| blob | ad54228a6f4d8ca90a5a129e6a710c586d017995 |
1 <HTML
2 ><HEAD
3 ><TITLE
5 ><META
8 ><BODY
15 ><H1
16 ><A
19 ></H1
20 ><DIV
22 ><A
24 ></A
25 ><H2
28 from NT servers</DIV
29 ><DIV
31 ><A
33 ></A
34 ><H2
36 ><P
37 ><B
41 ></DIV
42 ><DIV
44 ><A
46 ></A
47 ><H2
49 ><P
55 ><P
56 ><B
59 > is a daemon that provides
60 a service for the Name Service Switch capability that is present
61 in most modern C libraries. The Name Service Switch allows user
62 and system information to be obtained from different databases
63 services such as NIS or DNS. The exact behaviour can be configured
64 throught the <TT
67 > file.
68 Users and groups are allocated as they are resolved to a range
69 of user and group ids specified by the administrator of the
70 Samba system.</P
71 ><P
75 > is called `winbind' and
76 can be used to resolve user and group information from a
77 Windows NT server. The service can also provide authentication
78 services via an associated PAM module. </P
79 ><P
80 >The following nsswitch databases are implemented by
81 the winbindd service: </P
82 ><P
83 ></P
84 ><DIV
86 ><DL
87 ><DT
89 ><DD
90 ><P
91 >User information traditionally stored in
92 the <TT
95 > file and used by
96 <B
100 ></DD
101 ><DT
103 ><DD
104 ><P
105 >Group information traditionally stored in
106 the <TT
109 > file and used by
110 <B
114 ></DD
115 ></DL
116 ></DIV
117 ><P
118 >For example, the following simple configuration in the
119 <TT
122 > file can be used to initially
123 resolve user and group information from <TT
125 >/etc/passwd
126 </TT
130 > and then from the
131 Windows NT server. </P
132 ><P
133 ><TABLE
137 ><TR
138 ><TD
139 ><PRE
141 >passwd: files winbind
142 group: files winbind
143 </PRE
144 ></TD
145 ></TR
146 ></TABLE
147 ></P
148 ></DIV
149 ><DIV
151 ><A
153 ></A
154 ><H2
156 ><P
157 ></P
158 ><DIV
160 ><DL
161 ><DT
163 ><DD
164 ><P
165 >Sets the debuglevel to an integer between
167 reams. To submit a bug report to the Samba Team, use debug
169 ></DD
170 ><DT
172 ><DD
173 ><P
177 > to not
178 become a daemon and detach from the current terminal. This
179 option is used by developers when interactive debugging
180 of <B
184 ></DD
185 ></DL
186 ></DIV
187 ></DIV
188 ><DIV
190 ><A
192 ></A
193 ><H2
195 ><P
196 >Users and groups on a Windows NT server are assigned
197 a relative id (rid) which is unique for the domain when the
198 user or group is created. To convert the Windows NT user or group
199 into a unix user or group, a mapping between rids and unix user
200 and group ids is required. This is one of the jobs that <B
204 ><P
205 >As winbindd users and groups are resolved from a server, user
206 and group ids are allocated from a specified range. This
207 is done on a first come, first served basis, although all existing
208 users and groups will be mapped as soon as a client performs a user
209 or group enumeration command. The allocated unix ids are stored
210 in a database file under the Samba lock directory and will be
211 remembered. </P
212 ><P
213 >WARNING: The rid to unix id database is the only location
214 where the user and group mappings are stored by winbindd. If this
215 file is deleted or corrupted, there is no way for winbindd to
216 determine which user and group ids correspond to Windows NT user
217 and group rids. </P
218 ></DIV
219 ><DIV
221 ><A
223 ></A
224 ><H2
226 ><P
230 > daemon
231 is done through configuration parameters in the <TT
234 </TT
235 > file. All parameters should be specified in the
236 [global] section of smb.conf. </P
237 ><P
238 ></P
239 ><DIV
241 ><DL
242 ><DT
244 ><DD
245 ><P
246 >The winbind separator option allows you
247 to specify how NT domain names and user names are combined
248 into unix user names when presented to users. By default,
249 <B
252 > will use the traditional '\'
253 separator so that the unix user names look like
254 DOMAIN\username. In some cases this separator character may
255 cause problems as the '\' character has special meaning in
256 unix shells. In that case you can use the winbind separator
257 option to specify an alternative separator character. Good
258 alternatives may be '/' (although that conflicts
259 with the unix directory separator) or a '+ 'character.
260 The '+' character appears to be the best choice for 100%
261 compatibility with existing unix utilities, but may be an
262 aesthetically bad choice depending on your taste. </P
263 ><P
267 >
268 </P
269 ><P
273 ></P
274 ></DD
275 ><DT
277 ><DD
278 ><P
279 >The winbind uid parameter specifies the
280 range of user ids that are allocated by the winbindd daemon.
281 This range of ids should have no existing local or NIS users
282 within it as strange conflicts can occur otherwise. </P
283 ><P
287 </B
288 ></P
289 ><P
293 ></P
294 ></DD
295 ><DT
297 ><DD
298 ><P
299 >The winbind gid parameter specifies the
300 range of group ids that are allocated by the winbindd daemon.
301 This range of group ids should have no existing local or NIS
302 groups within it as strange conflicts can occur otherwise.</P
303 ><P
307 </B
308 ></P
309 ><P
313 </B
314 > </P
315 ></DD
316 ><DT
318 ><DD
319 ><P
320 >This parameter specifies the number of
321 seconds the winbindd daemon will cache user and group information
322 before querying a Windows NT server again. When a item in the
323 cache is older than this time winbindd will ask the domain
324 controller for the sequence number of the server's account database.
325 If the sequence number has not changed then the cached item is
326 marked as valid for a further <TT
328 ><I
329 >winbind cache time
330 </I
331 ></TT
332 > seconds. Otherwise the item is fetched from the
333 server. This means that as long as the account database is not
334 actively changing winbindd will only have to send one sequence
335 number query packet every <TT
337 ><I
338 >winbind cache time
339 </I
340 ></TT
342 ><P
346 >
347 </P
348 ></DD
349 ><DT
351 ><DD
352 ><P
353 >On large installations it may be necessary
354 to suppress the enumeration of users through the <B
360 > and
361 <B
364 > group of system calls. If
365 the <TT
367 ><I
369 ></TT
370 > parameter is false,
371 calls to the <B
374 > system call will not
375 return any data. </P
376 ><P
377 ><EM
379 > Turning off user enumeration
380 may cause some programs to behave oddly. For example, the <B
383 >
384 program relies on having access to the full user list when
385 searching for matching usernames. </P
386 ><P
390 ></P
391 ></DD
392 ><DT
394 ><DD
395 ><P
396 >On large installations it may be necessary
397 to suppress the enumeration of groups through the <B
403 > and
404 <B
407 > group of system calls. If
408 the <TT
410 ><I
412 ></TT
413 > parameter is
414 false, calls to the <B
417 > system
418 call will not return any data. </P
419 ><P
420 ><EM
422 > Turning off group
423 enumeration may cause some programs to behave oddly.
424 </P
425 ><P
429 >
430 </P
431 ></DD
432 ><DT
434 ><DD
435 ><P
436 >When filling out the user information
437 for a Windows NT user, the <B
440 > daemon
441 uses this parameter to fill in the home directory for that user.
442 If the string <TT
444 ><I
446 ></TT
447 > is present it is
448 substituted with the user's Windows NT domain name. If the
449 string <TT
451 ><I
453 ></TT
454 > is present it is substituted
455 with the user's Windows NT user name. </P
456 ><P
460 >
461 </P
462 ></DD
463 ><DT
465 ><DD
466 ><P
467 >When filling out the user information for
468 a Windows NT user, the <B
471 > daemon
472 uses this parameter to fill in the shell for that user.
473 </P
474 ><P
478 >
479 </P
480 ></DD
481 ></DL
482 ></DIV
483 ></DIV
484 ><DIV
486 ><A
488 ></A
489 ><H2
491 ><P
492 >To setup winbindd for user and group lookups plus
493 authentication from a domain controller use something like the
495 ><P
499 > put the
500 following:</P
501 ><P
502 ><TABLE
506 ><TR
507 ><TD
508 ><PRE
510 >passwd: files winbind
511 group: files winbind
512 </PRE
513 ></TD
514 ></TR
515 ></TABLE
516 ></P
517 ><P
521 > replace the
522 <TT
524 ><I
526 ></TT
528 ><P
529 ><TABLE
533 ><TR
534 ><TD
535 ><PRE
537 >auth required /lib/security/pam_securetty.so
538 auth required /lib/security/pam_nologin.so
539 auth sufficient /lib/security/pam_winbind.so
540 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
541 </PRE
542 ></TD
543 ></TR
544 ></TABLE
545 ></P
546 ><P
549 ><I
551 ></TT
552 >
553 keyword and the <TT
555 ><I
557 ></TT
559 ><P
561 ><P
562 ><B
564 >account required /lib/security/pam_winbind.so
565 </B
566 ></P
567 ><P
568 >The next step is to join the domain. To do that use the
569 <B
573 ><P
574 ><B
576 >smbpasswd -j DOMAIN -r PDC -U
577 Administrator</B
578 ></P
579 ><P
582 ><I
584 ></TT
585 > can be any
586 Domain user that has administrator privileges on the machine.
587 Substitute your domain name for "DOMAIN" and the name of your PDC
589 ><P
593 > to
594 <TT
600 >
601 to <TT
604 >. A symbolic link needs to be
605 made from <TT
608 > to
609 <TT
612 >. If you are using an
613 older version of glibc then the target of the link should be
614 <TT
618 ><P
622 > containing directives like the
623 following: </P
624 ><P
625 ><TABLE
629 ><TR
630 ><TD
631 ><PRE
633 >[global]
634 winbind separator = +
635 winbind cache time = 10
636 template shell = /bin/bash
637 template homedir = /home/%D/%U
640 workgroup = DOMAIN
641 security = domain
642 password server = *
643 </PRE
644 ></TD
645 ></TR
646 ></TABLE
647 ></P
648 ><P
649 >Now start winbindd and you should find that your user and
650 group database is expanded to include your NT users and groups,
651 and that you can login to your unix box as a domain user, using
652 the DOMAIN+user syntax for the username. You may wish to use the
653 commands <B
658 >getent group
659 </B
661 ></DIV
662 ><DIV
664 ><A
666 ></A
667 ><H2
669 ><P
670 >The following notes are useful when configuring and
671 running <B
675 ><P
676 ><B
679 > must be running on the local machine
680 for <B
686 >
687 queries the list of trusted domains for the Windows NT server
688 on startup and when a SIGHUP is received. Thus, for a running <B
691 > to become aware of new trust relationships between
692 servers, it must be sent a SIGHUP signal. </P
693 ><P
697 >
698 nsswitch module read an environment variable named <TT
701 >. If this variable contains a comma separated
702 list of Windows NT domain names, then winbindd will only resolve users
703 and groups within those Windows NT domains. </P
704 ><P
705 >PAM is really easy to misconfigure. Make sure you know what
706 you are doing when modifying PAM configuration files. It is possible
707 to set up PAM such that you can no longer log into your system. </P
708 ><P
712 >,
713 then in general the user and groups ids allocated by winbindd will not
714 be the same. The user and group ids will only be valid for the local
715 machine.</P
716 ><P
717 >If the the Windows NT RID to UNIX user and group id mapping
718 file is damaged or destroyed then the mappings will be lost. </P
719 ></DIV
720 ><DIV
722 ><A
724 ></A
725 ><H2
727 ><P
728 >The following signals can be used to manipulate the
729 <B
733 ><P
734 ></P
735 ><DIV
737 ><DL
738 ><DT
740 ><DD
741 ><P
745 >
746 file and apply any parameter changes to the running
747 version of winbindd. This signal also clears any cached
748 user and group information. The list of other domains trusted
749 by winbindd is also reloaded. </P
750 ></DD
751 ><DT
753 ><DD
754 ><P
758 > to write status information to the winbind
759 log file including information about the number of user and
760 group ids allocated by <B
764 ><P
765 >Log files are stored in the filename specified by the
766 log file parameter.</P
767 ></DD
768 ></DL
769 ></DIV
770 ></DIV
771 ><DIV
773 ><A
775 ></A
776 ><H2
778 ><P
779 ></P
780 ><DIV
782 ><DL
783 ><DT
784 ><TT
787 ></DT
788 ><DD
789 ><P
791 ></DD
792 ><DT
794 ><DD
795 ><P
796 >The UNIX pipe over which clients communicate with
797 the <B
800 > program. For security reasons, the
801 winbind client will only attempt to connect to the winbindd daemon
802 if both the <TT
805 > directory
806 and <TT
809 > file are owned by
810 root. </P
811 ></DD
812 ><DT
814 ><DD
815 ><P
816 >Implementation of name service switch library.
817 </P
818 ></DD
819 ><DT
821 ><DD
822 ><P
823 >Storage for the Windows NT rid to UNIX user/group
824 id mapping. The lock directory is specified when Samba is initially
825 compiled using the <TT
827 ><I
829 ></TT
830 > option.
831 This directory is by default <TT
833 >/usr/local/samba/var/locks
834 </TT
836 ></DD
837 ><DT
839 ><DD
840 ><P
841 >Storage for cached user and group information.
842 </P
843 ></DD
844 ></DL
845 ></DIV
846 ></DIV
847 ><DIV
849 ><A
851 ></A
852 ><H2
854 ><P
856 the Samba suite.</P
857 ></DIV
858 ><DIV
860 ><A
862 ></A
863 ><H2
865 ><P
866 ><TT
869 >,
870 <A
874 >,
875 <A
879 >,
880 <A
884 ></P
885 ></DIV
886 ><DIV
888 ><A
890 ></A
891 ><H2
893 ><P
894 >The original Samba software and related utilities
895 were created by Andrew Tridgell. Samba is now developed
896 by the Samba Team as an Open Source project similar
897 to the way the Linux kernel is developed.</P
898 ><P
899 ><B
905 >
906 were written by Tim Potter.</P
907 ><P
909 by Gerald Carter</P
910 ></DIV
911 ></BODY
912 ></HTML
913 >