NAME

winbindd - Name Service Switch daemon for resolving names

SYNOPSIS

winbindd [-i] [-d <debug level>] [-s <smb config file>]

DESCRIPTION

This program is part of the Samba suite.

winbindd is a daemon that provides a service for the Name Service Switch capability that is present in most modern C libraries. The Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS. The exact behaviour can be configured through the /etc/nsswitch.conf file. Users and groups are allocated as they are resolved to a range of user and group ids specified by the administrator.

The service provided by winbindd is called `winbind' and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module.

The following nsswitch databases are implemented by the winbindd service:

passwd
    User information traditionally stored in the /etc/passwd file.

group
    Group information traditionally stored in the /etc/group file.

For example, the following simple configuration in the /etc/nsswitch.conf file can be used to resolve user and group information first from the local files and then from the Windows NT server.

    passwd: files winbind
    group: files winbind

OPTIONS

-d <debug level>
    Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging and 100 is for reams and reams. To submit a bug report to the Samba Team, use debug level 100 (see BUGS.txt).

-i
    Do not become a daemon and detach from the current terminal. This option is used by developers when interactive debugging is desired.

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned a relative id (rid) which is unique for the domain when the user or group is created. To convert the Windows NT user or group into a unix user or group, a mapping between rids and unix user and group ids is required. This is one of the jobs that winbindd performs.

As winbindd users and groups are resolved from a server, user and group ids are allocated from a specified range. This is done on a first come, first served basis, although all existing users and groups will be mapped as soon as a client performs a user or group enumeration command. The allocated unix ids are stored in a database file under the Samba lock directory and will be remembered.

WARNING: The rid to unix id database is the only location where the user and group mappings are stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd to determine which user and group ids correspond to Windows NT user and group rids.

CONFIGURATION

Configuration of the winbindd daemon is done through configuration parameters in the smb.conf file. All parameters should be specified in the [global] section of smb.conf.

winbind separator
    The winbind separator option allows you to specify how NT domain names and user names are combined into unix user names when presented to users. By default, winbindd will use the traditional '\' separator so that the unix user names look like DOMAIN\username. In some cases this separator character may cause problems as the '\' character has special meaning in unix shells. In that case you can use the winbind separator option to specify an alternative separator character. Good alternatives may be '/' (although that conflicts with the unix directory separator) or a '+' character. The '+' character appears to be the best choice for 100% compatibility with existing unix utilities, but may be an aesthetically bad choice depending on your taste.

    Default: winbind separator = \
    Example: winbind separator = +

winbind uid
    The winbind uid parameter specifies the range of user ids that are allocated by the winbindd daemon. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.

    Default: winbind uid = <empty string>
    Example: winbind uid = 10000-20000

winbind gid
    The winbind gid parameter specifies the range of group ids that are allocated by the winbindd daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

    Default: winbind gid = <empty string>
    Example: winbind gid = 10000-20000

winbind cache time
    This parameter specifies the number of seconds the winbindd daemon will cache user and group information before querying a Windows NT server again. When an item in the cache is older than this time, winbindd will ask the domain controller for the sequence number of the server's account database. If the sequence number has not changed then the cached item is marked as valid for a further winbind cache time seconds. Otherwise the item is fetched from the server. This means that as long as the account database is not actively changing, winbindd will only have to send one sequence number query packet every winbind cache time seconds.

    Default: winbind cache time = 15

winbind enum users
    On large installations it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If the winbind enum users parameter is false, calls to the getpwent system call will not return any data. Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames.

    Default: winbind enum users = yes

winbind enum groups
    On large installations it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is false, calls to the getgrent system call will not return any data. Turning off group enumeration may cause some programs to behave oddly.

    Default: winbind enum groups = no

template homedir
    When filling out the user information for a Windows NT user, the winbindd daemon uses this parameter to fill in the home directory for that user. If the string %D is present it is substituted with the user's Windows NT domain name. If the string %U is present it is substituted with the user's Windows NT user name.

    Default: template homedir = /home/%D/%U

template shell
    When filling out the user information for a Windows NT user, the winbindd daemon uses this parameter to fill in the shell for that user.

    Default: template shell = /bin/false

EXAMPLE SETUP

To set up winbindd for user and group lookups plus authentication from a domain controller, use something like the following setup. This was tested on a RedHat 6.2 Linux box.

In /etc/nsswitch.conf put the following:

    passwd: files winbind
    group: files winbind

Replace the auth lines in your PAM configuration with something like this:

    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_nologin.so
    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok

Note in particular the use of the sufficient keyword and the use_first_pass option.

Now replace the account lines with this:

    account required /lib/security/pam_winbind.so
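The order and control flags of the auth stack above decide who can log in and which module gets the last word. The following Python model is an added example, not part of the winbindd man page or of Samba: it implements the Linux-PAM semantics of the two control flags used above ("required" records a failure but keeps walking the stack; "sufficient" ends the stack with success only if no earlier "required" module has failed, and its own failure is ignored) and walks the page's stack for a few constructed users. Module outcomes come from a hypothetical lookup table rather than real PAM modules, so it runs offline. It also shows why a stack built from "sufficient" lines alone fails closed.

```python
"""Model of how Linux-PAM evaluates the auth stack from the example setup.

Added example (not from the man page). Control-flag semantics follow the
Linux-PAM documentation for "required" and "sufficient"; module outcomes
are supplied by constructed functions instead of real modules.
"""
from typing import Callable, Dict, List, Optional, Tuple

# The auth stack from the example setup, in stack order.
AUTH_STACK: List[Tuple[str, str]] = [
    ("required", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_pwdb.so"),
]


def run_stack(stack: List[Tuple[str, str]],
              outcome: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules_consulted) for one attempt.

    outcome(module) is True when that module would succeed for the user.
    status is the stack's running verdict: None until some module sets it.
    """
    status: Optional[bool] = None
    consulted: List[str] = []
    for control, module in stack:
        consulted.append(module)
        ok = outcome(module)
        if control == "required":
            if not ok:
                status = False          # remembered, but the walk continues
            elif status is None:
                status = True
        elif control == "sufficient":
            if ok and status is not False:
                return True, consulted  # short-circuit: later modules never run
            # a failing "sufficient" module is ignored
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    # No module ever set a verdict (e.g. only "sufficient" lines, all failing):
    # Linux-PAM denies in that case, so the stack fails closed.
    return (status is True), consulted


# Constructed outcome tables for hypothetical users (no real accounts).
def domain_user(module: str) -> bool:          # known to winbind, not in pwdb
    return module != "pam_pwdb.so"

def local_user(module: str) -> bool:           # local account only
    return module != "pam_winbind.so"

def domain_user_insecure_tty(module: str) -> bool:  # securetty rejects the tty
    return module not in ("pam_securetty.so", "pam_pwdb.so")

def unknown_user(module: str) -> bool:         # neither winbind nor pwdb knows it
    return module in ("pam_securetty.so", "pam_nologin.so")


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "domain user": run_stack(AUTH_STACK, domain_user),
        "local user": run_stack(AUTH_STACK, local_user),
        "domain user, insecure tty": run_stack(AUTH_STACK, domain_user_insecure_tty),
        "unknown user": run_stack(AUTH_STACK, unknown_user),
    }


if __name__ == "__main__":
    for name, (ok, consulted) in scenarios().items():
        print(f"{name:28s} {'PASS' if ok else 'FAIL'}  via {' -> '.join(consulted)}")
    # A stack consisting only of "sufficient pam_winbind.so" locks out every local user.
    print("local user, winbind-only stack:",
          run_stack([("sufficient", "pam_winbind.so")], local_user))
```

A domain user is accepted as soon as pam_winbind succeeds, so pam_pwdb is never consulted; a local user falls through the ignored winbind failure to pam_pwdb; and a "required" failure earlier in the stack (pam_securetty here) cannot be rescued by a later "sufficient" success, which is the behaviour the page's warning about PAM misconfiguration is about.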
The next step is to join the domain. To do that use the smbpasswd program like this:

    smbpasswd -j DOMAIN -r PDC -U

The username given after the -U option can be any Domain user that has administrator privileges on the machine. Substitute your domain name for "DOMAIN" and the name of your PDC for "PDC".

Next, install libnss_winbind.so in /lib. A symbolic link needs to be made from /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an older version of glibc then the target of the link should be /lib/libnss_winbind.so.1.

Finally, set up a smb.conf containing directives like the following:

    [global]
    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind uid = 10000-20000
    winbind gid = 10000-20000
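The winbind uid and winbind gid descriptions warn that the allocation ranges must not contain existing local or NIS users and groups. The following script is an added example, not part of the winbindd man page or of Samba: it parses the [global] section of an smb.conf fragment (the one above, embedded inline), extracts both ranges, and reports every passwd or group entry whose numeric id falls inside them. The function names and the sample passwd/group lines are constructed for the example; to check a real host, pass open("/etc/passwd") and open("/etc/group") to check() instead of the inline lists.

```python
"""Report local accounts whose ids fall inside the winbind uid/gid ranges.

Added example (not from the man page). Parsing is deliberately minimal:
smb.conf comment lines start with '#' or ';', keys are case-insensitive,
and a range is written as lo-hi.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_global(smb_conf: str) -> Dict[str, str]:
    """Key/value pairs of the [global] section, keys lower-cased with collapsed whitespace."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'10000-20000' -> (10000, 20000); empty, malformed or inverted -> None."""
    m = RANGE_RE.match(value or "")
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def load_ids(lines: Iterable[str]) -> Dict[str, int]:
    """name -> numeric id from passwd- or group-format lines (field 3 is the id in both)."""
    ids: Dict[str, int] = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def conflicts(rng: Optional[Tuple[int, int]], ids: Dict[str, int]) -> List[str]:
    """Sorted names whose id lies inside rng (inclusive); empty when no range is set."""
    if rng is None:
        return []
    lo, hi = rng
    return sorted(name for name, num in ids.items() if lo <= num <= hi)


def check(smb_conf: str, passwd_lines: Iterable[str],
          group_lines: Iterable[str]) -> Dict[str, List[str]]:
    g = parse_global(smb_conf)
    return {
        "uid": conflicts(parse_range(g.get("winbind uid", "")), load_ids(passwd_lines)),
        "gid": conflicts(parse_range(g.get("winbind gid", "")), load_ids(group_lines)),
    }


# Constructed sample input: the smb.conf from the example setup plus a few local accounts.
SMB_CONF = """
[global]
    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind uid = 10000-20000
    winbind gid = 10000-20000
"""
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:500:500::/home/alice:/bin/bash",
    "buildbot:x:15000:15000::/var/lib/buildbot:/bin/false",  # inside the winbind range
]
GROUP = [
    "root:x:0:",
    "users:x:100:",
    "nisgrp:x:10000:",                                        # exactly on the lower bound
]

if __name__ == "__main__":
    for kind, names in check(SMB_CONF, PASSWD, GROUP).items():
        print(f"{kind}: {'no conflicts' if not names else 'conflicts: ' + ', '.join(names)}")
```

Run it before starting winbindd on a new host: any name it prints is an id that winbindd would also hand out to a Windows NT user, which is exactly the "strange conflicts" the parameter descriptions refer to.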
Now start winbindd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username. You may wish to use the getent passwd and getent group commands to confirm the correct operation of winbindd.

NOTES

The following notes are useful when configuring and running winbindd:

nmbd must be running on the local machine for winbindd to work.

winbindd queries the list of trusted domains for the Windows NT server on startup and when a SIGHUP is received. Thus, for a running winbindd to become aware of new trust relationships between servers, it must be sent a SIGHUP signal.

Client processes resolving names through the winbindd nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated list of Windows NT domain names, then winbindd will only resolve users and groups within those Windows NT domains.

PAM is really easy to misconfigure. Make sure you know what you are doing when modifying PAM configuration files. It is possible to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, then in general the user and group ids allocated by winbindd will not be the same. The user and group ids will only be valid for the local machine.

If the Windows NT RID to UNIX user and group id mapping file is damaged or destroyed then the mappings will be lost.

SIGNALS

The following signals can be used to manipulate the winbindd daemon.

SIGHUP
    Reload the smb.conf file and apply any parameter changes to the running version of winbindd. This signal also clears any cached user and group information. The list of other domains trusted by winbindd is also reloaded.

SIGUSR1
    The SIGUSR1 signal will cause winbindd to write status information to the winbind log file including information about the number of user and group ids allocated by winbindd.

    Log files are stored in the filename specified by the log file parameter.

FILES

/etc/nsswitch.conf(5)
    Name service switch configuration file.

/tmp/.winbindd/pipe
    The UNIX pipe over which clients communicate with the winbindd program. For security reasons, the winbind client will only attempt to connect to the winbindd daemon if both the /tmp/.winbindd directory and the /tmp/.winbindd/pipe file are owned by root.

/lib/libnss_winbind.so.X
    Implementation of name service switch library.

$LOCKDIR/winbindd_idmap.tdb
    Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially compiled using the --with-lockdir option. This directory is by default /usr/local/samba/var/locks.

$LOCKDIR/winbindd_cache.tdb
    Storage for cached user and group information.

VERSION

This man page is correct for version 2.2 of the Samba suite.

SEE ALSO

nsswitch.conf(5), smb.conf(5)

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

winbindd was written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done