6 <firstname>Tim</firstname><surname>Potter</surname>
8 <orgname>Samba Team</orgname>
9 <address><email>tpot@linuxcare.com.au</email></address>
14 <firstname>Naag</firstname><surname>Mummaneni</surname>
16 <address><email>getnag@rediffmail.com</email></address>
18 <contrib>Notes for Solaris</contrib>
21 <firstname>John</firstname><surname>Trostel</surname>
23 <orgname>SNAP</orgname>
24 <address><email>jtrostel@snapserver.com</email></address>
31 <pubdate>27 June 2002</pubdate>
34 <title>Winbind: Use of Domain Accounts</title>
37 <title>Features and Benefits</title>
40 Integration of UNIX and Microsoft Windows NT through a unified logon has
41 been considered a "holy grail" in heterogeneous computing environments for
46 There is one other facility without which UNIX and Microsoft Windows network
47 interoperability would suffer greatly. It is imperative that there be a
48 mechanism for sharing files across UNIX systems and to be able to assign
49 domain user and group ownerships with integrity.
53 <emphasis>winbind</emphasis> is a component of the Samba suite of programs
54 solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
55 RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
56 allow Windows NT domain users to appear and operate as UNIX users on a UNIX
57 machine. This chapter describes the winbind system, explaining the functionality
58 it provides, how it is configured, and how it works internally.
62 Winbind provides three separate functions:
67 Authentication of user credentials (via PAM)
71 Identity resolution (via NSS)`
75 Windindd maintains a database called winbind_idmap.tdb in which it stores
76 mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
77 for users and groups that do not have a local UID/GID. It stored the UID/GID
78 allocated from the idmap uid/gid range that it has mapped to the NT SID.
79 If <parameter>idmap backend</parameter> has been specified as ldapsam:url
80 then instead of using a local mapping winbindd will obtain this information
81 from the LDAP database.
86 If winbindd is not running, then smbd (which calls winbindd) will fall back to
87 using purely local information from /etc/passwd and /etc/group and no dynamic
92 <!-- <figure id="winbind_idmap"><title></title>
94 <imageobject role="latex"><imagedata fileref="projdoc/imagefiles/idmap_winbind_no_loop" scale="50" scalefit="1"/></imageobject>
95 <imageobject><imagedata fileref="projdoc/imagefiles/idmap_winbind_no_loop.png" scale="50" scalefit="1"/></imageobject>
103 <title>Introduction</title>
105 <para>It is well known that UNIX and Microsoft Windows NT have
106 different models for representing user and group information and
107 use different technologies for implementing them. This fact has
108 made it difficult to integrate the two systems in a satisfactory
111 <para>One common solution in use today has been to create
112 identically named user accounts on both the UNIX and Windows systems
113 and use the Samba suite of programs to provide file and print services
114 between the two. This solution is far from perfect however, as
115 adding and deleting users on both sets of machines becomes a chore
116 and two sets of passwords are required both of which
117 can lead to synchronization problems between the UNIX and Windows
118 systems and confusion for users.</para>
120 <para>We divide the unified logon problem for UNIX machines into
121 three smaller problems:</para>
124 <listitem><para>Obtaining Windows NT user and group information
127 <listitem><para>Authenticating Windows NT users
130 <listitem><para>Password changing for Windows NT users
135 <para>Ideally, a prospective solution to the unified logon problem
136 would satisfy all the above components without duplication of
137 information on the UNIX machines and without creating additional
138 tasks for the system administrator when maintaining users and
139 groups on either system. The winbind system provides a simple
140 and elegant solution to all three components of the unified logon
146 <title>What Winbind Provides</title>
148 <para>Winbind unifies UNIX and Windows NT account management by
149 allowing a UNIX box to become a full member of a NT domain. Once
150 this is done the UNIX box will see NT users and groups as if
151 they were native UNIX users and groups, allowing the NT domain
152 to be used in much the same manner that NIS+ is used within
153 UNIX-only environments.</para>
155 <para>The end result is that whenever any
156 program on the UNIX machine asks the operating system to lookup
157 a user or group name, the query will be resolved by asking the
158 NT domain controller for the specified domain to do the lookup.
159 Because Winbind hooks into the operating system at a low level
160 (via the NSS name resolution modules in the C library) this
161 redirection to the NT domain controller is completely
164 <para>Users on the UNIX machine can then use NT user and group
165 names as they would use "native" UNIX names. They can chown files
166 so that they are owned by NT domain users or even login to the
167 UNIX machine and run a UNIX X-Window session as a domain user.</para>
169 <para>The only obvious indication that Winbind is being used is
170 that user and group names take the form DOMAIN\user and
171 DOMAIN\group. This is necessary as it allows Winbind to determine
172 that redirection to a domain controller is wanted for a particular
173 lookup and which trusted domain is being referenced.</para>
175 <para>Additionally, Winbind provides an authentication service
176 that hooks into the Pluggable Authentication Modules (PAM) system
177 to provide authentication via a NT domain to any PAM enabled
178 applications. This capability solves the problem of synchronizing
179 passwords between systems since all passwords are stored in a single
180 location (on the domain controller).</para>
183 <title>Target Uses</title>
185 <para>Winbind is targeted at organizations that have an
186 existing NT based domain infrastructure into which they wish
187 to put UNIX workstations or servers. Winbind will allow these
188 organizations to deploy UNIX workstations without having to
189 maintain a separate account infrastructure. This greatly
190 simplifies the administrative overhead of deploying UNIX
191 workstations into a NT based organization.</para>
193 <para>Another interesting way in which we expect Winbind to
194 be used is as a central part of UNIX based appliances. Appliances
195 that provide file and print services to Microsoft based networks
196 will be able to use Winbind to provide seamless integration of
197 the appliance into the domain.</para>
204 <title>How Winbind Works</title>
206 <para>The winbind system is designed around a client/server
207 architecture. A long running <command>winbindd</command> daemon
208 listens on a UNIX domain socket waiting for requests
209 to arrive. These requests are generated by the NSS and PAM
210 clients and processed sequentially.</para>
212 <para>The technologies used to implement winbind are described
213 in detail below.</para>
216 <title>Microsoft Remote Procedure Calls</title>
218 <para>Over the last few years, efforts have been underway
219 by various Samba Team members to decode various aspects of
220 the Microsoft Remote Procedure Call (MSRPC) system. This
221 system is used for most network related operations between
222 Windows NT machines including remote management, user authentication
223 and print spooling. Although initially this work was done
224 to aid the implementation of Primary Domain Controller (PDC)
225 functionality in Samba, it has also yielded a body of code which
226 can be used for other purposes.</para>
228 <para>Winbind uses various MSRPC calls to enumerate domain users
229 and groups and to obtain detailed information about individual
230 users or groups. Other MSRPC calls can be used to authenticate
231 NT domain users and to change user passwords. By directly querying
232 a Windows PDC for user and group information, winbind maps the
233 NT account information onto UNIX user and group names.</para>
237 <title>Microsoft Active Directory Services</title>
240 Since late 2001, Samba has gained the ability to
241 interact with Microsoft Windows 2000 using its 'Native
242 Mode' protocols, rather than the NT4 RPC services.
243 Using LDAP and Kerberos, a domain member running
244 winbind can enumerate users and groups in exactly the
245 same way as a Win2k client would, and in so doing
246 provide a much more efficient and
247 effective winbind implementation.
252 <title>Name Service Switch</title>
254 <para>The Name Service Switch, or NSS, is a feature that is
255 present in many UNIX operating systems. It allows system
256 information such as hostnames, mail aliases and user information
257 to be resolved from different sources. For example, a standalone
258 UNIX workstation may resolve system information from a series of
259 flat files stored on the local filesystem. A networked workstation
260 may first attempt to resolve system information from local files,
261 and then consult a NIS database for user information or a DNS server
262 for hostname information.</para>
264 <para>The NSS application programming interface allows winbind
265 to present itself as a source of system information when
266 resolving UNIX usernames and groups. Winbind uses this interface,
267 and information obtained from a Windows NT server using MSRPC
268 calls to provide a new source of account enumeration. Using standard
269 UNIX library calls, one can enumerate the users and groups on
270 a UNIX machine running winbind and see all users and groups in
271 a NT domain plus any trusted domain as though they were local
272 users and groups.</para>
274 <para>The primary control file for NSS is
275 <filename>/etc/nsswitch.conf</filename>.
276 When a UNIX application makes a request to do a lookup
277 the C library looks in <filename>/etc/nsswitch.conf</filename>
278 for a line which matches the service type being requested, for
279 example the "passwd" service type is used when user or group names
280 are looked up. This config line specifies which implementations
281 of that service should be tried and in what order. If the passwd
282 config line is:</para>
284 <para><programlisting>
285 passwd: files example
286 </programlisting></para>
288 <para>then the C library will first load a module called
289 <filename>/lib/libnss_files.so</filename> followed by
290 the module <filename>/lib/libnss_example.so</filename>. The
291 C library will dynamically load each of these modules in turn
292 and call resolver functions within the modules to try to resolve
293 the request. Once the request is resolved the C library returns the
294 result to the application.</para>
296 <para>This NSS interface provides a very easy way for Winbind
297 to hook into the operating system. All that needs to be done
298 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
299 then add "winbind" into <filename>/etc/nsswitch.conf</filename> at
300 the appropriate place. The C library will then call Winbind to
301 resolve user and group names.</para>
305 <title>Pluggable Authentication Modules</title>
307 <para>Pluggable Authentication Modules, also known as PAM,
308 is a system for abstracting authentication and authorization
309 technologies. With a PAM module it is possible to specify different
310 authentication methods for different system applications without
311 having to recompile these applications. PAM is also useful
312 for implementing a particular policy for authorization. For example,
313 a system administrator may only allow console logins from users
314 stored in the local password file but only allow users resolved from
315 a NIS database to log in over the network.</para>
317 <para>Winbind uses the authentication management and password
318 management PAM interface to integrate Windows NT users into a
319 UNIX system. This allows Windows NT users to log in to a UNIX
320 machine and be authenticated against a suitable Primary Domain
321 Controller. These users can also change their passwords and have
322 this change take effect directly on the Primary Domain Controller.
325 <para>PAM is configured by providing control files in the directory
326 <filename>/etc/pam.d/</filename> for each of the services that
327 require authentication. When an authentication request is made
328 by an application the PAM code in the C library looks up this
329 control file to determine what modules to load to do the
330 authentication check and in what order. This interface makes adding
331 a new authentication service for Winbind very easy, all that needs
332 to be done is that the <filename>pam_winbind.so</filename> module
333 is copied to <filename>/lib/security/</filename> and the PAM
334 control files for relevant services are updated to allow
335 authentication via winbind. See the PAM documentation
336 for more details.</para>
341 <title>User and Group ID Allocation</title>
343 <para>When a user or group is created under Windows NT
344 is it allocated a numerical relative identifier (RID). This is
345 slightly different to UNIX which has a range of numbers that are
346 used to identify users, and the same range in which to identify
347 groups. It is winbind's job to convert RIDs to UNIX id numbers and
348 vice versa. When winbind is configured it is given part of the UNIX
349 user id space and a part of the UNIX group id space in which to
350 store Windows NT users and groups. If a Windows NT user is
351 resolved for the first time, it is allocated the next UNIX id from
352 the range. The same process applies for Windows NT groups. Over
353 time, winbind will have mapped all Windows NT users and groups
354 to UNIX user ids and group ids.</para>
356 <para>The results of this mapping are stored persistently in
357 an ID mapping database held in a tdb database). This ensures that
358 RIDs are mapped to UNIX IDs in a consistent way.</para>
363 <title>Result Caching</title>
365 <para>An active system can generate a lot of user and group
366 name lookups. To reduce the network cost of these lookups winbind
367 uses a caching scheme based on the SAM sequence number supplied
368 by NT domain controllers. User or group information returned
369 by a PDC is cached by winbind along with a sequence number also
370 returned by the PDC. This sequence number is incremented by
371 Windows NT whenever any user or group information is modified. If
372 a cached entry has expired, the sequence number is requested from
373 the PDC and compared against the sequence number of the cached entry.
374 If the sequence numbers do not match, then the cached information
375 is discarded and up to date information is requested directly
382 <title>Installation and Configuration</title>
385 <title>Introduction</title>
388 This section describes the procedures used to get winbind up and
389 running. Winbind is capable of providing access
390 and authentication control for Windows Domain users through an NT
391 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
392 well for SAMBA services.
398 <emphasis>Why should I to this?</emphasis>
401 <para>This allows the SAMBA administrator to rely on the
402 authentication mechanisms on the NT/Win2K PDC for the authentication
403 of domain members. NT/Win2K users no longer need to have separate
404 accounts on the SAMBA server.
410 <emphasis>Who should be reading this document?</emphasis>
414 This HOWTO is designed for system administrators. If you are
415 implementing SAMBA on a file server and wish to (fairly easily)
416 integrate existing NT/Win2K users from your PDC onto the
417 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
418 expert, so you may find a better or easier way to accomplish
427 <title>Requirements</title>
430 If you have a Samba configuration file that you are currently
431 using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
432 <emphasis>back up the <filename>/etc/pam.d</filename> directory
433 contents!</emphasis> If you haven't already made a boot disk,
434 <emphasis>MAKE ONE NOW!</emphasis>
438 Messing with the PAM configuration files can make it nearly impossible
439 to log in to your machine. That's why you want to be able to boot back
440 into your machine in single user mode and restore your
441 <filename>/etc/pam.d</filename> back to the original state they were in if
442 you get frustrated with the way things are going. ;-)
446 The latest version of SAMBA (version 3.0 as of this writing), now
447 includes a functioning winbindd daemon. Please refer to the
448 <ulink url="http://samba.org/">main SAMBA web page</ulink> or,
449 better yet, your closest SAMBA mirror site for instructions on
450 downloading the source code.
454 To allow Domain users the ability to access SAMBA shares and
455 files, as well as potentially other services provided by your
456 SAMBA machine, PAM (pluggable authentication modules) must
457 be setup properly on your machine. In order to compile the
458 winbind modules, you should have at least the pam libraries resident
459 on your system. For recent RedHat systems (7.1, for instance), that
460 means <filename>pam-0.74-22</filename>. For best results, it is helpful to also
461 install the development packages in <filename>pam-devel-0.74-22</filename>.
466 <title>Testing Things Out</title>
469 Before starting, it is probably best to kill off all the SAMBA
470 related daemons running on your server. Kill off all &smbd;,
471 &nmbd;, and &winbindd; processes that may
472 be running. To use PAM, you will want to make sure that you have the
473 standard PAM package which supplies the <filename>/etc/pam.d</filename>
474 directory structure, including the pam modules are used by pam-aware
475 services, several pam libraries, and the <filename>/usr/doc</filename>
476 and <filename>/usr/man</filename> entries for pam. Winbind built better
477 in SAMBA if the pam-devel package was also installed. This package includes
478 the header files needed to compile pam-aware applications.
482 <title>Configure <filename>nsswitch.conf</filename> and the
483 winbind libraries on Linux and Solaris</title>
486 The libraries needed to run the &winbindd; daemon
487 through nsswitch need to be copied to their proper locations, so
492 &rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
497 I also found it necessary to make the following symbolic link:
501 &rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
504 <para>And, in the case of Sun Solaris:</para>
506 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
507 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
508 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
512 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
513 allow user and group entries to be visible from the &winbindd;
514 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
518 <para><programlisting>
519 passwd: files winbind
522 </programlisting></para>
525 The libraries needed by the winbind daemon will be automatically
526 entered into the <command>ldconfig</command> cache the next time
527 your system reboots, but it
528 is faster (and you don't need to reboot) if you do it manually:
532 &rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
536 This makes <filename>libnss_winbind</filename> available to winbindd
537 and echos back a check to you.
543 <title>NSS Winbind on AIX</title>
545 <para>(This section is only for those running AIX)</para>
548 The winbind AIX identification module gets built as libnss_winbind.so in the
549 nsswitch directory of the samba source. This file can be copied to
550 /usr/lib/security, and the AIX naming convention would indicate that it
551 should be named WINBIND. A stanza like the following:
554 <para><programlisting>
556 program = /usr/lib/security/WINBIND
558 </programlisting></para>
560 <para>can then be added to
561 <filename>/usr/lib/security/methods.cfg</filename>. This module only
562 supports identification, but there have been success reports using the
563 standard winbind pam module for authentication. Use caution configuring
564 loadable authentication modules as it is possible to make it impossible
565 to logon to the system. More information about the AIX authentication
566 module API can be found at "Kernel Extensions and Device Support
567 Programming Concepts for AIX": <ulink
568 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
569 Chapter 18. Loadable Authentication Module Programming Interface</ulink>
570 and more information on administering the modules at <ulink
571 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm">
572 "System Management Guide: Operating System and Devices"</ulink>.
577 <title>Configure smb.conf</title>
580 Several parameters are needed in the smb.conf file to control
581 the behavior of &winbindd;. Configure
582 &smb.conf; These are described in more detail in
583 the <citerefentry><refentrytitle>winbindd</refentrytitle>
584 <manvolnum>8</manvolnum></citerefentry> man page. My
585 &smb.conf; file was modified to
586 include the following entries in the [global] section:
589 <para><smbconfexample>
590 <title>smb.conf for winbind set-up</title>
591 <smbconfsection>[global]</smbconfsection>
593 <smbconfcomment> separate domain and username with '+', like DOMAIN+username</smbconfcomment>
594 <smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
595 <smbconfcomment> use uids from 10000 to 20000 for domain users</smbconfcomment>
596 <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
597 <smbconfcomment> use gids from 10000 to 20000 for domain groups</smbconfcomment>
598 <smbconfoption><name>winbind gid</name><value>10000-20000</value></smbconfoption>
599 <smbconfcomment> allow enumeration of winbind users and groups</smbconfcomment>
600 <smbconfoption><name>winbind enum users</name><value>yes</value></smbconfoption>
601 <smbconfoption><name>winbind enum groups</name><value>yes</value></smbconfoption>
602 <smbconfcomment> give winbind users a real shell (only needed if they have telnet access)</smbconfcomment>
603 <smbconfoption><name>template homedir</name><value>/home/winnt/%D/%U</value></smbconfoption>
604 <smbconfoption><name>template shell</name><value>/bin/bash</value></smbconfoption>
605 </smbconfexample></para>
611 <title>Join the SAMBA server to the PDC domain</title>
614 Enter the following command to make the SAMBA server join the
615 PDC domain, where <replaceable>DOMAIN</replaceable> is the name of
616 your Windows domain and <replaceable>Administrator</replaceable> is
617 a domain user who has administrative privileges in the domain.
622 &rootprompt;<userinput>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</userinput>
627 The proper response to the command should be: "Joined the domain
628 <replaceable>DOMAIN</replaceable>" where <replaceable>DOMAIN</replaceable>
636 <title>Start up the winbindd daemon and test it!</title>
639 Eventually, you will want to modify your smb startup script to
640 automatically invoke the winbindd daemon when the other parts of
641 SAMBA start, but it is possible to test out just the winbind
642 portion first. To start up winbind services, enter the following
647 &rootprompt;<userinput>/usr/local/samba/bin/winbindd</userinput>
651 Winbindd can now also run in 'dual daemon mode'. This will make it
652 run as 2 processes. The first will answer all requests from the cache,
653 thus making responses to clients faster. The other will
654 update the cache for the query that the first has just responded.
655 Advantage of this is that responses stay accurate and are faster.
656 You can enable dual daemon mode by adding <option>-B</option> to the commandline:
660 &rootprompt;<userinput>/usr/local/samba/bin/winbindd -B</userinput>
664 I'm always paranoid and like to make sure the daemon
669 &rootprompt;<userinput>ps -ae | grep winbindd</userinput>
672 This command should produce output like this, if the daemon is running
675 3025 ? 00:00:00 winbindd
679 Now... for the real test, try to get some information about the
684 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
688 This should echo back a list of users on your Windows users on
689 your PDC. For example, I get the following response:
702 Obviously, I have named my domain 'CEO' and my <smbconfoption><name>winbind separator</name></smbconfoption> is '+'.
706 You can do the same sort of thing to get group information from
711 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
716 CEO+Domain Controllers
719 CEO+Enterprise Admins
720 CEO+Group Policy Creator Owners
724 The function 'getent' can now be used to get unified
725 lists of both local and PDC users and groups.
726 Try the following command:
730 &rootprompt;<userinput>getent passwd</userinput>
734 You should get a list that looks like your <filename>/etc/passwd</filename>
735 list followed by the domain users with their new uids, gids, home
736 directories and default shells.
740 The same thing can be done for groups with the command
744 &rootprompt;<userinput>getent group</userinput>
751 <title>Fix the init.d startup scripts</title>
757 The &winbindd; daemon needs to start up after the
758 &smbd; and &nmbd; daemons are running.
759 To accomplish this task, you need to modify the startup scripts of your system.
760 They are located at <filename>/etc/init.d/smb</filename> in RedHat and
761 <filename>/etc/init.d/samba</filename> in Debian.
762 script to add commands to invoke this daemon in the proper sequence. My
763 startup script starts up &smbd;, &nmbd;, and &winbindd; from the
764 <filename>/usr/local/samba/bin</filename> directory directly. The 'start'
765 function in the script looks like this:
768 <para><programlisting>
771 echo -n $"Starting $KIND services: "
772 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
776 echo -n $"Starting $KIND services: "
777 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
781 echo -n $"Starting $KIND services: "
782 daemon /usr/local/samba/bin/winbindd
785 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
786 touch /var/lock/subsys/smb || RETVAL=1
789 </programlisting></para>
791 <para>If you would like to run winbindd in dual daemon mode, replace
794 daemon /usr/local/samba/bin/winbindd
797 in the example above with:
800 daemon /usr/local/samba/bin/winbindd -B
805 The 'stop' function has a corresponding entry to shut down the
806 services and looks like this:
809 <para><programlisting>
812 echo -n $"Shutting down $KIND services: "
817 echo -n $"Shutting down $KIND services: "
822 echo -n $"Shutting down $KIND services: "
825 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
826 rm -f /var/lock/subsys/smb
830 </programlisting></para>
834 <title>Solaris</title>
836 <para>Winbind doesn't work on Solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
838 <para>On Solaris, you need to modify the
839 <filename>/etc/init.d/samba.server</filename> startup script. It usually
840 only starts smbd and nmbd but should now start winbindd too. If you
841 have samba installed in <filename>/usr/local/samba/bin</filename>,
842 the file could contains something like this:
845 <para><programlisting>
851 then # /usr not mounted
855 killproc() { # kill the named process(es)
856 pid=`/usr/bin/ps -e |
857 /usr/bin/grep -w $1 |
858 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
859 [ "$pid" != "" ] && kill $pid
862 # Start/stop processes required for samba server
868 # Edit these lines to suit your installation (paths, workgroup, host)
871 /usr/local/samba/bin/smbd -D -s \
872 /usr/local/samba/smb.conf
875 /usr/local/samba/bin/nmbd -D -l \
876 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
878 echo Starting Winbind Daemon
879 /usr/local/samba/bin/winbindd
889 echo "Usage: /etc/init.d/samba.server { start | stop }"
892 </programlisting></para>
895 Again, if you would like to run samba in dual daemon mode, replace
897 /usr/local/samba/bin/winbindd
900 in the script above with:
903 /usr/local/samba/bin/winbindd -B
910 <title>Restarting</title>
912 If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
913 should be able to connect to the samba server as a domain member just as
914 if you were a local user.
920 <title>Configure Winbind and PAM</title>
923 If you have made it this far, you know that winbindd and samba are working
924 together. If you want to use winbind to provide authentication for other
925 services, keep reading. The pam configuration files need to be altered in
926 this step. (Did you remember to make backups of your original
927 <filename>/etc/pam.d</filename> files? If not, do it now.)
931 You will need a pam module to use winbindd with these other services. This
932 module will be compiled in the <filename>../source/nsswitch</filename> directory
933 by invoking the command
937 &rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
941 from the <filename>../source</filename> directory. The
942 <filename>pam_winbind.so</filename> file should be copied to the location of
943 your other pam security modules. On my RedHat system, this was the
944 <filename>/lib/security</filename> directory. On Solaris, the pam security
945 modules reside in <filename>/usr/lib/security</filename>.
949 &rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
953 <title>Linux/FreeBSD-specific PAM configuration</title>
956 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
957 just left this file as it was:
961 <para><programlisting>
962 auth required /lib/security/pam_stack.so service=system-auth
963 account required /lib/security/pam_stack.so service=system-auth
964 </programlisting></para>
967 The other services that I modified to allow the use of winbind
968 as an authentication service were the normal login on the console (or a terminal
969 session), telnet logins, and ftp service. In order to enable these
970 services, you may first need to change the entries in
971 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
972 RedHat 7.1 uses the new xinetd.d structure, in this case you need
973 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
974 and <filename>/etc/xinetd.d/wu-ftp</filename> from
977 <para><programlisting>
979 </programlisting></para>
985 <para><programlisting>
987 </programlisting></para>
990 For ftp services to work properly, you will also need to either
991 have individual directories for the domain users already present on
992 the server, or change the home directory template to a general
993 directory for all domain users. These can be easily set using
994 the &smb.conf; global entry
995 <smbconfoption><name>template homedir</name></smbconfoption>.
999 The <filename>/etc/pam.d/ftp</filename> file can be changed
1000 to allow winbind ftp access in a manner similar to the
1001 samba file. My <filename>/etc/pam.d/ftp</filename> file was
1002 changed to look like this:
1005 <para><programlisting>
1006 auth required /lib/security/pam_listfile.so item=user sense=deny \
1007 file=/etc/ftpusers onerr=succeed
1008 auth sufficient /lib/security/pam_winbind.so
1009 auth required /lib/security/pam_stack.so service=system-auth
1010 auth required /lib/security/pam_shells.so
1011 account sufficient /lib/security/pam_winbind.so
1012 account required /lib/security/pam_stack.so service=system-auth
1013 session required /lib/security/pam_stack.so service=system-auth
1014 </programlisting></para>
1017 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
1018 same way. It now looks like this:
1021 <para><programlisting>
1022 auth required /lib/security/pam_securetty.so
1023 auth sufficient /lib/security/pam_winbind.so
1024 auth sufficient /lib/security/pam_unix.so use_first_pass
1025 auth required /lib/security/pam_stack.so service=system-auth
1026 auth required /lib/security/pam_nologin.so
1027 account sufficient /lib/security/pam_winbind.so
1028 account required /lib/security/pam_stack.so service=system-auth
1029 password required /lib/security/pam_stack.so service=system-auth
1030 session required /lib/security/pam_stack.so service=system-auth
1031 session optional /lib/security/pam_console.so
1032 </programlisting></para>
1035 In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
1036 lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
1037 above it, to disallow root logins over the network. I also added a
1038 <programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
1039 line after the <command>winbind.so</command> line to get rid of annoying
1040 double prompts for passwords.
1046 <title>Solaris-specific configuration</title>
1049 The /etc/pam.conf needs to be changed. I changed this file so that my Domain
1050 users can logon both locally as well as telnet.The following are the changes
1051 that I made.You can customize the pam.conf file as per your requirements,but
1052 be sure of those changes because in the worst case it will leave your system
1053 nearly impossible to boot.
1056 <para><programlisting>
1058 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1060 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1061 # All Rights Reserved.
1065 # Authentication management
1067 login auth required /usr/lib/security/pam_winbind.so
1068 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1069 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1071 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1072 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1073 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1075 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1076 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1078 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1079 other auth sufficient /usr/lib/security/pam_winbind.so
1080 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1082 # Account management
1084 login account sufficient /usr/lib/security/pam_winbind.so
1085 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1086 login account required /usr/lib/security/$ISA/pam_unix.so.1
1088 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1089 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1090 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1092 other account sufficient /usr/lib/security/pam_winbind.so
1093 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1094 other account required /usr/lib/security/$ISA/pam_unix.so.1
1096 # Session management
1098 other session required /usr/lib/security/$ISA/pam_unix.so.1
1100 # Password management
1102 #other password sufficient /usr/lib/security/pam_winbind.so
1103 other password required /usr/lib/security/$ISA/pam_unix.so.1
1104 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1106 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1108 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1109 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1110 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1111 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1112 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1113 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1114 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1115 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1116 </programlisting></para>
1119 I also added a try_first_pass line after the winbind.so line to get rid of
1120 annoying double prompts for passwords.
1124 Now restart your Samba and try connecting through your application that you
1125 configured in the pam.conf.
1137 <title>Conclusion</title>
1139 <para>The winbind system, through the use of the Name Service
1140 Switch, Pluggable Authentication Modules, and appropriate
1141 Microsoft RPC calls have allowed us to provide seamless
1142 integration of Microsoft Windows NT domain users on a
1143 UNIX system. The result is a great reduction in the administrative
1144 cost of running a mixed UNIX and NT network.</para>
1149 <title>Common Errors</title>
1151 <para>Winbind has a number of limitations in its current
1152 released version that we hope to overcome in future
1156 <listitem><para>Winbind is currently only available for
1157 the Linux, Solaris, AIX and IRIX operating systems, although ports to other operating
1158 systems are certainly possible. For such ports to be feasible,
1159 we require the C library of the target operating system to
1160 support the Name Service Switch and Pluggable Authentication
1161 Modules systems. This is becoming more common as NSS and
1162 PAM gain support among UNIX vendors.</para></listitem>
1164 <listitem><para>The mappings of Windows NT RIDs to UNIX ids
1165 is not made algorithmically and depends on the order in which
1166 unmapped users or groups are seen by winbind. It may be difficult
1167 to recover the mappings of rid to UNIX id mapping if the file
1168 containing this information is corrupted or destroyed.</para>
1171 <listitem><para>Currently the winbind PAM module does not take
1172 into account possible workstation and logon time restrictions
1173 that may be been set for Windows NT users, this is
1174 instead up to the PDC to enforce.</para></listitem>
1178 <title>NSCD Problem Warning</title>
1180 <?latex \nopagebreak ?>
1183 Do NOT under ANY circumstances run <command>nscd</command> on any system
1184 on which <command>winbind</command> is running.
1188 If <command>nscd</command> is running on the UNIX/Linux system, then
1189 even though NSSWITCH is correctly configured it will NOT be possible to resolve
1190 domain users and groups for file and directory controls.