| blob | 5d76dae2fdcec175d92319c851b74f999c7e2d4c |
1 <HTML
2 ><HEAD
3 ><TITLE
5 ><META
8 ><BODY
15 ><H1
16 ><A
19 ></H1
20 ><DIV
22 ><A
24 ></A
25 ><H2
28 from NT servers</DIV
29 ><DIV
31 ><A
33 ></A
34 ><H2
36 ><P
37 ><B
41 ></DIV
42 ><DIV
44 ><A
46 ></A
47 ><H2
49 ><P
55 ><P
56 ><B
59 > is a daemon that provides
60 a service for the Name Service Switch capability that is present
61 in most modern C libraries. The Name Service Switch allows user
62 and system information to be obtained from different databases
63 services such as NIS or DNS. The exact behaviour can be configured
64 throught the <TT
67 > file.
68 Users and groups are allocated as they are resolved to a range
69 of user and group ids specified by the administrator of the
70 Samba system.</P
71 ><P
75 > is called `winbind' and
76 can be used to resolve user and group information from a
77 Windows NT server. The service can also provide authentication
78 services via an associated PAM module. </P
79 ><P
84 supports the <TT
86 ><I
88 ></TT
91 ><I
93 ></TT
94 >
95 module-types. The latter is simply
96 performs a getpwnam() to verify that the system can obtain a uid for the
97 user. If the <TT
100 > library has been correctly
101 installed, this should always suceed.
102 </P
103 ><P
104 >The following nsswitch databases are implemented by
105 the winbindd service: </P
106 ><P
107 ></P
108 ><DIV
110 ><DL
111 ><DT
113 ><DD
114 ><P
115 >User information traditionally stored in
116 the <TT
119 > file and used by
120 <B
123 > functions. Names are
124 resolved through the WINS server or by broadcast.
125 </P
126 ></DD
127 ><DT
129 ><DD
130 ><P
131 >User information traditionally stored in
132 the <TT
135 > file and used by
136 <B
140 ></DD
141 ><DT
143 ><DD
144 ><P
145 >Group information traditionally stored in
146 the <TT
149 > file and used by
150 <B
154 ></DD
155 ></DL
156 ></DIV
157 ><P
158 >For example, the following simple configuration in the
159 <TT
162 > file can be used to initially
163 resolve user and group information from <TT
165 >/etc/passwd
166 </TT
170 > and then from the
171 Windows NT server. </P
172 ><P
173 ><TABLE
177 ><TR
178 ><TD
179 ><PRE
181 >passwd: files winbind
182 group: files winbind
183 </PRE
184 ></TD
185 ></TR
186 ></TABLE
187 ></P
188 ><P
189 >The following simple configuration in the
190 <TT
193 > file can be used to initially
194 resolve hostnames from <TT
197 > and then from the
198 WINS server.</P
199 ></DIV
200 ><DIV
202 ><A
204 ></A
205 ><H2
207 ><P
208 ></P
209 ><DIV
211 ><DL
212 ><DT
214 ><DD
215 ><P
216 >Sets the debuglevel to an integer between
218 reams. To submit a bug report to the Samba Team, use debug
220 ></DD
221 ><DT
223 ><DD
224 ><P
228 > to not
229 become a daemon and detach from the current terminal. This
230 option is used by developers when interactive debugging
231 of <B
235 ></DD
236 ></DL
237 ></DIV
238 ></DIV
239 ><DIV
241 ><A
243 ></A
244 ><H2
246 ><P
247 >Users and groups on a Windows NT server are assigned
248 a relative id (rid) which is unique for the domain when the
249 user or group is created. To convert the Windows NT user or group
250 into a unix user or group, a mapping between rids and unix user
251 and group ids is required. This is one of the jobs that <B
255 ><P
256 >As winbindd users and groups are resolved from a server, user
257 and group ids are allocated from a specified range. This
258 is done on a first come, first served basis, although all existing
259 users and groups will be mapped as soon as a client performs a user
260 or group enumeration command. The allocated unix ids are stored
261 in a database file under the Samba lock directory and will be
262 remembered. </P
263 ><P
264 >WARNING: The rid to unix id database is the only location
265 where the user and group mappings are stored by winbindd. If this
266 file is deleted or corrupted, there is no way for winbindd to
267 determine which user and group ids correspond to Windows NT user
268 and group rids. </P
269 ></DIV
270 ><DIV
272 ><A
274 ></A
275 ><H2
277 ><P
281 > daemon
282 is done through configuration parameters in the <TT
285 </TT
286 > file. All parameters should be specified in the
287 [global] section of smb.conf. </P
288 ><P
289 ></P
290 ><DIV
292 ><DL
293 ><DT
295 ><DD
296 ><P
297 >The winbind separator option allows you
298 to specify how NT domain names and user names are combined
299 into unix user names when presented to users. By default,
300 <B
303 > will use the traditional '\'
304 separator so that the unix user names look like
305 DOMAIN\username. In some cases this separator character may
306 cause problems as the '\' character has special meaning in
307 unix shells. In that case you can use the winbind separator
308 option to specify an alternative separator character. Good
309 alternatives may be '/' (although that conflicts
310 with the unix directory separator) or a '+ 'character.
311 The '+' character appears to be the best choice for 100%
312 compatibility with existing unix utilities, but may be an
313 aesthetically bad choice depending on your taste. </P
314 ><P
318 >
319 </P
320 ><P
324 ></P
325 ></DD
326 ><DT
328 ><DD
329 ><P
330 >The winbind uid parameter specifies the
331 range of user ids that are allocated by the winbindd daemon.
332 This range of ids should have no existing local or NIS users
333 within it as strange conflicts can occur otherwise. </P
334 ><P
338 </B
339 ></P
340 ><P
344 ></P
345 ></DD
346 ><DT
348 ><DD
349 ><P
350 >The winbind gid parameter specifies the
351 range of group ids that are allocated by the winbindd daemon.
352 This range of group ids should have no existing local or NIS
353 groups within it as strange conflicts can occur otherwise.</P
354 ><P
358 </B
359 ></P
360 ><P
364 </B
365 > </P
366 ></DD
367 ><DT
369 ><DD
370 ><P
371 >This parameter specifies the number of
372 seconds the winbindd daemon will cache user and group information
373 before querying a Windows NT server again. When a item in the
374 cache is older than this time winbindd will ask the domain
375 controller for the sequence number of the server's account database.
376 If the sequence number has not changed then the cached item is
377 marked as valid for a further <TT
379 ><I
380 >winbind cache time
381 </I
382 ></TT
383 > seconds. Otherwise the item is fetched from the
384 server. This means that as long as the account database is not
385 actively changing winbindd will only have to send one sequence
386 number query packet every <TT
388 ><I
389 >winbind cache time
390 </I
391 ></TT
393 ><P
397 >
398 </P
399 ></DD
400 ><DT
402 ><DD
403 ><P
404 >On large installations it may be necessary
405 to suppress the enumeration of users through the <B
411 > and
412 <B
415 > group of system calls. If
416 the <TT
418 ><I
420 ></TT
421 > parameter is false,
422 calls to the <B
425 > system call will not
426 return any data. </P
427 ><P
428 ><EM
430 > Turning off user enumeration
431 may cause some programs to behave oddly. For example, the <B
434 >
435 program relies on having access to the full user list when
436 searching for matching usernames. </P
437 ><P
441 ></P
442 ></DD
443 ><DT
445 ><DD
446 ><P
447 >On large installations it may be necessary
448 to suppress the enumeration of groups through the <B
454 > and
455 <B
458 > group of system calls. If
459 the <TT
461 ><I
463 ></TT
464 > parameter is
465 false, calls to the <B
468 > system
469 call will not return any data. </P
470 ><P
471 ><EM
473 > Turning off group
474 enumeration may cause some programs to behave oddly.
475 </P
476 ><P
480 >
481 </P
482 ></DD
483 ><DT
485 ><DD
486 ><P
487 >When filling out the user information
488 for a Windows NT user, the <B
491 > daemon
492 uses this parameter to fill in the home directory for that user.
493 If the string <TT
495 ><I
497 ></TT
498 > is present it is
499 substituted with the user's Windows NT domain name. If the
500 string <TT
502 ><I
504 ></TT
505 > is present it is substituted
506 with the user's Windows NT user name. </P
507 ><P
511 >
512 </P
513 ></DD
514 ><DT
516 ><DD
517 ><P
518 >When filling out the user information for
519 a Windows NT user, the <B
522 > daemon
523 uses this parameter to fill in the shell for that user.
524 </P
525 ><P
529 >
530 </P
531 ></DD
532 ></DL
533 ></DIV
534 ></DIV
535 ><DIV
537 ><A
539 ></A
540 ><H2
542 ><P
543 >To setup winbindd for user and group lookups plus
544 authentication from a domain controller use something like the
546 ><P
550 > put the
551 following:</P
552 ><P
553 ><TABLE
557 ><TR
558 ><TD
559 ><PRE
561 >passwd: files winbind
562 group: files winbind
563 </PRE
564 ></TD
565 ></TR
566 ></TABLE
567 ></P
568 ><P
572 > replace the
573 <TT
575 ><I
577 ></TT
579 ><P
580 ><TABLE
584 ><TR
585 ><TD
586 ><PRE
588 >auth required /lib/security/pam_securetty.so
589 auth required /lib/security/pam_nologin.so
590 auth sufficient /lib/security/pam_winbind.so
591 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
592 </PRE
593 ></TD
594 ></TR
595 ></TABLE
596 ></P
597 ><P
600 ><I
602 ></TT
603 >
604 keyword and the <TT
606 ><I
608 ></TT
610 ><P
612 ><P
613 ><B
615 >account required /lib/security/pam_winbind.so
616 </B
617 ></P
618 ><P
619 >The next step is to join the domain. To do that use the
620 <B
624 ><P
625 ><B
627 >smbpasswd -j DOMAIN -r PDC -U
628 Administrator</B
629 ></P
630 ><P
633 ><I
635 ></TT
636 > can be any
637 Domain user that has administrator privileges on the machine.
638 Substitute your domain name for "DOMAIN" and the name of your PDC
640 ><P
644 > to
645 <TT
651 >
652 to <TT
655 >. A symbolic link needs to be
656 made from <TT
659 > to
660 <TT
663 >. If you are using an
664 older version of glibc then the target of the link should be
665 <TT
669 ><P
673 > containing directives like the
674 following: </P
675 ><P
676 ><TABLE
680 ><TR
681 ><TD
682 ><PRE
684 >[global]
685 winbind separator = +
686 winbind cache time = 10
687 template shell = /bin/bash
688 template homedir = /home/%D/%U
691 workgroup = DOMAIN
692 security = domain
693 password server = *
694 </PRE
695 ></TD
696 ></TR
697 ></TABLE
698 ></P
699 ><P
700 >Now start winbindd and you should find that your user and
701 group database is expanded to include your NT users and groups,
702 and that you can login to your unix box as a domain user, using
703 the DOMAIN+user syntax for the username. You may wish to use the
704 commands <B
709 >getent group
710 </B
712 ></DIV
713 ><DIV
715 ><A
717 ></A
718 ><H2
720 ><P
721 >The following notes are useful when configuring and
722 running <B
726 ><P
727 ><B
730 > must be running on the local machine
731 for <B
737 >
738 queries the list of trusted domains for the Windows NT server
739 on startup and when a SIGHUP is received. Thus, for a running <B
742 > to become aware of new trust relationships between
743 servers, it must be sent a SIGHUP signal. </P
744 ><P
748 >
749 nsswitch module read an environment variable named <TT
752 >. If this variable contains a comma separated
753 list of Windows NT domain names, then winbindd will only resolve users
754 and groups within those Windows NT domains. </P
755 ><P
756 >PAM is really easy to misconfigure. Make sure you know what
757 you are doing when modifying PAM configuration files. It is possible
758 to set up PAM such that you can no longer log into your system. </P
759 ><P
763 >,
764 then in general the user and groups ids allocated by winbindd will not
765 be the same. The user and group ids will only be valid for the local
766 machine.</P
767 ><P
768 >If the the Windows NT RID to UNIX user and group id mapping
769 file is damaged or destroyed then the mappings will be lost. </P
770 ></DIV
771 ><DIV
773 ><A
775 ></A
776 ><H2
778 ><P
779 >The following signals can be used to manipulate the
780 <B
784 ><P
785 ></P
786 ><DIV
788 ><DL
789 ><DT
791 ><DD
792 ><P
796 >
797 file and apply any parameter changes to the running
798 version of winbindd. This signal also clears any cached
799 user and group information. The list of other domains trusted
800 by winbindd is also reloaded. </P
801 ></DD
802 ><DT
804 ><DD
805 ><P
809 > to write status information to the winbind
810 log file including information about the number of user and
811 group ids allocated by <B
815 ><P
816 >Log files are stored in the filename specified by the
817 log file parameter.</P
818 ></DD
819 ></DL
820 ></DIV
821 ></DIV
822 ><DIV
824 ><A
826 ></A
827 ><H2
829 ><P
830 ></P
831 ><DIV
833 ><DL
834 ><DT
835 ><TT
838 ></DT
839 ><DD
840 ><P
842 ></DD
843 ><DT
845 ><DD
846 ><P
847 >The UNIX pipe over which clients communicate with
848 the <B
851 > program. For security reasons, the
852 winbind client will only attempt to connect to the winbindd daemon
853 if both the <TT
856 > directory
857 and <TT
860 > file are owned by
861 root. </P
862 ></DD
863 ><DT
865 ><DD
866 ><P
867 >Implementation of name service switch library.
868 </P
869 ></DD
870 ><DT
872 ><DD
873 ><P
874 >Storage for the Windows NT rid to UNIX user/group
875 id mapping. The lock directory is specified when Samba is initially
876 compiled using the <TT
878 ><I
880 ></TT
881 > option.
882 This directory is by default <TT
884 >/usr/local/samba/var/locks
885 </TT
887 ></DD
888 ><DT
890 ><DD
891 ><P
892 >Storage for cached user and group information.
893 </P
894 ></DD
895 ></DL
896 ></DIV
897 ></DIV
898 ><DIV
900 ><A
902 ></A
903 ><H2
905 ><P
907 the Samba suite.</P
908 ></DIV
909 ><DIV
911 ><A
913 ></A
914 ><H2
916 ><P
917 ><TT
920 >,
921 <A
925 >,
926 <A
930 >,
931 <A
935 ></P
936 ></DIV
937 ><DIV
939 ><A
941 ></A
942 ><H2
944 ><P
945 >The original Samba software and related utilities
946 were created by Andrew Tridgell. Samba is now developed
947 by the Samba Team as an Open Source project similar
948 to the way the Linux kernel is developed.</P
949 ><P
950 ><B
956 >
957 were written by Tim Potter.</P
958 ><P
960 by Gerald Carter</P
961 ></DIV
962 ></BODY
963 ></HTML
964 >