1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
11 <firstname>Tim</firstname><surname>Potter</surname>
13 <orgname>Samba Team</orgname>
14 <address><email>tpot@linuxcare.com.au</email></address>
19 <firstname>Naag</firstname><surname>Mummaneni</surname>
21 <address><email>getnag@rediffmail.com</email></address>
23 <contrib>Notes for Solaris</contrib>
26 <firstname>John</firstname><surname>Trostel</surname>
28 <address><email>jtrostel@snapserver.com</email></address>
29 <orgname>SNAP</orgname>
35 <pubdate>27 June 2002</pubdate>
38 <title>Winbind: Use of Domain Accounts</title>
41 <title>Features and Benefits</title>
44 Integration of UNIX and Microsoft Windows NT through a unified logon has
45 been considered a <quote>holy grail</quote> in heterogeneous computing environments for
50 There is one other facility without which UNIX and Microsoft Windows network
51 interoperability would suffer greatly. It is imperative that there be a
52 mechanism for sharing files across UNIX systems and to be able to assign
53 domain user and group ownerships with integrity.
57 <emphasis>winbind</emphasis> is a component of the Samba suite of programs that
58 solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
59 RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
60 allow Windows NT domain users to appear and operate as UNIX users on a UNIX
61 machine. This chapter describes the Winbind system, explaining the functionality
62 it provides, how it is configured, and how it works internally.
66 Winbind provides three separate functions:
71 Authentication of user credentials (via PAM).
75 Identity resolution (via NSS).
79 Winbind maintains a database called winbind_idmap.tdb in which it stores
80 mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
81 for users and groups that do not have a local UID/GID. It stored the UID/GID
82 allocated from the idmap uid/gid range that it has mapped to the NT SID.
83 If <parameter>idmap backend</parameter> has been specified as ldapsam:url
84 then instead of using a local mapping Winbind will obtain this information
85 from the LDAP database.
90 <indexterm><primary>winbindd</primary></indexterm>
91 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
92 If <command>winbindd</command> is not running, smbd (which calls <command>winbindd</command>) will fall back to
93 using purely local information from <filename>/etc/passwd</filename> and <filename>/etc/group</filename> and no dynamic
98 <image id="winbind_idmap">
99 <imagedescription>Winbind Idmap</imagedescription>
100 <imagefile scale="50">idmap_winbind_no_loop</imagefile>
107 <title>Introduction</title>
109 <para>It is well known that UNIX and Microsoft Windows NT have
110 different models for representing user and group information and
111 use different technologies for implementing them. This fact has
112 made it difficult to integrate the two systems in a satisfactory
115 <para>One common solution in use today has been to create
116 identically named user accounts on both the UNIX and Windows systems
117 and use the Samba suite of programs to provide file and print services
118 between the two. This solution is far from perfect, however, as
119 adding and deleting users on both sets of machines becomes a chore
120 and two sets of passwords are required &smbmdash; both of which
121 can lead to synchronization problems between the UNIX and Windows
122 systems and confusion for users.</para>
124 <para>We divide the unified logon problem for UNIX machines into
125 three smaller problems:</para>
128 <listitem><para>Obtaining Windows NT user and group information.
131 <listitem><para>Authenticating Windows NT users.
134 <listitem><para>Password changing for Windows NT users.
139 <para>Ideally, a prospective solution to the unified logon problem
140 would satisfy all the above components without duplication of
141 information on the UNIX machines and without creating additional
142 tasks for the system administrator when maintaining users and
143 groups on either system. The Winbind system provides a simple
144 and elegant solution to all three components of the unified logon
150 <title>What Winbind Provides</title>
152 <para>Winbind unifies UNIX and Windows NT account management by
153 allowing a UNIX box to become a full member of an NT domain. Once
154 this is done the UNIX box will see NT users and groups as if
155 they were <quote>native</quote> UNIX users and groups, allowing the NT domain
156 to be used in much the same manner that NIS+ is used within
157 UNIX-only environments.</para>
159 <para>The end result is that whenever any
160 program on the UNIX machine asks the operating system to lookup
161 a user or group name, the query will be resolved by asking the
162 NT Domain Controller for the specified domain to do the lookup.
163 Because Winbind hooks into the operating system at a low level
164 (via the NSS name resolution modules in the C library), this
165 redirection to the NT Domain Controller is completely
168 <para>Users on the UNIX machine can then use NT user and group
169 names as they would <quote>native</quote> UNIX names. They can chown files
170 so they are owned by NT domain users or even login to the
171 UNIX machine and run a UNIX X-Window session as a domain user.</para>
173 <para>The only obvious indication that Winbind is being used is
174 that user and group names take the form <constant>DOMAIN\user</constant> and
175 <constant>DOMAIN\group</constant>. This is necessary as it allows Winbind to determine
176 that redirection to a Domain Controller is wanted for a particular
177 lookup and which trusted domain is being referenced.</para>
179 <para>Additionally, Winbind provides an authentication service
180 that hooks into the Pluggable Authentication Modules (PAM) system
181 to provide authentication via an NT domain to any PAM-enabled
182 applications. This capability solves the problem of synchronizing
183 passwords between systems since all passwords are stored in a single
184 location (on the Domain Controller).</para>
187 <title>Target Uses</title>
189 <para>Winbind is targeted at organizations that have an
190 existing NT-based domain infrastructure into which they wish
191 to put UNIX workstations or servers. Winbind will allow these
192 organizations to deploy UNIX workstations without having to
193 maintain a separate account infrastructure. This greatly
194 simplifies the administrative overhead of deploying UNIX
195 workstations into an NT-based organization.</para>
197 <para>Another interesting way in which we expect Winbind to
198 be used is as a central part of UNIX-based appliances. Appliances
199 that provide file and print services to Microsoft-based networks
200 will be able to use Winbind to provide seamless integration of
201 the appliance into the domain.</para>
208 <title>How Winbind Works</title>
210 <para>The Winbind system is designed around a client/server
211 architecture. A long running <command>winbindd</command> daemon
212 listens on a UNIX domain socket waiting for requests
213 to arrive. These requests are generated by the NSS and PAM
214 clients and is processed sequentially.</para>
216 <para>The technologies used to implement Winbind are described
217 in detail below.</para>
220 <title>Microsoft Remote Procedure Calls</title>
222 <para>Over the last few years, efforts have been underway
223 by various Samba Team members to decode various aspects of
224 the Microsoft Remote Procedure Call (MSRPC) system. This
225 system is used for most network-related operations between
226 Windows NT machines including remote management, user authentication
227 and print spooling. Although initially this work was done
228 to aid the implementation of Primary Domain Controller (PDC)
229 functionality in Samba, it has also yielded a body of code that
230 can be used for other purposes.</para>
232 <para>Winbind uses various MSRPC calls to enumerate domain users
233 and groups and to obtain detailed information about individual
234 users or groups. Other MSRPC calls can be used to authenticate
235 NT domain users and to change user passwords. By directly querying
236 a Windows PDC for user and group information, Winbind maps the
237 NT account information onto UNIX user and group names.</para>
241 <title>Microsoft Active Directory Services</title>
244 Since late 2001, Samba has gained the ability to
245 interact with Microsoft Windows 2000 using its <quote>Native
246 Mode</quote> protocols, rather than the NT4 RPC services.
247 Using LDAP and Kerberos, a Domain Member running
248 Winbind can enumerate users and groups in exactly the
249 same way as a Windows 200x client would, and in so doing
250 provide a much more efficient and effective Winbind implementation.
255 <title>Name Service Switch</title>
257 <para>The Name Service Switch, or NSS, is a feature that is
258 present in many UNIX operating systems. It allows system
259 information such as hostnames, mail aliases and user information
260 to be resolved from different sources. For example, a standalone
261 UNIX workstation may resolve system information from a series of
262 flat files stored on the local filesystem. A networked workstation
263 may first attempt to resolve system information from local files,
264 and then consult an NIS database for user information or a DNS server
265 for hostname information.</para>
267 <para>The NSS application programming interface allows Winbind
268 to present itself as a source of system information when
269 resolving UNIX usernames and groups. Winbind uses this interface,
270 and information obtained from a Windows NT server using MSRPC
271 calls to provide a new source of account enumeration. Using standard
272 UNIX library calls, one can enumerate the users and groups on
273 a UNIX machine running Winbind and see all users and groups in
274 a NT domain plus any trusted domain as though they were local
275 users and groups.</para>
277 <para>The primary control file for NSS is
278 <filename>/etc/nsswitch.conf</filename>.
279 When a UNIX application makes a request to do a lookup,
280 the C library looks in <filename>/etc/nsswitch.conf</filename>
281 for a line that matches the service type being requested, for
282 example the <quote>passwd</quote> service type is used when user or group names
283 are looked up. This config line specifies which implementations
284 of that service should be tried and in what order. If the passwd
285 config line is:</para>
288 passwd: files example
291 <para>then the C library will first load a module called
292 <filename>/lib/libnss_files.so</filename> followed by
293 the module <filename>/lib/libnss_example.so</filename>. The
294 C library will dynamically load each of these modules in turn
295 and call resolver functions within the modules to try to resolve
296 the request. Once the request is resolved, the C library returns the
297 result to the application.</para>
299 <para>This NSS interface provides an easy way for Winbind
300 to hook into the operating system. All that needs to be done
301 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
302 then add <quote>winbind</quote> into <filename>/etc/nsswitch.conf</filename> at
303 the appropriate place. The C library will then call Winbind to
304 resolve user and group names.</para>
308 <title>Pluggable Authentication Modules</title>
310 <para>Pluggable Authentication Modules, also known as PAM,
311 is a system for abstracting authentication and authorization
312 technologies. With a PAM module it is possible to specify different
313 authentication methods for different system applications without
314 having to recompile these applications. PAM is also useful
315 for implementing a particular policy for authorization. For example,
316 a system administrator may only allow console logins from users
317 stored in the local password file but only allow users resolved from
318 a NIS database to log in over the network.</para>
320 <para>Winbind uses the authentication management and password
321 management PAM interface to integrate Windows NT users into a
322 UNIX system. This allows Windows NT users to log in to a UNIX
323 machine and be authenticated against a suitable Primary Domain
324 Controller. These users can also change their passwords and have
325 this change take effect directly on the Primary Domain Controller.
328 <para>PAM is configured by providing control files in the directory
329 <filename>/etc/pam.d/</filename> for each of the services that
330 require authentication. When an authentication request is made
331 by an application, the PAM code in the C library looks up this
332 control file to determine what modules to load to do the
333 authentication check and in what order. This interface makes adding
334 a new authentication service for Winbind very easy. All that needs
335 to be done is that the <filename>pam_winbind.so</filename> module
336 is copied to <filename>/lib/security/</filename> and the PAM
337 control files for relevant services are updated to allow
338 authentication via Winbind. See the PAM documentation
339 in <link linkend="pam">PAM-Based Distributed Authentication</link> for more information.</para>
344 <title>User and Group ID Allocation</title>
346 <para>When a user or group is created under Windows NT/200x
347 it is allocated a numerical relative identifier (RID). This is
348 slightly different from UNIX which has a range of numbers that are
349 used to identify users, and the same range in which to identify
350 groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
351 vice versa. When Winbind is configured, it is given part of the UNIX
352 user ID space and a part of the UNIX group ID space in which to
353 store Windows NT users and groups. If a Windows NT user is
354 resolved for the first time, it is allocated the next UNIX ID from
355 the range. The same process applies for Windows NT groups. Over
356 time, Winbind will have mapped all Windows NT users and groups
357 to UNIX user IDs and group IDs.</para>
359 <para>The results of this mapping are stored persistently in
360 an ID mapping database held in a tdb database). This ensures that
361 RIDs are mapped to UNIX IDs in a consistent way.</para>
366 <title>Result Caching</title>
369 <indexterm><primary>SAM</primary></indexterm>
370 An active system can generate a lot of user and group
371 name lookups. To reduce the network cost of these lookups, Winbind
372 uses a caching scheme based on the SAM sequence number supplied
373 by NT Domain Controllers. User or group information returned
374 by a PDC is cached by Winbind along with a sequence number also
375 returned by the PDC. This sequence number is incremented by
376 Windows NT whenever any user or group information is modified. If
377 a cached entry has expired, the sequence number is requested from
378 the PDC and compared against the sequence number of the cached entry.
379 If the sequence numbers do not match, then the cached information
380 is discarded and up-to-date information is requested directly
387 <title>Installation and Configuration</title>
390 <title>Introduction</title>
393 This section describes the procedures used to get Winbind up and
394 running. Winbind is capable of providing access
395 and authentication control for Windows Domain users through an NT
396 or Windows 200x PDC for regular services, such as telnet and ftp, as
397 well for Samba services.
403 <emphasis>Why should I do this?</emphasis>
406 <para>This allows the Samba administrator to rely on the
407 authentication mechanisms on the Windows NT/200x PDC for the authentication
408 of Domain Members. Windows NT/200x users no longer need to have separate
409 accounts on the Samba server.
415 <emphasis>Who should be reading this document?</emphasis>
419 This document is designed for system administrators. If you are
420 implementing Samba on a file server and wish to (fairly easily)
421 integrate existing Windows NT/200x users from your PDC onto the
422 Samba server, this document is for you.
430 <title>Requirements</title>
433 If you have a Samba configuration file that you are currently using, <emphasis>BACK IT UP!</emphasis>
434 If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory
435 contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE NOW!</emphasis>
439 Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
440 why you want to be able to boot back into your machine in single user mode and restore your
441 <filename>/etc/pam.d</filename> back to the original state they were in if you get frustrated with the
442 way things are going.
446 The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink
447 url="http://samba.org/">main Samba Web page</ulink> or, better yet, your closest Samba mirror site for
448 instructions on downloading the source code.
452 To allow domain users the ability to access Samba shares and files, as well as potentially other services
453 provided by your Samba machine, PAM must be set up properly on your
454 machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
455 on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
460 <title>Testing Things Out</title>
463 Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
464 Kill off all &smbd;, &nmbd;, and &winbindd; processes that may be running. To use PAM,
465 make sure that you have the standard PAM package that supplies the <filename>/etc/pam.d</filename>
466 directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
467 and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built
468 better in Samba if the pam-devel package is also installed. This package includes the header files
469 needed to compile PAM-aware applications.
473 <title>Configure <filename>nsswitch.conf</filename> and the Winbind Libraries on Linux and Solaris</title>
476 PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
477 the <filename>pam-devel</filename> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
478 may auto-install the Winbind files into their correct locations on your system, so before you get too far down
479 the track be sure to check if the following configuration is really
480 necessary. You may only need to configure
481 <filename>/etc/nsswitch.conf</filename>.
485 The libraries needed to run the &winbindd; daemon through nsswitch need to be copied to their proper locations:
490 &rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
495 I also found it necessary to make the following symbolic link:
499 &rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
502 <para>And, in the case of Sun Solaris:</para>
504 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
505 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
506 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
510 Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
511 allow user and group entries to be visible from the &winbindd;
512 daemon. My <filename>/etc/nsswitch.conf</filename> file look like
516 <para><programlisting>
517 passwd: files winbind
520 </programlisting></para>
523 The libraries needed by the <command>winbindd</command> daemon will be automatically
524 entered into the <command>ldconfig</command> cache the next time
525 your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
529 &rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
533 This makes <filename>libnss_winbind</filename> available to winbindd
534 and echos back a check to you.
540 <title>NSS Winbind on AIX</title>
542 <para>(This section is only for those running AIX.)</para>
545 The Winbind AIX identification module gets built as <filename>libnss_winbind.so</filename> in the
546 nsswitch directory of the Samba source. This file can be copied to <filename>/usr/lib/security</filename>,
547 and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
550 <para><programlisting>
552 program = /usr/lib/security/WINBIND
554 </programlisting></para>
557 can then be added to <filename>/usr/lib/security/methods.cfg</filename>. This module only supports
558 identification, but there have been success reports using the standard Winbind PAM module for
559 authentication. Use caution configuring loadable authentication
560 modules since you can make
561 it impossible to logon to the system. More information about the AIX authentication module API can
562 be found at <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote><ulink
563 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
564 in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
565 Interface</ulink> and more information on administering the modules
566 can be found at <ulink
567 url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm"> <quote>System
568 Management Guide: Operating System and Devices.</quote></ulink>
573 <title>Configure smb.conf</title>
576 Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These
577 are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle>
578 <manvolnum>8</manvolnum></citerefentry> man page. My &smb.conf; file, as shown in <link
579 linkend="winbindcfg">the next example</link>, was modified to include the necessary entries in the [global] section.
582 <para><smbconfexample id="winbindcfg">
583 <title>smb.conf for Winbind set-up</title>
584 <smbconfsection>[global]</smbconfsection>
586 <smbconfcomment> separate domain and username with '+', like DOMAIN+username</smbconfcomment>
587 <smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
588 <smbconfcomment> use uids from 10000 to 20000 for domain users</smbconfcomment>
589 <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
590 <smbconfcomment> use gids from 10000 to 20000 for domain groups</smbconfcomment>
591 <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
592 <smbconfcomment> allow enumeration of winbind users and groups</smbconfcomment>
593 <smbconfoption><name>winbind enum users</name><value>yes</value></smbconfoption>
594 <smbconfoption><name>winbind enum groups</name><value>yes</value></smbconfoption>
595 <smbconfcomment> give winbind users a real shell (only needed if they have telnet access)</smbconfcomment>
596 <smbconfoption><name>template homedir</name><value>/home/winnt/%D/%U</value></smbconfoption>
597 <smbconfoption><name>template shell</name><value>/bin/bash</value></smbconfoption>
598 </smbconfexample></para>
604 <title>Join the Samba Server to the PDC Domain</title>
607 Enter the following command to make the Samba server join the
608 PDC domain, where <replaceable>PDC</replaceable> is the name of
609 your PDC and <replaceable>Administrator</replaceable> is
610 a domain user who has administrative privileges in the domain.
615 &rootprompt;<userinput>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</userinput>
619 The proper response to the command should be: <quote>Joined the domain
620 <replaceable>DOMAIN</replaceable></quote> where <replaceable>DOMAIN</replaceable>
627 <title>Starting and Testing the <command>winbindd</command> Daemon</title>
630 Eventually, you will want to modify your Samba startup script to
631 automatically invoke the winbindd daemon when the other parts of
632 Samba start, but it is possible to test out just the Winbind
633 portion first. To start up Winbind services, enter the following
638 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd</userinput>
642 The above assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
643 directory tree. You may need to search for the location of Samba files if this is not the
644 location of <command>winbindd</command> on your system.
648 Winbindd can now also run in <quote>dual daemon mode</quote>. This will make it
649 run as two processes. The first will answer all requests from the cache,
650 thus making responses to clients faster. The other will
651 update the cache for the query that the first has just responded.
652 The advantage of this is that responses stay accurate and are faster.
653 You can enable dual daemon mode by adding <option>-B</option> to the command-line:
657 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd -B</userinput>
661 I'm always paranoid and like to make sure the daemon is really running.
665 &rootprompt;<userinput>ps -ae | grep winbindd</userinput>
668 This command should produce output like this, if the daemon is running you would expect
669 to see a report something like this:
672 3025 ? 00:00:00 winbindd
676 Now, for the real test, try to get some information about the users on your PDC:
680 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
684 This should echo back a list of users on your Windows users on
685 your PDC. For example, I get the following response:
698 Obviously, I have named my domain <quote>CEO</quote> and my <smbconfoption><name>winbind separator</name></smbconfoption> is <quote>+</quote>.
702 You can do the same sort of thing to get group information from the PDC:
706 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
711 CEO+Domain Controllers
714 CEO+Enterprise Admins
715 CEO+Group Policy Creator Owners
719 The function <command>getent</command> can now be used to get unified
720 lists of both local and PDC users and groups. Try the following command:
724 &rootprompt;<userinput>getent passwd</userinput>
728 You should get a list that looks like your <filename>/etc/passwd</filename>
729 list followed by the domain users with their new UIDs, GIDs, home
730 directories and default shells.
734 The same thing can be done for groups with the command:
738 &rootprompt;<userinput>getent group</userinput>
745 <title>Fix the init.d Startup Scripts</title>
751 The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running.
752 To accomplish this task, you need to modify the startup scripts of your system.
753 They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and they are located in
754 <filename>/etc/init.d/samba</filename> in Debian Linux. Edit your
755 script to add commands to invoke this daemon in the proper sequence. My
756 startup script starts up &smbd;, &nmbd;, and &winbindd; from the
757 <filename>/usr/local/samba/bin</filename> directory directly. The <command>start</command>
758 function in the script looks like this:
761 <para><programlisting>
764 echo -n $"Starting $KIND services: "
765 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
769 echo -n $"Starting $KIND services: "
770 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
774 echo -n $"Starting $KIND services: "
775 daemon /usr/local/samba/sbin/winbindd
778 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
779 touch /var/lock/subsys/smb || RETVAL=1
782 </programlisting></para>
784 <para>If you would like to run winbindd in dual daemon mode, replace
787 daemon /usr/local/samba/sbin/winbindd
790 in the example above with:
793 daemon /usr/local/samba/sbin/winbindd -B
798 The <command>stop</command> function has a corresponding entry to shut down the
799 services and looks like this:
802 <para><programlisting>
805 echo -n $"Shutting down $KIND services: "
810 echo -n $"Shutting down $KIND services: "
815 echo -n $"Shutting down $KIND services: "
818 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
819 rm -f /var/lock/subsys/smb
823 </programlisting></para>
827 <title>Solaris</title>
830 Winbind does not work on Solaris 9, see <link linkend="winbind-solaris9">Winbind on Solaris 9</link> section for details.
834 On Solaris, you need to modify the <filename>/etc/init.d/samba.server</filename> startup script. It
835 usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
836 <filename>/usr/local/samba/bin</filename>, the file could contains something like this:
840 <smbfile name="samba.server.sh">
847 then # /usr not mounted
851 killproc() { # kill the named process(es)
852 pid=`/usr/bin/ps -e |
853 /usr/bin/grep -w $1 |
854 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
855 [ "$pid" != "" ] && kill $pid
858 # Start/stop processes required for Samba server
864 # Edit these lines to suit your installation (paths, workgroup, host)
867 /usr/local/samba/bin/smbd -D -s \
868 /usr/local/samba/smb.conf
871 /usr/local/samba/bin/nmbd -D -l \
872 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
874 echo Starting Winbind Daemon
875 /usr/local/samba/sbin/winbindd
885 echo "Usage: /etc/init.d/samba.server { start | stop }"
888 </programlisting></smbfile></para>
891 Again, if you would like to run Samba in dual daemon mode, replace:
893 /usr/local/samba/sbin/winbindd
895 in the script above with:
897 /usr/local/samba/sbin/winbindd -B
904 <title>Restarting</title>
906 If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
907 should be able to connect to the Samba server as a Domain Member just as
908 if you were a local user.
914 <title>Configure Winbind and PAM</title>
917 If you have made it this far, you know that <command>winbindd</command> and Samba are working
918 together. If you want to use Winbind to provide authentication for other
919 services, keep reading. The PAM configuration files need to be altered in
920 this step. (Did you remember to make backups of your original
921 <filename>/etc/pam.d</filename> files? If not, do it now.)
925 You will need a PAM module to use winbindd with these other services. This
926 module will be compiled in the <filename>../source/nsswitch</filename> directory
927 by invoking the command:
931 &rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
935 from the <filename>../source</filename> directory. The
936 <filename>pam_winbind.so</filename> file should be copied to the location of
937 your other PAM security modules. On my Red Hat system, this was the
938 <filename>/lib/security</filename> directory. On Solaris, the PAM security
939 modules reside in <filename>/usr/lib/security</filename>.
943 &rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
947 <title>Linux/FreeBSD-specific PAM configuration</title>
950 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
951 just left this file as it was:
955 <para><programlisting>
956 auth required /lib/security/pam_stack.so service=system-auth
957 account required /lib/security/pam_stack.so service=system-auth
958 </programlisting></para>
961 The other services that I modified to allow the use of Winbind
962 as an authentication service were the normal login on the console (or a terminal
963 session), telnet logins, and ftp service. In order to enable these
964 services, you may first need to change the entries in
965 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
966 Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need
967 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
968 and <filename>/etc/xinetd.d/wu-ftp</filename> from
971 <para><programlisting>
977 </programlisting></para>
980 For ftp services to work properly, you will also need to either
981 have individual directories for the domain users already present on
982 the server, or change the home directory template to a general
983 directory for all domain users. These can be easily set using
984 the &smb.conf; global entry
985 <smbconfoption><name>template homedir</name></smbconfoption>.
989 <para>The directory in <smbconfoption><name>template homedir</name></smbconfoption> is not created automatically! Use pam_mkhomedir or pre-create
990 the directories of users to make sure users can log in on UNIX with
991 their own home directory.
996 The <filename>/etc/pam.d/ftp</filename> file can be changed
997 to allow Winbind ftp access in a manner similar to the
998 samba file. My <filename>/etc/pam.d/ftp</filename> file was
999 changed to look like this:
1002 <para><smbfile name="pam.ftp.winbind"><programlisting>
1003 auth required /lib/security/pam_listfile.so item=user sense=deny \
1004 file=/etc/ftpusers onerr=succeed
1005 auth sufficient /lib/security/pam_winbind.so
1006 auth required /lib/security/pam_stack.so service=system-auth
1007 auth required /lib/security/pam_shells.so
1008 account sufficient /lib/security/pam_winbind.so
1009 account required /lib/security/pam_stack.so service=system-auth
1010 session required /lib/security/pam_stack.so service=system-auth
1011 </programlisting></smbfile></para>
1014 The <filename>/etc/pam.d/login</filename> file can be changed nearly the
1015 same way. It now looks like this:
1018 <para><smbfile name="pam.login.winbind"><programlisting>
1019 auth required /lib/security/pam_securetty.so
1020 auth sufficient /lib/security/pam_winbind.so
1021 auth sufficient /lib/security/pam_unix.so use_first_pass
1022 auth required /lib/security/pam_stack.so service=system-auth
1023 auth required /lib/security/pam_nologin.so
1024 account sufficient /lib/security/pam_winbind.so
1025 account required /lib/security/pam_stack.so service=system-auth
1026 password required /lib/security/pam_stack.so service=system-auth
1027 session required /lib/security/pam_stack.so service=system-auth
1028 session optional /lib/security/pam_console.so
1029 </programlisting></smbfile></para>
1032 In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
1033 lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
1034 above it, to disallow root logins over the network. I also added a
1035 <programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
1036 line after the <command>winbind.so</command> line to get rid of annoying
1037 double prompts for passwords.
1043 <title>Solaris-specific configuration</title>
1046 The <filename>/etc/pam.conf</filename> needs to be changed. I changed this file so my Domain
1047 users can logon both locally as well as telnet. The following are the changes
1048 that I made. You can customize the <filename>pam.conf</filename> file as per your requirements, but
1049 be sure of those changes because in the worst case it will leave your system
1050 nearly impossible to boot.
1053 <para><programlisting>
1055 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1057 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1058 # All Rights Reserved.
1062 # Authentication management
1064 login auth required /usr/lib/security/pam_winbind.so
1065 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1066 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1068 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1069 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1070 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1072 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1073 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1075 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1076 other auth sufficient /usr/lib/security/pam_winbind.so
1077 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1079 # Account management
1081 login account sufficient /usr/lib/security/pam_winbind.so
1082 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1083 login account required /usr/lib/security/$ISA/pam_unix.so.1
1085 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1086 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1087 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1089 other account sufficient /usr/lib/security/pam_winbind.so
1090 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1091 other account required /usr/lib/security/$ISA/pam_unix.so.1
1093 # Session management
1095 other session required /usr/lib/security/$ISA/pam_unix.so.1
1097 # Password management
1099 #other password sufficient /usr/lib/security/pam_winbind.so
1100 other password required /usr/lib/security/$ISA/pam_unix.so.1
1101 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1103 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1105 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1106 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1107 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1108 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1109 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1110 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1111 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1112 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1113 </programlisting></para>
1116 I also added a <parameter>try_first_pass</parameter> line after the <filename>winbind.so</filename>
1117 line to get rid of annoying double prompts for passwords.
1121 Now restart your Samba and try connecting through your application that you
1122 configured in the pam.conf.
1134 <title>Conclusion</title>
1136 <para>The Winbind system, through the use of the Name Service
1137 Switch, Pluggable Authentication Modules, and appropriate
1138 Microsoft RPC calls have allowed us to provide seamless
1139 integration of Microsoft Windows NT domain users on a
1140 UNIX system. The result is a great reduction in the administrative
1141 cost of running a mixed UNIX and NT network.</para>
1146 <title>Common Errors</title>
1148 <para>Winbind has a number of limitations in its current
1149 released version that we hope to overcome in future
1153 <listitem><para>Winbind is currently only available for
1154 the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
1155 systems are certainly possible. For such ports to be feasible,
1156 we require the C library of the target operating system to
1157 support the Name Service Switch and Pluggable Authentication
1158 Modules systems. This is becoming more common as NSS and
1159 PAM gain support among UNIX vendors.</para></listitem>
1161 <listitem><para>The mappings of Windows NT RIDs to UNIX IDs
1162 is not made algorithmically and depends on the order in which
1163 unmapped users or groups are seen by Winbind. It may be difficult
1164 to recover the mappings of RID to UNIX ID mapping if the file
1165 containing this information is corrupted or destroyed.</para>
1168 <listitem><para>Currently the Winbind PAM module does not take
1169 into account possible workstation and logon time restrictions
1170 that may be set for Windows NT users, this is
1171 instead up to the PDC to enforce.</para></listitem>
1175 <title>NSCD Problem Warning</title>
1177 <?latex \nopagebreak ?>
1180 Do not under any circumstances run <command>nscd</command> on any system
1181 on which <command>winbindd</command> is running.
1185 If <command>nscd</command> is running on the UNIX/Linux system, then
1186 even though NSSWITCH is correctly configured it will not be possible to resolve
1187 domain users and groups for file and directory controls.
1193 <title>Winbind Is Not Resolving Users and Groups</title>
1196 My &smb.conf; file is correctly configured. I have specified
1197 <smbconfoption><name>idmap uid</name><value>12000</value></smbconfoption>,
1198 and <smbconfoption><name>idmap gid</name><value>3000-3500</value></smbconfoption>
1199 and <command>winbind</command> is running. When I do the following it all works fine.
1203 &rootprompt;<userinput>wbinfo -u</userinput>
1210 &rootprompt;<userinput>wbinfo -g</userinput>
1211 MIDEARTH+Domain Users
1212 MIDEARTH+Domain Admins
1213 MIDEARTH+Domain Guests
1217 &rootprompt;<userinput>getent passwd</userinput>
1218 root:x:0:0:root:/root:/bin/bash
1219 bin:x:1:1:bin:/bin:/bin/bash
1221 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
1225 But the following command just fails:
1227 &rootprompt;<userinput>chown maryo a_file</userinput>
1228 chown: `maryo': invalid user
1230 This is driving me nuts! What can be wrong?
1234 Same problem as the one above.
1235 Your system is likely running <command>nscd</command>, the name service
1236 caching daemon. Shut it down, do not restart it! You will find your problem resolved.