Test harness stuff for compiling things.

[samba.git] / docs / manpages / winbindd.8

.TH "winbindd " "8" "13 Jun 2000" "Samba" "SAMBA" 
.PP 
.SH "NAME" 
winbindd \- Name Service Switch daemon for resolving names from NT servers
.PP 
.SH "SYNOPSIS" 
.PP 
\fBwinbindd\fP [-d debuglevel] [-i]
.PP 
.SH "DESCRIPTION" 
.PP 
This program is part of the \fBSamba\fP suite version 3\&.0 and describes
functionality not yet implemented in the main version of Samba\&.
.PP 
\fBwinbindd\fP is a daemon that provides a service for the Name Service
Switch capability that is present in most modern C libraries\&.  The Name
Service Switch allows user and system information to be obtained from
different databases services such as NIS or DNS\&.  The exact behaviour can
be configured throught the \f(CW/etc/nsswitch\&.conf\fP file\&.  Users and groups
are allocated as they are resolved to a range of user and group ids
specified by the administrator of the Samba system\&.  
.PP 
The service provided by \fBwinbindd\fP is called `winbind\' and can be
used to resolve user and group information from a Windows NT server\&.
The service can also provide authentication services via an associated
PAM module\&.
.PP 
The following nsswitch databases are implemented by the \fBwinbindd\fP
service:
.PP 
.IP 
.IP "passwd" 
.IP 
User information traditionally stored in the \fBpasswd(5)\fP file and used by
\fBgetpwent(3)\fP functions\&.
.IP 
.IP "group" 
.IP 
Group information traditionally stored in the \fBgroup(5)\fP file and used by
\fBgetgrent(3)\fP functions\&.
.IP 
.PP 
For example, the following simple configuration in the
\f(CW/etc/nsswitch\&.conf\fP file can be used to initially resolve user and group
information from \f(CW/etc/passwd\fP and \f(CW/etc/group\fP and then from the
Windows NT server\&.
.PP 

.nf 
 

  passwd:         files winbind
  group:          files winbind

.fi 
 

.PP 
.SH "OPTIONS" 
.PP 
The following options are available to the \fBwinbindd\fP daemon:
.PP 
.IP 
.IP "\fB-d debuglevel\fP" 
Sets the debuglevel to an integer between 0 and 100\&. 0 is for no debugging
and 100 is for reams and reams\&. To submit a bug report to the Samba Team,
use debug level 100 (see \fBBUGS\&.txt\fP)\&.  
.IP 
.IP "\fB-i\fP" 
Tells winbindd to not become a daemon and detach from the current terminal\&.
This option is used by developers when interactive debugging of winbindd is
required\&.
.IP 
.PP 
.SH "NAME AND ID RESOLUTION" 
.PP 
Users and groups on a Windows NT server are assigned a relative id (rid)
which is unique for the domain when the user or group is created\&.  To
convert the Windows NT user or group into a unix user or group, a mapping
between rids and unix user and group ids is required\&.  This is one of the
jobs that \fBwinbindd\fP performs\&.
.PP 
As \fBwinbindd\fP users and groups are resolved from a server, user and group
ids are allocated from a specified range\&.  This is done on a first come,
first served basis, although all existing users and groups will be mapped
as soon as a client performs a user or group enumeration command\&.  The
allocated unix ids are stored in a database file under the Samba lock
directory and will be remembered\&.
.PP 
WARNING: The rid to unix id database is the only location where the user
and group mappings are stored by \fBwinbindd\fP\&.  If this file is deleted or
corrupted, there is no way for \fBwinbindd\fP to determine which user and
group ids correspond to Windows NT user and group rids\&.
.PP 
.SH "CONFIGURATION" 
.PP 
Configuration of the \fBwinbindd\fP daemon is done through configuration
parameters in the \fBsmb\&.conf\fP file\&.  All parameters
should be specified in the [global] section of
\fBsmb\&.conf\fP\&.
.PP 
.IP 
.IP "winbind separator" 
.IP 
The winbind separator option allows you to specify how NT domain names
and user names are combined into unix user names when presented to
users\&. By default winbind will use the traditional \e separator so
that the unix user names look like DOMAIN\eusername\&. In some cases
this separator character may cause problems as the \e character has
special meaning in unix shells\&. In that case you can use the winbind
separator option to specify an alternative sepataror character\&. Good
alternatives may be / (although that conflicts with the unix directory
separator) or a + character\&. The + character appears to be the best
choice for 100% compatibility with existing unix utilities, but may be
an aesthetically bad choice depending on your taste\&.
.IP 
\fBDefault:\fP
\f(CW     winbind separator = \e\fP
.IP 
\fBExample:\fP
\f(CW     winbind separator = +\fP
.IP 
.IP "winbind uid" 
.IP 
The winbind uid parameter specifies the range of user ids that are
allocated by the \fBwinbindd\fP daemon\&.  This range of
ids should have no existing local or nis users within it as strange
conflicts can occur otherwise\&.
.IP 
\fBDefault:\fP
\f(CW     winbind uid = <empty string>\fP
.IP 
\fBExample:\fP
\f(CW     winbind uid = 10000-20000\fP
.IP 
.IP "winbind gid" 
.IP 
The winbind gid parameter specifies the range of group ids that are
allocated by the \fBwinbindd\fP daemon\&.  This range of group ids should have
no existing local or nis groups within it as strange conflicts can occur
otherwise\&.
.IP 
\fBDefault:\fP
\f(CW     winbind gid = <empty string>\fP
.IP 
\fBExample:\fP
\f(CW     winbind gid = 10000-20000\fP
.IP 
.IP "winbind cache time" 
.IP 
This parameter specifies the number of seconds the \fBwinbindd\fP daemon will
cache user and group information before querying a Windows NT server
again\&. When a item in the cache is older than this time winbindd will ask
the domain controller for the sequence number of the servers account
database\&. If the sequence number has not changed then the cached item is
marked as valid for a further "winbind cache time" seconds\&.  Otherwise the
item is fetched from the server\&. This means that as long as the account
database is not actively changing winbindd will only have to send one
sequence number query packet every "winbind cache time" seconds\&.
.IP 
\fBDefault:\fP
\f(CW     winbind cache time = 15\fP
.IP 
.IP "template homedir" 
.IP 
When filling out the user information for a Windows NT user, the
\fBwinbindd\fP daemon uses this parameter to fill in the home directory for
that user\&.  If the string \f(CW%D\fP is present it is substituted with the
user\'s Windows NT domain name\&.  If the string \f(CW%U\fP is present it is
substituted with the user\'s Windows NT user name\&.
.IP 
\fBDefault:\fP
\f(CW     template homedir = /home/%D/%U\fP
.IP 
.IP "template shell" 
.IP 
When filling out the user information for a Windows NT user, the
\fBwinbindd\fP daemon uses this parameter to fill in the shell for that user\&.
.IP 
\fBDefault:\fP
\f(CW     template shell = /bin/false\fP
.IP 
.PP 
.SH "EXAMPLE SETUP" 
.PP 
To setup winbindd for user and group lookups plus authentication from
a domain controller use something like the following setup\&. This was
tested on a RedHat 6\&.2 Linux box\&.
.PP 
In \f(CW/etc/nsswitch\&.conf\fP put the following:

.nf 
 

   passwd:     files winbind
   group:      files winbind

.fi 
 

.PP 
In \f(CW/etc/pam\&.d/*\fP replace the \f(CWauth\fP lines with something like this:

.nf 
 

        auth       required     /lib/security/pam_securetty\&.so
        auth       required     /lib/security/pam_nologin\&.so
        auth       sufficient   /lib/security/pam_winbind\&.so
        auth       required     /lib/security/pam_pwdb\&.so use_first_pass shadow nullok

.fi 
 

.PP 
Note in particular the use of the \f(CWsufficient\fP keyword and the
\f(CWuse_first_pass\fP keyword\&.
.PP 
Now replace the account lines with this:

.nf 
 

        account    required     /lib/security/pam_winbind\&.so

.fi 
 

.PP 
The next step is to join the domain\&. To do that use the samedit
program like this:

.nf 
 

        samedit -S \'*\' -W DOMAIN -UAdministrator

.fi 
 

.PP 
Then within samedit run the command:

.nf 
 

        createuser MACHINE$ -j DOMAIN -L

.fi 
 

.PP 
This assumes your domain is called \f(CWDOMAIN\fP and your Samba workstation
is called \f(CWMACHINE\fP\&.
.PP 
Next copy \f(CWlibnss_winbind\&.so\&.2\fP to \f(CW/lib\fP and \f(CWpam_winbind\&.so\fP to
\f(CW/lib/security\fP\&.
.PP 
Finally, setup a smb\&.conf containing directives like the following:

.nf 
 

  [global]
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        workgroup = DOMAIN
        security = domain
        password server = *

.fi 
 

.PP 
Now start winbindd and you should find that your user and group
database is expanded to include your NT users and groups, and that you
can login to your unix box as a domain user, using the \f(CWDOMAIN+user\fP
syntax for the username\&. You may wish to use the commands "getent
passwd" and "getent group" to confirm the correct operation of
winbindd\&. 
.PP 
.SH "NOTES" 
.PP 
The following notes are useful when configuring and running \fBwinbindd\fP:
.PP 
.IP 
.IP "" 
\fBnmbd\fP must be running on the local machine for
\fBwinbindd\fP to work\&.
.IP 
.IP "" 
Client processes resolving names through the \fBwinbindd\fP nsswitch module
read an environment variable named \f(CWWINBINDD_DOMAIN\fP\&.  If this variable
contains a comma separated list of Windows NT domain names, then winbindd
will only resolve users and groups within those Windows NT domains\&.
.IP 
.IP "" 
PAM is really easy to misconfigure\&.  Make sure you know what you are doing
when modifying PAM configuration files\&.  It is possible to set up PAM
such that you can no longer log into your system\&.
.IP 
.IP "" 
If more than one UNIX machine is running \fBwinbindd\fP, then in general the
user and groups ids allocated by \fBwinbindd\fP will not be the same\&.  The
user and group ids will only be valid for the local machine\&.  
.IP 
.IP "" 
If the the Windows NT RID to UNIX user and group id mapping file
is damaged or destroyed then the mappings will be lost\&.
.IP 
.PP 
.SH "SIGNALS" 
.PP 
The following signals can be used to manipulate the \fBwinbindd\fP daemon\&.
.PP 
.IP 
.IP "\f(CWSIGHUP\fP" 
.IP 
Reload the \f(CWsmb\&.conf\fP file and apply any parameter changes to the running
version of \fBwinbindd\fP\&.  This signal also clears any cached user and group
information\&.
.IP 
.IP "\f(CWSIGUSR1\fP" 
.IP 
The \f(CWSIGUSR1\fP signal will cause \fBwinbindd\fP to write status information
to the winbind log file including information about the number of user and
group ids allocated by \fBwinbindd\fP\&.
.IP 
Log files are stored in the filename specified by the \fBlog file\fP parameter\&.
.IP 
.PP 
.SH "FILES" 
.PP 
The following files are relevant to the operation of the \fBwinbindd\fP
daemon\&.
.PP 
.IP 
.IP "/etc/nsswitch\&.conf(5)" 
.IP 
Name service switch configuration file\&.
.IP 
.IP "/tmp/\&.winbindd/pipe" 
.IP 
The UNIX pipe over which clients communicate with the \fBwinbindd\fP program\&.
For security reasons, the winbind client will only attempt to connect to the
\fBwinbindd\fP daemon if both the \f(CW/tmp/\&.winbindd\fP directory and
\f(CW/tmp/\&.winbindd/pipe\fP file are owned by root\&.
.IP 
.IP "/lib/libnss_winbind\&.so\&.X" 
.IP 
Implementation of name service switch library\&. 
.IP 
.IP "$LOCKDIR/winbindd_idmap\&.tdb" 
.IP 
Storage for the Windows NT rid to UNIX user/group id mapping\&.  The lock
directory is specified when Samba is initially compiled using the
\f(CW--with-lockdir\fP option\&.  This directory is by default
\f(CW/usr/local/samba/var/locks\fP\&.
.IP 
.IP "$LOCKDIR/winbindd_cache\&.tdb" 
.IP 
Storage for cached user and group information\&.
.IP 
.PP 
.SH "SEE ALSO" 
.PP 
\fBsamba(7)\fP, \fBsmb\&.conf(5)\fP, 
\fBnsswitch\&.conf(5)\fP
.PP 
.SH "AUTHOR" 
.PP 
The original Samba software and related utilities were created by
Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open
Source project\&.
.PP 
\fBwinbindd\fP was written by Tim Potter\&.