /lib/security/pam_nologin.so
1224 account sufficient /lib/security/pam_winbind.so
1225 account required /lib/security/pam_stack.so service=system-auth
1226 password required /lib/security/pam_stack.so service=system-auth
1227 session required /lib/security/pam_stack.so service=system-auth
1228 session optional /lib/security/pam_console.so</PRE
1231 >In this case, I added the <B
1233 >auth sufficient /lib/security/pam_winbind.so</B
1235 lines as before, but also added the <B
1237 >required pam_securetty.so</B
1239 above it, to disallow root logins over the network. I also added a
1242 >sufficient /lib/security/pam_unix.so use_first_pass</B
1247 > line to get rid of annoying
1248 double prompts for passwords.</P
1261 >Winbind has a number of limitations in its current
1262 released version that we hope to overcome in future
1269 >Winbind is currently only available for
1270 the Linux operating system, although ports to other operating
1271 systems are certainly possible. For such ports to be feasible,
1272 we require the C library of the target operating system to
1273 support the Name Service Switch and Pluggable Authentication
1274 Modules systems. This is becoming more common as NSS and
1275 PAM gain support among UNIX vendors.</P
1279 >The mappings of Windows NT RIDs to UNIX ids
1280 is not made algorithmically and depends on the order in which
1281 unmapped users or groups are seen by winbind. It may be difficult
1282 to recover the mappings of rid to UNIX id mapping if the file
1283 containing this information is corrupted or destroyed.</P
1287 >Currently the winbind PAM module does not take
1288 into account possible workstation and logon time restrictions
1289 that may be been set for Windows NT users.</P
1302 >The winbind system, through the use of the Name Service
1303 Switch, Pluggable Authentication Modules, and appropriate
1304 Microsoft RPC calls have allowed us to provide seamless
1305 integration of Microsoft Windows NT domain users on a
1306 UNIX system. The result is a great reduction in the administrative
1307 cost of running a mixed UNIX and NT network.</P