diff options
Diffstat (limited to 'docs/htmldocs/winbindd.8.html')
| -rw-r--r-- | docs/htmldocs/winbindd.8.html | 449 |
1 files changed, 212 insertions, 237 deletions
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index df490a054b..fb8c9c0458 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,11 +1,12 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <HTML ><HEAD ><TITLE >winbindd</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -15,9 +16,7 @@ VLINK="#840084" ALINK="#0000FF" ><H1 ><A -NAME="WINBINDD.8" -></A ->winbindd</H1 +NAME="WINBINDD">winbindd</H1 ><DIV CLASS="REFNAMEDIV" ><A @@ -30,15 +29,13 @@ NAME="AEN5" ><DIV CLASS="REFSYNOPSISDIV" ><A -NAME="AEN8" -></A -><H2 +NAME="AEN8"><H2 >Synopsis</H2 ><P ><B CLASS="COMMAND" >winbindd</B -> [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]</P +> [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]</P ></DIV ><DIV CLASS="REFSECT1" @@ -48,12 +45,10 @@ NAME="AEN18" ><H2 >DESCRIPTION</H2 ><P ->This program is part of the <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->Samba</SPAN ->(7)</SPAN +>This program is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A > suite.</P ><P ><B @@ -84,12 +79,16 @@ CLASS="COMMAND" CLASS="FILENAME" >pam_winbind</TT > module in the 2.2.2 release only - supports the <VAR + supports the <TT CLASS="PARAMETER" ->auth</VAR -> and <VAR +><I +>auth</I +></TT +> and <TT CLASS="PARAMETER" ->account</VAR +><I +>account</I +></TT > module-types. The latter simply performs a getpwnam() to verify that the system can obtain a uid for the @@ -167,11 +166,22 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc/group</TT > and then from the - Windows NT server. -<PRE + Windows NT server. </P +><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE CLASS="PROGRAMLISTING" >passwd: files winbind -group: files winbind</PRE +group: files winbind + </PRE +></TD +></TR +></TABLE ></P ><P >The following simple configuration in the @@ -188,7 +198,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN62" +NAME="AEN61" ></A ><H2 >OPTIONS</H2 @@ -240,90 +250,13 @@ CLASS="COMMAND" than a file.</P ></DD ><DT ->-V</DT -><DD -><P ->Prints the version number for -<B -CLASS="COMMAND" ->smbd</B ->.</P -></DD -><DT ->-s <configuration file></DT -><DD -><P ->The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -></A -> for more information. -The default configuration file name is determined at -compile time.</P -></DD -><DT ->-d|--debug=debuglevel</DT +>-d debuglevel</DT ><DD ><P -><VAR -CLASS="REPLACEABLE" ->debuglevel</VAR -> is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.</P -><P ->The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of -information about operations carried out.</P -><P ->Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.</P -><P ->Note that specifying this parameter here will -override the <A -HREF="smb.conf.5.html#loglevel" -TARGET="_top" ->log -level</A -> parameter in the <A -HREF="smb.conf.5.html" -TARGET="_top" -><TT -CLASS="FILENAME" ->smb.conf(5)</TT -></A -> file.</P -></DD -><DT ->-l|--logfile=logbasename</DT -><DD -><P ->File name for log/debug files. The extension -<CODE -CLASS="CONSTANT" ->".client"</CODE -> will be appended. The log file is -never removed by the client.</P -></DD -><DT ->-h|--help</DT -><DD -><P ->Print a summary of command line options.</P +>Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt). </P ></DD ><DT >-i</DT @@ -369,16 +302,26 @@ CLASS="COMMAND" as 2 threads. The first will answer all requests from the cache, thus making responses to clients faster. The other will update the cache for the query that the first has just responded. - Advantage of this is that responses stay accurate and are faster. + Advantage of this is that responses are accurate and fast. </P ></DD +><DT +>-s|--conf=smb.conf</DT +><DD +><P +>Specifies the location of the all-important + <TT +CLASS="FILENAME" +>smb.conf</TT +> file. </P +></DD ></DL ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN126" +NAME="AEN103" ></A ><H2 >NAME AND ID RESOLUTION</H2 @@ -409,7 +352,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN132" +NAME="AEN109" ></A ><H2 >CONFIGURATION</H2 @@ -418,12 +361,10 @@ NAME="AEN132" CLASS="COMMAND" >winbindd</B > daemon - is done through configuration parameters in the <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->smb.conf</SPAN ->(5)</SPAN + is done through configuration parameters in the <TT +CLASS="FILENAME" +>smb.conf(5) + </TT > file. All parameters should be specified in the [global] section of smb.conf. </P ><P @@ -434,9 +375,11 @@ CLASS="REFENTRYTITLE" ><A HREF="smb.conf.5.html#WINBINDSEPARATOR" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind separator</VAR +><I +>winbind separator</I +></TT ></A ></P ></LI @@ -445,9 +388,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDUID" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind uid</VAR +><I +>winbind uid</I +></TT ></A ></P ></LI @@ -456,9 +401,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDGID" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind gid</VAR +><I +>winbind gid</I +></TT ></A ></P ></LI @@ -467,9 +414,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDCACHETIME" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind cache time</VAR +><I +>winbind cache time</I +></TT ></A ></P ></LI @@ -478,9 +427,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDENUMUSERS" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind enum users</VAR +><I +>winbind enum users</I +></TT ></A ></P ></LI @@ -489,9 +440,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDENUMGROUPS" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind enum groups</VAR +><I +>winbind enum groups</I +></TT ></A ></P ></LI @@ -500,9 +453,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#TEMPLATEHOMEDIR" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->template homedir</VAR +><I +>template homedir</I +></TT ></A ></P ></LI @@ -511,9 +466,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#TEMPLATESHELL" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->template shell</VAR +><I +>template shell</I +></TT ></A ></P ></LI @@ -522,9 +479,11 @@ CLASS="PARAMETER" ><A HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->winbind use default domain</VAR +><I +>winbind use default domain</I +></TT ></A ></P ></LI @@ -533,7 +492,7 @@ CLASS="PARAMETER" ><DIV CLASS="REFSECT1" ><A -NAME="AEN176" +NAME="AEN151" ></A ><H2 >EXAMPLE SETUP</H2 @@ -546,35 +505,64 @@ NAME="AEN176" CLASS="FILENAME" >/etc/nsswitch.conf</TT > put the - following: -<PRE + following:</P +><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE CLASS="PROGRAMLISTING" >passwd: files winbind -group: files winbind</PRE +group: files winbind + </PRE +></TD +></TR +></TABLE ></P ><P >In <TT CLASS="FILENAME" >/etc/pam.d/*</TT -> replace the <VAR +> replace the + <TT CLASS="PARAMETER" -> auth</VAR -> lines with something like this: -<PRE +><I +>auth</I +></TT +> lines with something like this: </P +><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE CLASS="PROGRAMLISTING" >auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok</PRE +auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok + </PRE +></TD +></TR +></TABLE ></P ><P ->Note in particular the use of the <VAR +>Note in particular the use of the <TT CLASS="PARAMETER" ->sufficient - </VAR -> keyword and the <VAR +><I +>sufficient</I +></TT +> + keyword and the <TT CLASS="PARAMETER" ->use_first_pass</VAR +><I +>use_first_pass</I +></TT > keyword. </P ><P >Now replace the account lines with this: </P @@ -588,20 +576,24 @@ CLASS="COMMAND" >The next step is to join the domain. To do that use the <B CLASS="COMMAND" ->net</B +>smbpasswd</B > program like this: </P ><P ><B CLASS="COMMAND" ->net join -S PDC -U Administrator</B +>smbpasswd -j DOMAIN -r PDC -U + Administrator</B ></P ><P ->The username after the <VAR +>The username after the <TT CLASS="PARAMETER" ->-U</VAR +><I +>-U</I +></TT > can be any Domain user that has administrator privileges on the machine. - Substitute the name or IP of your PDC for "PDC".</P + Substitute your domain name for "DOMAIN" and the name of your PDC + for "PDC".</P ><P >Next copy <TT CLASS="FILENAME" @@ -612,9 +604,9 @@ CLASS="FILENAME" >/lib</TT > and <TT CLASS="FILENAME" ->pam_winbind.so - </TT -> to <TT +>pam_winbind.so</TT +> + to <TT CLASS="FILENAME" >/lib/security</TT >. A symbolic link needs to be @@ -632,15 +624,19 @@ CLASS="FILENAME" >/lib/libnss_winbind.so.1</TT >.</P ><P ->Finally, setup a <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->smb.conf</SPAN ->(5)</SPAN +>Finally, setup a <TT +CLASS="FILENAME" +>smb.conf</TT > containing directives like the - following: -<PRE + following: </P +><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE CLASS="PROGRAMLISTING" >[global] winbind separator = + @@ -651,7 +647,11 @@ CLASS="PROGRAMLISTING" winbind gid = 10000-20000 workgroup = DOMAIN security = domain - password server = *</PRE + password server = * + </PRE +></TD +></TR +></TABLE ></P ><P >Now start winbindd and you should find that your user and @@ -670,7 +670,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN214" +NAME="AEN190" ></A ><H2 >NOTES</H2 @@ -681,12 +681,9 @@ CLASS="COMMAND" >winbindd</B >: </P ><P -><SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->nmbd</SPAN ->(8)</SPAN +><B +CLASS="COMMAND" +>nmbd</B > must be running on the local machine for <B CLASS="COMMAND" @@ -694,14 +691,25 @@ CLASS="COMMAND" > to work. <B CLASS="COMMAND" >winbindd</B -> queries - the list of trusted domains for the Windows NT server +> + queries the list of trusted domains for the Windows NT server on startup and when a SIGHUP is received. Thus, for a running <B CLASS="COMMAND" > winbindd</B > to become aware of new trust relationships between servers, it must be sent a SIGHUP signal. </P ><P +>Client processes resolving names through the <B +CLASS="COMMAND" +>winbindd</B +> + nsswitch module read an environment variable named <TT +CLASS="ENVAR" +> $WINBINDD_DOMAIN</TT +>. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains. </P +><P >PAM is really easy to misconfigure. Make sure you know what you are doing when modifying PAM configuration files. It is possible to set up PAM such that you can no longer log into your system. </P @@ -720,7 +728,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN229" +NAME="AEN206" ></A ><H2 >SIGNALS</H2 @@ -739,14 +747,11 @@ CLASS="VARIABLELIST" >SIGHUP</DT ><DD ><P ->Reload the <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->smb.conf</SPAN ->(5)</SPAN -> file and - apply any parameter changes to the running +>Reload the <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + file and apply any parameter changes to the running version of winbindd. This signal also clears any cached user and group information. The list of other domains trusted by winbindd is also reloaded. </P @@ -774,7 +779,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN248" +NAME="AEN223" ></A ><H2 >FILES</H2 @@ -813,34 +818,6 @@ CLASS="FILENAME" root. </P ></DD ><DT ->$LOCKDIR/winbindd_privilaged/pipe</DT -><DD -><P ->The UNIX pipe over which 'privilaged' clients - communicate with the <B -CLASS="COMMAND" ->winbindd</B -> program. For security - reasons, access to some winbindd functions - like those needed by - the <B -CLASS="COMMAND" ->ntlm_auth</B -> utility - is restricted. By default, - only users in the 'root' group will get this access, however the administrator - may change the group permissions on $LOCKDIR/winbindd_privilaged to allow - programs like 'squid' to use ntlm_auth. - Note that the winbind client will only attempt to connect to the winbindd daemon - if both the <TT -CLASS="FILENAME" ->$LOCKDIR/winbindd_privilaged</TT -> directory - and <TT -CLASS="FILENAME" ->$LOCKDIR/winbindd_privilaged/pipe</TT -> file are owned by - root. </P -></DD -><DT >/lib/libnss_winbind.so.X</DT ><DD ><P @@ -853,9 +830,11 @@ CLASS="FILENAME" ><P >Storage for the Windows NT rid to UNIX user/group id mapping. The lock directory is specified when Samba is initially - compiled using the <VAR + compiled using the <TT CLASS="PARAMETER" ->--with-lockdir</VAR +><I +>--with-lockdir</I +></TT > option. This directory is by default <TT CLASS="FILENAME" @@ -876,7 +855,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN285" +NAME="AEN252" ></A ><H2 >VERSION</H2 @@ -887,7 +866,7 @@ NAME="AEN285" ><DIV CLASS="REFSECT1" ><A -NAME="AEN288" +NAME="AEN255" ></A ><H2 >SEE ALSO</H2 @@ -895,30 +874,27 @@ NAME="AEN288" ><TT CLASS="FILENAME" >nsswitch.conf(5)</TT ->, <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->Samba</SPAN ->(7)</SPAN ->, <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->wbinfo</SPAN ->(8)</SPAN ->, <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->smb.conf</SPAN ->(5)</SPAN +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, + <A +HREF="wbinfo.1.html" +TARGET="_top" +>wbinfo(1)</A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A ></P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN301" +NAME="AEN262" ></A ><H2 >AUTHOR</H2 @@ -934,12 +910,11 @@ CLASS="COMMAND" > and <B CLASS="COMMAND" >winbindd</B -> were - written by Tim Potter.</P +> + were written by Tim Potter.</P ><P >The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.</P + by Gerald Carter</P ></DIV ></BODY ></HTML |