1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77+"></HEAD
28 >winbindd -- Name Service Switch daemon for resolving names
31 CLASS="REFSYNOPSISDIV"
41 > [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]</P
51 >This program is part of the <SPAN
62 > is a daemon that provides
63 a service for the Name Service Switch capability that is present
64 in most modern C libraries. The Name Service Switch allows user
65 and system information to be obtained from different database
66 services such as NIS or DNS. The exact behaviour can be configured
69 >/etc/nsswitch.conf</TT
71 Users and groups are allocated as they are resolved to a range
72 of user and group ids specified by the administrator of the
75 >The service provided by <B
78 > is called `winbind' and
79 can be used to resolve user and group information from a
80 Windows NT server. The service can also provide authentication
81 services via an associated PAM module. </P
86 > module in the 2.2.2 release only
98 module-types. The latter simply
99 performs a getpwnam() to verify that the system can obtain a uid for the
103 > library has been correctly
104 installed, this should always succeed.
107 >The following nsswitch databases are implemented by
108 the winbindd service: </P
118 >User information traditionally stored in
126 > functions. Names are
127 resolved through the WINS server or by broadcast.
134 >User information traditionally stored in
148 >Group information traditionally stored in
161 >For example, the following simple configuration in the
164 >/etc/nsswitch.conf</TT
165 > file can be used to initially
166 resolve user and group information from <TT
176 CLASS="PROGRAMLISTING"
177 >passwd: files winbind
178 group: files winbind</PRE
181 >The following simple configuration in the
184 >/etc/nsswitch.conf</TT
185 > file can be used to initially
186 resolve hostnames from <TT
208 >If specified, this parameter causes
212 > process to not daemonize,
213 i.e. double-fork and dissociate from the terminal.
214 Child processes are still created as normal to service
215 each connection request, but the main process does not
216 exit. This operation mode is suitable for running
220 > under process supervisors such
228 from Daniel J. Bernstein's <B
232 package, or the AIX process monitor.
239 >If specified, this parameter causes
243 > to log to standard output rather
250 >Sets the debuglevel to an integer between
251 0 and 100. 0 is for no debugging and 100 is for reams and
252 reams. To submit a bug report to the Samba Team, use debug
253 level 100 (see BUGS.txt). </P
263 become a daemon and detach from the current terminal. This
264 option is used by developers when interactive debugging
272 > also logs to standard output,
276 > parameter had been given.
>Disable caching. This means winbindd will
284 always have to wait for a response from the domain controller
285 before it can respond to a client, which makes responses
286 slower. The results will however be more accurate, since
287 results from the cache might not be up-to-date. This
288 might also temporarily hang winbindd if the DC doesn't respond.
>Dual daemon mode. This means winbindd will run
296 as 2 threads. The first will answer all requests from the cache,
297 thus making responses to clients faster. The other will
298 update the cache for the query that the first has just answered.
299 The advantage of this is that responses are both accurate and fast.
303 >-s|--conf=smb.conf</DT
306 >Specifies the location of the all-important
310 CLASS="REFENTRYTITLE"
324 >NAME AND ID RESOLUTION</H2
326 >Users and groups on a Windows NT server are assigned
327 a relative id (rid) which is unique for the domain when the
328 user or group is created. To convert the Windows NT user or group
329 into a unix user or group, a mapping between rids and unix user
330 and group ids is required. This is one of the jobs that <B
335 >As winbindd users and groups are resolved from a server, user
336 and group ids are allocated from a specified range. This
337 is done on a first come, first served basis, although all existing
338 users and groups will be mapped as soon as a client performs a user
339 or group enumeration command. The allocated unix ids are stored
340 in a database file under the Samba lock directory and will be
343 >WARNING: The rid to unix id database is the only location
344 where the user and group mappings are stored by winbindd. If this
345 file is deleted or corrupted, there is no way for winbindd to
346 determine which user and group ids correspond to Windows NT user
357 >Configuration of the <B
361 is done through configuration parameters in the <SPAN
364 CLASS="REFENTRYTITLE"
367 > file. All parameters should be specified in the
368 [global] section of smb.conf. </P
375 HREF="smb.conf.5.html#WINBINDSEPARATOR"
380 >winbind separator</I
388 HREF="smb.conf.5.html#WINBINDUID"
401 HREF="smb.conf.5.html#WINBINDGID"
414 HREF="smb.conf.5.html#WINBINDCACHETIME"
419 >winbind cache time</I
427 HREF="smb.conf.5.html#WINBINDENUMUSERS"
432 >winbind enum users</I
440 HREF="smb.conf.5.html#WINBINDENUMGROUPS"
445 >winbind enum groups</I
453 HREF="smb.conf.5.html#TEMPLATEHOMEDIR"
466 HREF="smb.conf.5.html#TEMPLATESHELL"
479 HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN"
484 >winbind use default domain</I
499 >To setup winbindd for user and group lookups plus
500 authentication from a domain controller use something like the
501 following setup. This was tested on a RedHat 6.2 Linux box. </P
505 >/etc/nsswitch.conf</TT
509 CLASS="PROGRAMLISTING"
510 >passwd: files winbind
511 group: files winbind</PRE
522 > lines with something like this:
524 CLASS="PROGRAMLISTING"
525 >auth required /lib/security/pam_securetty.so
526 auth required /lib/security/pam_nologin.so
527 auth sufficient /lib/security/pam_winbind.so
528 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok</PRE
531 >Note in particular the use of the <TT
537 > keyword and the <TT
544 >Now replace the account lines with this: </P
548 >account required /lib/security/pam_winbind.so
552 >The next step is to join the domain. To do that use the
556 > program like this: </P
560 >net join -S PDC -U Administrator</B
563 >The username after the <TT
569 Domain user that has administrator privileges on the machine.
570 Substitute the name or IP of your PDC for "PDC".</P
574 >libnss_winbind.so</TT
586 >. A symbolic link needs to be
589 >/lib/libnss_winbind.so</TT
593 >/lib/libnss_winbind.so.2</TT
594 >. If you are using an
595 older version of glibc then the target of the link should be
598 >/lib/libnss_winbind.so.1</TT
601 >Finally, setup a <SPAN
604 CLASS="REFENTRYTITLE"
607 > containing directives like the
610 CLASS="PROGRAMLISTING"
612 winbind separator = +
613 winbind cache time = 10
614 template shell = /bin/bash
615 template homedir = /home/%D/%U
616 winbind uid = 10000-20000
617 winbind gid = 10000-20000
620 password server = *</PRE
623 >Now start winbindd and you should find that your user and
624 group database is expanded to include your NT users and groups,
625 and that you can login to your unix box as a domain user, using
626 the DOMAIN+user syntax for the username. You may wish to use the
634 > to confirm the correct operation of winbindd.</P
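As an added illustration of the setup steps above (not code from this man page or the Samba project), the following Python script checks that an nsswitch.conf, a PAM stack and the smb.conf winbind uid/gid ranges have the shape this section describes, and lists local accounts whose ids fall inside the winbind uid range, since ids winbindd allocates there would collide with them. All inputs are constructed sample text and the check logic is my own.

```python
import re
# Constructed sample inputs modelled on the man page's setup; not real host files.
NSSWITCH = "passwd: files winbind\ngroup: files winbind\nhosts: files wins dns\n"
PAM_CONF = """auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so
"""
SMB_CONF = "[global]\nwinbind separator = +\nwinbind uid = 10000-20000\nwinbind gid = 10000-20000\n"
PASSWD = "root:x:0:0::/root:/bin/sh\nsvc:x:15000:15000::/home/svc:/bin/sh\n"

def nss_uses_winbind(text):
    """Return the nsswitch databases that list winbind as a source."""
    found = set()
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if "winbind" in sources.split():
            found.add(db.strip())
    return found

def pam_stack_problems(text):
    """Check the stack shape shown above: pam_winbind 'sufficient' in auth, before the
    local password module carrying use_first_pass, plus an account entry.
    Returns a list of problems; an empty list means the shape matches."""
    lines = [l.split() for l in text.splitlines() if len(l.split()) > 2]
    auth = [f for f in lines if f[0] == "auth"]
    hits = [i for i, f in enumerate(auth) if "pam_winbind.so" in f[2]]
    problems = []
    if not hits:
        problems.append("pam_winbind.so missing from auth stack")
    else:
        i = hits[0]
        if auth[i][1] != "sufficient":
            problems.append("pam_winbind.so should be 'sufficient'")
        if not any("use_first_pass" in f for f in auth[i + 1:]):
            problems.append("no local module with use_first_pass after pam_winbind")
    if not any(f[0] == "account" and "pam_winbind.so" in f[2] for f in lines):
        problems.append("account entry for pam_winbind.so missing")
    return problems

def idmap_range(conf, key):
    """Parse 'key = low-high' from smb.conf; None if absent or malformed."""
    m = re.search(r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(key), conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def local_ids_in_range(passwd, rng):
    """Local accounts whose uid falls inside the winbind uid range (collision risk)."""
    lo, hi = rng
    return [l.split(":")[0] for l in passwd.splitlines() if lo <= int(l.split(":")[2]) <= hi]
```

Point the constants at the real /etc/nsswitch.conf, PAM service file, smb.conf and /etc/passwd contents to run the same checks on a host before starting winbindd.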
644 >The following notes are useful when configuring and
653 CLASS="REFENTRYTITLE"
656 > must be running on the local machine
664 the list of trusted domains for the Windows NT server
665 on startup and when a SIGHUP is received. Thus, for a running <B
668 > to become aware of new trust relationships between
669 servers, it must be sent a SIGHUP signal. </P
671 >Client processes resolving names through the <B
675 nsswitch module read an environment variable named <TT
677 > $WINBINDD_DOMAIN</TT
678 >. If this variable contains a comma separated
679 list of Windows NT domain names, then winbindd will only resolve users
680 and groups within those Windows NT domains. </P
682 >PAM is really easy to misconfigure. Make sure you know what
683 you are doing when modifying PAM configuration files. It is possible
684 to set up PAM such that you can no longer log into your system. </P
686 >If more than one UNIX machine is running <B
690 then in general the user and group ids allocated by winbindd will not
691 be the same. The user and group ids will only be valid for the local
>If the Windows NT RID to UNIX user and group id mapping
695 file is damaged or destroyed then the mappings will be lost. </P
705 >The following signals can be used to manipulate the
722 CLASS="REFENTRYTITLE"
726 apply any parameter changes to the running
727 version of winbindd. This signal also clears any cached
728 user and group information. The list of other domains trusted
729 by winbindd is also reloaded. </P
735 >The SIGUSR1 signal will cause <B
738 > to write status information to the winbind
739 log file including information about the number of user and
740 group ids allocated by <B
745 >Log files are stored in the filename specified by the
746 log file parameter.</P
766 >/etc/nsswitch.conf(5)</TT
770 >Name service switch configuration file.</P
773 >/tmp/.winbindd/pipe</DT
776 >The UNIX pipe over which clients communicate with
780 > program. For security reasons, the
781 winbind client will only attempt to connect to the winbindd daemon
788 >/tmp/.winbindd/pipe</TT
793 >/lib/libnss_winbind.so.X</DT
796 >Implementation of name service switch library.
800 >$LOCKDIR/winbindd_idmap.tdb</DT
803 >Storage for the Windows NT rid to UNIX user/group
804 id mapping. The lock directory is specified when Samba is initially
805 compiled using the <TT
811 This directory is by default <TT
813 >/usr/local/samba/var/locks
818 >$LOCKDIR/winbindd_cache.tdb</DT
821 >Storage for cached user and group information.
835 >This man page is correct for version 3.0 of
848 >nsswitch.conf(5)</TT
852 CLASS="REFENTRYTITLE"
858 CLASS="REFENTRYTITLE"
864 CLASS="REFENTRYTITLE"
877 >The original Samba software and related utilities
878 were created by Andrew Tridgell. Samba is now developed
879 by the Samba Team as an Open Source project similar
880 to the way the Linux kernel is developed.</P
889 written by Tim Potter.</P
891 >The conversion to DocBook for Samba 2.2 was done
892 by Gerald Carter. The conversion to DocBook XML 4.2 for
893 Samba 3.0 was done by Alexander Bokovoy.</P