From 20967627378194121bc48bf387838b8bd7682478 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 18 Mar 2003 16:48:14 +0000
Subject: Regenerate

(This used to be commit 25db62e3101dbcae8e9daee3cb16430297afa223)
---
 docs/htmldocs/winbind.html | 298 ++++++++++++++++++++++-----------------------
 1 file changed, 144 insertions(+), 154 deletions(-)

(limited to 'docs/htmldocs/winbind.html')

diff --git a/docs/htmldocs/winbind.html b/docs/htmldocs/winbind.html
index d587696817..991876796e 100644
--- a/docs/htmldocs/winbind.html
+++ b/docs/htmldocs/winbind.html
@@ -5,7 +5,7 @@ >Unified Logons between Windows NT and UNIX using Winbind

14.1. Abstract

14.1. Abstract

Integration of UNIX and Microsoft Windows NT through a unified logon has been considered a "holy grail" in heterogeneous @@ -107,9 +107,9 @@ CLASS="SECT1" >

14.2. Introduction

14.2. Introduction

It is well known that UNIX and Microsoft Windows NT have different models for representing user and group information and @@ -161,9 +161,9 @@ CLASS="SECT1" >

14.3. What Winbind Provides

14.3. What Winbind Provides

Winbind unifies UNIX and Windows NT account management by allowing a UNIX box to become a full member of a NT domain. Once @@ -203,9 +203,9 @@ CLASS="SECT2" >

14.3.1. Target Uses

14.3.1. Target Uses

Winbind is targeted at organizations that have an existing NT based domain infrastructure into which they wish @@ -227,9 +227,9 @@ CLASS="SECT1" >

14.4. How Winbind Works

14.4. How Winbind Works

The winbind system is designed around a client/server architecture. A long running

14.4.1. Microsoft Remote Procedure Calls

14.4.1. Microsoft Remote Procedure Calls

Over the last few years, efforts have been underway by various Samba Team members to decode various aspects of @@ -273,9 +273,9 @@ CLASS="SECT2" >

14.4.2. Microsoft Active Directory Services

14.4.2. Microsoft Active Directory Services

Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its 'Native @@ -292,9 +292,9 @@ CLASS="SECT2" >

14.4.3. Name Service Switch

14.4.3. Name Service Switch

The Name Service Switch, or NSS, is a feature that is present in many UNIX operating systems. It allows system @@ -372,9 +372,9 @@ CLASS="SECT2" >

14.4.4. Pluggable Authentication Modules

14.4.4. Pluggable Authentication Modules

Pluggable Authentication Modules, also known as PAM, is a system for abstracting authentication and authorization @@ -421,9 +421,9 @@ CLASS="SECT2" >

14.4.5. User and Group ID Allocation

14.4.5. User and Group ID Allocation

When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID). This is @@ -447,9 +447,9 @@ CLASS="SECT2" >

14.4.6. Result Caching

14.4.6. Result Caching

An active system can generate a lot of user and group name lookups. To reduce the network cost of these lookups winbind @@ -470,9 +470,9 @@ CLASS="SECT1" >

14.5. Installation and Configuration

14.5. Installation and Configuration

Many thanks to John Trostel

14.5.1. Introduction

14.5.1. Introduction

This HOWTO describes the procedures used to get winbind up and running on my RedHat 7.1 system. Winbind is capable of providing access @@ -556,9 +556,9 @@ CLASS="SECT2" >

14.5.2. Requirements

14.5.2. Requirements

If you have a samba configuration file that you are currently using...

14.5.3. Testing Things Out

14.5.3. Testing Things Out

Before starting, it is probably best to kill off all the SAMBA related daemons running on your server. Kill off all

14.5.3.1. Configure and compile SAMBA

14.5.3.1. Configure and compile SAMBA

The configuration and compilation of SAMBA is pretty straightforward. The first three steps may not be necessary depending upon @@ -681,44 +681,44 @@ whether or not you have previously built the Samba binaries.

root#root# autoconf
-root#root# make clean
-root#root# rm config.cache
-root#root# ./configure
-root#root# make
-root#root# make install

14.5.3.2. Configure nsswitch.conf and the -winbind libraries

The libraries needed to run the daemon through nsswitch need to be copied to their proper locations, so

root#root# cp ../samba/source/nsswitch/libnss_winbind.so /lib

I also found it necessary to make the following symbolic link:

root#root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

And, in the case of Sun solaris:

root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 -root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 -root#root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2

root#root# /sbin/ldconfig -v | grep winbind

14.5.3.3. Configure smb.conf

14.5.3.3. Configure smb.conf

Several parameters are needed in the smb.conf file to control the behavior of

[global]
-     <...>
+     <...>
      # separate domain and username with '+', like DOMAIN+username
      

14.5.3.4. Join the SAMBA server to the PDC domain

14.5.3.4. Join the SAMBA server to the PDC domain

Enter the following command to make the SAMBA server join the -PDC domain, where DOMAINDOMAIN is the name of -your Windows domain and AdministratorAdministrator is a domain user who has administrative privileges in the domain.

root#root# /usr/local/samba/bin/net join -S PDC -U Administrator

The proper response to the command should be: "Joined the domain -DOMAIN" where DOMAIN" where DOMAINDOMAIN is your DOMAIN name.

14.5.3.5. Start up the winbindd daemon and test it!

14.5.3.5. Start up the winbindd daemon and test it!

Eventually, you will want to modify your smb startup script to automatically invoke the winbindd daemon when the other parts of @@ -973,9 +965,9 @@ SAMBA start, but it is possible to test out just the winbind portion first. To start up winbind services, enter the following command as root:

root#root# /usr/local/samba/bin/winbinddI'm always paranoid and like to make sure the daemon is really running...

root#root# ps -ae | grep winbinddNow... for the real test, try to get some information about the users on your PDC

root#root# /usr/local/samba/bin/wbinfo -u

Obviously, I have named my domain 'CEO' and my Obviously, I have named my domain 'CEO' and my winbind -separator is '+'.

You can do the same sort of thing to get group information from @@ -1034,9 +1024,9 @@ the PDC:

root#root# /usr/local/samba/bin/wbinfo -g

root#root# getent passwd

The same thing can be done for groups with the command

root#root# getent group

14.5.3.6. Fix the init.d startup scripts

14.5.3.6. Fix the init.d startup scripts

14.5.3.6.1. Linux

14.5.3.6.1. Linux

The

14.5.3.6.2. Solaris

14.5.3.6.2. Solaris

On solaris, you need to modify the

14.5.3.6.3. Restarting

14.5.3.6.3. Restarting

If you restart the

14.5.3.7. Configure Winbind and PAM

14.5.3.7. Configure Winbind and PAM

If you have made it this far, you know that winbindd and samba are working together. If you want to use winbind to provide authentication for other @@ -1305,9 +1295,9 @@ CLASS="FILENAME" > directory by invoking the command

root#root# make nsswitch/pam_winbind.so/usr/lib/security.

root#root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security

14.5.3.7.1. Linux/FreeBSD-specific PAM configuration

14.5.3.7.1. Linux/FreeBSD-specific PAM configuration

The

14.5.3.7.2. Solaris-specific configuration

14.5.3.7.2. Solaris-specific configuration

The /etc/pam.conf needs to be changed. I changed this file so that my Domain users can logon both locally as well as telnet.The following are the changes @@ -1559,9 +1549,9 @@ CLASS="SECT1" >

14.6. Limitations

14.6. Limitations

Winbind has a number of limitations in its current released version that we hope to overcome in future @@ -1601,9 +1591,9 @@ CLASS="SECT1" >

14.7. Conclusion

14.7. Conclusion

The winbind system, through the use of the Name Service Switch, Pluggable Authentication Modules, and appropriate -- cgit
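Review bot: The subject "Regenerate" does not say what docs/htmldocs/winbind.html was regenerated from or with which tool, and most of the 144 insertions and 154 deletions are section headings such as "14.1. Abstract" and "14.4.3. Name Service Switch" whose text reads the same on both sides. Please name the source document and the generator in the commit message so a reader can tell markup churn from a real content change, or consider not tracking the generated HTML at all.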
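Review bot: Several wording errors in the unchanged context lines will survive every regenerate unless they are fixed in the source document rather than in this generated file. In 14.4.5, "is created under Windows NT is it allocated a numerical relative identifier" should read "it is allocated"; in 14.5.3.7.2, "telnet.The following" is missing a space; in 14.5.3.2, "Sun solaris" should be capitalised as "Solaris"; and 14.5.3.5 repeats "Obviously, I have named my domain 'CEO' and my" twice on one line.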
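Review bot: The Solaris PAM text in 14.5.3.7.2 describes changing /etc/pam.conf so that "my Domain users can logon both locally as well as telnet" without saying what that means for domain credentials. Telnet carries the password in clear text, so the source document should either say so next to this step or show the same pam.conf change for an encrypted login service. The same section and 14.5.3.4 ("net join -S PDC -U Administrator") would also benefit from a sentence on which account privileges are actually required, since the text only says "a domain user who has administrative privileges".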