| blob | bfa3b4ff53a1f9806d7d081cfd1a20cc48617a5f |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % globalentities SYSTEM '../entities/global.entities'> %globalentities;
5 ]>
6 <refentry id="winbindd.8">
8 <refmeta>
9 <refentrytitle>winbindd</refentrytitle>
10 <manvolnum>8</manvolnum>
11 </refmeta>
14 <refnamediv>
15 <refname>winbindd</refname>
16 <refpurpose>Name Service Switch daemon for resolving names
17 from NT servers</refpurpose>
18 </refnamediv>
20 <refsynopsisdiv>
21 <cmdsynopsis>
22 <command>winbindd</command>
23 <arg choice="opt">-F</arg>
24 <arg choice="opt">-S</arg>
25 <arg choice="opt">-i</arg>
26 <arg choice="opt">-Y</arg>
27 <arg choice="opt">-d <debug level></arg>
28 <arg choice="opt">-s <smb config file></arg>
29 <arg choice="opt">-n</arg>
30 </cmdsynopsis>
31 </refsynopsisdiv>
33 <refsect1>
34 <title>DESCRIPTION</title>
36 <para>This program is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
37 <manvolnum>7</manvolnum></citerefentry> suite.</para>
39 <para><command>winbindd</command> is a daemon that provides
40 a service for the Name Service Switch capability that is present
41 in most modern C libraries. The Name Service Switch allows user
42 and system information to be obtained from different databases
43 services such as NIS or DNS. The exact behaviour can be configured
44 throught the <filename>/etc/nsswitch.conf</filename> file.
45 Users and groups are allocated as they are resolved to a range
46 of user and group ids specified by the administrator of the
47 Samba system.</para>
49 <para>The service provided by <command>winbindd</command> is called `winbind' and
50 can be used to resolve user and group information from a
51 Windows NT server. The service can also provide authentication
52 services via an associated PAM module. </para>
54 <para>
55 The <filename>pam_winbind</filename> module in the 2.2.2 release only
56 supports the <parameter>auth</parameter> and <parameter>account</parameter>
57 module-types. The latter simply
58 performs a getpwnam() to verify that the system can obtain a uid for the
59 user. If the <filename>libnss_winbind</filename> library has been correctly
60 installed, this should always succeed.
61 </para>
63 <para>The following nsswitch databases are implemented by
64 the winbindd service: </para>
66 <variablelist>
67 <varlistentry>
68 <term>hosts</term>
69 <listitem><para>This feature is only available on IRIX.
70 User information traditionally stored in
71 the <filename>hosts(5)</filename> file and used by
72 <command>gethostbyname(3)</command> functions. Names are
73 resolved through the WINS server or by broadcast.
74 </para></listitem>
75 </varlistentry>
77 <varlistentry>
78 <term>passwd</term>
79 <listitem><para>User information traditionally stored in
80 the <filename>passwd(5)</filename> file and used by
81 <command>getpwent(3)</command> functions. </para></listitem>
82 </varlistentry>
84 <varlistentry>
85 <term>group</term>
86 <listitem><para>Group information traditionally stored in
87 the <filename>group(5)</filename> file and used by
88 <command>getgrent(3)</command> functions. </para></listitem>
89 </varlistentry>
90 </variablelist>
92 <para>For example, the following simple configuration in the
93 <filename>/etc/nsswitch.conf</filename> file can be used to initially
94 resolve user and group information from <filename>/etc/passwd
95 </filename> and <filename>/etc/group</filename> and then from the
96 Windows NT server.
97 <programlisting>
98 passwd: files winbind
99 group: files winbind
100 ## only available on IRIX; Linux users should us libnss_wins.so
101 hosts: files dns winbind
102 </programlisting></para>
104 <para>The following simple configuration in the
105 <filename>/etc/nsswitch.conf</filename> file can be used to initially
106 resolve hostnames from <filename>/etc/hosts</filename> and then from the
107 WINS server.</para>
108 <programlisting>
109 hosts: files wins
110 </programlisting>
112 </refsect1>
115 <refsect1>
116 <title>OPTIONS</title>
118 <variablelist>
119 <varlistentry>
120 <term>-F</term>
121 <listitem><para>If specified, this parameter causes
122 the main <command>winbindd</command> process to not daemonize,
123 i.e. double-fork and disassociate with the terminal.
124 Child processes are still created as normal to service
125 each connection request, but the main process does not
126 exit. This operation mode is suitable for running
127 <command>winbindd</command> under process supervisors such
128 as <command>supervise</command> and <command>svscan</command>
129 from Daniel J. Bernstein's <command>daemontools</command>
130 package, or the AIX process monitor.
131 </para></listitem>
132 </varlistentry>
134 <varlistentry>
135 <term>-S</term>
136 <listitem><para>If specified, this parameter causes
137 <command>winbindd</command> to log to standard output rather
138 than a file.</para></listitem>
139 </varlistentry>
141 &popt.common.samba;
142 &stdarg.help;
144 <varlistentry>
145 <term>-i</term>
146 <listitem><para>Tells <command>winbindd</command> to not
147 become a daemon and detach from the current terminal. This
148 option is used by developers when interactive debugging
149 of <command>winbindd</command> is required.
150 <command>winbindd</command> also logs to standard output,
151 as if the <command>-S</command> parameter had been given.
152 </para></listitem>
153 </varlistentry>
155 <varlistentry>
156 <term>-n</term>
157 <listitem><para>Disable caching. This means winbindd will
158 always have to wait for a response from the domain controller
159 before it can respond to a client and this thus makes things
160 slower. The results will however be more accurate, since
161 results from the cache might not be up-to-date. This
162 might also temporarily hang winbindd if the DC doesn't respond.
163 </para></listitem>
164 </varlistentry>
166 <varlistentry>
167 <term>-Y</term>
168 <listitem><para>Single daemon mode. This means winbindd will run
169 as a single process (the mode of operation in Samba 2.2). Winbindd's
170 default behavior is to launch a child process that is responsible for
171 updating expired cache entries.
172 </para></listitem>
173 </varlistentry>
175 </variablelist>
176 </refsect1>
179 <refsect1>
180 <title>NAME AND ID RESOLUTION</title>
182 <para>Users and groups on a Windows NT server are assigned
183 a relative id (rid) which is unique for the domain when the
184 user or group is created. To convert the Windows NT user or group
185 into a unix user or group, a mapping between rids and unix user
186 and group ids is required. This is one of the jobs that <command>
187 winbindd</command> performs. </para>
189 <para>As winbindd users and groups are resolved from a server, user
190 and group ids are allocated from a specified range. This
191 is done on a first come, first served basis, although all existing
192 users and groups will be mapped as soon as a client performs a user
193 or group enumeration command. The allocated unix ids are stored
194 in a database file under the Samba lock directory and will be
195 remembered. </para>
197 <para>WARNING: The rid to unix id database is the only location
198 where the user and group mappings are stored by winbindd. If this
199 file is deleted or corrupted, there is no way for winbindd to
200 determine which user and group ids correspond to Windows NT user
201 and group rids. </para>
202 </refsect1>
205 <refsect1>
206 <title>CONFIGURATION</title>
208 <para>Configuration of the <command>winbindd</command> daemon
209 is done through configuration parameters in the <citerefentry>
210 <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
211 </citerefentry> file. All parameters should be specified in the
212 [global] section of smb.conf. </para>
214 <itemizedlist>
215 <listitem><para>
216 <smbconfoption><name>winbind separator</name></smbconfoption></para></listitem>
217 <listitem><para>
218 <smbconfoption><name>idmap uid</name></smbconfoption></para></listitem>
219 <listitem><para>
220 <smbconfoption><name>idmap gid</name></smbconfoption></para></listitem>
221 <listitem><para>
222 <smbconfoption><name>winbind cache time</name></smbconfoption></para></listitem>
223 <listitem><para>
224 <smbconfoption><name>winbind enum users</name></smbconfoption></para></listitem>
225 <listitem><para>
226 <smbconfoption><name>winbind enum groups</name></smbconfoption></para></listitem>
227 <listitem><para>
228 <smbconfoption><name>template homedir</name></smbconfoption></para></listitem>
229 <listitem><para>
230 <smbconfoption><name>template shell</name></smbconfoption></para></listitem>
231 <listitem><para>
232 <smbconfoption><name>winbind use default domain</name></smbconfoption></para></listitem>
233 </itemizedlist>
234 </refsect1>
237 <refsect1>
238 <title>EXAMPLE SETUP</title>
240 <para>To setup winbindd for user and group lookups plus
241 authentication from a domain controller use something like the
242 following setup. This was tested on a RedHat 6.2 Linux box. </para>
244 <para>In <filename>/etc/nsswitch.conf</filename> put the
245 following:
246 <programlisting>
247 passwd: files winbind
248 group: files winbind
249 </programlisting></para>
251 <para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
252 auth</parameter> lines with something like this:
253 <programlisting>
254 auth required /lib/security/pam_securetty.so
255 auth required /lib/security/pam_nologin.so
256 auth sufficient /lib/security/pam_winbind.so
257 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
258 </programlisting></para>
261 <para>Note in particular the use of the <parameter>sufficient
262 </parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
264 <para>Now replace the account lines with this: </para>
266 <para><command>account required /lib/security/pam_winbind.so
267 </command></para>
269 <para>The next step is to join the domain. To do that use the
270 <command>net</command> program like this: </para>
272 <para><command>net join -S PDC -U Administrator</command></para>
274 <para>The username after the <parameter>-U</parameter> can be any
275 Domain user that has administrator privileges on the machine.
276 Substitute the name or IP of your PDC for "PDC".</para>
278 <para>Next copy <filename>libnss_winbind.so</filename> to
279 <filename>/lib</filename> and <filename>pam_winbind.so
280 </filename> to <filename>/lib/security</filename>. A symbolic link needs to be
281 made from <filename>/lib/libnss_winbind.so</filename> to
282 <filename>/lib/libnss_winbind.so.2</filename>. If you are using an
283 older version of glibc then the target of the link should be
284 <filename>/lib/libnss_winbind.so.1</filename>.</para>
286 <para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
287 <manvolnum>5</manvolnum></citerefentry> containing directives like the
288 following:
289 <programlisting>
290 [global]
291 winbind separator = +
292 winbind cache time = 10
293 template shell = /bin/bash
294 template homedir = /home/%D/%U
295 idmap uid = 10000-20000
296 idmap gid = 10000-20000
297 workgroup = DOMAIN
298 security = domain
299 password server = *
300 </programlisting></para>
303 <para>Now start winbindd and you should find that your user and
304 group database is expanded to include your NT users and groups,
305 and that you can login to your unix box as a domain user, using
306 the DOMAIN+user syntax for the username. You may wish to use the
307 commands <command>getent passwd</command> and <command>getent group
308 </command> to confirm the correct operation of winbindd.</para>
309 </refsect1>
312 <refsect1>
313 <title>NOTES</title>
315 <para>The following notes are useful when configuring and
316 running <command>winbindd</command>: </para>
318 <para><citerefentry><refentrytitle>nmbd</refentrytitle>
319 <manvolnum>8</manvolnum></citerefentry> must be running on the local machine
320 for <command>winbindd</command> to work. <command>winbindd</command> queries
321 the list of trusted domains for the Windows NT server
322 on startup and when a SIGHUP is received. Thus, for a running <command>
323 winbindd</command> to become aware of new trust relationships between
324 servers, it must be sent a SIGHUP signal. </para>
326 <para>PAM is really easy to misconfigure. Make sure you know what
327 you are doing when modifying PAM configuration files. It is possible
328 to set up PAM such that you can no longer log into your system. </para>
330 <para>If more than one UNIX machine is running <command>winbindd</command>,
331 then in general the user and groups ids allocated by winbindd will not
332 be the same. The user and group ids will only be valid for the local
333 machine.</para>
335 <para>If the the Windows NT RID to UNIX user and group id mapping
336 file is damaged or destroyed then the mappings will be lost. </para>
337 </refsect1>
340 <refsect1>
341 <title>SIGNALS</title>
343 <para>The following signals can be used to manipulate the
344 <command>winbindd</command> daemon. </para>
346 <variablelist>
347 <varlistentry>
348 <term>SIGHUP</term>
349 <listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
350 <manvolnum>5</manvolnum></citerefentry> file and
351 apply any parameter changes to the running
352 version of winbindd. This signal also clears any cached
353 user and group information. The list of other domains trusted
354 by winbindd is also reloaded. </para></listitem>
355 </varlistentry>
357 <varlistentry>
358 <term>SIGUSR2</term>
359 <listitem><para>The SIGUSR2 signal will cause <command>
360 winbindd</command> to write status information to the winbind
361 log file including information about the number of user and
362 group ids allocated by <command>winbindd</command>.</para>
364 <para>Log files are stored in the filename specified by the
365 log file parameter.</para></listitem>
366 </varlistentry>
367 </variablelist>
368 </refsect1>
370 <refsect1>
371 <title>FILES</title>
373 <variablelist>
374 <varlistentry>
375 <term><filename>/etc/nsswitch.conf(5)</filename></term>
376 <listitem><para>Name service switch configuration file.</para>
377 </listitem>
378 </varlistentry>
380 <varlistentry>
381 <term>/tmp/.winbindd/pipe</term>
382 <listitem><para>The UNIX pipe over which clients communicate with
383 the <command>winbindd</command> program. For security reasons, the
384 winbind client will only attempt to connect to the winbindd daemon
385 if both the <filename>/tmp/.winbindd</filename> directory
386 and <filename>/tmp/.winbindd/pipe</filename> file are owned by
387 root. </para></listitem>
388 </varlistentry>
390 <varlistentry>
391 <term>$LOCKDIR/winbindd_privilaged/pipe</term>
392 <listitem><para>The UNIX pipe over which 'privilaged' clients
393 communicate with the <command>winbindd</command> program. For security
394 reasons, access to some winbindd functions - like those needed by
395 the <command>ntlm_auth</command> utility - is restricted. By default,
396 only users in the 'root' group will get this access, however the administrator
397 may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
398 programs like 'squid' to use ntlm_auth.
399 Note that the winbind client will only attempt to connect to the winbindd daemon
400 if both the <filename>$LOCKDIR/winbindd_privilaged</filename> directory
401 and <filename>$LOCKDIR/winbindd_privilaged/pipe</filename> file are owned by
402 root. </para></listitem>
403 </varlistentry>
405 <varlistentry>
406 <term>/lib/libnss_winbind.so.X</term>
407 <listitem><para>Implementation of name service switch library.
408 </para></listitem>
409 </varlistentry>
411 <varlistentry>
412 <term>$LOCKDIR/winbindd_idmap.tdb</term>
413 <listitem><para>Storage for the Windows NT rid to UNIX user/group
414 id mapping. The lock directory is specified when Samba is initially
415 compiled using the <parameter>--with-lockdir</parameter> option.
416 This directory is by default <filename>/usr/local/samba/var/locks
417 </filename>. </para></listitem>
418 </varlistentry>
420 <varlistentry>
421 <term>$LOCKDIR/winbindd_cache.tdb</term>
422 <listitem><para>Storage for cached user and group information.
423 </para></listitem>
424 </varlistentry>
425 </variablelist>
426 </refsect1>
429 <refsect1>
430 <title>VERSION</title>
432 <para>This man page is correct for version 3.0 of
433 the Samba suite.</para>
434 </refsect1>
436 <refsect1>
437 <title>SEE ALSO</title>
439 <para><filename>nsswitch.conf(5)</filename>, <citerefentry>
440 <refentrytitle>Samba</refentrytitle>
441 <manvolnum>7</manvolnum></citerefentry>, <citerefentry>
442 <refentrytitle>wbinfo</refentrytitle>
443 <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
444 <refentrytitle>smb.conf</refentrytitle>
445 <manvolnum>5</manvolnum></citerefentry></para>
446 </refsect1>
448 <refsect1>
449 <title>AUTHOR</title>
451 <para>The original Samba software and related utilities
452 were created by Andrew Tridgell. Samba is now developed
453 by the Samba Team as an Open Source project similar
454 to the way the Linux kernel is developed.</para>
456 <para><command>wbinfo</command> and <command>winbindd</command> were
457 written by Tim Potter.</para>
459 <para>The conversion to DocBook for Samba 2.2 was done
460 by Gerald Carter. The conversion to DocBook XML 4.2 for
461 Samba 3.0 was done by Alexander Bokovoy.</para>
462 </refsect1>
464 </refentry>