Diffstat (limited to 'docs/yodldocs/winbindd.8.yo')
-rw-r--r-- docs/yodldocs/winbindd.8.yo | 400
1 files changed, 0 insertions, 400 deletions
diff --git a/docs/yodldocs/winbindd.8.yo b/docs/yodldocs/winbindd.8.yo deleted file mode 100644 index 59547d76d3..0000000000 --- a/docs/yodldocs/winbindd.8.yo +++ /dev/null 
@@ -1,400 +0,0 @@ -mailto(samba-bugs@samba.org) -manpage(winbindd htmlcommand((8)))(8)(13 Jun 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(winbindd)(Name Service Switch daemon for resolving names from NT servers) - -label(SYNOPSIS) -manpagesynopsis() - -bf(winbindd) [link(-d debuglevel)(minusd)] [link(-i)(minusi)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. - -bf(winbindd) is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the tt(/etc/nsswitch.conf) file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. - -The service provided by bf(winbindd) is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. - -The following nsswitch databases are implemented by the bf(winbindd) -service: - -startdit() - -dit(passwd) - -User information traditionally stored in the bf(passwd(5)) file and used by -bf(getpwent(3)) functions. - -dit(group) - -Group information traditionally stored in the bf(group(5)) file and used by -bf(getgrent(3)) functions. - -enddit() - -For example, the following simple configuration in the -tt(/etc/nsswitch.conf) file can be used to initially resolve user and group -information from tt(/etc/passwd) and tt(/etc/group) and then from the -Windows NT server. 
- -verb( - passwd: files winbind - group: files winbind -) - -label(OPTIONS) -manpageoptions() - -The following options are available to the bf(winbindd) daemon: - -startdit() - -label(minusd) -dit(bf(-d debuglevel)) -Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see bf(BUGS.txt)). - -label(minusi) -dit(bf(-i)) -Tells bf(winbindd) to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of bf(winbindd) is -required. - -enddit() - -label(NAMEANDIDRESOLUTION) -manpagesection(NAME AND ID RESOLUTION) - -Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that bf(winbindd) performs. - -As bf(winbindd) users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. - -WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by bf(winbindd). If this file is deleted or -corrupted, there is no way for bf(winbindd) to determine which user and -group ids correspond to Windows NT user and group rids. - -label(CONFIGURATION) -manpagesection(CONFIGURATION) - -Configuration of the bf(winbindd) daemon is done through configuration -parameters in the url(bf(smb.conf))(smb.conf.5.html) file. All parameters -should be specified in the [global] section of -url(bf(smb.conf))(smb.conf.5.html). 
- -startdit() - -dit(winbind separator) - -The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. - - bf(Default:) -tt( winbind separator = \) - - bf(Example:) -tt( winbind separator = +) - -dit(winbind uid) - -The winbind uid parameter specifies the range of user ids that are -allocated by the bf(winbindd) daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. - - bf(Default:) -tt( winbind uid = <empty string>) - - bf(Example:) -tt( winbind uid = 10000-20000) - -dit(winbind gid) - -The winbind gid parameter specifies the range of group ids that are -allocated by the bf(winbindd) daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. - - bf(Default:) -tt( winbind gid = <empty string>) - - bf(Example:) -tt( winbind gid = 10000-20000) - -dit(winbind cache time) - -This parameter specifies the number of seconds the bf(winbindd) daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time bf(winbindd) will ask -the domain controller for the sequence number of the servers account -database. 
If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing bf(winbindd) will only have to send one -sequence number query packet every "winbind cache time" seconds. - - bf(Default:) -tt( winbind cache time = 15) - -dit(winbind enum users) - -On large installations it may be necessary to suppress the enumeration of -users through the tt(setpwent), tt(getpwent) and tt(endpwent) group of -system calls. If the tt(winbind enum users) parameter is false, calls to -the tt(getpwent) system call will not return any data. - -Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. - - bf(Default:) -tt( winbind enum users = true) - -dit(winbind enum groups) - -On large installations it may be necessary to suppress the enumeration of -groups through the tt(setgrent), tt(getgrent) and tt(endgrent) group of -system calls. If the tt(winbind enum groups) parameter is false, calls to -the tt(getgrent) system call will not return any data. - -Warning: Turning off group enumeration may cause some programs to behave -oddly. - - bf(Default:) -tt( winbind enum groups = true) - -dit(template homedir) - -When filling out the user information for a Windows NT user, the -bf(winbindd) daemon uses this parameter to fill in the home directory for -that user. If the string tt(%D) is present it is substituted with the -user's Windows NT domain name. If the string tt(%U) is present it is -substituted with the user's Windows NT user name. - - bf(Default:) -tt( template homedir = /home/%D/%U) - -dit(template shell) - -When filling out the user information for a Windows NT user, the -bf(winbindd) daemon uses this parameter to fill in the shell for that user. 
- - bf(Default:) -tt( template shell = /bin/false) - -enddit() - - -label(EXAMPLESETUP) -manpagesection(EXAMPLE SETUP) - -To setup bf(winbindd) for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. - -In tt(/etc/nsswitch.conf) put the following: -verb( - passwd: files winbind - group: files winbind -) - -In tt(/etc/pam.d/*) replace the tt(auth) lines with something like this: -verb( - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_nologin.so - auth sufficient /lib/security/pam_winbind.so - auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok -) - -Note in particular the use of the tt(sufficient) keyword and the -tt(use_first_pass) keyword. - -Now replace the account lines with this: -verb( - account required /lib/security/pam_winbind.so -) - -The next step is to join the domain. To do that use the samedit -program like this: -verb( - samedit -S '*' -W DOMAIN -UAdministrator -) - -The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -verb( - createuser MACHINE$ -j DOMAIN -L -) - -This assumes your domain is called tt(DOMAIN) and your Samba workstation -is called tt(MACHINE). - -Next copy tt(libnss_winbind.so.2) to tt(/lib) and tt(pam_winbind.so) to -tt(/lib/security). - -Finally, setup a smb.conf containing directives like the following: -verb( - [global] - winbind separator = + - winbind cache time = 10 - template shell = /bin/bash - template homedir = /home/%D/%U - winbind uid = 10000-20000 - winbind gid = 10000-20000 - workgroup = DOMAIN - security = domain - password server = * -) - -Now start bf(winbindd) and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the tt(DOMAIN+user) -syntax for the username. 
You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -bf(winbindd). - -label(NOTES) -manpagesection(NOTES) - -The following notes are useful when configuring and running bf(winbindd): - -startdit() - -dit() -url(bf(nmbd))(nmbd.8.html) must be running on the local machine for -bf(winbindd) to work. - -dit() -bf(winbindd) queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received. Thus, for a running bf(winbindd) -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal. - -dit() -Client processes resolving names through the bf(winbindd) nsswitch module -read an environment variable named tt(WINBINDD_DOMAIN). If this variable -contains a comma separated list of Windows NT domain names, then bf(winbindd) -will only resolve users and groups within those Windows NT domains. - -dit() -PAM is really easy to misconfigure. Make sure you know what you are doing -when modifying PAM configuration files. It is possible to set up PAM -such that you can no longer log into your system. - -dit() -If more than one UNIX machine is running bf(winbindd), then in general the -user and groups ids allocated by bf(winbindd) will not be the same. The -user and group ids will only be valid for the local machine. - -dit() -If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost. - -enddit() - -label(SIGNALS) -manpagesection(SIGNALS) - -The following signals can be used to manipulate the bf(winbindd) daemon. - -startdit() - -dit(tt(SIGHUP)) - -Reload the tt(smb.conf) file and apply any parameter changes to the running -version of bf(winbindd). This signal also clears any cached user and group -information. The list of other domains trusted by bf(winbindd) is also -reloaded. 
- -dit(tt(SIGUSR1)) - -The tt(SIGUSR1) signal will cause bf(winbindd) to write status information -to the winbind log file including information about the number of user and -group ids allocated by bf(winbindd). - -Log files are stored in the filename specified by the bf(log file) parameter. - -enddit() - -label(FILES) -manpagefiles() - -The following files are relevant to the operation of the bf(winbindd) -daemon. - -startdit() - -dit(/etc/nsswitch.conf(5)) - -Name service switch configuration file. - -dit(/tmp/.winbindd/pipe) - -The UNIX pipe over which clients communicate with the bf(winbindd) program. -For security reasons, the winbind client will only attempt to connect to the -bf(winbindd) daemon if both the tt(/tmp/.winbindd) directory and -tt(/tmp/.winbindd/pipe) file are owned by root. - -dit(/lib/libnss_winbind.so.X) - -Implementation of name service switch library. - -dit($LOCKDIR/winbindd_idmap.tdb) - -Storage for the Windows NT rid to UNIX user/group id mapping. The lock -directory is specified when Samba is initially compiled using the -tt(--with-lockdir) option. This directory is by default -tt(/usr/local/samba/var/locks). - -dit($LOCKDIR/winbindd_cache.tdb) - -Storage for cached user and group information. - -enddit() - -label(SEEALSO) -manpageseealso() - -url(bf(samba(7)))(samba.7.html), url(bf(smb.conf(5)))(smb.conf.5.html), -bf(nsswitch.conf(5)), url(bf(wbinfo(1)))(wbinfo.1.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. - -bf(winbindd) was written by Tim Potter. |
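Review bot: deleting the whole winbindd.8.yo manpage with no replacement in the same change (the diffstat shows 1 file changed, 0 insertions, 400 deletions) drops documentation that administrators rely on for safe operation, and the commit should either carry the file that supersedes it or state where that content now lives. In particular the removed text is the only place in this tree that records three operational caveats: the client-side ownership check on tt(/tmp/.winbindd) and tt(/tmp/.winbindd/pipe) ("the winbind client will only attempt to connect ... if both ... are owned by root"), the warning that tt($LOCKDIR/winbindd_idmap.tdb) is the sole store of the rid to unix id mapping and cannot be reconstructed if lost, and the NOTES entry that a misconfigured PAM stack can lock users out. If the manpage has been converted to another format, please include that file in this diff or name it in the commit message so the history shows the documentation was moved rather than dropped; if it is intentionally retired, a one-line pointer in the SEE ALSO of smb.conf(5) or wbinfo(1) to the new location would keep those caveats discoverable.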