mirror of
https://github.com/samba-team/samba.git
synced 2025-02-18 17:57:55 +03:00
401 lines
13 KiB
Plaintext
mailto(samba-bugs@samba.org)
manpage(winbindd htmlcommand((8)))(8)(13 Jun 2000)(Samba)(SAMBA)

label(NAME)
manpagename(winbindd)(Name Service Switch daemon for resolving names from NT servers)

label(SYNOPSIS)
manpagesynopsis()

bf(winbindd) [link(-d debuglevel)(minusd)] [link(-i)(minusi)]

label(DESCRIPTION)
manpagedescription()

This program is part of the bf(Samba) suite version 3.0 and describes
functionality not yet implemented in the main version of Samba.

bf(winbindd) is a daemon that provides a service for the Name Service
Switch capability that is present in most modern C libraries. The Name
Service Switch allows user and system information to be obtained from
different database services such as NIS or DNS. The exact behaviour can
be configured through the tt(/etc/nsswitch.conf) file. As users and groups
are resolved, bf(winbindd) allocates them unix user and group ids from a
range specified by the administrator of the Samba system.

The service provided by bf(winbindd) is called `winbind' and can be
used to resolve user and group information from a Windows NT server.
The service can also provide authentication services via an associated
PAM module.

The following nsswitch databases are implemented by the bf(winbindd)
service:

startdit()

dit(passwd)

User information traditionally stored in the bf(passwd(5)) file and used by
the bf(getpwent(3)) family of functions.

dit(group)

Group information traditionally stored in the bf(group(5)) file and used by
the bf(getgrent(3)) family of functions.

enddit()

For example, the following simple configuration in the
tt(/etc/nsswitch.conf) file can be used to resolve user and group
information first from tt(/etc/passwd) and tt(/etc/group) and then from the
Windows NT server.

verb(
passwd: files winbind
group: files winbind
)

label(OPTIONS)
manpageoptions()

The following options are available to the bf(winbindd) daemon:

startdit()

label(minusd)
dit(bf(-d debuglevel))
Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging
and 100 is for reams and reams. To submit a bug report to the Samba Team,
use debug level 100 (see bf(BUGS.txt)).

label(minusi)
dit(bf(-i))
Tells bf(winbindd) not to become a daemon and detach from the current terminal.
This option is used by developers when interactive debugging of bf(winbindd) is
required.

enddit()

label(NAMEANDIDRESOLUTION)
manpagesection(NAME AND ID RESOLUTION)

Users and groups on a Windows NT server are assigned a relative id (rid)
which is unique within the domain when the user or group is created. To
convert a Windows NT user or group into a unix user or group, a mapping
between rids and unix user and group ids is required. This is one of the
jobs that bf(winbindd) performs.

As bf(winbindd) resolves users and groups from a server, user and group
ids are allocated from a specified range. This is done on a first come,
first served basis, although all existing users and groups will be mapped
as soon as a client performs a user or group enumeration command. The
allocated unix ids are stored in a database file under the Samba lock
directory and are remembered across restarts of the daemon.

WARNING: The rid to unix id database is the only location where the user
and group mappings are stored by bf(winbindd). If this file is deleted or
corrupted, there is no way for bf(winbindd) to determine which user and
group ids correspond to Windows NT user and group rids.
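The allocation scheme above, and the rule given under bf(winbind uid) and bf(winbind gid) in CONFIGURATION that the range must not contain existing local or NIS ids, as an added Python model written for this page (it is not Samba's own code). It assumes a plain JSON file in place of tt(winbindd_idmap.tdb), a constructed list of local uids in place of tt(/etc/passwd), and a tt(demo()) walk-through that allocates, restarts, and then deletes the map file to show the consequence described in the WARNING.

```python
"""Model of winbindd's rid -> unix id allocation (added example, not Samba code).

winbindd keeps the real mappings in $LOCKDIR/winbindd_idmap.tdb; this
example stores them in a plain JSON file (an assumption made so it runs
anywhere) and reproduces the properties the man page describes: ids are
handed out first come, first served from a range such as
"winbind uid = 10000-20000", the range must not contain existing local or
NIS ids, and the mapping file is the only record of the assignments.
"""
import json
import os
import tempfile
from typing import Dict, Iterable, Optional, Tuple


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' as written for 'winbind uid' / 'winbind gid'."""
    low_s, sep, high_s = spec.strip().partition("-")
    if sep != "-" or not low_s.isdigit() or not high_s.isdigit():
        raise ValueError(f"bad id range {spec!r}, expected LOW-HIGH")
    low, high = int(low_s), int(high_s)
    if low > high:
        raise ValueError(f"bad id range {spec!r}, LOW exceeds HIGH")
    return low, high


def check_no_local_overlap(id_range: Tuple[int, int], local_ids: Iterable[int]) -> None:
    """Refuse a range that contains ids already used by local or NIS accounts."""
    low, high = id_range
    clash = sorted(i for i in local_ids if low <= i <= high)
    if clash:
        raise ValueError(f"range {low}-{high} overlaps existing ids {clash}")


class IdMap:
    """First come, first served (domain, rid) -> unix id allocator backed by a file."""

    def __init__(self, path: str, id_range: str, local_ids: Iterable[int] = ()):
        self.path = path
        self.low, self.high = parse_range(id_range)
        check_no_local_overlap((self.low, self.high), local_ids)
        self.map: Dict[str, int] = {}
        if os.path.exists(path):           # remembered across daemon restarts
            with open(path) as f:
                self.map = json.load(f)

    @staticmethod
    def _key(domain: str, rid: int) -> str:
        # a rid is only unique within its domain, so the key carries both
        return f"{domain.upper()}/{rid}"

    def lookup(self, domain: str, rid: int) -> Optional[int]:
        return self.map.get(self._key(domain, rid))

    def allocate(self, domain: str, rid: int) -> int:
        """Return the id for (domain, rid), taking the lowest free id if it is new."""
        key = self._key(domain, rid)
        if key in self.map:
            return self.map[key]
        used = set(self.map.values())
        candidate = self.low
        while candidate in used:
            candidate += 1
        if candidate > self.high:
            raise RuntimeError(f"id range {self.low}-{self.high} exhausted")
        self.map[key] = candidate
        self._save()
        return candidate

    def _save(self) -> None:
        # write then rename, so a crash cannot leave a truncated map behind
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.map, f)
        os.replace(tmp, self.path)


def demo() -> Dict[str, Optional[int]]:
    """Allocate, restart, then lose the map file, as the man page's WARNING describes."""
    path = os.path.join(tempfile.mkdtemp(), "winbindd_idmap.json")
    local_uids = [0, 500, 1000]            # constructed stand-in for /etc/passwd
    idmap = IdMap(path, "10000-20000", local_uids)
    first = idmap.allocate("DOMAIN", 1001)
    second = idmap.allocate("DOMAIN", 1002)
    again = idmap.allocate("DOMAIN", 1001)                       # stable on repeat
    restarted = IdMap(path, "10000-20000", local_uids).lookup("DOMAIN", 1002)
    os.remove(path)                                              # the map is gone
    after_loss = IdMap(path, "10000-20000", local_uids).allocate("DOMAIN", 1002)
    return {"first": first, "second": second, "again": again,
            "restarted": restarted, "after_loss": after_loss}
```

The last two steps of tt(demo()) are the point: after a restart the rid 1002 still resolves to 10001, but once the file is gone the same rid is re-allocated as 10000, so files on disk owned by the old id now belong to whichever NT account happens to be resolved first. Back up the real tt(winbindd_idmap.tdb) accordingly.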

label(CONFIGURATION)
manpagesection(CONFIGURATION)

Configuration of the bf(winbindd) daemon is done through configuration
parameters in the url(bf(smb.conf))(smb.conf.5.html) file. All parameters
should be specified in the [global] section of
url(bf(smb.conf))(smb.conf.5.html).

startdit()

dit(winbind separator)

The winbind separator option allows you to specify how NT domain names
and user names are combined into unix user names when presented to
users. By default winbind will use the traditional \ separator so
that the unix user names look like DOMAIN\username. In some cases
this separator character may cause problems as the \ character has
special meaning in unix shells. In that case you can use the winbind
separator option to specify an alternative separator character. Good
alternatives may be / (although that conflicts with the unix directory
separator) or a + character. The + character appears to be the best
choice for 100% compatibility with existing unix utilities, but may be
an aesthetically bad choice depending on your taste.

bf(Default:)
tt( winbind separator = \)

bf(Example:)
tt( winbind separator = +)

dit(winbind uid)

The winbind uid parameter specifies the range of user ids that are
allocated by the bf(winbindd) daemon. This range of
ids should have no existing local or NIS users within it, as id
conflicts can occur otherwise.

bf(Default:)
tt( winbind uid = <empty string>)

bf(Example:)
tt( winbind uid = 10000-20000)

dit(winbind gid)

The winbind gid parameter specifies the range of group ids that are
allocated by the bf(winbindd) daemon. This range of group ids should have
no existing local or NIS groups within it, as id conflicts can occur
otherwise.

bf(Default:)
tt( winbind gid = <empty string>)

bf(Example:)
tt( winbind gid = 10000-20000)

dit(winbind cache time)

This parameter specifies the number of seconds the bf(winbindd) daemon will
cache user and group information before querying a Windows NT server
again. When an item in the cache is older than this time bf(winbindd) will ask
the domain controller for the sequence number of the server's account
database. If the sequence number has not changed then the cached item is
marked as valid for a further "winbind cache time" seconds. Otherwise the
item is fetched from the server again. This means that as long as the account
database is not actively changing bf(winbindd) will only have to send one
sequence number query packet every "winbind cache time" seconds.

bf(Default:)
tt( winbind cache time = 15)

dit(winbind enum users)

On large installations it may be necessary to suppress the enumeration of
users through the tt(setpwent), tt(getpwent) and tt(endpwent) family of
library calls. If the tt(winbind enum users) parameter is false, calls to
tt(getpwent) will not return any data from winbind.

Warning: Turning off user enumeration may cause some programs to behave
oddly. For example, the finger program relies on having access to the full
user list when searching for matching usernames.

bf(Default:)
tt( winbind enum users = true)

dit(winbind enum groups)

On large installations it may be necessary to suppress the enumeration of
groups through the tt(setgrent), tt(getgrent) and tt(endgrent) family of
library calls. If the tt(winbind enum groups) parameter is false, calls to
tt(getgrent) will not return any data from winbind.

Warning: Turning off group enumeration may cause some programs to behave
oddly.

bf(Default:)
tt( winbind enum groups = true)

dit(template homedir)

When filling out the user information for a Windows NT user, the
bf(winbindd) daemon uses this parameter to fill in the home directory for
that user. If the string tt(%D) is present it is substituted with the
user's Windows NT domain name. If the string tt(%U) is present it is
substituted with the user's Windows NT user name.

bf(Default:)
tt( template homedir = /home/%D/%U)

dit(template shell)

When filling out the user information for a Windows NT user, the
bf(winbindd) daemon uses this parameter to fill in the shell for that user.

bf(Default:)
tt( template shell = /bin/false)

enddit()
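The sequence-number revalidation described under bf(winbind cache time), as an added Python model written for this page (not Samba's code). The domain controller is a constructed stand-in that bumps a sequence number whenever an account changes, and the clock is injected so the exchange can be stepped through without waiting; the query counters show the traffic pattern the text describes, and the tt(r4) step shows the caveat that a change on the domain controller stays invisible until the cached entry expires.

```python
"""Model of 'winbind cache time' revalidation (added example, not Samba code).

An entry older than 'winbind cache time' seconds is not refetched outright:
winbindd first asks the domain controller for the sequence number of its
account database and, if that has not changed, extends the entry for
another cache period. The domain controller below is a constructed
stand-in and the clock is injected, so the exchange can be stepped through
without waiting; the query counters show how little traffic a quiet domain
generates and how long a change stays invisible.
"""
from typing import Callable, Dict, Optional, Tuple


class FakeDomainController:
    """Stand-in DC: the sequence number moves whenever an account changes."""

    def __init__(self) -> None:
        self.seqnum = 1
        self.accounts: Dict[str, int] = {}          # user name -> rid
        self.seqnum_queries = 0
        self.account_queries = 0

    def set_account(self, name: str, rid: int) -> None:
        self.accounts[name] = rid
        self.seqnum += 1

    def query_seqnum(self) -> int:
        self.seqnum_queries += 1
        return self.seqnum

    def query_account(self, name: str) -> Optional[int]:
        self.account_queries += 1
        return self.accounts.get(name)


class WinbindCache:
    """name -> (rid, valid_until, sequence number the answer was fetched under)."""

    def __init__(self, dc: FakeDomainController, cache_time: int,
                 clock: Callable[[], float]) -> None:
        self.dc = dc
        self.cache_time = cache_time
        self.clock = clock
        self.entries: Dict[str, Tuple[Optional[int], float, int]] = {}

    def lookup(self, name: str) -> Optional[int]:
        now = self.clock()
        entry = self.entries.get(name)
        if entry is not None:
            rid, valid_until, seqnum = entry
            if now < valid_until:
                return rid                      # fresh: no packets at all
            current = self.dc.query_seqnum()    # stale: one cheap query first
            if current == seqnum:
                self.entries[name] = (rid, now + self.cache_time, seqnum)
                return rid
        else:
            current = self.dc.query_seqnum()
        # The sequence number is read *before* the record, so a change that
        # lands between the two calls forces a refetch at the next expiry
        # instead of being hidden behind a too-new sequence number.
        rid = self.dc.query_account(name)
        self.entries[name] = (rid, now + self.cache_time, current)
        return rid


def demo() -> Dict[str, Optional[int]]:
    """Step one lookup through the fresh, revalidated and invalidated states."""
    now = [0.0]
    dc = FakeDomainController()
    dc.set_account("alice", 1001)
    cache = WinbindCache(dc, cache_time=15, clock=lambda: now[0])
    r1 = cache.lookup("alice")     # miss: one seqnum query, one account fetch
    r2 = cache.lookup("alice")     # fresh: served from cache
    now[0] = 20.0
    r3 = cache.lookup("alice")     # stale, seqnum unchanged: one seqnum query
    dc.set_account("alice", 2002)  # the account changes on the DC
    r4 = cache.lookup("alice")     # entry valid until t=35, so the change is unseen
    now[0] = 40.0
    r5 = cache.lookup("alice")     # stale, seqnum moved: refetched
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5,
            "seqnum_queries": dc.seqnum_queries,
            "account_queries": dc.account_queries}
```

Five lookups cost two account fetches and three sequence-number queries; the price is that an account disabled or renamed on the domain controller keeps resolving from the cache for up to "winbind cache time" seconds, which is what a short value buys you.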


label(EXAMPLESETUP)
manpagesection(EXAMPLE SETUP)

To set up bf(winbindd) for user and group lookups plus authentication from
a domain controller use something like the following setup. This was
tested on a RedHat 6.2 Linux box.

In tt(/etc/nsswitch.conf) put the following:
verb(
passwd: files winbind
group: files winbind
)

In tt(/etc/pam.d/*) replace the tt(auth) lines with something like this:
verb(
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
)

Note in particular the use of the tt(sufficient) keyword and the
tt(use_first_pass) keyword. tt(sufficient) lets a successful domain
authentication satisfy the stack without consulting the local password
database, while still letting local users fall through to tt(pam_pwdb);
tt(use_first_pass) makes tt(pam_pwdb) reuse the password already collected
by tt(pam_winbind) instead of prompting a second time.

Now replace the account lines with this:
verb(
account required /lib/security/pam_winbind.so
)

The next step is to join the domain. To do that use the samedit
program like this:
verb(
samedit -S '*' -W DOMAIN -UAdministrator
)

The username after the -U can be any Domain user that has administrator
privileges on the machine. Next from within samedit, run the command:
verb(
createuser MACHINE$ -j DOMAIN -L
)

This assumes your domain is called tt(DOMAIN) and your Samba workstation
is called tt(MACHINE).

Next copy tt(libnss_winbind.so.2) to tt(/lib) and tt(pam_winbind.so) to
tt(/lib/security).

Finally, set up a smb.conf containing directives like the following:
verb(
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
)

Now start bf(winbindd) and you should find that your user and group
database is expanded to include your NT users and groups, and that you
can log in to your unix box as a domain user, using the tt(DOMAIN+user)
syntax for the username. You may wish to use the commands "getent
passwd" and "getent group" to confirm the correct operation of
bf(winbindd).
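A check for the two configuration files above, as an added Python example written for this page (it is not Samba's code and Samba ships no such linter). It encodes the pattern the text calls out, tt(pam_winbind.so) marked tt(sufficient) and followed by a tt(required) local module carrying tt(use_first_pass), together with the nsswitch ordering in the example, and it is motivated by the warning in NOTES that a PAM mistake can lock you out. The sample stacks are constructed: one is the page's own, the other a broken variant.

```python
"""Lint the PAM auth stack and nsswitch.conf for the winbind setup above
(added example, not Samba code).

The page's example depends on pam_winbind.so being 'sufficient' and on
the local module after it carrying 'use_first_pass'; the NOTES section
warns that a PAM mistake can lock you out. The rules below are this
example's reading of that advice, not checks shipped by Samba.
"""
from typing import List


def parse_pam_stack(text: str, module_type: str = "auth") -> List[List[str]]:
    """Return [control, module, *args] for each line of the given type."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == module_type:
            rows.append(fields[1:])
    return rows


def check_auth_stack(text: str) -> List[str]:
    """Return the problems found; an empty list means the stack matches the page."""
    rows = parse_pam_stack(text, "auth")
    winbind = [i for i, r in enumerate(rows) if r[1].endswith("pam_winbind.so")]
    if not winbind:
        return ["pam_winbind.so is not in the auth stack"]
    idx = winbind[0]
    control = rows[idx][0]
    problems = []
    if control != "sufficient":
        # 'required' makes the whole stack fail whenever pam_winbind fails,
        # so local users (root included) cannot log in while winbindd or
        # the domain controller is unreachable
        problems.append(f"pam_winbind.so is '{control}', expected 'sufficient'")
    fallback = [r for r in rows[idx + 1:] if r[0] == "required"]
    if not fallback:
        problems.append("no 'required' local password module after pam_winbind.so")
    elif "use_first_pass" not in fallback[0][2:]:
        problems.append(f"{fallback[0][1]} lacks use_first_pass (user is prompted twice)")
    return problems


def check_nsswitch(text: str) -> List[str]:
    """Both passwd and group must list winbind, with files first as on the page."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, rest = line.partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    problems = []
    for db in ("passwd", "group"):
        srcs = sources.get(db, [])
        if "winbind" not in srcs:
            problems.append(f"{db}: winbind missing")
        elif srcs[0] != "files":
            problems.append(f"{db}: 'files' should precede 'winbind'")
    return problems


# Constructed inputs: the page's own stack, and a broken variant.
GOOD_AUTH = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

BAD_AUTH = """\
auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so shadow nullok
"""

GOOD_NSS = "passwd: files winbind\ngroup: files winbind\n"
BAD_NSS = "passwd: winbind files\ngroup: files\n"
```

Run tt(check_auth_stack) on each file under tt(/etc/pam.d) you edit before logging out of the session you edited it from; the broken variant above is the common slip, and it rejects every local login the moment the daemon is down.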

label(NOTES)
manpagesection(NOTES)

The following notes are useful when configuring and running bf(winbindd):

startdit()

dit()
url(bf(nmbd))(nmbd.8.html) must be running on the local machine for
bf(winbindd) to work.

dit()
bf(winbindd) queries the list of trusted domains for the Windows NT server
on startup and when a SIGHUP is received. Thus, for a running bf(winbindd)
to become aware of new trust relationships between servers, it must be sent
a SIGHUP signal.

dit()
Client processes resolving names through the bf(winbindd) nsswitch module
read an environment variable named tt(WINBINDD_DOMAIN). If this variable
contains a comma separated list of Windows NT domain names, then bf(winbindd)
will only resolve users and groups within those Windows NT domains.

dit()
PAM is really easy to misconfigure. Make sure you know what you are doing
when modifying PAM configuration files. It is possible to set up PAM
such that you can no longer log into your system.

dit()
If more than one UNIX machine is running bf(winbindd), then in general the
user and group ids allocated by bf(winbindd) will not be the same. The
user and group ids will only be valid for the local machine.

dit()
If the Windows NT RID to UNIX user and group id mapping file
is damaged or destroyed then the mappings will be lost.

enddit()

label(SIGNALS)
manpagesection(SIGNALS)

The following signals can be used to manipulate the bf(winbindd) daemon.

startdit()

dit(tt(SIGHUP))

Reload the tt(smb.conf) file and apply any parameter changes to the running
version of bf(winbindd). This signal also clears any cached user and group
information. The list of other domains trusted by bf(winbindd) is also
reloaded.

dit(tt(SIGUSR1))

The tt(SIGUSR1) signal will cause bf(winbindd) to write status information
to the winbind log file including information about the number of user and
group ids allocated by bf(winbindd).

Log files are stored in the filename specified by the bf(log file) parameter.

enddit()

label(FILES)
manpagefiles()

The following files are relevant to the operation of the bf(winbindd)
daemon.

startdit()

dit(/etc/nsswitch.conf(5))

Name service switch configuration file.

dit(/tmp/.winbindd/pipe)

The UNIX pipe over which clients communicate with the bf(winbindd) program.
For security reasons, the winbind client will only attempt to connect to the
bf(winbindd) daemon if both the tt(/tmp/.winbindd) directory and
tt(/tmp/.winbindd/pipe) file are owned by root. Without that check an
unprivileged user could create the directory in the world-writable tt(/tmp)
ahead of the daemon and answer lookups in its place.

dit(/lib/libnss_winbind.so.X)

Implementation of name service switch library.

dit($LOCKDIR/winbindd_idmap.tdb)

Storage for the Windows NT rid to UNIX user/group id mapping. The lock
directory is specified when Samba is initially compiled using the
tt(--with-lockdir) option. This directory is by default
tt(/usr/local/samba/var/locks).

dit($LOCKDIR/winbindd_cache.tdb)

Storage for cached user and group information.

enddit()
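The ownership check the winbind client performs on tt(/tmp/.winbindd), as an added Python example written for this page (not Samba's code). It assumes, as in the Samba sources, that the "pipe" is a UNIX domain socket, uses tt(os.lstat) so that a symlink planted at either path is rejected too (a detail the page does not spell out), and takes the expected owner as a parameter so that tt(demo()) can exercise it as an unprivileged user against a constructed directory instead of the real one owned by root.

```python
"""Reproduce the winbind client's ownership check on /tmp/.winbindd
(added example, not Samba code).

/tmp is world-writable, so any local user could create /tmp/.winbindd and
a 'pipe' inside it before winbindd starts and then answer lookups with
whatever uids it likes. The man page says the client refuses to connect
unless both the directory and the pipe are owned by root; this function
makes that check with os.lstat (so a symlink at either path fails), also
requires the pipe to be a UNIX domain socket as winbindd creates it
(an assumption of this example), and is parameterised on the expected
owner so it can be exercised without privileges.
"""
import os
import socket
import stat
import tempfile
from typing import Dict


def winbind_pipe_is_trusted(dir_path: str, expected_uid: int = 0) -> bool:
    """True only if dir_path and dir_path/pipe exist, are the right object
    types, and are both owned by expected_uid (root in the real client)."""
    pipe_path = os.path.join(dir_path, "pipe")
    try:
        d = os.lstat(dir_path)
        p = os.lstat(pipe_path)
    except OSError:
        return False
    if not stat.S_ISDIR(d.st_mode) or not stat.S_ISSOCK(p.st_mode):
        return False          # symlinks or plain files standing in for the real objects
    return d.st_uid == expected_uid and p.st_uid == expected_uid


def demo() -> Dict[str, bool]:
    """Build constructed directories and show the check accepting and rejecting them."""
    base = tempfile.mkdtemp()
    me = os.getuid()

    good = os.path.join(base, ".winbindd")          # what winbindd itself would create
    os.mkdir(good, 0o755)
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(os.path.join(good, "pipe"))

    fake = os.path.join(base, "fake")               # a pre-created impostor directory
    os.mkdir(fake)
    open(os.path.join(fake, "pipe"), "w").close()   # a regular file, not a socket

    results = {
        "owned_by_expected": winbind_pipe_is_trusted(good, me),
        "owned_by_someone_else": winbind_pipe_is_trusted(good, me + 1),
        "missing": winbind_pipe_is_trusted(os.path.join(base, "absent"), me),
        "not_a_socket": winbind_pipe_is_trusted(fake, me),
    }
    listener.close()
    return results
```

Only the first constructed directory passes; the same function called with the default tt(expected_uid=0) against the real tt(/tmp/.winbindd) reports whether a client on the machine would talk to the daemon at all.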

label(SEEALSO)
manpageseealso()

url(bf(samba(7)))(samba.7.html), url(bf(smb.conf(5)))(smb.conf.5.html),
bf(nsswitch.conf(5)), url(bf(wbinfo(1)))(wbinfo.1.html)

label(AUTHOR)
manpageauthor()

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project.

bf(winbindd) was written by Tim Potter.