mirror of
https://github.com/samba-team/samba.git
synced 2025-01-17 02:05:21 +03:00
461 lines
17 KiB
XML
461 lines
17 KiB
XML
<?xml version="1.0" encoding="iso8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
|
|
<!ENTITY % globalentities SYSTEM './../global.ent'> %globalentities;
|
|
]>
|
|
<refentry id="winbindd.8">
|
|
|
|
<refmeta>
|
|
<refentrytitle>winbindd</refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>winbindd</refname>
|
|
<refpurpose>Name Service Switch daemon for resolving names
|
|
from NT servers</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>winbindd</command>
|
|
<arg choice="opt">-F</arg>
|
|
<arg choice="opt">-S</arg>
|
|
<arg choice="opt">-i</arg>
|
|
<arg choice="opt">-B</arg>
|
|
<arg choice="opt">-d <debug level></arg>
|
|
<arg choice="opt">-s <smb config file></arg>
|
|
<arg choice="opt">-n</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This program is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para><command>winbindd</command> is a daemon that provides
|
|
a service for the Name Service Switch capability that is present
|
|
in most modern C libraries. The Name Service Switch allows user
|
|
and system information to be obtained from different databases
|
|
services such as NIS or DNS. The exact behaviour can be configured
|
|
throught the <filename>/etc/nsswitch.conf</filename> file.
|
|
Users and groups are allocated as they are resolved to a range
|
|
of user and group ids specified by the administrator of the
|
|
Samba system.</para>
|
|
|
|
<para>The service provided by <command>winbindd</command> is called `winbind' and
|
|
can be used to resolve user and group information from a
|
|
Windows NT server. The service can also provide authentication
|
|
services via an associated PAM module. </para>
|
|
|
|
<para>
|
|
The <filename>pam_winbind</filename> module in the 2.2.2 release only
|
|
supports the <parameter>auth</parameter> and <parameter>account</parameter>
|
|
module-types. The latter simply
|
|
performs a getpwnam() to verify that the system can obtain a uid for the
|
|
user. If the <filename>libnss_winbind</filename> library has been correctly
|
|
installed, this should always succeed.
|
|
</para>
|
|
|
|
<para>The following nsswitch databases are implemented by
|
|
the winbindd service: </para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>hosts</term>
|
|
<listitem><para>User information traditionally stored in
|
|
the <filename>hosts(5)</filename> file and used by
|
|
<command>gethostbyname(3)</command> functions. Names are
|
|
resolved through the WINS server or by broadcast.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>passwd</term>
|
|
<listitem><para>User information traditionally stored in
|
|
the <filename>passwd(5)</filename> file and used by
|
|
<command>getpwent(3)</command> functions. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>group</term>
|
|
<listitem><para>Group information traditionally stored in
|
|
the <filename>group(5)</filename> file and used by
|
|
<command>getgrent(3)</command> functions. </para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>For example, the following simple configuration in the
|
|
<filename>/etc/nsswitch.conf</filename> file can be used to initially
|
|
resolve user and group information from <filename>/etc/passwd
|
|
</filename> and <filename>/etc/group</filename> and then from the
|
|
Windows NT server.
|
|
<programlisting>
|
|
passwd: files winbind
|
|
group: files winbind
|
|
</programlisting></para>
|
|
|
|
<para>The following simple configuration in the
|
|
<filename>/etc/nsswitch.conf</filename> file can be used to initially
|
|
resolve hostnames from <filename>/etc/hosts</filename> and then from the
|
|
WINS server.</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-F</term>
|
|
<listitem><para>If specified, this parameter causes
|
|
the main <command>winbindd</command> process to not daemonize,
|
|
i.e. double-fork and disassociate with the terminal.
|
|
Child processes are still created as normal to service
|
|
each connection request, but the main process does not
|
|
exit. This operation mode is suitable for running
|
|
<command>winbindd</command> under process supervisors such
|
|
as <command>supervise</command> and <command>svscan</command>
|
|
from Daniel J. Bernstein's <command>daemontools</command>
|
|
package, or the AIX process monitor.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-S</term>
|
|
<listitem><para>If specified, this parameter causes
|
|
<command>winbindd</command> to log to standard output rather
|
|
than a file.</para></listitem>
|
|
</varlistentry>
|
|
|
|
&popt.common.samba;
|
|
&stdarg.help;
|
|
|
|
<varlistentry>
|
|
<term>-i</term>
|
|
<listitem><para>Tells <command>winbindd</command> to not
|
|
become a daemon and detach from the current terminal. This
|
|
option is used by developers when interactive debugging
|
|
of <command>winbindd</command> is required.
|
|
<command>winbindd</command> also logs to standard output,
|
|
as if the <command>-S</command> parameter had been given.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-n</term>
|
|
<listitem><para>Disable caching. This means winbindd will
|
|
always have to wait for a response from the domain controller
|
|
before it can respond to a client and this thus makes things
|
|
slower. The results will however be more accurate, since
|
|
results from the cache might not be up-to-date. This
|
|
might also temporarily hang winbindd if the DC doesn't respond.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-B</term>
|
|
<listitem><para>Dual daemon mode. This means winbindd will run
|
|
as 2 threads. The first will answer all requests from the cache,
|
|
thus making responses to clients faster. The other will
|
|
update the cache for the query that the first has just responded.
|
|
Advantage of this is that responses stay accurate and are faster.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>NAME AND ID RESOLUTION</title>
|
|
|
|
<para>Users and groups on a Windows NT server are assigned
|
|
a relative id (rid) which is unique for the domain when the
|
|
user or group is created. To convert the Windows NT user or group
|
|
into a unix user or group, a mapping between rids and unix user
|
|
and group ids is required. This is one of the jobs that <command>
|
|
winbindd</command> performs. </para>
|
|
|
|
<para>As winbindd users and groups are resolved from a server, user
|
|
and group ids are allocated from a specified range. This
|
|
is done on a first come, first served basis, although all existing
|
|
users and groups will be mapped as soon as a client performs a user
|
|
or group enumeration command. The allocated unix ids are stored
|
|
in a database file under the Samba lock directory and will be
|
|
remembered. </para>
|
|
|
|
<para>WARNING: The rid to unix id database is the only location
|
|
where the user and group mappings are stored by winbindd. If this
|
|
file is deleted or corrupted, there is no way for winbindd to
|
|
determine which user and group ids correspond to Windows NT user
|
|
and group rids. </para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>CONFIGURATION</title>
|
|
|
|
<para>Configuration of the <command>winbindd</command> daemon
|
|
is done through configuration parameters in the <citerefentry>
|
|
<refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry> file. All parameters should be specified in the
|
|
[global] section of smb.conf. </para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDSEPARATOR">
|
|
<parameter>winbind separator</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDUID">
|
|
<parameter>winbind uid</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDGID">
|
|
<parameter>winbind gid</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDCACHETIME">
|
|
<parameter>winbind cache time</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDENUMUSERS">
|
|
<parameter>winbind enum users</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDENUMGROUPS">
|
|
<parameter>winbind enum groups</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#TEMPLATEHOMEDIR">
|
|
<parameter>template homedir</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#TEMPLATESHELL">
|
|
<parameter>template shell</parameter></ulink></para></listitem>
|
|
<listitem><para><ulink url="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN">
|
|
<parameter>winbind use default domain</parameter></ulink></para></listitem>
|
|
</itemizedlist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>EXAMPLE SETUP</title>
|
|
|
|
<para>To setup winbindd for user and group lookups plus
|
|
authentication from a domain controller use something like the
|
|
following setup. This was tested on a RedHat 6.2 Linux box. </para>
|
|
|
|
<para>In <filename>/etc/nsswitch.conf</filename> put the
|
|
following:
|
|
<programlisting>
|
|
passwd: files winbind
|
|
group: files winbind
|
|
</programlisting></para>
|
|
|
|
<para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
|
|
auth</parameter> lines with something like this:
|
|
<programlisting>
|
|
auth required /lib/security/pam_securetty.so
|
|
auth required /lib/security/pam_nologin.so
|
|
auth sufficient /lib/security/pam_winbind.so
|
|
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
|
|
</programlisting></para>
|
|
|
|
|
|
<para>Note in particular the use of the <parameter>sufficient
|
|
</parameter> keyword and the <parameter>use_first_pass</parameter> keyword. </para>
|
|
|
|
<para>Now replace the account lines with this: </para>
|
|
|
|
<para><command>account required /lib/security/pam_winbind.so
|
|
</command></para>
|
|
|
|
<para>The next step is to join the domain. To do that use the
|
|
<command>net</command> program like this: </para>
|
|
|
|
<para><command>net join -S PDC -U Administrator</command></para>
|
|
|
|
<para>The username after the <parameter>-U</parameter> can be any
|
|
Domain user that has administrator privileges on the machine.
|
|
Substitute the name or IP of your PDC for "PDC".</para>
|
|
|
|
<para>Next copy <filename>libnss_winbind.so</filename> to
|
|
<filename>/lib</filename> and <filename>pam_winbind.so
|
|
</filename> to <filename>/lib/security</filename>. A symbolic link needs to be
|
|
made from <filename>/lib/libnss_winbind.so</filename> to
|
|
<filename>/lib/libnss_winbind.so.2</filename>. If you are using an
|
|
older version of glibc then the target of the link should be
|
|
<filename>/lib/libnss_winbind.so.1</filename>.</para>
|
|
|
|
<para>Finally, setup a <citerefentry><refentrytitle>smb.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> containing directives like the
|
|
following:
|
|
<programlisting>
|
|
[global]
|
|
winbind separator = +
|
|
winbind cache time = 10
|
|
template shell = /bin/bash
|
|
template homedir = /home/%D/%U
|
|
winbind uid = 10000-20000
|
|
winbind gid = 10000-20000
|
|
workgroup = DOMAIN
|
|
security = domain
|
|
password server = *
|
|
</programlisting></para>
|
|
|
|
|
|
<para>Now start winbindd and you should find that your user and
|
|
group database is expanded to include your NT users and groups,
|
|
and that you can login to your unix box as a domain user, using
|
|
the DOMAIN+user syntax for the username. You may wish to use the
|
|
commands <command>getent passwd</command> and <command>getent group
|
|
</command> to confirm the correct operation of winbindd.</para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>NOTES</title>
|
|
|
|
<para>The following notes are useful when configuring and
|
|
running <command>winbindd</command>: </para>
|
|
|
|
<para><citerefentry><refentrytitle>nmbd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> must be running on the local machine
|
|
for <command>winbindd</command> to work. <command>winbindd</command> queries
|
|
the list of trusted domains for the Windows NT server
|
|
on startup and when a SIGHUP is received. Thus, for a running <command>
|
|
winbindd</command> to become aware of new trust relationships between
|
|
servers, it must be sent a SIGHUP signal. </para>
|
|
|
|
<para>PAM is really easy to misconfigure. Make sure you know what
|
|
you are doing when modifying PAM configuration files. It is possible
|
|
to set up PAM such that you can no longer log into your system. </para>
|
|
|
|
<para>If more than one UNIX machine is running <command>winbindd</command>,
|
|
then in general the user and groups ids allocated by winbindd will not
|
|
be the same. The user and group ids will only be valid for the local
|
|
machine.</para>
|
|
|
|
<para>If the the Windows NT RID to UNIX user and group id mapping
|
|
file is damaged or destroyed then the mappings will be lost. </para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>SIGNALS</title>
|
|
|
|
<para>The following signals can be used to manipulate the
|
|
<command>winbindd</command> daemon. </para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>SIGHUP</term>
|
|
<listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> file and
|
|
apply any parameter changes to the running
|
|
version of winbindd. This signal also clears any cached
|
|
user and group information. The list of other domains trusted
|
|
by winbindd is also reloaded. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>SIGUSR1</term>
|
|
<listitem><para>The SIGUSR1 signal will cause <command>
|
|
winbindd</command> to write status information to the winbind
|
|
log file including information about the number of user and
|
|
group ids allocated by <command>winbindd</command>.</para>
|
|
|
|
<para>Log files are stored in the filename specified by the
|
|
log file parameter.</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><filename>/etc/nsswitch.conf(5)</filename></term>
|
|
<listitem><para>Name service switch configuration file.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>/tmp/.winbindd/pipe</term>
|
|
<listitem><para>The UNIX pipe over which clients communicate with
|
|
the <command>winbindd</command> program. For security reasons, the
|
|
winbind client will only attempt to connect to the winbindd daemon
|
|
if both the <filename>/tmp/.winbindd</filename> directory
|
|
and <filename>/tmp/.winbindd/pipe</filename> file are owned by
|
|
root. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>$LOCKDIR/winbindd_privilaged/pipe</term>
|
|
<listitem><para>The UNIX pipe over which 'privilaged' clients
|
|
communicate with the <command>winbindd</command> program. For security
|
|
reasons, access to some winbindd functions - like those needed by
|
|
the <command>ntlm_auth</command> utility - is restricted. By default,
|
|
only users in the 'root' group will get this access, however the administrator
|
|
may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
|
|
programs like 'squid' to use ntlm_auth.
|
|
Note that the winbind client will only attempt to connect to the winbindd daemon
|
|
if both the <filename>$LOCKDIR/winbindd_privilaged</filename> directory
|
|
and <filename>$LOCKDIR/winbindd_privilaged/pipe</filename> file are owned by
|
|
root. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>/lib/libnss_winbind.so.X</term>
|
|
<listitem><para>Implementation of name service switch library.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>$LOCKDIR/winbindd_idmap.tdb</term>
|
|
<listitem><para>Storage for the Windows NT rid to UNIX user/group
|
|
id mapping. The lock directory is specified when Samba is initially
|
|
compiled using the <parameter>--with-lockdir</parameter> option.
|
|
This directory is by default <filename>/usr/local/samba/var/locks
|
|
</filename>. </para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>$LOCKDIR/winbindd_cache.tdb</term>
|
|
<listitem><para>Storage for cached user and group information.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is correct for version 3.0 of
|
|
the Samba suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
|
|
<para><filename>nsswitch.conf(5)</filename>, <citerefentry>
|
|
<refentrytitle>Samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry>, <citerefentry>
|
|
<refentrytitle>wbinfo</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
|
|
<refentrytitle>smb.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry></para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
|
|
<para><command>wbinfo</command> and <command>winbindd</command> were
|
|
written by Tim Potter.</para>
|
|
|
|
<para>The conversion to DocBook for Samba 2.2 was done
|
|
by Gerald Carter. The conversion to DocBook XML 4.2 for
|
|
Samba 3.0 was done by Alexander Bokovoy.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|