Diffstat (limited to 'docs/docbook/projdoc/winbind.xml')
-rw-r--r-- | docs/docbook/projdoc/winbind.xml | 167 |
1 files changed, 83 insertions, 84 deletions
diff --git a/docs/docbook/projdoc/winbind.xml b/docs/docbook/projdoc/winbind.xml index cb6a56687d..524f05ffa2 100644 --- a/docs/docbook/projdoc/winbind.xml +++ b/docs/docbook/projdoc/winbind.xml @@ -6,11 +6,10 @@ <firstname>Tim</firstname><surname>Potter</surname> <affiliation> <orgname>Samba Team</orgname> - <address><email>tpot@linuxcare.com.au</email></address> + <address><email>tpot@samba.org</email></address> </affiliation> </author> &author.tridge; - &author.jht; <author> <firstname>Naag</firstname><surname>Mummaneni</surname> <affiliation> @@ -18,14 +17,15 @@ </affiliation> </author> &author.jelmer; + &author.jht; </authorgroup> <pubdate>27 June 2002</pubdate> </chapterinfo> -<title>Unified Logons between Windows NT and UNIX using Winbind</title> +<title>Integrated Logon Support using Winbind</title> <sect1> - <title>Abstract</title> + <title>Features and Benefits</title> <para>Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -223,7 +223,9 @@ of that service should be tried and in what order. If the passwd config line is:</para> - <para><command>passwd: files example</command></para> + <para><programlisting> +passwd: files example + </programlisting></para> <para>then the C library will first load a module called <filename>/lib/libnss_files.so</filename> followed by @@ -337,8 +339,8 @@ the winbind services which come with SAMBA 3.0. <title>Introduction</title> <para> -This HOWTO describes the procedures used to get winbind up and -running on my RedHat 7.1 system. Winbind is capable of providing access +This section describes the procedures used to get winbind up and +running on a RedHat 7.1 system. Winbind is capable of providing access and authentication control for Windows Domain users through an NT or Win2K PDC for 'regular' services, such as telnet a nd ftp, as well for SAMBA services. 
@@ -386,7 +388,7 @@ somewhat to fit the way your distribution works. <title>Requirements</title> <para> -If you have a samba configuration file that you are currently +If you have a Samba configuration file that you are currently using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM, <emphasis>back up the <filename>/etc/pam.d</filename> directory contents!</emphasis> If you haven't already made a boot disk, @@ -394,8 +396,8 @@ contents!</emphasis> If you haven't already made a boot disk, </para> <para> -Messing with the pam configuration files can make it nearly impossible -to log in to yourmachine. That's why you want to be able to boot back +Messing with the PAM configuration files can make it nearly impossible +to log in to your machine. That's why you want to be able to boot back into your machine in single user mode and restore your <filename>/etc/pam.d</filename> back to the original state they were in if you get frustrated with the way things are going. ;-) 
@@ -428,17 +430,15 @@ install the development packages in <filename>pam-devel-0.74-22</filename>. <para> Before starting, it is probably best to kill off all the SAMBA -related daemons running on your server. Kill off all <command>smbd</command>, -<command>nmbd</command>, and <command>winbindd</command> processes that may +related daemons running on your server. Kill off all &smbd;, +&nmbd;, and &winbindd; processes that may be running. To use PAM, you will want to make sure that you have the standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename> directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, -my RedHat system has both <filename>pam-0.74-22</filename> and -<filename>pam-devel-0.74-22</filename> RPMs installed. +the header files needed to compile pam-aware applications. </para> <sect3> @@ -450,14 +450,14 @@ The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries. </para> -<para><programlisting> -<prompt>root#</prompt> <command>autoconf</command> -<prompt>root#</prompt> <command>make clean</command> -<prompt>root#</prompt> <command>rm config.cache</command> -<prompt>root#</prompt> <command>./configure</command> -<prompt>root#</prompt> <command>make</command> -<prompt>root#</prompt> <command>make install</command> -</programlisting></para> +<para><screen> +&rootprompt;<command>autoconf</command> +&rootprompt;<command>make clean</command> +&rootprompt;<command>rm config.cache</command> +&rootprompt;<command>./configure</command> +&rootprompt;<command>make</command> +&rootprompt;<command>make install</command> +</screen></para> <para> 
@@ -473,12 +473,14 @@ It will also build the winbindd executable and libraries. winbind libraries on Linux and Solaris</title> <para> -The libraries needed to run the <command>winbindd</command> daemon +The libraries needed to run the &winbindd; daemon through nsswitch need to be copied to their proper locations, so </para> <para> -<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command> +<screen> +&rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput> +</screen> </para> <para> @@ -486,19 +488,19 @@ I also found it necessary to make the following symbolic link: </para> <para> -<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command> +&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput> </para> -<para>And, in the case of Sun solaris:</para> -<para> -<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput> -<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput> -<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput> -</para> +<para>And, in the case of Sun Solaris:</para> +<screen> +&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput> +&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput> +&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput> +</screen> <para> Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to -allow user and group entries to be visible from the <command>winbindd</command> +allow user and group entries to be visible from the &winbindd; daemon. My <filename>/etc/nsswitch.conf</filename> file look like this after editing: </para> 
@@ -517,7 +519,7 @@ is faster (and you don't need to reboot) if you do it manually: </para> <para> -<prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command> +&rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput> </para> <para> @@ -566,11 +568,11 @@ url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/ia <para> Several parameters are needed in the smb.conf file to control -the behavior of <command>winbindd</command>. Configure -<filename>smb.conf</filename> These are described in more detail in +the behavior of &winbindd;. Configure +&smb.conf; These are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> man page. My -<filename>smb.conf</filename> file was modified to +&smb.conf; file was modified to include the following entries in the [global] section: </para> @@ -580,9 +582,9 @@ include the following entries in the [global] section: # separate domain and username with '+', like DOMAIN+username <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = + # use uids from 10000 to 20000 for domain users - <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000 + <ulink url="winbindd.8.html#WINBINDUID">idmap uid</ulink> = 10000-20000 # use gids from 10000 to 20000 for domain groups - <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000 + <ulink url="winbindd.8.html#WINBINDGID">idmap gid</ulink> = 10000-20000 # allow enumeration of winbind users and groups <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes 
@@ -606,7 +608,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command> +&rootprompt;<userinput>/usr/local/samba/bin/net join -S PDC -U Administrator</userinput> </para> @@ -631,7 +633,7 @@ command as root: </para> <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command> +&rootprompt;<userinput>/usr/local/samba/bin/winbindd</userinput> </para> <para> @@ -640,11 +642,11 @@ run as 2 processes. The first will answer all requests from the cache, thus making responses to clients faster. The other will update the cache for the query that the first has just responded. Advantage of this is that responses stay accurate and are faster. -You can enable dual daemon mode by adding '-B' to the commandline: +You can enable dual daemon mode by adding <option>-B</option> to the commandline: </para> <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd -B</command> +&rootprompt;<userinput>/usr/local/samba/bin/winbindd -B</userinput> </para> <para> @@ -653,14 +655,14 @@ is really running... </para> <para> -<prompt>root#</prompt> <command>ps -ae | grep winbindd</command> +&rootprompt;<userinput>ps -ae | grep winbindd</userinput> </para> <para> This command should produce output like this, if the daemon is running </para> -<para> +<screen> 3025 ? 00:00:00 winbindd -</para> +</screen> <para> Now... for the real test, try to get some information about the @@ -668,7 +670,7 @@ users on your PDC </para> <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command> +&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput> </para> <para> 
@@ -676,14 +678,14 @@ This should echo back a list of users on your Windows users on your PDC. For example, I get the following response: </para> -<para><programlisting> +<para><screen> CEO+Administrator CEO+burdell CEO+Guest CEO+jt-ad CEO+krbtgt CEO+TsInternetUser -</programlisting></para> +</screen></para> <para> Obviously, I have named my domain 'CEO' and my <parameter>winbind @@ -695,8 +697,8 @@ You can do the same sort of thing to get group information from the PDC: </para> -<para><programlisting> -<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command> +<para><screen> +&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput> CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -706,7 +708,7 @@ the PDC: CEO+Schema Admins CEO+Enterprise Admins CEO+Group Policy Creator Owners -</programlisting></para> +</screen></para> <para> The function 'getent' can now be used to get unified @@ -715,7 +717,7 @@ Try the following command: </para> <para> -<prompt>root#</prompt> <command>getent passwd</command> +&rootprompt;<userinput>getent passwd</userinput> </para> <para> @@ -729,7 +731,7 @@ The same thing can be done for groups with the command </para> <para> -<prompt>root#</prompt> <command>getent group</command> +&rootprompt;<userinput>getent group</userinput> </para> </sect3> 
@@ -742,14 +744,13 @@ The same thing can be done for groups with the command <title>Linux</title> <para> -The <command>winbindd</command> daemon needs to start up after the -<command>smbd</command> and <command>nmbd</command> daemons are running. +The &winbindd; daemon needs to start up after the +&smbd; and &nmbd; daemons are running. To accomplish this task, you need to modify the startup scripts of your system. They are located at <filename>/etc/init.d/smb</filename> in RedHat and <filename>/etc/init.d/samba</filename> in Debian. script to add commands to invoke this daemon in the proper sequence. My -startup script starts up <command>smbd</command>, -<command>nmbd</command>, and <command>winbindd</command> from the +startup script starts up &smbd;, &nmbd;, and &winbindd; from the <filename>/usr/local/samba/bin</filename> directory directly. The 'start' function in the script looks like this: </para> @@ -822,9 +823,9 @@ stop() { <sect4> <title>Solaris</title> -<para>Winbind doesn't work on solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para> +<para>Winbind doesn't work on Solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para> -<para>On solaris, you need to modify the +<para>On Solaris, you need to modify the <filename>/etc/init.d/samba.server</filename> startup script. It usually only starts smbd and nmbd but should now start winbindd too. If you have samba installed in <filename>/usr/local/samba/bin</filename>, @@ -898,8 +899,7 @@ in the script above with: <sect4> <title>Restarting</title> <para> -If you restart the <command>smbd</command>, <command>nmbd</command>, -and <command>winbindd</command> daemons at this point, you +If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you should be able to connect to the samba server as a domain member just as if you were a local user. </para> 
@@ -924,7 +924,7 @@ by invoking the command </para> <para> -<prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command> +&rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput> </para> <para> @@ -936,7 +936,7 @@ modules reside in <filename>/usr/lib/security</filename>. </para> <para> -<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command> +&rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput> </para> <sect4> @@ -944,7 +944,7 @@ modules reside in <filename>/usr/lib/security</filename>. <para> The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I -just left this fileas it was: +just left this file as it was: </para> @@ -981,8 +981,8 @@ For ftp services to work properly, you will also need to either have individual directories for the domain users already present on the server, or change the home directory template to a general directory for all domain users. These can be easily set using -the <filename>smb.conf</filename> global entry -<command>template homedir</command>. +the &smb.conf; global entry +<parameter>template homedir</parameter>. </para> <para> @@ -1022,8 +1022,8 @@ same way. It now looks like this: </programlisting></para> <para> -In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command> -lines as before, but also added the <command>required pam_securetty.so</command> +In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting> +lines as before, but also added the <programlisting>required pam_securetty.so</programlisting> above it, to disallow root logins over the network. I also added a <command>sufficient /lib/security/pam_unix.so use_first_pass</command> line after the <command>winbind.so</command> line to get rid of annoying 
@@ -1124,7 +1124,19 @@ configured in the pam.conf. </sect1> <sect1> - <title>Limitations</title> +<title>Conclusion</title> + + <para>The winbind system, through the use of the Name Service + Switch, Pluggable Authentication Modules, and appropriate + Microsoft RPC calls have allowed us to provide seamless + integration of Microsoft Windows NT domain users on a + UNIX system. The result is a great reduction in the administrative + cost of running a mixed UNIX and NT network.</para> + +</sect1> + +<sect1> +<title>Common Errors</title> <para>Winbind has a number of limitations in its current released version that we hope to overcome in future @@ -1137,7 +1149,7 @@ configured in the pam.conf. we require the C library of the target operating system to support the Name Service Switch and Pluggable Authentication Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.</para></listitem> + PAM gain support among UNIX vendors.</para></listitem> <listitem><para>The mappings of Windows NT RIDs to UNIX ids is not made algorithmically and depends on the order in which @@ -1153,17 +1165,4 @@ configured in the pam.conf. </itemizedlist> </sect1> - -<sect1> - <title>Conclusion</title> - - <para>The winbind system, through the use of the Name Service - Switch, Pluggable Authentication Modules, and appropriate - Microsoft RPC calls have allowed us to provide seamless - integration of Microsoft Windows NT domain users on a - UNIX system. The result is a great reduction in the administrative - cost of running a mixed UNIX and NT network.</para> - -</sect1> - </chapter> |
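Review bot: the @@ -18,14 +17,15 @@ hunk changes the chapter title and renames the Abstract section to "Features and Benefits", but the `<pubdate>27 June 2002</pubdate>` line in its context is left as it was; bump the date in the same commit, since the new title and the parameter renames further down are what a reader will use to judge whether the chapter describes the current Samba 3.0 winbind.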
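Review bot: in the @@ -337,8 +339,8 @@ hunk the unchanged context line still reads `such as telnet a nd ftp`; as the hunk already rewrites the surrounding sentence, fold the `a nd` to `and` fix into it rather than leaving the typo for a later commit.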
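Review bot: the @@ -428,17 +430,15 @@ hunk replaces the `<command>smbd</command>` markup with the entities `&smbd;`, `&nmbd;` and `&winbindd;`, and later hunks introduce `&rootprompt;` and `&smb.conf;`; the commit touches only winbind.xml, so confirm these entities are already declared in the project's shared entity file, otherwise the DocBook build will fail on an undefined entity. The same hunk also keeps `Winbind built better in SAMBA if the pam-devel package was also installed`, which reads oddly now that the sentence naming the specific RPM versions is gone; consider rewording it to say plainly that the pam-devel headers are needed to build pam_winbind.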
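Review bot: the @@ -450,14 +450,14 @@ hunk writes `&rootprompt;<command>autoconf</command>` (no space, `<command>`), while @@ -473 and later hunks use `&rootprompt;<userinput>…</userinput>` and @@ -486 writes `&rootprompt; <userinput>ln -s …` with a space; pick one form (`&rootprompt;<userinput>` inside `<screen>` looks like the intended convention) and apply it here and in the -486, -517, -606, -631, -653, -668, -715, -729, -924 and -936 hunks, where the prompt line is still a bare `<para>` rather than a `<screen>` as in -473 and -695.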
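Review bot: in the @@ -566,11 +568,11 @@ hunk the rewritten lines `the behavior of &winbindd;. Configure` and `&smb.conf; These are described in more detail in` still leave `Configure &smb.conf;` as a fragment with no terminating period; either drop those two words or make it `Configure &smb.conf;. These are described in more detail in`.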
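Review bot: the @@ -580,9 +582,9 @@ hunk renames the parameters to `idmap uid` and `idmap gid` but keeps the link targets `winbindd.8.html#WINBINDUID` and `winbindd.8.html#WINBINDGID`, so the rendered links will point at anchors for the old parameter names; update the anchors (and the target page, if the idmap parameters are documented in smb.conf(5) rather than winbindd(8)) so they resolve. The comments `use uids from 10000 to 20000` and `use gids from 10000 to 20000` would also benefit from one sentence in the prose reminding the reader that the idmap ranges must not overlap UIDs and GIDs already allocated to local accounts in /etc/passwd and /etc/group.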
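Review bot: in the @@ -1022,8 +1022,8 @@ hunk `<programlisting>` is a block element, so `I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting> lines as before` will render with the PAM line broken out of the sentence, and the following sentence in the same paragraph still wraps `sufficient /lib/security/pam_unix.so use_first_pass` in `<command>`; use an inline element such as `<literal>` for all three so the paragraph stays readable and the markup consistent.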
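Review bot: the @@ -1124,7 +1124,19 @@ hunk retitles the section `Common Errors`, but the paragraph directly below it, `Winbind has a number of limitations in its current released version that we hope to overcome`, and the list that follows (NSS and PAM support in the C library, RID-to-uid mappings not made algorithmically) still describe limitations rather than errors a user would run into; either keep `Limitations` as a sub-heading inside the new section or add an introductory sentence explaining that these limitations are the usual source of the problems people report.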