From 9a43d69ac4000d6b7b5a07089f22af4451ea4b31 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 23 Feb 2001 02:34:22 +0000
Subject: autogenerated files....

(This used to be commit edb0e5df4c7053a7163d32bba7ecf893a67523ca)
---
 docs/htmldocs/smbtar.1.html | 482 ++++++++++++-----
 docs/htmldocs/swat.8.html | 548 ++++++++++++++-----
 docs/htmldocs/winbindd.8.html | 1194 +++++++++++++++++++++++++++++------------
 3 files changed, 1612 insertions(+), 612 deletions(-)
(limited to 'docs/htmldocs')
diff --git a/docs/htmldocs/smbtar.1.html b/docs/htmldocs/smbtar.1.html
index 68aab355ed..5e13ef3577 100644
--- a/docs/htmldocs/smbtar.1.html
+++ b/docs/htmldocs/smbtar.1.html
@@ -1,130 +1,352 @@ - - - - - - -smbtar (1) - - - - - -
- -

smbtar (1)

-

Samba

-

23 Oct 1998

- - - -

-

NAME

- smbtar - shell script for backing up SMB/CIFS shares directly to UNIX tape drives -

-

SYNOPSIS

- -

smbtar -s server [-p password] [-x service] [-X] [-d directory] [-u user] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l log level] [-v] filenames -

-

DESCRIPTION

- -

This program is part of the Samba suite. -

smbtar is a very small shell script on top of -smbclient which dumps SMB shares directly -to tape. -

-

OPTIONS

- -

-

-

-s server
The SMB/CIFS server that the share resides upon. -

-

-x service
The share name on the server to connect -to. The default is backup. -

-

-X
Exclude mode. Exclude filenames... from tar create or -restore. -

-

-d directory
Change to initial directory before restoring -/ backing up files. -

-

-v
Verbose mode. -

-

-p password
The password to use to access a share. Default: -none -

-

-u user
The user id to connect as. Default: UNIX login name. -

-

-t tape
Tape device. May be regular file or tape -device. Default: TAPE environmental variable; if not set, a file -called tar.out. -

-

-b blocksize
Blocking factor. Defaults to 20. See tar (1) -for a fuller explanation. -

-

-N filename
Backup only files newer than filename. Could be -used (for example) on a log file to implement incremental backups. -

-

-i
Incremental mode; tar files are only backed up if they -have the archive bit set. The archive bit is reset after each file is -read. -

-

-r
Restore. Files are restored to the share from the tar -file. -

-

-l log level
Log (debug) level. Corresponds to the --d flag of smbclient -(1). -

-

-

ENVIRONMENT VARIABLES

- -

The TAPE variable specifies the default tape device to write to. May -be overridden with the -t option. -

-

BUGS

- -

The smbtar script has different options from ordinary tar and tar -called from smbclient. -

-

CAVEATS

- -

Sites that are more careful about security may not like the way the -script handles PC passwords. Backup and restore work on entire shares, -should work on file lists. smbtar works best with GNU tar and may -not work well with other versions. -

-

VERSION

- -

This man page is correct for version 2.0 of the Samba suite. -

-

SEE ALSO

- -

smbclient (1), smb.conf -(5) -

-

DIAGNOSTICS

- -

See the DIAGNOSTICS section for -the smbclient command. -

-

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -

Ricky Poulten poultenr@logica.co.uk wrote the tar extension and -this man page. The smbtar script was heavily rewritten and -improved by Martin Kraemer Martin.Kraemer@mch.sni.de. Many -thanks to everyone who suggested extensions, improvements, bug fixes, -etc. The man page sources were converted to YODL format (another -excellent piece of Open Source software available at -ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison, -samba@samba.org. -

See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -

- +smbtar

smbtar

Name

smbtar -- shell script for backing up SMB/CIFS shares + directly to UNIX tape drives

Synopsis

smbtar {-s server} [-p password] [-x services] [-X] [-d directory] [-u user] [-t tape] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l loglevel] [-v] {filenames}

DESCRIPTION

This tool is part of the Samba suite.

smbtar is a very small shell script on top + of smbclient(1) + which dumps SMB shares directly to tape.

OPTIONS

-s server

The SMB/CIFS server that the share resides + upon.

-x service

The share name on the server to connect to. + The default is "backup".

-X

Exclude mode. Exclude filenames... from tar + create or restore.

-d directory

Change to initial directory + before restoring / backing up files.

-v

Verbose mode.

-p password

The password to use to access a share. + Default: none

-u user

The user id to connect as. Default: + UNIX login name.

-t tape

Tape device. May be regular file or tape + device. Default: $TAPE environmental + variable; if not set, a file called tar.out + .

-b blocksize

Blocking factor. Defaults to 20. See + tar(1) for a fuller explanation.

-N filename

Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups.

-i

Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read.

-r

Restore. Files are restored to the share + from the tar file.

-l log level

Log (debug) level. Corresponds to the + -d flag of smbclient(1) + .

ENVIRONMENT VARIABLES

The $TAPE variable specifies the + default tape device to write to. May be overridden + with the -t option.

BUGS

The smbtar script has different + options from ordinary tar and tar called from smbclient.

CAVEATS

Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares, should work on file lists. smbtar works best + with GNU tar and may not work well with other versions.

DIAGNOSTICS

See the DIAGNOSTICS section for the + smbclient(1) + command.

VERSION

This man page is correct for version 2.2 of + the Samba suite.

SEE ALSO

smbd(8), + smbclient(1), + smb.conf(5), +

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

Ricky Poulten + wrote the tar extension and this man page. The smbtar + script was heavily rewritten and improved by Martin Kraemer. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter.
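Review bot: The new Synopsis line for smbtar lists `[-t tape]` twice and spells the share option `[-x services]`, while the OPTIONS entry further down documents it as `-x service`; drop the duplicate and make the two spellings agree. The commit subject says these files are autogenerated, so the correction belongs in the source the HTML is built from, followed by a regeneration. The VERSION text is bumped from 2.0 to 2.2, but CAVEATS is carried over unchanged and still says only that security-conscious sites "may not like the way the script handles PC passwords"; with `-p password` documented as a command-line option, this revision is a good place to state what the concern actually is.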

\ No newline at end of file diff --git a/docs/htmldocs/swat.8.html b/docs/htmldocs/swat.8.html index 12d83247fd..2c0d016399 100644 --- a/docs/htmldocs/swat.8.html +++ b/docs/htmldocs/swat.8.html @@ -1,148 +1,400 @@ - - - - - - -swat (8) - - - - - -
- -

swat (8)

-

Samba

-

23 Oct 1998

- - - -

-

NAME

- swat - Samba Web Administration Tool -

-

SYNOPSIS

- -

swat [-s smb config file] [-a] -

-

DESCRIPTION

- -

This program is part of the Samba suite. -

swat allows a Samba administrator to configure the complex -smb.conf file via a Web browser. In -addition, a swat configuration page has help links to all the -configurable options in the smb.conf file -allowing an administrator to easily look up the effects of any change. -

swat is run from inetd -

-

OPTIONS

- -

-

-

-s smb configuration file
The default configuration file path is -determined at compile time. -

The file specified contains the configuration details required by the -smbd server. This is the file that swat will -modify. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See smb.conf -(5) for more information. -

-

-a
-

This option disables authentication and puts swat in demo mode. In -that mode anyone will be able to modify the -smb.conf file. -

Do NOT enable this option on a production server. -

-

-

INSTALLATION

- -

After you compile SWAT you need to run "make install" to install the -swat binary and the various help files and images. A default install -would put these in: -

-
-/usr/local/samba/bin/swat
-/usr/local/samba/swat/images/*
-/usr/local/samba/swat/help/*
-
-
- -

-

INETD INSTALLATION

- -

You need to edit your /etc/inetd.conf and /etc/services to -enable SWAT to be launched via inetd. -

In /etc/services you need to add a line like this: -

swat 901/tcp -

Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local /etc/services file. -

the choice of port number isn't really important except that it should -be less than 1024 and not currently used (using a number above 1024 -presents an obscure security hole depending on the implementation -details of your inetd daemon). -

In /etc/inetd.conf you should add a line like this: -

swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat -

One you have edited /etc/services and /etc/inetd.conf you need -to send a HUP signal to inetd. To do this use "kill -1 PID" where -PID is the process ID of the inetd daemon. -

-

LAUNCHING

- -

To launch swat just run your favorite web browser and point it at -http://localhost:901/. -

Note that you can attach to swat from any IP connected machine but -connecting from a remote machine leaves your connection open to -password sniffing as passwords will be sent in the clear over the -wire. -

FILES

- -

/etc/inetd.conf -

This file must contain suitable startup information for the -meta-daemon. -

/etc/services -

This file must contain a mapping of service name (e.g., swat) to -service port (e.g., 901) and protocol type (e.g., tcp). -

/usr/local/samba/lib/smb.conf -

This is the default location of the smb.conf server configuration -file that swat edits. Other common places that systems install -this file are /usr/samba/lib/smb.conf and /etc/smb.conf. -

This file describes all the services the server is to make available -to clients. See smb.conf (5) for more information. -

-

WARNINGS

- -

swat will rewrite your smb.conf file. It -will rearrange the entries and delete all comments, -"include=" and -"copy=" options. If you have a -carefully crafted smb.conf then back it up -or don't use swat! -

-

VERSION

- -

This man page is correct for version 2.0 of the Samba suite. -

-

SEE ALSO

- -

inetd (8), nmbd (8), -smb.conf (5). -

-

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -

The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison. -samba@samba.org. -

See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - - +swat

swat

Name

swat -- Samba Web Administration Tool

Synopsis

nmblookup [-s <smb config file>] [-a]

DESCRIPTION

This tool is part of the Samba suite.

swat allows a Samba administrator to + configure the complex smb.conf(5) file via a Web browser. In addition, + a swat configuration page has help links + to all the configurable options in the smb.conf file allowing an + administrator to easily look up the effects of any change.

swat is run from inetd

OPTIONS

-s smb configuration file

The default configuration file path is + determined at compile time. The file specified contains + the configuration details required by the smbd + server. This is the file that swat will modify. + The information in this file includes server-specific + information such as what printcap file to use, as well as + descriptions of all the services that the server is to provide. + See smb.conf for more information. +

-a

This option disables authentication and puts + swat in demo mode. In that mode anyone will be able to modify + the smb.conf file.

Do NOT enable this option on a production + server.

INSTALLATION

After you compile SWAT you need to run make install + to install the swat binary + and the various help files and images. A default install would put + these in:

Inetd Installation

You need to edit your /etc/inetd.conf + and /etc/services + to enable SWAT to be launched via inetd.

In /etc/services you need to + add a line like this:

swat 901/tcp

Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local /etc/services file.

the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + inetd daemon).

In /etc/inetd.conf you should + add a line like this:

swat stream tcp nowait.400 root + /usr/local/samba/bin/swat swat

One you have edited /etc/services + and /etc/inetd.conf you need to send a + HUP signal to inetd. To do this use kill -1 PID + where PID is the process ID of the inetd daemon.

Launching

To launch swat just run your favorite web browser and + point it at "http://localhost:901/".

Note that you can attach to swat from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire.

FILES

/etc/inetd.conf

This file must contain suitable startup + information for the meta-daemon.

/etc/services

This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp).

/usr/local/samba/lib/smb.conf

This is the default location of the smb.conf(5) + server configuration file that swat edits. Other + common places that systems install this file are /usr/samba/lib/smb.conf and /etc/smb.conf + . This file describes all the services the server + is to make available to clients.

WANRNIGS

swat will rewrite your smb.conf + file. It will rearrange the entries and delete all + comments, include= and copy=" + options. If you have a carefully crafted smb.conf then back it up or don't use swat!

VERSION

This man page is correct for version 2.2 of + the Samba suite.

SEE ALSO

inetd(5), + smbd(8), + smb.conf(5) +

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter
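Review bot: The new Synopsis for swat begins with `nmblookup [-s <smb config file>] [-a]`; the command name should be `swat`, as in the removed line `swat [-s smb config file] [-a]`. The same hunk turns the heading `WARNINGS` into `WANRNIGS` and leaves an unbalanced quote in `include= and copy="`. SEE ALSO now reads `inetd(5), smbd(8), smb.conf(5)` where the old page had `inetd (8), nmbd (8), smb.conf (5)`; please confirm that the section number change and the dropped nmbd reference are intended. In INSTALLATION the new paragraph ends with "these in:" and, in the lines shown here, the three /usr/local/samba/... paths of the old page do not follow it, so check that the generated output still lists them.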

\ No newline at end of file diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index 2caa9ccf01..a98b7a2864 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,245 +1,594 @@ - - - - - -winbindd (8) - - - - - -
- -

winbindd (8)

-

Samba

-

13 Jun 2000

- - - -

-

NAME

- winbindd - Name Service Switch daemon for resolving names from NT servers -

-

SYNOPSIS

- -

winbindd [-d debuglevel] [-i] -

-

DESCRIPTION

- -

This program is part of the Samba suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -

winbindd is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the /etc/nsswitch.conf file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. -

The service provided by winbindd is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. -

The following nsswitch databases are implemented by the winbindd -service: -

-

passwd
-

User information traditionally stored in the passwd(5) file and used by -getpwent(3) functions. -

group
-

Group information traditionally stored in the group(5) file and used by -getgrent(3) functions. -

-

For example, the following simple configuration in the -/etc/nsswitch.conf file can be used to initially resolve user and group -information from /etc/passwd and /etc/group and then from the -Windows NT server. -

-
-  passwd:         files winbind
-  group:          files winbind
-
-
- -

-

OPTIONS

- -

The following options are available to the winbindd daemon: -

-

-

-d debuglevel
-Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see BUGS.txt). -

-

-i
-Tells winbindd to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of winbindd is -required. -

-

-

NAME AND ID RESOLUTION

- -

Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that winbindd performs. -

As winbindd users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. -

WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by winbindd. If this file is deleted or -corrupted, there is no way for winbindd to determine which user and -group ids correspond to Windows NT user and group rids. -

-

CONFIGURATION

- -

Configuration of the winbindd daemon is done through configuration -parameters in the smb.conf file. All parameters -should be specified in the [global] section of -smb.conf. -

-

winbind separator
-

The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. -

Default: - winbind separator = \ -

Example: - winbind separator = + -

winbind uid
-

The winbind uid parameter specifies the range of user ids that are -allocated by the winbindd daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -

Default: - winbind uid = <empty string> -

Example: - winbind uid = 10000-20000 -

winbind gid
-

The winbind gid parameter specifies the range of group ids that are -allocated by the winbindd daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. -

Default: - winbind gid = <empty string> -

Example: - winbind gid = 10000-20000 -

winbind cache time
-

This parameter specifies the number of seconds the winbindd daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time winbindd will ask -the domain controller for the sequence number of the servers account -database. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing winbindd will only have to send one -sequence number query packet every "winbind cache time" seconds. -

Default: - winbind cache time = 15 -

winbind enum users
-

On large installations it may be necessary to suppress the enumeration of -users through the setpwent, getpwent and endpwent group of -system calls. If the winbind enum users parameter is false, calls to -the getpwent system call will not return any data. -

Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. -

Default: - winbind enum users = true -

winbind enum groups
-

On large installations it may be necessary to suppress the enumeration of -groups through the setgrent, getgrent and endgrent group of -system calls. If the winbind enum groups parameter is false, calls to -the getgrent system call will not return any data. -

Warning: Turning off group enumeration may cause some programs to behave -oddly. -

Default: - winbind enum groups = true -

template homedir
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the home directory for -that user. If the string %D is present it is substituted with the -user's Windows NT domain name. If the string %U is present it is -substituted with the user's Windows NT user name. -

Default: - template homedir = /home/%D/%U -

template shell
-

When filling out the user information for a Windows NT user, the -winbindd daemon uses this parameter to fill in the shell for that user. -

Default: - template shell = /bin/false -

-

-

EXAMPLE SETUP

- -

To setup winbindd for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. -

In /etc/nsswitch.conf put the following: -

-
-   passwd:     files winbind
-   group:      files winbind
-
-
- -

In /etc/pam.d/* replace the auth lines with something like this: -

-
-	auth       required	/lib/security/pam_securetty.so
-	auth       required	/lib/security/pam_nologin.so
-	auth       sufficient	/lib/security/pam_winbind.so
-	auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
-
-
- -

Note in particular the use of the sufficient keyword and the -use_first_pass keyword. -

Now replace the account lines with this: -

-
-	account    required	/lib/security/pam_winbind.so
-
-
- -

The next step is to join the domain. To do that use the samedit -program like this: -

-
-	samedit -S '*' -W DOMAIN -UAdministrator
-
-
- -

The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -

-
-	createuser MACHINE$ -j DOMAIN -L
-
-
- -

This assumes your domain is called DOMAIN and your Samba workstation -is called MACHINE. -

Next copy libnss_winbind.so.2 to /lib and pam_winbind.so to -/lib/security. -

Finally, setup a smb.conf containing directives like the following: -

-
-  [global]
-        winbind separator = +
+winbindd

winbindd

Name

winbindd -- Name Service Switch daemon for resolving names + from NT servers

Synopsis

nmblookup [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}

DESCRIPTION

This tool is part of the Samba suite version 3.0 and describes functionality not + yet implemented in the main version of Samba.

winbindd is a daemon that provides + a service for the Name Service Switch capability that is present + in most modern C libraries. The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the /etc/nsswitch.conf file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system.

The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module.

The following nsswitch databases are implemented by + the winbindd service:

passwd

User information traditionally stored in + the passwd(5) file and used by + getpwent(3) functions.

group

Group information traditionally stored in + the group(5) file and used by + getgrent(3) functions.

For example, the following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve user and group information from /etc/passwd + and /etc/group and then from the + Windows NT server.

passwd:         files winbind
+group:          files winbind
+	

OPTIONS

-d debuglevel

Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt).

-i

Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of winbindd is required.

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned + a relative id (rid) which is unique for the domain when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between rids and unix user + and group ids is required. This is one of the jobs that winbindd performs.

As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered.

WARNING: The rid to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids.

CONFIGURATION

Configuration of the winbindd daemon + is done through configuration parameters in the smb.conf(5) + file. All parameters should be specified in the + [global] section of smb.conf.

winbind separator

The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + winbindd will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. In that case you can use the winbind separator + option to specify an alternative sepataror character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste.

Default: winbind separator = \ +

Example: winbind separator = +

winbind uid

The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or nis users + within it as strange conflicts can occur otherwise.

Default: winbind uid = <empty string> +

Example: winbind uid = 10000-20000

winbind gid

The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or nis + groups within it as strange conflicts can occur otherwise.

Default: winbind gid = <empty string> +

Example: winbind gid = 10000-20000 +

winbind cache time

This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the servers account database. + If the sequence number has not changed then the cached item is + marked as valid for a further winbind cache time + seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every winbind cache time + seconds.

Default: winbind cache time = 15 +

winbind enum users

On large installations it may be necessary + to suppress the enumeration of users through the setpwent(), getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is false, + calls to the getpwent system call will not + return any data.

Warning: Turning off user enumeration + may cause some programs to behave oddly. For example, the finger + program relies on having access to the full user list when + searching for matching usernames.

Default: winbind enum users = yes

winbind enum groups

On large installations it may be necessary + to suppress the enumeration of groups through the setgrent(), getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + false, calls to the getgrent() system + call will not return any data.

Warning: Turning off group + enumeration may cause some programs to behave oddly. +

Default: winbind enum groups = no +

template homedir

When filling out the user information + for a Windows NT user, the winbindd daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is + substituted with the user's Windows NT domain name. If the + string %U is present it is substituted + with the user's Windows NT user name.

Default: template homedir = /home/%D/%U +

template shell

When filling out the user information for + a Windows NT user, the winbindd daemon + uses this parameter to fill in the shell for that user. +

Default: template shell = /bin/false +

EXAMPLE SETUP

To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on a RedHat 6.2 Linux box.

In /etc/nsswitch.conf put the + following:

passwd:     files winbind
+group:      files winbind
+	

In /etc/pam.d/* replace the + auth lines with something like this:

auth       required	/lib/security/pam_securetty.so
+auth       required	/lib/security/pam_nologin.so
+auth       sufficient	/lib/security/pam_winbind.so
+auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
+	

Note in particular the use of the sufficient + keyword and the use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so +

The next step is to join the domain. To do that use the + samedit program like this:

samedit -S '*' -W DOMAIN -UAdministrator

The username after the -U can be any Domain + user that has administrator priviliges on the machine. Next from + within samedit, run the command:

createuser MACHINE$ -j DOMAIN -L

This assumes your domain is called "DOMAIN" and your Samba + workstation is called "MACHINE".

Next copy libnss_winbind.so.2 to + /lib and pam_winbind.so + to /lib/security.

Finally, setup a smb.conf containing directives like the + following:

[global]
+	winbind separator = +
         winbind cache time = 10
         template shell = /bin/bash
         template homedir = /home/%D/%U
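Review bot: The EXAMPLE SETUP step "In /etc/pam.d/* replace the auth lines" applies to every PAM service file, and the sample stack keeps nullok on the pam_pwdb.so line, so a reader who follows it literally changes all services at once and still accepts empty local passwords on each of them. Suggest telling the reader to edit only the services that should accept domain logins, and either dropping nullok from the example or explaining why it is kept. Two smaller points in the same hunk: "priviliges" should be "privileges", and the listed default "winbind enum groups = no" sits oddly beside "winbind enum users = yes" and a warning about turning enumeration off, so please confirm that default against the code before this is regenerated.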
@@ -248,95 +597,272 @@ is called MACHINE.
         workgroup = DOMAIN
         security = domain
         password server = *
-
-
- -

Now start winbindd and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the DOMAIN+user -syntax for the username. You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -winbindd. -

-

NOTES

- -

The following notes are useful when configuring and running winbindd: -

-

-nmbd must be running on the local machine for -winbindd to work. -

-winbindd queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received. Thus, for a running winbindd -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal. -

-Client processes resolving names through the winbindd nsswitch module -read an environment variable named WINBINDD_DOMAIN. If this variable -contains a comma separated list of Windows NT domain names, then winbindd -will only resolve users and groups within those Windows NT domains. -

-PAM is really easy to misconfigure. Make sure you know what you are doing -when modifying PAM configuration files. It is possible to set up PAM -such that you can no longer log into your system. -

-If more than one UNIX machine is running winbindd, then in general the -user and groups ids allocated by winbindd will not be the same. The -user and group ids will only be valid for the local machine. -

-If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost. -

-

-

SIGNALS

- -

The following signals can be used to manipulate the winbindd daemon. -

-

SIGHUP
-

Reload the smb.conf file and apply any parameter changes to the running -version of winbindd. This signal also clears any cached user and group -information. The list of other domains trusted by winbindd is also -reloaded. -

SIGUSR1
-

The SIGUSR1 signal will cause winbindd to write status information -to the winbind log file including information about the number of user and -group ids allocated by winbindd. -

Log files are stored in the filename specified by the log file parameter. -

-

-

FILES

- -

The following files are relevant to the operation of the winbindd -daemon. -

-

/etc/nsswitch.conf(5)
-

Name service switch configuration file. -

/tmp/.winbindd/pipe
-

The UNIX pipe over which clients communicate with the winbindd program. -For security reasons, the winbind client will only attempt to connect to the -winbindd daemon if both the /tmp/.winbindd directory and -/tmp/.winbindd/pipe file are owned by root. -

/lib/libnss_winbind.so.X
-

Implementation of name service switch library. -

$LOCKDIR/winbindd_idmap.tdb
-

Storage for the Windows NT rid to UNIX user/group id mapping. The lock -directory is specified when Samba is initially compiled using the ---with-lockdir option. This directory is by default -/usr/local/samba/var/locks. -

$LOCKDIR/winbindd_cache.tdb
-

Storage for cached user and group information. -

-

-

SEE ALSO

- -

samba(7), smb.conf(5), -nsswitch.conf(5), wbinfo(1) -

-

AUTHOR

- -

The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -

winbindd was written by Tim Potter. - - +

Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd.

Notes

The following notes are useful when configuring and + running winbindd:

nmbd must be running on the local machine + for winbindd to work. winbindd + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running winbindd to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal.

Client processes resolving names through the winbindd + nsswitch module read an environment variable named $WINBINDD_DOMAIN. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains.

PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine.

If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

Signals

The following signals can be used to manipulate the + winbindd daemon.

SIGHUP

Reload the smb.conf(5) + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded.

SIGUSR1

The SIGUSR1 signal will cause winbindd to write status information to the winbind + log file including information about the number of user and + group ids allocated by winbindd.

Log files are stored in the filename specified by the + log file parameter.

Files

/etc/nsswitch.conf(5)

Name service switch configuration file.

/tmp/.winbindd/pipe

The UNIX pipe over which clients communicate with + the winbindd program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root.

/lib/libnss_winbind.so.X

Implementation of name service switch library. +

$LOCKDIR/winbindd_idmap.tdb

Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks + .

$LOCKDIR/winbindd_cache.tdb

Storage for cached user and group information. +

VERSION

This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.

SEE ALSO

nsswitch.conf(5), + samba(7), + wbinfo(1), + smb.conf(5)

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

wbinfo and winbindd + were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter

\ No newline at end of file -- cgit
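Review bot: The /tmp/.winbindd/pipe entry under Files describes a root-ownership check on the directory and the pipe but says nothing about the permissions an administrator should expect on either; since the path lives under /tmp, the page should state them so the setup can be verified by hand. In the new Notes text, "If the the Windows NT RID ..." carries the doubled word over from the removed version, and the sentence could name $LOCKDIR/winbindd_idmap.tdb so readers know which file to protect and back up. The nmbd requirement and the SIGHUP/trusted-domains note were separate items in the removed text and are now a single paragraph, which looks unintended. In VERSION, "not available in stable release of Samba as of yet" needs rewording, and the generated file now ends without a trailing newline.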