diff options
| author | Gerald Carter <jerry@samba.org> | 2003-09-09 02:58:53 +0000 | 
|---|---|---|
| committer | Gerald Carter <jerry@samba.org> | 2003-09-09 02:58:53 +0000 | 
| commit | 99bde6889d3d8b7a9e950c86c30e82662e1dacdd (patch) | |
| tree | bb7d34722e3b2b98ae7e36c11f4e7e4d4538b6fb /docs/htmldocs/winbind.html | |
| parent | a50367ee119d0acf1bcaaf93f8c6fcc8fa68c999 (diff) | |
| download | samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.gz samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.bz2 samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.zip | |
syncing files from 3.0 into HEAD again
(This used to be commit bca0bba209255d0effbae6a3d3b6d298f0952c3a)
Diffstat (limited to 'docs/htmldocs/winbind.html')
| -rw-r--r-- | docs/htmldocs/winbind.html | 163 | 
1 files changed, 76 insertions, 87 deletions
| diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html index 567e882367..1ee1de9f2f 100644 --- a/docs/htmldocs/winbind.html +++ b/docs/htmldocs/winbind.html @@ -1,14 +1,38 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Integrated Logon Support using Winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Integrated Logon Support using Winbind</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Integrated Logon Support using Winbind</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2979695">Features and Benefits</a></dt><dt><a href="winbind.html#id2979724">Introduction</a></dt><dt><a href="winbind.html#id2979795">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2979856">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2979886">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2979914">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2979949">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2979971">Name Service Switch</a></dt><dt><a href="winbind.html#id2980108">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2980179">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2980214">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2980242">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2980271">Introduction</a></dt><dt><a href="winbind.html#id2980346">Requirements</a></dt><dt><a href="winbind.html#id2980438">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2982058">Conclusion</a></dt><dt><a href="winbind.html#id2982077">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979695"></a>Features and Benefits</h2></div></div><div></div></div><p>Integration of UNIX and Microsoft Windows NT through  -	a unified logon has been considered a "holy grail" in heterogeneous  -	computing environments for a long time. We present  -	<span class="emphasis"><em>winbind</em></span>, a component of the Samba suite  -	of programs as a solution to the unified logon problem. Winbind  -	uses a UNIX implementation  -	of Microsoft RPC calls, Pluggable Authentication Modules, and the Name  -	Service Switch to allow Windows NT domain users to appear and operate  -	as UNIX users on a UNIX machine. This paper describes the winbind  -	system, explaining the functionality it provides, how it is configured,  -	and how it works internally.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979724"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have  +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Winbind: Use of Domain Accounts</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><tt class="email"><<a href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2941150">Features and Benefits</a></dt><dt><a href="winbind.html#id2941246">Introduction</a></dt><dt><a href="winbind.html#id2941324">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2941400">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2941431">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2941460">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2941493">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2941516">Name Service Switch</a></dt><dt><a href="winbind.html#id2941652">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2941724">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2941757">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2941785">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2941792">Introduction</a></dt><dt><a href="winbind.html#id2941859">Requirements</a></dt><dt><a href="winbind.html#id2941953">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2943561">Conclusion</a></dt><dt><a href="winbind.html#id2943580">Common Errors</a></dt><dd><dl><dt><a href="winbind.html#id2943633">NSCD Problem Warning</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941150"></a>Features and Benefits</h2></div></div><div></div></div><p> +	Integration of UNIX and Microsoft Windows NT through a unified logon has +	been considered a "holy grail" in heterogeneous computing environments for +	a long time. +	</p><p> +	There is one other facility without which UNIX and Microsoft Windows network +	interoperability would suffer greatly. It is imperative that there be a +	mechanism for sharing files across UNIX systems and to be able to assign +	domain user and group ownerships with integrity. +	</p><p> +	<span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs +	solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft +	RPC calls, Pluggable Authentication Modules, and the Name Service Switch to +	allow Windows NT domain users to appear and operate as UNIX users on a UNIX +	machine. This chapter describes the winbind system, explaining the functionality +	it provides, how it is configured, and how it works internally. +	</p><p> +	Winbind provides three separate functions: +	</p><div class="itemizedlist"><ul type="disc"><li><p> +		Authentication of user credentials (via PAM) +		</p></li><li><p> +		Identity resolution (via NSS)` +		</p></li><li><p> +		Windindd maintains a database called winbind_idmap.tdb in which it stores +		mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only +		for users and groups that do not have a local UID/GID. It stored the UID/GID +		allocated from the idmap uid/gid range that it has mapped to the NT SID. +		If <i class="parameter"><tt>idmap backend</tt></i> has been specified as ldapsam:url +		then instead of using a local mapping winbindd will obtain this information +		from the LDAP database. +		</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +	If winbindd is not running, then smbd (which calls winbindd) will fall back to +	using purely local information from /etc/passwd and /etc/group and no dynamic +	mapping will be used. +	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941246"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have   	different models for representing user and group information and   	use different technologies for implementing them. This fact has   	made it difficult to integrate the two systems in a satisfactory  @@ -29,7 +53,7 @@  	tasks for the system administrator when maintaining users and   	groups on either system. The winbind system provides a simple   	and elegant solution to all three components of the unified logon  -	problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979795"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by  +	problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941324"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by   	allowing a UNIX box to become a full member of a NT domain. Once   	this is done the UNIX box will see NT users and groups as if   	they were native UNIX users and groups, allowing the NT domain  @@ -53,7 +77,7 @@  	to provide authentication via a NT domain to any PAM enabled   	applications. This capability solves the problem of synchronizing   	passwords between systems since all passwords are stored in a single  -	location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979856"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an  +	location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941400"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an   		existing NT based domain infrastructure into which they wish   		to put UNIX workstations or servers. Winbind will allow these   		organizations to deploy UNIX workstations without having to  @@ -63,12 +87,12 @@  		be used is as a central part of UNIX based appliances. Appliances   		that provide file and print services to Microsoft based networks   		will be able to use Winbind to provide seamless integration of  -		the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979886"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server  +		the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941431"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server   	architecture. A long running <b class="command">winbindd</b> daemon   	listens on a UNIX domain socket waiting for requests  	to arrive. These requests are generated by the NSS and PAM   	clients and processed sequentially.</p><p>The technologies used to implement winbind are described  -	in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979914"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway  +	in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941460"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway   		by various Samba Team members to decode various aspects of   		the Microsoft Remote Procedure Call (MSRPC) system. This   		system is used for most network related operations between  @@ -81,7 +105,7 @@  		users or groups. Other MSRPC calls can be used to authenticate   		NT domain users and to change user passwords. By directly querying   		a Windows PDC for user and group information, winbind maps the  -		NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979949"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p> +		NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941493"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p>                  Since late 2001, Samba has gained the ability to                  interact with Microsoft Windows 2000 using its 'Native                  Mode' protocols, rather than the NT4 RPC services. @@ -90,7 +114,7 @@                  same way as a Win2k client would, and in so doing                  provide a much more efficient and                  effective winbind implementation.   -                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979971"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is  +                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941516"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is   		present in many UNIX operating systems. It allows system   		information such as hostnames, mail aliases and user information   		to be resolved from different sources. For example, a standalone  @@ -112,7 +136,7 @@  		the C library looks in <tt class="filename">/etc/nsswitch.conf</tt>   		for a line which matches the service type being requested, for   		example the "passwd" service type is used when user or group names  -		are looked up. This	config line species which implementations  +		are looked up. This	config line specifies which implementations   		of that service should be tried and in what order. If the passwd   		config line is:</p><pre class="programlisting">  passwd: files example @@ -127,7 +151,7 @@ passwd: files example  		is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt>   		then add "winbind" into <tt class="filename">/etc/nsswitch.conf</tt> at   		the appropriate place. The C library will then call Winbind to  -		resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980108"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,  +		resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941652"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,   		is a system for abstracting authentication and authorization   		technologies. With a PAM module it is possible to specify different   		authentication methods for different system applications without  @@ -152,7 +176,7 @@ passwd: files example  		is copied to <tt class="filename">/lib/security/</tt> and the PAM   		control files for relevant services are updated to allow   		authentication via winbind. See the PAM documentation -		for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980179"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT  +		for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941724"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT   		is it allocated a numerical relative identifier (RID). This is   		slightly different to UNIX which has a range of numbers that are   		used to identify users, and the same range in which to identify  @@ -165,7 +189,7 @@ passwd: files example  		time, winbind will have mapped all Windows NT users and groups  		to UNIX user ids and group ids.</p><p>The results of this mapping are stored persistently in   		an ID mapping database held in a tdb database). This ensures that  -		RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980214"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group  +		RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941757"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group   		name lookups. To reduce the network cost of these lookups winbind   		uses a caching scheme based on the SAM sequence number supplied   		by NT domain controllers.  User or group information returned  @@ -176,23 +200,12 @@ passwd: files example  		the PDC and compared against the sequence number of the cached entry.   		If the sequence numbers do not match, then the cached information   		is discarded and up to date information is requested directly  -		from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980242"></a>Installation and Configuration</h2></div></div><div></div></div><p> -Many thanks to John Trostel <a href="mailto:jtrostel@snapserver.com" target="_top">jtrostel@snapserver.com</a> -for providing the HOWTO for this section. -</p><p> -This HOWTO describes how to get winbind services up and running  -to control access and authenticate users on your Linux box using  -the winbind services which come with SAMBA 3.0. -</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980271"></a>Introduction</h3></div></div><div></div></div><p> +		from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941785"></a>Installation and Configuration</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941792"></a>Introduction</h3></div></div><div></div></div><p>  This section describes the procedures used to get winbind up and  -running on a RedHat 7.1 system.  Winbind is capable of providing access  +running.  Winbind is capable of providing access   and authentication control for Windows Domain users through an NT   or Win2K PDC for 'regular' services, such as telnet a nd ftp, as  well for SAMBA services. -</p><p> -This HOWTO has been written from a 'RedHat-centric' perspective, so if  -you are using another distribution, you may have to modify the instructions  -somewhat to fit the way your distribution works.  </p><div class="itemizedlist"><ul type="disc"><li><p>  	<span class="emphasis"><em>Why should I to this?</em></span>  	</p><p>This allows the SAMBA administrator to rely on the  @@ -208,7 +221,7 @@ somewhat to fit the way your distribution works.  	SAMBA server, this HOWTO is for you.  That said, I am no NT or PAM   	expert, so you may find a better or easier way to accomplish   	these tasks. -	</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980346"></a>Requirements</h3></div></div><div></div></div><p> +	</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941859"></a>Requirements</h3></div></div><div></div></div><p>  If you have a Samba configuration file that you are currently   using... <span class="emphasis"><em>BACK IT UP!</em></span>  If your system already uses PAM,   <span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory  @@ -235,33 +248,18 @@ winbind modules, you should have at least the pam libraries resident  on your system.  For recent RedHat systems (7.1, for instance), that   means <tt class="filename">pam-0.74-22</tt>.  For best results, it is helpful to also  install the development packages in <tt class="filename">pam-devel-0.74-22</tt>. -</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980438"></a>Testing Things Out</h3></div></div><div></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941953"></a>Testing Things Out</h3></div></div><div></div></div><p>  Before starting, it is probably best to kill off all the SAMBA   related daemons running on your server.  Kill off all <span class="application">smbd</span>,   <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may   be running.  To use PAM, you will want to make sure that you have the  -standard PAM package (for RedHat) which supplies the <tt class="filename">/etc/pam.d</tt>  +standard PAM package which supplies the <tt class="filename">/etc/pam.d</tt>   directory structure, including the pam modules are used by pam-aware   services, several pam libraries, and the <tt class="filename">/usr/doc</tt>   and <tt class="filename">/usr/man</tt> entries for pam.  Winbind built better   in SAMBA if the pam-devel package was also installed.  This package includes   the header files needed to compile pam-aware applications.  -</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980500"></a>Configure and compile SAMBA</h4></div></div><div></div></div><p> -The configuration and compilation of SAMBA is pretty straightforward. -The first three steps may not be necessary depending upon -whether or not you have previously built the Samba binaries. -</p><pre class="screen"> -<tt class="prompt">root# </tt><b class="command">autoconf</b> -<tt class="prompt">root# </tt><b class="command">make clean</b> -<tt class="prompt">root# </tt><b class="command">rm config.cache</b> -<tt class="prompt">root# </tt><b class="command">./configure</b> -<tt class="prompt">root# </tt><b class="command">make</b> -<tt class="prompt">root# </tt><b class="command">make install</b> -</pre><p> -This will, by default, install SAMBA in <tt class="filename">/usr/local/samba</tt>. -See the main SAMBA documentation if you want to install SAMBA somewhere else. -It will also build the winbindd executable and libraries.  -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980613"></a>Configure <tt class="filename">nsswitch.conf</tt> and the  +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942015"></a>Configure <tt class="filename">nsswitch.conf</tt> and the   winbind libraries on Linux and Solaris</h4></div></div><div></div></div><p>  The libraries needed to run the <span class="application">winbindd</span> daemon   through nsswitch need to be copied to their proper locations, so @@ -296,7 +294,7 @@ is faster (and you don't need to reboot) if you do it manually:  </p><p>  This makes <tt class="filename">libnss_winbind</tt> available to winbindd   and echos back a check to you. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980820"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942224"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p>  The winbind AIX identification module gets built as libnss_winbind.so in the  nsswitch directory of the samba source.  This file can be copied to  /usr/lib/security, and the AIX naming convention would indicate that it @@ -316,40 +314,25 @@ Programming Concepts for AIX": <a href="http://publibn.boulder.ibm.com/doc_  Chapter 18. Loadable Authentication Module Programming Interface</a>   and more information on administering the  modules at <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top">  "System Management Guide: Operating System and Devices"</a>. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980900"></a>Configure smb.conf</h4></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942302"></a>Configure smb.conf</h4></div></div><div></div></div><p>  Several parameters are needed in the smb.conf file to control   the behavior of <span class="application">winbindd</span>. Configure   <tt class="filename">smb.conf</tt> These are described in more detail in   the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page.  My   <tt class="filename">smb.conf</tt> file was modified to  include the following entries in the [global] section: -</p><pre class="programlisting"> -[global] -     <...> -     # separate domain and username with '+', like DOMAIN+username -     <a href="winbindd.8.html#WINBINDSEPARATOR" target="_top">winbind separator</a> = + -     # use uids from 10000 to 20000 for domain users -     <a href="winbindd.8.html#WINBINDUID" target="_top">idmap uid</a> = 10000-20000 -     # use gids from 10000 to 20000 for domain groups -     <a href="winbindd.8.html#WINBINDGID" target="_top">idmap gid</a> = 10000-20000 -     # allow enumeration of winbind users and groups -     <a href="winbindd.8.html#WINBINDENUMUSERS" target="_top">winbind enum users</a> = yes -     <a href="winbindd.8.html#WINBINDENUMGROUP" target="_top">winbind enum groups</a> = yes -     # give winbind users a real shell (only needed if they have telnet access) -     <a href="winbindd.8.html#TEMPLATEHOMEDIR" target="_top">template homedir</a> = /home/winnt/%D/%U -     <a href="winbindd.8.html#TEMPLATESHELL" target="_top">template shell</a> = /bin/bash -</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981017"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p> +</p><div class="example"><a name="id2942349"></a><p class="title"><b>Example 21.1. smb.conf for winbind set-up</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td>#  separate domain and username with '+', like DOMAIN+username</td></tr><tr><td><i class="parameter"><tt>winbind separator = +</tt></i></td></tr><tr><td>#  use uids from 10000 to 20000 for domain users</td></tr><tr><td><i class="parameter"><tt>idmap uid = 10000-20000</tt></i></td></tr><tr><td>#  use gids from 10000 to 20000 for domain groups</td></tr><tr><td><i class="parameter"><tt>winbind gid = 10000-20000</tt></i></td></tr><tr><td>#  allow enumeration of winbind users and groups</td></tr><tr><td><i class="parameter"><tt>winbind enum users = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>winbind enum groups = yes</tt></i></td></tr><tr><td>#  give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><i class="parameter"><tt>template homedir = /home/winnt/%D/%U</tt></i></td></tr><tr><td><i class="parameter"><tt>template shell = /bin/bash</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942460"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p>  Enter the following command to make the SAMBA server join the   PDC domain, where <i class="replaceable"><tt>DOMAIN</tt></i> is the name of   your Windows domain and <i class="replaceable"><tt>Administrator</tt></i> is   a domain user who has administrative privileges in the domain.  </p><p> -<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/net join -S PDC -U Administrator</tt></b> +<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</tt></b>  </p><p>  The proper response to the command should be: "Joined the domain   <i class="replaceable"><tt>DOMAIN</tt></i>" where <i class="replaceable"><tt>DOMAIN</tt></i>   is your DOMAIN name. -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981071"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942516"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p>  Eventually, you will want to modify your smb startup script to   automatically invoke the winbindd daemon when the other parts of   SAMBA start, but it is possible to test out just the winbind @@ -391,8 +374,7 @@ your PDC.  For example, I get the following response:  	CEO+krbtgt  	CEO+TsInternetUser  </pre><p> -Obviously, I have named my domain 'CEO' and my <i class="parameter"><tt>winbind -separator</tt></i> is '+'. +	Obviously, I have named my domain 'CEO' and my <a class="indexterm" name="id2942662"></a><i class="parameter"><tt>winbind separator</tt></i> is '+'.  </p><p>  You can do the same sort of thing to get group information from   the PDC: @@ -421,7 +403,7 @@ directories and default shells.  The same thing can be done for groups with the command  </p><p>  <tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b> -</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981312"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981320"></a>Linux</h5></div></div><div></div></div><p> +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2942766"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2942773"></a>Linux</h5></div></div><div></div></div><p>  The <span class="application">winbindd</span> daemon needs to start up after the   <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running.    To accomplish this task, you need to modify the startup scripts of your system. @@ -487,7 +469,7 @@ stop() {          echo ""          return $RETVAL  } -</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981482"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the  +</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2942942"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the   <tt class="filename">/etc/init.d/samba.server</tt> startup script. It usually   only starts smbd and nmbd but should now start winbindd too. If you   have samba installed in <tt class="filename">/usr/local/samba/bin</tt>,  @@ -550,11 +532,11 @@ in the script above with:  </p><pre class="programlisting">  	/usr/local/samba/bin/winbindd -B  </pre><p> -</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981600"></a>Restarting</h5></div></div><div></div></div><p> +</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2943053"></a>Restarting</h5></div></div><div></div></div><p>  If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you  should be able to connect to the samba server as a domain member just as  if you were a local user. -</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981637"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p> +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2943089"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p>  If you have made it this far, you know that winbindd and samba are working  together.  If you want to use winbind to provide authentication for other   services, keep reading.  The pam configuration files need to be altered in @@ -574,7 +556,7 @@ your other pam security modules.  On my RedHat system, this was the  modules reside in <tt class="filename">/usr/lib/security</tt>.  </p><p>  <tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b> -</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981743"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p> +</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2943196"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p>  The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I   just left this file as it was:  </p><pre class="programlisting"> @@ -601,7 +583,7 @@ have individual directories for the domain users already present on  the server, or change the home directory template to a general  directory for all domain users.  These can be easily set using   the <tt class="filename">smb.conf</tt> global entry  -<i class="parameter"><tt>template homedir</tt></i>. +<a class="indexterm" name="id2943302"></a><i class="parameter"><tt>template homedir</tt></i>.  </p><p>  The <tt class="filename">/etc/pam.d/ftp</tt> file can be changed   to allow winbind ftp access in a manner similar to the @@ -634,10 +616,10 @@ same way.  It now looks like this:  In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p>   lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p>  above it, to disallow root logins over the network.  I also added a  -<b class="command">sufficient /lib/security/pam_unix.so use_first_pass</b> +</p><pre class="programlisting">sufficient /lib/security/pam_unix.so use_first_pass</pre><p>  line after the <b class="command">winbind.so</b> line to get rid of annoying   double prompts for passwords. -</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981966"></a>Solaris-specific configuration</h5></div></div><div></div></div><p> +</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2943437"></a>Solaris-specific configuration</h5></div></div><div></div></div><p>  The /etc/pam.conf needs to be changed. I changed this file so that my Domain  users can logon both locally as well as telnet.The following are the changes  that I made.You can customize the pam.conf file as per your requirements,but @@ -709,15 +691,15 @@ annoying double prompts for passwords.  </p><p>  Now restart your Samba and try connecting through your application that you  configured in the pam.conf. -</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982058"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service  +</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943561"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service   	Switch, Pluggable Authentication Modules, and appropriate   	Microsoft RPC calls have allowed us to provide seamless   	integration of Microsoft Windows NT domain users on a  	UNIX system. The result is a great reduction in the administrative  -	cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982077"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current  +	cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943580"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current   	released version that we hope to overcome in future   	releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for  -		the Linux, Solaris and IRIX operating systems, although ports to other operating  +		the Linux, Solaris, AIX and IRIX operating systems, although ports to other operating   		systems are certainly possible. For such ports to be feasible,   		we require the C library of the target operating system to   		support the Name Service Switch and Pluggable Authentication @@ -729,4 +711,11 @@ configured in the pam.conf.  		containing this information is corrupted or destroyed.</p></li><li><p>Currently the winbind PAM module does not take   		into account possible workstation and logon time restrictions   		that may be been set for Windows NT users, this is -		instead up to the PDC to enforce.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. Advanced Network Management</td></tr></table></div></body></html> +		instead up to the PDC to enforce.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943633"></a>NSCD Problem Warning</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +	Do NOT under ANY circumstances run <b class="command">nscd</b> on any system +	on which <b class="command">winbind</b> is running. +	</p></div><p> +	If <b class="command">nscd</b> is running on the UNIX/Linux system, then +	even though NSSWITCH is correctly configured it will NOT be possible to resolve +	domain users and groups for file and directory controls. +	</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. Advanced Network Management</td></tr></table></div></body></html> | 
