| blob | e0489c43c483615fe971e3c1666ddc64bb160820 |
3 ]>
6 <refmeta>
9 </refmeta>
12 <refnamediv>
14 <refpurpose>Name Service Switch daemon for resolving names
15 from NT servers</refpurpose>
16 </refnamediv>
18 <refsynopsisdiv>
19 <cmdsynopsis>
28 </cmdsynopsis>
29 </refsynopsisdiv>
31 <refsect1>
38 a service for the Name Service Switch capability that is present
39 in most modern C libraries. The Name Service Switch allows user
40 and system information to be obtained from different databases
41 services such as NIS or DNS. The exact behaviour can be configured
43 Users and groups are allocated as they are resolved to a range
44 of user and group ids specified by the administrator of the
45 Samba system.</para>
48 can be used to resolve user and group information from a
49 Windows NT server. The service can also provide authentication
50 services via an associated PAM module. </para>
52 <para>
55 module-types. The latter simply
56 performs a getpwnam() to verify that the system can obtain a uid for the
58 installed, this should always succeed.
59 </para>
61 <para>The following nsswitch databases are implemented by
62 the winbindd service: </para>
64 <variablelist>
65 <varlistentry>
67 <listitem><para>User information traditionally stored in
70 resolved through the WINS server or by broadcast.
71 </para></listitem>
72 </varlistentry>
74 <varlistentry>
76 <listitem><para>User information traditionally stored in
79 </varlistentry>
81 <varlistentry>
83 <listitem><para>Group information traditionally stored in
86 </varlistentry>
87 </variablelist>
89 <para>For example, the following simple configuration in the
91 resolve user and group information from <filename>/etc/passwd
93 Windows NT server.
94 <programlisting>
95 passwd: files winbind
96 group: files winbind
97 </programlisting></para>
99 <para>The following simple configuration in the
102 WINS server.</para>
104 </refsect1>
107 <refsect1>
110 <variablelist>
111 <varlistentry>
113 <listitem><para>If specified, this parameter causes
115 i.e. double-fork and disassociate with the terminal.
116 Child processes are still created as normal to service
117 each connection request, but the main process does not
118 exit. This operation mode is suitable for running
122 package, or the AIX process monitor.
123 </para></listitem>
124 </varlistentry>
126 <varlistentry>
128 <listitem><para>If specified, this parameter causes
130 than a file.</para></listitem>
131 </varlistentry>
133 &popt.common.samba;
134 &stdarg.help;
136 <varlistentry>
139 become a daemon and detach from the current terminal. This
140 option is used by developers when interactive debugging
144 </para></listitem>
145 </varlistentry>
147 <varlistentry>
149 <listitem><para>Disable caching. This means winbindd will
150 always have to wait for a response from the domain controller
151 before it can respond to a client and this thus makes things
152 slower. The results will however be more accurate, since
153 results from the cache might not be up-to-date. This
154 might also temporarily hang winbindd if the DC doesn't respond.
155 </para></listitem>
156 </varlistentry>
158 <varlistentry>
160 <listitem><para>Dual daemon mode. This means winbindd will run
161 as 2 threads. The first will answer all requests from the cache,
162 thus making responses to clients faster. The other will
163 update the cache for the query that the first has just responded.
164 Advantage of this is that responses stay accurate and are faster.
165 </para></listitem>
166 </varlistentry>
168 </variablelist>
169 </refsect1>
172 <refsect1>
175 <para>Users and groups on a Windows NT server are assigned
176 a relative id (rid) which is unique for the domain when the
177 user or group is created. To convert the Windows NT user or group
178 into a unix user or group, a mapping between rids and unix user
179 and group ids is required. This is one of the jobs that <command>
182 <para>As winbindd users and groups are resolved from a server, user
183 and group ids are allocated from a specified range. This
184 is done on a first come, first served basis, although all existing
185 users and groups will be mapped as soon as a client performs a user
186 or group enumeration command. The allocated unix ids are stored
187 in a database file under the Samba lock directory and will be
188 remembered. </para>
190 <para>WARNING: The rid to unix id database is the only location
191 where the user and group mappings are stored by winbindd. If this
192 file is deleted or corrupted, there is no way for winbindd to
193 determine which user and group ids correspond to Windows NT user
194 and group rids. </para>
195 </refsect1>
198 <refsect1>
202 is done through configuration parameters in the <citerefentry>
204 </citerefentry> file. All parameters should be specified in the
205 [global] section of smb.conf. </para>
207 <itemizedlist>
226 </itemizedlist>
227 </refsect1>
230 <refsect1>
233 <para>To setup winbindd for user and group lookups plus
234 authentication from a domain controller use something like the
238 following:
239 <programlisting>
240 passwd: files winbind
241 group: files winbind
242 </programlisting></para>
245 auth</parameter> lines with something like this:
246 <programlisting>
247 auth required /lib/security/pam_securetty.so
248 auth required /lib/security/pam_nologin.so
249 auth sufficient /lib/security/pam_winbind.so
250 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
251 </programlisting></para>
259 <para><command>account required /lib/security/pam_winbind.so
260 </command></para>
262 <para>The next step is to join the domain. To do that use the
268 Domain user that has administrator privileges on the machine.
276 older version of glibc then the target of the link should be
281 following:
282 <programlisting>
283 [global]
284 winbind separator = +
285 winbind cache time = 10
286 template shell = /bin/bash
287 template homedir = /home/%D/%U
290 workgroup = DOMAIN
291 security = domain
292 password server = *
293 </programlisting></para>
296 <para>Now start winbindd and you should find that your user and
297 group database is expanded to include your NT users and groups,
298 and that you can login to your unix box as a domain user, using
299 the DOMAIN+user syntax for the username. You may wish to use the
302 </refsect1>
305 <refsect1>
308 <para>The following notes are useful when configuring and
314 the list of trusted domains for the Windows NT server
315 on startup and when a SIGHUP is received. Thus, for a running <command>
316 winbindd</command> to become aware of new trust relationships between
317 servers, it must be sent a SIGHUP signal. </para>
319 <para>PAM is really easy to misconfigure. Make sure you know what
320 you are doing when modifying PAM configuration files. It is possible
321 to set up PAM such that you can no longer log into your system. </para>
324 then in general the user and groups ids allocated by winbindd will not
325 be the same. The user and group ids will only be valid for the local
326 machine.</para>
328 <para>If the the Windows NT RID to UNIX user and group id mapping
329 file is damaged or destroyed then the mappings will be lost. </para>
330 </refsect1>
333 <refsect1>
336 <para>The following signals can be used to manipulate the
339 <variablelist>
340 <varlistentry>
344 apply any parameter changes to the running
345 version of winbindd. This signal also clears any cached
346 user and group information. The list of other domains trusted
347 by winbindd is also reloaded. </para></listitem>
348 </varlistentry>
350 <varlistentry>
353 winbindd</command> to write status information to the winbind
354 log file including information about the number of user and
357 <para>Log files are stored in the filename specified by the
358 log file parameter.</para></listitem>
359 </varlistentry>
360 </variablelist>
361 </refsect1>
363 <refsect1>
366 <variablelist>
367 <varlistentry>
370 </listitem>
371 </varlistentry>
373 <varlistentry>
375 <listitem><para>The UNIX pipe over which clients communicate with
377 winbind client will only attempt to connect to the winbindd daemon
380 root. </para></listitem>
381 </varlistentry>
383 <varlistentry>
385 <listitem><para>The UNIX pipe over which 'privilaged' clients
387 reasons, access to some winbindd functions - like those needed by
389 only users in the 'root' group will get this access, however the administrator
390 may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
391 programs like 'squid' to use ntlm_auth.
392 Note that the winbind client will only attempt to connect to the winbindd daemon
395 root. </para></listitem>
396 </varlistentry>
398 <varlistentry>
400 <listitem><para>Implementation of name service switch library.
401 </para></listitem>
402 </varlistentry>
404 <varlistentry>
406 <listitem><para>Storage for the Windows NT rid to UNIX user/group
407 id mapping. The lock directory is specified when Samba is initially
409 This directory is by default <filename>/usr/local/samba/var/locks
411 </varlistentry>
413 <varlistentry>
415 <listitem><para>Storage for cached user and group information.
416 </para></listitem>
417 </varlistentry>
418 </variablelist>
419 </refsect1>
422 <refsect1>
426 the Samba suite.</para>
427 </refsect1>
429 <refsect1>
439 </refsect1>
441 <refsect1>
444 <para>The original Samba software and related utilities
445 were created by Andrew Tridgell. Samba is now developed
446 by the Samba Team as an Open Source project similar
447 to the way the Linux kernel is developed.</para>
450 written by Tim Potter.</para>
453 by Gerald Carter. The conversion to DocBook XML 4.2 for
455 </refsect1>
457 </refentry>