From 9a43d69ac4000d6b7b5a07089f22af4451ea4b31 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 02:34:22 +0000 Subject: autogenerated files.... (This used to be commit edb0e5df4c7053a7163d32bba7ecf893a67523ca) --- docs/htmldocs/winbindd.8.html | 1194 +++++++++++++++++++++++++++++------------ 1 file changed, 860 insertions(+), 334 deletions(-) (limited to 'docs/htmldocs/winbindd.8.html') diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index 2caa9ccf01..a98b7a2864 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,245 +1,594 @@ - - - - - -winbindd (8) - - - - - -
- -

winbindd (8)

-

Samba

-

13 Jun 2000

- - - -

-

NAME

- winbindd - Name Service Switch daemon for resolving names from NT servers -

-

SYNOPSIS

- -

winbindd [-d debuglevel] [-i] -

-

DESCRIPTION

- -

This program is part of the Samba suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -

winbindd is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the /etc/nsswitch.conf file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. -

The service provided by winbindd is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. -

The following nsswitch databases are implemented by the winbindd -service: -

-

passwd
-

User information traditionally stored in the passwd(5) file and used by -getpwent(3) functions. -

group
-

Group information traditionally stored in the group(5) file and used by -getgrent(3) functions. -

-

For example, the following simple configuration in the -/etc/nsswitch.conf file can be used to initially resolve user and group -information from /etc/passwd and /etc/group and then from the -Windows NT server. -

-
-  passwd:         files winbind
-  group:          files winbind
-
-
- -

-

OPTIONS

- -

The following options are available to the winbindd daemon: -

-

-

-d debuglevel
-Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see BUGS.txt). -

-

-i
-Tells winbindd to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of winbindd is -required. -

-

-

NAME AND ID RESOLUTION

- -

Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that winbindd performs. -

As winbindd users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. -

WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by winbindd. If this file is deleted or -corrupted, there is no way for winbindd to determine which user and -group ids correspond to Windows NT user and group rids. -

-

CONFIGURATION

- -

Configuration of the winbindd daemon is done through configuration -parameters in the smb.conf file. All parameters -should be specified in the [global] section of -smb.conf. -

-

winbind separator
-

The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. -

Default: - winbind separator = \ -

Example: - winbind separator = + -

winbind uid
-

The winbind uid parameter specifies the range of user ids that are -allocated by the winbindd daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -

Default: - winbind uid = <empty string> -

Example: - winbind uid = 10000-20000 -

winbind gid
-

The winbind gid parameter specifies the range of group ids that are -allocated by the winbindd daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. -

Default: - winbind gid = <empty string> -

Example: - winbind gid = 10000-20000 -

winbind cache time
-

This parameter specifies the number of seconds the winbindd daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time winbindd will ask -the domain controller for the sequence number of the servers account -database. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing winbindd will only have to send one -sequence number query packet every "winbind cache time" seconds. -

Default: - winbind cache time = 15 -

winbind enum users
-

On large installations it may be necessary to suppress the enumeration of -users through the setpwent, getpwent and endpwent group of -system calls. If the winbind enum users parameter is false, calls to -the getpwent system call will not return any data. -

Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. -

Default: - winbind enum users = true -

winbind enum groups
-

On large installations it may be necessary to suppress the enumeration of -groups through the setgrent, getgrent and endgrent group of -system calls. If the winbind enum groups parameter is false, calls to -the getgrent system call will not return any data. -

Warning: Turning off group enumeration may cause some programs to behave -oddly. -

Default: - winbind enum groups = true -

template homedir
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the home directory for -that user. If the string %D is present it is substituted with the -user's Windows NT domain name. If the string %U is present it is -substituted with the user's Windows NT user name. -

Default: - template homedir = /home/%D/%U -

template shell
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the shell for that user. -

Default: - template shell = /bin/false -

-

-

EXAMPLE SETUP

- -

To setup winbindd for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. -

In /etc/nsswitch.conf put the following: -

-
-   passwd:     files winbind
-   group:      files winbind
-
-
- -

In /etc/pam.d/* replace the auth lines with something like this: -

-
-	auth       required	/lib/security/pam_securetty.so
-	auth       required	/lib/security/pam_nologin.so
-	auth       sufficient	/lib/security/pam_winbind.so
-	auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
-
-
- -

Note in particular the use of the sufficient keyword and the -use_first_pass keyword. -

Now replace the account lines with this: -

-
-	account    required	/lib/security/pam_winbind.so
-
-
- -

The next step is to join the domain. To do that use the samedit -program like this: -

-
-	samedit -S '*' -W DOMAIN -UAdministrator
-
-
- -

The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -

-
-	createuser MACHINE$ -j DOMAIN -L
-
-
- -

This assumes your domain is called DOMAIN and your Samba workstation -is called MACHINE. -

Next copy libnss_winbind.so.2 to /lib and pam_winbind.so to -/lib/security. -

Finally, setup a smb.conf containing directives like the following: -

-
-  [global]
-        winbind separator = +
+winbindd

winbindd

Name

winbindd -- Name Service Switch daemon for resolving names + from NT servers

Synopsis

nmblookup [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}

DESCRIPTION

This tool is part of the Samba suite version 3.0 and describes functionality not + yet implemented in the main version of Samba.

winbindd is a daemon that provides + a service for the Name Service Switch capability that is present + in most modern C libraries. The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the /etc/nsswitch.conf file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system.

The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module.

The following nsswitch databases are implemented by + the winbindd service:

passwd

User information traditionally stored in + the passwd(5) file and used by + getpwent(3) functions.

group

Group information traditionally stored in + the group(5) file and used by + getgrent(3) functions.

For example, the following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve user and group information from /etc/passwd + and /etc/group and then from the + Windows NT server.

passwd:         files winbind
+group:          files winbind
+	

OPTIONS

-d debuglevel

Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt).

-i

Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of winbindd is required.

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned + a relative id (rid) which is unique for the domain when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between rids and unix user + and group ids is required. This is one of the jobs that winbindd performs.

As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered.

WARNING: The rid to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids.

CONFIGURATION

Configuration of the winbindd daemon + is done through configuration parameters in the smb.conf(5) + file. All parameters should be specified in the + [global] section of smb.conf.

winbind separator

The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + winbindd will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. In that case you can use the winbind separator + option to specify an alternative sepataror character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste.

Default: winbind separator = \ +

Example: winbind separator = +

winbind uid

The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or nis users + within it as strange conflicts can occur otherwise.

Default: winbind uid = <empty string> +

Example: winbind uid = 10000-20000

winbind gid

The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or nis + groups within it as strange conflicts can occur otherwise.

Default: winbind gid = <empty string> +

Example: winbind gid = 10000-20000 +

winbind cache time

This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the servers account database. + If the sequence number has not changed then the cached item is + marked as valid for a further winbind cache time + seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every winbind cache time + seconds.

Default: winbind cache time = 15 +

winbind enum users

On large installations it may be necessary + to suppress the enumeration of users through the setpwent(), getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is false, + calls to the getpwent system call will not + return any data.

Warning: Turning off user enumeration + may cause some programs to behave oddly. For example, the finger + program relies on having access to the full user list when + searching for matching usernames.

Default: winbind enum users = yes

winbind enum groups

On large installations it may be necessary + to suppress the enumeration of groups through the setgrent(), getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + false, calls to the getgrent() system + call will not return any data.

Warning: Turning off group + enumeration may cause some programs to behave oddly. +

Default: winbind enum groups = no +

template homedir

When filling out the user information + for a Windows NT user, the winbindd daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is + substituted with the user's Windows NT domain name. If the + string %U is present it is substituted + with the user's Windows NT user name.

Default: template homedir = /home/%D/%U +

template shell

When filling out the user information for + a Windows NT user, the winbindd daemon + uses this parameter to fill in the shell for that user. +

Default: template shell = /bin/false +

EXAMPLE SETUP

To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on a RedHat 6.2 Linux box.

In /etc/nsswitch.conf put the + following:

passwd:     files winbind
+group:      files winbind
+	

In /etc/pam.d/* replace the + auth lines with something like this:

auth       required	/lib/security/pam_securetty.so
+auth       required	/lib/security/pam_nologin.so
+auth       sufficient	/lib/security/pam_winbind.so
+auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
+	

Note in particular the use of the sufficient + keyword and the use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so +

The next step is to join the domain. To do that use the + samedit program like this:

samedit -S '*' -W DOMAIN -UAdministrator

The username after the -U can be any Domain + user that has administrator priviliges on the machine. Next from + within samedit, run the command:

createuser MACHINE$ -j DOMAIN -L

This assumes your domain is called "DOMAIN" and your Samba + workstation is called "MACHINE".

Next copy libnss_winbind.so.2 to + /lib and pam_winbind.so + to /lib/security.

Finally, setup a smb.conf containing directives like the + following:

[global]
+	winbind separator = +
         winbind cache time = 10
         template shell = /bin/bash
         template homedir = /home/%D/%U
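Review bot: the regenerated SYNOPSIS is wrong. The `+nmblookup [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] ...` line is the synopsis of nmblookup(1), not of winbindd; the removed `-winbindd [-d debuglevel] [-i]` line was correct and matches the OPTIONS section of this same page, which documents only -d and -i. Fix the DocBook source so the generated synopsis reads `winbindd [-d debuglevel] [-i]` before committing the autogenerated HTML. Second, this regeneration silently changes documented defaults: `winbind enum users` goes from `true` to `yes` (harmless) but `winbind enum groups` goes from `true` to `no`, which, per the paragraph above it, would mean getgrent() returns no domain groups out of the box; confirm against the actual loadparm default rather than letting a doc conversion redefine behaviour. Third, the PAM example keeps `auth sufficient /lib/security/pam_winbind.so` ahead of `auth required /lib/security/pam_pwdb.so use_first_pass ...` and says "note in particular the use of the sufficient keyword" without saying why; one sentence (a winbind success short-circuits the local password check, a failure falls through to pam_pwdb with the same password) would make the security consequence explicit. Finally, the conversion carries over the spelling errors "throught", "sepataror" and "priviliges", and introduces a stray space in `'+ 'character`.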
@@ -248,95 +597,272 @@ is called MACHINE.
         workgroup = DOMAIN
         security = domain
         password server = *
-
-
- -

Now start winbindd and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the DOMAIN+user -syntax for the username. You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -winbindd. -

-

NOTES

- -

The following notes are useful when configuring and running winbindd: -

-

-nmbd must be running on the local machine for -winbindd to work. -

-winbindd queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received. Thus, for a running winbindd -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal. -

-Client processes resolving names through the winbindd nsswitch module -read an environment variable named WINBINDD_DOMAIN. If this variable -contains a comma separated list of Windows NT domain names, then winbindd -will only resolve users and groups within those Windows NT domains. -

-PAM is really easy to misconfigure. Make sure you know what you are doing -when modifying PAM configuration files. It is possible to set up PAM -such that you can no longer log into your system. -

-If more than one UNIX machine is running winbindd, then in general the -user and groups ids allocated by winbindd will not be the same. The -user and group ids will only be valid for the local machine. -

-If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost. -

-

-

SIGNALS

- -

The following signals can be used to manipulate the winbindd daemon. -

-

SIGHUP
-

Reload the smb.conf file and apply any parameter changes to the running -version of winbindd. This signal also clears any cached user and group -information. The list of other domains trusted by winbindd is also -reloaded. -

SIGUSR1
-

The SIGUSR1 signal will cause winbindd to write status information -to the winbind log file including information about the number of user and -group ids allocated by winbindd. -

Log files are stored in the filename specified by the log file parameter. -

-

-

FILES

- -

The following files are relevant to the operation of the winbindd -daemon. -

-

/etc/nsswitch.conf(5)
-

Name service switch configuration file. -

/tmp/.winbindd/pipe
-

The UNIX pipe over which clients communicate with the winbindd program. -For security reasons, the winbind client will only attempt to connect to the -winbindd daemon if both the /tmp/.winbindd directory and -/tmp/.winbindd/pipe file are owned by root. -

/lib/libnss_winbind.so.X
-

Implementation of name service switch library. -

$LOCKDIR/winbindd_idmap.tdb
-

Storage for the Windows NT rid to UNIX user/group id mapping. The lock -directory is specified when Samba is initially compiled using the ---with-lockdir option. This directory is by default -/usr/local/samba/var/locks. -

$LOCKDIR/winbindd_cache.tdb
-

Storage for cached user and group information. -

-

-

SEE ALSO

- -

samba(7), smb.conf(5), -nsswitch.conf(5), wbinfo(1) -

-

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -

winbindd was written by Tim Potter. - - +

Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd.

Notes

The following notes are useful when configuring and + running winbindd:

nmbd must be running on the local machine + for winbindd to work. winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal.

Client processes resolving names through the winbindd + nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains.

PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine.

If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

Signals

The following signals can be used to manipulate the + winbindd daemon.

SIGHUP

Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded.

SIGUSR1

The SIGUSR1 signal will cause winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd.

Log files are stored in the filename specified by the + log file parameter.

Files

/etc/nsswitch.conf(5)

Name service switch configuration file.

/tmp/.winbindd/pipe

The UNIX pipe over which clients communicate with + the winbindd program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root.

/lib/libnss_winbind.so.X

Implementation of name service switch library. +

$LOCKDIR/winbindd_idmap.tdb

Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks + .

$LOCKDIR/winbindd_cache.tdb

Storage for cached user and group information. +

VERSION

This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.

SEE ALSO

nsswitch.conf(5), + samba(7), + wbinfo(1), + smb.conf(5)

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

wbinfo and winbindd + were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter

\ No newline at end of file -- cgit
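Review bot: the new VERSION section ("This man page is correct for version 2.2 of the Samba suite") contradicts the DESCRIPTION kept earlier in the same regenerated page ("part of the Samba suite version 3.0"); pick one version for the page. In the Notes paragraph the environment variable is now written `$WINBINDD_DOMAIN` where the removed text had `WINBINDD_DOMAIN`; the variable name is WINBINDD_DOMAIN and the `$` is shell expansion syntax, so drop it from the DocBook source. The conversion also merges two separate notes ("nmbd must be running on the local machine" and the SIGHUP trusted-domain reload) into one paragraph, which reads as if the SIGHUP behaviour depended on nmbd; keep them as separate items as the old list had them. The doubled word in "If the the Windows NT RID to UNIX user and group id mapping file" survives the rewrite, and the SIGUSR1 entry ends with "Log files are stored in the filename specified by the log file parameter" as a loose sentence rather than part of the SIGUSR1 description.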