6 <firstname>Tim</firstname><surname>Potter</surname>
8 <orgname>Samba Team</orgname>
9 <address><email>tpot@linuxcare.com.au</email></address>
13 <firstname>Andrew</firstname><surname>Trigdell</surname>
15 <orgname>Samba Team</orgname>
16 <address><email>tridge@linuxcare.com.au</email></address>
20 <firstname>John</firstname><surname>Trostel</surname>
22 <orgname>Snapserver</orgname>
23 <address><email>jtrostel@snapserver.com</email></address>
28 <pubdate>16 Oct 2000</pubdate>
31 <title>Unified Logons between Windows NT and UNIX using Winbind</title>
34 <title>Abstract</title>
36 <para>Integration of UNIX and Microsoft Windows NT through
37 a unified logon has been considered a "holy grail" in heterogeneous
38 computing environments for a long time. We present
39 <emphasis>winbind</emphasis>, a component of the Samba suite
40 of programs as a solution to the unified logon problem. Winbind
41 uses a UNIX implementation
42 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
43 Service Switch to allow Windows NT domain users to appear and operate
44 as UNIX users on a UNIX machine. This paper describes the winbind
45 system, explaining the functionality it provides, how it is configured,
46 and how it works internally.</para>
51 <title>Introduction</title>
53 <para>It is well known that UNIX and Microsoft Windows NT have
54 different models for representing user and group information and
55 use different technologies for implementing them. This fact has
56 made it difficult to integrate the two systems in a satisfactory
59 <para>One common solution in use today has been to create
60 identically named user accounts on both the UNIX and Windows systems
61 and use the Samba suite of programs to provide file and print services
62 between the two. This solution is far from perfect however, as
63 adding and deleting users on both sets of machines becomes a chore
64 and two sets of passwords are required both of which
65 can lead to synchronization problems between the UNIX and Windows
66 systems and confusion for users.</para>
68 <para>We divide the unified logon problem for UNIX machines into
69 three smaller problems:</para>
72 <listitem><para>Obtaining Windows NT user and group information
75 <listitem><para>Authenticating Windows NT users
78 <listitem><para>Password changing for Windows NT users
83 <para>Ideally, a prospective solution to the unified logon problem
84 would satisfy all the above components without duplication of
85 information on the UNIX machines and without creating additional
86 tasks for the system administrator when maintaining users and
87 groups on either system. The winbind system provides a simple
88 and elegant solution to all three components of the unified logon
94 <title>What Winbind Provides</title>
96 <para>Winbind unifies UNIX and Windows NT account management by
97 allowing a UNIX box to become a full member of a NT domain. Once
98 this is done the UNIX box will see NT users and groups as if
99 they were native UNIX users and groups, allowing the NT domain
100 to be used in much the same manner that NIS+ is used within
101 UNIX-only environments.</para>
103 <para>The end result is that whenever any
104 program on the UNIX machine asks the operating system to lookup
105 a user or group name, the query will be resolved by asking the
106 NT domain controller for the specified domain to do the lookup.
107 Because Winbind hooks into the operating system at a low level
108 (via the NSS name resolution modules in the C library) this
109 redirection to the NT domain controller is completely
112 <para>Users on the UNIX machine can then use NT user and group
113 names as they would use "native" UNIX names. They can chown files
114 so that they are owned by NT domain users or even login to the
115 UNIX machine and run a UNIX X-Window session as a domain user.</para>
117 <para>The only obvious indication that Winbind is being used is
118 that user and group names take the form DOMAIN\user and
119 DOMAIN\group. This is necessary as it allows Winbind to determine
120 that redirection to a domain controller is wanted for a particular
121 lookup and which trusted domain is being referenced.</para>
123 <para>Additionally, Winbind provides an authentication service
124 that hooks into the Pluggable Authentication Modules (PAM) system
125 to provide authentication via a NT domain to any PAM enabled
126 applications. This capability solves the problem of synchronizing
127 passwords between systems since all passwords are stored in a single
128 location (on the domain controller).</para>
131 <title>Target Uses</title>
133 <para>Winbind is targeted at organizations that have an
134 existing NT based domain infrastructure into which they wish
135 to put UNIX workstations or servers. Winbind will allow these
136 organizations to deploy UNIX workstations without having to
137 maintain a separate account infrastructure. This greatly
138 simplifies the administrative overhead of deploying UNIX
139 workstations into a NT based organization.</para>
141 <para>Another interesting way in which we expect Winbind to
142 be used is as a central part of UNIX based appliances. Appliances
143 that provide file and print services to Microsoft based networks
144 will be able to use Winbind to provide seamless integration of
145 the appliance into the domain.</para>
152 <title>How Winbind Works</title>
154 <para>The winbind system is designed around a client/server
155 architecture. A long running <command>winbindd</command> daemon
156 listens on a UNIX domain socket waiting for requests
157 to arrive. These requests are generated by the NSS and PAM
158 clients and processed sequentially.</para>
160 <para>The technologies used to implement winbind are described
161 in detail below.</para>
164 <title>Microsoft Remote Procedure Calls</title>
166 <para>Over the last two years, efforts have been underway
167 by various Samba Team members to decode various aspects of
168 the Microsoft Remote Procedure Call (MSRPC) system. This
169 system is used for most network related operations between
170 Windows NT machines including remote management, user authentication
171 and print spooling. Although initially this work was done
172 to aid the implementation of Primary Domain Controller (PDC)
173 functionality in Samba, it has also yielded a body of code which
174 can be used for other purposes.</para>
176 <para>Winbind uses various MSRPC calls to enumerate domain users
177 and groups and to obtain detailed information about individual
178 users or groups. Other MSRPC calls can be used to authenticate
179 NT domain users and to change user passwords. By directly querying
180 a Windows PDC for user and group information, winbind maps the
181 NT account information onto UNIX user and group names.</para>
185 <title>Name Service Switch</title>
187 <para>The Name Service Switch, or NSS, is a feature that is
188 present in many UNIX operating systems. It allows system
189 information such as hostnames, mail aliases and user information
190 to be resolved from different sources. For example, a standalone
191 UNIX workstation may resolve system information from a series of
192 flat files stored on the local filesystem. A networked workstation
193 may first attempt to resolve system information from local files,
194 and then consult a NIS database for user information or a DNS server
195 for hostname information.</para>
197 <para>The NSS application programming interface allows winbind
198 to present itself as a source of system information when
199 resolving UNIX usernames and groups. Winbind uses this interface,
200 and information obtained from a Windows NT server using MSRPC
201 calls to provide a new source of account enumeration. Using standard
202 UNIX library calls, one can enumerate the users and groups on
203 a UNIX machine running winbind and see all users and groups in
204 a NT domain plus any trusted domain as though they were local
205 users and groups.</para>
207 <para>The primary control file for NSS is
208 <filename>/etc/nsswitch.conf</filename>.
209 When a UNIX application makes a request to do a lookup
210 the C library looks in <filename>/etc/nsswitch.conf</filename>
211 for a line which matches the service type being requested, for
212 example the "passwd" service type is used when user or group names
213 are looked up. This config line species which implementations
214 of that service should be tried and in what order. If the passwd
215 config line is:</para>
217 <para><command>passwd: files example</command></para>
219 <para>then the C library will first load a module called
220 <filename>/lib/libnss_files.so</filename> followed by
221 the module <filename>/lib/libnss_example.so</filename>. The
222 C library will dynamically load each of these modules in turn
223 and call resolver functions within the modules to try to resolve
224 the request. Once the request is resolved the C library returns the
225 result to the application.</para>
227 <para>This NSS interface provides a very easy way for Winbind
228 to hook into the operating system. All that needs to be done
229 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
230 then add "winbind" into <filename>/etc/nsswitch.conf</filename> at
231 the appropriate place. The C library will then call Winbind to
232 resolve user and group names.</para>
236 <title>Pluggable Authentication Modules</title>
238 <para>Pluggable Authentication Modules, also known as PAM,
239 is a system for abstracting authentication and authorization
240 technologies. With a PAM module it is possible to specify different
241 authentication methods for different system applications without
242 having to recompile these applications. PAM is also useful
243 for implementing a particular policy for authorization. For example,
244 a system administrator may only allow console logins from users
245 stored in the local password file but only allow users resolved from
246 a NIS database to log in over the network.</para>
248 <para>Winbind uses the authentication management and password
249 management PAM interface to integrate Windows NT users into a
250 UNIX system. This allows Windows NT users to log in to a UNIX
251 machine and be authenticated against a suitable Primary Domain
252 Controller. These users can also change their passwords and have
253 this change take effect directly on the Primary Domain Controller.
256 <para>PAM is configured by providing control files in the directory
257 <filename>/etc/pam.d/</filename> for each of the services that
258 require authentication. When an authentication request is made
259 by an application the PAM code in the C library looks up this
260 control file to determine what modules to load to do the
261 authentication check and in what order. This interface makes adding
262 a new authentication service for Winbind very easy, all that needs
263 to be done is that the <filename>pam_winbind.so</filename> module
264 is copied to <filename>/lib/security/</filename> and the PAM
265 control files for relevant services are updated to allow
266 authentication via winbind. See the PAM documentation
267 for more details.</para>
272 <title>User and Group ID Allocation</title>
274 <para>When a user or group is created under Windows NT
275 is it allocated a numerical relative identifier (RID). This is
276 slightly different to UNIX which has a range of numbers that are
277 used to identify users, and the same range in which to identify
278 groups. It is winbind's job to convert RIDs to UNIX id numbers and
279 vice versa. When winbind is configured it is given part of the UNIX
280 user id space and a part of the UNIX group id space in which to
281 store Windows NT users and groups. If a Windows NT user is
282 resolved for the first time, it is allocated the next UNIX id from
283 the range. The same process applies for Windows NT groups. Over
284 time, winbind will have mapped all Windows NT users and groups
285 to UNIX user ids and group ids.</para>
287 <para>The results of this mapping are stored persistently in
288 an ID mapping database held in a tdb database). This ensures that
289 RIDs are mapped to UNIX IDs in a consistent way.</para>
294 <title>Result Caching</title>
296 <para>An active system can generate a lot of user and group
297 name lookups. To reduce the network cost of these lookups winbind
298 uses a caching scheme based on the SAM sequence number supplied
299 by NT domain controllers. User or group information returned
300 by a PDC is cached by winbind along with a sequence number also
301 returned by the PDC. This sequence number is incremented by
302 Windows NT whenever any user or group information is modified. If
303 a cached entry has expired, the sequence number is requested from
304 the PDC and compared against the sequence number of the cached entry.
305 If the sequence numbers do not match, then the cached information
306 is discarded and up to date information is requested directly
313 <title>Installation and Configuration</title>
316 Many thanks to John Trostel <ulink
317 url="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</ulink>
318 for providing the HOWTO for this section.
322 This HOWTO describes how to get winbind services up and running
323 to control access and authenticate users on your Linux box using
324 the winbind services which come with SAMBA 2.2.2.
329 <title>Introduction</title>
332 This HOWTO describes the procedures used to get winbind up and
333 running on my RedHat 7.1 system. Winbind is capable of providing access
334 and authentication control for Windows Domain users through an NT
335 or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
336 well for SAMBA services.
340 This HOWTO has been written from a 'RedHat-centric' perspective, so if
341 you are using another distribution, you may have to modify the instructions
342 somewhat to fit the way your distribution works.
349 <emphasis>Why should I to this?</emphasis>
352 <para>This allows the SAMBA administrator to rely on the
353 authentication mechanisms on the NT/Win2K PDC for the authentication
354 of domain members. NT/Win2K users no longer need to have separate
355 accounts on the SAMBA server.
361 <emphasis>Who should be reading this document?</emphasis>
365 This HOWTO is designed for system administrators. If you are
366 implementing SAMBA on a file server and wish to (fairly easily)
367 integrate existing NT/Win2K users from your PDC onto the
368 SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
369 expert, so you may find a better or easier way to accomplish
378 <title>Requirements</title>
381 If you have a samba configuration file that you are currently
382 using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
383 <emphasis>back up the <filename>/etc/pam.d</filename> directory
384 contents!</emphasis> If you haven't already made a boot disk,
385 <emphasis>MAKE ONE NOW!</emphasis>
389 Messing with the pam configuration files can make it nearly impossible
390 to log in to yourmachine. That's why you want to be able to boot back
391 into your machine in single user mode and restore your
392 <filename>/etc/pam.d</filename> back to the original state they were in if
393 you get frustrated with the way things are going. ;-)
397 The latest version of SAMBA (version 2.2.2 as of this writing), now
398 includes a functioning winbindd daemon. Please refer to the
399 <ulink url="http://samba.org/">main SAMBA web page</ulink> or,
400 better yet, your closest SAMBA mirror site for instructions on
401 downloading the source code.
405 To allow Domain users the ability to access SAMBA shares and
406 files, as well as potentially other services provided by your
407 SAMBA machine, PAM (pluggable authentication modules) must
408 be setup properly on your machine. In order to compile the
409 winbind modules, you should have at least the pam libraries resident
410 on your system. For recent RedHat systems (7.1, for instance), that
411 means <filename>pam-0.74-22</filename>. For best results, it is helpful to also
412 install the development packages in <filename>pam-devel-0.74-22</filename>.
419 <title>Testing Things Out</title>
422 Before starting, it is probably best to kill off all the SAMBA
423 related daemons running on your server. Kill off all <command>smbd</command>,
424 <command>nmbd</command>, and <command>winbindd</command> processes that may
425 be running. To use PAM, you will want to make sure that you have the
426 standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename>
427 directory structure, including the pam modules are used by pam-aware
428 services, several pam libraries, and the <filename>/usr/doc</filename>
429 and <filename>/usr/man</filename> entries for pam. Winbind built better
430 in SAMBA if the pam-devel package was also installed. This package includes
431 the header files needed to compile pam-aware applications. For instance,
432 my RedHat system has both <filename>pam-0.74-22</filename> and
433 <filename>pam-devel-0.74-22</filename> RPMs installed.
437 <title>Configure and compile SAMBA</title>
440 The configuration and compilation of SAMBA is pretty straightforward.
441 The first three steps may not be necessary depending upon
442 whether or not you have previously built the Samba binaries.
445 <para><programlisting>
446 <prompt>root#</prompt> <command>autoconf</command>
447 <prompt>root#</prompt> <command>make clean</command>
448 <prompt>root#</prompt> <command>rm config.cache</command>
449 <prompt>root#</prompt> <command>./configure --with-winbind</command>
450 <prompt>root#</prompt> <command>make</command>
451 <prompt>root#</prompt> <command>make install</command>
452 </programlisting></para>
456 This will, by default, install SAMBA in <filename>/usr/local/samba</filename>.
457 See the main SAMBA documentation if you want to install SAMBA somewhere else.
458 It will also build the winbindd executable and libraries.
464 <title>Configure <filename>nsswitch.conf</filename> and the
465 winbind libraries</title>
468 The libraries needed to run the <command>winbindd</command> daemon
469 through nsswitch need to be copied to their proper locations, so
473 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command>
477 I also found it necessary to make the following symbolic link:
481 <prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
485 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
486 allow user and group entries to be visible from the <command>winbindd</command>
487 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
491 <para><programlisting>
492 passwd: files winbind
495 </programlisting></para>
498 The libraries needed by the winbind daemon will be automatically
499 entered into the <command>ldconfig</command> cache the next time
500 your system reboots, but it
501 is faster (and you don't need to reboot) if you do it manually:
505 <prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command>
509 This makes <filename>libnss_winbind</filename> available to winbindd
510 and echos back a check to you.
517 <title>Configure smb.conf</title>
520 Several parameters are needed in the smb.conf file to control
521 the behavior of <command>winbindd</command>. Configure
522 <filename>smb.conf</filename> These are described in more detail in
523 the <ulink url="winbindd.8.html">winbindd(8)</ulink> man page. My
524 <filename>smb.conf</filename> file was modified to
525 include the following entries in the [global] section:
528 <para><programlisting>
531 # separate domain and username with '+', like DOMAIN+username
532 <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = +
533 # use uids from 10000 to 20000 for domain users
534 <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000
535 # use gids from 10000 to 20000 for domain groups
536 <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000
537 # allow enumeration of winbind users and groups
538 <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes
539 <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes
540 # give winbind users a real shell (only needed if they have telnet access)
541 <ulink url="winbindd.8.html#TEMPLATEHOMEDIR">template homedir</ulink> = /home/winnt/%D/%U
542 <ulink url="winbindd.8.html#TEMPLATESHELL">template shell</ulink> = /bin/bash
543 </programlisting></para>
549 <title>Join the SAMBA server to the PDC domain</title>
552 Enter the following command to make the SAMBA server join the
553 PDC domain, where <replaceable>DOMAIN</replaceable> is the name of
554 your Windows domain and <replaceable>Administrator</replaceable> is
555 a domain user who has administrative privileges in the domain.
560 <prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -s PDC -U Administrator</command>
565 The proper response to the command should be: "Joined the domain
566 <replaceable>DOMAIN</replaceable>" where <replaceable>DOMAIN</replaceable>
574 <title>Start up the winbindd daemon and test it!</title>
577 Eventually, you will want to modify your smb startup script to
578 automatically invoke the winbindd daemon when the other parts of
579 SAMBA start, but it is possible to test out just the winbind
580 portion first. To start up winbind services, enter the following
585 <prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command>
589 I'm always paranoid and like to make sure the daemon
594 <prompt>root#</prompt> <command>ps -ae | grep winbindd</command>
597 This command should produce output like this, if the daemon is running
600 3025 ? 00:00:00 winbindd
604 Now... for the real test, try to get some information about the
609 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command>
613 This should echo back a list of users on your Windows users on
614 your PDC. For example, I get the following response:
617 <para><programlisting>
624 </programlisting></para>
627 Obviously, I have named my domain 'CEO' and my <parameter>winbind
628 separator</parameter> is '+'.
632 You can do the same sort of thing to get group information from
636 <para><programlisting>
637 <prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
642 CEO+Domain Controllers
645 CEO+Enterprise Admins
646 CEO+Group Policy Creator Owners
647 </programlisting></para>
650 The function 'getent' can now be used to get unified
651 lists of both local and PDC users and groups.
652 Try the following command:
656 <prompt>root#</prompt> <command>getent passwd</command>
660 You should get a list that looks like your <filename>/etc/passwd</filename>
661 list followed by the domain users with their new uids, gids, home
662 directories and default shells.
666 The same thing can be done for groups with the command
670 <prompt>root#</prompt> <command>getent group</command>
677 <title>Fix the <filename>/etc/rc.d/init.d/smb</filename> startup files</title>
680 The <command>winbindd</command> daemon needs to start up after the
681 <command>smbd</command> and <command>nmbd</command> daemons are running.
682 To accomplish this task, you need to modify the <filename>/etc/init.d/smb</filename>
683 script to add commands to invoke this daemon in the proper sequence. My
684 <filename>/etc/init.d/smb</filename> file starts up <command>smbd</command>,
685 <command>nmbd</command>, and <command>winbindd</command> from the
686 <filename>/usr/local/samba/bin</filename> directory directly. The 'start'
687 function in the script looks like this:
690 <para><programlisting>
693 echo -n $"Starting $KIND services: "
694 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
698 echo -n $"Starting $KIND services: "
699 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
703 echo -n $"Starting $KIND services: "
704 daemon /usr/local/samba/bin/winbindd
707 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
711 </programlisting></para>
714 The 'stop' function has a corresponding entry to shut down the
715 services and look s like this:
718 <para><programlisting>
721 echo -n $"Shutting down $KIND services: "
726 echo -n $"Shutting down $KIND services: "
731 echo -n $"Shutting down $KIND services: "
734 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
738 </programlisting></para>
741 If you restart the <command>smbd</command>, <command>nmbd</command>,
742 and <command>winbindd</command> daemons at this point, you
743 should be able to connect to the samba server as a domain member just as
744 if you were a local user.
752 <title>Configure Winbind and PAM</title>
755 If you have made it this far, you know that winbindd and samba are working
756 together. If you want to use winbind to provide authentication for other
757 services, keep reading. The pam configuration files need to be altered in
758 this step. (Did you remember to make backups of your original
759 <filename>/etc/pam.d</filename> files? If not, do it now.)
763 You will need a pam module to use winbindd with these other services. This
764 module will be compiled in the <filename>../source/nsswitch</filename> directory
765 by invoking the command
769 <prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command>
773 from the <filename>../source</filename> directory. The
774 <filename>pam_winbind.so</filename> file should be copied to the location of
775 your other pam security modules. On my RedHat system, this was the
776 <filename>/lib/security</filename> directory.
780 <prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
784 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
785 just left this fileas it was:
789 <para><programlisting>
790 auth required /lib/security/pam_stack.so service=system-auth
791 account required /lib/security/pam_stack.so service=system-auth
792 </programlisting></para>
795 The other services that I modified to allow the use of winbind
796 as an authentication service were the normal login on the console (or a terminal
797 session), telnet logins, and ftp service. In order to enable these
798 services, you may first need to change the entries in
799 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
800 RedHat 7.1 uses the new xinetd.d structure, in this case you need
801 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
802 and <filename>/etc/xinetd.d/wu-ftp</filename> from
805 <para><programlisting>
807 </programlisting></para>
813 <para><programlisting>
815 </programlisting></para>
818 For ftp services to work properly, you will also need to either
819 have individual directories for the domain users already present on
820 the server, or change the home directory template to a general
821 directory for all domain users. These can be easily set using
822 the <filename>smb.conf</filename> global entry
823 <command>template homedir</command>.
827 The <filename>/etc/pam.d/ftp</filename> file can be changed
828 to allow winbind ftp access in a manner similar to the
829 samba file. My <filename>/etc/pam.d/ftp</filename> file was
830 changed to look like this:
833 <para><programlisting>
834 auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
835 auth sufficient /lib/security/pam_winbind.so
836 auth required /lib/security/pam_stack.so service=system-auth
837 auth required /lib/security/pam_shells.so
838 account sufficient /lib/security/pam_winbind.so
839 account required /lib/security/pam_stack.so service=system-auth
840 session required /lib/security/pam_stack.so service=system-auth
841 </programlisting></para>
844 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
845 same way. It now looks like this:
848 <para><programlisting>
849 auth required /lib/security/pam_securetty.so
850 auth sufficient /lib/security/pam_winbind.so
851 auth sufficient /lib/security/pam_unix.so use_first_pass
852 auth required /lib/security/pam_stack.so service=system-auth
853 auth required /lib/security/pam_nologin.so
854 account sufficient /lib/security/pam_winbind.so
855 account required /lib/security/pam_stack.so service=system-auth
856 password required /lib/security/pam_stack.so service=system-auth
857 session required /lib/security/pam_stack.so service=system-auth
858 session optional /lib/security/pam_console.so
859 </programlisting></para>
862 In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command>
863 lines as before, but also added the <command>required pam_securetty.so</command>
864 above it, to disallow root logins over the network. I also added a
865 <command>sufficient /lib/security/pam_unix.so use_first_pass</command>
866 line after the <command>winbind.so</command> line to get rid of annoying
867 double prompts for passwords.
878 <title>Limitations</title>
880 <para>Winbind has a number of limitations in its current
881 released version that we hope to overcome in future
885 <listitem><para>Winbind is currently only available for
886 the Linux operating system, although ports to other operating
887 systems are certainly possible. For such ports to be feasible,
888 we require the C library of the target operating system to
889 support the Name Service Switch and Pluggable Authentication
890 Modules systems. This is becoming more common as NSS and
891 PAM gain support among UNIX vendors.</para></listitem>
893 <listitem><para>The mappings of Windows NT RIDs to UNIX ids
894 is not made algorithmically and depends on the order in which
895 unmapped users or groups are seen by winbind. It may be difficult
896 to recover the mappings of rid to UNIX id mapping if the file
897 containing this information is corrupted or destroyed.</para>
900 <listitem><para>Currently the winbind PAM module does not take
901 into account possible workstation and logon time restrictions
902 that may be been set for Windows NT users.</para></listitem>
908 <title>Conclusion</title>
910 <para>The winbind system, through the use of the Name Service
911 Switch, Pluggable Authentication Modules, and appropriate
912 Microsoft RPC calls have allowed us to provide seamless
913 integration of Microsoft Windows NT domain users on a
914 UNIX system. The result is a great reduction in the administrative
915 cost of running a mixed UNIX and NT network.</para>