1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"></HEAD
28 >winbindd -- Name Service Switch daemon for resolving names
31 CLASS="REFSYNOPSISDIV"
41 > [-i] [-d <debug level>] [-s <smb config file>]</P
51 >This program is part of the <A
60 > is a daemon that provides
61 a service for the Name Service Switch capability that is present
62 in most modern C libraries. The Name Service Switch allows user
63 and system information to be obtained from different database
64 services such as NIS or DNS. The exact behaviour can be configured
67 >/etc/nsswitch.conf</TT
69 Users and groups are allocated as they are resolved to a range
70 of user and group ids specified by the administrator of the
73 >The service provided by <B
76 > is called `winbind' and
77 can be used to resolve user and group information from a
78 Windows NT server. The service can also provide authentication
79 services via an associated PAM module. </P
84 > module in the 2.2.2 release only
96 module-types. The latter simply
97 performs a getpwnam() to verify that the system can obtain a uid for the
101 > library has been correctly
102 installed, this should always succeed.
105 >The following nsswitch databases are implemented by
106 the winbindd service: </P
116 >User information traditionally stored in
124 > functions. Names are
125 resolved through the WINS server or by broadcast.
132 >User information traditionally stored in
146 >Group information traditionally stored in
159 >For example, the following simple configuration in the
162 >/etc/nsswitch.conf</TT
163 > file can be used to initially
164 resolve user and group information from <TT
172 Windows NT server. </P
175 CLASS="PROGRAMLISTING"
176 >passwd: files winbind
181 >The following simple configuration in the
184 >/etc/nsswitch.conf</TT
185 > file can be used to initially
186 resolve hostnames from <TT
208 >Sets the debuglevel to an integer between
209 0 and 100. 0 is for no debugging and 100 is for reams and
210 reams. To submit a bug report to the Samba Team, use debug
211 level 100 (see BUGS.txt). </P
221 become a daemon and detach from the current terminal. This
222 option is used by developers when interactive debugging
237 >NAME AND ID RESOLUTION</H2
239 >Users and groups on a Windows NT server are assigned
240 a relative id (rid) which is unique for the domain when the
241 user or group is created. To convert the Windows NT user or group
242 into a unix user or group, a mapping between rids and unix user
243 and group ids is required. This is one of the jobs that <B
248 >As winbindd users and groups are resolved from a server, user
249 and group ids are allocated from a specified range. This
250 is done on a first come, first served basis, although all existing
251 users and groups will be mapped as soon as a client performs a user
252 or group enumeration command. The allocated unix ids are stored
253 in a database file under the Samba lock directory and will be
256 >WARNING: The rid to unix id database is the only location
257 where the user and group mappings are stored by winbindd. If this
258 file is deleted or corrupted, there is no way for winbindd to
259 determine which user and group ids correspond to Windows NT user
270 >Configuration of the <B
274 is done through configuration parameters in the <TT
278 > file. All parameters should be specified in the
279 [global] section of smb.conf. </P
286 HREF="smb.conf.5.html#WINBINDSEPARATOR"
291 >winbind separator</I
299 HREF="smb.conf.5.html#WINBINDUID"
312 HREF="smb.conf.5.html#WINBINDGID"
325 HREF="smb.conf.5.html#WINBINDCACHETIME"
330 >winbind cache time</I
338 HREF="smb.conf.5.html#WINBINDENUMUSERS"
343 >winbind enum users</I
351 HREF="smb.conf.5.html#WINBINDENUMGROUPS"
356 >winbind enum groups</I
364 HREF="smb.conf.5.html#TEMPLATEHOMEDIR"
377 HREF="smb.conf.5.html#TEMPLATESHELL"
390 HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN"
395 >winbind use default domain</I
410 >To setup winbindd for user and group lookups plus
411 authentication from a domain controller use something like the
412 following setup. This was tested on a RedHat 6.2 Linux box. </P
416 >/etc/nsswitch.conf</TT
421 CLASS="PROGRAMLISTING"
422 >passwd: files winbind
436 > lines with something like this: </P
439 CLASS="PROGRAMLISTING"
440 >auth required /lib/security/pam_securetty.so
441 auth required /lib/security/pam_nologin.so
442 auth sufficient /lib/security/pam_winbind.so
443 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
447 >Note in particular the use of the <TT
460 >Now replace the account lines with this: </P
464 >account required /lib/security/pam_winbind.so
468 >The next step is to join the domain. To do that use the
472 > program like this: </P
476 >smbpasswd -j DOMAIN -r PDC -U
480 >The username after the <TT
486 Domain user that has administrator privileges on the machine.
487 Substitute your domain name for "DOMAIN" and the name of your PDC
492 >libnss_winbind.so</TT
504 >. A symbolic link needs to be
507 >/lib/libnss_winbind.so</TT
511 >/lib/libnss_winbind.so.2</TT
512 >. If you are using an
513 older version of glibc then the target of the link should be
516 >/lib/libnss_winbind.so.1</TT
519 >Finally, setup a <TT
522 > containing directives like the
526 CLASS="PROGRAMLISTING"
528 winbind separator = +
529 winbind cache time = 10
530 template shell = /bin/bash
531 template homedir = /home/%D/%U
532 winbind uid = 10000-20000
533 winbind gid = 10000-20000
540 >Now start winbindd and you should find that your user and
541 group database is expanded to include your NT users and groups,
542 and that you can login to your unix box as a domain user, using
543 the DOMAIN+user syntax for the username. You may wish to use the
551 > to confirm the correct operation of winbindd.</P
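As an added example (not code from the Samba man page), a small Python checker for the setup walked through above: it confirms that the passwd and group databases in nsswitch.conf list winbind, parses the winbind parameters from the [global] section of smb.conf, and flags a winbind uid range that overlaps uids already present in /etc/passwd, since winbindd allocates ids from that range. The nsswitch.conf, smb.conf and passwd contents are constructed sample input.

```python
# Constructed sample input, mirroring the configuration this page walks through.
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\nhosts:  files wins\n"
SMB_CONF = """[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
"""
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
def nss_databases_using(nsswitch_text, service):
    """Return the nsswitch databases whose source list names `service`."""
    entries = (line.split("#", 1)[0].partition(":") for line in nsswitch_text.splitlines())
    return [db.strip() for db, sep, sources in entries if sep and service in sources.split()]

def global_params(smb_conf_text):
    """Parse 'key = value' pairs from [global] (keys lower-cased, spaces squeezed)."""
    params, section = {}, None
    for line in smb_conf_text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_id_range(value):
    """Parse a range such as the page's '10000-20000'; reject reversed or malformed ones."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"bad id range: {value!r}")
    return low, high

def check_setup(nsswitch_text, smb_conf_text, passwd_text):
    """Return a list of problems; an empty list means the setup matches the page's recipe."""
    problems = [f"nsswitch: {db} does not list winbind" for db in ("passwd", "group")
                if db not in nss_databases_using(nsswitch_text, "winbind")]
    params = global_params(smb_conf_text)
    if "winbind uid" not in params:
        problems.append("smb.conf: winbind uid not set in [global]")
    else:
        # winbindd allocates uids from this range; a local uid inside it would collide.
        low, high = parse_id_range(params["winbind uid"])
        local = (int(l.split(":")[2]) for l in passwd_text.splitlines() if l.count(":") >= 6)
        clash = [uid for uid in local if low <= uid <= high]
        if clash:
            problems.append(f"smb.conf: winbind uid range {low}-{high} overlaps local uids {clash}")
    return problems
```

Running check_setup against the real files (read /etc/nsswitch.conf, smb.conf and /etc/passwd instead of the constructed strings) gives a quick sanity check before starting winbindd.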
561 >The following notes are useful when configuring and
570 > must be running on the local machine
578 queries the list of trusted domains for the Windows NT server
579 on startup and when a SIGHUP is received. Thus, for a running <B
582 > to become aware of new trust relationships between
583 servers, it must be sent a SIGHUP signal. </P
585 >Client processes resolving names through the <B
589 nsswitch module read an environment variable named <TT
591 > $WINBINDD_DOMAIN</TT
592 >. If this variable contains a comma separated
593 list of Windows NT domain names, then winbindd will only resolve users
594 and groups within those Windows NT domains. </P
596 >PAM is really easy to misconfigure. Make sure you know what
597 you are doing when modifying PAM configuration files. It is possible
598 to set up PAM such that you can no longer log into your system. </P
600 >If more than one UNIX machine is running <B
604 then in general the user and groups ids allocated by winbindd will not
605 be the same. The user and group ids will only be valid for the local
608 >If the Windows NT RID to UNIX user and group id mapping
609 file is damaged or destroyed then the mappings will be lost. </P
619 >The following signals can be used to manipulate the
637 file and apply any parameter changes to the running
638 version of winbindd. This signal also clears any cached
639 user and group information. The list of other domains trusted
640 by winbindd is also reloaded. </P
646 >The SIGUSR1 signal will cause <B
649 > to write status information to the winbind
650 log file including information about the number of user and
651 group ids allocated by <B
656 >Log files are stored in the filename specified by the
657 log file parameter.</P
677 >/etc/nsswitch.conf(5)</TT
681 >Name service switch configuration file.</P
684 >/tmp/.winbindd/pipe</DT
687 >The UNIX pipe over which clients communicate with
691 > program. For security reasons, the
692 winbind client will only attempt to connect to the winbindd daemon
699 >/tmp/.winbindd/pipe</TT
704 >/lib/libnss_winbind.so.X</DT
707 >Implementation of name service switch library.
711 >$LOCKDIR/winbindd_idmap.tdb</DT
714 >Storage for the Windows NT rid to UNIX user/group
715 id mapping. The lock directory is specified when Samba is initially
716 compiled using the <TT
722 This directory is by default <TT
724 >/usr/local/samba/var/locks
729 >$LOCKDIR/winbindd_cache.tdb</DT
732 >Storage for cached user and group information.
746 >This man page is correct for version 2.2 of
759 >nsswitch.conf(5)</TT
772 HREF="smb.conf.5.html"
785 >The original Samba software and related utilities
786 were created by Andrew Tridgell. Samba is now developed
787 by the Samba Team as an Open Source project similar
788 to the way the Linux kernel is developed.</P
797 were written by Tim Potter.</P
799 >The conversion to DocBook for Samba 2.2 was done