--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbtar">
+
+<refmeta>
+ <refentrytitle>smbtar</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbtar</refname>
+ <refpurpose>shell script for backing up SMB/CIFS shares
+ directly to UNIX tape drives</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbtar</command>
+ <arg choice="req">-s server</arg>
+ <arg choice="opt">-p password</arg>
+ <arg choice="opt">-x services</arg>
+ <arg choice="opt">-X</arg>
+ <arg choice="opt">-d directory</arg>
+ <arg choice="opt">-u user</arg>
+ <arg choice="opt">-t tape</arg>
+ <arg choice="opt">-t tape</arg>
+ <arg choice="opt">-b blocksize</arg>
+ <arg choice="opt">-N filename</arg>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-r</arg>
+ <arg choice="opt">-l loglevel</arg>
+ <arg choice="opt">-v</arg>
+ <arg choice="req">filenames</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbtar</command> is a very small shell script on top
+ of <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>
+ which dumps SMB shares directly to tape. </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-s server</term>
+ <listitem><para>The SMB/CIFS server that the share resides
+ upon.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-x service</term>
+ <listitem><para>The share name on the server to connect to.
+ The default is "backup".</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-X</term>
+ <listitem><para>Exclude mode. Exclude filenames... from tar
+ create or restore. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-d directory</term>
+ <listitem><para>Change to initial <parameter>directory
+ </parameter> before restoring / backing up files. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem><para>Verbose mode.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-p password</term>
+ <listitem><para>The password to use to access a share.
+ Default: none </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-u user</term>
+ <listitem><para>The user id to connect as. Default:
+ UNIX login name. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-t tape</term>
+ <listitem><para>Tape device. May be regular file or tape
+ device. Default: <parameter>$TAPE</parameter> environmental
+ variable; if not set, a file called <filename>tar.out
+ </filename>. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-b blocksize</term>
+ <listitem><para>Blocking factor. Defaults to 20. See
+ <command>tar(1)</command> for a fuller explanation. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-N filename</term>
+ <listitem><para>Backup only files newer than filename. Could
+ be used (for example) on a log file to implement incremental
+ backups. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>Incremental mode; tar files are only backed
+ up if they have the archive bit set. The archive bit is reset
+ after each file is read. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>Restore. Files are restored to the share
+ from the tar file. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-l log level</term>
+ <listitem><para>Log (debug) level. Corresponds to the
+ <parameter>-d</parameter> flag of <command>smbclient(1)
+ </command>. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <para>The <parameter>$TAPE</parameter> variable specifies the
+ default tape device to write to. May be overridden
+ with the -t option. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>BUGS</title>
+
+ <para>The <command>smbtar</command> script has different
+ options from ordinary tar and tar called from smbclient. </para>
+
+</refsect1>
+
+<refsect1>
+ <title>CAVEATS</title>
+
+ <para>Sites that are more careful about security may not like
+ the way the script handles PC passwords. Backup and restore work
+ on entire shares, should work on file lists. smbtar works best
+ with GNU tar and may not work well with other versions. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>See the <emphasis>DIAGNOSTICS</emphasis> section for the
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command>
+ </ulink> command.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>,
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><ulink url="mailto:poultenr@logica.co.uk">Ricky Poulten</ulink>
+ wrote the tar extension and this man page. The <command>smbtar</command>
+ script was heavily rewritten and improved by <ulink
+ url="mailto:Martin.Kraemer@mch.sni.de">Martin Kraemer</ulink>. Many
+ thanks to everyone who suggested extensions, improvements, bug
+ fixes, etc. The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter.</para>
+</refsect1>
+
+</refentry>
</varlistentry>
</variablelist>
+</refsect1>
-<RefSect1><title>Installation</title>
-
-<para>After
-you compile SWAT you need to run "make install" <ItemizedList MARK=Bullet>
-<term>to install the </term><listitem><para>swat binary
-and the various help files and images. A default install would put these
-in: </para></listitem>
-</ItemizedList>
-
-
-<para> <BR>
- <BR>
-/usr/local/samba/bin/swat<BR>
-/usr/local/samba/swat/images/*<BR>
-/usr/local/samba/swat/help/*<BR>
- <BR>
-
-
-<para></RefSect1>
-
-<RefSect1><title>Inetd Installation</title>
-
-<para>You need to edit your CW/etc/inetd.conf and CW/etc/services
-to enable SWAT to be launched via inetd.
-
-<para>In CW/etc/services you need to
-add a line like this:
-
-<para>CWswat 901/tcp
-
-<para>Note for NIS/YP users -
-you may need to rebuild the NIS service maps rather than alter your local
-CW/etc/services file.
-
-<para>the choice of port number isn't really important except
-that it should be less than 1024 and not currently used (using a number
-above 1024 presents an obscure security hole depending on the implementation
-details of your inetd daemon).
+<refsect1>
-<para>In CW/etc/inetd.conf you should add a line
-like this:
+ <title>INSTALLATION</title>
-<para>CWswat stream tcp nowait.400 root /usr/local/samba/bin/swat
-swat
+ <para>After you compile SWAT you need to run <command>make install
+ </command> to install the <command>swat</command> binary
+ and the various help files and images. A default install would put
+ these in: </para>
+
+ <itemizedlist>
+ <listitem><para>/usr/local/samba/bin/swat</para></listitem>
+ <listitem><para>/usr/local/samba/swat/images/*</para></listitem>
+ <listitem><para>/usr/local/samba/swat/help/*</para></listitem>
+ </itemizedlist>
-<para>One you have edited CW/etc/services and CW/etc/inetd.conf you need
-to send a HUP signal to inetd. To do this use CW"kill -1 PID" where PID is
-the process ID of the inetd daemon.
+ <refsect2>
+ <title>Inetd Installation</title>
-<para></RefSect1>
+ <para>You need to edit your <filename>/etc/inetd.conf
+ </filename> and <filename>/etc/services</filename>
+ to enable SWAT to be launched via inetd.</para>
-<RefSect1><title>Launching</title>
+ <para>In <filename>/etc/services</filename> you need to
+ add a line like this: </para>
-<para>To launch swat just run your
-favorite web browser and point it at CW<Command>http://localhost:901/.</Command>
+ <para><command>swat 901/tcp</command></para>
-<para>Note that
-you can attach to swat from any IP connected machine but connecting from
-a remote machine leaves your connection open to password sniffing as passwords
-will be sent in the clear over the wire.
+ <para>Note for NIS/YP users - you may need to rebuild the
+ NIS service maps rather than alter your local <filename>
+ /etc/services</filename> file. </para>
-<para></RefSect1>
+ <para>the choice of port number isn't really important
+ except that it should be less than 1024 and not currently
+ used (using a number above 1024 presents an obscure security
+ hole depending on the implementation details of your
+ <command>inetd</command> daemon). </para>
-<RefSect1><title>Files</title>
+ <para>In <filename>/etc/inetd.conf</filename> you should
+ add a line like this: </para>
-<para>/etc/inetd.conf
+ <para><command>swat stream tcp nowait.400 root
+ /usr/local/samba/bin/swat swat</command></para>
+
+ <para>One you have edited <filename>/etc/services</filename>
+ and <filename>/etc/inetd.conf</filename> you need to send a
+ HUP signal to inetd. To do this use <command>kill -1 PID
+ </command> where PID is the process ID of the inetd daemon. </para>
-<para>This file must
-contain suitable startup information for the meta-daemon.
+ </refsect2>
-<para>/etc/services
+ <refsect2>
+ <title>Launching</title>
-<para>This file must contain a mapping of service name (e.g., swat) to service
-port (e.g., 901) and protocol type (e.g., tcp).
+ <para>To launch swat just run your favorite web browser and
+ point it at "http://localhost:901/".</para>
-<para>/usr/local/samba/lib/smb.conf
+ <para>Note that you can attach to swat from any IP connected
+ machine but connecting from a remote machine leaves your
+ connection open to password sniffing as passwords will be sent
+ in the clear over the wire. </para>
+ </refsect2>
+</refsect1>
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/inetd.conf</filename></term>
+ <listitem><para>This file must contain suitable startup
+ information for the meta-daemon.</para></listitem>
+ </varlistentry>
-<para>This is the default location of the <I>smb.conf</I> server configuration file that
-swat edits. Other common places that systems install this file are <I>/usr/samba/lib/smb.conf</I>
-and <I>/etc/smb.conf</I>.
+ <varlistentry>
+ <term><filename>/etc/services</filename></term>
+ <listitem><para>This file must contain a mapping of service name
+ (e.g., swat) to service port (e.g., 901) and protocol type
+ (e.g., tcp). </para></listitem>
+ </varlistentry>
-<para>This file describes all the services the server is to
-make available to clients. See <Command>smb.conf (5)</Command> for more information.
+ <varlistentry>
+ <term><filename>/usr/local/samba/lib/smb.conf</filename></term>
+ <listitem><para>This is the default location of the <filename>smb.conf(5)
+ </filename> server configuration file that swat edits. Other
+ common places that systems install this file are <filename>
+ /usr/samba/lib/smb.conf</filename> and <filename>/etc/smb.conf
+ </filename>. This file describes all the services the server
+ is to make available to clients. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
-<para></RefSect1>
<refsect1>
- <title>WANRNIGS</title>
+ <title>WARNINGS</title>
<para><command>swat</command> will rewrite your <filename>smb.conf
</filename> file. It will rearrange the entries and delete all
comments, <parameter>include=</parameter> and <parameter>copy="
</parameter> options. If you have a carefully crafted <filename>
- smb.conf</filanem> then back it up or don't use swat! </para>
+ smb.conf</filename> then back it up or don't use swat! </para>
</refsect1>
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="winbindd">
+
+<refmeta>
+ <refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbindd</refname>
+ <refpurpose>Name Service Switch daemon for resolving names
+ from NT servers</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nmblookup</command>
+ <arg choice="opt">-d debuglevel</arg>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-S</arg>
+ <arg choice="opt">-r</arg>
+ <arg choice="opt">-A</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-B <broadcast address></arg>
+ <arg choice="opt">-U <unicast address></arg>
+ <arg choice="opt">-d <debug level></arg>
+ <arg choice="opt">-s <smb config file></arg>
+ <arg choice="opt">-i <NetBIOS scope></arg>
+ <arg choice="opt">-T</arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite version 3.0 and describes functionality not
+ yet implemented in the main version of Samba.</para>
+
+ <para><command>winbindd</command> is a daemon that provides
+ a service for the Name Service Switch capability that is present
+ in most modern C libraries. The Name Service Switch allows user
+ and system information to be obtained from different databases
+ services such as NIS or DNS. The exact behaviour can be configured
+ throught the <filename>/etc/nsswitch.conf</filename> file.
+ Users and groups are allocated as they are resolved to a range
+ of user and group ids specified by the administrator of the
+ Samba system.</para>
+
+ <para>The service provided by winbindd is called `winbind' and
+ can be used to resolve user and group information from a
+ Windows NT server. The service can also provide authentication
+ services via an associated PAM module. </para>
+
+ <para>The following nsswitch databases are implemented by
+ the winbindd service: </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>passwd</term>
+ <listitem><para>User information traditionally stored in
+ the <filename>passwd(5)</filename> file and used by
+ <command>getpwent(3)</command> functions. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>group</term>
+ <listitem><para>Group information traditionally stored in
+ the <filename>group(5)</filename> file and used by
+ <command>getgrent(3)</command> functions. </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>For example, the following simple configuration in the
+ <filename>/etc/nsswitch.conf</filename> file can be used to initially
+ resolve user and group information from <filename>/etc/passwd
+ </filename> and <filename>/etc/group</filename> and then from the
+ Windows NT server. </para>
+
+ <para><programlisting>
+passwd: files winbind
+group: files winbind
+ </programlisting></para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-d debuglevel</term>
+ <listitem><para>Sets the debuglevel to an integer between
+ 0 and 100. 0 is for no debugging and 100 is for reams and
+ reams. To submit a bug report to the Samba Team, use debug
+ level 100 (see BUGS.txt). </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>Tells <command>winbindd</command> to not
+ become a daemon and detach from the current terminal. This
+ option is used by developers when interactive debugging
+ of <command>winbindd</command> is required. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>NAME AND ID RESOLUTION</title>
+
+ <para>Users and groups on a Windows NT server are assigned
+ a relative id (rid) which is unique for the domain when the
+ user or group is created. To convert the Windows NT user or group
+ into a unix user or group, a mapping between rids and unix user
+ and group ids is required. This is one of the jobs that <command>
+ winbindd</command> performs. </para>
+
+ <para>As winbindd users and groups are resolved from a server, user
+ and group ids are allocated from a specified range. This
+ is done on a first come, first served basis, although all existing
+ users and groups will be mapped as soon as a client performs a user
+ or group enumeration command. The allocated unix ids are stored
+ in a database file under the Samba lock directory and will be
+ remembered. </para>
+
+ <para>WARNING: The rid to unix id database is the only location
+ where the user and group mappings are stored by winbindd. If this
+ file is deleted or corrupted, there is no way for winbindd to
+ determine which user and group ids correspond to Windows NT user
+ and group rids. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>CONFIGURATION</title>
+
+ <para>Configuration of the <command>winbindd</command> daemon
+ is done through configuration parameters in the <filename>smb.conf(5)
+ </filename> file. All parameters should be specified in the
+ [global] section of smb.conf. </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>winbind separator</term>
+ <listitem><para>The winbind separator option allows you
+ to specify how NT domain names and user names are combined
+ into unix user names when presented to users. By default,
+ <command>winbindd</command> will use the traditional '\'
+ separator so that the unix user names look like
+ DOMAIN\username. In some cases this separator character may
+ cause problems as the '\' character has special meaning in
+ unix shells. In that case you can use the winbind separator
+ option to specify an alternative sepataror character. Good
+ alternatives may be '/' (although that conflicts
+ with the unix directory separator) or a '+ 'character.
+ The '+' character appears to be the best choice for 100%
+ compatibility with existing unix utilities, but may be an
+ aesthetically bad choice depending on your taste. </para>
+
+ <para>Default: <command>winbind separator = \ </command>
+ </para>
+ <para>Example: <command>winbind separator = + </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind uid</term>
+ <listitem><para>The winbind uid parameter specifies the
+ range of user ids that are allocated by the winbindd daemon.
+ This range of ids should have no existing local or nis users
+ within it as strange conflicts can occur otherwise. </para>
+
+ <para>Default: <command>winbind uid = <empty string>
+ </command></para>
+ <para>Example: <command>winbind uid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>winbind gid</term>
+ <listitem><para>The winbind gid parameter specifies the
+ range of group ids that are allocated by the winbindd daemon.
+ This range of group ids should have no existing local or nis
+ groups within it as strange conflicts can occur otherwise.</para>
+
+ <para>Default: <command>winbind gid = <empty string>
+ </command></para>
+ <para>Example: <command>winbind gid = 10000-20000
+ </command> </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>winbind cache time</term>
+ <listitem><para>This parameter specifies the number of
+ seconds the winbindd daemon will cache user and group information
+ before querying a Windows NT server again. When a item in the
+ cache is older than this time winbindd will ask the domain
+ controller for the sequence number of the servers account database.
+ If the sequence number has not changed then the cached item is
+ marked as valid for a further <parameter>winbind cache time
+ </parameter> seconds. Otherwise the item is fetched from the
+ server. This means that as long as the account database is not
+ actively changing winbindd will only have to send one sequence
+ number query packet every <parameter>winbind cache time
+ </parameter> seconds. </para>
+
+ <para>Default: <command>winbind cache time = 15</command>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind enum users</term>
+ <listitem><para>On large installations it may be necessary
+ to suppress the enumeration of users through the <command>
+ setpwent()</command>, <command>getpwent()</command> and
+ <command>endpwent()</command> group of system calls. If
+ the <parameter>winbind enum users</parameter> parameter is false,
+ calls to the <command>getpwent</command> system call will not
+ return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off user enumeration
+ may cause some programs to behave oddly. For example, the finger
+ program relies on having access to the full user list when
+ searching for matching usernames. </para>
+
+ <para>Default: <command>winbind enum users = yes </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind enum groups</term>
+ <listitem><para>On large installations it may be necessary
+ to suppress the enumeration of groups through the <command>
+ setgrent()</command>, <command>getgrent()</command> and
+ <command>endgrent()</command> group of system calls. If
+ the <parameter>winbind enum groups</parameter> parameter is
+ false, calls to the <command>getgrent()</command> system
+ call will not return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </para>
+
+ <para>Default: <command>winbind enum groups = no </command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>template homedir</term>
+ <listitem><para>When filling out the user information
+ for a Windows NT user, the <command>winbindd</command> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <parameter>%D</parameter> is present it is
+ substituted with the user's Windows NT domain name. If the
+ string <parameter>%U</parameter> is present it is substituted
+ with the user's Windows NT user name. </para>
+
+ <para>Default: <command>template homedir = /home/%D/%U </command>
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>template shell</term>
+ <listitem><para>When filling out the user information for
+ a Windows NT user, the <command>winbindd</command> daemon
+ uses this parameter to fill in the shell for that user.
+ </para>
+
+ <para>Default: <command>template shell = /bin/false </command>
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>EXAMPLE SETUP</title>
+
+ <para>To setup winbindd for user and group lookups plus
+ authentication from a domain controller use something like the
+ following setup. This was tested on a RedHat 6.2 Linux box. </para>
+
+ <para>In <filename>/etc/nsswitch.conf</filename> put the
+ following:</para>
+
+ <para><programlisting>
+passwd: files winbind
+group: files winbind
+ </programlisting></para>
+
+ <para>In <filename>/etc/pam.d/*</filename> replace the
+ <parameter>auth</parameter> lines with something like this: </para>
+
+
+ <para><programlisting>
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_nologin.so
+auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
+ </programlisting></para>
+
+
+ <para>Note in particular the use of the <parameter>sufficient</parameter>
+ keyword and the <parameter>use_first_pass</parameter> keyword. </para>
+
+ <para>Now replace the account lines with this: </para>
+
+ <para><command>account required /lib/security/pam_winbind.so
+ </command></para>
+
+ <para>The next step is to join the domain. To do that use the
+ <command>samedit</command> program like this: </para>
+
+ <para><command>samedit -S '*' -W DOMAIN -UAdministrator</command></para>
+
+ <para>The username after the <parameter>-U</parameter> can be any Domain
+ user that has administrator priviliges on the machine. Next from
+ within <command>samedit</command>, run the command: </para>
+
+ <para><command>createuser MACHINE$ -j DOMAIN -L</command></para>
+
+ <para>This assumes your domain is called "DOMAIN" and your Samba
+ workstation is called "MACHINE". </para>
+
+ <para>Next copy <filename>libnss_winbind.so.2</filename> to
+ <filename>/lib</filename> and <filename>pam_winbind.so</filename>
+ to <filename>/lib/security</filename>.</para>
+
+ <para>Finally, setup a smb.conf containing directives like the
+ following: </para>
+
+ <para><programlisting>
+[global]
+ winbind separator = +
+ winbind cache time = 10
+ template shell = /bin/bash
+ template homedir = /home/%D/%U
+ winbind uid = 10000-20000
+ winbind gid = 10000-20000
+ workgroup = DOMAIN
+ security = domain
+ password server = *
+ </programlisting></para>
+
+
+ <para>Now start winbindd and you should find that your user and
+ group database is expanded to include your NT users and groups,
+ and that you can login to your unix box as a domain user, using
+ the DOMAIN+user syntax for the username. You may wish to use the
+ commands <command>getent passwd</command> and <command>getent group
+ </command> to confirm the correct operation of winbindd.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>Notes</title>
+
+ <para>The following notes are useful when configuring and
+ running <command>winbindd</command>: </para>
+
+ <para><command>nmbd</command> must be running on the local machine
+ for <command>winbindd</command> to work. <command>winbindd</command>
+ queries the list of trusted domains for the Windows NT server
+ on startup and when a SIGHUP is received. Thus, for a running <command>
+ winbindd</command> to become aware of new trust relationships between
+ servers, it must be sent a SIGHUP signal. </para>
+
+ <para>Client processes resolving names through the <command>winbindd</command>
+ nsswitch module read an environment variable named <parameter>
+ $WINBINDD_DOMAIN</parameter>. If this variable contains a comma separated
+ list of Windows NT domain names, then winbindd will only resolve users
+ and groups within those Windows NT domains. </para>
+
+ <para>PAM is really easy to misconfigure. Make sure you know what
+ you are doing when modifying PAM configuration files. It is possible
+ to set up PAM such that you can no longer log into your system. </para>
+
+ <para>If more than one UNIX machine is running <command>winbindd</command>,
+ then in general the user and groups ids allocated by winbindd will not
+ be the same. The user and group ids will only be valid for the local
+ machine.</para>
+
+ <para>If the the Windows NT RID to UNIX user and group id mapping
+ file is damaged or destroyed then the mappings will be lost. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>Signals</title>
+
+ <para>The following signals can be used to manipulate the
+ <command>winbindd</command> daemon. </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>SIGHUP</term>
+ <listitem><para>Reload the <filename>smb.conf(5)</filename>
+ file and apply any parameter changes to the running
+ version of winbindd. This signal also clears any cached
+ user and group information. The list of other domains trusted
+ by winbindd is also reloaded. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>SIGUSR1</term>
+ <listitem><para>The SIGUSR1 signal will cause <command>
+ winbindd</command> to write status information to the winbind
+ log file including information about the number of user and
+ group ids allocated by <command>winbindd</command>.</para>
+
+ <para>Log files are stored in the filename specified by the
+ log file parameter.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>Files</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/nsswitch.conf(5)</filename></term>
+ <listitem><para>Name service switch configuration file.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>/tmp/.winbindd/pipe</term>
+ <listitem><para>The UNIX pipe over which clients communicate with
+ the <command>winbindd</command> program. For security reasons, the
+ winbind client will only attempt to connect to the winbindd daemon
+ if both the <filename>/tmp/.winbindd</filename> directory
+ and <filename>/tmp/.winbindd/pipe</filename> file are owned by
+ root. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>/lib/libnss_winbind.so.X</term>
+ <listitem><para>Implementation of name service switch library.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>$LOCKDIR/winbindd_idmap.tdb</term>
+ <listitem><para>Storage for the Windows NT rid to UNIX user/group
+ id mapping. The lock directory is specified when Samba is initially
+ compiled using the <filename>--with-lockdir</filename> option.
+ This directory is by default <filename>/usr/local/samba/var/locks
+ </filename>. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>$LOCKDIR/winbindd_cache.tdb</term>
+ <listitem><para>Storage for cached user and group information.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite. winbindd is however not available in
+ stable release of Samba as of yet.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+
+ <para><filename>nsswitch.conf(5)</filename>,
+ <ulink url="samba.7.html">samba(7)</ulink>,
+ <ulink url="wbinfo.1.html">wbinfo(1)</ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink></para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><command>wbinfo</command> and <command>winbindd</command>
+ were written by Tim Potter.</para>
+
+ <para>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
git.samba.org / ira / wip.git / commitdiff