summaryrefslogtreecommitdiff
path: root/docs/htmldocs/winbindd.8.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/winbindd.8.html')
-rw-r--r--docs/htmldocs/winbindd.8.html1194
1 files changed, 860 insertions, 334 deletions
diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html
index 2caa9ccf01..a98b7a2864 100644
--- a/docs/htmldocs/winbindd.8.html
+++ b/docs/htmldocs/winbindd.8.html
@@ -1,245 +1,594 @@
-
-
-
-
-
-<html><head><title>winbindd (8)</title>
-
-<link rev="made" href="mailto:samba-bugs@samba.org">
-</head>
-<body>
-
-<hr>
-
-<h1>winbindd (8)</h1>
-<h2>Samba</h2>
-<h2>13 Jun 2000</h2>
-
-
-
-<p><a name="NAME"></a>
-<h2>NAME</h2>
- winbindd - Name Service Switch daemon for resolving names from NT servers
-<p><a name="SYNOPSIS"></a>
-<h2>SYNOPSIS</h2>
-
-<p><strong>winbindd</strong> [<a href="winbindd.8.html#minusd">-d debuglevel</a>] [<a href="winbindd.8.html#minusi">-i</a>]
-<p><a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
-
-<p>This program is part of the <strong>Samba</strong> suite version 3.0 and describes
-functionality not yet implemented in the main version of Samba.
-<p><strong>winbindd</strong> is a daemon that provides a service for the Name Service
-Switch capability that is present in most modern C libraries. The Name
-Service Switch allows user and system information to be obtained from
-different databases services such as NIS or DNS. The exact behaviour can
-be configured throught the <code>/etc/nsswitch.conf</code> file. Users and groups
-are allocated as they are resolved to a range of user and group ids
-specified by the administrator of the Samba system.
-<p>The service provided by <strong>winbindd</strong> is called `winbind' and can be
-used to resolve user and group information from a Windows NT server.
-The service can also provide authentication services via an associated
-PAM module.
-<p>The following nsswitch databases are implemented by the <strong>winbindd</strong>
-service:
-<p><dl>
-<p><p></p><dt><strong>passwd</strong><dd>
-<p>User information traditionally stored in the <strong>passwd(5)</strong> file and used by
-<strong>getpwent(3)</strong> functions.
-<p><p></p><dt><strong>group</strong><dd>
-<p>Group information traditionally stored in the <strong>group(5)</strong> file and used by
-<strong>getgrent(3)</strong> functions.
-<p></dl>
-<p>For example, the following simple configuration in the
-<code>/etc/nsswitch.conf</code> file can be used to initially resolve user and group
-information from <code>/etc/passwd</code> and <code>/etc/group</code> and then from the
-Windows NT server.
-<p><pre>
-
- passwd: files winbind
- group: files winbind
-
-</pre>
-
-<p><a name="OPTIONS"></a>
-<h2>OPTIONS</h2>
-
-<p>The following options are available to the <strong>winbindd</strong> daemon:
-<p><dl>
-<p><a name="minusd"></a>
-<p></p><dt><strong><strong>-d debuglevel</strong></strong><dd>
-Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging
-and 100 is for reams and reams. To submit a bug report to the Samba Team,
-use debug level 100 (see <strong>BUGS.txt</strong>).
-<p><a name="minusi"></a>
-<p></p><dt><strong><strong>-i</strong></strong><dd>
-Tells <strong>winbindd</strong> to not become a daemon and detach from the current terminal.
-This option is used by developers when interactive debugging of <strong>winbindd</strong> is
-required.
-<p></dl>
-<p><a name="NAMEANDIDRESOLUTION"></a>
-<h2>NAME AND ID RESOLUTION</h2>
-
-<p>Users and groups on a Windows NT server are assigned a relative id (rid)
-which is unique for the domain when the user or group is created. To
-convert the Windows NT user or group into a unix user or group, a mapping
-between rids and unix user and group ids is required. This is one of the
-jobs that <strong>winbindd</strong> performs.
-<p>As <strong>winbindd</strong> users and groups are resolved from a server, user and group
-ids are allocated from a specified range. This is done on a first come,
-first served basis, although all existing users and groups will be mapped
-as soon as a client performs a user or group enumeration command. The
-allocated unix ids are stored in a database file under the Samba lock
-directory and will be remembered.
-<p>WARNING: The rid to unix id database is the only location where the user
-and group mappings are stored by <strong>winbindd</strong>. If this file is deleted or
-corrupted, there is no way for <strong>winbindd</strong> to determine which user and
-group ids correspond to Windows NT user and group rids.
-<p><a name="CONFIGURATION"></a>
-<h2>CONFIGURATION</h2>
-
-<p>Configuration of the <strong>winbindd</strong> daemon is done through configuration
-parameters in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. All parameters
-should be specified in the [global] section of
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a>.
-<p><dl>
-<p><p></p><dt><strong>winbind separator</strong><dd>
-<p>The winbind separator option allows you to specify how NT domain names
-and user names are combined into unix user names when presented to
-users. By default winbind will use the traditional \ separator so
-that the unix user names look like DOMAIN\username. In some cases
-this separator character may cause problems as the \ character has
-special meaning in unix shells. In that case you can use the winbind
-separator option to specify an alternative sepataror character. Good
-alternatives may be / (although that conflicts with the unix directory
-separator) or a + character. The + character appears to be the best
-choice for 100% compatibility with existing unix utilities, but may be
-an aesthetically bad choice depending on your taste.
-<p><strong>Default:</strong>
-<code> winbind separator = \</code>
-<p><strong>Example:</strong>
-<code> winbind separator = +</code>
-<p><p></p><dt><strong>winbind uid</strong><dd>
-<p>The winbind uid parameter specifies the range of user ids that are
-allocated by the <strong>winbindd</strong> daemon. This range of
-ids should have no existing local or nis users within it as strange
-conflicts can occur otherwise.
-<p><strong>Default:</strong>
-<code> winbind uid = &lt;empty string&gt;</code>
-<p><strong>Example:</strong>
-<code> winbind uid = 10000-20000</code>
-<p><p></p><dt><strong>winbind gid</strong><dd>
-<p>The winbind gid parameter specifies the range of group ids that are
-allocated by the <strong>winbindd</strong> daemon. This range of group ids should have
-no existing local or nis groups within it as strange conflicts can occur
-otherwise.
-<p><strong>Default:</strong>
-<code> winbind gid = &lt;empty string&gt;</code>
-<p><strong>Example:</strong>
-<code> winbind gid = 10000-20000</code>
-<p><p></p><dt><strong>winbind cache time</strong><dd>
-<p>This parameter specifies the number of seconds the <strong>winbindd</strong> daemon will
-cache user and group information before querying a Windows NT server
-again. When a item in the cache is older than this time <strong>winbindd</strong> will ask
-the domain controller for the sequence number of the servers account
-database. If the sequence number has not changed then the cached item is
-marked as valid for a further "winbind cache time" seconds. Otherwise the
-item is fetched from the server. This means that as long as the account
-database is not actively changing <strong>winbindd</strong> will only have to send one
-sequence number query packet every "winbind cache time" seconds.
-<p><strong>Default:</strong>
-<code> winbind cache time = 15</code>
-<p><p></p><dt><strong>winbind enum users</strong><dd>
-<p>On large installations it may be necessary to suppress the enumeration of
-users through the <code>setpwent</code>, <code>getpwent</code> and <code>endpwent</code> group of
-system calls. If the <code>winbind enum users</code> parameter is false, calls to
-the <code>getpwent</code> system call will not return any data.
-<p>Warning: Turning off user enumeration may cause some programs to behave
-oddly. For example, the finger program relies on having access to the full
-user list when searching for matching usernames.
-<p><strong>Default:</strong>
-<code> winbind enum users = true</code>
-<p><p></p><dt><strong>winbind enum groups</strong><dd>
-<p>On large installations it may be necessary to suppress the enumeration of
-groups through the <code>setgrent</code>, <code>getgrent</code> and <code>endgrent</code> group of
-system calls. If the <code>winbind enum groups</code> parameter is false, calls to
-the <code>getgrent</code> system call will not return any data.
-<p>Warning: Turning off group enumeration may cause some programs to behave
-oddly.
-<p><strong>Default:</strong>
-<code> winbind enum groups = true</code>
-<p><p></p><dt><strong>template homedir</strong><dd>
-<p>When filling out the user information for a Windows NT user, the
-<strong>winbindd</strong> daemon uses this parameter to fill in the home directory for
-that user. If the string <code>%D</code> is present it is substituted with the
-user's Windows NT domain name. If the string <code>%U</code> is present it is
-substituted with the user's Windows NT user name.
-<p><strong>Default:</strong>
-<code> template homedir = /home/%D/%U</code>
-<p><p></p><dt><strong>template shell</strong><dd>
-<p>When filling out the user information for a Windows NT user, the
-<strong>winbindd</strong> daemon uses this parameter to fill in the shell for that user.
-<p><strong>Default:</strong>
-<code> template shell = /bin/false</code>
-<p></dl>
-<p><a name="EXAMPLESETUP"></a>
-<h2>EXAMPLE SETUP</h2>
-
-<p>To setup <strong>winbindd</strong> for user and group lookups plus authentication from
-a domain controller use something like the following setup. This was
-tested on a RedHat 6.2 Linux box.
-<p>In <code>/etc/nsswitch.conf</code> put the following:
-<pre>
-
- passwd: files winbind
- group: files winbind
-
-</pre>
-
-<p>In <code>/etc/pam.d/*</code> replace the <code>auth</code> lines with something like this:
-<pre>
-
- auth required /lib/security/pam_securetty.so
- auth required /lib/security/pam_nologin.so
- auth sufficient /lib/security/pam_winbind.so
- auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
-
-</pre>
-
-<p>Note in particular the use of the <code>sufficient</code> keyword and the
-<code>use_first_pass</code> keyword.
-<p>Now replace the account lines with this:
-<pre>
-
- account required /lib/security/pam_winbind.so
-
-</pre>
-
-<p>The next step is to join the domain. To do that use the samedit
-program like this:
-<pre>
-
- samedit -S '*' -W DOMAIN -UAdministrator
-
-</pre>
-
-<p>The username after the -U can be any Domain user that has administrator
-priviliges on the machine. Next from within samedit, run the command:
-<pre>
-
- createuser MACHINE$ -j DOMAIN -L
-
-</pre>
-
-<p>This assumes your domain is called <code>DOMAIN</code> and your Samba workstation
-is called <code>MACHINE</code>.
-<p>Next copy <code>libnss_winbind.so.2</code> to <code>/lib</code> and <code>pam_winbind.so</code> to
-<code>/lib/security</code>.
-<p>Finally, setup a smb.conf containing directives like the following:
-<pre>
-
- [global]
- winbind separator = +
+<HTML
+><HEAD
+><TITLE
+>winbindd</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="WINBINDD"
+>winbindd</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>winbindd&nbsp;--&nbsp;Name Service Switch daemon for resolving names
+ from NT servers</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>nmblookup</B
+> [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B &lt;broadcast address&gt;] [-U &lt;unicast address&gt;] [-d &lt;debug level&gt;] [-s &lt;smb config file&gt;] [-i &lt;NetBIOS scope&gt;] [-T] {name}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN24"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>This tool is part of the <A
+HREF="samba.7.html"
+TARGET="_top"
+> Samba</A
+> suite version 3.0 and describes functionality not
+ yet implemented in the main version of Samba.</P
+><P
+><B
+CLASS="COMMAND"
+>winbindd</B
+> is a daemon that provides
+ a service for the Name Service Switch capability that is present
+ in most modern C libraries. The Name Service Switch allows user
+ and system information to be obtained from different databases
+ services such as NIS or DNS. The exact behaviour can be configured
+ throught the <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file.
+ Users and groups are allocated as they are resolved to a range
+ of user and group ids specified by the administrator of the
+ Samba system.</P
+><P
+>The service provided by winbindd is called `winbind' and
+ can be used to resolve user and group information from a
+ Windows NT server. The service can also provide authentication
+ services via an associated PAM module. </P
+><P
+>The following nsswitch databases are implemented by
+ the winbindd service: </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>passwd</DT
+><DD
+><P
+>User information traditionally stored in
+ the <TT
+CLASS="FILENAME"
+>passwd(5)</TT
+> file and used by
+ <B
+CLASS="COMMAND"
+>getpwent(3)</B
+> functions. </P
+></DD
+><DT
+>group</DT
+><DD
+><P
+>Group information traditionally stored in
+ the <TT
+CLASS="FILENAME"
+>group(5)</TT
+> file and used by
+ <B
+CLASS="COMMAND"
+>getgrent(3)</B
+> functions. </P
+></DD
+></DL
+></DIV
+><P
+>For example, the following simple configuration in the
+ <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> file can be used to initially
+ resolve user and group information from <TT
+CLASS="FILENAME"
+>/etc/passwd
+ </TT
+> and <TT
+CLASS="FILENAME"
+>/etc/group</TT
+> and then from the
+ Windows NT server. </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>passwd: files winbind
+group: files winbind
+ </PRE
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN52"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-d debuglevel</DT
+><DD
+><P
+>Sets the debuglevel to an integer between
+ 0 and 100. 0 is for no debugging and 100 is for reams and
+ reams. To submit a bug report to the Samba Team, use debug
+ level 100 (see BUGS.txt). </P
+></DD
+><DT
+>-i</DT
+><DD
+><P
+>Tells <B
+CLASS="COMMAND"
+>winbindd</B
+> to not
+ become a daemon and detach from the current terminal. This
+ option is used by developers when interactive debugging
+ of <B
+CLASS="COMMAND"
+>winbindd</B
+> is required. </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN65"
+></A
+><H2
+>NAME AND ID RESOLUTION</H2
+><P
+>Users and groups on a Windows NT server are assigned
+ a relative id (rid) which is unique for the domain when the
+ user or group is created. To convert the Windows NT user or group
+ into a unix user or group, a mapping between rids and unix user
+ and group ids is required. This is one of the jobs that <B
+CLASS="COMMAND"
+> winbindd</B
+> performs. </P
+><P
+>As winbindd users and groups are resolved from a server, user
+ and group ids are allocated from a specified range. This
+ is done on a first come, first served basis, although all existing
+ users and groups will be mapped as soon as a client performs a user
+ or group enumeration command. The allocated unix ids are stored
+ in a database file under the Samba lock directory and will be
+ remembered. </P
+><P
+>WARNING: The rid to unix id database is the only location
+ where the user and group mappings are stored by winbindd. If this
+ file is deleted or corrupted, there is no way for winbindd to
+ determine which user and group ids correspond to Windows NT user
+ and group rids. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN71"
+></A
+><H2
+>CONFIGURATION</H2
+><P
+>Configuration of the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+ is done through configuration parameters in the <TT
+CLASS="FILENAME"
+>smb.conf(5)
+ </TT
+> file. All parameters should be specified in the
+ [global] section of smb.conf. </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>winbind separator</DT
+><DD
+><P
+>The winbind separator option allows you
+ to specify how NT domain names and user names are combined
+ into unix user names when presented to users. By default,
+ <B
+CLASS="COMMAND"
+>winbindd</B
+> will use the traditional '\'
+ separator so that the unix user names look like
+ DOMAIN\username. In some cases this separator character may
+ cause problems as the '\' character has special meaning in
+ unix shells. In that case you can use the winbind separator
+ option to specify an alternative sepataror character. Good
+ alternatives may be '/' (although that conflicts
+ with the unix directory separator) or a '+ 'character.
+ The '+' character appears to be the best choice for 100%
+ compatibility with existing unix utilities, but may be an
+ aesthetically bad choice depending on your taste. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind separator = \ </B
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind separator = + </B
+></P
+></DD
+><DT
+>winbind uid</DT
+><DD
+><P
+>The winbind uid parameter specifies the
+ range of user ids that are allocated by the winbindd daemon.
+ This range of ids should have no existing local or nis users
+ within it as strange conflicts can occur otherwise. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind uid = &lt;empty string&gt;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind uid = 10000-20000</B
+></P
+></DD
+><DT
+>winbind gid</DT
+><DD
+><P
+>The winbind gid parameter specifies the
+ range of group ids that are allocated by the winbindd daemon.
+ This range of group ids should have no existing local or nis
+ groups within it as strange conflicts can occur otherwise.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind gid = &lt;empty string&gt;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind gid = 10000-20000
+ </B
+> </P
+></DD
+><DT
+>winbind cache time</DT
+><DD
+><P
+>This parameter specifies the number of
+ seconds the winbindd daemon will cache user and group information
+ before querying a Windows NT server again. When a item in the
+ cache is older than this time winbindd will ask the domain
+ controller for the sequence number of the servers account database.
+ If the sequence number has not changed then the cached item is
+ marked as valid for a further <TT
+CLASS="PARAMETER"
+><I
+>winbind cache time
+ </I
+></TT
+> seconds. Otherwise the item is fetched from the
+ server. This means that as long as the account database is not
+ actively changing winbindd will only have to send one sequence
+ number query packet every <TT
+CLASS="PARAMETER"
+><I
+>winbind cache time
+ </I
+></TT
+> seconds. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind cache time = 15</B
+>
+ </P
+></DD
+><DT
+>winbind enum users</DT
+><DD
+><P
+>On large installations it may be necessary
+ to suppress the enumeration of users through the <B
+CLASS="COMMAND"
+> setpwent()</B
+>, <B
+CLASS="COMMAND"
+>getpwent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endpwent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum users</I
+></TT
+> parameter is false,
+ calls to the <B
+CLASS="COMMAND"
+>getpwent</B
+> system call will not
+ return any data. </P
+><P
+><I
+CLASS="EMPHASIS"
+>Warning:</I
+> Turning off user enumeration
+ may cause some programs to behave oddly. For example, the finger
+ program relies on having access to the full user list when
+ searching for matching usernames. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum users = yes </B
+></P
+></DD
+><DT
+>winbind enum groups</DT
+><DD
+><P
+>On large installations it may be necessary
+ to suppress the enumeration of groups through the <B
+CLASS="COMMAND"
+> setgrent()</B
+>, <B
+CLASS="COMMAND"
+>getgrent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endgrent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum groups</I
+></TT
+> parameter is
+ false, calls to the <B
+CLASS="COMMAND"
+>getgrent()</B
+> system
+ call will not return any data. </P
+><P
+><I
+CLASS="EMPHASIS"
+>Warning:</I
+> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum groups = no </B
+>
+ </P
+></DD
+><DT
+>template homedir</DT
+><DD
+><P
+>When filling out the user information
+ for a Windows NT user, the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <TT
+CLASS="PARAMETER"
+><I
+>%D</I
+></TT
+> is present it is
+ substituted with the user's Windows NT domain name. If the
+ string <TT
+CLASS="PARAMETER"
+><I
+>%U</I
+></TT
+> is present it is substituted
+ with the user's Windows NT user name. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template homedir = /home/%D/%U </B
+>
+ </P
+></DD
+><DT
+>template shell</DT
+><DD
+><P
+>When filling out the user information for
+ a Windows NT user, the <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+ uses this parameter to fill in the shell for that user.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template shell = /bin/false </B
+>
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN152"
+></A
+><H2
+>EXAMPLE SETUP</H2
+><P
+>To setup winbindd for user and group lookups plus
+ authentication from a domain controller use something like the
+ following setup. This was tested on a RedHat 6.2 Linux box. </P
+><P
+>In <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> put the
+ following:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>passwd: files winbind
+group: files winbind
+ </PRE
+></P
+><P
+>In <TT
+CLASS="FILENAME"
+>/etc/pam.d/*</TT
+> replace the
+ <TT
+CLASS="PARAMETER"
+><I
+>auth</I
+></TT
+> lines with something like this: </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_nologin.so
+auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
+ </PRE
+></P
+><P
+>Note in particular the use of the <TT
+CLASS="PARAMETER"
+><I
+>sufficient</I
+></TT
+>
+ keyword and the <TT
+CLASS="PARAMETER"
+><I
+>use_first_pass</I
+></TT
+> keyword. </P
+><P
+>Now replace the account lines with this: </P
+><P
+><B
+CLASS="COMMAND"
+>account required /lib/security/pam_winbind.so
+ </B
+></P
+><P
+>The next step is to join the domain. To do that use the
+ <B
+CLASS="COMMAND"
+>samedit</B
+> program like this: </P
+><P
+><B
+CLASS="COMMAND"
+>samedit -S '*' -W DOMAIN -UAdministrator</B
+></P
+><P
+>The username after the <TT
+CLASS="PARAMETER"
+><I
+>-U</I
+></TT
+> can be any Domain
+ user that has administrator priviliges on the machine. Next from
+ within <B
+CLASS="COMMAND"
+>samedit</B
+>, run the command: </P
+><P
+><B
+CLASS="COMMAND"
+>createuser MACHINE$ -j DOMAIN -L</B
+></P
+><P
+>This assumes your domain is called "DOMAIN" and your Samba
+ workstation is called "MACHINE". </P
+><P
+>Next copy <TT
+CLASS="FILENAME"
+>libnss_winbind.so.2</TT
+> to
+ <TT
+CLASS="FILENAME"
+>/lib</TT
+> and <TT
+CLASS="FILENAME"
+>pam_winbind.so</TT
+>
+ to <TT
+CLASS="FILENAME"
+>/lib/security</TT
+>.</P
+><P
+>Finally, setup a smb.conf containing directives like the
+ following: </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
@@ -248,95 +597,272 @@ is called <code>MACHINE</code>.
workgroup = DOMAIN
security = domain
password server = *
-
-</pre>
-
-<p>Now start <strong>winbindd</strong> and you should find that your user and group
-database is expanded to include your NT users and groups, and that you
-can login to your unix box as a domain user, using the <code>DOMAIN+user</code>
-syntax for the username. You may wish to use the commands "getent
-passwd" and "getent group" to confirm the correct operation of
-<strong>winbindd</strong>.
-<p><a name="NOTES"></a>
-<h2>NOTES</h2>
-
-<p>The following notes are useful when configuring and running <strong>winbindd</strong>:
-<p><dl>
-<p><p></p><dt><strong></strong><dd>
-<a href="nmbd.8.html"><strong>nmbd</strong></a> must be running on the local machine for
-<strong>winbindd</strong> to work.
-<p><p></p><dt><strong></strong><dd>
-<strong>winbindd</strong> queries the list of trusted domains for the Windows NT server
-on startup and when a SIGHUP is received. Thus, for a running <strong>winbindd</strong>
-to become aware of new trust relationships between servers, it must be sent
-a SIGHUP signal.
-<p><p></p><dt><strong></strong><dd>
-Client processes resolving names through the <strong>winbindd</strong> nsswitch module
-read an environment variable named <code>WINBINDD_DOMAIN</code>. If this variable
-contains a comma separated list of Windows NT domain names, then <strong>winbindd</strong>
-will only resolve users and groups within those Windows NT domains.
-<p><p></p><dt><strong></strong><dd>
-PAM is really easy to misconfigure. Make sure you know what you are doing
-when modifying PAM configuration files. It is possible to set up PAM
-such that you can no longer log into your system.
-<p><p></p><dt><strong></strong><dd>
-If more than one UNIX machine is running <strong>winbindd</strong>, then in general the
-user and groups ids allocated by <strong>winbindd</strong> will not be the same. The
-user and group ids will only be valid for the local machine.
-<p><p></p><dt><strong></strong><dd>
-If the the Windows NT RID to UNIX user and group id mapping file
-is damaged or destroyed then the mappings will be lost.
-<p></dl>
-<p><a name="SIGNALS"></a>
-<h2>SIGNALS</h2>
-
-<p>The following signals can be used to manipulate the <strong>winbindd</strong> daemon.
-<p><dl>
-<p><p></p><dt><strong><code>SIGHUP</code></strong><dd>
-<p>Reload the <code>smb.conf</code> file and apply any parameter changes to the running
-version of <strong>winbindd</strong>. This signal also clears any cached user and group
-information. The list of other domains trusted by <strong>winbindd</strong> is also
-reloaded.
-<p><p></p><dt><strong><code>SIGUSR1</code></strong><dd>
-<p>The <code>SIGUSR1</code> signal will cause <strong>winbindd</strong> to write status information
-to the winbind log file including information about the number of user and
-group ids allocated by <strong>winbindd</strong>.
-<p>Log files are stored in the filename specified by the <strong>log file</strong> parameter.
-<p></dl>
-<p><a name="FILES"></a>
-<h2>FILES</h2>
-
-<p>The following files are relevant to the operation of the <strong>winbindd</strong>
-daemon.
-<p><dl>
-<p><p></p><dt><strong>/etc/nsswitch.conf(5)</strong><dd>
-<p>Name service switch configuration file.
-<p><p></p><dt><strong>/tmp/.winbindd/pipe</strong><dd>
-<p>The UNIX pipe over which clients communicate with the <strong>winbindd</strong> program.
-For security reasons, the winbind client will only attempt to connect to the
-<strong>winbindd</strong> daemon if both the <code>/tmp/.winbindd</code> directory and
-<code>/tmp/.winbindd/pipe</code> file are owned by root.
-<p><p></p><dt><strong>/lib/libnss_winbind.so.X</strong><dd>
-<p>Implementation of name service switch library.
-<p><p></p><dt><strong>$LOCKDIR/winbindd_idmap.tdb</strong><dd>
-<p>Storage for the Windows NT rid to UNIX user/group id mapping. The lock
-directory is specified when Samba is initially compiled using the
-<code>--with-lockdir</code> option. This directory is by default
-<code>/usr/local/samba/var/locks</code>.
-<p><p></p><dt><strong>$LOCKDIR/winbindd_cache.tdb</strong><dd>
-<p>Storage for cached user and group information.
-<p></dl>
-<p><a name="SEEALSO"></a>
-<h2>SEE ALSO</h2>
-
-<p><a href="samba.7.html"><strong>samba(7)</strong></a>, <a href="smb.conf.5.html"><strong>smb.conf(5)</strong></a>,
-<strong>nsswitch.conf(5)</strong>, <a href="wbinfo.1.html"><strong>wbinfo(1)</strong></a>
-<p><a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
-
-<p>The original Samba software and related utilities were created by
-Andrew Tridgell. Samba is now developed by the Samba Team as an Open
-Source project.
-<p><strong>winbindd</strong> was written by Tim Potter.
-</body>
-</html>
+ </PRE
+></P
+><P
+>Now start winbindd and you should find that your user and
+ group database is expanded to include your NT users and groups,
+ and that you can login to your unix box as a domain user, using
+ the DOMAIN+user syntax for the username. You may wish to use the
+ commands <B
+CLASS="COMMAND"
+>getent passwd</B
+> and <B
+CLASS="COMMAND"
+>getent group
+ </B
+> to confirm the correct operation of winbindd.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN191"
+></A
+><H2
+>Notes</H2
+><P
+>The following notes are useful when configuring and
+ running <B
+CLASS="COMMAND"
+>winbindd</B
+>: </P
+><P
+><B
+CLASS="COMMAND"
+>nmbd</B
+> must be running on the local machine
+ for <B
+CLASS="COMMAND"
+>winbindd</B
+> to work. <B
+CLASS="COMMAND"
+>winbindd</B
+>
+ queries the list of trusted domains for the Windows NT server
+ on startup and when a SIGHUP is received. Thus, for a running <B
+CLASS="COMMAND"
+> winbindd</B
+> to become aware of new trust relationships between
+ servers, it must be sent a SIGHUP signal. </P
+><P
+>Client processes resolving names through the <B
+CLASS="COMMAND"
+>winbindd</B
+>
+ nsswitch module read an environment variable named <TT
+CLASS="PARAMETER"
+><I
+> $WINBINDD_DOMAIN</I
+></TT
+>. If this variable contains a comma separated
+ list of Windows NT domain names, then winbindd will only resolve users
+ and groups within those Windows NT domains. </P
+><P
+>PAM is really easy to misconfigure. Make sure you know what
+ you are doing when modifying PAM configuration files. It is possible
+ to set up PAM such that you can no longer log into your system. </P
+><P
+>If more than one UNIX machine is running <B
+CLASS="COMMAND"
+>winbindd</B
+>,
+ then in general the user and groups ids allocated by winbindd will not
+ be the same. The user and group ids will only be valid for the local
+ machine.</P
+><P
+>If the the Windows NT RID to UNIX user and group id mapping
+ file is damaged or destroyed then the mappings will be lost. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN207"
+></A
+><H2
+>Signals</H2
+><P
+>The following signals can be used to manipulate the
+ <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon. </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>SIGHUP</DT
+><DD
+><P
+>Reload the <TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+>
+ file and apply any parameter changes to the running
+ version of winbindd. This signal also clears any cached
+ user and group information. The list of other domains trusted
+ by winbindd is also reloaded. </P
+></DD
+><DT
+>SIGUSR1</DT
+><DD
+><P
+>The SIGUSR1 signal will cause <B
+CLASS="COMMAND"
+> winbindd</B
+> to write status information to the winbind
+ log file including information about the number of user and
+ group ids allocated by <B
+CLASS="COMMAND"
+>winbindd</B
+>.</P
+><P
+>Log files are stored in the filename specified by the
+ log file parameter.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN224"
+></A
+><H2
+>Files</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf(5)</TT
+></DT
+><DD
+><P
+>Name service switch configuration file.</P
+></DD
+><DT
+>/tmp/.winbindd/pipe</DT
+><DD
+><P
+>The UNIX pipe over which clients communicate with
+ the <B
+CLASS="COMMAND"
+>winbindd</B
+> program. For security reasons, the
+ winbind client will only attempt to connect to the winbindd daemon
+ if both the <TT
+CLASS="FILENAME"
+>/tmp/.winbindd</TT
+> directory
+ and <TT
+CLASS="FILENAME"
+>/tmp/.winbindd/pipe</TT
+> file are owned by
+ root. </P
+></DD
+><DT
+>/lib/libnss_winbind.so.X</DT
+><DD
+><P
+>Implementation of name service switch library.
+ </P
+></DD
+><DT
+>$LOCKDIR/winbindd_idmap.tdb</DT
+><DD
+><P
+>Storage for the Windows NT rid to UNIX user/group
+ id mapping. The lock directory is specified when Samba is initially
+ compiled using the <TT
+CLASS="FILENAME"
+>--with-lockdir</TT
+> option.
+ This directory is by default <TT
+CLASS="FILENAME"
+>/usr/local/samba/var/locks
+ </TT
+>. </P
+></DD
+><DT
+>$LOCKDIR/winbindd_cache.tdb</DT
+><DD
+><P
+>Storage for cached user and group information.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN253"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite. winbindd is however not available in
+ stable release of Samba as of yet.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN256"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><TT
+CLASS="FILENAME"
+>nsswitch.conf(5)</TT
+>,
+ <A
+HREF="samba.7.html"
+TARGET="_top"
+>samba(7)</A
+>,
+ <A
+HREF="wbinfo.1.html"
+TARGET="_top"
+>wbinfo(1)</A
+>,
+ <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5)</A
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN263"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+><B
+CLASS="COMMAND"
+>wbinfo</B
+> and <B
+CLASS="COMMAND"
+>winbindd</B
+>
+ were written by Tim Potter.</P
+><P
+>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file