1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
7 <firstname>Tim</firstname><surname>Potter</surname>
9 <orgname>Samba Team</orgname>
10 <address><email>tpot@linuxcare.com.au</email></address>
15 <firstname>Naag</firstname><surname>Mummaneni</surname>
17 <address><email>getnag@rediffmail.com</email></address>
19 <contrib>Notes for Solaris</contrib>
22 <firstname>John</firstname><surname>Trostel</surname>
24 <orgname>SNAP</orgname>
25 <address><email>jtrostel@snapserver.com</email></address>
31 <pubdate>June 15, 2005</pubdate>
34 <title>Winbind: Use of Domain Accounts</title>
37 <title>Features and Benefits</title>
40 <indexterm><primary>holy grail</primary></indexterm>
41 <indexterm><primary>heterogeneous computing</primary></indexterm>
42 Integration of UNIX and Microsoft Windows NT through a unified logon has
43 been considered a <quote>holy grail</quote> in heterogeneous computing environments for
48 <indexterm><primary>interoperability</primary></indexterm>
49 <indexterm><primary>domain user</primary></indexterm>
50 <indexterm><primary>domain group</primary></indexterm>
51 <indexterm><primary>group ownership</primary></indexterm>
52 There is one other facility without which UNIX and Microsoft Windows network
53 interoperability would suffer greatly. It is imperative that there be a
54 mechanism for sharing files across UNIX systems and to be able to assign
55 domain user and group ownerships with integrity.
59 <indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm>
60 <indexterm><primary>winbind</primary></indexterm>
61 <indexterm><primary>NSS</primary></indexterm>
62 <indexterm><primary>RPC</primary></indexterm>
63 <emphasis>winbind</emphasis> is a component of the Samba suite of programs that
64 solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
65 RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to
66 allow Windows NT domain users to appear and operate as UNIX users on a UNIX
67 machine. This chapter describes the Winbind system, the functionality
68 it provides, how it is configured, and how it works internally.
72 Winbind provides three separate functions:
77 <indexterm><primary>ADS</primary></indexterm>
78 <indexterm><primary>NT4 domain</primary></indexterm>
79 Authentication of user credentials (via PAM). This makes it possible to
80 log onto a UNIX/Linux system using user and group accounts from a Windows
81 NT4 (including a Samba domain) or an Active Directory domain.
85 <indexterm><primary>identity resolution</primary></indexterm>
86 <indexterm><primary>NSS</primary></indexterm>
87 Identity resolution (via NSS). This is the default when winbind is not used.
91 <indexterm><primary>UID</primary></indexterm>
92 <indexterm><primary>GID</primary></indexterm>
93 <indexterm><primary>SID</primary></indexterm>
94 <indexterm><primary>idmap uid</primary></indexterm>
95 <indexterm><primary>idmap gid</primary></indexterm>
96 <indexterm><primary>idmap backend</primary></indexterm>
97 <indexterm><primary></primary>LDAP</indexterm>
98 Winbind maintains a database called winbind_idmap.tdb in which it stores
99 mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
100 for users and groups that do not have a local UID/GID. It stores the UID/GID
101 allocated from the idmap uid/gid range that it has mapped to the NT SID.
102 If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>,
103 then instead of using a local mapping, Winbind will obtain this information
104 from the LDAP database.
109 <indexterm><primary>winbindd</primary></indexterm>
110 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
111 <indexterm><primary>/etc/passwd</primary></indexterm>
112 <indexterm><primary>/etc/group</primary></indexterm>
113 <indexterm><primary>smbd</primary></indexterm>
114 <indexterm><primary>NSS</primary></indexterm>
115 If <command>winbindd</command> is not running, smbd (which calls <command>winbindd</command>) will fall back to
116 using purely local information from <filename>/etc/passwd</filename> and <filename>/etc/group</filename> and no dynamic
117 mapping will be used. On an operating system that has beeb enabled with the NSS,
118 the resolution of user and group information will be accomplished via NSS.
122 <figure id="winbind_idmap">
123 <title>Winbind Idmap</title>
124 <imagefile scale="50">idmap_winbind_no_loop</imagefile>
131 <title>Introduction</title>
133 <para>It is well known that UNIX and Microsoft Windows NT have
134 different models for representing user and group information and
135 use different technologies for implementing them. This fact has
136 made it difficult to integrate the two systems in a satisfactory
140 <indexterm><primary>synchronization problems</primary></indexterm>
141 <indexterm><primary>passwords</primary></indexterm>
142 One common solution in use today has been to create
143 identically named user accounts on both the UNIX and Windows systems
144 and use the Samba suite of programs to provide file and print services
145 between the two. This solution is far from perfect, however, because
146 adding and deleting users on both sets of machines becomes a chore,
147 and two sets of passwords are required &smbmdash; both of which
148 can lead to synchronization problems between the UNIX and Windows
149 systems and confusion for users.</para>
151 <para>We divide the unified logon problem for UNIX machines into
152 three smaller problems:</para>
155 <listitem><para>Obtaining Windows NT user and group information.
158 <listitem><para>Authenticating Windows NT users.
161 <listitem><para>Password changing for Windows NT users.
167 <indexterm><primary>unified logon</primary></indexterm>
168 <indexterm><primary>duplication of information</primary></indexterm>
169 Ideally, a prospective solution to the unified logon problem
170 would satisfy all the above components without duplication of
171 information on the UNIX machines and without creating additional
172 tasks for the system administrator when maintaining users and
173 groups on either system. The Winbind system provides a simple
174 and elegant solution to all three components of the unified logon
180 <title>What Winbind Provides</title>
183 <indexterm><primary>Windows account management</primary></indexterm>
184 <indexterm><primary>UNIX users</primary></indexterm>
185 <indexterm><primary>UNIX groups</primary></indexterm>
186 <indexterm><primary>NT domain</primary></indexterm>
187 Winbind unifies UNIX and Windows NT account management by
188 allowing a UNIX box to become a full member of an NT domain. Once
189 this is done, the UNIX box will see NT users and groups as if
190 they were <quote>native</quote> UNIX users and groups, allowing the NT domain
191 to be used in much the same manner that NIS+ is used within
192 UNIX-only environments.</para>
195 <indexterm><primary>Winbind hooks</primary></indexterm>
196 <indexterm><primary>domain controller</primary></indexterm>
197 <indexterm><primary>NSS</primary></indexterm>
198 <indexterm><primary>redirection</primary></indexterm>
199 The end result is that whenever a
200 program on the UNIX machine asks the operating system to look up
201 a user or group name, the query will be resolved by asking the
202 NT domain controller for the specified domain to do the lookup.
203 Because Winbind hooks into the operating system at a low level
204 (via the NSS name resolution modules in the C library), this
205 redirection to the NT domain controller is completely
209 <indexterm><primary>user and group</primary></indexterm>
210 <indexterm><primary>domain user</primary></indexterm>
211 Users on the UNIX machine can then use NT user and group
212 names as they would <quote>native</quote> UNIX names. They can chown files
213 so they are owned by NT domain users or even login to the
214 UNIX machine and run a UNIX X-Window session as a domain user.</para>
217 <indexterm><primary>domain controller</primary></indexterm>
218 The only obvious indication that Winbind is being used is
219 that user and group names take the form <constant>DOMAIN\user</constant> and
220 <constant>DOMAIN\group</constant>. This is necessary because it allows Winbind to determine
221 that redirection to a domain controller is wanted for a particular
222 lookup and which trusted domain is being referenced.</para>
225 <indexterm><primary>PAM-enabled</primary></indexterm>
226 <indexterm><primary>domain controller</primary></indexterm>
227 Additionally, Winbind provides an authentication service that hooks into the PAM system
228 to provide authentication via an NT domain to any PAM-enabled
229 applications. This capability solves the problem of synchronizing
230 passwords between systems, since all passwords are stored in a single
231 location (on the domain controller).</para>
234 <title>Target Uses</title>
237 <indexterm><primary>infrastructure</primary></indexterm>
238 Winbind is targeted at organizations that have an
239 existing NT-based domain infrastructure into which they wish
240 to put UNIX workstations or servers. Winbind will allow these
241 organizations to deploy UNIX workstations without having to
242 maintain a separate account infrastructure. This greatly
243 simplifies the administrative overhead of deploying UNIX
244 workstations into an NT-based organization.</para>
247 <indexterm><primary>Appliances</primary></indexterm>
248 <indexterm><primary>Winbind</primary></indexterm>
249 Another interesting way in which we expect Winbind to
250 be used is as a central part of UNIX-based appliances. Appliances
251 that provide file and print services to Microsoft-based networks
252 will be able to use Winbind to provide seamless integration of
253 the appliance into the domain.</para>
257 <title>Handling of Foreign SIDs</title>
260 <indexterm><primary>foreign SID</primary></indexterm>
261 The term <emphasis>foreign SID</emphasis> is often met with the reaction that it
262 is not relevant to a particular environment. The following documents an interchange
263 that took place on the Samba mailing list. It is a good example of the confusion
264 often expressed regarding the use of winbind.
268 <indexterm><primary>local domain</primary></indexterm>
269 Fact: Winbind is needed to handle users who use workstations that are NOT part
274 <indexterm><primary>PDC</primary></indexterm>
275 Response: <quote>Why? I've used Samba with workstations that are not part of my domains
276 lots of times without using winbind. I though winbind was for using Samba as a member server
277 in a domain controlled by another Samba/Windows PDC.</quote>
281 <indexterm><primary>UID</primary></indexterm>
282 <indexterm><primary>GID</primary></indexterm>
283 <indexterm><primary>foreign user</primary></indexterm>
284 If the Samba server will be accessed from a domain other than the local Samba domain, or
285 if there will be access from machines that are not local domain members, winbind will
286 permit the allocation of UIDs and GIDs from the assigned pool that will keep the identity
287 of the foreign user separate from users that are members of the Samba domain.
291 <indexterm><primary>PDC</primary></indexterm>
292 <indexterm><primary>domain member</primary></indexterm>
293 <indexterm><primary>domain non-member</primary></indexterm>
294 <indexterm><primary>SID</primary></indexterm>
295 This means that winbind is eminently useful in cases where a single
296 Samba PDC on a local network is combined with both domain member and domain non-member workstations.
297 If winbind is not used, the user george on a Windows workstation that is not a domain
298 member will be able to access the files of a user called george in the account database
299 of the Samba server that is acting as a PDC. When winbind is used, the default condition
300 is that the local user george will be treated as the account DOMAIN\george and the
301 foreign (non-member of the domain) account will be treated as MACHINE\george because
302 each has a different SID.
311 <title>How Winbind Works</title>
314 <indexterm><primary>winbindd</primary></indexterm>
315 <indexterm><primary>UNIX domain socket</primary></indexterm>
316 <indexterm><primary>NSS</primary></indexterm>
317 <indexterm><primary>PAM</primary></indexterm>
318 The Winbind system is designed around a client/server
319 architecture. A long-running <command>winbindd</command> daemon
320 listens on a UNIX domain socket waiting for requests
321 to arrive. These requests are generated by the NSS and PAM
322 clients and are processed sequentially.</para>
324 <para>The technologies used to implement Winbind are described
325 in detail below.</para>
328 <title>Microsoft Remote Procedure Calls</title>
331 <indexterm><primary>Microsoft Remote Procedure Call</primary><see>MSRPC</see></indexterm>
332 <indexterm><primary>PDC</primary></indexterm>
333 <indexterm><primary>remote management</primary></indexterm>
334 <indexterm><primary>user authentication</primary></indexterm>
335 <indexterm><primary>print spooling</primary></indexterm>
336 Over the last few years, efforts have been underway
337 by various Samba Team members to decode various aspects of
338 the Microsoft Remote Procedure Call (MSRPC) system. This
339 system is used for most network-related operations between
340 Windows NT machines, including remote management, user authentication,
341 and print spooling. Although initially this work was done
342 to aid the implementation of Primary Domain Controller (PDC)
343 functionality in Samba, it has also yielded a body of code that
344 can be used for other purposes.</para>
347 <indexterm><primary>MSRPC</primary></indexterm>
348 <indexterm><primary>enumerate domain users</primary></indexterm>
349 <indexterm><primary>enumerate domain groups</primary></indexterm>
350 Winbind uses various MSRPC calls to enumerate domain users
351 and groups and to obtain detailed information about individual
352 users or groups. Other MSRPC calls can be used to authenticate
353 NT domain users and to change user passwords. By directly querying
354 a Windows PDC for user and group information, Winbind maps the
355 NT account information onto UNIX user and group names.</para>
359 <title>Microsoft Active Directory Services</title>
362 <indexterm><primary>LDAP</primary></indexterm>
363 <indexterm><primary>Kerberos</primary></indexterm>
364 <indexterm><primary>Winbind</primary></indexterm>
365 <indexterm><primary>native mode</primary></indexterm>
366 Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its <quote>native
367 mode</quote> protocols rather than the NT4 RPC services. Using LDAP and Kerberos, a domain member running
368 Winbind can enumerate users and groups in exactly the same way as a Windows 200x client would, and in so doing
369 provide a much more efficient and effective Winbind implementation.
374 <title>Name Service Switch</title>
377 <indexterm><primary>NSS</primary></indexterm>
378 <indexterm><primary>networked workstation</primary></indexterm>
379 <indexterm><primary>NIS</primary></indexterm>
380 <indexterm><primary>DNS</primary></indexterm>
381 The NSS is a feature that is present in many UNIX operating systems. It allows system
382 information such as hostnames, mail aliases, and user information
383 to be resolved from different sources. For example, a standalone
384 UNIX workstation may resolve system information from a series of
385 flat files stored on the local file system. A networked workstation
386 may first attempt to resolve system information from local files,
387 and then consult an NIS database for user information or a DNS server
388 for hostname information.</para>
391 <indexterm><primary>NSS</primary></indexterm>
392 <indexterm><primary>MSRPC</primary></indexterm>
393 <indexterm><primary>trusted domain</primary></indexterm>
394 <indexterm><primary>local users</primary></indexterm>
395 <indexterm><primary>local groups</primary></indexterm>
396 The NSS application programming interface allows Winbind
397 to present itself as a source of system information when
398 resolving UNIX usernames and groups. Winbind uses this interface
399 and information obtained from a Windows NT server using MSRPC
400 calls to provide a new source of account enumeration. Using standard
401 UNIX library calls, you can enumerate the users and groups on
402 a UNIX machine running Winbind and see all users and groups in
403 an NT domain plus any trusted domain as though they were local
404 users and groups.</para>
407 <indexterm><primary>NSS</primary></indexterm>
408 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
409 <indexterm><primary>passwd</primary></indexterm>
410 The primary control file for NSS is <filename>/etc/nsswitch.conf</filename>.
411 When a UNIX application makes a request to do a lookup,
412 the C library looks in <filename>/etc/nsswitch.conf</filename>
413 for a line that matches the service type being requested; for
414 example, the <quote>passwd</quote> service type is used when user or group names
415 are looked up. This config line specifies which implementations
416 of that service should be tried and in what order. If the passwd
419 passwd: files example
421 <indexterm><primary>/lib/libnss_files.so</primary></indexterm>
422 <indexterm><primary>/lib/libnss_example.so</primary></indexterm>
423 <indexterm><primary>resolver functions</primary></indexterm>
424 then the C library will first load a module called
425 <filename>/lib/libnss_files.so</filename> followed by
426 the module <filename>/lib/libnss_example.so</filename>. The
427 C library will dynamically load each of these modules in turn
428 and call resolver functions within the modules to try to resolve
429 the request. Once the request is resolved, the C library returns the
430 result to the application.</para>
433 <indexterm><primary>NSS</primary></indexterm>
434 <indexterm><primary>libnss_winbind.so</primary></indexterm>
435 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
436 This NSS interface provides an easy way for Winbind
437 to hook into the operating system. All that needs to be done
438 is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
439 then add <quote>winbind</quote> into <filename>/etc/nsswitch.conf</filename> at
440 the appropriate place. The C library will then call Winbind to
441 resolve user and group names.</para>
445 <title>Pluggable Authentication Modules</title>
448 <indexterm><primary>PAM</primary></indexterm>
449 <indexterm><primary>authentication methods</primary></indexterm>
450 <indexterm><primary>authorization</primary></indexterm>
451 <indexterm><primary>NIS database</primary></indexterm>
452 PAMs provide a system for abstracting authentication and authorization
453 technologies. With a PAM module, it is possible to specify different
454 authentication methods for different system applications without
455 having to recompile these applications. PAM is also useful
456 for implementing a particular policy for authorization. For example,
457 a system administrator may only allow console logins from users
458 stored in the local password file but only allow users resolved from
459 an NIS database to log in over the network.</para>
462 <indexterm><primary>PAM</primary></indexterm>
463 <indexterm><primary>Winbind</primary></indexterm>
464 <indexterm><primary>authentication management</primary></indexterm>
465 <indexterm><primary>password management</primary></indexterm>
466 <indexterm><primary>PDC</primary></indexterm>
467 Winbind uses the authentication management and password
468 management PAM interface to integrate Windows NT users into a
469 UNIX system. This allows Windows NT users to log in to a UNIX
470 machine and be authenticated against a suitable PDC.
471 These users can also change their passwords and have
472 this change take effect directly on the PDC.
476 <indexterm><primary>PAM</primary></indexterm>
477 <indexterm><primary>/etc/pam.d/</primary></indexterm>
478 <indexterm><primary>pam_winbind.so</primary></indexterm>
479 <indexterm><primary>/lib/security/</primary></indexterm>
480 PAM is configured by providing control files in the directory
481 <filename>/etc/pam.d/</filename> for each of the services that
482 require authentication. When an authentication request is made
483 by an application, the PAM code in the C library looks up this
484 control file to determine what modules to load to do the
485 authentication check and in what order. This interface makes adding
486 a new authentication service for Winbind very easy: simply copy
487 the <filename>pam_winbind.so</filename> module
488 to <filename>/lib/security/</filename>, and the PAM
489 control files for relevant services are updated to allow
490 authentication via Winbind. See the PAM documentation
491 in <link linkend="pam">PAM-Based Distributed Authentication</link>, for more information.</para>
496 <title>User and Group ID Allocation</title>
499 <indexterm><primary>RID</primary></indexterm>
500 <indexterm><primary>Winbind</primary></indexterm>
501 <indexterm><primary>UNIX ID</primary></indexterm>
502 When a user or group is created under Windows NT/200x,
503 it is allocated a numerical relative identifier (RID). This is
504 slightly different from UNIX, which has a range of numbers that are
505 used to identify users and the same range used to identify
506 groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
507 vice versa. When Winbind is configured, it is given part of the UNIX
508 user ID space and a part of the UNIX group ID space in which to
509 store Windows NT users and groups. If a Windows NT user is
510 resolved for the first time, it is allocated the next UNIX ID from
511 the range. The same process applies for Windows NT groups. Over
512 time, Winbind will have mapped all Windows NT users and groups
513 to UNIX user IDs and group IDs.</para>
516 <indexterm><primary>ID mapping database</primary></indexterm>
517 <indexterm><primary>tdb</primary></indexterm>
518 <indexterm><primary>UNIX ID</primary></indexterm>
519 <indexterm><primary>RID</primary></indexterm>
520 The results of this mapping are stored persistently in
521 an ID mapping database held in a tdb database. This ensures that
522 RIDs are mapped to UNIX IDs in a consistent way.</para>
527 <title>Result Caching</title>
530 <indexterm><primary>SAM</primary></indexterm>
531 <indexterm><primary>caching scheme</primary></indexterm>
532 <indexterm><primary>Winbind</primary></indexterm>
533 <indexterm><primary>ADS</primary></indexterm>
534 <indexterm><primary>PDC</primary></indexterm>
535 An active directory system can generate a lot of user and group
536 name lookups. To reduce the network cost of these lookups, Winbind
537 uses a caching scheme based on the SAM sequence number supplied
538 by NT domain controllers. User or group information returned
539 by a PDC is cached by Winbind along with a sequence number also
540 returned by the PDC. This sequence number is incremented by
541 Windows NT whenever any user or group information is modified. If
542 a cached entry has expired, the sequence number is requested from
543 the PDC and compared against the sequence number of the cached entry.
544 If the sequence numbers do not match, then the cached information
545 is discarded and up-to-date information is requested directly
552 <title>Installation and Configuration</title>
555 <title>Introduction</title>
558 <indexterm><primary>Winbind</primary></indexterm>
559 <indexterm><primary>PDC</primary></indexterm>
560 <indexterm><primary>authentication control</primary></indexterm>
561 This section describes the procedures used to get Winbind up and
562 running. Winbind is capable of providing access
563 and authentication control for Windows Domain users through an NT
564 or Windows 200x PDC for regular services, such as telnet and ftp, as
565 well for Samba services.
571 <emphasis>Why should I do this?</emphasis>
574 <para>This allows the Samba administrator to rely on the
575 authentication mechanisms on the Windows NT/200x PDC for the authentication
576 of domain members. Windows NT/200x users no longer need to have separate
577 accounts on the Samba server.
583 <emphasis>Who should be reading this document?</emphasis>
587 This document is designed for system administrators. If you are
588 implementing Samba on a file server and wish to (fairly easily)
589 integrate existing Windows NT/200x users from your PDC onto the
590 Samba server, this document is for you.
598 <title>Requirements</title>
601 If you have a Samba configuration file that you are currently using, <emphasis>BACK IT UP!</emphasis>
602 If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory
603 contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE NOW!</emphasis>
607 Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
608 why you want to be able to boot back into your machine in single-user mode and restore your
609 <filename>/etc/pam.d</filename> to the original state it was in if you get frustrated with the
610 way things are going.
614 The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink
615 url="http://samba.org/">main Samba Web page</ulink>, or better yet, your closest Samba mirror site for
616 instructions on downloading the source code.
620 To allow domain users the ability to access Samba shares and files, as well as potentially other services
621 provided by your Samba machine, PAM must be set up properly on your
622 machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
623 on your system. Please refer the PAM Web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
628 <title>Testing Things Out</title>
631 Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
632 Kill off all &smbd;, &nmbd;, and &winbindd; processes that may be running. To use PAM,
633 make sure that you have the standard PAM package that supplies the <filename>/etc/pam.d</filename>
634 directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries,
635 and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for PAM. Winbind is built
636 better in Samba if the pam-devel package is also installed. This package includes the header files
637 needed to compile PAM-aware applications.
641 <title>Configure <filename>nsswitch.conf</filename> and the Winbind Libraries on Linux and Solaris</title>
644 PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
645 the <filename>pam-devel</filename> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
646 may auto-install the Winbind files into their correct locations on your system, so before you get too far down
647 the track, be sure to check if the following configuration is really
648 necessary. You may only need to configure
649 <filename>/etc/nsswitch.conf</filename>.
653 The libraries needed to run the &winbindd; daemon through nsswitch need to be copied to their proper locations:
658 &rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
663 I also found it necessary to make the following symbolic link:
667 &rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
670 <para>And, in the case of Sun Solaris:</para>
672 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
673 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
674 &rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
678 Now, as root, you need to edit <filename>/etc/nsswitch.conf</filename> to
679 allow user and group entries to be visible from the &winbindd;
680 daemon. My <filename>/etc/nsswitch.conf</filename> file looked like
684 <para><programlisting>
685 passwd: files winbind
688 </programlisting></para>
691 The libraries needed by the <command>winbindd</command> daemon will be automatically
692 entered into the <command>ldconfig</command> cache the next time
693 your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
697 &rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
701 This makes <filename>libnss_winbind</filename> available to winbindd
702 and echos back a check to you.
708 <title>NSS Winbind on AIX</title>
710 <para>(This section is only for those running AIX.)</para>
713 The Winbind AIX identification module gets built as <filename>libnss_winbind.so</filename> in the
714 nsswitch directory of the Samba source. This file can be copied to <filename>/usr/lib/security</filename>,
715 and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
718 program = /usr/lib/security/WINBIND
721 can then be added to <filename>/usr/lib/security/methods.cfg</filename>. This module only supports
722 identification, but there have been reports of success using the standard Winbind PAM module for
723 authentication. Use caution configuring loadable authentication modules, since misconfiguration can make
724 it impossible to log on to the system. Information regarding the AIX authentication module API can
725 be found in the <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote> document that
726 describes the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
727 Loadable Authentication Module Programming Interface</ulink> for AIX. Further information on administering the modules
728 can be found in the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm">System
729 Management Guide: Operating System and Devices.</ulink>
734 <title>Configure smb.conf</title>
737 Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These
738 are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle>
739 <manvolnum>8</manvolnum></citerefentry> man page. My &smb.conf; file, as shown in <link
740 linkend="winbindcfg">Example 23.5.1</link>, was modified to include the necessary entries in the [global] section.
743 <example id="winbindcfg">
744 <title>smb.conf for Winbind Setup</title>
746 <smbconfsection name="[global]"/>
747 <smbconfcomment> separate domain and username with '\', like DOMAIN\username</smbconfcomment>
748 <smbconfoption name="winbind separator">\</smbconfoption>
749 <smbconfcomment> use uids from 10000 to 20000 for domain users</smbconfcomment>
750 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
751 <smbconfcomment> use gids from 10000 to 20000 for domain groups</smbconfcomment>
752 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
753 <smbconfcomment> allow enumeration of winbind users and groups</smbconfcomment>
754 <smbconfoption name="winbind enum users">yes</smbconfoption>
755 <smbconfoption name="winbind enum groups">yes</smbconfoption>
756 <smbconfcomment> give winbind users a real shell (only needed if they have telnet access)</smbconfcomment>
757 <smbconfoption name="template homedir">/home/winnt/%D/%U</smbconfoption>
758 <smbconfoption name="template shell">/bin/bash</smbconfoption>
766 <title>Join the Samba Server to the PDC Domain</title>
769 All machines that will participate in domain security should be members of
770 the domain. This applies also to the PDC and all BDCs.
774 The process of joining a domain requires the use of the <command>net rpc join</command>
775 command. This process communicates with the domain controller it will register with
776 (usually the PDC) via MS DCE RPC. This means, of course, that the <command>smbd</command>
777 process must be running on the target domain controller. It is therefore necessary to temporarily
778 start Samba on a PDC so that it can join its own domain.
782 Enter the following command to make the Samba server join the
783 domain, where <replaceable>PDC</replaceable> is the name of
784 your PDC and <replaceable>Administrator</replaceable> is
785 a domain user who has administrative privileges in the domain.
789 Before attempting to join a machine to the domain, verify that Samba is running
790 on the target domain controller (usually PDC) and that it is capable of being reached via ports
791 137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx).
795 &rootprompt;<userinput>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</userinput>
799 The proper response to the command should be <quote>Joined the domain
800 <replaceable>DOMAIN</replaceable></quote> where <replaceable>DOMAIN</replaceable>
807 <title>Starting and Testing the <command>winbindd</command> Daemon</title>
810 Eventually, you will want to modify your Samba startup script to
811 automatically invoke the winbindd daemon when the other parts of
812 Samba start, but it is possible to test out just the Winbind
813 portion first. To start up Winbind services, enter the following
818 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd</userinput>
822 The command to start up Winbind services assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
823 directory tree. You may need to search for the location of Samba files if this is not the
824 location of <command>winbindd</command> on your system.
828 Winbindd can now also run in <quote>dual daemon mode</quote>. This will make it
829 run as two processes. The first will answer all requests from the cache,
830 thus making responses to clients faster. The other will
831 update the cache for the query to which the first has just responded.
832 The advantage of this is that responses stay accurate and are faster.
833 You can enable dual daemon mode by adding <option>-B</option> to the command line:
837 &rootprompt;<userinput>/usr/local/samba/sbin/winbindd -B</userinput>
841 I'm always paranoid and like to make sure the daemon is really running.
845 &rootprompt;<userinput>ps -ae | grep winbindd</userinput>
848 This command should produce output like the following if the daemon is running.
852 3025 ? 00:00:00 winbindd
856 Now, for the real test, try to get some information about the users on your PDC:
860 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
864 This should echo back a list of users on your Windows users on
865 your PDC. For example, I get the following response:
878 Obviously, I have named my domain <quote>CEO</quote> and my <smbconfoption name="winbind separator"/> is <quote>\</quote>.
882 You can do the same sort of thing to get group information from the PDC:
886 &rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
891 CEO\Domain Controllers
894 CEO\Enterprise Admins
895 CEO\Group Policy Creator Owners
899 The function <command>getent</command> can now be used to get unified
900 lists of both local and PDC users and groups. Try the following command:
904 &rootprompt;<userinput>getent passwd</userinput>
908 You should get a list that looks like your <filename>/etc/passwd</filename>
909 list followed by the domain users with their new UIDs, GIDs, home
910 directories, and default shells.
914 The same thing can be done for groups with the command:
918 &rootprompt;<userinput>getent group</userinput>
925 <title>Fix the init.d Startup Scripts</title>
931 The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running.
932 To accomplish this task, you need to modify the startup scripts of your system.
933 They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and in
934 <filename>/etc/init.d/samba</filename> in Debian Linux. Edit your
935 script to add commands to invoke this daemon in the proper sequence. My
936 startup script starts up &smbd;, &nmbd;, and &winbindd; from the
937 <filename>/usr/local/samba/bin</filename> directory directly. The <command>start</command>
938 function in the script looks like this:
941 <para><programlisting>
944 echo -n $"Starting $KIND services: "
945 daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
949 echo -n $"Starting $KIND services: "
950 daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
954 echo -n $"Starting $KIND services: "
955 daemon /usr/local/samba/sbin/winbindd
958 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
959 touch /var/lock/subsys/smb || RETVAL=1
962 </programlisting></para>
964 <para>If you would like to run winbindd in dual daemon mode, replace
967 daemon /usr/local/samba/sbin/winbindd
970 in the example above with:
973 daemon /usr/local/samba/sbin/winbindd -B
978 The <command>stop</command> function has a corresponding entry to shut down the
979 services and looks like this:
982 <para><programlisting>
985 echo -n $"Shutting down $KIND services: "
990 echo -n $"Shutting down $KIND services: "
995 echo -n $"Shutting down $KIND services: "
998 [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
999 rm -f /var/lock/subsys/smb
1003 </programlisting></para>
1007 <title>Solaris</title>
1010 Winbind does not work on Solaris 9; see <link linkend="winbind-solaris9">Winbind on Solaris 9 section</link>
1015 On Solaris, you need to modify the <filename>/etc/init.d/samba.server</filename> startup script. It
1016 usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
1017 <filename>/usr/local/samba/bin</filename>, the file could contains something like this:
1026 if [ ! -d /usr/bin ]
1027 then # /usr not mounted
1031 killproc() { # kill the named process(es)
1032 pid=`/usr/bin/ps -e |
1033 /usr/bin/grep -w $1 |
1034 /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
1035 [ "$pid" != "" ] && kill $pid
1038 # Start/stop processes required for Samba server
1044 # Edit these lines to suit your installation (paths, workgroup, host)
1047 /usr/local/samba/bin/smbd -D -s \
1048 /usr/local/samba/smb.conf
1051 /usr/local/samba/bin/nmbd -D -l \
1052 /usr/local/samba/var/log -s /usr/local/samba/smb.conf
1054 echo Starting Winbind Daemon
1055 /usr/local/samba/sbin/winbindd
1065 echo "Usage: /etc/init.d/samba.server { start | stop }"
1068 </programlisting></para>
1071 Again, if you would like to run Samba in dual daemon mode, replace:
1073 /usr/local/samba/sbin/winbindd
1075 in the script above with:
1077 /usr/local/samba/sbin/winbindd -B
1084 <title>Restarting</title>
1086 If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
1087 should be able to connect to the Samba server as a domain member just as
1088 if you were a local user.
1094 <title>Configure Winbind and PAM</title>
1097 If you have made it this far, you know that <command>winbindd</command> and Samba are working
1098 together. If you want to use Winbind to provide authentication for other
1099 services, keep reading. The PAM configuration files need to be altered in
1100 this step. (Did you remember to make backups of your original
1101 <filename>/etc/pam.d</filename> files? If not, do it now.)
1105 You will need a PAM module to use winbindd with these other services. This
1106 module will be compiled in the <filename>../source/nsswitch</filename> directory
1107 by invoking the command:
1111 &rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
1115 from the <filename>../source</filename> directory. The
1116 <filename>pam_winbind.so</filename> file should be copied to the location of
1117 your other PAM security modules. On my Red Hat system, this was the
1118 <filename>/lib/security</filename> directory. On Solaris, the PAM security
1119 modules reside in <filename>/usr/lib/security</filename>.
1123 &rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
1127 <title>Linux/FreeBSD-Specific PAM Configuration</title>
1130 The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
1131 just left this file as it was:
1135 <para><programlisting>
1136 auth required /lib/security/pam_stack.so service=system-auth
1137 account required /lib/security/pam_stack.so service=system-auth
1138 </programlisting></para>
1141 The other services that I modified to allow the use of Winbind
1142 as an authentication service were the normal login on the console (or a terminal
1143 session), telnet logins, and ftp service. In order to enable these
1144 services, you may first need to change the entries in
1145 <filename>/etc/xinetd.d</filename> (or <filename>/etc/inetd.conf</filename>).
1146 Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need
1147 to change the lines in <filename>/etc/xinetd.d/telnet</filename>
1148 and <filename>/etc/xinetd.d/wu-ftp</filename> from
1151 <para><programlisting>
1157 </programlisting></para>
1160 For ftp services to work properly, you will also need to either
1161 have individual directories for the domain users already present on
1162 the server or change the home directory template to a general
1163 directory for all domain users. These can be easily set using
1164 the &smb.conf; global entry
1165 <smbconfoption name="template homedir"/>.
1169 <para>The directory in <smbconfoption name="template homedir"/> is not created automatically! Use pam_mkhomedir or pre-create
1170 the directories of users to make sure users can log in on UNIX with
1171 their own home directory.
1176 The <filename>/etc/pam.d/ftp</filename> file can be changed
1177 to allow Winbind ftp access in a manner similar to the
1178 samba file. My <filename>/etc/pam.d/ftp</filename> file was
1179 changed to look like this:
1181 auth required /lib/security/pam_listfile.so item=user sense=deny \
1182 file=/etc/ftpusers onerr=succeed
1183 auth sufficient /lib/security/pam_winbind.so
1184 auth required /lib/security/pam_stack.so service=system-auth
1185 auth required /lib/security/pam_shells.so
1186 account sufficient /lib/security/pam_winbind.so
1187 account required /lib/security/pam_stack.so service=system-auth
1188 session required /lib/security/pam_stack.so service=system-auth
1189 </programlisting></para>
1192 The <filename>/etc/pam.d/login</filename> file can be changed in nearly the
1193 same way. It now looks like this:
1195 auth required /lib/security/pam_securetty.so
1196 auth sufficient /lib/security/pam_winbind.so
1197 auth sufficient /lib/security/pam_unix.so use_first_pass
1198 auth required /lib/security/pam_stack.so service=system-auth
1199 auth required /lib/security/pam_nologin.so
1200 account sufficient /lib/security/pam_winbind.so
1201 account required /lib/security/pam_stack.so service=system-auth
1202 password required /lib/security/pam_stack.so service=system-auth
1203 session required /lib/security/pam_stack.so service=system-auth
1204 session optional /lib/security/pam_console.so
1205 </programlisting></para>
1208 In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
1209 lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
1210 above it to disallow root logins over the network. I also added a
1211 <programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
1212 line after the <command>winbind.so</command> line to get rid of annoying
1213 double prompts for passwords.
1219 <title>Solaris-Specific Configuration</title>
1222 The <filename>/etc/pam.conf</filename> needs to be changed. I changed this file so my Domain
1223 users can log on both locally as well as with telnet. The following are the changes
1224 that I made. You can customize the <filename>pam.conf</filename> file as per your requirements, but
1225 be sure of those changes because in the worst case it will leave your system
1226 nearly impossible to boot.
1229 <para><programlisting>
1231 #ident "@(#)pam.conf 1.14 99/09/16 SMI"
1233 # Copyright (c) 1996-1999, Sun Microsystems, Inc.
1234 # All Rights Reserved.
1238 # Authentication management
1240 login auth required /usr/lib/security/pam_winbind.so
1241 login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1242 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
1244 rlogin auth sufficient /usr/lib/security/pam_winbind.so
1245 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1246 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1248 dtlogin auth sufficient /usr/lib/security/pam_winbind.so
1249 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1251 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
1252 other auth sufficient /usr/lib/security/pam_winbind.so
1253 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
1255 # Account management
1257 login account sufficient /usr/lib/security/pam_winbind.so
1258 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
1259 login account required /usr/lib/security/$ISA/pam_unix.so.1
1261 dtlogin account sufficient /usr/lib/security/pam_winbind.so
1262 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
1263 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
1265 other account sufficient /usr/lib/security/pam_winbind.so
1266 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
1267 other account required /usr/lib/security/$ISA/pam_unix.so.1
1269 # Session management
1271 other session required /usr/lib/security/$ISA/pam_unix.so.1
1273 # Password management
1275 #other password sufficient /usr/lib/security/pam_winbind.so
1276 other password required /usr/lib/security/$ISA/pam_unix.so.1
1277 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
1279 # Support for Kerberos V5 authentication (uncomment to use Kerberos)
1281 #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1282 #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1283 #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1284 #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1285 #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
1286 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
1287 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
1288 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
1289 </programlisting></para>
1292 I also added a <parameter>try_first_pass</parameter> line after the <filename>winbind.so</filename>
1293 line to get rid of annoying double prompts for passwords.
1297 Now restart your Samba and try connecting through your application that you
1298 configured in the pam.conf.
1310 <title>Conclusion</title>
1312 <para>The Winbind system, through the use of the NSS,
1313 PAMs, and appropriate
1314 Microsoft RPC calls, have allowed us to provide seamless
1315 integration of Microsoft Windows NT domain users on a
1316 UNIX system. The result is a great reduction in the administrative
1317 cost of running a mixed UNIX and NT network.</para>
1322 <title>Common Errors</title>
1324 <para>Winbind has a number of limitations in its current
1325 released version that we hope to overcome in future
1329 <listitem><para>Winbind is currently only available for
1330 the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
1331 systems are certainly possible. For such ports to be feasible,
1332 we require the C library of the target operating system to
1333 support the NSS and PAM
1334 systems. This is becoming more common as NSS and
1335 PAM gain support among UNIX vendors.</para></listitem>
1337 <listitem><para>The mappings of Windows NT RIDs to UNIX IDs
1338 is not made algorithmically and depends on the order in which
1339 unmapped users or groups are seen by Winbind. It may be difficult
1340 to recover the mappings of RID to UNIX ID if the file
1341 containing this information is corrupted or destroyed.</para>
1344 <listitem><para>Currently the Winbind PAM module does not take
1345 into account possible workstation and logon time restrictions
1346 that may be set for Windows NT users; this is
1347 instead up to the PDC to enforce.</para></listitem>
1351 <title>NSCD Problem Warning</title>
1353 <?latex \nopagebreak ?>
1356 Do not under any circumstances run <command>nscd</command> on any system
1357 on which <command>winbindd</command> is running.
1361 If <command>nscd</command> is running on the UNIX/Linux system, then
1362 even though NSSWITCH is correctly configured, it will not be possible to resolve
1363 domain users and groups for file and directory controls.
1369 <title>Winbind Is Not Resolving Users and Groups</title>
1372 My &smb.conf; file is correctly configured. I have specified
1373 <smbconfoption name="idmap uid">12000</smbconfoption>,
1374 and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
1375 and <command>winbind</command> is running. When I do the following, it all works fine.
1379 &rootprompt;<userinput>wbinfo -u</userinput>
1386 &rootprompt;<userinput>wbinfo -g</userinput>
1387 MIDEARTH\Domain Users
1388 MIDEARTH\Domain Admins
1389 MIDEARTH\Domain Guests
1393 &rootprompt;<userinput>getent passwd</userinput>
1394 root:x:0:0:root:/root:/bin/bash
1395 bin:x:1:1:bin:/bin:/bin/bash
1397 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
1401 But the following command just fails:
1404 &rootprompt;<userinput>chown maryo a_file</userinput>
1405 chown: `maryo': invalid user
1408 This is driving me nuts! What can be wrong?
1412 Same problem as the one above.
1413 Your system is likely running <command>nscd</command>, the name service
1414 caching daemon. Shut it down, do not restart it! You will find your problem resolved.