From 837191626111e84c0fb27b5052d21ab29b6e41a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 02:33:34 +0000 Subject: add a few, fix a few, add a few, fix a few... (This used to be commit 5ffb96527ef3bf9f271633a219dcaa02471e4e80) --- docs/docbook/manpages/winbindd.8.sgml | 502 ++++++++++++++++++++++++++++++++++ 1 file changed, 502 insertions(+) create mode 100644 docs/docbook/manpages/winbindd.8.sgml (limited to 'docs/docbook/manpages/winbindd.8.sgml') diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml new file mode 100644 index 0000000000..5b53e504cd --- /dev/null +++ b/docs/docbook/manpages/winbindd.8.sgml 
@@ -0,0 +1,502 @@ + + + + + winbindd + 8 + + + + + winbindd + Name Service Switch daemon for resolving names + from NT servers + + + + + nmblookup + -d debuglevel + -i + -S + -r + -A + -h + -B <broadcast address> + -U <unicast address> + -d <debug level> + -s <smb config file> + -i <NetBIOS scope> + -T + name + + + + + DESCRIPTION + + This tool is part of the + Samba suite version 3.0 and describes functionality not + yet implemented in the main version of Samba. + + winbindd is a daemon that provides + a service for the Name Service Switch capability that is present + in most modern C libraries. The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the /etc/nsswitch.conf file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system. + + The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module. + + The following nsswitch databases are implemented by + the winbindd service: + + + + passwd + User information traditionally stored in + the passwd(5) file and used by + getpwent(3) functions. + + + + group + Group information traditionally stored in + the group(5) file and used by + getgrent(3) functions. + + + + For example, the following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve user and group information from /etc/passwd + and /etc/group and then from the + Windows NT server. + + +passwd: files winbind +group: files winbind + + + + + + OPTIONS + + + + -d debuglevel + Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. 
To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt). + + + + -i + Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of winbindd is required. + + + + + + + NAME AND ID RESOLUTION + + Users and groups on a Windows NT server are assigned + a relative id (rid) which is unique for the domain when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between rids and unix user + and group ids is required. This is one of the jobs that + winbindd performs. + + As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered. + + WARNING: The rid to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids. + + + + + CONFIGURATION + + Configuration of the winbindd daemon + is done through configuration parameters in the smb.conf(5) + file. All parameters should be specified in the + [global] section of smb.conf. + + + + winbind separator + The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + winbindd will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. 
In that case you can use the winbind separator + option to specify an alternative sepataror character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste. + + Default: winbind separator = \ + + Example: winbind separator = + + + + + + winbind uid + The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or nis users + within it as strange conflicts can occur otherwise. + + Default: winbind uid = <empty string> + + Example: winbind uid = 10000-20000 + + + + + + winbind gid + The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or nis + groups within it as strange conflicts can occur otherwise. + + Default: winbind gid = <empty string> + + Example: winbind gid = 10000-20000 + + + + + + winbind cache time + This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the servers account database. + If the sequence number has not changed then the cached item is + marked as valid for a further winbind cache time + seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every winbind cache time + seconds. 
+ + Default: winbind cache time = 15 + + + + + winbind enum users + On large installations it may be necessary + to suppress the enumeration of users through the + setpwent(), getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is false, + calls to the getpwent system call will not + return any data. + + Warning: Turning off user enumeration + may cause some programs to behave oddly. For example, the finger + program relies on having access to the full user list when + searching for matching usernames. + + Default: winbind enum users = yes + + + + + winbind enum groups + On large installations it may be necessary + to suppress the enumeration of groups through the + setgrent(), getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + false, calls to the getgrent() system + call will not return any data. + + Warning: Turning off group + enumeration may cause some programs to behave oddly. + + + Default: winbind enum groups = no + + + + + + + template homedir + When filling out the user information + for a Windows NT user, the winbindd daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is + substituted with the user's Windows NT domain name. If the + string %U is present it is substituted + with the user's Windows NT user name. + + Default: template homedir = /home/%D/%U + + + + + + template shell + When filling out the user information for + a Windows NT user, the winbindd daemon + uses this parameter to fill in the shell for that user. + + + Default: template shell = /bin/false + + + + + + + + EXAMPLE SETUP + + To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on a RedHat 6.2 Linux box. 
+ + In /etc/nsswitch.conf put the + following: + + +passwd: files winbind +group: files winbind + + + In /etc/pam.d/* replace the + auth lines with something like this: + + + +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok + + + + Note in particular the use of the sufficient + keyword and the use_first_pass keyword. + + Now replace the account lines with this: + + account required /lib/security/pam_winbind.so + + + The next step is to join the domain. To do that use the + samedit program like this: + + samedit -S '*' -W DOMAIN -UAdministrator + + The username after the -U can be any Domain + user that has administrator priviliges on the machine. Next from + within samedit, run the command: + + createuser MACHINE$ -j DOMAIN -L + + This assumes your domain is called "DOMAIN" and your Samba + workstation is called "MACHINE". + + Next copy libnss_winbind.so.2 to + /lib and pam_winbind.so + to /lib/security. + + Finally, setup a smb.conf containing directives like the + following: + + +[global] + winbind separator = + + winbind cache time = 10 + template shell = /bin/bash + template homedir = /home/%D/%U + winbind uid = 10000-20000 + winbind gid = 10000-20000 + workgroup = DOMAIN + security = domain + password server = * + + + + Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd. + + + + + Notes + + The following notes are useful when configuring and + running winbindd: + + nmbd must be running on the local machine + for winbindd to work. 
winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running + winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal. + + Client processes resolving names through the winbindd + nsswitch module read an environment variable named + $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains. + + PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system. + + If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine. + + If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost. + + + + + Signals + + The following signals can be used to manipulate the + winbindd daemon. + + + + SIGHUP + Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded. + + + + SIGUSR1 + The SIGUSR1 signal will cause + winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd. + + Log files are stored in the filename specified by the + log file parameter. + + + + + + Files + + + + /etc/nsswitch.conf(5) + Name service switch configuration file. + + + + + /tmp/.winbindd/pipe + The UNIX pipe over which clients communicate with + the winbindd program. 
For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root. + + + + /lib/libnss_winbind.so.X + Implementation of name service switch library. + + + + + $LOCKDIR/winbindd_idmap.tdb + Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks + . + + + + $LOCKDIR/winbindd_cache.tdb + Storage for cached user and group information. + + + + + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet. + + + + SEE ALSO + + nsswitch.conf(5), + samba(7), + wbinfo(1), + smb.conf(5) + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + wbinfo and winbindd + were written by Tim Potter. + + The conversion to DocBook for Samba 2.2 was done + by Gerald Carter + + + -- cgit
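Review bot: the SYNOPSIS block is nmblookup's, not winbindd's: it names `nmblookup` and lists `-S`, `-r`, `-A`, `-B <broadcast address>`, `-U <unicast address>`, `-T` and a trailing `name` argument that the OPTIONS section never documents, and `-d debuglevel` appears twice. OPTIONS describes only `-d debuglevel` and `-i`, so the synopsis should read `winbindd [-i] [-d debuglevel]`. Further points in the same hunk: the version statements disagree (DESCRIPTION says "Samba suite version 3.0", VERSION says "correct for version 2.2"); the two enumeration knobs ship with different defaults (`winbind enum users = yes` but `winbind enum groups = no`) with no explanation, so please confirm against the code; the NSS library is `libnss_winbind.so.2` in EXAMPLE SETUP but `libnss_winbind.so.X` in FILES. In the PAM example, replacing every `account` line with `account required /lib/security/pam_winbind.so` leaves no account-stage check for the local users that `pam_pwdb.so` still authenticates, and `nullok` on the `pam_pwdb.so use_first_pass shadow nullok` line admits empty passwords; both deserve a caveat next to the "PAM is really easy to misconfigure" note. Typos: "throught", "sepataror", "priviliges", "a item", "If the the".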