1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="winbindd.8">
6 <refentrytitle>winbindd</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">3.0</refmiscinfo>
15 <refname>winbindd</refname>
16 <refpurpose>Name Service Switch daemon for resolving names
17 from NT servers</refpurpose>
22 <command>winbindd</command>
23 <arg choice="opt">-D</arg>
24 <arg choice="opt">-F</arg>
25 <arg choice="opt">-S</arg>
26 <arg choice="opt">-i</arg>
27 <arg choice="opt">-Y</arg>
28 <arg choice="opt">-d <debug level></arg>
29 <arg choice="opt">-s <smb config file></arg>
30 <arg choice="opt">-n</arg>
35 <title>DESCRIPTION</title>
37 <para>This program is part of the <citerefentry><refentrytitle>samba</refentrytitle>
38 <manvolnum>7</manvolnum></citerefentry> suite.</para>
40 <para><command>winbindd</command> is a daemon that provides
41 a number of services to the Name Service Switch capability found
42 in most modern C libraries, to arbitrary applications via PAM
43 and <command>ntlm_auth</command> and to Samba itself.</para>
45 <para>Even if winbind is not used for nsswitch, it still provides a
46 service to <command>smbd</command>, <command>ntlm_auth</command>
47 and the <command>pam_winbind.so</command> PAM module, by managing connections to
48 domain controllers. In this configuraiton the
49 <smbconfoption name="idmap uid"/> and
50 <smbconfoption name="idmap gid"/>
51 parameters are not required. (This is known as `netlogon proxy only mode'.)</para>
53 <para> The Name Service Switch allows user
54 and system information to be obtained from different databases
55 services such as NIS or DNS. The exact behaviour can be configured
56 throught the <filename>/etc/nsswitch.conf</filename> file.
57 Users and groups are allocated as they are resolved to a range
58 of user and group ids specified by the administrator of the
61 <para>The service provided by <command>winbindd</command> is called `winbind' and
62 can be used to resolve user and group information from a
63 Windows NT server. The service can also provide authentication
64 services via an associated PAM module. </para>
67 The <filename>pam_winbind</filename> module supports the
68 <parameter>auth</parameter>, <parameter>account</parameter>
69 and <parameter>password</parameter>
70 module-types. It should be noted that the
71 <parameter>account</parameter> module simply performs a getpwnam() to verify that
72 the system can obtain a uid for the user, as the domain
73 controller has already performed access control. If the
74 <filename>libnss_winbind</filename> library has been correctly
75 installed, or an alternate source of names configured, this should always succeed.
78 <para>The following nsswitch databases are implemented by
79 the winbindd service: </para>
84 <listitem><para>If specified, this parameter causes
85 the server to operate as a daemon. That is, it detaches
86 itself and runs in the background on the appropriate port.
87 This switch is assumed if <command>winbindd</command> is
88 executed on the command line of a shell.
94 <listitem><para>This feature is only available on IRIX.
95 User information traditionally stored in
96 the <filename>hosts(5)</filename> file and used by
97 <command>gethostbyname(3)</command> functions. Names are
98 resolved through the WINS server or by broadcast.
104 <listitem><para>User information traditionally stored in
105 the <filename>passwd(5)</filename> file and used by
106 <command>getpwent(3)</command> functions. </para></listitem>
111 <listitem><para>Group information traditionally stored in
112 the <filename>group(5)</filename> file and used by
113 <command>getgrent(3)</command> functions. </para></listitem>
117 <para>For example, the following simple configuration in the
118 <filename>/etc/nsswitch.conf</filename> file can be used to initially
119 resolve user and group information from <filename>/etc/passwd
120 </filename> and <filename>/etc/group</filename> and then from the
123 passwd: files winbind
125 ## only available on IRIX; Linux users should us libnss_wins.so
126 hosts: files dns winbind
127 </programlisting></para>
129 <para>The following simple configuration in the
130 <filename>/etc/nsswitch.conf</filename> file can be used to initially
131 resolve hostnames from <filename>/etc/hosts</filename> and then from the
141 <title>OPTIONS</title>
146 <listitem><para>If specified, this parameter causes
147 the main <command>winbindd</command> process to not daemonize,
148 i.e. double-fork and disassociate with the terminal.
149 Child processes are still created as normal to service
150 each connection request, but the main process does not
151 exit. This operation mode is suitable for running
152 <command>winbindd</command> under process supervisors such
153 as <command>supervise</command> and <command>svscan</command>
154 from Daniel J. Bernstein's <command>daemontools</command>
155 package, or the AIX process monitor.
161 <listitem><para>If specified, this parameter causes
162 <command>winbindd</command> to log to standard output rather
163 than a file.</para></listitem>
166 &stdarg.server.debug;
172 <listitem><para>Tells <command>winbindd</command> to not
173 become a daemon and detach from the current terminal. This
174 option is used by developers when interactive debugging
175 of <command>winbindd</command> is required.
176 <command>winbindd</command> also logs to standard output,
177 as if the <command>-S</command> parameter had been given.
183 <listitem><para>Disable caching. This means winbindd will
184 always have to wait for a response from the domain controller
185 before it can respond to a client and this thus makes things
186 slower. The results will however be more accurate, since
187 results from the cache might not be up-to-date. This
188 might also temporarily hang winbindd if the DC doesn't respond.
194 <listitem><para>Single daemon mode. This means winbindd will run
195 as a single process (the mode of operation in Samba 2.2). Winbindd's
196 default behavior is to launch a child process that is responsible for
197 updating expired cache entries.
206 <title>NAME AND ID RESOLUTION</title>
208 <para>Users and groups on a Windows NT server are assigned
209 a security id (SID) which is globally unique when the
210 user or group is created. To convert the Windows NT user or group
211 into a unix user or group, a mapping between SIDs and unix user
212 and group ids is required. This is one of the jobs that <command>
213 winbindd</command> performs. </para>
215 <para>As winbindd users and groups are resolved from a server, user
216 and group ids are allocated from a specified range. This
217 is done on a first come, first served basis, although all existing
218 users and groups will be mapped as soon as a client performs a user
219 or group enumeration command. The allocated unix ids are stored
220 in a database and will be remembered. </para>
222 <para>WARNING: The SID to unix id database is the only location
223 where the user and group mappings are stored by winbindd. If this
224 store is deleted or corrupted, there is no way for winbindd to
225 determine which user and group ids correspond to Windows NT user
226 and group rids. </para>
228 <para>See the <smbconfoption name="idmap domains"/> or the old <smbconfoption name="idmap backend"/> parameters in
229 <filename>smb.conf</filename> for options for sharing this
230 database, such as via LDAP.</para>
235 <title>CONFIGURATION</title>
237 <para>Configuration of the <command>winbindd</command> daemon
238 is done through configuration parameters in the <citerefentry>
239 <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
240 </citerefentry> file. All parameters should be specified in the
241 [global] section of smb.conf. </para>
245 <smbconfoption name="winbind separator"/></para></listitem>
247 <smbconfoption name="idmap uid"/></para></listitem>
249 <smbconfoption name="idmap gid"/></para></listitem>
251 <smbconfoption name="idmap backend"/></para></listitem>
253 <smbconfoption name="winbind cache time"/></para></listitem>
255 <smbconfoption name="winbind enum users"/></para></listitem>
257 <smbconfoption name="winbind enum groups"/></para></listitem>
259 <smbconfoption name="template homedir"/></para></listitem>
261 <smbconfoption name="template shell"/></para></listitem>
263 <smbconfoption name="winbind use default domain"/></para></listitem>
265 <smbconfoption name="winbind: rpc only"/>
266 Setting this parameter forces winbindd to use RPC
267 instead of LDAP to retrieve information from Domain
275 <title>EXAMPLE SETUP</title>
278 To setup winbindd for user and group lookups plus
279 authentication from a domain controller use something like the
280 following setup. This was tested on an early Red Hat Linux box.
283 <para>In <filename>/etc/nsswitch.conf</filename> put the
286 passwd: files winbind
291 <para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
292 auth</parameter> lines with something like this:
294 auth required /lib/security/pam_securetty.so
295 auth required /lib/security/pam_nologin.so
296 auth sufficient /lib/security/pam_winbind.so
297 auth required /lib/security/pam_unix.so \
298 use_first_pass shadow nullok
303 The PAM module pam_unix has recently replaced the module pam_pwdb.
304 Some Linux systems use the module pam_unix2 in place of pam_unix.
307 <para>Note in particular the use of the <parameter>sufficient
308 </parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
310 <para>Now replace the account lines with this: </para>
312 <para><command>account required /lib/security/pam_winbind.so
315 <para>The next step is to join the domain. To do that use the
316 <command>net</command> program like this: </para>
318 <para><command>net join -S PDC -U Administrator</command></para>
320 <para>The username after the <parameter>-U</parameter> can be any
321 Domain user that has administrator privileges on the machine.
322 Substitute the name or IP of your PDC for "PDC".</para>
324 <para>Next copy <filename>libnss_winbind.so</filename> to
325 <filename>/lib</filename> and <filename>pam_winbind.so
326 </filename> to <filename>/lib/security</filename>. A symbolic link needs to be
327 made from <filename>/lib/libnss_winbind.so</filename> to
328 <filename>/lib/libnss_winbind.so.2</filename>. If you are using an
329 older version of glibc then the target of the link should be
330 <filename>/lib/libnss_winbind.so.1</filename>.</para>
332 <para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
333 <manvolnum>5</manvolnum></citerefentry> containing directives like the
337 winbind separator = +
338 winbind cache time = 10
339 template shell = /bin/bash
340 template homedir = /home/%D/%U
341 idmap uid = 10000-20000
342 idmap gid = 10000-20000
346 </programlisting></para>
349 <para>Now start winbindd and you should find that your user and
350 group database is expanded to include your NT users and groups,
351 and that you can login to your unix box as a domain user, using
352 the DOMAIN+user syntax for the username. You may wish to use the
353 commands <command>getent passwd</command> and <command>getent group
354 </command> to confirm the correct operation of winbindd.</para>
361 <para>The following notes are useful when configuring and
362 running <command>winbindd</command>: </para>
364 <para><citerefentry><refentrytitle>nmbd</refentrytitle>
365 <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
366 for <command>winbindd</command> to work. </para>
368 <para>PAM is really easy to misconfigure. Make sure you know what
369 you are doing when modifying PAM configuration files. It is possible
370 to set up PAM such that you can no longer log into your system. </para>
372 <para>If more than one UNIX machine is running <command>winbindd</command>,
373 then in general the user and groups ids allocated by winbindd will not
374 be the same. The user and group ids will only be valid for the local
375 machine, unless a shared <smbconfoption name="idmap backend"/> is configured.</para>
377 <para>If the the Windows NT SID to UNIX user and group id mapping
378 file is damaged or destroyed then the mappings will be lost. </para>
383 <title>SIGNALS</title>
385 <para>The following signals can be used to manipulate the
386 <command>winbindd</command> daemon. </para>
391 <listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
392 <manvolnum>5</manvolnum></citerefentry> file and
393 apply any parameter changes to the running
394 version of winbindd. This signal also clears any cached
395 user and group information. The list of other domains trusted
396 by winbindd is also reloaded. </para></listitem>
401 <listitem><para>The SIGUSR2 signal will cause <command>
402 winbindd</command> to write status information to the winbind
405 <para>Log files are stored in the filename specified by the
406 log file parameter.</para></listitem>
416 <term><filename>/etc/nsswitch.conf(5)</filename></term>
417 <listitem><para>Name service switch configuration file.</para>
422 <term>/tmp/.winbindd/pipe</term>
423 <listitem><para>The UNIX pipe over which clients communicate with
424 the <command>winbindd</command> program. For security reasons, the
425 winbind client will only attempt to connect to the winbindd daemon
426 if both the <filename>/tmp/.winbindd</filename> directory
427 and <filename>/tmp/.winbindd/pipe</filename> file are owned by
428 root. </para></listitem>
432 <term>$LOCKDIR/winbindd_privileged/pipe</term>
433 <listitem><para>The UNIX pipe over which 'privileged' clients
434 communicate with the <command>winbindd</command> program. For security
435 reasons, access to some winbindd functions - like those needed by
436 the <command>ntlm_auth</command> utility - is restricted. By default,
437 only users in the 'root' group will get this access, however the administrator
438 may change the group permissions on $LOCKDIR/winbindd_privileged to allow
439 programs like 'squid' to use ntlm_auth.
440 Note that the winbind client will only attempt to connect to the winbindd daemon
441 if both the <filename>$LOCKDIR/winbindd_privileged</filename> directory
442 and <filename>$LOCKDIR/winbindd_privileged/pipe</filename> file are owned by
443 root. </para></listitem>
447 <term>/lib/libnss_winbind.so.X</term>
448 <listitem><para>Implementation of name service switch library.
453 <term>$LOCKDIR/winbindd_idmap.tdb</term>
454 <listitem><para>Storage for the Windows NT rid to UNIX user/group
455 id mapping. The lock directory is specified when Samba is initially
456 compiled using the <parameter>--with-lockdir</parameter> option.
457 This directory is by default <filename>/usr/local/samba/var/locks
458 </filename>. </para></listitem>
462 <term>$LOCKDIR/winbindd_cache.tdb</term>
463 <listitem><para>Storage for cached user and group information.
471 <title>VERSION</title>
473 <para>This man page is correct for version 3.0 of
474 the Samba suite.</para>
478 <title>SEE ALSO</title>
480 <para><filename>nsswitch.conf(5)</filename>, <citerefentry>
481 <refentrytitle>samba</refentrytitle>
482 <manvolnum>7</manvolnum></citerefentry>, <citerefentry>
483 <refentrytitle>wbinfo</refentrytitle>
484 <manvolnum>1</manvolnum></citerefentry>, <citerefentry>
485 <refentrytitle>ntlm_auth</refentrytitle>
486 <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
487 <refentrytitle>smb.conf</refentrytitle>
488 <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
489 <refentrytitle>pam_winbind</refentrytitle>
490 <manvolnum>8</manvolnum></citerefentry></para>
494 <title>AUTHOR</title>
496 <para>The original Samba software and related utilities
497 were created by Andrew Tridgell. Samba is now developed
498 by the Samba Team as an Open Source project similar
499 to the way the Linux kernel is developed.</para>
501 <para><command>wbinfo</command> and <command>winbindd</command> were
502 written by Tim Potter.</para>
504 <para>The conversion to DocBook for Samba 2.2 was done
505 by Gerald Carter. The conversion to DocBook XML 4.2 for
506 Samba 3.0 was done by Alexander Bokovoy.</para>