1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
28 >winbindd -- Name Service Switch daemon for resolving names
31 CLASS="REFSYNOPSISDIV"
41 > [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]</P
51 >This program is part of the <SPAN
62 > is a daemon that provides
63 a service for the Name Service Switch capability that is present
64 in most modern C libraries. The Name Service Switch allows user
65 and system information to be obtained from different databases
66 services such as NIS or DNS. The exact behaviour can be configured
69 >/etc/nsswitch.conf</TT
71 Users and groups are allocated as they are resolved to a range
72 of user and group ids specified by the administrator of the
75 >The service provided by <B
78 > is called `winbind' and
79 can be used to resolve user and group information from a
80 Windows NT server. The service can also provide authentication
81 services via an associated PAM module. </P
86 > module in the 2.2.2 release only
94 module-types. The latter simply
95 performs a getpwnam() to verify that the system can obtain a uid for the
99 > library has been correctly
100 installed, this should always succeed.
103 >The following nsswitch databases are implemented by
104 the winbindd service: </P
114 >User information traditionally stored in
122 > functions. Names are
123 resolved through the WINS server or by broadcast.
130 >User information traditionally stored in
144 >Group information traditionally stored in
157 >For example, the following simple configuration in the
160 >/etc/nsswitch.conf</TT
161 > file can be used to initially
162 resolve user and group information from <TT
172 CLASS="PROGRAMLISTING"
173 >passwd: files winbind
174 group: files winbind</PRE
177 >The following simple configuration in the
180 >/etc/nsswitch.conf</TT
181 > file can be used to initially
182 resolve hostnames from <TT
204 >If specified, this parameter causes
208 > process to not daemonize,
209 i.e. double-fork and disassociate with the terminal.
210 Child processes are still created as normal to service
211 each connection request, but the main process does not
212 exit. This operation mode is suitable for running
216 > under process supervisors such
224 from Daniel J. Bernstein's <B
228 package, or the AIX process monitor.
235 >If specified, this parameter causes
239 > to log to standard output rather
246 >Prints the version number for
253 >-s <configuration file></DT
256 >The file specified contains the
257 configuration details required by the server. The
258 information in this file includes server-specific
259 information such as what printcap file to use, as well
260 as descriptions of all the services that the server is
262 HREF="smb.conf.5.html"
268 > for more information.
269 The default configuration file name is determined at
273 >-d|--debug=debuglevel</DT
280 from 0 to 10. The default value if this parameter is
281 not specified is zero.</P
283 >The higher this value, the more detail will be
284 logged to the log files about the activities of the
285 server. At level 0, only critical errors and serious
286 warnings will be logged. Level 1 is a reasonable level for
287 day to day running - it generates a small amount of
288 information about operations carried out.</P
290 >Levels above 1 will generate considerable
291 amounts of log data, and should only be used when
292 investigating a problem. Levels above 3 are designed for
293 use only by developers and generate HUGE amounts of log
294 data, most of which is extremely cryptic.</P
296 >Note that specifying this parameter here will
298 HREF="smb.conf.5.html#loglevel"
302 > parameter in the <A
303 HREF="smb.conf.5.html"
312 >-l|--logfile=logbasename</DT
315 >File name for log/debug files. The extension
319 > will be appended. The log file is
320 never removed by the client.</P
326 >Print a summary of command line options.</P
336 become a daemon and detach from the current terminal. This
337 option is used by developers when interactive debugging
345 > also logs to standard output,
349 > parameter had been given.
356 >Disable caching. This means winbindd will
357 always have to wait for a response from the domain controller
358 before it can respond to a client and this thus makes things
359 slower. The results will however be more accurate, since
360 results from the cache might not be up-to-date. This
361 might also temporarily hang winbindd if the DC doesn't respond.
368 >Dual daemon mode. This means winbindd will run
369 as 2 threads. The first will answer all requests from the cache,
370 thus making responses to clients faster. The other will
371 update the cache for the query that the first has just responded.
372 Advantage of this is that responses stay accurate and are faster.
384 >NAME AND ID RESOLUTION</H2
386 >Users and groups on a Windows NT server are assigned
387 a relative id (rid) which is unique for the domain when the
388 user or group is created. To convert the Windows NT user or group
389 into a unix user or group, a mapping between rids and unix user
390 and group ids is required. This is one of the jobs that <B
395 >As winbindd users and groups are resolved from a server, user
396 and group ids are allocated from a specified range. This
397 is done on a first come, first served basis, although all existing
398 users and groups will be mapped as soon as a client performs a user
399 or group enumeration command. The allocated unix ids are stored
400 in a database file under the Samba lock directory and will be
403 >WARNING: The rid to unix id database is the only location
404 where the user and group mappings are stored by winbindd. If this
405 file is deleted or corrupted, there is no way for winbindd to
406 determine which user and group ids correspond to Windows NT user
417 >Configuration of the <B
421 is done through configuration parameters in the <SPAN
424 CLASS="REFENTRYTITLE"
427 > file. All parameters should be specified in the
428 [global] section of smb.conf. </P
435 HREF="smb.conf.5.html#WINBINDSEPARATOR"
439 >winbind separator</VAR
446 HREF="smb.conf.5.html#WINBINDUID"
457 HREF="smb.conf.5.html#WINBINDGID"
468 HREF="smb.conf.5.html#WINBINDCACHETIME"
472 >winbind cache time</VAR
479 HREF="smb.conf.5.html#WINBINDENUMUSERS"
483 >winbind enum users</VAR
490 HREF="smb.conf.5.html#WINBINDENUMGROUPS"
494 >winbind enum groups</VAR
501 HREF="smb.conf.5.html#TEMPLATEHOMEDIR"
505 >template homedir</VAR
512 HREF="smb.conf.5.html#TEMPLATESHELL"
523 HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN"
527 >winbind use default domain</VAR
541 >To setup winbindd for user and group lookups plus
542 authentication from a domain controller use something like the
543 following setup. This was tested on a RedHat 6.2 Linux box. </P
547 >/etc/nsswitch.conf</TT
551 CLASS="PROGRAMLISTING"
552 >passwd: files winbind
553 group: files winbind</PRE
562 > lines with something like this:
564 CLASS="PROGRAMLISTING"
565 >auth required /lib/security/pam_securetty.so
566 auth required /lib/security/pam_nologin.so
567 auth sufficient /lib/security/pam_winbind.so
568 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok</PRE
571 >Note in particular the use of the <VAR
575 > keyword and the <VAR
580 >Now replace the account lines with this: </P
584 >account required /lib/security/pam_winbind.so
588 >The next step is to join the domain. To do that use the
592 > program like this: </P
596 >net join -S PDC -U Administrator</B
599 >The username after the <VAR
603 Domain user that has administrator privileges on the machine.
604 Substitute the name or IP of your PDC for "PDC".</P
608 >libnss_winbind.so</TT
620 >. A symbolic link needs to be
623 >/lib/libnss_winbind.so</TT
627 >/lib/libnss_winbind.so.2</TT
628 >. If you are using an
629 older version of glibc then the target of the link should be
632 >/lib/libnss_winbind.so.1</TT
635 >Finally, setup a <SPAN
638 CLASS="REFENTRYTITLE"
641 > containing directives like the
644 CLASS="PROGRAMLISTING"
646 winbind separator = +
647 winbind cache time = 10
648 template shell = /bin/bash
649 template homedir = /home/%D/%U
650 winbind uid = 10000-20000
651 winbind gid = 10000-20000
654 password server = *</PRE
657 >Now start winbindd and you should find that your user and
658 group database is expanded to include your NT users and groups,
659 and that you can login to your unix box as a domain user, using
660 the DOMAIN+user syntax for the username. You may wish to use the
668 > to confirm the correct operation of winbindd.</P
678 >The following notes are useful when configuring and
687 CLASS="REFENTRYTITLE"
690 > must be running on the local machine
698 the list of trusted domains for the Windows NT server
699 on startup and when a SIGHUP is received. Thus, for a running <B
702 > to become aware of new trust relationships between
703 servers, it must be sent a SIGHUP signal. </P
705 >PAM is really easy to misconfigure. Make sure you know what
706 you are doing when modifying PAM configuration files. It is possible
707 to set up PAM such that you can no longer log into your system. </P
709 >If more than one UNIX machine is running <B
713 then in general the user and groups ids allocated by winbindd will not
714 be the same. The user and group ids will only be valid for the local
717 >If the the Windows NT RID to UNIX user and group id mapping
718 file is damaged or destroyed then the mappings will be lost. </P
728 >The following signals can be used to manipulate the
745 CLASS="REFENTRYTITLE"
749 apply any parameter changes to the running
750 version of winbindd. This signal also clears any cached
751 user and group information. The list of other domains trusted
752 by winbindd is also reloaded. </P
758 >The SIGUSR1 signal will cause <B
761 > to write status information to the winbind
762 log file including information about the number of user and
763 group ids allocated by <B
768 >Log files are stored in the filename specified by the
769 log file parameter.</P
789 >/etc/nsswitch.conf(5)</TT
793 >Name service switch configuration file.</P
796 >/tmp/.winbindd/pipe</DT
799 >The UNIX pipe over which clients communicate with
803 > program. For security reasons, the
804 winbind client will only attempt to connect to the winbindd daemon
811 >/tmp/.winbindd/pipe</TT
816 >$LOCKDIR/winbindd_privilaged/pipe</DT
819 >The UNIX pipe over which 'privilaged' clients
820 communicate with the <B
823 > program. For security
824 reasons, access to some winbindd functions - like those needed by
828 > utility - is restricted. By default,
829 only users in the 'root' group will get this access, however the administrator
830 may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
831 programs like 'squid' to use ntlm_auth.
832 Note that the winbind client will only attempt to connect to the winbindd daemon
835 >$LOCKDIR/winbindd_privilaged</TT
839 >$LOCKDIR/winbindd_privilaged/pipe</TT
844 >/lib/libnss_winbind.so.X</DT
847 >Implementation of name service switch library.
851 >$LOCKDIR/winbindd_idmap.tdb</DT
854 >Storage for the Windows NT rid to UNIX user/group
855 id mapping. The lock directory is specified when Samba is initially
856 compiled using the <VAR
860 This directory is by default <TT
862 >/usr/local/samba/var/locks
867 >$LOCKDIR/winbindd_cache.tdb</DT
870 >Storage for cached user and group information.
884 >This man page is correct for version 3.0 of
897 >nsswitch.conf(5)</TT
901 CLASS="REFENTRYTITLE"
907 CLASS="REFENTRYTITLE"
913 CLASS="REFENTRYTITLE"
926 >The original Samba software and related utilities
927 were created by Andrew Tridgell. Samba is now developed
928 by the Samba Team as an Open Source project similar
929 to the way the Linux kernel is developed.</P
938 written by Tim Potter.</P
940 >The conversion to DocBook for Samba 2.2 was done
941 by Gerald Carter. The conversion to DocBook XML 4.2 for
942 Samba 3.0 was done by Alexander Bokovoy.</P