1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
|
<?xml version="1.0" encoding="iso8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % globalentities SYSTEM './../global.ent'> %globalentities;
]>
<refentry id="winbindd.8">
<refmeta>
<refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>winbindd</refname>
<refpurpose>Name Service Switch daemon for resolving names
from NT servers</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>winbindd</command>
<arg choice="opt">-F</arg>
<arg choice="opt">-S</arg>
<arg choice="opt">-i</arg>
<arg choice="opt">-Y</arg>
<arg choice="opt">-d <debug level></arg>
<arg choice="opt">-s <smb config file></arg>
<arg choice="opt">-n</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This program is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para><command>winbindd</command> is a daemon that provides
a service for the Name Service Switch capability that is present
in most modern C libraries. The Name Service Switch allows user
and system information to be obtained from different databases
services such as NIS or DNS. The exact behaviour can be configured
throught the <filename>/etc/nsswitch.conf</filename> file.
Users and groups are allocated as they are resolved to a range
of user and group ids specified by the administrator of the
Samba system.</para>
<para>The service provided by <command>winbindd</command> is called `winbind' and
can be used to resolve user and group information from a
Windows NT server. The service can also provide authentication
services via an associated PAM module. </para>
<para>
The <filename>pam_winbind</filename> module in the 2.2.2 release only
supports the <parameter>auth</parameter> and <parameter>account</parameter>
module-types. The latter simply
performs a getpwnam() to verify that the system can obtain a uid for the
user. If the <filename>libnss_winbind</filename> library has been correctly
installed, this should always succeed.
</para>
<para>The following nsswitch databases are implemented by
the winbindd service: </para>
<variablelist>
<varlistentry>
<term>hosts</term>
<listitem><para>User information traditionally stored in
the <filename>hosts(5)</filename> file and used by
<command>gethostbyname(3)</command> functions. Names are
resolved through the WINS server or by broadcast.
</para></listitem>
</varlistentry>
<varlistentry>
<term>passwd</term>
<listitem><para>User information traditionally stored in
the <filename>passwd(5)</filename> file and used by
<command>getpwent(3)</command> functions. </para></listitem>
</varlistentry>
<varlistentry>
<term>group</term>
<listitem><para>Group information traditionally stored in
the <filename>group(5)</filename> file and used by
<command>getgrent(3)</command> functions. </para></listitem>
</varlistentry>
</variablelist>
<para>For example, the following simple configuration in the
<filename>/etc/nsswitch.conf</filename> file can be used to initially
resolve user and group information from <filename>/etc/passwd
</filename> and <filename>/etc/group</filename> and then from the
Windows NT server.
<programlisting>
passwd: files winbind
group: files winbind
</programlisting></para>
<para>The following simple configuration in the
<filename>/etc/nsswitch.conf</filename> file can be used to initially
resolve hostnames from <filename>/etc/hosts</filename> and then from the
WINS server.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-F</term>
<listitem><para>If specified, this parameter causes
the main <command>winbindd</command> process to not daemonize,
i.e. double-fork and disassociate with the terminal.
Child processes are still created as normal to service
each connection request, but the main process does not
exit. This operation mode is suitable for running
<command>winbindd</command> under process supervisors such
as <command>supervise</command> and <command>svscan</command>
from Daniel J. Bernstein's <command>daemontools</command>
package, or the AIX process monitor.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-S</term>
<listitem><para>If specified, this parameter causes
<command>winbindd</command> to log to standard output rather
than a file.</para></listitem>
</varlistentry>
&popt.common.samba;
&stdarg.help;
<varlistentry>
<term>-i</term>
<listitem><para>Tells <command>winbindd</command> to not
become a daemon and detach from the current terminal. This
option is used by developers when interactive debugging
of <command>winbindd</command> is required.
<command>winbindd</command> also logs to standard output,
as if the <command>-S</command> parameter had been given.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-n</term>
<listitem><para>Disable caching. This means winbindd will
always have to wait for a response from the domain controller
before it can respond to a client and this thus makes things
slower. The results will however be more accurate, since
results from the cache might not be up-to-date. This
might also temporarily hang winbindd if the DC doesn't respond.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-Y</term>
<listitem><para>Single daemon mode. This means winbindd will run
as a single process (the mode of operation in Samba 2.2). Winbindd's
default behavior is to launch a child process that is responsible for
updating expired cache entries.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>NAME AND ID RESOLUTION</title>
<para>Users and groups on a Windows NT server are assigned
a relative id (rid) which is unique for the domain when the
user or group is created. To convert the Windows NT user or group
into a unix user or group, a mapping between rids and unix user
and group ids is required. This is one of the jobs that <command>
winbindd</command> performs. </para>
<para>As winbindd users and groups are resolved from a server, user
and group ids are allocated from a specified range. This
is done on a first come, first served basis, although all existing
users and groups will be mapped as soon as a client performs a user
or group enumeration command. The allocated unix ids are stored
in a database file under the Samba lock directory and will be
remembered. </para>
<para>WARNING: The rid to unix id database is the only location
where the user and group mappings are stored by winbindd. If this
file is deleted or corrupted, there is no way for winbindd to
determine which user and group ids correspond to Windows NT user
and group rids. </para>
</refsect1>
<refsect1>
<title>CONFIGURATION</title>
<para>Configuration of the <command>winbindd</command> daemon
is done through configuration parameters in the <citerefentry>
<refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> file. All parameters should be specified in the
[global] section of smb.conf. </para>
<itemizedlist>
<listitem><para><ulink url="smb.conf.5.html#WINBINDSEPARATOR">
<parameter>winbind separator</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDUID">
<parameter>winbind uid</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDGID">
<parameter>winbind gid</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDCACHETIME">
<parameter>winbind cache time</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDENUMUSERS">
<parameter>winbind enum users</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDENUMGROUPS">
<parameter>winbind enum groups</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#TEMPLATEHOMEDIR">
<parameter>template homedir</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#TEMPLATESHELL">
<parameter>template shell</parameter></ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN">
<parameter>winbind use default domain</parameter></ulink></para></listitem>
</itemizedlist>
</refsect1>
<refsect1>
<title>EXAMPLE SETUP</title>
<para>To setup winbindd for user and group lookups plus
authentication from a domain controller use something like the
following setup. This was tested on a RedHat 6.2 Linux box. </para>
<para>In <filename>/etc/nsswitch.conf</filename> put the
following:
<programlisting>
passwd: files winbind
group: files winbind
</programlisting></para>
<para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
auth</parameter> lines with something like this:
<programlisting>
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
</programlisting></para>
<para>Note in particular the use of the <parameter>sufficient
</parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
<para>Now replace the account lines with this: </para>
<para><command>account required /lib/security/pam_winbind.so
</command></para>
<para>The next step is to join the domain. To do that use the
<command>net</command> program like this: </para>
<para><command>net join -S PDC -U Administrator</command></para>
<para>The username after the <parameter>-U</parameter> can be any
Domain user that has administrator privileges on the machine.
Substitute the name or IP of your PDC for "PDC".</para>
<para>Next copy <filename>libnss_winbind.so</filename> to
<filename>/lib</filename> and <filename>pam_winbind.so
</filename> to <filename>/lib/security</filename>. A symbolic link needs to be
made from <filename>/lib/libnss_winbind.so</filename> to
<filename>/lib/libnss_winbind.so.2</filename>. If you are using an
older version of glibc then the target of the link should be
<filename>/lib/libnss_winbind.so.1</filename>.</para>
<para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> containing directives like the
following:
<programlisting>
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
</programlisting></para>
<para>Now start winbindd and you should find that your user and
group database is expanded to include your NT users and groups,
and that you can login to your unix box as a domain user, using
the DOMAIN+user syntax for the username. You may wish to use the
commands <command>getent passwd</command> and <command>getent group
</command> to confirm the correct operation of winbindd.</para>
</refsect1>
<refsect1>
<title>NOTES</title>
<para>The following notes are useful when configuring and
running <command>winbindd</command>: </para>
<para><citerefentry><refentrytitle>nmbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> must be running on the local machine
for <command>winbindd</command> to work. <command>winbindd</command> queries
the list of trusted domains for the Windows NT server
on startup and when a SIGHUP is received. Thus, for a running <command>
winbindd</command> to become aware of new trust relationships between
servers, it must be sent a SIGHUP signal. </para>
<para>PAM is really easy to misconfigure. Make sure you know what
you are doing when modifying PAM configuration files. It is possible
to set up PAM such that you can no longer log into your system. </para>
<para>If more than one UNIX machine is running <command>winbindd</command>,
then in general the user and groups ids allocated by winbindd will not
be the same. The user and group ids will only be valid for the local
machine.</para>
<para>If the the Windows NT RID to UNIX user and group id mapping
file is damaged or destroyed then the mappings will be lost. </para>
</refsect1>
<refsect1>
<title>SIGNALS</title>
<para>The following signals can be used to manipulate the
<command>winbindd</command> daemon. </para>
<variablelist>
<varlistentry>
<term>SIGHUP</term>
<listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file and
apply any parameter changes to the running
version of winbindd. This signal also clears any cached
user and group information. The list of other domains trusted
by winbindd is also reloaded. </para></listitem>
</varlistentry>
<varlistentry>
<term>SIGUSR1</term>
<listitem><para>The SIGUSR1 signal will cause <command>
winbindd</command> to write status information to the winbind
log file including information about the number of user and
group ids allocated by <command>winbindd</command>.</para>
<para>Log files are stored in the filename specified by the
log file parameter.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/nsswitch.conf(5)</filename></term>
<listitem><para>Name service switch configuration file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>/tmp/.winbindd/pipe</term>
<listitem><para>The UNIX pipe over which clients communicate with
the <command>winbindd</command> program. For security reasons, the
winbind client will only attempt to connect to the winbindd daemon
if both the <filename>/tmp/.winbindd</filename> directory
and <filename>/tmp/.winbindd/pipe</filename> file are owned by
root. </para></listitem>
</varlistentry>
<varlistentry>
<term>$LOCKDIR/winbindd_privilaged/pipe</term>
<listitem><para>The UNIX pipe over which 'privilaged' clients
communicate with the <command>winbindd</command> program. For security
reasons, access to some winbindd functions - like those needed by
the <command>ntlm_auth</command> utility - is restricted. By default,
only users in the 'root' group will get this access, however the administrator
may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
programs like 'squid' to use ntlm_auth.
Note that the winbind client will only attempt to connect to the winbindd daemon
if both the <filename>$LOCKDIR/winbindd_privilaged</filename> directory
and <filename>$LOCKDIR/winbindd_privilaged/pipe</filename> file are owned by
root. </para></listitem>
</varlistentry>
<varlistentry>
<term>/lib/libnss_winbind.so.X</term>
<listitem><para>Implementation of name service switch library.
</para></listitem>
</varlistentry>
<varlistentry>
<term>$LOCKDIR/winbindd_idmap.tdb</term>
<listitem><para>Storage for the Windows NT rid to UNIX user/group
id mapping. The lock directory is specified when Samba is initially
compiled using the <parameter>--with-lockdir</parameter> option.
This directory is by default <filename>/usr/local/samba/var/locks
</filename>. </para></listitem>
</varlistentry>
<varlistentry>
<term>$LOCKDIR/winbindd_cache.tdb</term>
<listitem><para>Storage for cached user and group information.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 3.0 of
the Samba suite.</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><filename>nsswitch.conf(5)</filename>, <citerefentry>
<refentrytitle>Samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>wbinfo</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry></para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para><command>wbinfo</command> and <command>winbindd</command> were
written by Tim Potter.</para>
<para>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter. The conversion to DocBook XML 4.2 for
Samba 3.0 was done by Alexander Bokovoy.</para>
</refsect1>
</refentry>
|