winbindd

Name

winbindd — Name Service Switch daemon for resolving names - from NT servers

Synopsis

winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

DESCRIPTION

This program is part of the Samba(7) suite.

winbindd is a daemon that provides - a service for the Name Service Switch capability that is present - in most modern C libraries. The Name Service Switch allows user - and system information to be obtained from different databases - services such as NIS or DNS. The exact behaviour can be configured - throught the /etc/nsswitch.conf file. - Users and groups are allocated as they are resolved to a range - of user and group ids specified by the administrator of the - Samba system.

The service provided by winbindd is called `winbind' and - can be used to resolve user and group information from a - Windows NT server. The service can also provide authentication - services via an associated PAM module.

- The pam_winbind module in the 2.2.2 release only - supports the auth and account - module-types. The latter simply - performs a getpwnam() to verify that the system can obtain a uid for the - user. If the libnss_winbind library has been correctly - installed, this should always succeed. -

The following nsswitch databases are implemented by - the winbindd service:

hosts: User information traditionally stored in - the hosts(5) file and used by - gethostbyname(3) functions. Names are - resolved through the WINS server or by broadcast. -
passwd: User information traditionally stored in - the passwd(5) file and used by - getpwent(3) functions.
group: Group information traditionally stored in - the group(5) file and used by - getgrent(3) functions.

For example, the following simple configuration in the - /etc/nsswitch.conf file can be used to initially - resolve user and group information from /etc/passwd - and /etc/group and then from the - Windows NT server. -

-passwd:         files winbind
-group:          files winbind
-

The following simple configuration in the - /etc/nsswitch.conf file can be used to initially - resolve hostnames from /etc/hosts and then from the - WINS server.

OPTIONS

-F

If specified, this parameter causes - the main winbindd process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - winbindd under process supervisors such - as supervise and svscan - from Daniel J. Bernstein's daemontools - package, or the AIX process monitor. -

-S

If specified, this parameter causes - winbindd to log to standard output rather - than a file.

-V

Prints the program version number. -

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See smb.conf for more information. -The default configuration file name is determined at -compile time.

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day-to-day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the log level parameter -in the smb.conf file.

-l|--logfile=logbasename

File name for log/debug files. The extension -".client" will be appended. The log file is -never removed by the client. -

-h|--help

Print a summary of command line options. -

-i

Tells winbindd to not - become a daemon and detach from the current terminal. This - option is used by developers when interactive debugging - of winbindd is required. - winbindd also logs to standard output, - as if the -S parameter had been given. -

-n

Disable caching. This means winbindd will - always have to wait for a response from the domain controller - before it can respond to a client and this thus makes things - slower. The results will however be more accurate, since - results from the cache might not be up-to-date. This - might also temporarily hang winbindd if the DC doesn't respond. -

-Y

Single daemon mode. This means winbindd will run - as a single process (the mode of operation in Samba 2.2). Winbindd's - default behavior is to launch a child process that is responsible for - updating expired cache entries. -

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned - a relative id (rid) which is unique for the domain when the - user or group is created. To convert the Windows NT user or group - into a unix user or group, a mapping between rids and unix user - and group ids is required. This is one of the jobs that - winbindd performs.

As winbindd users and groups are resolved from a server, user - and group ids are allocated from a specified range. This - is done on a first come, first served basis, although all existing - users and groups will be mapped as soon as a client performs a user - or group enumeration command. The allocated unix ids are stored - in a database file under the Samba lock directory and will be - remembered.

WARNING: The rid to unix id database is the only location - where the user and group mappings are stored by winbindd. If this - file is deleted or corrupted, there is no way for winbindd to - determine which user and group ids correspond to Windows NT user - and group rids.

CONFIGURATION

Configuration of the winbindd daemon - is done through configuration parameters in the smb.conf(5) file. All parameters should be specified in the - [global] section of smb.conf.

- winbind separator
- idmap uid
- idmap gid
- winbind cache time
- winbind enum users
- winbind enum groups
- template homedir
- template shell
- winbind use default domain

EXAMPLE SETUP

To setup winbindd for user and group lookups plus - authentication from a domain controller use something like the - following setup. This was tested on a RedHat 6.2 Linux box.

In /etc/nsswitch.conf put the - following: -

-passwd:     files winbind
-group:      files winbind
-

In /etc/pam.d/* replace the - auth lines with something like this: -

-auth       required	/lib/security/pam_securetty.so
-auth       required	/lib/security/pam_nologin.so
-auth       sufficient	/lib/security/pam_winbind.so
-auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
-

Note in particular the use of the sufficient - keyword and the use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so -

The next step is to join the domain. To do that use the - net program like this:

net join -S PDC -U Administrator

The username after the -U can be any - Domain user that has administrator privileges on the machine. - Substitute the name or IP of your PDC for "PDC".

Next copy libnss_winbind.so to - /lib and pam_winbind.so - to /lib/security. A symbolic link needs to be - made from /lib/libnss_winbind.so to - /lib/libnss_winbind.so.2. If you are using an - older version of glibc then the target of the link should be - /lib/libnss_winbind.so.1.

Finally, setup a smb.conf(5) containing directives like the - following: -

-[global]
-	winbind separator = +
-        winbind cache time = 10
-        template shell = /bin/bash
-        template homedir = /home/%D/%U
-        idmap uid = 10000-20000
-        idmap gid = 10000-20000
-        workgroup = DOMAIN
-        security = domain
-        password server = *
-

Now start winbindd and you should find that your user and - group database is expanded to include your NT users and groups, - and that you can login to your unix box as a domain user, using - the DOMAIN+user syntax for the username. You may wish to use the - commands getent passwd and getent group - to confirm the correct operation of winbindd.

NOTES

The following notes are useful when configuring and - running winbindd:

nmbd(8) must be running on the local machine - for winbindd to work. winbindd queries - the list of trusted domains for the Windows NT server - on startup and when a SIGHUP is received. Thus, for a running - winbindd to become aware of new trust relationships between - servers, it must be sent a SIGHUP signal.

PAM is really easy to misconfigure. Make sure you know what - you are doing when modifying PAM configuration files. It is possible - to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, - then in general the user and groups ids allocated by winbindd will not - be the same. The user and group ids will only be valid for the local - machine.

If the the Windows NT RID to UNIX user and group id mapping - file is damaged or destroyed then the mappings will be lost.

SIGNALS

The following signals can be used to manipulate the - winbindd daemon.

SIGHUP

Reload the smb.conf(5) file and - apply any parameter changes to the running - version of winbindd. This signal also clears any cached - user and group information. The list of other domains trusted - by winbindd is also reloaded.

SIGUSR2

The SIGUSR2 signal will cause - winbindd to write status information to the winbind - log file including information about the number of user and - group ids allocated by winbindd.

Log files are stored in the filename specified by the - log file parameter.

FILES

/etc/nsswitch.conf(5): Name service switch configuration file.
/tmp/.winbindd/pipe: The UNIX pipe over which clients communicate with - the winbindd program. For security reasons, the - winbind client will only attempt to connect to the winbindd daemon - if both the /tmp/.winbindd directory - and /tmp/.winbindd/pipe file are owned by - root.
$LOCKDIR/winbindd_privilaged/pipe: The UNIX pipe over which 'privilaged' clients - communicate with the winbindd program. For security - reasons, access to some winbindd functions - like those needed by - the ntlm_auth utility - is restricted. By default, - only users in the 'root' group will get this access, however the administrator - may change the group permissions on $LOCKDIR/winbindd_privilaged to allow - programs like 'squid' to use ntlm_auth. - Note that the winbind client will only attempt to connect to the winbindd daemon - if both the $LOCKDIR/winbindd_privilaged directory - and $LOCKDIR/winbindd_privilaged/pipe file are owned by - root.
/lib/libnss_winbind.so.X: Implementation of name service switch library. -
$LOCKDIR/winbindd_idmap.tdb: Storage for the Windows NT rid to UNIX user/group - id mapping. The lock directory is specified when Samba is initially - compiled using the --with-lockdir option. - This directory is by default /usr/local/samba/var/locks -.
$LOCKDIR/winbindd_cache.tdb: Storage for cached user and group information. -

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

wbinfo and winbindd were - written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.