     WINBINDD(8)     UNIX System V (19 November	2002)	   WINBINDD(8)
     NAME
	  winbindd - Name Service Switch daemon	for resolving names
	  from NT servers
     SYNOPSIS
          winbindd [ -i ] [ -d <debug level> ] [ -s <smb config file> ]
     DESCRIPTION
          This program is part of the Samba suite.
          winbindd is a daemon that provides a service for the Name
          Service Switch capability that is present in most modern C
          libraries. The Name Service Switch allows user and system
          information to be obtained from different database services
          such as NIS or DNS. The exact behaviour can be configured
          through the /etc/nsswitch.conf file. Users and groups are
          allocated as they are resolved to a range of user and group
          ids specified by the administrator of the Samba system.
          The service provided by winbindd is called `winbind' and can
          be used to resolve user and group information from a Windows
          NT server. The service can also provide authentication
          services via an associated PAM module.
          The pam_winbind module in the 2.2.2 release only supports
          the auth and account module-types. The latter simply
          performs a getpwnam() to verify that the system can obtain a
          uid for the user. If the libnss_winbind library has been
          correctly installed, this should always succeed.
          The following nsswitch databases are implemented by the
          winbindd service:
          hosts
               Host information traditionally stored in the hosts(5)
               file and used by gethostbyname(3) functions. Names are
               resolved through the WINS server or by broadcast.
	  passwd
	       User information	traditionally stored in	the passwd(5)
	       file and	used by	getpwent(3) functions.
	  group
	       Group information traditionally stored in the group(5)
	       file and	used by	getgrent(3) functions.
	  For example, the following simple configuration in the
	  /etc/nsswitch.conf file can be used to initially resolve
	  user and group information from /etc/passwd and /etc/group
	  and then from	the Windows NT server.
	  passwd:	  files	winbind
	  group:	  files	winbind
	  The following	simple configuration in	the /etc/nsswitch.conf
	  file can be used to initially	resolve	hostnames from
	  /etc/hosts and then from the WINS server.
     OPTIONS
	  -d debuglevel
	       Sets the	debuglevel to an integer between 0 and 100. 0
	       is for no debugging and 100 is for reams	and reams. To
	       submit a	bug report to the Samba	Team, use debug	level
	       100 (see	BUGS.txt).
	  -i   Tells winbindd to not become a daemon and detach	from
	       the current terminal. This option is used by developers
	       when interactive	debugging of winbindd is required.
     NAME AND ID RESOLUTION
	  Users	and groups on a	Windows	NT server are assigned a
	  relative id (rid) which is unique for	the domain when	the
	  user or group	is created. To convert the Windows NT user or
	  group	into a unix user or group, a mapping between rids and
	  unix user and	group ids is required. This is one of the jobs
	  that	winbindd performs.
	  As winbindd users and	groups are resolved from a server,
	  user and group ids are allocated from	a specified range.
	  This is done on a first come,	first served basis, although
	  all existing users and groups	will be	mapped as soon as a
	  client performs a user or group enumeration command. The
	  allocated unix ids are stored	in a database file under the
	  Samba	lock directory and will	be remembered.
	  WARNING: The rid to unix id database is the only location
	  where	the user and group mappings are	stored by winbindd. If
	  this file is deleted or corrupted, there is no way for
	  winbindd to determine	which user and group ids correspond to
	  Windows NT user and group rids.
     CONFIGURATION
	  Configuration	of the winbindd	daemon is done through
	  configuration	parameters in the smb.conf(5) file. All
	  parameters should be specified in the	[global] section of
	  smb.conf.
	  winbind separator
	       The winbind separator option allows you to specify how
	       NT domain names and user	names are combined into	unix
	       user names when presented to users. By default,
	       winbindd	will use the traditional '\' separator so that
	       the unix	user names look	like DOMAIN\username. In some
	       cases this separator character may cause	problems as
	       the '\' character has special meaning in	unix shells.
	       In that case you	can use	the winbind separator option
	       to specify an alternative separator character. Good
               alternatives may be '/' (although that conflicts with
               the unix directory separator) or a '+' character. The
	       '+' character appears to	be the best choice for 100%
	       compatibility with existing unix	utilities, but may be
	       an aesthetically	bad choice depending on	your taste.
	       Default:	winbind	separator = \
	       Example:	winbind	separator = +
	  winbind uid
	       The winbind uid parameter specifies the range of	user
	       ids that	are allocated by the winbindd daemon. This
	       range of	ids should have	no existing local or NIS users
	       within it as strange conflicts can occur	otherwise.
	       Default:	winbind	uid = <empty string>
	       Example:	winbind	uid = 10000-20000
	  winbind gid
	       The winbind gid parameter specifies the range of	group
	       ids that	are allocated by the winbindd daemon. This
	       range of	group ids should have no existing local	or NIS
	       groups within it	as strange conflicts can occur
	       otherwise.
	       Default:	winbind	gid = <empty string>
	       Example:	winbind	gid = 10000-20000
	  winbind cache	time
	       This parameter specifies	the number of seconds the
	       winbindd	daemon will cache user and group information
               before querying a Windows NT server again. When an item
	       in the cache is older than this time winbindd will ask
	       the domain controller for the sequence number of	the
	       server's	account	database. If the sequence number has
	       not changed then	the cached item	is marked as valid for
	       a further winbind cache time seconds. Otherwise the
	       item is fetched from the	server.	This means that	as
	       long as the account database is not actively changing
	       winbindd	will only have to send one sequence number
	       query packet every winbind cache	time seconds.
	       Default:	winbind	cache time = 15
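The cache-time and sequence-number rule just described, simulated here as an added example rather than Samba's own code; FakeDomainController, its sequence numbers and the user record are constructed for the illustration:

```python
"""Simulation of the 'winbind cache time' refresh rule described above.
Added example, not Samba code: a constructed stand-in for the domain
controller publishes an account-database sequence number, and the cache
refetches a record only when it is stale AND that number has changed."""

import time

class FakeDomainController:
    """Stand-in for the NT domain controller, with query counters."""

    def __init__(self):
        self.seqnum = 1
        self.users = {"alice": ("alice", 1105)}     # name -> (name, rid), constructed
        self.queries = {"seqnum": 0, "user": 0}

    def sequence_number(self):
        self.queries["seqnum"] += 1
        return self.seqnum

    def get_user(self, name):
        self.queries["user"] += 1
        return self.users.get(name)

    def change_account(self, name, rid):
        """Any write to the account database bumps the sequence number."""
        self.users[name] = (name, rid)
        self.seqnum += 1

class WinbindCache:
    def __init__(self, dc, cache_time=15, clock=time.monotonic):
        self.dc, self.cache_time, self.clock = dc, cache_time, clock
        self.entries = {}   # name -> (record, seqnum seen, valid_until)

    def flush(self):
        """What SIGHUP does to the cache: drop everything."""
        self.entries.clear()

    def get_user(self, name):
        now = self.clock()
        hit = self.entries.get(name)
        if hit and now < hit[2]:
            return hit[0]                       # fresh: no network traffic
        seq = self.dc.sequence_number()         # stale or absent: one seqnum query
        if hit and hit[1] == seq:
            self.entries[name] = (hit[0], seq, now + self.cache_time)
            return hit[0]                       # unchanged DB: revalidate only
        record = self.dc.get_user(name)
        self.entries[name] = (record, seq, now + self.cache_time)
        return record
```

With the default cache time of 15 seconds, an idle account database costs one sequence-number query per 15 seconds per entry and no record fetches.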
	  winbind enum users
	       On large	installations it may be	necessary to suppress
	       the enumeration of users	through	the  setpwent(),
	       getpwent() and endpwent() group of system calls.	If the
	       winbind enum users parameter is false, calls to the
               getpwent() system call will not return any data.
	       Warning:	Turning	off user enumeration may cause some
	       programs	to behave oddly. For example, the finger
	       program relies on having	access to the full user	list
	       when searching for matching usernames.
	       Default:	winbind	enum users = yes
	  winbind enum groups
	       On large	installations it may be	necessary to suppress
	       the enumeration of groups through the  setgrent(),
	       getgrent() and endgrent() group of system calls.	If the
	       winbind enum groups parameter is	false, calls to	the
	       getgrent() system call will not return any data.
	       Warning:	Turning	off group enumeration may cause	some
	       programs	to behave oddly.
	       Default:	winbind	enum groups = no
	  template homedir
	       When filling out	the user information for a Windows NT
	       user, the winbindd daemon uses this parameter to	fill
	       in the home directory for that user. If the string %D
	       is present it is	substituted with the user's Windows NT
	       domain name. If the string %U is	present	it is
	       substituted with	the user's Windows NT user name.
	       Default:	template homedir = /home/%D/%U
	  template shell
	       When filling out	the user information for a Windows NT
	       user, the winbindd daemon uses this parameter to	fill
	       in the shell for	that user.
	       Default:	template shell = /bin/false
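The rid-to-id allocation and the separator and template parameters described in the two sections above, modelled in Python as an added illustration (not Samba's own code); the CONF dictionary, the rids and the local id list in the comments are constructed for the example:

```python
"""Model of the rid-to-unix-id allocation and user-entry synthesis described
above. Added illustration, not Samba code: a constructed smb.conf dictionary
and made-up rids show first-come, first-served allocation from the 'winbind
uid'/'winbind gid' ranges, the overlap check the page warns about, and
%D/%U template expansion."""

def parse_range(spec):
    """'10000-20000' -> (10000, 20000); rejects reversed or malformed input."""
    lo, hi = (int(part) for part in spec.split("-"))
    if lo > hi:
        raise ValueError(f"reversed id range: {spec}")
    return lo, hi

class IdAllocator:
    """Hands out unix ids for (domain, rid) keys and remembers every mapping,
    as winbindd does in winbindd_idmap.tdb (a dict stands in for the tdb)."""

    def __init__(self, spec):
        self.lo, self.hi = parse_range(spec)
        self.mapping = {}
        self.next_id = self.lo

    def overlaps(self, existing_ids):
        """Local/NIS ids that fall inside the winbind range (should be none)."""
        return sorted(i for i in existing_ids if self.lo <= i <= self.hi)

    def lookup(self, domain, rid):
        key = (domain.upper(), rid)        # NT domain names are case-insensitive
        if key not in self.mapping:
            if self.next_id > self.hi:
                raise RuntimeError("winbind id range exhausted")
            self.mapping[key] = self.next_id
            self.next_id += 1
        return self.mapping[key]

def passwd_entry(conf, uids, gids, domain, user, user_rid, group_rid):
    """Build the passwd(5) line winbindd would hand back for a domain user."""
    sep = conf.get("winbind separator", "\\")
    home = conf.get("template homedir", "/home/%D/%U")
    shell = conf.get("template shell", "/bin/false")
    home = home.replace("%D", domain).replace("%U", user)
    return (f"{domain}{sep}{user}:x:{uids.lookup(domain, user_rid)}:"
            f"{gids.lookup(domain, group_rid)}:{user}:{home}:{shell}")

# Constructed configuration mirroring the EXAMPLE SETUP section of this page.
CONF = {"winbind separator": "+", "winbind uid": "10000-20000",
        "winbind gid": "10000-20000", "template shell": "/bin/bash"}
```

Run overlaps() against the uids in /etc/passwd (and NIS) before committing a range; a non-empty result is the conflict the winbind uid and winbind gid descriptions warn about.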
     EXAMPLE SETUP
          To set up winbindd for user and group lookups plus
          authentication from a domain controller use something like
          the following setup. This was tested on a RedHat 6.2 Linux
          box.
	  In /etc/nsswitch.conf	put the	following:
	  passwd:     files winbind
	  group:      files winbind
	  In /etc/pam.d/* replace the auth lines with something	like
	  this:
          auth       required    /lib/security/pam_securetty.so
          auth       required    /lib/security/pam_nologin.so
          auth       sufficient  /lib/security/pam_winbind.so
          auth       required    /lib/security/pam_pwdb.so use_first_pass shadow nullok
	  Note in particular the use of	the sufficient keyword and the
	  use_first_pass keyword.
	  Now replace the account lines	with this:
	  account required /lib/security/pam_winbind.so
	  The next step	is to join the domain. To do that use the
	  smbpasswd program like this:
	  smbpasswd -j DOMAIN -r PDC -U	Administrator
	  The username after the -U can	be any Domain user that	has
	  administrator	privileges on the machine.  Substitute your
	  domain name for "DOMAIN" and the name	of your	PDC for	"PDC".
	  Next copy libnss_winbind.so to /lib and pam_winbind.so to
	  /lib/security. A symbolic link needs to be made from
	  /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you
	  are using an older version of	glibc then the target of the
	  link should be /lib/libnss_winbind.so.1.
	  Finally, setup a smb.conf containing directives like the
	  following:
          [global]
               winbind separator = +
               winbind cache time = 10
               template shell = /bin/bash
               template homedir = /home/%D/%U
               winbind uid = 10000-20000
               winbind gid = 10000-20000
               workgroup = DOMAIN
               security = domain
               password server = *
	  Now start winbindd and you should find that your user	and
	  group	database is expanded to	include	your NT	users and
	  groups, and that you can login to your unix box as a domain
	  user,	using the DOMAIN+user syntax for the username. You may
	  wish to use the commands getent passwd and getent group to
	  confirm the correct operation	of winbindd.
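A check that the nsswitch.conf and PAM fragments in the setup above have the shape the page calls out, added here as an illustration (not part of Samba); NSSWITCH and PAM_LOGIN are constructed copies of the lines shown:

```python
"""Checker for the nsswitch.conf and PAM lines in the setup above (added
example, not Samba code). It parses constructed copies of both files and
lists deviations from what the page calls out: 'files' before 'winbind',
pam_winbind 'sufficient' followed by a module given use_first_pass, and
a pam_winbind 'account' line."""

NSSWITCH = "passwd:     files winbind\ngroup:      files winbind\n"
PAM_LOGIN = """\
auth       required    /lib/security/pam_securetty.so
auth       required    /lib/security/pam_nologin.so
auth       sufficient  /lib/security/pam_winbind.so
auth       required    /lib/security/pam_pwdb.so use_first_pass shadow nullok
account    required    /lib/security/pam_winbind.so
"""

def rows(text):
    """Whitespace-split non-comment, non-blank lines."""
    return [l.split() for l in text.splitlines() if l.strip() and l[0] != "#"]

def check_nsswitch(text):
    """passwd and group must each list 'files' before 'winbind'."""
    problems = []
    srcs = {r[0].rstrip(":"): r[1:] for r in rows(text)}
    for db in ("passwd", "group"):
        order = srcs.get(db, [])
        if "winbind" not in order:
            problems.append(f"{db}: winbind source missing")
        elif "files" not in order[:order.index("winbind")]:
            problems.append(f"{db}: 'files' should precede 'winbind'")
    return problems

def check_pam(text):
    """auth: pam_winbind 'sufficient' and next module use_first_pass; account: pam_winbind."""
    problems = []
    auth = [r for r in rows(text) if r[0] == "auth"]
    hits = [i for i, r in enumerate(auth) if r[2].endswith("pam_winbind.so")]
    if not hits:
        problems.append("auth: pam_winbind.so not listed")
    else:
        i = hits[0]
        if auth[i][1] != "sufficient":
            problems.append("auth: pam_winbind.so should be 'sufficient'")
        if i + 1 >= len(auth) or "use_first_pass" not in auth[i + 1][3:]:
            problems.append("auth: module after pam_winbind.so lacks use_first_pass")
    if not any(r[0] == "account" and r[2].endswith("pam_winbind.so")
               for r in rows(text)):
        problems.append("account: pam_winbind.so line missing")
    return problems
```

An empty list from both functions means the fragments match the page; each string in a non-empty list names the line to fix before rebooting a box whose PAM stack you have just edited.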
     NOTES
	  The following	notes are useful when configuring and running
	  winbindd:
	  nmbd must be running on the local machine for	winbindd to
	  work.	winbindd queries the list of trusted domains for the
	  Windows NT server on startup and when	a SIGHUP is received.
	  Thus,	for a running  winbindd	to become aware	of new trust
	  relationships	between	servers, it must be sent a SIGHUP
	  signal.
	  Client processes resolving names through the winbindd
	  nsswitch module read an environment variable named
	  $WINBINDD_DOMAIN. If this variable contains a	comma
	  separated list of Windows NT domain names, then winbindd
	  will only resolve users and groups within those Windows NT
	  domains.
	  PAM is really	easy to	misconfigure. Make sure	you know what
	  you are doing	when modifying PAM configuration files.	It is
	  possible to set up PAM such that you can no longer log into
	  your system.
          If more than one UNIX machine is running winbindd, then in
          general the user and group ids allocated by winbindd will
          not be the same. The user and group ids will only be valid
          for the local machine.
          If the Windows NT RID to UNIX user and group id mapping
          file is damaged or destroyed then the mappings will be lost.
     SIGNALS
	  The following	signals	can be used to manipulate the winbindd
	  daemon.
	  SIGHUP
	       Reload the smb.conf(5) file and apply any parameter
	       changes to the running version of winbindd. This	signal
	       also clears any cached user and group information. The
	       list of other domains trusted by	winbindd is also
	       reloaded.
	  SIGUSR1
	       The SIGUSR1 signal will cause  winbindd to write	status
	       information to the winbind log file including
	       information about the number of user and	group ids
	       allocated by winbindd.
	       Log files are stored in the filename specified by the
	       log file	parameter.
     FILES
	  /etc/nsswitch.conf(5)
	       Name service switch configuration file.
	  /tmp/.winbindd/pipe
	       The UNIX	pipe over which	clients	communicate with the
	       winbindd	program. For security reasons, the winbind
	       client will only	attempt	to connect to the winbindd
	       daemon if both the /tmp/.winbindd directory and
	       /tmp/.winbindd/pipe file	are owned by root.
	  /lib/libnss_winbind.so.X
	       Implementation of name service switch library.
	  $LOCKDIR/winbindd_idmap.tdb
	       Storage for the Windows NT rid to UNIX user/group id
	       mapping.	The lock directory is specified	when Samba is
	       initially compiled using	the --with-lockdir option.
               This directory is by default /usr/local/samba/var/locks.
	  $LOCKDIR/winbindd_cache.tdb
	       Storage for cached user and group information.
     VERSION
	  This man page	is correct for version 2.2 of the Samba	suite.
     SEE ALSO
          nsswitch.conf(5), samba(7), wbinfo(1), smb.conf(5)
     AUTHOR
	  The original Samba software and related utilities were
	  created by Andrew Tridgell. Samba is now developed by	the
	  Samba	Team as	an Open	Source project similar to the way the
	  Linux	kernel is developed.
	  wbinfo and winbindd were written by Tim Potter.
          The conversion to DocBook for Samba 2.2 was done by Gerald
          Carter.