From 9a43d69ac4000d6b7b5a07089f22af4451ea4b31 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 02:34:22 +0000 Subject: autogenerated files.... (This used to be commit edb0e5df4c7053a7163d32bba7ecf893a67523ca) --- docs/htmldocs/winbindd.8.html | 1194 +++++++++++++++++++++++++++++------------ 1 file changed, 860 insertions(+), 334 deletions(-) (limited to 'docs/htmldocs/winbindd.8.html') diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index 2caa9ccf01..a98b7a2864 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,245 +1,594 @@ - - - - - -winbindd (8) - - - - - -
- -

winbindd (8)

-

Samba

-

13 Jun 2000

- - - -

-

NAME

- winbindd - Name Service Switch daemon for resolving names from NT servers -

-

SYNOPSIS

- -

winbindd [-d debuglevel] [-i] -

-

DESCRIPTION

- -

This program is part of the Samba suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -

winbindd is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the /etc/nsswitch.conf file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. -

The service provided by winbindd is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. -

The following nsswitch databases are implemented by the winbindd -service: -

-

passwd
-

User information traditionally stored in the passwd(5) file and used by -getpwent(3) functions. -

group
-

Group information traditionally stored in the group(5) file and used by -getgrent(3) functions. -

-

For example, the following simple configuration in the -/etc/nsswitch.conf file can be used to initially resolve user and group -information from /etc/passwd and /etc/group and then from the -Windows NT server. -

-
-  passwd:         files winbind
-  group:          files winbind
-
-
- -

-

OPTIONS

- -

The following options are available to the winbindd daemon: -

-

-

-d debuglevel
-Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see BUGS.txt). -

-

-i
-Tells winbindd to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of winbindd is -required. -

-

-

NAME AND ID RESOLUTION

- -

Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that winbindd performs. -

As winbindd users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. -

WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by winbindd. If this file is deleted or -corrupted, there is no way for winbindd to determine which user and -group ids correspond to Windows NT user and group rids. -

-

CONFIGURATION

- -

Configuration of the winbindd daemon is done through configuration -parameters in the smb.conf file. All parameters -should be specified in the [global] section of -smb.conf. -

-

winbind separator
-

The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. -

Default: - winbind separator = \ -

Example: - winbind separator = + -

winbind uid
-

The winbind uid parameter specifies the range of user ids that are -allocated by the winbindd daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -

Default: - winbind uid = <empty string> -

Example: - winbind uid = 10000-20000 -

winbind gid
-

The winbind gid parameter specifies the range of group ids that are -allocated by the winbindd daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. -

Default: - winbind gid = <empty string> -

Example: - winbind gid = 10000-20000 -

winbind cache time
-

This parameter specifies the number of seconds the winbindd daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time winbindd will ask -the domain controller for the sequence number of the servers account -database. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing winbindd will only have to send one -sequence number query packet every "winbind cache time" seconds. -

Default: - winbind cache time = 15 -

winbind enum users
-

On large installations it may be necessary to suppress the enumeration of -users through the setpwent, getpwent and endpwent group of -system calls. If the winbind enum users parameter is false, calls to -the getpwent system call will not return any data. -

Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. -

Default: - winbind enum users = true -

winbind enum groups
-

On large installations it may be necessary to suppress the enumeration of -groups through the setgrent, getgrent and endgrent group of -system calls. If the winbind enum groups parameter is false, calls to -the getgrent system call will not return any data. -

Warning: Turning off group enumeration may cause some programs to behave -oddly. -

Default: - winbind enum groups = true -

template homedir
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the home directory for -that user. If the string %D is present it is substituted with the -user's Windows NT domain name. If the string %U is present it is -substituted with the user's Windows NT user name. -

Default: - template homedir = /home/%D/%U -

template shell
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the shell for that user. -

Default: - template shell = /bin/false -

-

-

EXAMPLE SETUP

- -

To setup winbindd for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. -

In /etc/nsswitch.conf put the following: -

-
-   passwd:     files winbind
-   group:      files winbind
-
-
- -

In /etc/pam.d/* replace the auth lines with something like this: -

-
-	auth       required	/lib/security/pam_securetty.so
-	auth       required	/lib/security/pam_nologin.so
-	auth       sufficient	/lib/security/pam_winbind.so
-	auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
-
-
- -

Note in particular the use of the sufficient keyword and the -use_first_pass keyword. -

Now replace the account lines with this: -

-
-	account    required	/lib/security/pam_winbind.so
-
-
- -

The next step is to join the domain. To do that use the samedit -program like this: -

-
-	samedit -S '*' -W DOMAIN -UAdministrator
-
-
- -

The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -

-
-	createuser MACHINE$ -j DOMAIN -L
-
-
- -

This assumes your domain is called DOMAIN and your Samba workstation -is called MACHINE. -

Next copy libnss_winbind.so.2 to /lib and pam_winbind.so to -/lib/security. -

Finally, setup a smb.conf containing directives like the following: -

-
-  [global]
-        winbind separator = +
+winbindd
winbindd
Name
winbindd -- Name Service Switch daemon for resolving names 
+	from NT servers
Synopsis
nmblookup  [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}
DESCRIPTION
This tool is part of the 	Samba suite version 3.0 and describes functionality not 
+	yet implemented in the main version of Samba.
winbindd is a daemon that provides 
+	a service for the Name Service Switch capability that is present 
+	in most modern C libraries.  The Name Service Switch allows user 
+	and system information to be obtained from different databases 
+	services such as NIS or DNS.  The exact behaviour can be configured 
+	throught the /etc/nsswitch.conf file.  
+	Users and groups are allocated as they are resolved to a range 
+	of user and group ids specified by the administrator of the 
+	Samba system.
The service provided by winbindd is called `winbind' and 
+	can be used to resolve user and group information from a 
+	Windows NT server. The service can also provide authentication
+	services via an associated PAM module. 
The following nsswitch databases are implemented by 
+	the winbindd service: 
passwd
User information traditionally stored in 
+		the passwd(5) file and used by 
+		getpwent(3) functions. 
group
Group information traditionally stored in 
+		the group(5) file and used by 		
+		getgrent(3) functions. 
For example, the following simple configuration in the
+	/etc/nsswitch.conf file can be used to initially 
+	resolve user and group information from /etc/passwd
+	 and /etc/group and then from the 
+	Windows NT server. 
passwd:         files winbind
+group:          files winbind
+	
OPTIONS
-d debuglevel
Sets the debuglevel to an integer between 
+		0 and 100. 0 is for no debugging and 100 is for reams and 
+		reams. To submit a bug report to the Samba Team, use debug 
+		level 100 (see BUGS.txt).   
-i
Tells winbindd to not 
+		become a daemon and detach from the current terminal. This 
+		option is used by developers when interactive debugging 
+		of winbindd is required. 
NAME AND ID RESOLUTION
Users and groups on a Windows NT server are assigned 
+	a relative id (rid) which is unique for the domain when the 
+	user or group is created.  To convert the Windows NT user or group 
+	into a unix user or group, a mapping between rids and unix user 
+	and group ids is required.  This is one of the jobs that 	winbindd performs. 
As winbindd users and groups are resolved from a server, user 
+	and group ids are allocated from a specified range.  This
+	is done on a first come, first served basis, although all existing 
+	users and groups will be mapped as soon as a client performs a user 
+	or group enumeration command.  The allocated unix ids are stored 
+	in a database file under the Samba lock directory and will be 
+	remembered. 
WARNING: The rid to unix id database is the only location 
+	where the user and group mappings are stored by winbindd.  If this 
+	file is deleted or corrupted, there is no way for winbindd to 
+	determine which user and group ids correspond to Windows NT user 
+	and group rids. 
CONFIGURATION
Configuration of the winbindd daemon 
+	is done through configuration parameters in the smb.conf(5)
+	 file.  All parameters should be specified in the 
+	[global] section of smb.conf. 
winbind separator
The winbind separator option allows you 
+		to specify how NT domain names and user names are combined 
+		into unix user names when presented to users. By default, 
+		winbindd will use the traditional '\' 
+		separator so that the unix user names look like 
+		DOMAIN\username. In some cases this separator character may 
+		cause problems as the '\' character has special meaning in 
+		unix shells.  In that case you can use the winbind separator 
+		option to specify an alternative sepataror character. Good 
+		alternatives may be '/' (although that conflicts
+		with the unix directory separator) or a '+ 'character. 
+		The '+' character appears to be the best choice for 100% 
+		compatibility with existing unix utilities, but may be an 
+		aesthetically bad choice depending on your taste. 
Default: winbind separator = \ 
+		
Example: winbind separator = + 
winbind uid
The winbind uid parameter specifies the 
+		range of user ids that are allocated by the winbindd daemon.  
+		This range of ids should have no existing local or nis users 
+		within it as strange conflicts can occur otherwise. 
Default: winbind uid = <empty string> 
+		
Example: winbind uid = 10000-20000
winbind gid
The winbind gid parameter specifies the 
+		range of group ids that are allocated by the winbindd daemon.  
+		This range of group ids should have no existing local or nis 
+		groups within it as strange conflicts can occur otherwise.
Default: winbind gid = <empty string>
+		
Example: winbind gid = 10000-20000
+		 
winbind cache time
This parameter specifies the number of 
+		seconds the winbindd daemon will cache user and group information 
+		before querying a Windows NT server again. When a item in the 
+		cache is older than this time winbindd will ask the domain 
+		controller for the sequence number of the servers account database. 
+		If the sequence number has not changed then the cached item is 
+		marked as valid for a further winbind cache time
+		 seconds.  Otherwise the item is fetched from the 
+		server. This means that as long as the account database is not 
+		actively changing winbindd will only have to send one sequence 
+		number query packet every winbind cache time
+		 seconds. 
Default: winbind cache time = 15
+		
winbind enum users
On large installations it may be necessary 
+		to suppress the enumeration of users through the 		setpwent(), getpwent() and 
+		endpwent() group of system calls.  If 
+		the winbind enum users parameter is false, 
+		calls to the getpwent system call will not 
+		return any data. 
Warning: Turning off user enumeration 
+		may cause some programs to behave oddly.  For example, the finger 
+		program relies on having access to the full user list when 
+		searching  for matching usernames. 
Default: winbind enum users = yes 
winbind enum groups
On large installations it may be necessary 
+		to suppress the enumeration of groups through the 		setgrent(), getgrent() and 
+		endgrent() group of system calls.  If 
+		the winbind enum groups parameter is 
+		false, calls to the getgrent() system 
+		call will not return any data. 
Warning: Turning off group 
+		enumeration may cause some programs to behave oddly. 
+		
Default: winbind enum groups = no 
+		
template homedir
When filling out the user information 
+		for a Windows NT user, the winbindd daemon 
+		uses this parameter to fill in the home directory for that user.  
+		If the string %D is present it is 
+		substituted with the user's Windows NT domain name.  If the 
+		string %U is present it is substituted
+		with the user's Windows NT user name. 
Default: template homedir = /home/%D/%U 
+		
template shell
When filling out the user information for 
+ 		a Windows NT user, the winbindd daemon 
+		uses this parameter to fill in the shell for that user. 
+		
Default: template shell = /bin/false 
+		
EXAMPLE SETUP
To setup winbindd for user and group lookups plus 
+	authentication from a domain controller use something like the 
+	following setup. This was tested on a RedHat 6.2 Linux box. 
In /etc/nsswitch.conf put the 
+	following:
passwd:     files winbind
+group:      files winbind
+	
In /etc/pam.d/* replace the 
+	auth lines with something like this: 
auth       required	/lib/security/pam_securetty.so
+auth       required	/lib/security/pam_nologin.so
+auth       sufficient	/lib/security/pam_winbind.so
+auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
+	
Note in particular the use of the sufficient 
+	keyword and the use_first_pass keyword. 
Now replace the account lines with this: 
account    required	/lib/security/pam_winbind.so
+	
The next step is to join the domain. To do that use the 
+	samedit program like this:  
samedit -S '*' -W DOMAIN -UAdministrator
The username after the -U can be any Domain 
+	user that has administrator priviliges on the machine. Next from 
+	within samedit, run the command: 
createuser MACHINE$ -j DOMAIN -L
This assumes your domain is called "DOMAIN" and your Samba 
+	workstation is called "MACHINE". 
Next copy libnss_winbind.so.2 to 
+	/lib and pam_winbind.so
+	to /lib/security.
Finally, setup a smb.conf containing directives like the 
+	following:  
[global]
+	winbind separator = +
         winbind cache time = 10
         template shell = /bin/bash
         template homedir = /home/%D/%U
@@ -248,95 +597,272 @@ is called MACHINE.
         workgroup = DOMAIN
         security = domain
         password server = *
-
-

-
-
Now start winbindd and you should find that your user and group
-database is expanded to include your NT users and groups, and that you
-can login to your unix box as a domain user, using the DOMAIN+user
-syntax for the username. You may wish to use the commands "getent
-passwd" and "getent group" to confirm the correct operation of
-winbindd. 
-

-
NOTES

-    
-
The following notes are useful when configuring and running winbindd:
-

-

-nmbd must be running on the local machine for
-winbindd to work.
-

-winbindd queries the list of trusted domains for the Windows NT server
-on startup and when a SIGHUP is received.  Thus, for a running winbindd
-to become aware of new trust relationships between servers, it must be sent
-a SIGHUP signal.
-
 
-Client processes resolving names through the winbindd nsswitch module
-read an environment variable named WINBINDD_DOMAIN.  If this variable
-contains a comma separated list of Windows NT domain names, then winbindd
-will only resolve users and groups within those Windows NT domains.
-

-PAM is really easy to misconfigure.  Make sure you know what you are doing
-when modifying PAM configuration files.  It is possible to set up PAM
-such that you can no longer log into your system.
-

-If more than one UNIX machine is running winbindd, then in general the
-user and groups ids allocated by winbindd will not be the same.  The
-user and group ids will only be valid for the local machine.  
-

-If the the Windows NT RID to UNIX user and group id mapping file
-is damaged or destroyed then the mappings will be lost.
-

-

-
SIGNALS

-    
-
The following signals can be used to manipulate the winbindd daemon.
-

-
SIGHUP

-
Reload the smb.conf file and apply any parameter changes to the running
-version of winbindd.  This signal also clears any cached user and group
-information.  The list of other domains trusted by winbindd is also
-reloaded. 
-
SIGUSR1

-
The SIGUSR1 signal will cause winbindd to write status information
-to the winbind log file including information about the number of user and
-group ids allocated by winbindd.
-
Log files are stored in the filename specified by the log file parameter.
-

-

-
FILES

-    
-
The following files are relevant to the operation of the winbindd
-daemon.
-

-
/etc/nsswitch.conf(5)

-
Name service switch configuration file.
-
/tmp/.winbindd/pipe

-
The UNIX pipe over which clients communicate with the winbindd program.
-For security reasons, the winbind client will only attempt to connect to the
-winbindd daemon if both the /tmp/.winbindd directory and
-/tmp/.winbindd/pipe file are owned by root.
-
/lib/libnss_winbind.so.X

-
Implementation of name service switch library. 
-
$LOCKDIR/winbindd_idmap.tdb

-
Storage for the Windows NT rid to UNIX user/group id mapping.  The lock
-directory is specified when Samba is initially compiled using the
---with-lockdir option.  This directory is by default
-/usr/local/samba/var/locks.
-
$LOCKDIR/winbindd_cache.tdb

-
Storage for cached user and group information.
-

-

-
SEE ALSO

-    
-
samba(7), smb.conf(5), 
-nsswitch.conf(5), wbinfo(1)
-

-
AUTHOR

-    
-
The original Samba software and related utilities were created by
-Andrew Tridgell. Samba is now developed by the Samba Team as an Open
-Source project.
-
winbindd was written by Tim Potter.
-
-
+

Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd.

Notes

The following notes are useful when configuring and + running winbindd:

nmbd must be running on the local machine + for winbindd to work. winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal.

Client processes resolving names through the winbindd + nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains.

PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine.

If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

Signals

The following signals can be used to manipulate the + winbindd daemon.

SIGHUP

Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded.

SIGUSR1

The SIGUSR1 signal will cause winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd.

Log files are stored in the filename specified by the + log file parameter.

Files

/etc/nsswitch.conf(5)

Name service switch configuration file.

/tmp/.winbindd/pipe

The UNIX pipe over which clients communicate with + the winbindd program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root.

/lib/libnss_winbind.so.X

Implementation of name service switch library. +

$LOCKDIR/winbindd_idmap.tdb

Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks + .

$LOCKDIR/winbindd_cache.tdb

Storage for cached user and group information. +

VERSION

This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.

SEE ALSO

nsswitch.conf(5), + samba(7), + wbinfo(1), + smb.conf(5)

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

wbinfo and winbindd + were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter

\ No newline at end of file -- cgit