Diffstat (limited to 'docs/htmldocs/winbind.html')
-rw-r--r--  docs/htmldocs/winbind.html  277
1 files changed, 105 insertions, 172 deletions
diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html index 991876796e..1558512a61 100644 --- a/docs/htmldocs/winbind.html +++ b/docs/htmldocs/winbind.html @@ -5,7 +5,8 @@ >Unified Logons between Windows NT and UNIX using Winbind</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -16,8 +17,8 @@ REL="PREVIOUS" TITLE="Printing Support" HREF="printing.html"><LINK REL="NEXT" -TITLE="Improved browsing in samba" -HREF="improved-browsing.html"></HEAD +TITLE="Passdb MySQL plugin" +HREF="pdb-mysql.html"></HEAD ><BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" @@ -59,7 +60,7 @@ WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A -HREF="improved-browsing.html" +HREF="pdb-mysql.html" ACCESSKEY="N" >Next</A ></TD @@ -72,17 +73,13 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="WINBIND" -></A ->Chapter 14. Unified Logons between Windows NT and UNIX using Winbind</H1 +NAME="WINBIND">Chapter 15. Unified Logons between Windows NT and UNIX using Winbind</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2263" ->14.1. Abstract</A -></H1 +NAME="AEN2225">15.1. Abstract</H1 ><P >Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -107,9 +104,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2267" ->14.2. Introduction</A -></H1 +NAME="AEN2229">15.2. Introduction</H1 ><P >It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -161,9 +156,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2280" ->14.3. What Winbind Provides</A -></H1 +NAME="AEN2242">15.3. What Winbind Provides</H1 ><P >Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once 
@@ -203,9 +196,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2287" ->14.3.1. Target Uses</A -></H2 +NAME="AEN2249">15.3.1. Target Uses</H2 ><P >Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -227,9 +218,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2291" ->14.4. How Winbind Works</A -></H1 +NAME="AEN2253">15.4. How Winbind Works</H1 ><P >The winbind system is designed around a client/server architecture. A long running <B @@ -247,11 +236,9 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2296" ->14.4.1. Microsoft Remote Procedure Calls</A -></H2 +NAME="AEN2258">15.4.1. Microsoft Remote Procedure Calls</H2 ><P ->Over the last few years, efforts have been underway +>Over the last two years, efforts have been underway by various Samba Team members to decode various aspects of the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network related operations between @@ -273,28 +260,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2300" ->14.4.2. Microsoft Active Directory Services</A -></H2 -><P -> Since late 2001, Samba has gained the ability to - interact with Microsoft Windows 2000 using its 'Native - Mode' protocols, rather than the NT4 RPC services. - Using LDAP and Kerberos, a domain member running - winbind can enumerate users and groups in exactly the - same way as a Win2k client would, and in so doing - provide a much more efficient and - effective winbind implementation. - </P -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN2303" ->14.4.3. Name Service Switch</A -></H2 +NAME="AEN2262">15.4.2. Name Service Switch</H2 ><P >The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system 
@@ -372,9 +338,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2319" ->14.4.4. Pluggable Authentication Modules</A -></H2 +NAME="AEN2278">15.4.3. Pluggable Authentication Modules</H2 ><P >Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -421,9 +385,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2327" ->14.4.5. User and Group ID Allocation</A -></H2 +NAME="AEN2286">15.4.4. User and Group ID Allocation</H2 ><P >When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -447,9 +409,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2331" ->14.4.6. Result Caching</A -></H2 +NAME="AEN2290">15.4.5. Result Caching</H2 ><P >An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -470,9 +430,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2334" ->14.5. Installation and Configuration</A -></H1 +NAME="AEN2293">15.5. Installation and Configuration</H1 ><P >Many thanks to John Trostel <A HREF="mailto:jtrostel@snapserver.com" @@ -497,9 +455,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2341" ->14.5.1. Introduction</A -></H2 +NAME="AEN2300">15.5.1. Introduction</H2 ><P >This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -556,9 +512,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2354" ->14.5.2. Requirements</A -></H2 +NAME="AEN2313">15.5.2. Requirements</H2 ><P >If you have a samba configuration file that you are currently using... <SPAN @@ -626,9 +580,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN2368" ->14.5.3. Testing Things Out</A -></H2 +NAME="AEN2327">15.5.3. Testing Things Out</H2 ><P >Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all <B 
@@ -671,9 +623,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2379" ->14.5.3.1. Configure and compile SAMBA</A -></H3 +NAME="AEN2338">15.5.3.1. Configure and compile SAMBA</H3 ><P >The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -681,44 +631,44 @@ whether or not you have previously built the Samba binaries.</P ><P ><PRE CLASS="PROGRAMLISTING" -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >autoconf</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >make clean</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >rm config.cache</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" ->./configure</B +>./configure --with-winbind</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >make</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >make install</B @@ -737,13 +687,11 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2398" ->14.5.3.2. Configure <TT +NAME="AEN2357">15.5.3.2. Configure <TT CLASS="FILENAME" >nsswitch.conf</TT > and the -winbind libraries</A -></H3 +winbind libraries</H3 ><P >The libraries needed to run the <B CLASS="COMMAND" @@ -751,9 +699,9 @@ CLASS="COMMAND" > daemon through nsswitch need to be copied to their proper locations, so</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >cp ../samba/source/nsswitch/libnss_winbind.so /lib</B @@ -761,9 +709,9 @@ CLASS="COMMAND" ><P >I also found it necessary to make the following symbolic link:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B 
@@ -771,23 +719,23 @@ CLASS="COMMAND" ><P >And, in the case of Sun solaris:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</B > -<SAMP +<TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</B @@ -823,9 +771,9 @@ CLASS="COMMAND" your system reboots, but it is faster (and you don't need to reboot) if you do it manually:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >/sbin/ldconfig -v | grep winbind</B @@ -842,9 +790,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2431" ->14.5.3.3. Configure smb.conf</A -></H3 +NAME="AEN2390">15.5.3.3. Configure smb.conf</H3 ><P >Several parameters are needed in the smb.conf file to control the behavior of <B 
@@ -917,36 +863,42 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2447" ->14.5.3.4. Join the SAMBA server to the PDC domain</A -></H3 +NAME="AEN2406">15.5.3.4. Join the SAMBA server to the PDC domain</H3 ><P >Enter the following command to make the SAMBA server join the -PDC domain, where <VAR +PDC domain, where <TT CLASS="REPLACEABLE" ->DOMAIN</VAR +><I +>DOMAIN</I +></TT > is the name of -your Windows domain and <VAR +your Windows domain and <TT CLASS="REPLACEABLE" ->Administrator</VAR +><I +>Administrator</I +></TT > is a domain user who has administrative privileges in the domain.</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" ->/usr/local/samba/bin/net join -S PDC -U Administrator</B +>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</B ></P ><P >The proper response to the command should be: "Joined the domain -<VAR +<TT CLASS="REPLACEABLE" ->DOMAIN</VAR ->" where <VAR +><I +>DOMAIN</I +></TT +>" where <TT CLASS="REPLACEABLE" ->DOMAIN</VAR +><I +>DOMAIN</I +></TT > is your DOMAIN name.</P ></DIV @@ -955,9 +907,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2458" ->14.5.3.5. Start up the winbindd daemon and test it!</A -></H3 +NAME="AEN2417">15.5.3.5. Start up the winbindd daemon and test it!</H3 ><P >Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -965,9 +915,9 @@ SAMBA start, but it is possible to test out just the winbind portion first. To start up winbind services, enter the following command as root:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >/usr/local/samba/bin/winbindd</B @@ -976,9 +926,9 @@ CLASS="COMMAND" >I'm always paranoid and like to make sure the daemon is really running...</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >ps -ae | grep winbindd</B 
@@ -991,9 +941,9 @@ CLASS="COMMAND" >Now... for the real test, try to get some information about the users on your PDC</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >/usr/local/samba/bin/wbinfo -u</B @@ -1013,10 +963,12 @@ CEO+krbtgt CEO+TsInternetUser</PRE ></P ><P ->Obviously, I have named my domain 'CEO' and my <VAR +>Obviously, I have named my domain 'CEO' and my <TT CLASS="PARAMETER" +><I >winbind -separator</VAR +separator</I +></TT > is '+'.</P ><P >You can do the same sort of thing to get group information from @@ -1024,9 +976,9 @@ the PDC:</P ><P ><PRE CLASS="PROGRAMLISTING" -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >/usr/local/samba/bin/wbinfo -g</B @@ -1046,9 +998,9 @@ CEO+Group Policy Creator Owners</PRE lists of both local and PDC users and groups. Try the following command:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >getent passwd</B @@ -1063,9 +1015,9 @@ directories and default shells.</P ><P >The same thing can be done for groups with the command</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >getent group</B @@ -1076,17 +1028,13 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2494" ->14.5.3.6. Fix the init.d startup scripts</A -></H3 +NAME="AEN2453">15.5.3.6. Fix the init.d startup scripts</H3 ><DIV CLASS="SECT4" ><H4 CLASS="SECT4" ><A -NAME="AEN2496" ->14.5.3.6.1. Linux</A -></H4 +NAME="AEN2455">15.5.3.6.1. Linux</H4 ><P >The <B CLASS="COMMAND" @@ -1180,9 +1128,7 @@ CLASS="SECT4" ><H4 CLASS="SECT4" ><A -NAME="AEN2513" ->14.5.3.6.2. Solaris</A -></H4 +NAME="AEN2472">15.5.3.6.2. Solaris</H4 ><P >On solaris, you need to modify the <TT @@ -1251,9 +1197,7 @@ CLASS="SECT4" ><H4 CLASS="SECT4" ><A -NAME="AEN2520" ->14.5.3.6.3. Restarting</A -></H4 +NAME="AEN2479">15.5.3.6.3. Restarting</H4 ><P >If you restart the <B CLASS="COMMAND" 
@@ -1275,9 +1219,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN2526" ->14.5.3.7. Configure Winbind and PAM</A -></H3 +NAME="AEN2485">15.5.3.7. Configure Winbind and PAM</H3 ><P >If you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -1295,9 +1237,9 @@ CLASS="FILENAME" > directory by invoking the command</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >make nsswitch/pam_winbind.so</B @@ -1321,9 +1263,9 @@ CLASS="FILENAME" >/usr/lib/security</TT >.</P ><P -><SAMP +><TT CLASS="PROMPT" ->root#</SAMP +>root#</TT > <B CLASS="COMMAND" >cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B @@ -1333,9 +1275,7 @@ CLASS="SECT4" ><H4 CLASS="SECT4" ><A -NAME="AEN2543" ->14.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A -></H4 +NAME="AEN2502">15.5.3.7.1. Linux/FreeBSD-specific PAM configuration</H4 ><P >The <TT CLASS="FILENAME" @@ -1462,9 +1402,7 @@ CLASS="SECT4" ><H4 CLASS="SECT4" ><A -NAME="AEN2576" ->14.5.3.7.2. Solaris-specific configuration</A -></H4 +NAME="AEN2535">15.5.3.7.2. Solaris-specific configuration</H4 ><P >The /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -1538,7 +1476,7 @@ dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 >I also added a try_first_pass line after the winbind.so line to get rid of annoying double prompts for passwords.</P ><P ->Now restart your Samba and try connecting through your application that you +>Now restart your Samba & try connecting through your application that you configured in the pam.conf.</P ></DIV ></DIV @@ -1549,9 +1487,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2583" ->14.6. Limitations</A -></H1 +NAME="AEN2542">15.6. Limitations</H1 ><P >Winbind has a number of limitations in its current released version that we hope to overcome in future 
@@ -1562,7 +1498,7 @@ NAME="AEN2583" ><LI ><P >Winbind is currently only available for - the Linux, Solaris and IRIX operating systems, although ports to other operating + the Linux operating system, although ports to other operating systems are certainly possible. For such ports to be feasible, we require the C library of the target operating system to support the Name Service Switch and Pluggable Authentication @@ -1581,8 +1517,7 @@ NAME="AEN2583" ><P >Currently the winbind PAM module does not take into account possible workstation and logon time restrictions - that may be been set for Windows NT users, this is - instead up to the PDC to enforce.</P + that may be been set for Windows NT users.</P ></LI ></UL ></DIV @@ -1591,9 +1526,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN2593" ->14.7. Conclusion</A -></H1 +NAME="AEN2552">15.7. Conclusion</H1 ><P >The winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate @@ -1637,7 +1570,7 @@ WIDTH="33%" ALIGN="right" VALIGN="top" ><A -HREF="improved-browsing.html" +HREF="pdb-mysql.html" ACCESSKEY="N" >Next</A ></TD @@ -1661,7 +1594,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Improved browsing in samba</TD +>Passdb MySQL plugin</TD ></TR ></TABLE ></DIV |
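Review bot: the GENERATOR value in @@ -5,7 +5,8 changes from "Modular DocBook HTML Stylesheet Version 1.7" to "1.76b+" with a line break inside the attribute value, which says this file was regenerated from its DocBook source with a different toolchain rather than edited by hand. The review should be of the source change that produced it, and the rest of docs/htmldocs should be regenerated with the same stylesheet; otherwise the chapter number, anchor ids and markup style of this one page diverge from its sibling pages.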
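Review bot: the NEXT link in @@ -16,8 +17,8 moves from improved-browsing.html ("Improved browsing in samba") to pdb-mysql.html ("Passdb MySQL plugin"), and the same substitution is carried through in the top navigation, the bottom navigation and the bottom title cell. Confirm that pdb-mysql.html exists in docs/htmldocs and that samba-howto-collection.html lists it as the chapter following this one; a stale NEXT target is exactly the inconsistency a single regenerated file tends to introduce.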
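Review bot: every heading hunk, starting with @@ -72,17 +73,13, replaces a closed anchor (`<A NAME="AEN2263">14.1. Abstract</A></H1>`) with `<A NAME="AEN2225">15.1. Abstract</H1>`, leaving the `<A>` element unclosed inside the heading; the chapter title likewise becomes `<A NAME="WINBIND">Chapter 15. ...</H1>`. Browsers recover from this, but the output is no longer well-formed HTML. In the same hunks all auto-generated AENnnnn ids are renumbered, so any existing deep link to #AEN2263 and its neighbours breaks; only the explicit NAME="WINBIND" id survives. If the renumbering from chapter 14 to 15 is intended, the generator should still emit the closing `</A>`.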
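Review bot: "Over the last few years" becomes "Over the last two years" in @@ -247,11 +236,9, reintroducing a time-relative phrase that goes stale as the document ages; the removed wording (or an absolute date) is the better one.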
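Review bot: @@ -273,28 +260,7 deletes section 14.4.2 "Microsoft Active Directory Services" in full, including the statement that a winbind domain member can use LDAP and Kerberos to enumerate users and groups exactly as a Windows 2000 client would, and renumbers Name Service Switch from 14.4.3 to 15.4.2. Nothing in the diff says why that coverage is dropped. If the native-mode path is still supported, this is a documentation regression that leaves readers with only the MSRPC mechanism described in 15.4.1; if it is intentional, that reason belongs in the change description.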
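Review bot: the "+" side of @@ -681,44 +631,44 replaces `<SAMP CLASS="PROMPT">` with `<TT CLASS="PROMPT">` throughout and changes `./configure` to `./configure --with-winbind`. The markup change is a step back from a semantic element to presentational `<TT>` and is again a generator difference rather than a content decision. The added `--with-winbind` flag is a content change: confirm that the configure script in this tree actually accepts and requires it before telling readers to pass it.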
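Review bot: `net join -S PDC -U Administrator` becomes `net rpc join -S PDC -U Administrator` in @@ -917,36 +863,42, and `<VAR CLASS="REPLACEABLE">DOMAIN</VAR>` becomes the nested `<TT CLASS="REPLACEABLE"><I>DOMAIN</I></TT>`. The command change is consistent with dropping the Active Directory section earlier in the diff, since the rpc subcommand selects the MSRPC join path described in 15.4.1, but the heading and text still say only "Join the SAMBA server to the PDC domain" without telling the reader that this is the NT4-style join. Say so in the text if that is the intended scope.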
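Review bot: the "+" line in @@ -1538,7 +1476,7 puts a bare `&` into HTML text ("restart your Samba & try"); an ampersand in HTML text must be written `&amp;`, and the removed wording "restart your Samba and try" was both valid markup and better prose. Keep the "-" line.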
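Review bot: @@ -1562,7 +1498,7 changes the Limitations entry from "available for the Linux, Solaris and IRIX operating systems" to "available for the Linux operating system", yet the same file still carries the Solaris symlink instructions in 15.5.3.2, 15.5.3.6.2 Solaris and 15.5.3.7.2 Solaris-specific configuration. The limitation now contradicts the installation sections above it; keep the "-" wording unless Solaris and IRIX support has in fact been removed, in which case those sections should go too.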
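Review bot: @@ -1581,8 +1517,7 drops "this is instead up to the PDC to enforce" from the limitation about workstation and logon time restrictions. That clause is the security-relevant part of the entry: it tells an administrator that restrictions configured on NT accounts are not checked by the winbind PAM module and are only honoured where the domain controller applies them itself. Without it a reader may assume the restrictions are enforced somewhere in the winbind path. Keep the clause. Separately, "that may be been set" in the context lines is a typo for "that may have been set" on both sides of the hunk.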