winbindd man page on IRIX

     WINBINDD(8)     UNIX System V (19 November 2002)	   WINBINDD(8)

     NAME
	  winbindd - Name Service Switch daemon for resolving names
	  from NT servers

     SYNOPSIS
	  winbindd [ -i ]  [ -d <debug level> ]	 [ -s <smb config
	  file> ]

     DESCRIPTION
	  This program is part of the  Samba suite.

	  winbindd is a daemon that provides a service for the Name
	  Service Switch capability that is present in most modern C
	  libraries. The Name Service Switch allows user and system
	  information to be obtained from different database services
	  such as NIS or DNS. The exact behaviour can be configured
	  through the /etc/nsswitch.conf file. Users and groups are
	  allocated as they are resolved to a range of user and group
	  ids specified by the administrator of the Samba system.

	  The service provided by winbindd is called `winbind' and can
	  be used to resolve user and group information from a Windows
	  NT server. The service can also provide authentication
	  services via an associated PAM module.

	  The pam_winbind module in the 2.2.2 release only supports
	  the auth and account module-types. The latter simply
	  performs a getpwnam() to verify that the system can obtain a
	  uid for the user. If the libnss_winbind library has been
	  correctly installed, this should always succeed.

	  The following nsswitch databases are implemented by the
	  winbindd service:

	  hosts
	       User information traditionally stored in the hosts(5)
	       file and used by gethostbyname(3) functions. Names are
	       resolved through the WINS server or by broadcast.

	  passwd
	       User information traditionally stored in the passwd(5)
	       file and used by getpwent(3) functions.

	  group
	       Group information traditionally stored in the group(5)
	       file and used by getgrent(3) functions.

	  For example, the following simple configuration in the
	  /etc/nsswitch.conf file can be used to initially resolve
	  user and group information from /etc/passwd and /etc/group
	  and then from the Windows NT server.

     Page 1					     (printed 2/13/04)

	  passwd:	  files winbind
	  group:	  files winbind

	  The following simple configuration in the /etc/nsswitch.conf
	  file can be used to initially resolve hostnames from
	  /etc/hosts and then from the WINS server.

     OPTIONS
	  -d debuglevel
	       Sets the debuglevel to an integer between 0 and 100. 0
	       is for no debugging and 100 is for reams and reams. To
	       submit a bug report to the Samba Team, use debug level
	       100 (see BUGS.txt).

	  -i   Tells winbindd to not become a daemon and detach from
	       the current terminal. This option is used by developers
	       when interactive debugging of winbindd is required.

     NAME AND ID RESOLUTION
	  Users and groups on a Windows NT server are assigned a
	  relative id (rid) which is unique for the domain when the
	  user or group is created. To convert the Windows NT user or
	  group into a unix user or group, a mapping between rids and
	  unix user and group ids is required. This is one of the jobs
	  that winbindd performs.

	  As winbindd users and groups are resolved from a server,
	  user and group ids are allocated from a specified range.
	  This is done on a first come, first served basis, although
	  all existing users and groups will be mapped as soon as a
	  client performs a user or group enumeration command. The
	  allocated unix ids are stored in a database file under the
	  Samba lock directory and will be remembered.

	  WARNING: The rid to unix id database is the only location
	  where the user and group mappings are stored by winbindd. If
	  this file is deleted or corrupted, there is no way for
	  winbindd to determine which user and group ids correspond to
	  Windows NT user and group rids.

     CONFIGURATION
	  Configuration of the winbindd daemon is done through
	  configuration parameters in the smb.conf(5) file. All
	  parameters should be specified in the [global] section of
	  smb.conf.

	  winbind separator
	       The winbind separator option allows you to specify how
	       NT domain names and user names are combined into unix
	       user names when presented to users. By default,
	       winbindd will use the traditional '\' separator so that
	       the unix user names look like DOMAIN\username. In some
	       cases this separator character may cause problems as
	       the '\' character has special meaning in unix shells.
	       In that case you can use the winbind separator option
	       to specify an alternative separator character. Good
	       alternatives may be '/' (although that conflicts with
	       the unix directory separator) or a '+' character. The
	       '+' character appears to be the best choice for 100%
	       compatibility with existing unix utilities, but may be
	       an aesthetically bad choice depending on your taste.

	       Default: winbind separator = \

	       Example: winbind separator = +

	  winbind uid
	       The winbind uid parameter specifies the range of user
	       ids that are allocated by the winbindd daemon. This
	       range of ids should have no existing local or NIS users
	       within it as strange conflicts can occur otherwise.

	       Default: winbind uid = <empty string>

	       Example: winbind uid = 10000-20000

	  winbind gid
	       The winbind gid parameter specifies the range of group
	       ids that are allocated by the winbindd daemon. This
	       range of group ids should have no existing local or NIS
	       groups within it as strange conflicts can occur
	       otherwise.

	       Default: winbind gid = <empty string>

	       Example: winbind gid = 10000-20000

	  winbind cache time
	       This parameter specifies the number of seconds the
	       winbindd daemon will cache user and group information
	       before querying a Windows NT server again. When an item
	       in the cache is older than this time winbindd will ask
	       the domain controller for the sequence number of the
	       server's account database. If the sequence number has
	       not changed then the cached item is marked as valid for
	       a further winbind cache time seconds. Otherwise the
	       item is fetched from the server. This means that as
	       long as the account database is not actively changing
	       winbindd will only have to send one sequence number
	       query packet every winbind cache time seconds.

	       Default: winbind cache time = 15

	  winbind enum users
	       On large installations it may be necessary to suppress
	       the enumeration of users through the  setpwent(),
	       getpwent() and endpwent() group of system calls. If the
	       winbind enum users parameter is false, calls to the
	       getpwent system call will not return any data.

	       Warning: Turning off user enumeration may cause some
	       programs to behave oddly. For example, the finger
	       program relies on having access to the full user list
	       when searching for matching usernames.

	       Default: winbind enum users = yes

	  winbind enum groups
	       On large installations it may be necessary to suppress
	       the enumeration of groups through the  setgrent(),
	       getgrent() and endgrent() group of system calls. If the
	       winbind enum groups parameter is false, calls to the
	       getgrent() system call will not return any data.

	       Warning: Turning off group enumeration may cause some
	       programs to behave oddly.

	       Default: winbind enum groups = no

	  template homedir
	       When filling out the user information for a Windows NT
	       user, the winbindd daemon uses this parameter to fill
	       in the home directory for that user. If the string %D
	       is present it is substituted with the user's Windows NT
	       domain name. If the string %U is present it is
	       substituted with the user's Windows NT user name.

	       Default: template homedir = /home/%D/%U

	  template shell
	       When filling out the user information for a Windows NT
	       user, the winbindd daemon uses this parameter to fill
	       in the shell for that user.

	       Default: template shell = /bin/false
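
The winbind uid and winbind gid descriptions above require ranges that contain no existing local or NIS ids. The shell function below is an added example, not part of the Samba distribution: it lists the entries of a passwd(5)- or group(5)-format file whose id falls inside a range. The names ids_in_range and sample_passwd and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Samba: find local ids inside a winbind id range.

# ids_in_range FILE RANGE
#   FILE  - passwd(5)- or group(5)-format file, or "-" for stdin (id is field 3)
#   RANGE - "low-high", same syntax as the winbind uid / winbind gid value
# Prints "name:id" per conflicting entry. Returns 0 if the range is free,
# 1 if any entry falls inside it, 2 if RANGE is malformed.
ids_in_range() {
    file=$1 range=$2
    case $range in
        *[!0-9-]*|-*|*-|*-*-*|'') echo "bad range: $range" >&2; return 2 ;;
        *-*) lo=${range%-*} hi=${range#*-} ;;
        *) echo "bad range: $range" >&2; return 2 ;;
    esac
    [ "$lo" -le "$hi" ] || { echo "bad range: $range" >&2; return 2; }
    awk -F: -v lo="$lo" -v hi="$hi" '
        /^[#+-]/ || NF < 3 { next }   # comments and NIS compat (+/-) entries
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 <= hi { print $1 ":" $3; hit = 1 }
        END { exit hit + 0 }
    ' "$file"
}

# Constructed sample data (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/sh
backup:x:10000:10000:lower edge of range:/var/backup:/bin/false
oracle:x:15000:600:inside range:/home/oracle:/bin/sh
nfsnobody:x:65534:65534:above range:/:/bin/false
+::::::
EOF
}

# Demo on the constructed data with the range used in this page's examples.
sample_passwd | ids_in_range - 10000-20000 || echo "range 10000-20000 is not free"
```

Run it against /etc/passwd and /etc/group before choosing the ranges. Ids allocated by winbindd are not stored in those files, so the check remains meaningful after winbindd has been started.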

     EXAMPLE SETUP
	  To set up winbindd for user and group lookups plus
	  authentication from a domain controller use something like
	  the following setup. This was tested on a RedHat 6.2 Linux
	  box.

	  In /etc/nsswitch.conf put the following:

	  passwd:     files winbind
	  group:      files winbind

	  In /etc/pam.d/* replace the auth lines with something like
	  this:

	  auth       required     /lib/security/pam_securetty.so
	  auth       required     /lib/security/pam_nologin.so
	  auth       sufficient   /lib/security/pam_winbind.so
	  auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok

	  Note in particular the use of the sufficient keyword and the
	  use_first_pass keyword.

	  Now replace the account lines with this:

	  account required /lib/security/pam_winbind.so

	  The next step is to join the domain. To do that use the
	  smbpasswd program like this:

	  smbpasswd -j DOMAIN -r PDC -U Administrator

	  The username after the -U can be any Domain user that has
	  administrator privileges on the machine.  Substitute your
	  domain name for "DOMAIN" and the name of your PDC for "PDC".

	  Next copy libnss_winbind.so to /lib and pam_winbind.so to
	  /lib/security. A symbolic link needs to be made from
	  /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you
	  are using an older version of glibc then the target of the
	  link should be /lib/libnss_winbind.so.1.

	  Finally, set up an smb.conf containing directives like the
	  following:

	  [global]
	       winbind separator = +
	       winbind cache time = 10
	       template shell = /bin/bash
	       template homedir = /home/%D/%U
	       winbind uid = 10000-20000
	       winbind gid = 10000-20000
	       workgroup = DOMAIN
	       security = domain
	       password server = *

	  Now start winbindd and you should find that your user and
	  group database is expanded to include your NT users and
	  groups, and that you can log in to your unix box as a domain
	  user, using the DOMAIN+user syntax for the username. You may
	  wish to use the commands getent passwd and getent group to
	  confirm the correct operation of winbindd.

     NOTES
	  The following notes are useful when configuring and running
	  winbindd:

	  nmbd must be running on the local machine for winbindd to
	  work. winbindd queries the list of trusted domains for the
	  Windows NT server on startup and when a SIGHUP is received.
	  Thus, for a running  winbindd to become aware of new trust
	  relationships between servers, it must be sent a SIGHUP
	  signal.

	  Client processes resolving names through the winbindd
	  nsswitch module read an environment variable named
	  $WINBINDD_DOMAIN. If this variable contains a comma
	  separated list of Windows NT domain names, then winbindd
	  will only resolve users and groups within those Windows NT
	  domains.

	  PAM is really easy to misconfigure. Make sure you know what
	  you are doing when modifying PAM configuration files. It is
	  possible to set up PAM such that you can no longer log into
	  your system.

	  If more than one UNIX machine is running winbindd, then in
	  general the user and group ids allocated by winbindd will
	  not be the same. The user and group ids will only be valid
	  for the local machine.

	  If the Windows NT RID to UNIX user and group id mapping
	  file is damaged or destroyed then the mappings will be lost.

     SIGNALS
	  The following signals can be used to manipulate the winbindd
	  daemon.

	  SIGHUP
	       Reload the smb.conf(5) file and apply any parameter
	       changes to the running version of winbindd. This signal
	       also clears any cached user and group information. The
	       list of other domains trusted by winbindd is also
	       reloaded.

	  SIGUSR1
	       The SIGUSR1 signal will cause  winbindd to write status
	       information to the winbind log file including
	       information about the number of user and group ids
	       allocated by winbindd.

	       Log files are stored in the filename specified by the
	       log file parameter.

     FILES
	  /etc/nsswitch.conf(5)
	       Name service switch configuration file.

	  /tmp/.winbindd/pipe
	       The UNIX pipe over which clients communicate with the
	       winbindd program. For security reasons, the winbind
	       client will only attempt to connect to the winbindd
	       daemon if both the /tmp/.winbindd directory and
	       /tmp/.winbindd/pipe file are owned by root.

	  /lib/libnss_winbind.so.X
	       Implementation of name service switch library.

	  $LOCKDIR/winbindd_idmap.tdb
	       Storage for the Windows NT rid to UNIX user/group id
	       mapping. The lock directory is specified when Samba is
	       initially compiled using the --with-lockdir option.
	       This directory is by default /usr/local/samba/var/locks.

	  $LOCKDIR/winbindd_cache.tdb
	       Storage for cached user and group information.
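
The ownership rule stated above for /tmp/.winbindd and /tmp/.winbindd/pipe can be audited from the shell. This is an added example, not the winbind client's own code: the function name winbind_pipe_trusted, its optional UID argument, and the extra symlink and group/other-write checks are assumptions of the example, and the demo uses a scratch directory with a regular file standing in for the pipe.

```shell
#!/bin/sh
# Added example, not Samba code: audit the ownership the winbind client relies on.

# ls_field PATH N: field N of "ls -ldn PATH" (1 = mode string, 3 = numeric owner).
# With -d, ls reports on a symlink itself instead of following it.
ls_field() { ls -ldn -- "$1" 2>/dev/null | awk -v n="$2" '{ print $n }'; }

# winbind_pipe_trusted DIR [UID]
#   DIR - directory holding the pipe (/tmp/.winbindd on this page)
#   UID - required numeric owner; defaults to 0 (root) as the page states.
#         The argument exists so the check can be exercised without root.
# Returns 0 if DIR and DIR/pipe pass; otherwise prints the reason, returns 1.
winbind_pipe_trusted() {
    dir=$1 want=${2:-0}
    for p in "$dir" "$dir/pipe"; do
        # Assumption of this example: a symlink at either path is rejected.
        if [ -L "$p" ]; then echo "$p: is a symlink"; return 1; fi
        if [ ! -e "$p" ]; then echo "$p: missing"; return 1; fi
        uid=$(ls_field "$p" 3)
        if [ "$uid" != "$want" ]; then
            echo "$p: owner uid $uid, want $want"; return 1
        fi
    done
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # Assumption of this example: also flag a directory that group or other
    # can write to (mode string characters 6 and 9).
    case $(ls_field "$dir" 1) in
        ?????w*|????????w*) echo "$dir: writable by group or other"; return 1 ;;
    esac
    return 0
}

# Constructed demo: a scratch directory standing in for /tmp/.winbindd,
# checked against the current uid instead of root.
demo=$(mktemp -d) && : > "$demo/pipe" && chmod 755 "$demo"
winbind_pipe_trusted "$demo" "$(id -u)" && echo "$demo: trusted"
chmod 777 "$demo"
winbind_pipe_trusted "$demo" "$(id -u)" || true
rm -rf "$demo"
```

On a real system call it as winbind_pipe_trusted /tmp/.winbindd, which applies the root-ownership requirement described above.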

     VERSION
	  This man page is correct for version 2.2 of the Samba suite.

     SEE ALSO
	  nsswitch.conf(5), samba(7), wbinfo(1), smb.conf(5)

     AUTHOR
	  The original Samba software and related utilities were
	  created by Andrew Tridgell. Samba is now developed by the
	  Samba Team as an Open Source project similar to the way the
	  Linux kernel is developed.

	  wbinfo and winbindd were written by Tim Potter.

	  The conversion to DocBook for Samba 2.2 was done by Gerald
	  Carter.
