diff options
Diffstat (limited to 'docs/docbook/manpages/winbindd.8.sgml')
| -rw-r--r-- | docs/docbook/manpages/winbindd.8.sgml | 455 |
1 files changed, 0 insertions, 455 deletions
diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml deleted file mode 100644 index ccef2fa623..0000000000 --- a/docs/docbook/manpages/winbindd.8.sgml +++ /dev/null @@ -1,455 +0,0 @@ -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<refentry id="winbindd"> - -<refmeta> - <refentrytitle>winbindd</refentrytitle> - <manvolnum>8</manvolnum> -</refmeta> - - -<refnamediv> - <refname>winbindd</refname> - <refpurpose>Name Service Switch daemon for resolving names - from NT servers</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>winbindd</command> - <arg choice="opt">-F</arg> - <arg choice="opt">-S</arg> - <arg choice="opt">-i</arg> - <arg choice="opt">-B</arg> - <arg choice="opt">-d <debug level></arg> - <arg choice="opt">-s <smb config file></arg> - <arg choice="opt">-n</arg> - </cmdsynopsis> -</refsynopsisdiv> - -<refsect1> - <title>DESCRIPTION</title> - - <para>This program is part of the <ulink url="samba.7.html"> - Samba</ulink> suite.</para> - - <para><command>winbindd</command> is a daemon that provides - a service for the Name Service Switch capability that is present - in most modern C libraries. The Name Service Switch allows user - and system information to be obtained from different databases - services such as NIS or DNS. The exact behaviour can be configured - throught the <filename>/etc/nsswitch.conf</filename> file. - Users and groups are allocated as they are resolved to a range - of user and group ids specified by the administrator of the - Samba system.</para> - - <para>The service provided by <command>winbindd</command> is called `winbind' and - can be used to resolve user and group information from a - Windows NT server. The service can also provide authentication - services via an associated PAM module. </para> - - <para> - The <filename>pam_winbind</filename> module in the 2.2.2 release only - supports the <parameter>auth</parameter> and <parameter>account</parameter> - module-types. The latter simply - performs a getpwnam() to verify that the system can obtain a uid for the - user. If the <filename>libnss_winbind</filename> library has been correctly - installed, this should always succeed. - </para> - - <para>The following nsswitch databases are implemented by - the winbindd service: </para> - - <variablelist> - <varlistentry> - <term>hosts</term> - <listitem><para>User information traditionally stored in - the <filename>hosts(5)</filename> file and used by - <command>gethostbyname(3)</command> functions. Names are - resolved through the WINS server or by broadcast. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>passwd</term> - <listitem><para>User information traditionally stored in - the <filename>passwd(5)</filename> file and used by - <command>getpwent(3)</command> functions. </para></listitem> - </varlistentry> - - <varlistentry> - <term>group</term> - <listitem><para>Group information traditionally stored in - the <filename>group(5)</filename> file and used by - <command>getgrent(3)</command> functions. </para></listitem> - </varlistentry> - </variablelist> - - <para>For example, the following simple configuration in the - <filename>/etc/nsswitch.conf</filename> file can be used to initially - resolve user and group information from <filename>/etc/passwd - </filename> and <filename>/etc/group</filename> and then from the - Windows NT server. </para> - - <para><programlisting> -passwd: files winbind -group: files winbind - </programlisting></para> - - <para>The following simple configuration in the - <filename>/etc/nsswitch.conf</filename> file can be used to initially - resolve hostnames from <filename>/etc/hosts</filename> and then from the - WINS server.</para> - -</refsect1> - - -<refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-F</term> - <listitem><para>If specified, this parameter causes - the main <command>winbindd</command> process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - <command>winbindd</command> under process supervisors such - as <command>supervise</command> and <command>svscan</command> - from Daniel J. Bernstein's <command>daemontools</command> - package, or the AIX process monitor. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>-S</term> - <listitem><para>If specified, this parameter causes - <command>winbindd</command> to log to standard output rather - than a file.</para></listitem> - </varlistentry> - - <varlistentry> - <term>-d debuglevel</term> - <listitem><para>Sets the debuglevel to an integer between - 0 and 100. 0 is for no debugging and 100 is for reams and - reams. To submit a bug report to the Samba Team, use debug - level 100 (see BUGS.txt). </para></listitem> - </varlistentry> - - <varlistentry> - <term>-i</term> - <listitem><para>Tells <command>winbindd</command> to not - become a daemon and detach from the current terminal. This - option is used by developers when interactive debugging - of <command>winbindd</command> is required. - <command>winbindd</command> also logs to standard output, - as if the <command>-S</command> parameter had been given. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>-n</term> - <listitem><para>Disable caching. This means winbindd will - always have to wait for a response from the domain controller - before it can respond to a client and this thus makes things - slower. The results will however be more accurate, since - results from the cache might not be up-to-date. This - might also temporarily hang winbindd if the DC doesn't respond. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>-B</term> - <listitem><para>Dual daemon mode. This means winbindd will run - as 2 threads. The first will answer all requests from the cache, - thus making responses to clients faster. The other will - update the cache for the query that the first has just responded. - Advantage of this is that responses are accurate and fast. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>-s|--conf=smb.conf</term> - <listitem><para>Specifies the location of the all-important - <filename>smb.conf</filename> file. </para></listitem> - </varlistentry> - </variablelist> -</refsect1> - - -<refsect1> - <title>NAME AND ID RESOLUTION</title> - - <para>Users and groups on a Windows NT server are assigned - a relative id (rid) which is unique for the domain when the - user or group is created. To convert the Windows NT user or group - into a unix user or group, a mapping between rids and unix user - and group ids is required. This is one of the jobs that <command> - winbindd</command> performs. </para> - - <para>As winbindd users and groups are resolved from a server, user - and group ids are allocated from a specified range. This - is done on a first come, first served basis, although all existing - users and groups will be mapped as soon as a client performs a user - or group enumeration command. The allocated unix ids are stored - in a database file under the Samba lock directory and will be - remembered. </para> - - <para>WARNING: The rid to unix id database is the only location - where the user and group mappings are stored by winbindd. If this - file is deleted or corrupted, there is no way for winbindd to - determine which user and group ids correspond to Windows NT user - and group rids. </para> -</refsect1> - - -<refsect1> - <title>CONFIGURATION</title> - - <para>Configuration of the <command>winbindd</command> daemon - is done through configuration parameters in the <filename>smb.conf(5) - </filename> file. All parameters should be specified in the - [global] section of smb.conf. </para> - - <itemizedlist> - <listitem><para><ulink url="smb.conf.5.html#WINBINDSEPARATOR"> - <parameter>winbind separator</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDUID"> - <parameter>winbind uid</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDGID"> - <parameter>winbind gid</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDCACHETIME"> - <parameter>winbind cache time</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDENUMUSERS"> - <parameter>winbind enum users</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDENUMGROUPS"> - <parameter>winbind enum groups</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#TEMPLATEHOMEDIR"> - <parameter>template homedir</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#TEMPLATESHELL"> - <parameter>template shell</parameter></ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN"> - <parameter>winbind use default domain</parameter></ulink></para></listitem> - </itemizedlist> -</refsect1> - - -<refsect1> - <title>EXAMPLE SETUP</title> - - <para>To setup winbindd for user and group lookups plus - authentication from a domain controller use something like the - following setup. This was tested on a RedHat 6.2 Linux box. </para> - - <para>In <filename>/etc/nsswitch.conf</filename> put the - following:</para> - - <para><programlisting> -passwd: files winbind -group: files winbind - </programlisting></para> - - <para>In <filename>/etc/pam.d/*</filename> replace the - <parameter>auth</parameter> lines with something like this: </para> - - - <para><programlisting> -auth required /lib/security/pam_securetty.so -auth required /lib/security/pam_nologin.so -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok - </programlisting></para> - - - <para>Note in particular the use of the <parameter>sufficient</parameter> - keyword and the <parameter>use_first_pass</parameter> keyword. </para> - - <para>Now replace the account lines with this: </para> - - <para><command>account required /lib/security/pam_winbind.so - </command></para> - - <para>The next step is to join the domain. To do that use the - <command>smbpasswd</command> program like this: </para> - - <para><command>smbpasswd -j DOMAIN -r PDC -U - Administrator</command></para> - - <para>The username after the <parameter>-U</parameter> can be any - Domain user that has administrator privileges on the machine. - Substitute your domain name for "DOMAIN" and the name of your PDC - for "PDC".</para> - - <para>Next copy <filename>libnss_winbind.so</filename> to - <filename>/lib</filename> and <filename>pam_winbind.so</filename> - to <filename>/lib/security</filename>. A symbolic link needs to be - made from <filename>/lib/libnss_winbind.so</filename> to - <filename>/lib/libnss_winbind.so.2</filename>. If you are using an - older version of glibc then the target of the link should be - <filename>/lib/libnss_winbind.so.1</filename>.</para> - - <para>Finally, setup a <filename>smb.conf</filename> containing directives like the - following: </para> - - <para><programlisting> -[global] - winbind separator = + - winbind cache time = 10 - template shell = /bin/bash - template homedir = /home/%D/%U - winbind uid = 10000-20000 - winbind gid = 10000-20000 - workgroup = DOMAIN - security = domain - password server = * - </programlisting></para> - - - <para>Now start winbindd and you should find that your user and - group database is expanded to include your NT users and groups, - and that you can login to your unix box as a domain user, using - the DOMAIN+user syntax for the username. You may wish to use the - commands <command>getent passwd</command> and <command>getent group - </command> to confirm the correct operation of winbindd.</para> -</refsect1> - - -<refsect1> - <title>NOTES</title> - - <para>The following notes are useful when configuring and - running <command>winbindd</command>: </para> - - <para><command>nmbd</command> must be running on the local machine - for <command>winbindd</command> to work. <command>winbindd</command> - queries the list of trusted domains for the Windows NT server - on startup and when a SIGHUP is received. Thus, for a running <command> - winbindd</command> to become aware of new trust relationships between - servers, it must be sent a SIGHUP signal. </para> - - <para>Client processes resolving names through the <command>winbindd</command> - nsswitch module read an environment variable named <envar> - $WINBINDD_DOMAIN</envar>. If this variable contains a comma separated - list of Windows NT domain names, then winbindd will only resolve users - and groups within those Windows NT domains. </para> - - <para>PAM is really easy to misconfigure. Make sure you know what - you are doing when modifying PAM configuration files. It is possible - to set up PAM such that you can no longer log into your system. </para> - - <para>If more than one UNIX machine is running <command>winbindd</command>, - then in general the user and groups ids allocated by winbindd will not - be the same. The user and group ids will only be valid for the local - machine.</para> - - <para>If the the Windows NT RID to UNIX user and group id mapping - file is damaged or destroyed then the mappings will be lost. </para> -</refsect1> - - -<refsect1> - <title>SIGNALS</title> - - <para>The following signals can be used to manipulate the - <command>winbindd</command> daemon. </para> - - <variablelist> - <varlistentry> - <term>SIGHUP</term> - <listitem><para>Reload the <filename>smb.conf(5)</filename> - file and apply any parameter changes to the running - version of winbindd. This signal also clears any cached - user and group information. The list of other domains trusted - by winbindd is also reloaded. </para></listitem> - </varlistentry> - - <varlistentry> - <term>SIGUSR1</term> - <listitem><para>The SIGUSR1 signal will cause <command> - winbindd</command> to write status information to the winbind - log file including information about the number of user and - group ids allocated by <command>winbindd</command>.</para> - - <para>Log files are stored in the filename specified by the - log file parameter.</para></listitem> - </varlistentry> - </variablelist> -</refsect1> - -<refsect1> - <title>FILES</title> - - <variablelist> - <varlistentry> - <term><filename>/etc/nsswitch.conf(5)</filename></term> - <listitem><para>Name service switch configuration file.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>/tmp/.winbindd/pipe</term> - <listitem><para>The UNIX pipe over which clients communicate with - the <command>winbindd</command> program. For security reasons, the - winbind client will only attempt to connect to the winbindd daemon - if both the <filename>/tmp/.winbindd</filename> directory - and <filename>/tmp/.winbindd/pipe</filename> file are owned by - root. </para></listitem> - </varlistentry> - - <varlistentry> - <term>/lib/libnss_winbind.so.X</term> - <listitem><para>Implementation of name service switch library. - </para></listitem> - </varlistentry> - - <varlistentry> - <term>$LOCKDIR/winbindd_idmap.tdb</term> - <listitem><para>Storage for the Windows NT rid to UNIX user/group - id mapping. The lock directory is specified when Samba is initially - compiled using the <parameter>--with-lockdir</parameter> option. - This directory is by default <filename>/usr/local/samba/var/locks - </filename>. </para></listitem> - </varlistentry> - - <varlistentry> - <term>$LOCKDIR/winbindd_cache.tdb</term> - <listitem><para>Storage for cached user and group information. - </para></listitem> - </varlistentry> - </variablelist> -</refsect1> - - -<refsect1> - <title>VERSION</title> - - <para>This man page is correct for version 3.0 of - the Samba suite.</para> -</refsect1> - -<refsect1> - <title>SEE ALSO</title> - - <para><filename>nsswitch.conf(5)</filename>, - <ulink url="samba.7.html">samba(7)</ulink>, - <ulink url="wbinfo.1.html">wbinfo(1)</ulink>, - <ulink url="smb.conf.5.html">smb.conf(5)</ulink></para> -</refsect1> - -<refsect1> - <title>AUTHOR</title> - - <para>The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.</para> - - <para><command>wbinfo</command> and <command>winbindd</command> - were written by Tim Potter.</para> - - <para>The conversion to DocBook for Samba 2.2 was done - by Gerald Carter</para> -</refsect1> - -</refentry> |