source: trunk-3.0/docs/htmldocs/manpages/winbindd.8.html@ 102

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>winbindd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="winbindd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>winbindd &#8212; Name Service Switch daemon for resolving names 
        from NT servers</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">winbindd</code> [-F] [-S] [-i] [-Y] [-d &lt;debug level&gt;] [-s &lt;smb config file&gt;] [-n]</p></div></div><div class="refsect1" lang="en"><a name="id259558"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">winbindd</code> is a daemon that provides 
        a number of services to the Name Service Switch capability found
        in most modern C libraries, to arbitary applications via PAM
        and <code class="literal">ntlm_auth</code> and to Samba itself.</p><p>Even if winbind is not used for nsswitch, it still provides a
        service to <code class="literal">smbd</code>, <code class="literal">ntlm_auth</code>
        and the <code class="literal">pam_winbind.so</code> PAM module, by managing connections to
        domain controllers.  In this configuraiton the
        <a class="indexterm" name="id259361"></a>idmap uid and
        <a class="indexterm" name="id259368"></a>idmap gid
        parameters are not required. (This is known as `netlogon proxy only mode'.)</p><p> The Name Service Switch allows user 
        and system information to be obtained from different databases 
        services such as NIS or DNS.  The exact behaviour can be configured 
        throught the <code class="filename">/etc/nsswitch.conf</code> file.  
        Users and groups are allocated as they are resolved to a range 
        of user and group ids specified by the administrator of the 
        Samba system.</p><p>The service provided by <code class="literal">winbindd</code> is called `winbind' and 
        can be used to resolve user and group information from a 
        Windows NT server. The service can also provide authentication
        services via an associated PAM module. </p><p>
        The <code class="filename">pam_winbind</code> module supports the
        <em class="parameter"><code>auth</code></em>, <em class="parameter"><code>account</code></em>
        and <em class="parameter"><code>password</code></em>
        module-types.  It should be noted that the 
        <em class="parameter"><code>account</code></em> module simply performs a getpwnam() to verify that
        the system can obtain a uid for the user, as the domain
        controller has already performed access control.  If the
        <code class="filename">libnss_winbind</code> library has been correctly
        installed, or an alternate source of names configured, this should always succeed.
        </p><p>The following nsswitch databases are implemented by 
        the winbindd service: </p><div class="variablelist"><dl><dt><span class="term">hosts</span></dt><dd><p>This feature is only available on IRIX.
                User information traditionally stored in 
                the <code class="filename">hosts(5)</code> file and used by 
                <code class="literal">gethostbyname(3)</code> functions. Names are
                resolved through the WINS server or by broadcast.
                </p></dd><dt><span class="term">passwd</span></dt><dd><p>User information traditionally stored in 
                the <code class="filename">passwd(5)</code> file and used by 
                <code class="literal">getpwent(3)</code> functions. </p></dd><dt><span class="term">group</span></dt><dd><p>Group information traditionally stored in 
                the <code class="filename">group(5)</code> file and used by             
                <code class="literal">getgrent(3)</code> functions. </p></dd></dl></div><p>For example, the following simple configuration in the
        <code class="filename">/etc/nsswitch.conf</code> file can be used to initially 
        resolve user and group information from <code class="filename">/etc/passwd
        </code> and <code class="filename">/etc/group</code> and then from the 
        Windows NT server.
</p><pre class="programlisting">
passwd:         files winbind
group:          files winbind
## only available on IRIX; Linux users should us libnss_wins.so
hosts:          files dns winbind
</pre><p>The following simple configuration in the
        <code class="filename">/etc/nsswitch.conf</code> file can be used to initially
        resolve hostnames from <code class="filename">/etc/hosts</code> and then from the
        WINS server.</p><pre class="programlisting">
hosts:          files wins
</pre></div><div class="refsect1" lang="en"><a name="id260125"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes
                the main <code class="literal">winbindd</code> process to not daemonize,
                i.e. double-fork and disassociate with the terminal.
                Child processes are still created as normal to service
                each connection request, but the main process does not
                exit. This operation mode is suitable for running
                <code class="literal">winbindd</code> under process supervisors such
                as <code class="literal">supervise</code> and <code class="literal">svscan</code>
                from Daniel J. Bernstein's <code class="literal">daemontools</code>
                package, or the AIX process monitor.
                </p></dd><dt><span class="term">-S</span></dt><dd><p>If specified, this parameter causes
                <code class="literal">winbindd</code> to log to standard output rather
                than a file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number.
</p></dd><dt><span class="term">-s &lt;configuration file&gt;</span></dt><dd><p>The file specified contains the 
configuration details required by the server.  The 
information in this file includes server-specific
information such as what printcap file to use, as well 
as descriptions of all the services that the server is 
to provide. See <code class="filename">smb.conf</code> for more information.
The default configuration file name is determined at 
compile time.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer 
from 0 to 10.  The default value if this parameter is 
not specified is zero.</p><p>The higher this value, the more detail will be 
logged to the log files about the activities of the 
server. At level 0, only critical errors and serious 
warnings will be logged. Level 1 is a reasonable level for
day-to-day running - it generates a small amount of 
information about operations carried out.</p><p>Levels above 1 will generate considerable 
amounts of log data, and should only be used when 
investigating a problem. Levels above 3 are designed for 
use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will 
override the <a class="indexterm" name="id300475"></a> parameter
in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-l|--logfile=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension
<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, 
log.smbd, etc...). The log file is never removed by the client.
</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options.
</p></dd><dt><span class="term">-i</span></dt><dd><p>Tells <code class="literal">winbindd</code> to not 
                become a daemon and detach from the current terminal. This 
                option is used by developers when interactive debugging 
                of <code class="literal">winbindd</code> is required.
                <code class="literal">winbindd</code> also logs to standard output,
                as if the <code class="literal">-S</code> parameter had been given.
                </p></dd><dt><span class="term">-n</span></dt><dd><p>Disable caching. This means winbindd will 
                always have to wait for a response from the domain controller 
                before it can respond to a client and this thus makes things 
                slower. The results will however be more accurate, since 
                results from the cache might not be up-to-date. This 
                might also temporarily hang winbindd if the DC doesn't respond.
                </p></dd><dt><span class="term">-Y</span></dt><dd><p>Single daemon mode. This means winbindd will run 
                as a single process (the mode of operation in Samba 2.2).  Winbindd's 
                default behavior is to launch a child process that is responsible for 
                updating expired cache entries.
                </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300582"></a><h2>NAME AND ID RESOLUTION</h2><p>Users and groups on a Windows NT server are assigned 
        a security id (SID) which is globally unique when the 
        user or group is created.  To convert the Windows NT user or group 
        into a unix user or group, a mapping between SIDs and unix user 
        and group ids is required.  This is one of the jobs that <code class="literal">
        winbindd</code> performs. </p><p>As winbindd users and groups are resolved from a server, user 
        and group ids are allocated from a specified range.  This
        is done on a first come, first served basis, although all existing 
        users and groups will be mapped as soon as a client performs a user 
        or group enumeration command.  The allocated unix ids are stored 
        in a database and will be remembered. </p><p>WARNING: The SID to unix id database is the only location 
        where the user and group mappings are stored by winbindd.  If this 
        store is deleted or corrupted, there is no way for winbindd to 
        determine which user and group ids correspond to Windows NT user 
        and group rids. </p><p>See the <a class="indexterm" name="id300614"></a> or the old <a class="indexterm" name="id300619"></a> parameters in
        <code class="filename">smb.conf</code> for options for sharing this
        database, such as via LDAP.</p></div><div class="refsect1" lang="en"><a name="id300634"></a><h2>CONFIGURATION</h2><p>Configuration of the <code class="literal">winbindd</code> daemon 
        is done through configuration parameters in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file.  All parameters should be specified in the 
        [global] section of smb.conf. </p><div class="itemizedlist"><ul type="disc"><li><p>
                <a class="indexterm" name="id300664"></a>winbind separator</p></li><li><p>
                <a class="indexterm" name="id300675"></a>idmap uid</p></li><li><p>
                <a class="indexterm" name="id300687"></a>idmap gid</p></li><li><p>
                <a class="indexterm" name="id300698"></a>idmap backend</p></li><li><p>
                <a class="indexterm" name="id300709"></a>winbind cache time</p></li><li><p>
                <a class="indexterm" name="id300721"></a>winbind enum users</p></li><li><p>
                <a class="indexterm" name="id300732"></a>winbind enum groups</p></li><li><p>
                <a class="indexterm" name="id300743"></a>template homedir</p></li><li><p>
                <a class="indexterm" name="id300755"></a>template shell</p></li><li><p>
                <a class="indexterm" name="id300766"></a>winbind use default domain</p></li><li><p>
                <a class="indexterm" name="id300778"></a>winbind: rpc only
                Setting this parameter forces winbindd to use RPC
                instead of LDAP to retrieve information from Domain
                Controllers.
                </p></li></ul></div></div><div class="refsect1" lang="en"><a name="id300789"></a><h2>EXAMPLE SETUP</h2><p>
        To setup winbindd for user and group lookups plus 
        authentication from a domain controller use something like the 
        following setup. This was tested on an early Red Hat Linux box.
        </p><p>In <code class="filename">/etc/nsswitch.conf</code> put the 
        following:
</p><pre class="programlisting">
passwd: files winbind
group:  files winbind
</pre><p>
        </p><p>In <code class="filename">/etc/pam.d/*</code> replace the <em class="parameter"><code>
        auth</code></em> lines with something like this:
</p><pre class="programlisting">
auth  required    /lib/security/pam_securetty.so
auth  required    /lib/security/pam_nologin.so
auth  sufficient  /lib/security/pam_winbind.so
auth  required    /lib/security/pam_unix.so \
                  use_first_pass shadow nullok
</pre><p>
        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
        The PAM module pam_unix has recently replaced the module pam_pwdb.
        Some Linux systems use the module pam_unix2 in place of pam_unix.
        </p></div><p>Note in particular the use of the <em class="parameter"><code>sufficient
        </code></em> keyword and the <em class="parameter"><code>use_first_pass</code></em> keyword. </p><p>Now replace the account lines with this: </p><p><code class="literal">account    required   /lib/security/pam_winbind.so
        </code></p><p>The next step is to join the domain. To do that use the 
        <code class="literal">net</code> program like this:  </p><p><code class="literal">net join -S PDC -U Administrator</code></p><p>The username after the <em class="parameter"><code>-U</code></em> can be any
        Domain user that has administrator privileges on the machine.
        Substitute the name or IP of your PDC for "PDC".</p><p>Next copy <code class="filename">libnss_winbind.so</code> to 
        <code class="filename">/lib</code> and <code class="filename">pam_winbind.so
        </code> to <code class="filename">/lib/security</code>.  A symbolic link needs to be
        made from <code class="filename">/lib/libnss_winbind.so</code> to
        <code class="filename">/lib/libnss_winbind.so.2</code>.  If you are using an
        older version of glibc then the target of the link should be
        <code class="filename">/lib/libnss_winbind.so.1</code>.</p><p>Finally, setup a <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> containing directives like the 
        following:
</p><pre class="programlisting">
[global]
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        workgroup = DOMAIN
        security = domain
        password server = *
</pre><p>Now start winbindd and you should find that your user and 
        group database is expanded to include your NT users and groups, 
        and that you can login to your unix box as a domain user, using 
        the DOMAIN+user syntax for the username. You may wish to use the 
        commands <code class="literal">getent passwd</code> and <code class="literal">getent group
        </code> to confirm the correct operation of winbindd.</p></div><div class="refsect1" lang="en"><a name="id300980"></a><h2>NOTES</h2><p>The following notes are useful when configuring and 
        running <code class="literal">winbindd</code>: </p><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> must be running on the local machine 
        for <code class="literal">winbindd</code> to work. </p><p>PAM is really easy to misconfigure.  Make sure you know what 
        you are doing when modifying PAM configuration files.  It is possible 
        to set up PAM such that you can no longer log into your system. </p><p>If more than one UNIX machine is running <code class="literal">winbindd</code>, 
        then in general the user and groups ids allocated by winbindd will not 
        be the same.  The user and group ids will only be valid for the local 
        machine, unless a shared <a class="indexterm" name="id301027"></a> is configured.</p><p>If the the Windows NT SID to UNIX user and group id mapping 
        file is damaged or destroyed then the mappings will be lost. </p></div><div class="refsect1" lang="en"><a name="id301040"></a><h2>SIGNALS</h2><p>The following signals can be used to manipulate the 
        <code class="literal">winbindd</code> daemon. </p><div class="variablelist"><dl><dt><span class="term">SIGHUP</span></dt><dd><p>Reload the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and 
                apply any parameter changes to the running 
                version of winbindd.  This signal also clears any cached 
                user and group information.  The list of other domains trusted 
                by winbindd is also reloaded.  </p></dd><dt><span class="term">SIGUSR2</span></dt><dd><p>The SIGUSR2 signal will cause <code class="literal">
                winbindd</code> to write status information to the winbind 
                log file.</p><p>Log files are stored in the filename specified by the 
                log file parameter.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id301102"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/nsswitch.conf(5)</code></span></dt><dd><p>Name service switch configuration file.</p></dd><dt><span class="term">/tmp/.winbindd/pipe</span></dt><dd><p>The UNIX pipe over which clients communicate with 
                the <code class="literal">winbindd</code> program.  For security reasons, the 
                winbind client will only attempt to connect to the winbindd daemon 
                if both the <code class="filename">/tmp/.winbindd</code> directory
                and <code class="filename">/tmp/.winbindd/pipe</code> file are owned by 
                root. </p></dd><dt><span class="term">$LOCKDIR/winbindd_privileged/pipe</span></dt><dd><p>The UNIX pipe over which 'privileged' clients 
                communicate with the <code class="literal">winbindd</code> program.  For security 
                reasons, access to some winbindd functions - like those needed by 
                the <code class="literal">ntlm_auth</code> utility - is restricted.  By default,
                only users in the 'root' group will get this access, however the administrator
                may change the group permissions on $LOCKDIR/winbindd_privileged to allow
                programs like 'squid' to use ntlm_auth.
                Note that the winbind client will only attempt to connect to the winbindd daemon 
                if both the <code class="filename">$LOCKDIR/winbindd_privileged</code> directory
                and <code class="filename">$LOCKDIR/winbindd_privileged/pipe</code> file are owned by 
                root. </p></dd><dt><span class="term">/lib/libnss_winbind.so.X</span></dt><dd><p>Implementation of name service switch library.
                </p></dd><dt><span class="term">$LOCKDIR/winbindd_idmap.tdb</span></dt><dd><p>Storage for the Windows NT rid to UNIX user/group 
                id mapping.  The lock directory is specified when Samba is initially 
                compiled using the <em class="parameter"><code>--with-lockdir</code></em> option.
                This directory is by default <code class="filename">/usr/local/samba/var/locks
                </code>. </p></dd><dt><span class="term">$LOCKDIR/winbindd_cache.tdb</span></dt><dd><p>Storage for cached user and group information.
                </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id301246"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of
        the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id301257"></a><h2>SEE ALSO</h2><p><code class="filename">nsswitch.conf(5)</code>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a href="ntlm_auth.8.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="pam_winbind.8.html"><span class="citerefentry"><span class="refentrytitle">pam_winbind</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id301314"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities 
        were created by Andrew Tridgell. Samba is now developed
        by the Samba Team as an Open Source project similar 
        to the way the Linux kernel is developed.</p><p><code class="literal">wbinfo</code> and <code class="literal">winbindd</code> were 
        written by Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done 
        by Gerald Carter. The conversion to DocBook XML 4.2 for
        Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html>