This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to...

[nivanova/samba-autobuild/.git] / docs / manpages / winbindd.8

.\" This manpage has been automatically generated by docbook2man 
.\" from a DocBook document.  This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> 
.\" Please send any bug reports, improvements, comments, patches, 
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "WINBINDD" "8" "04 March 2003" "" ""
.SH NAME
winbindd \- Name Service Switch daemon for resolving names  from NT servers
.SH SYNOPSIS

\fBwinbindd\fR [ \fB-F\fR ] [ \fB-S\fR ] [ \fB-i\fR ] [ \fB-B\fR ] [ \fB-d <debug level>\fR ] [ \fB-s <smb config file>\fR ] [ \fB-n\fR ]

.SH "DESCRIPTION"
.PP
This program is part of the  Samba suite.
.PP
\fBwinbindd\fR is a daemon that provides 
a service for the Name Service Switch capability that is present 
in most modern C libraries.  The Name Service Switch allows user 
and system information to be obtained from different databases 
services such as NIS or DNS.  The exact behaviour can be configured 
throught the \fI/etc/nsswitch.conf\fR file.  
Users and groups are allocated as they are resolved to a range 
of user and group ids specified by the administrator of the 
Samba system.
.PP
The service provided by \fBwinbindd\fR is called `winbind' and 
can be used to resolve user and group information from a 
Windows NT server. The service can also provide authentication
services via an associated PAM module. 
.PP
The \fIpam_winbind\fR module in the 2.2.2 release only 
supports the \fIauth\fR and \fIaccount\fR 
module-types.  The latter simply
performs a getpwnam() to verify that the system can obtain a uid for the
user.  If the \fIlibnss_winbind\fR library has been correctly 
installed, this should always succeed.
.PP
The following nsswitch databases are implemented by 
the winbindd service: 
.TP
\fBhosts\fR
User information traditionally stored in 
the \fIhosts(5)\fR file and used by 
\fBgethostbyname(3)\fR functions. Names are
resolved through the WINS server or by broadcast.
.TP
\fBpasswd\fR
User information traditionally stored in 
the \fIpasswd(5)\fR file and used by 
\fBgetpwent(3)\fR functions. 
.TP
\fBgroup\fR
Group information traditionally stored in 
the \fIgroup(5)\fR file and used by   
\fBgetgrent(3)\fR functions. 
.PP
For example, the following simple configuration in the
\fI/etc/nsswitch.conf\fR file can be used to initially 
resolve user and group information from \fI/etc/passwd
\fR and \fI/etc/group\fR and then from the 
Windows NT server. 
.PP

.nf
passwd:         files winbind
group:          files winbind
        
.fi
.PP
The following simple configuration in the
\fI/etc/nsswitch.conf\fR file can be used to initially
resolve hostnames from \fI/etc/hosts\fR and then from the
WINS server.
.SH "OPTIONS"
.TP
\fB-F\fR
If specified, this parameter causes
the main \fBwinbindd\fR process to not daemonize,
i.e. double-fork and disassociate with the terminal.
Child processes are still created as normal to service
each connection request, but the main process does not
exit. This operation mode is suitable for running
\fBwinbindd\fR under process supervisors such
as \fBsupervise\fR and \fBsvscan\fR
from Daniel J. Bernstein's \fBdaemontools\fR
package, or the AIX process monitor.
.TP
\fB-S\fR
If specified, this parameter causes
\fBwinbindd\fR to log to standard output rather
than a file.
.TP
\fB-d debuglevel\fR
Sets the debuglevel to an integer between 
0 and 100. 0 is for no debugging and 100 is for reams and 
reams. To submit a bug report to the Samba Team, use debug 
level 100 (see BUGS.txt).   
.TP
\fB-i\fR
Tells \fBwinbindd\fR to not 
become a daemon and detach from the current terminal. This 
option is used by developers when interactive debugging 
of \fBwinbindd\fR is required.
\fBwinbindd\fR also logs to standard output,
as if the \fB-S\fR parameter had been given.
.TP
\fB-n\fR
Disable caching. This means winbindd will 
always have to wait for a response from the domain controller 
before it can respond to a client and this thus makes things 
slower. The results will however be more accurate, since 
results from the cache might not be up-to-date. This 
might also temporarily hang winbindd if the DC doesn't respond.
.TP
\fB-B\fR
Dual daemon mode. This means winbindd will run 
as 2 threads. The first will answer all requests from the cache, 
thus making responses to clients faster. The other will 
update the cache for the query that the first has just responded. 
Advantage of this is that responses are accurate and fast.
.TP
\fB-s|--conf=smb.conf\fR
Specifies the location of the all-important
\fIsmb.conf\fR file. 
.SH "NAME AND ID RESOLUTION"
.PP
Users and groups on a Windows NT server are assigned 
a relative id (rid) which is unique for the domain when the 
user or group is created.  To convert the Windows NT user or group 
into a unix user or group, a mapping between rids and unix user 
and group ids is required.  This is one of the jobs that \fB winbindd\fR performs. 
.PP
As winbindd users and groups are resolved from a server, user 
and group ids are allocated from a specified range.  This
is done on a first come, first served basis, although all existing 
users and groups will be mapped as soon as a client performs a user 
or group enumeration command.  The allocated unix ids are stored 
in a database file under the Samba lock directory and will be 
remembered. 
.PP
WARNING: The rid to unix id database is the only location 
where the user and group mappings are stored by winbindd.  If this 
file is deleted or corrupted, there is no way for winbindd to 
determine which user and group ids correspond to Windows NT user 
and group rids. 
.SH "CONFIGURATION"
.PP
Configuration of the \fBwinbindd\fR daemon 
is done through configuration parameters in the \fIsmb.conf(5)
\fR file.  All parameters should be specified in the 
[global] section of smb.conf. 
.TP 0.2i
\(bu
\fIwinbind separator\fR
.TP 0.2i
\(bu
\fIwinbind uid\fR
.TP 0.2i
\(bu
\fIwinbind gid\fR
.TP 0.2i
\(bu
\fIwinbind cache time\fR
.TP 0.2i
\(bu
\fIwinbind enum users\fR
.TP 0.2i
\(bu
\fIwinbind enum groups\fR
.TP 0.2i
\(bu
\fItemplate homedir\fR
.TP 0.2i
\(bu
\fItemplate shell\fR
.TP 0.2i
\(bu
\fIwinbind use default domain\fR
.SH "EXAMPLE SETUP"
.PP
To setup winbindd for user and group lookups plus 
authentication from a domain controller use something like the 
following setup. This was tested on a RedHat 6.2 Linux box. 
.PP
In \fI/etc/nsswitch.conf\fR put the 
following:
.PP

.nf
passwd:     files winbind
group:      files winbind
        
.fi
.PP
In \fI/etc/pam.d/*\fR replace the 
\fIauth\fR lines with something like this: 
.PP

.nf
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
        
.fi
.PP
Note in particular the use of the \fIsufficient\fR 
keyword and the \fIuse_first_pass\fR keyword. 
.PP
Now replace the account lines with this: 
.PP
\fBaccount    required /lib/security/pam_winbind.so
\fR
.PP
The next step is to join the domain. To do that use the 
\fBsmbpasswd\fR program like this:  
.PP
\fBsmbpasswd -j DOMAIN -r PDC -U
Administrator\fR
.PP
The username after the \fI-U\fR can be any
Domain user that has administrator privileges on the machine.
Substitute your domain name for "DOMAIN" and the name of your PDC
for "PDC".
.PP
Next copy \fIlibnss_winbind.so\fR to 
\fI/lib\fR and \fIpam_winbind.so\fR
to \fI/lib/security\fR.  A symbolic link needs to be
made from \fI/lib/libnss_winbind.so\fR to
\fI/lib/libnss_winbind.so.2\fR.  If you are using an
older version of glibc then the target of the link should be
\fI/lib/libnss_winbind.so.1\fR.
.PP
Finally, setup a \fIsmb.conf\fR containing directives like the 
following:  
.PP

.nf
[global]
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        workgroup = DOMAIN
        security = domain
        password server = *
        
.fi
.PP
Now start winbindd and you should find that your user and 
group database is expanded to include your NT users and groups, 
and that you can login to your unix box as a domain user, using 
the DOMAIN+user syntax for the username. You may wish to use the 
commands \fBgetent passwd\fR and \fBgetent group
\fR to confirm the correct operation of winbindd.
.SH "NOTES"
.PP
The following notes are useful when configuring and 
running \fBwinbindd\fR: 
.PP
\fBnmbd\fR must be running on the local machine 
for \fBwinbindd\fR to work. \fBwinbindd\fR
queries the list of trusted domains for the Windows NT server
on startup and when a SIGHUP is received.  Thus, for a running \fB winbindd\fR to become aware of new trust relationships between 
servers, it must be sent a SIGHUP signal. 
.PP
Client processes resolving names through the \fBwinbindd\fR
nsswitch module read an environment variable named \fB $WINBINDD_DOMAIN\fR.  If this variable contains a comma separated
list of Windows NT domain names, then winbindd will only resolve users
and groups within those Windows NT domains. 
.PP
PAM is really easy to misconfigure.  Make sure you know what 
you are doing when modifying PAM configuration files.  It is possible 
to set up PAM such that you can no longer log into your system. 
.PP
If more than one UNIX machine is running \fBwinbindd\fR, 
then in general the user and groups ids allocated by winbindd will not 
be the same.  The user and group ids will only be valid for the local 
machine.
.PP
If the the Windows NT RID to UNIX user and group id mapping 
file is damaged or destroyed then the mappings will be lost. 
.SH "SIGNALS"
.PP
The following signals can be used to manipulate the 
\fBwinbindd\fR daemon. 
.TP
\fBSIGHUP\fR
Reload the \fIsmb.conf(5)\fR
file and apply any parameter changes to the running 
version of winbindd.  This signal also clears any cached 
user and group information.  The list of other domains trusted 
by winbindd is also reloaded.  
.TP
\fBSIGUSR1\fR
The SIGUSR1 signal will cause \fB  winbindd\fR to write status information to the winbind 
log file including information about the number of user and 
group ids allocated by \fBwinbindd\fR.

Log files are stored in the filename specified by the 
log file parameter.
.SH "FILES"
.TP
\fB\fI/etc/nsswitch.conf(5)\fB\fR
Name service switch configuration file.
.TP
\fB/tmp/.winbindd/pipe\fR
The UNIX pipe over which clients communicate with 
the \fBwinbindd\fR program.  For security reasons, the 
winbind client will only attempt to connect to the winbindd daemon 
if both the \fI/tmp/.winbindd\fR directory
and \fI/tmp/.winbindd/pipe\fR file are owned by 
root. 
.TP
\fB/lib/libnss_winbind.so.X\fR
Implementation of name service switch library.
.TP
\fB$LOCKDIR/winbindd_idmap.tdb\fR
Storage for the Windows NT rid to UNIX user/group 
id mapping.  The lock directory is specified when Samba is initially 
compiled using the \fI--with-lockdir\fR option.
This directory is by default \fI/usr/local/samba/var/locks
\fR. 
.TP
\fB$LOCKDIR/winbindd_cache.tdb\fR
Storage for cached user and group information.
.SH "VERSION"
.PP
This man page is correct for version 3.0 of
the Samba suite.
.SH "SEE ALSO"
.PP
\fInsswitch.conf(5)\fR,
samba(7)
wbinfo(1)
smb.conf(5)
.SH "AUTHOR"
.PP
The original Samba software and related utilities 
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar 
to the way the Linux kernel is developed.
.PP
\fBwbinfo\fR and \fBwinbindd\fR
were written by Tim Potter.
.PP
The conversion to DocBook for Samba 2.2 was done 
by Gerald Carter