From 9a43d69ac4000d6b7b5a07089f22af4451ea4b31 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 02:34:22 +0000 Subject: autogenerated files.... (This used to be commit edb0e5df4c7053a7163d32bba7ecf893a67523ca) --- docs/htmldocs/smbtar.1.html | 482 ++++++++++++----- docs/htmldocs/swat.8.html | 548 ++++++++++++++----- docs/htmldocs/winbindd.8.html | 1194 +++++++++++++++++++++++++++++------------ docs/manpages/smbtar.1 | 245 +++++---- docs/manpages/swat.8 | 283 +++++----- docs/manpages/winbindd.8 | 748 ++++++++++++-------------- 6 files changed, 2221 insertions(+), 1279 deletions(-) diff --git a/docs/htmldocs/smbtar.1.html b/docs/htmldocs/smbtar.1.html index 68aab355ed..5e13ef3577 100644 --- a/docs/htmldocs/smbtar.1.html +++ b/docs/htmldocs/smbtar.1.html @@ -1,130 +1,352 @@ - - - - - - -smbtar (1) - - - - - -

- -

smbtar (1)

Samba

23 Oct 1998

- - - -

NAME

- smbtar - shell script for backing up SMB/CIFS shares directly to UNIX tape drives -

SYNOPSIS

- -

smbtar -s server [-p password] [-x service] [-X] [-d directory] [-u user] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l log level] [-v] filenames -

DESCRIPTION

- -

This program is part of the Samba suite. -

smbtar is a very small shell script on top of -smbclient which dumps SMB shares directly -to tape. -

OPTIONS

- -

-s server

The SMB/CIFS server that the share resides upon. -

-x service

The share name on the server to connect -to. The default is backup. -

-X

Exclude mode. Exclude filenames... from tar create or -restore. -

-d directory

Change to initial directory before restoring -/ backing up files. -

-v

Verbose mode. -

-p password

The password to use to access a share. Default: -none -

-u user

The user id to connect as. Default: UNIX login name. -

-t tape

Tape device. May be regular file or tape -device. Default: TAPE environmental variable; if not set, a file -called tar.out. -

-b blocksize

Blocking factor. Defaults to 20. See tar (1) -for a fuller explanation. -

-N filename

Backup only files newer than filename. Could be -used (for example) on a log file to implement incremental backups. -

-i

Incremental mode; tar files are only backed up if they -have the archive bit set. The archive bit is reset after each file is -read. -

-r

Restore. Files are restored to the share from the tar -file. -

-l log level

Log (debug) level. Corresponds to the --d flag of smbclient -(1). -

ENVIRONMENT VARIABLES

- -

The TAPE variable specifies the default tape device to write to. May -be overridden with the -t option. -

BUGS

- -

The smbtar script has different options from ordinary tar and tar -called from smbclient. -

CAVEATS

- -

Sites that are more careful about security may not like the way the -script handles PC passwords. Backup and restore work on entire shares, -should work on file lists. smbtar works best with GNU tar and may -not work well with other versions. -

VERSION

- -

This man page is correct for version 2.0 of the Samba suite. -

DIAGNOSTICS

- -

See the DIAGNOSTICS section for -the smbclient command. -

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -

Ricky Poulten poultenr@logica.co.uk wrote the tar extension and -this man page. The smbtar script was heavily rewritten and -improved by Martin Kraemer Martin.Kraemer@mch.sni.de. Many -thanks to everyone who suggested extensions, improvements, bug fixes, -etc. The man page sources were converted to YODL format (another -excellent piece of Open Source software available at -ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison, -samba@samba.org. -

See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -

- +smbtar

smbtar

Name

smbtar -- shell script for backing up SMB/CIFS shares + directly to UNIX tape drives

Synopsis

smbtar {-s server} [-p password] [-x services] [-X] [-d directory] [-u user] [-t tape] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l loglevel] [-v] {filenames}

DESCRIPTION

This tool is part of the Samba suite.

smbtar is a very small shell script on top + of smbclient(1) + which dumps SMB shares directly to tape.

OPTIONS

-s server: The SMB/CIFS server that the share resides + upon.
-x service: The share name on the server to connect to. + The default is "backup".
-X: Exclude mode. Exclude filenames... from tar + create or restore.
-d directory: Change to initial directory + before restoring / backing up files.
-v: Verbose mode.
-p password: The password to use to access a share. + Default: none
-u user: The user id to connect as. Default: + UNIX login name.
-t tape: Tape device. May be regular file or tape + device. Default: $TAPE environmental + variable; if not set, a file called tar.out +.
-b blocksize: Blocking factor. Defaults to 20. See + tar(1) for a fuller explanation.
-N filename: Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups.
-i: Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read.
-r: Restore. Files are restored to the share + from the tar file.
-l log level: Log (debug) level. Corresponds to the + -d flag of smbclient(1) + .

ENVIRONMENT VARIABLES

The $TAPE variable specifies the + default tape device to write to. May be overridden + with the -t option.

BUGS

The smbtar script has different + options from ordinary tar and tar called from smbclient.

CAVEATS

Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares, should work on file lists. smbtar works best + with GNU tar and may not work well with other versions.

DIAGNOSTICS

See the DIAGNOSTICS section for the + smbclient(1) + command.

VERSION

This man page is correct for version 2.2 of + the Samba suite.

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

Ricky Poulten + wrote the tar extension and this man page. The smbtar + script was heavily rewritten and improved by Martin Kraemer. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter.

\ No newline at end of file diff --git a/docs/htmldocs/swat.8.html b/docs/htmldocs/swat.8.html index 12d83247fd..2c0d016399 100644 --- a/docs/htmldocs/swat.8.html +++ b/docs/htmldocs/swat.8.html @@ -1,148 +1,400 @@ - - - - - - -swat (8) - - - - - -

- -

swat (8)

Samba

23 Oct 1998

- - - -

NAME

- swat - Samba Web Administration Tool -

SYNOPSIS

- -

swat [-s smb config file] [-a] -

DESCRIPTION

- -

This program is part of the Samba suite. -

swat allows a Samba administrator to configure the complex -smb.conf file via a Web browser. In -addition, a swat configuration page has help links to all the -configurable options in the smb.conf file -allowing an administrator to easily look up the effects of any change. -

swat is run from inetd -

OPTIONS

- -

-s smb configuration file

The default configuration file path is -determined at compile time. -

The file specified contains the configuration details required by the -smbd server. This is the file that swat will -modify. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See smb.conf -(5) for more information. -

-a

This option disables authentication and puts swat in demo mode. In -that mode anyone will be able to modify the -smb.conf file. -

Do NOT enable this option on a production server. -

INSTALLATION

- -

After you compile SWAT you need to run "make install" to install the -swat binary and the various help files and images. A default install -would put these in: -

-
-/usr/local/samba/bin/swat
-/usr/local/samba/swat/images/*
-/usr/local/samba/swat/help/*
-
-

- -

INETD INSTALLATION

- -

You need to edit your /etc/inetd.conf and /etc/services to -enable SWAT to be launched via inetd. -

In /etc/services you need to add a line like this: -

swat 901/tcp -

Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local /etc/services file. -

the choice of port number isn't really important except that it should -be less than 1024 and not currently used (using a number above 1024 -presents an obscure security hole depending on the implementation -details of your inetd daemon). -

In /etc/inetd.conf you should add a line like this: -

swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat -

One you have edited /etc/services and /etc/inetd.conf you need -to send a HUP signal to inetd. To do this use "kill -1 PID" where -PID is the process ID of the inetd daemon. -

LAUNCHING

- -

To launch swat just run your favorite web browser and point it at -http://localhost:901/. -

Note that you can attach to swat from any IP connected machine but -connecting from a remote machine leaves your connection open to -password sniffing as passwords will be sent in the clear over the -wire. -

FILES

- -

/etc/inetd.conf -

This file must contain suitable startup information for the -meta-daemon. -

/etc/services -

This file must contain a mapping of service name (e.g., swat) to -service port (e.g., 901) and protocol type (e.g., tcp). -

/usr/local/samba/lib/smb.conf -

This is the default location of the smb.conf server configuration -file that swat edits. Other common places that systems install -this file are /usr/samba/lib/smb.conf and /etc/smb.conf. -

This file describes all the services the server is to make available -to clients. See smb.conf (5) for more information. -

WARNINGS

- -

swat will rewrite your smb.conf file. It -will rearrange the entries and delete all comments, -"include=" and -"copy=" options. If you have a -carefully crafted smb.conf then back it up -or don't use swat! -

VERSION

- -

This man page is correct for version 2.0 of the Samba suite. -

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -

The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison. -samba@samba.org. -

See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - - +swat

swat

Name

swat -- Samba Web Administration Tool

Synopsis

nmblookup [-s <smb config file>] [-a]

DESCRIPTION

This tool is part of the Samba suite.

swat allows a Samba administrator to + configure the complex smb.conf(5) file via a Web browser. In addition, + a swat configuration page has help links + to all the configurable options in the smb.conf file allowing an + administrator to easily look up the effects of any change.

swat is run from inetd

OPTIONS

-s smb configuration file

The default configuration file path is + determined at compile time. The file specified contains + the configuration details required by the smbd + server. This is the file that swat will modify. + The information in this file includes server-specific + information such as what printcap file to use, as well as + descriptions of all the services that the server is to provide. + See smb.conf for more information. +

-a

This option disables authentication and puts + swat in demo mode. In that mode anyone will be able to modify + the smb.conf file.

Do NOT enable this option on a production + server.

INSTALLATION

After you compile SWAT you need to run make install + to install the swat binary + and the various help files and images. A default install would put + these in:

/usr/local/samba/bin/swat
/usr/local/samba/swat/images/*
/usr/local/samba/swat/help/*

Inetd Installation

You need to edit your /etc/inetd.conf + and /etc/services + to enable SWAT to be launched via inetd.

In /etc/services you need to + add a line like this:

swat 901/tcp

Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local /etc/services file.

the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + inetd daemon).

In /etc/inetd.conf you should + add a line like this:

swat stream tcp nowait.400 root + /usr/local/samba/bin/swat swat

One you have edited /etc/services + and /etc/inetd.conf you need to send a + HUP signal to inetd. To do this use kill -1 PID + where PID is the process ID of the inetd daemon.

Launching

To launch swat just run your favorite web browser and + point it at "http://localhost:901/".

Note that you can attach to swat from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire.

FILES

/etc/inetd.conf: This file must contain suitable startup + information for the meta-daemon.
/etc/services: This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp).
/usr/local/samba/lib/smb.conf: This is the default location of the smb.conf(5) + server configuration file that swat edits. Other + common places that systems install this file are /usr/samba/lib/smb.conf and /etc/smb.conf +. This file describes all the services the server + is to make available to clients.

WANRNIGS

swat will rewrite your smb.conf + file. It will rearrange the entries and delete all + comments, include= and copy=" + options. If you have a carefully crafted smb.conf then back it up or don't use swat!

VERSION

This man page is correct for version 2.2 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter

\ No newline at end of file diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index 2caa9ccf01..a98b7a2864 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,245 +1,594 @@ - - - - - -winbindd (8) - - - - - -

- -

winbindd (8)

Samba

13 Jun 2000

- - - -

NAME

- winbindd - Name Service Switch daemon for resolving names from NT servers -

SYNOPSIS

- -

winbindd [-d debuglevel] [-i] -

DESCRIPTION

- -

This program is part of the Samba suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -

winbindd is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the /etc/nsswitch.conf file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. -

The service provided by winbindd is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. -

The following nsswitch databases are implemented by the winbindd -service: -

passwd

User information traditionally stored in the passwd(5) file and used by -getpwent(3) functions. -

group

Group information traditionally stored in the group(5) file and used by -getgrent(3) functions. -

For example, the following simple configuration in the -/etc/nsswitch.conf file can be used to initially resolve user and group -information from /etc/passwd and /etc/group and then from the -Windows NT server. -

-
-  passwd:         files winbind
-  group:          files winbind
-
-

- -

OPTIONS

- -

The following options are available to the winbindd daemon: -

-d debuglevel

-Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see BUGS.txt). -

-i

-Tells winbindd to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of winbindd is -required. -

NAME AND ID RESOLUTION

- -

Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that winbindd performs. -

As winbindd users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. -

WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by winbindd. If this file is deleted or -corrupted, there is no way for winbindd to determine which user and -group ids correspond to Windows NT user and group rids. -

CONFIGURATION

- -

Configuration of the winbindd daemon is done through configuration -parameters in the smb.conf file. All parameters -should be specified in the [global] section of -smb.conf. -

winbind separator

The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. -

Default: - winbind separator = \ -

Example: - winbind separator = + -

winbind uid

The winbind uid parameter specifies the range of user ids that are -allocated by the winbindd daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -

Default: - winbind uid = <empty string> -

Example: - winbind uid = 10000-20000 -

winbind gid

The winbind gid parameter specifies the range of group ids that are -allocated by the winbindd daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. -

Default: - winbind gid = <empty string> -

Example: - winbind gid = 10000-20000 -

winbind cache time

This parameter specifies the number of seconds the winbindd daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time winbindd will ask -the domain controller for the sequence number of the servers account -database. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing winbindd will only have to send one -sequence number query packet every "winbind cache time" seconds. -

Default: - winbind cache time = 15 -

winbind enum users

On large installations it may be necessary to suppress the enumeration of -users through the setpwent, getpwent and endpwent group of -system calls. If the winbind enum users parameter is false, calls to -the getpwent system call will not return any data. -

Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. -

Default: - winbind enum users = true -

winbind enum groups

On large installations it may be necessary to suppress the enumeration of -groups through the setgrent, getgrent and endgrent group of -system calls. If the winbind enum groups parameter is false, calls to -the getgrent system call will not return any data. -

Warning: Turning off group enumeration may cause some programs to behave -oddly. -

Default: - winbind enum groups = true -

template homedir

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the home directory for -that user. If the string %D is present it is substituted with the -user's Windows NT domain name. If the string %U is present it is -substituted with the user's Windows NT user name. -

Default: - template homedir = /home/%D/%U -

template shell

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the shell for that user. -

Default: - template shell = /bin/false -

EXAMPLE SETUP

- -

To setup winbindd for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. -

In /etc/nsswitch.conf put the following: -

-
-   passwd:     files winbind
-   group:      files winbind
-
-

- -

In /etc/pam.d/* replace the auth lines with something like this: -

-
-	auth       required	/lib/security/pam_securetty.so
-	auth       required	/lib/security/pam_nologin.so
-	auth       sufficient	/lib/security/pam_winbind.so
-	auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
-
-

- -

Note in particular the use of the sufficient keyword and the -use_first_pass keyword. -

Now replace the account lines with this: -

-
-	account    required	/lib/security/pam_winbind.so
-
-

- -

The next step is to join the domain. To do that use the samedit -program like this: -

-
-	samedit -S '*' -W DOMAIN -UAdministrator
-
-

- -

The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -

-
-	createuser MACHINE$ -j DOMAIN -L
-
-

- -

This assumes your domain is called DOMAIN and your Samba workstation -is called MACHINE. -

Next copy libnss_winbind.so.2 to /lib and pam_winbind.so to -/lib/security. -

Finally, setup a smb.conf containing directives like the following: -

-
-  [global]
-        winbind separator = +
+winbinddwinbindd
Namewinbindd -- Name Service Switch daemon for resolving names 
+	from NT servers
Synopsis
nmblookup  [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}
DESCRIPTION
This tool is part of the 	Samba suite version 3.0 and describes functionality not 
+	yet implemented in the main version of Samba.
winbindd is a daemon that provides 
+	a service for the Name Service Switch capability that is present 
+	in most modern C libraries.  The Name Service Switch allows user 
+	and system information to be obtained from different databases 
+	services such as NIS or DNS.  The exact behaviour can be configured 
+	throught the /etc/nsswitch.conf file.  
+	Users and groups are allocated as they are resolved to a range 
+	of user and group ids specified by the administrator of the 
+	Samba system.
The service provided by winbindd is called `winbind' and 
+	can be used to resolve user and group information from a 
+	Windows NT server. The service can also provide authentication
+	services via an associated PAM module. 
The following nsswitch databases are implemented by 
+	the winbindd service: 
passwd
User information traditionally stored in 
+		the passwd(5) file and used by 
+		getpwent(3) functions. 
group
Group information traditionally stored in 
+		the group(5) file and used by 		
+		getgrent(3) functions. 
For example, the following simple configuration in the
+	/etc/nsswitch.conf file can be used to initially 
+	resolve user and group information from /etc/passwd
+	 and /etc/group and then from the 
+	Windows NT server. 
passwd:         files winbind
+group:          files winbind
+	
OPTIONS
-d debuglevel
Sets the debuglevel to an integer between 
+		0 and 100. 0 is for no debugging and 100 is for reams and 
+		reams. To submit a bug report to the Samba Team, use debug 
+		level 100 (see BUGS.txt).   
-i
Tells winbindd to not 
+		become a daemon and detach from the current terminal. This 
+		option is used by developers when interactive debugging 
+		of winbindd is required. 
NAME AND ID RESOLUTION
Users and groups on a Windows NT server are assigned 
+	a relative id (rid) which is unique for the domain when the 
+	user or group is created.  To convert the Windows NT user or group 
+	into a unix user or group, a mapping between rids and unix user 
+	and group ids is required.  This is one of the jobs that 	winbindd performs. 
As winbindd users and groups are resolved from a server, user 
+	and group ids are allocated from a specified range.  This
+	is done on a first come, first served basis, although all existing 
+	users and groups will be mapped as soon as a client performs a user 
+	or group enumeration command.  The allocated unix ids are stored 
+	in a database file under the Samba lock directory and will be 
+	remembered. 
WARNING: The rid to unix id database is the only location 
+	where the user and group mappings are stored by winbindd.  If this 
+	file is deleted or corrupted, there is no way for winbindd to 
+	determine which user and group ids correspond to Windows NT user 
+	and group rids. 
CONFIGURATION
Configuration of the winbindd daemon 
+	is done through configuration parameters in the smb.conf(5)
+	 file.  All parameters should be specified in the 
+	[global] section of smb.conf. 
winbind separator
The winbind separator option allows you 
+		to specify how NT domain names and user names are combined 
+		into unix user names when presented to users. By default, 
+		winbindd will use the traditional '\' 
+		separator so that the unix user names look like 
+		DOMAIN\username. In some cases this separator character may 
+		cause problems as the '\' character has special meaning in 
+		unix shells.  In that case you can use the winbind separator 
+		option to specify an alternative sepataror character. Good 
+		alternatives may be '/' (although that conflicts
+		with the unix directory separator) or a '+ 'character. 
+		The '+' character appears to be the best choice for 100% 
+		compatibility with existing unix utilities, but may be an 
+		aesthetically bad choice depending on your taste. 
Default: winbind separator = \ 
+		
Example: winbind separator = + 
winbind uid
The winbind uid parameter specifies the 
+		range of user ids that are allocated by the winbindd daemon.  
+		This range of ids should have no existing local or nis users 
+		within it as strange conflicts can occur otherwise. 
Default: winbind uid = <empty string> 
+		
Example: winbind uid = 10000-20000
winbind gid
The winbind gid parameter specifies the 
+		range of group ids that are allocated by the winbindd daemon.  
+		This range of group ids should have no existing local or nis 
+		groups within it as strange conflicts can occur otherwise.
Default: winbind gid = <empty string>
+		
Example: winbind gid = 10000-20000
+		 
winbind cache time
This parameter specifies the number of 
+		seconds the winbindd daemon will cache user and group information 
+		before querying a Windows NT server again. When a item in the 
+		cache is older than this time winbindd will ask the domain 
+		controller for the sequence number of the servers account database. 
+		If the sequence number has not changed then the cached item is 
+		marked as valid for a further winbind cache time
+		 seconds.  Otherwise the item is fetched from the 
+		server. This means that as long as the account database is not 
+		actively changing winbindd will only have to send one sequence 
+		number query packet every winbind cache time
+		 seconds. 
Default: winbind cache time = 15
+		
winbind enum users
On large installations it may be necessary 
+		to suppress the enumeration of users through the 		setpwent(), getpwent() and 
+		endpwent() group of system calls.  If 
+		the winbind enum users parameter is false, 
+		calls to the getpwent system call will not 
+		return any data. 
Warning: Turning off user enumeration 
+		may cause some programs to behave oddly.  For example, the finger 
+		program relies on having access to the full user list when 
+		searching  for matching usernames. 
Default: winbind enum users = yes 
winbind enum groups
On large installations it may be necessary 
+		to suppress the enumeration of groups through the 		setgrent(), getgrent() and 
+		endgrent() group of system calls.  If 
+		the winbind enum groups parameter is 
+		false, calls to the getgrent() system 
+		call will not return any data. 
Warning: Turning off group 
+		enumeration may cause some programs to behave oddly. 
+		
Default: winbind enum groups = no 
+		
template homedir
When filling out the user information 
+		for a Windows NT user, the winbindd daemon 
+		uses this parameter to fill in the home directory for that user.  
+		If the string %D is present it is 
+		substituted with the user's Windows NT domain name.  If the 
+		string %U is present it is substituted
+		with the user's Windows NT user name. 
Default: template homedir = /home/%D/%U 
+		
template shell
When filling out the user information for 
+ 		a Windows NT user, the winbindd daemon 
+		uses this parameter to fill in the shell for that user. 
+		
Default: template shell = /bin/false 
+		
EXAMPLE SETUP
To setup winbindd for user and group lookups plus 
+	authentication from a domain controller use something like the 
+	following setup. This was tested on a RedHat 6.2 Linux box. 
In /etc/nsswitch.conf put the 
+	following:
passwd:     files winbind
+group:      files winbind
+	
In /etc/pam.d/* replace the 
+	auth lines with something like this: 
auth       required	/lib/security/pam_securetty.so
+auth       required	/lib/security/pam_nologin.so
+auth       sufficient	/lib/security/pam_winbind.so
+auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
+	
Note in particular the use of the sufficient 
+	keyword and the use_first_pass keyword. 
Now replace the account lines with this: 
account    required	/lib/security/pam_winbind.so
+	
The next step is to join the domain. To do that use the 
+	samedit program like this:  
samedit -S '*' -W DOMAIN -UAdministrator
The username after the -U can be any Domain 
+	user that has administrator priviliges on the machine. Next from 
+	within samedit, run the command: 
createuser MACHINE$ -j DOMAIN -L
This assumes your domain is called "DOMAIN" and your Samba 
+	workstation is called "MACHINE". 
Next copy libnss_winbind.so.2 to 
+	/lib and pam_winbind.so
+	to /lib/security.
Finally, setup a smb.conf containing directives like the 
+	following:  
[global]
+	winbind separator = +
         winbind cache time = 10
         template shell = /bin/bash
         template homedir = /home/%D/%U
@@ -248,95 +597,272 @@ is called MACHINE.
         workgroup = DOMAIN
         security = domain
         password server = *
-
-
-
-Now start winbindd and you should find that your user and group
-database is expanded to include your NT users and groups, and that you
-can login to your unix box as a domain user, using the DOMAIN+user
-syntax for the username. You may wish to use the commands "getent
-passwd" and "getent group" to confirm the correct operation of
-winbindd. 
-

-
NOTES
-    
-The following notes are useful when configuring and running winbindd:
-

-

-nmbd must be running on the local machine for
-winbindd to work.
-

-winbindd queries the list of trusted domains for the Windows NT server
-on startup and when a SIGHUP is received.  Thus, for a running winbindd
-to become aware of new trust relationships between servers, it must be sent
-a SIGHUP signal.
-
 
-Client processes resolving names through the winbindd nsswitch module
-read an environment variable named WINBINDD_DOMAIN.  If this variable
-contains a comma separated list of Windows NT domain names, then winbindd
-will only resolve users and groups within those Windows NT domains.
-

-PAM is really easy to misconfigure.  Make sure you know what you are doing
-when modifying PAM configuration files.  It is possible to set up PAM
-such that you can no longer log into your system.
-

-If more than one UNIX machine is running winbindd, then in general the
-user and groups ids allocated by winbindd will not be the same.  The
-user and group ids will only be valid for the local machine.  
-

-If the the Windows NT RID to UNIX user and group id mapping file
-is damaged or destroyed then the mappings will be lost.
-
-
-
SIGNALS
-    
-The following signals can be used to manipulate the winbindd daemon.
-

-
SIGHUP

-Reload the smb.conf file and apply any parameter changes to the running
-version of winbindd.  This signal also clears any cached user and group
-information.  The list of other domains trusted by winbindd is also
-reloaded. 
-
SIGUSR1

-The SIGUSR1 signal will cause winbindd to write status information
-to the winbind log file including information about the number of user and
-group ids allocated by winbindd.
-
Log files are stored in the filename specified by the log file parameter.
-

-
-
FILES
-    
-The following files are relevant to the operation of the winbindd
-daemon.
-

-
/etc/nsswitch.conf(5)

-Name service switch configuration file.
-
/tmp/.winbindd/pipe

-The UNIX pipe over which clients communicate with the winbindd program.
-For security reasons, the winbind client will only attempt to connect to the
-winbindd daemon if both the /tmp/.winbindd directory and
-/tmp/.winbindd/pipe file are owned by root.
-
/lib/libnss_winbind.so.X

-Implementation of name service switch library. 
-
$LOCKDIR/winbindd_idmap.tdb

-Storage for the Windows NT rid to UNIX user/group id mapping.  The lock
-directory is specified when Samba is initially compiled using the
---with-lockdir option.  This directory is by default
-/usr/local/samba/var/locks.
-
$LOCKDIR/winbindd_cache.tdb

-Storage for cached user and group information.
-

-
-
SEE ALSO
-    
-samba(7), smb.conf(5), 
-nsswitch.conf(5), wbinfo(1)
-

-
AUTHOR
-    
-The original Samba software and related utilities were created by
-Andrew Tridgell. Samba is now developed by the Samba Team as an Open
-Source project.
-
winbindd was written by Tim Potter.
-
-
+

Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd.

Notes

The following notes are useful when configuring and + running winbindd:

nmbd must be running on the local machine + for winbindd to work. winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal.

Client processes resolving names through the winbindd + nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains.

PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine.

If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

Signals

The following signals can be used to manipulate the + winbindd daemon.

SIGHUP

Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded.

SIGUSR1

The SIGUSR1 signal will cause winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd.

Log files are stored in the filename specified by the + log file parameter.

Files

/etc/nsswitch.conf(5): Name service switch configuration file.
/tmp/.winbindd/pipe: The UNIX pipe over which clients communicate with + the winbindd program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root.
/lib/libnss_winbind.so.X: Implementation of name service switch library. +
$LOCKDIR/winbindd_idmap.tdb: Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks +.
$LOCKDIR/winbindd_cache.tdb: Storage for cached user and group information. +

VERSION

This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.

AUTHOR

wbinfo and winbindd + were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter

\ No newline at end of file diff --git a/docs/manpages/smbtar.1 b/docs/manpages/smbtar.1 index f7979b76b1..ab9f95fcbe 100644 --- a/docs/manpages/smbtar.1 +++ b/docs/manpages/smbtar.1 @@ -1,125 +1,120 @@ -.TH "smbtar " "1" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" -smbtar \- shell script for backing up SMB/CIFS shares directly to UNIX tape drives -.PP -.SH "SYNOPSIS" -.PP -\fBsmbtar\fP -s server [-p password] [-x service] [-X] [-d directory] [-u user] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l log level] [-v] filenames -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite\&. -.PP -\fBsmbtar\fP is a very small shell script on top of -\fBsmbclient\fP which dumps SMB shares directly -to tape\&. -.PP -.SH "OPTIONS" -.PP -.IP -.IP "\fB-s server\fP" -The SMB/CIFS server that the share resides upon\&. -.IP -.IP "\fB-x service\fP" -The share name on the server to connect -to\&. The default is \f(CWbackup\fP\&. -.IP -.IP "\fB-X\fP" -Exclude mode\&. Exclude filenames\&.\&.\&. from tar create or -restore\&. -.IP -.IP "\fB-d directory\fP" -Change to initial \fIdirectory\fP before restoring -/ backing up files\&. -.IP -.IP "\fB-v\fP" -Verbose mode\&. -.IP -.IP "\fB-p password\fP" -The password to use to access a share\&. Default: -none -.IP -.IP "\fB-u user\fP" -The user id to connect as\&. Default: UNIX login name\&. -.IP -.IP "\fB-t tape\fP" -Tape device\&. May be regular file or tape -device\&. Default: \fITAPE\fP environmental variable; if not set, a file -called \f(CWtar\&.out\fP\&. -.IP -.IP "\fB-b blocksize\fP" -Blocking factor\&. Defaults to 20\&. See \fBtar (1)\fP -for a fuller explanation\&. -.IP -.IP "\fB-N filename\fP" -Backup only files newer than filename\&. Could be -used (for example) on a log file to implement incremental backups\&. -.IP -.IP "\fB-i\fP" -Incremental mode; tar files are only backed up if they -have the archive bit set\&. The archive bit is reset after each file is -read\&. -.IP -.IP "\fB-r\fP" -Restore\&. Files are restored to the share from the tar -file\&. -.IP -.IP "\fB-l log level\fP" -Log (debug) level\&. Corresponds to the -\fB-d\fP flag of \fBsmbclient -(1)\fP\&. -.IP -.PP -.SH "ENVIRONMENT VARIABLES" -.PP -The TAPE variable specifies the default tape device to write to\&. May -be overridden with the \fB-t\fP option\&. -.PP -.SH "BUGS" -.PP -The \fBsmbtar\fP script has different options from ordinary tar and tar -called from \fBsmbclient\fP\&. -.PP -.SH "CAVEATS" -.PP -Sites that are more careful about security may not like the way the -script handles PC passwords\&. Backup and restore work on entire shares, -should work on file lists\&. \fBsmbtar\fP works best with GNU tar and may -not work well with other versions\&. -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBsmbclient (1)\fP, \fBsmb\&.conf -(5)\fP -.PP -.SH "DIAGNOSTICS" -.PP -See the \fBDIAGNOSTICS\fP section for -the \fBsmbclient\fP command\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -Ricky Poulten poultenr@logica\&.co\&.uk wrote the tar extension and -this man page\&. The \fBsmbtar\fP script was heavily rewritten and -improved by Martin Kraemer Martin\&.Kraemer@mch\&.sni\&.de\&. Many -thanks to everyone who suggested extensions, improvements, bug fixes, -etc\&. The man page sources were converted to YODL format (another -excellent piece of Open Source software available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison, -samba@samba\&.org\&. -.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. -.PP +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng . +.TH "SMBTAR" "1" "22 February 2001" "" "" +.SH NAME +smbtar \- shell script for backing up SMB/CIFS shares directly to UNIX tape drives +.SH SYNOPSIS +.sp +\fBsmbtar\fR \fB-s server\fR [ \fB-p password\fR ] [ \fB-x services\fR ] [ \fB-X\fR ] [ \fB-d directory\fR ] [ \fB-u user\fR ] [ \fB-t tape\fR ] [ \fB-t tape\fR ] [ \fB-b blocksize\fR ] [ \fB-N filename\fR ] [ \fB-i\fR ] [ \fB-r\fR ] [ \fB-l loglevel\fR ] [ \fB-v\fR ] \fBfilenames\fR +.SH "DESCRIPTION" +.PP +This tool is part of the Samba suite. +.PP +\fBsmbtar\fR is a very small shell script on top +of \fBsmbclient(1)\fR +which dumps SMB shares directly to tape. +.SH "OPTIONS" +.TP +\fB-s server\fR +The SMB/CIFS server that the share resides +upon. +.TP +\fB-x service\fR +The share name on the server to connect to. +The default is "backup". +.TP +\fB-X\fR +Exclude mode. Exclude filenames... from tar +create or restore. +.TP +\fB-d directory\fR +Change to initial \fIdirectory +\fRbefore restoring / backing up files. +.TP +\fB-v\fR +Verbose mode. +.TP +\fB-p password\fR +The password to use to access a share. +Default: none +.TP +\fB-u user\fR +The user id to connect as. Default: +UNIX login name. +.TP +\fB-t tape\fR +Tape device. May be regular file or tape +device. Default: \fI$TAPE\fR environmental +variable; if not set, a file called \fItar.out +\fR\&. +.TP +\fB-b blocksize\fR +Blocking factor. Defaults to 20. See +\fBtar(1)\fR for a fuller explanation. +.TP +\fB-N filename\fR +Backup only files newer than filename. Could +be used (for example) on a log file to implement incremental +backups. +.TP +\fB-i\fR +Incremental mode; tar files are only backed +up if they have the archive bit set. The archive bit is reset +after each file is read. +.TP +\fB-r\fR +Restore. Files are restored to the share +from the tar file. +.TP +\fB-l log level\fR +Log (debug) level. Corresponds to the +\fI-d\fR flag of \fBsmbclient(1) +\fR\&. +.SH "ENVIRONMENT VARIABLES" +.PP +The \fI$TAPE\fR variable specifies the +default tape device to write to. May be overridden +with the -t option. +.SH "BUGS" +.PP +The \fBsmbtar\fR script has different +options from ordinary tar and tar called from smbclient. +.SH "CAVEATS" +.PP +Sites that are more careful about security may not like +the way the script handles PC passwords. Backup and restore work +on entire shares, should work on file lists. smbtar works best +with GNU tar and may not work well with other versions. +.SH "DIAGNOSTICS" +.PP +See the \fBDIAGNOSTICS\fR section for the +\fBsmbclient(1)\fR + command. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fBsmbd(8)\fR , +\fBsmbclient(1)\fR , +smb.conf(5) , +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +Ricky Poulten +wrote the tar extension and this man page. The \fBsmbtar\fR +script was heavily rewritten and improved by Martin Kraemer . Many +thanks to everyone who suggested extensions, improvements, bug +fixes, etc. The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ ) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter. diff --git a/docs/manpages/swat.8 b/docs/manpages/swat.8 index 3fc450f385..5e6b8a57d8 100644 --- a/docs/manpages/swat.8 +++ b/docs/manpages/swat.8 @@ -1,153 +1,140 @@ -.TH "swat " "8" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng . +.TH "SWAT" "8" "22 February 2001" "" "" +.SH NAME swat \- Samba Web Administration Tool -.PP -.SH "SYNOPSIS" -.PP -\fBswat\fP [-s smb config file] [-a] -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite\&. -.PP -\fBswat\fP allows a Samba administrator to configure the complex -\fBsmb\&.conf\fP file via a Web browser\&. In -addition, a swat configuration page has help links to all the -configurable options in the \fBsmb\&.conf\fP file -allowing an administrator to easily look up the effects of any change\&. -.PP -\fBswat\fP is run from \fBinetd\fP -.PP -.SH "OPTIONS" -.PP -.IP -.IP "\fB-s smb configuration file\fP" -The default configuration file path is -determined at compile time\&. -.IP -The file specified contains the configuration details required by the -\fBsmbd\fP server\&. This is the file that \fBswat\fP will -modify\&. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide\&. See smb\&.conf -(5) for more information\&. -.IP -.IP "\fB-a\fP" -.IP -This option disables authentication and puts \fBswat\fP in demo mode\&. In -that mode anyone will be able to modify the -\fBsmb\&.conf\fP file\&. -.IP -Do NOT enable this option on a production server\&. -.IP -.PP -.SH "INSTALLATION" -.PP -After you compile SWAT you need to run \f(CW"make install"\fP to install the -swat binary and the various help files and images\&. A default install -would put these in: -.PP - -.nf - +.SH SYNOPSIS +.sp +\fBnmblookup\fR [ \fB-s \fR ] [ \fB-a\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba suite. +.PP +\fBswat\fR allows a Samba administrator to +configure the complex \fI smb.conf(5)\fR file via a Web browser. In addition, +a \fBswat\fR configuration page has help links +to all the configurable options in the smb.conf file allowing an +administrator to easily look up the effects of any change. +.PP +swat is run from inetd +.SH "OPTIONS" +.TP +\fB-s smb configuration file\fR +The default configuration file path is +determined at compile time. The file specified contains +the configuration details required by the \fBsmbd +\fRserver. This is the file that swat will modify. +The information in this file includes server-specific +information such as what printcap file to use, as well as +descriptions of all the services that the server is to provide. +See \fIsmb.conf\fR for more information. +.TP +\fB-a\fR +This option disables authentication and puts +swat in demo mode. In that mode anyone will be able to modify +the smb.conf file. +\fBDo NOT enable this option on a production +server. \fR +.SH "INSTALLATION" +.PP +After you compile SWAT you need to run \fBmake install +\fRto install the \fBswat\fR binary +and the various help files and images. A default install would put +these in: +.TP 0.2i +\(bu /usr/local/samba/bin/swat +.TP 0.2i +\(bu /usr/local/samba/swat/images/* +.TP 0.2i +\(bu /usr/local/samba/swat/help/* - -.fi - - -.PP -.SH "INETD INSTALLATION" -.PP -You need to edit your \f(CW/etc/inetd\&.conf\fP and \f(CW/etc/services\fP to -enable \fBSWAT\fP to be launched via inetd\&. -.PP -In \f(CW/etc/services\fP you need to add a line like this: -.PP -\f(CWswat 901/tcp\fP -.PP -Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local \f(CW/etc/services\fP file\&. -.PP -the choice of port number isn\'t really important except that it should -be less than 1024 and not currently used (using a number above 1024 -presents an obscure security hole depending on the implementation -details of your \fBinetd\fP daemon)\&. -.PP -In \f(CW/etc/inetd\&.conf\fP you should add a line like this: -.PP -\f(CWswat stream tcp nowait\&.400 root /usr/local/samba/bin/swat swat\fP -.PP -One you have edited \f(CW/etc/services\fP and \f(CW/etc/inetd\&.conf\fP you need -to send a HUP signal to inetd\&. To do this use \f(CW"kill -1 PID"\fP where -PID is the process ID of the inetd daemon\&. -.PP -.SH "LAUNCHING" -.PP -To launch \fBswat\fP just run your favorite web browser and point it at -\f(CWhttp://localhost:901/\fP\&. -.PP -\fBNote that you can attach to \fBswat\fP from any IP connected machine but -connecting from a remote machine leaves your connection open to -password sniffing as passwords will be sent in the clear over the -wire\&.\fP -.PP -.SH "FILES" -.PP -\fB/etc/inetd\&.conf\fP -.PP -This file must contain suitable startup information for the -meta-daemon\&. -.PP -\fB/etc/services\fP -.PP -This file must contain a mapping of service name (e\&.g\&., swat) to -service port (e\&.g\&., 901) and protocol type (e\&.g\&., tcp)\&. -.PP -\fB/usr/local/samba/lib/smb\&.conf\fP -.PP -This is the default location of the \fIsmb\&.conf\fP server configuration -file that \fBswat\fP edits\&. Other common places that systems install -this file are \fI/usr/samba/lib/smb\&.conf\fP and \fI/etc/smb\&.conf\fP\&. -.PP -This file describes all the services the server is to make available -to clients\&. See \fBsmb\&.conf (5)\fP for more information\&. -.PP -.SH "WARNINGS" -.PP -\fBswat\fP will rewrite your \fBsmb\&.conf\fP file\&. It -will rearrange the entries and delete all comments, -\fB"include="\fP and -\fB"copy="\fP options\&. If you have a -carefully crafted \fBsmb\&.conf\fP then back it up -or don\'t use \fBswat\fP! -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBinetd (8)\fP, \fBnmbd (8)\fP, -\fBsmb\&.conf (5)\fP\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba\&.org)\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison\&. -samba@samba\&.org\&. -.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +.SS "INETD INSTALLATION" +.PP +You need to edit your \fI/etc/inetd.conf +\fRand \fI/etc/services\fR +to enable SWAT to be launched via inetd. +.PP +In \fI/etc/services\fR you need to +add a line like this: +.PP +\fBswat 901/tcp\fR +.PP +Note for NIS/YP users - you may need to rebuild the +NIS service maps rather than alter your local \fI /etc/services\fR file. +.PP +the choice of port number isn't really important +except that it should be less than 1024 and not currently +used (using a number above 1024 presents an obscure security +hole depending on the implementation details of your +\fBinetd\fR daemon). +.PP +In \fI/etc/inetd.conf\fR you should +add a line like this: +.PP +\fBswat stream tcp nowait.400 root +/usr/local/samba/bin/swat swat\fR +.PP +One you have edited \fI/etc/services\fR +and \fI/etc/inetd.conf\fR you need to send a +HUP signal to inetd. To do this use \fBkill -1 PID +\fRwhere PID is the process ID of the inetd daemon. +.SS "LAUNCHING" +.PP +To launch swat just run your favorite web browser and +point it at "http://localhost:901/". +.PP +Note that you can attach to swat from any IP connected +machine but connecting from a remote machine leaves your +connection open to password sniffing as passwords will be sent +in the clear over the wire. +.SH "FILES" +.TP +\fB\fI/etc/inetd.conf\fB\fR +This file must contain suitable startup +information for the meta-daemon. +.TP +\fB\fI/etc/services\fB\fR +This file must contain a mapping of service name +(e.g., swat) to service port (e.g., 901) and protocol type +(e.g., tcp). +.TP +\fB\fI/usr/local/samba/lib/smb.conf\fB\fR +This is the default location of the \fIsmb.conf(5) +\fRserver configuration file that swat edits. Other +common places that systems install this file are \fI /usr/samba/lib/smb.conf\fR and \fI/etc/smb.conf +\fR\&. This file describes all the services the server +is to make available to clients. +.SH "WANRNIGS" +.PP +\fBswat\fR will rewrite your \fIsmb.conf +\fRfile. It will rearrange the entries and delete all +comments, \fIinclude=\fR and \fIcopy=" +\fRoptions. If you have a carefully crafted \fI smb.conf\fR then back it up or don't use swat! +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fBinetd(5)\fR, +\fBsmbd(8)\fR , +smb.conf(5) +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ ) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter diff --git a/docs/manpages/winbindd.8 b/docs/manpages/winbindd.8 index 6f76699e3f..efdaf76bd8 100644 --- a/docs/manpages/winbindd.8 +++ b/docs/manpages/winbindd.8 @@ -1,296 +1,266 @@ -.TH "winbindd " "8" "13 Jun 2000" "Samba" "SAMBA" -.PP -.SH "NAME" -winbindd \- Name Service Switch daemon for resolving names from NT servers -.PP -.SH "SYNOPSIS" -.PP -\fBwinbindd\fP [-d debuglevel] [-i] -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite version 3\&.0 and describes -functionality not yet implemented in the main version of Samba\&. -.PP -\fBwinbindd\fP is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries\&. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS\&. The exact behaviour can -be configured throught the \f(CW/etc/nsswitch\&.conf\fP file\&. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system\&. -.PP -The service provided by \fBwinbindd\fP is called `winbind\' and can be -used to resolve user and group information from a Windows NT server\&. -The service can also provide authentication services via an associated -PAM module\&. -.PP -The following nsswitch databases are implemented by the \fBwinbindd\fP -service: -.PP -.IP -.IP "passwd" -.IP -User information traditionally stored in the \fBpasswd(5)\fP file and used by -\fBgetpwent(3)\fP functions\&. -.IP -.IP "group" -.IP -Group information traditionally stored in the \fBgroup(5)\fP file and used by -\fBgetgrent(3)\fP functions\&. -.IP -.PP +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng . +.TH "WINBINDD" "8" "22 February 2001" "" "" +.SH NAME +winbindd \- Name Service Switch daemon for resolving names from NT servers +.SH SYNOPSIS +.sp +\fBnmblookup\fR [ \fB-d debuglevel\fR ] [ \fB-i\fR ] [ \fB-S\fR ] [ \fB-r\fR ] [ \fB-A\fR ] [ \fB-h\fR ] [ \fB-B \fR ] [ \fB-U \fR ] [ \fB-d \fR ] [ \fB-s \fR ] [ \fB-i \fR ] [ \fB-T\fR ] \fBname\fR +.SH "DESCRIPTION" +.PP +This tool is part of the Samba suite version 3.0 and describes functionality not +yet implemented in the main version of Samba. +.PP +\fBwinbindd\fR is a daemon that provides +a service for the Name Service Switch capability that is present +in most modern C libraries. The Name Service Switch allows user +and system information to be obtained from different databases +services such as NIS or DNS. The exact behaviour can be configured +throught the \fI/etc/nsswitch.conf\fR file. +Users and groups are allocated as they are resolved to a range +of user and group ids specified by the administrator of the +Samba system. +.PP +The service provided by winbindd is called `winbind' and +can be used to resolve user and group information from a +Windows NT server. The service can also provide authentication +services via an associated PAM module. +.PP +The following nsswitch databases are implemented by +the winbindd service: +.TP +\fBpasswd\fR +User information traditionally stored in +the \fIpasswd(5)\fR file and used by +\fBgetpwent(3)\fR functions. +.TP +\fBgroup\fR +Group information traditionally stored in +the \fIgroup(5)\fR file and used by +\fBgetgrent(3)\fR functions. +.PP For example, the following simple configuration in the -\f(CW/etc/nsswitch\&.conf\fP file can be used to initially resolve user and group -information from \f(CW/etc/passwd\fP and \f(CW/etc/group\fP and then from the -Windows NT server\&. -.PP +\fI/etc/nsswitch.conf\fR file can be used to initially +resolve user and group information from \fI/etc/passwd +\fRand \fI/etc/group\fR and then from the +Windows NT server. +.PP +.PP +.sp +.nf +passwd: files winbind +group: files winbind + +.sp +.fi +.PP +.SH "OPTIONS" +.TP +\fB-d debuglevel\fR +Sets the debuglevel to an integer between +0 and 100. 0 is for no debugging and 100 is for reams and +reams. To submit a bug report to the Samba Team, use debug +level 100 (see BUGS.txt). +.TP +\fB-i\fR +Tells \fBwinbindd\fR to not +become a daemon and detach from the current terminal. This +option is used by developers when interactive debugging +of \fBwinbindd\fR is required. +.SH "NAME AND ID RESOLUTION" +.PP +Users and groups on a Windows NT server are assigned +a relative id (rid) which is unique for the domain when the +user or group is created. To convert the Windows NT user or group +into a unix user or group, a mapping between rids and unix user +and group ids is required. This is one of the jobs that \fB winbindd\fR performs. +.PP +As winbindd users and groups are resolved from a server, user +and group ids are allocated from a specified range. This +is done on a first come, first served basis, although all existing +users and groups will be mapped as soon as a client performs a user +or group enumeration command. The allocated unix ids are stored +in a database file under the Samba lock directory and will be +remembered. +.PP +WARNING: The rid to unix id database is the only location +where the user and group mappings are stored by winbindd. If this +file is deleted or corrupted, there is no way for winbindd to +determine which user and group ids correspond to Windows NT user +and group rids. +.SH "CONFIGURATION" +.PP +Configuration of the \fBwinbindd\fR daemon +is done through configuration parameters in the \fIsmb.conf(5) +\fRfile. All parameters should be specified in the +[global] section of smb.conf. +.TP +\fBwinbind separator\fR +The winbind separator option allows you +to specify how NT domain names and user names are combined +into unix user names when presented to users. By default, +\fBwinbindd\fR will use the traditional '\\' +separator so that the unix user names look like +DOMAIN\\username. In some cases this separator character may +cause problems as the '\\' character has special meaning in +unix shells. In that case you can use the winbind separator +option to specify an alternative sepataror character. Good +alternatives may be '/' (although that conflicts +with the unix directory separator) or a '+ 'character. +The '+' character appears to be the best choice for 100% +compatibility with existing unix utilities, but may be an +aesthetically bad choice depending on your taste. -.nf - +Default: \fBwinbind separator = \\ \fR - passwd: files winbind - group: files winbind +Example: \fBwinbind separator = + \fR +.TP +\fBwinbind uid\fR +The winbind uid parameter specifies the +range of user ids that are allocated by the winbindd daemon. +This range of ids should have no existing local or nis users +within it as strange conflicts can occur otherwise. -.fi - +Default: \fBwinbind uid = +\fR +Example: \fBwinbind uid = 10000-20000\fR +.TP +\fBwinbind gid\fR +The winbind gid parameter specifies the +range of group ids that are allocated by the winbindd daemon. +This range of group ids should have no existing local or nis +groups within it as strange conflicts can occur otherwise. -.PP -.SH "OPTIONS" -.PP -The following options are available to the \fBwinbindd\fP daemon: -.PP -.IP -.IP "\fB-d debuglevel\fP" -Sets the debuglevel to an integer between 0 and 100\&. 0 is for no debugging -and 100 is for reams and reams\&. To submit a bug report to the Samba Team, -use debug level 100 (see \fBBUGS\&.txt\fP)\&. -.IP -.IP "\fB-i\fP" -Tells \fBwinbindd\fP to not become a daemon and detach from the current terminal\&. -This option is used by developers when interactive debugging of \fBwinbindd\fP is -required\&. -.IP -.PP -.SH "NAME AND ID RESOLUTION" -.PP -Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created\&. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required\&. This is one of the -jobs that \fBwinbindd\fP performs\&. -.PP -As \fBwinbindd\fP users and groups are resolved from a server, user and group -ids are allocated from a specified range\&. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command\&. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered\&. -.PP -WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by \fBwinbindd\fP\&. If this file is deleted or -corrupted, there is no way for \fBwinbindd\fP to determine which user and -group ids correspond to Windows NT user and group rids\&. -.PP -.SH "CONFIGURATION" -.PP -Configuration of the \fBwinbindd\fP daemon is done through configuration -parameters in the \fBsmb\&.conf\fP file\&. All parameters -should be specified in the [global] section of -\fBsmb\&.conf\fP\&. -.PP -.IP -.IP "winbind separator" -.IP -The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users\&. By default winbind will use the traditional \e separator so -that the unix user names look like DOMAIN\eusername\&. In some cases -this separator character may cause problems as the \e character has -special meaning in unix shells\&. In that case you can use the winbind -separator option to specify an alternative sepataror character\&. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character\&. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste\&. -.IP -\fBDefault:\fP -\f(CW winbind separator = \e\fP -.IP -\fBExample:\fP -\f(CW winbind separator = +\fP -.IP -.IP "winbind uid" -.IP -The winbind uid parameter specifies the range of user ids that are -allocated by the \fBwinbindd\fP daemon\&. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise\&. -.IP -\fBDefault:\fP -\f(CW winbind uid = \fP -.IP -\fBExample:\fP -\f(CW winbind uid = 10000-20000\fP -.IP -.IP "winbind gid" -.IP -The winbind gid parameter specifies the range of group ids that are -allocated by the \fBwinbindd\fP daemon\&. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise\&. -.IP -\fBDefault:\fP -\f(CW winbind gid = \fP -.IP -\fBExample:\fP -\f(CW winbind gid = 10000-20000\fP -.IP -.IP "winbind cache time" -.IP -This parameter specifies the number of seconds the \fBwinbindd\fP daemon will -cache user and group information before querying a Windows NT server -again\&. When a item in the cache is older than this time \fBwinbindd\fP will ask -the domain controller for the sequence number of the servers account -database\&. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds\&. Otherwise the -item is fetched from the server\&. This means that as long as the account -database is not actively changing \fBwinbindd\fP will only have to send one -sequence number query packet every "winbind cache time" seconds\&. -.IP -\fBDefault:\fP -\f(CW winbind cache time = 15\fP -.IP -.IP "winbind enum users" -.IP -On large installations it may be necessary to suppress the enumeration of -users through the \f(CWsetpwent\fP, \f(CWgetpwent\fP and \f(CWendpwent\fP group of -system calls\&. If the \f(CWwinbind enum users\fP parameter is false, calls to -the \f(CWgetpwent\fP system call will not return any data\&. -.IP -Warning: Turning off user enumeration may cause some programs to behave -oddly\&. For example, the finger program relies on having access to the full -user list when searching for matching usernames\&. -.IP -\fBDefault:\fP -\f(CW winbind enum users = true\fP -.IP -.IP "winbind enum groups" -.IP -On large installations it may be necessary to suppress the enumeration of -groups through the \f(CWsetgrent\fP, \f(CWgetgrent\fP and \f(CWendgrent\fP group of -system calls\&. If the \f(CWwinbind enum groups\fP parameter is false, calls to -the \f(CWgetgrent\fP system call will not return any data\&. -.IP -Warning: Turning off group enumeration may cause some programs to behave -oddly\&. -.IP -\fBDefault:\fP -\f(CW winbind enum groups = true\fP -.IP -.IP "template homedir" -.IP -When filling out the user information for a Windows NT user, the -\fBwinbindd\fP daemon uses this parameter to fill in the home directory for -that user\&. If the string \f(CW%D\fP is present it is substituted with the -user\'s Windows NT domain name\&. If the string \f(CW%U\fP is present it is -substituted with the user\'s Windows NT user name\&. -.IP -\fBDefault:\fP -\f(CW template homedir = /home/%D/%U\fP -.IP -.IP "template shell" -.IP -When filling out the user information for a Windows NT user, the -\fBwinbindd\fP daemon uses this parameter to fill in the shell for that user\&. -.IP -\fBDefault:\fP -\f(CW template shell = /bin/false\fP -.IP -.PP -.SH "EXAMPLE SETUP" -.PP -To setup \fBwinbindd\fP for user and group lookups plus authentication from -a domain controller use something like the following setup\&. This was -tested on a RedHat 6\&.2 Linux box\&. -.PP -In \f(CW/etc/nsswitch\&.conf\fP put the following: +Default: \fBwinbind gid = +\fR +Example: \fBwinbind gid = 10000-20000 +\fR.TP +\fBwinbind cache time\fR +This parameter specifies the number of +seconds the winbindd daemon will cache user and group information +before querying a Windows NT server again. When a item in the +cache is older than this time winbindd will ask the domain +controller for the sequence number of the servers account database. +If the sequence number has not changed then the cached item is +marked as valid for a further \fIwinbind cache time +\fRseconds. Otherwise the item is fetched from the +server. This means that as long as the account database is not +actively changing winbindd will only have to send one sequence +number query packet every \fIwinbind cache time +\fRseconds. -.nf - +Default: \fBwinbind cache time = 15\fR +.TP +\fBwinbind enum users\fR +On large installations it may be necessary +to suppress the enumeration of users through the \fB setpwent()\fR, \fBgetpwent()\fR and +\fBendpwent()\fR group of system calls. If +the \fIwinbind enum users\fR parameter is false, +calls to the \fBgetpwent\fR system call will not +return any data. - passwd: files winbind - group: files winbind +\fBWarning:\fR Turning off user enumeration +may cause some programs to behave oddly. For example, the finger +program relies on having access to the full user list when +searching for matching usernames. -.fi - +Default: \fBwinbind enum users = yes \fR +.TP +\fBwinbind enum groups\fR +On large installations it may be necessary +to suppress the enumeration of groups through the \fB setgrent()\fR, \fBgetgrent()\fR and +\fBendgrent()\fR group of system calls. If +the \fIwinbind enum groups\fR parameter is +false, calls to the \fBgetgrent()\fR system +call will not return any data. -.PP -In \f(CW/etc/pam\&.d/*\fP replace the \f(CWauth\fP lines with something like this: +\fBWarning:\fR Turning off group +enumeration may cause some programs to behave oddly. -.nf - +Default: \fBwinbind enum groups = no \fR +.TP +\fBtemplate homedir\fR +When filling out the user information +for a Windows NT user, the \fBwinbindd\fR daemon +uses this parameter to fill in the home directory for that user. +If the string \fI%D\fR is present it is +substituted with the user's Windows NT domain name. If the +string \fI%U\fR is present it is substituted +with the user's Windows NT user name. - auth required /lib/security/pam_securetty\&.so - auth required /lib/security/pam_nologin\&.so - auth sufficient /lib/security/pam_winbind\&.so - auth required /lib/security/pam_pwdb\&.so use_first_pass shadow nullok +Default: \fBtemplate homedir = /home/%D/%U \fR +.TP +\fBtemplate shell\fR +When filling out the user information for +a Windows NT user, the \fBwinbindd\fR daemon +uses this parameter to fill in the shell for that user. -.fi - - -.PP -Note in particular the use of the \f(CWsufficient\fP keyword and the -\f(CWuse_first_pass\fP keyword\&. -.PP -Now replace the account lines with this: - -.nf - - - account required /lib/security/pam_winbind\&.so - -.fi - - -.PP -The next step is to join the domain\&. To do that use the samedit -program like this: - -.nf - - - samedit -S \'*\' -W DOMAIN -UAdministrator - -.fi - - -.PP -The username after the -U can be any Domain user that has administrator -priviliges on the machine\&. Next from within samedit, run the command: - -.nf - - - createuser MACHINE$ -j DOMAIN -L - -.fi - - -.PP -This assumes your domain is called \f(CWDOMAIN\fP and your Samba workstation -is called \f(CWMACHINE\fP\&. -.PP -Next copy \f(CWlibnss_winbind\&.so\&.2\fP to \f(CW/lib\fP and \f(CWpam_winbind\&.so\fP to -\f(CW/lib/security\fP\&. -.PP -Finally, setup a smb\&.conf containing directives like the following: - -.nf - - - [global] - winbind separator = + +Default: \fBtemplate shell = /bin/false \fR +.SH "EXAMPLE SETUP" +.PP +To setup winbindd for user and group lookups plus +authentication from a domain controller use something like the +following setup. This was tested on a RedHat 6.2 Linux box. +.PP +In \fI/etc/nsswitch.conf\fR put the +following: +.PP +.sp +.nf +passwd: files winbind +group: files winbind + +.sp +.fi +.PP +In \fI/etc/pam.d/*\fR replace the +\fIauth\fR lines with something like this: +.PP +.sp +.nf +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok + +.sp +.fi +.PP +Note in particular the use of the \fIsufficient\fR +keyword and the \fIuse_first_pass\fR keyword. +.PP +Now replace the account lines with this: +.PP +\fBaccount required /lib/security/pam_winbind.so +\fR.PP +The next step is to join the domain. To do that use the +\fBsamedit\fR program like this: +.PP +\fBsamedit -S '*' -W DOMAIN -UAdministrator\fR +.PP +The username after the \fI-U\fR can be any Domain +user that has administrator priviliges on the machine. Next from +within \fBsamedit\fR, run the command: +.PP +\fBcreateuser MACHINE$ -j DOMAIN -L\fR +.PP +This assumes your domain is called "DOMAIN" and your Samba +workstation is called "MACHINE". +.PP +Next copy \fIlibnss_winbind.so.2\fR to +\fI/lib\fR and \fIpam_winbind.so\fR +to \fI/lib/security\fR. +.PP +Finally, setup a smb.conf containing directives like the +following: +.PP +.sp +.nf +[global] + winbind separator = + winbind cache time = 10 template shell = /bin/bash template homedir = /home/%D/%U @@ -299,117 +269,107 @@ Finally, setup a smb\&.conf containing directives like the following: workgroup = DOMAIN security = domain password server = * + +.sp +.fi +.PP +Now start winbindd and you should find that your user and +group database is expanded to include your NT users and groups, +and that you can login to your unix box as a domain user, using +the DOMAIN+user syntax for the username. You may wish to use the +commands \fBgetent passwd\fR and \fBgetent group +\fRto confirm the correct operation of winbindd. +.SH "NOTES" +.PP +The following notes are useful when configuring and +running \fBwinbindd\fR: +.PP +\fBnmbd\fR must be running on the local machine +for \fBwinbindd\fR to work. \fBwinbindd\fR +queries the list of trusted domains for the Windows NT server +on startup and when a SIGHUP is received. Thus, for a running \fB winbindd\fR to become aware of new trust relationships between +servers, it must be sent a SIGHUP signal. +.PP +Client processes resolving names through the \fBwinbindd\fR +nsswitch module read an environment variable named \fI $WINBINDD_DOMAIN\fR. If this variable contains a comma separated +list of Windows NT domain names, then winbindd will only resolve users +and groups within those Windows NT domains. +.PP +PAM is really easy to misconfigure. Make sure you know what +you are doing when modifying PAM configuration files. It is possible +to set up PAM such that you can no longer log into your system. +.PP +If more than one UNIX machine is running \fBwinbindd\fR, +then in general the user and groups ids allocated by winbindd will not +be the same. The user and group ids will only be valid for the local +machine. +.PP +If the the Windows NT RID to UNIX user and group id mapping +file is damaged or destroyed then the mappings will be lost. +.SH "SIGNALS" +.PP +The following signals can be used to manipulate the +\fBwinbindd\fR daemon. +.TP +\fBSIGHUP\fR +Reload the \fIsmb.conf(5)\fR +file and apply any parameter changes to the running +version of winbindd. This signal also clears any cached +user and group information. The list of other domains trusted +by winbindd is also reloaded. +.TP +\fBSIGUSR1\fR +The SIGUSR1 signal will cause \fB winbindd\fR to write status information to the winbind +log file including information about the number of user and +group ids allocated by \fBwinbindd\fR. -.fi - - -.PP -Now start \fBwinbindd\fP and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the \f(CWDOMAIN+user\fP -syntax for the username\&. You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -\fBwinbindd\fP\&. -.PP -.SH "NOTES" -.PP -The following notes are useful when configuring and running \fBwinbindd\fP: -.PP -.IP -.IP "" -\fBnmbd\fP must be running on the local machine for -\fBwinbindd\fP to work\&. -.IP -.IP "" -\fBwinbindd\fP queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received\&. Thus, for a running \fBwinbindd\fP -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal\&. -.IP -.IP "" -Client processes resolving names through the \fBwinbindd\fP nsswitch module -read an environment variable named \f(CWWINBINDD_DOMAIN\fP\&. If this variable -contains a comma separated list of Windows NT domain names, then \fBwinbindd\fP -will only resolve users and groups within those Windows NT domains\&. -.IP -.IP "" -PAM is really easy to misconfigure\&. Make sure you know what you are doing -when modifying PAM configuration files\&. It is possible to set up PAM -such that you can no longer log into your system\&. -.IP -.IP "" -If more than one UNIX machine is running \fBwinbindd\fP, then in general the -user and groups ids allocated by \fBwinbindd\fP will not be the same\&. The -user and group ids will only be valid for the local machine\&. -.IP -.IP "" -If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost\&. -.IP -.PP -.SH "SIGNALS" -.PP -The following signals can be used to manipulate the \fBwinbindd\fP daemon\&. -.PP -.IP -.IP "\f(CWSIGHUP\fP" -.IP -Reload the \f(CWsmb\&.conf\fP file and apply any parameter changes to the running -version of \fBwinbindd\fP\&. This signal also clears any cached user and group -information\&. The list of other domains trusted by \fBwinbindd\fP is also -reloaded\&. -.IP -.IP "\f(CWSIGUSR1\fP" -.IP -The \f(CWSIGUSR1\fP signal will cause \fBwinbindd\fP to write status information -to the winbind log file including information about the number of user and -group ids allocated by \fBwinbindd\fP\&. -.IP -Log files are stored in the filename specified by the \fBlog file\fP parameter\&. -.IP -.PP -.SH "FILES" -.PP -The following files are relevant to the operation of the \fBwinbindd\fP -daemon\&. -.PP -.IP -.IP "/etc/nsswitch\&.conf(5)" -.IP -Name service switch configuration file\&. -.IP -.IP "/tmp/\&.winbindd/pipe" -.IP -The UNIX pipe over which clients communicate with the \fBwinbindd\fP program\&. -For security reasons, the winbind client will only attempt to connect to the -\fBwinbindd\fP daemon if both the \f(CW/tmp/\&.winbindd\fP directory and -\f(CW/tmp/\&.winbindd/pipe\fP file are owned by root\&. -.IP -.IP "/lib/libnss_winbind\&.so\&.X" -.IP -Implementation of name service switch library\&. -.IP -.IP "$LOCKDIR/winbindd_idmap\&.tdb" -.IP -Storage for the Windows NT rid to UNIX user/group id mapping\&. The lock -directory is specified when Samba is initially compiled using the -\f(CW--with-lockdir\fP option\&. This directory is by default -\f(CW/usr/local/samba/var/locks\fP\&. -.IP -.IP "$LOCKDIR/winbindd_cache\&.tdb" -.IP -Storage for cached user and group information\&. -.IP -.PP -.SH "SEE ALSO" -.PP -\fBsamba(7)\fP, \fBsmb\&.conf(5)\fP, -\fBnsswitch\&.conf(5)\fP, \fBwbinfo(1)\fP -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open -Source project\&. -.PP -\fBwinbindd\fP was written by Tim Potter\&. +Log files are stored in the filename specified by the +log file parameter. +.SH "FILES" +.TP +\fB\fI/etc/nsswitch.conf(5)\fB\fR +Name service switch configuration file. +.TP +\fB/tmp/.winbindd/pipe\fR +The UNIX pipe over which clients communicate with +the \fBwinbindd\fR program. For security reasons, the +winbind client will only attempt to connect to the winbindd daemon +if both the \fI/tmp/.winbindd\fR directory +and \fI/tmp/.winbindd/pipe\fR file are owned by +root. +.TP +\fB/lib/libnss_winbind.so.X\fR +Implementation of name service switch library. +.TP +\fB$LOCKDIR/winbindd_idmap.tdb\fR +Storage for the Windows NT rid to UNIX user/group +id mapping. The lock directory is specified when Samba is initially +compiled using the \fI--with-lockdir\fR option. +This directory is by default \fI/usr/local/samba/var/locks +\fR\&. +.TP +\fB$LOCKDIR/winbindd_cache.tdb\fR +Storage for cached user and group information. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. winbindd is however not available in +stable release of Samba as of yet. +.SH "SEE ALSO" +.PP +\fInsswitch.conf(5)\fR, +samba(7) , +wbinfo(1) , +smb.conf(5) +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +\fBwbinfo\fR and \fBwinbindd\fR +were written by Tim Potter. +.PP +The conversion to DocBook for Samba 2.2 was done +by Gerald Carter -- cgit