Diffstat (limited to 'docs/htmldocs/winbindd.8.html')
-rw-r--r-- | docs/htmldocs/winbindd.8.html | 386 |
1 files changed, 285 insertions, 101 deletions
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index 3aecf62509..1ecb08cdb4 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,11 +1,10 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >winbindd</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.77"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -16,8 +15,8 @@ ALINK="#0000FF" ><H1 ><A NAME="WINBINDD" -></A ->winbindd</H1 +>winbindd</A +></H1 ><DIV CLASS="REFNAMEDIV" ><A @@ -38,7 +37,7 @@ NAME="AEN8" ><B CLASS="COMMAND" >winbindd</B -> [-i] [-d <debug level>] [-s <smb config file>]</P +> [-i] [-d <debug level>] [-s <smb config file>]</P ></DIV ><DIV CLASS="REFSECT1" @@ -93,13 +92,13 @@ CLASS="PARAMETER" >account</I ></TT > - module-types. The latter simply + module-types. The latter is simply performs a getpwnam() to verify that the system can obtain a uid for the user. If the <TT CLASS="FILENAME" >libnss_winbind</TT > library has been correctly - installed, this should always succeed. + installed, this should always suceed. </P ><P >The following nsswitch databases are implemented by @@ -171,11 +170,20 @@ CLASS="FILENAME" > and then from the Windows NT server. </P ><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD ><PRE CLASS="PROGRAMLISTING" >passwd: files winbind group: files winbind </PRE +></TD +></TR +></TABLE ></P ><P >The following simple configuration in the 
@@ -279,130 +287,279 @@ CLASS="FILENAME" [global] section of smb.conf. </P ><P ></P -><UL -><LI +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>winbind separator</DT +><DD ><P -><A -HREF="smb.conf.5.html#WINBINDSEPARATOR" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->winbind separator</I -></TT -></A +>The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + <B +CLASS="COMMAND" +>winbindd</B +> will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. In that case you can use the winbind separator + option to specify an alternative separator character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind separator = \ </B +> + </P +><P +>Example: <B +CLASS="COMMAND" +>winbind separator = + </B ></P -></LI -><LI +></DD +><DT +>winbind uid</DT +><DD ><P -><A -HREF="smb.conf.5.html#WINBINDUID" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->winbind uid</I -></TT -></A +>The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or NIS users + within it as strange conflicts can occur otherwise. 
</P +><P +>Default: <B +CLASS="COMMAND" +>winbind uid = <empty string> + </B ></P -></LI -><LI ><P -><A -HREF="smb.conf.5.html#WINBINDGID" -TARGET="_top" -> <TT +>Example: <B +CLASS="COMMAND" +>winbind uid = 10000-20000</B +></P +></DD +><DT +>winbind gid</DT +><DD +><P +>The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or NIS + groups within it as strange conflicts can occur otherwise.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind gid = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>winbind gid = 10000-20000 + </B +> </P +></DD +><DT +>winbind cache time</DT +><DD +><P +>This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the server's account database. + If the sequence number has not changed then the cached item is + marked as valid for a further <TT CLASS="PARAMETER" ><I ->winbind gid</I +>winbind cache time + </I ></TT -></A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#WINBINDCACHETIME" -TARGET="_top" -> <TT +> seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every <TT CLASS="PARAMETER" ><I ->winbind cache time</I +>winbind cache time + </I ></TT -></A -></P -></LI -><LI +> seconds. 
</P ><P -><A -HREF="smb.conf.5.html#WINBINDENUMUSERS" -TARGET="_top" -> <TT +>Default: <B +CLASS="COMMAND" +>winbind cache time = 15</B +> + </P +></DD +><DT +>winbind enum users</DT +><DD +><P +>On large installations it may be necessary + to suppress the enumeration of users through the <B +CLASS="COMMAND" +> setpwent()</B +>, <B +CLASS="COMMAND" +>getpwent()</B +> and + <B +CLASS="COMMAND" +>endpwent()</B +> group of system calls. If + the <TT CLASS="PARAMETER" ><I >winbind enum users</I ></TT -></A +> parameter is false, + calls to the <B +CLASS="COMMAND" +>getpwent</B +> system call will not + return any data. </P +><P +><EM +>Warning:</EM +> Turning off user enumeration + may cause some programs to behave oddly. For example, the <B +CLASS="COMMAND" +>finger</B +> + program relies on having access to the full user list when + searching for matching usernames. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind enum users = yes </B ></P -></LI -><LI +></DD +><DT +>winbind enum groups</DT +><DD ><P -><A -HREF="smb.conf.5.html#WINBINDENUMGROUPS" -TARGET="_top" -> <TT +>On large installations it may be necessary + to suppress the enumeration of groups through the <B +CLASS="COMMAND" +> setgrent()</B +>, <B +CLASS="COMMAND" +>getgrent()</B +> and + <B +CLASS="COMMAND" +>endgrent()</B +> group of system calls. If + the <TT CLASS="PARAMETER" ><I >winbind enum groups</I ></TT -></A -></P -></LI -><LI +> parameter is + false, calls to the <B +CLASS="COMMAND" +>getgrent()</B +> system + call will not return any data. </P +><P +><EM +>Warning:</EM +> Turning off group + enumeration may cause some programs to behave oddly. 
+ </P ><P -><A -HREF="smb.conf.5.html#TEMPLATEHOMEDIR" -TARGET="_top" -> <TT +>Default: <B +CLASS="COMMAND" +>winbind enum groups = no </B +> + </P +></DD +><DT +>template homedir</DT +><DD +><P +>When filling out the user information + for a Windows NT user, the <B +CLASS="COMMAND" +>winbindd</B +> daemon + uses this parameter to fill in the home directory for that user. + If the string <TT CLASS="PARAMETER" ><I ->template homedir</I +>%D</I ></TT -></A -></P -></LI -><LI -><P -><A -HREF="smb.conf.5.html#TEMPLATESHELL" -TARGET="_top" -> <TT +> is present it is + substituted with the user's Windows NT domain name. If the + string <TT CLASS="PARAMETER" ><I ->template shell</I +>%U</I ></TT -></A +> is present it is substituted + with the user's Windows NT user name. </P +><P +>Default: <B +CLASS="COMMAND" +>template homedir = /home/%D/%U </B +> + </P +></DD +><DT +>template shell</DT +><DD +><P +>When filling out the user information for + a Windows NT user, the <B +CLASS="COMMAND" +>winbindd</B +> daemon + uses this parameter to fill in the shell for that user. + </P +><P +>Default: <B +CLASS="COMMAND" +>template shell = /bin/false </B +> + </P +></DD +><DT +>winbind use default domain</DT +><DD +><P +>This parameter specifies whether the <B +CLASS="COMMAND" +>winbindd</B +> + daemon should operate on users without domain component in their username. + Users without a domain component are treated as is part of the winbindd server's + own domain. 
While this does not benifit Windows users, it makes SSH, FTP and e-mail + function in a way much closer to the way they would in a native unix system.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind use default domain = <falseg> + </B ></P -></LI -><LI ><P -><A -HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN" -TARGET="_top" -> <TT -CLASS="PARAMETER" -><I ->winbind use default domain</I -></TT -></A +>Example: <B +CLASS="COMMAND" +>winbind use default domain = true</B ></P -></LI -></UL +></DD +></DL +></DIV ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN118" +NAME="AEN167" ></A ><H2 >EXAMPLE SETUP</H2 @@ -417,11 +574,20 @@ CLASS="FILENAME" > put the following:</P ><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD ><PRE CLASS="PROGRAMLISTING" >passwd: files winbind group: files winbind </PRE +></TD +></TR +></TABLE ></P ><P >In <TT @@ -435,6 +601,12 @@ CLASS="PARAMETER" ></TT > lines with something like this: </P ><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD ><PRE CLASS="PROGRAMLISTING" >auth required /lib/security/pam_securetty.so @@ -442,6 +614,9 @@ auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok </PRE +></TD +></TR +></TABLE ></P ><P >Note in particular the use of the <TT @@ -522,6 +697,12 @@ CLASS="FILENAME" > containing directives like the following: </P ><P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD ><PRE CLASS="PROGRAMLISTING" >[global] @@ -535,6 +716,9 @@ CLASS="PROGRAMLISTING" security = domain password server = * </PRE +></TD +></TR +></TABLE ></P ><P >Now start winbindd and you should find that your user and @@ -553,7 +737,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN157" +NAME="AEN206" ></A ><H2 >NOTES</H2 @@ -611,7 +795,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN173" +NAME="AEN222" ></A ><H2 >SIGNALS</H2 
@@ -662,7 +846,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN190" +NAME="AEN239" ></A ><H2 >FILES</H2 @@ -738,7 +922,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN219" +NAME="AEN268" ></A ><H2 >VERSION</H2 @@ -749,7 +933,7 @@ NAME="AEN219" ><DIV CLASS="REFSECT1" ><A -NAME="AEN222" +NAME="AEN271" ></A ><H2 >SEE ALSO</H2 @@ -777,7 +961,7 @@ TARGET="_top" ><DIV CLASS="REFSECT1" ><A -NAME="AEN229" +NAME="AEN278" ></A ><H2 >AUTHOR</H2 |
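Review bot: The first hunk (@@ -1,11 +1,10 @@) drops the DOCTYPE declaration and moves the GENERATOR meta from "Modular DocBook HTML Stylesheet Version 1.77" back to "Version 1.57", so this page looks like it was regenerated with an older toolchain than the one that produced the committed copy. Either regenerate with the newer stylesheet or note in the commit message that the downgrade is intended. As it stands, the markup-only changes (the H1 anchor now wrapping the title, the missing DOCTYPE) are mixed in with the real content changes and are hard to tell apart from them.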
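Review bot: The @@ -93,13 +92,13 @@ hunk introduces two text regressions: "The latter simply performs a getpwnam()" becomes "The latter is simply performs", and "this should always succeed" becomes "this should always suceed". Both removed lines were correct, so the old wording should be kept. Because this file is generated, the fix belongs in the DocBook source so it is not reintroduced on the next build.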
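Review bot: In the @@ -279,130 +287,279 @@ hunk the documented default for the last parameter reads "winbind use default domain = <falseg>", which is not a value a reader can rely on; it should state the default plainly in the same form as the "Example: winbind use default domain = true" line. The same hunk has "benifit", "treated as is part of the winbindd server's own domain", "When a item in the cache" and a misplaced quote in "a '+ 'character". The defaults also disagree with each other ("winbind enum users = yes" but "winbind enum groups = no") and should be checked against smb.conf.5, which this hunk stops linking to in favour of inline copies of the text. Finally, the winbind uid and winbind gid entries only warn that "strange conflicts can occur" if the range contains existing local or NIS ids. Since these are the ids used for file ownership and permission checks, I'd state the consequence: an overlapping range lets a domain account resolve to the same uid or gid as an existing local account.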
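Review bot: The hunks that wrap each PROGRAMLISTING (@@ -171,11 +170,20 @@, @@ -417,11 +574,20 @@, @@ -435,6 +601,12 @@, @@ -522,6 +697,12 @@ and their closing counterparts) open a TABLE directly after the opening P tag, which puts a block-level element inside a paragraph and is not valid HTML 4.01. The wrapper also carries only presentational attributes (BORDER="0", BGCOLOR="#E0E0E0", WIDTH="100%"). If the shaded background is wanted, it would be cleaner to emit the table outside the P or to style the PRE by its existing CLASS="PROGRAMLISTING".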
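Review bot: Every section anchor from EXAMPLE SETUP onward is renumbered in the trailing hunks (NAME="AEN118" becomes "AEN167", "AEN157" becomes "AEN206", and so on through "AEN229" to "AEN278"), so any existing link to a fragment of this page will stop resolving after this commit. These ids are auto-generated and shift whenever content is added above them; giving the refsect1 elements explicit ids in the DocBook source would keep the anchors stable and remove this churn from future diffs.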