<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="winbindd.8">

<refmeta>
<refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">3.5</refmiscinfo>
</refmeta>


<refnamediv>
<refname>winbindd</refname>
<refpurpose>Name Service Switch daemon for resolving names
from NT servers</refpurpose>
</refnamediv>

<refsynopsisdiv>
<cmdsynopsis>
<command>winbindd</command>
<arg choice="opt">-D</arg>
<arg choice="opt">-F</arg>
<arg choice="opt">-S</arg>
<arg choice="opt">-i</arg>
<arg choice="opt">-Y</arg>
<arg choice="opt">-d &lt;debug level&gt;</arg>
<arg choice="opt">-s &lt;smb config file&gt;</arg>
<arg choice="opt">-n</arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
<title>DESCRIPTION</title>

<para>This program is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>

<para><command>winbindd</command> is a daemon that provides
a number of services to the Name Service Switch capability found
in most modern C libraries, to arbitrary applications via PAM
and <command>ntlm_auth</command>, and to Samba itself.</para>

<para>Even if winbind is not used for nsswitch, it still provides a
service to <command>smbd</command>, <command>ntlm_auth</command>
and the <command>pam_winbind.so</command> PAM module, by managing connections to
domain controllers.  In this configuration the
<smbconfoption name="idmap uid"/> and
<smbconfoption name="idmap gid"/>
parameters are not required. (This is known as 'netlogon proxy only mode'.)</para>

<para>The Name Service Switch allows user
and system information to be obtained from different database
services such as NIS or DNS.  The exact behaviour can be configured
through the <filename>/etc/nsswitch.conf</filename> file.
Users and groups are allocated, as they are resolved, to a range
of user and group ids specified by the administrator of the
Samba system.</para>

<para>The service provided by <command>winbindd</command> is called 'winbind' and
can be used to resolve user and group information from a
Windows NT server. The service can also provide authentication
services via an associated PAM module.</para>

<para>
The <filename>pam_winbind</filename> module supports the
<parameter>auth</parameter>, <parameter>account</parameter>
and <parameter>password</parameter>
module-types.  It should be noted that the
<parameter>account</parameter> module simply performs a getpwnam() to verify that
the system can obtain a uid for the user, as the domain
controller has already performed access control.  If the
<filename>libnss_winbind</filename> library has been correctly
installed, or an alternate source of names configured, this should always succeed.
</para>

<para>The following nsswitch databases are implemented by
the winbindd service:</para>

<variablelist>
<varlistentry>
<term>hosts</term>
<listitem><para>This feature is only available on IRIX.
Host information traditionally stored in
the <filename>hosts(5)</filename> file and used by
<command>gethostbyname(3)</command> functions. Names are
resolved through the WINS server or by broadcast.
</para></listitem>
</varlistentry>

<varlistentry>
<term>passwd</term>
<listitem><para>User information traditionally stored in
the <filename>passwd(5)</filename> file and used by
<command>getpwent(3)</command> functions.</para></listitem>
</varlistentry>

<varlistentry>
<term>group</term>
<listitem><para>Group information traditionally stored in
the <filename>group(5)</filename> file and used by
<command>getgrent(3)</command> functions.</para></listitem>
</varlistentry>
</variablelist>

<para>For example, the following simple configuration in the
<filename>/etc/nsswitch.conf</filename> file can be used to initially
resolve user and group information from <filename>/etc/passwd</filename>
and <filename>/etc/group</filename> and then from the
Windows NT server.
</para>

<programlisting>
passwd:         files winbind
group:          files winbind
## only available on IRIX: use winbind to resolve hosts:
# hosts:        files dns winbind
## All other NSS enabled systems should use libnss_wins.so like this:
hosts:          files dns wins
</programlisting>

<para>The following simple configuration in the
<filename>/etc/nsswitch.conf</filename> file can be used to initially
resolve hostnames from <filename>/etc/hosts</filename> and then from the
WINS server.</para>
<programlisting>
hosts:          files wins
</programlisting>

</refsect1>


<refsect1>
<title>OPTIONS</title>

<variablelist>
<varlistentry>
<term>-D</term>
<listitem><para>If specified, this parameter causes
the server to operate as a daemon. That is, it detaches
itself and runs in the background on the appropriate port.
This switch is assumed if <command>winbindd</command> is
executed on the command line of a shell.
</para></listitem>
</varlistentry>

<varlistentry>
<term>-F</term>
<listitem><para>If specified, this parameter causes
the main <command>winbindd</command> process to not daemonize,
i.e. double-fork and disassociate from the terminal.
Child processes are still created as normal to service
each connection request, but the main process does not
exit. This operation mode is suitable for running
<command>winbindd</command> under process supervisors such
as <command>supervise</command> and <command>svscan</command>
from Daniel J. Bernstein's <command>daemontools</command>
package, or the AIX process monitor.
</para></listitem>
</varlistentry>

<varlistentry>
<term>-S</term>
<listitem><para>If specified, this parameter causes
<command>winbindd</command> to log to standard output rather
than a file.</para></listitem>
</varlistentry>

&stdarg.server.debug;
&popt.common.samba;
&stdarg.help;

<varlistentry>
<term>-i</term>
<listitem><para>Tells <command>winbindd</command> to not
become a daemon and detach from the current terminal. This
option is used by developers when interactive debugging
of <command>winbindd</command> is required.
<command>winbindd</command> also logs to standard output,
as if the <command>-S</command> parameter had been given.
</para></listitem>
</varlistentry>

<varlistentry>
<term>-n</term>
<listitem><para>Disable caching. This means winbindd will
always have to wait for a response from the domain controller
before it can respond to a client, which makes things
slower. The results will however be more accurate, since
results from the cache might not be up-to-date. This
might also temporarily hang winbindd if the DC doesn't respond.
</para></listitem>
</varlistentry>

<varlistentry>
<term>-Y</term>
<listitem><para>Single daemon mode. This means winbindd will run
as a single process (the mode of operation in Samba 2.2).  Winbindd's
default behavior is to launch a child process that is responsible for
updating expired cache entries.
</para></listitem>
</varlistentry>

</variablelist>
</refsect1>


<refsect1>
<title>NAME AND ID RESOLUTION</title>

<para>Users and groups on a Windows NT server are assigned
a security id (SID) which is globally unique when the
user or group is created.  To convert the Windows NT user or group
into a unix user or group, a mapping between SIDs and unix user
and group ids is required.  This is one of the jobs that
<command>winbindd</command> performs.</para>

<para>As winbindd users and groups are resolved from a server, user
and group ids are allocated from a specified range.  This
is done on a first come, first served basis, although all existing
users and groups will be mapped as soon as a client performs a user
or group enumeration command.  The allocated unix ids are stored
in a database and will be remembered.</para>

<para>WARNING: The SID to unix id database is the only location
where the user and group mappings are stored by winbindd.  If this
store is deleted or corrupted, there is no way for winbindd to
determine which user and group ids correspond to Windows NT user
and group rids.</para>

</refsect1>


<refsect1>
<title>CONFIGURATION</title>

<para>Configuration of the <command>winbindd</command> daemon
is done through configuration parameters in the <citerefentry>
<refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> file.  All parameters should be specified in the
[global] section of smb.conf.</para>

<itemizedlist>
<listitem><para>
<smbconfoption name="winbind separator"/></para></listitem>
<listitem><para>
<smbconfoption name="idmap uid"/></para></listitem>
<listitem><para>
<smbconfoption name="idmap gid"/></para></listitem>
<listitem><para>
<smbconfoption name="idmap backend"/></para></listitem>
<listitem><para>
<smbconfoption name="winbind cache time"/></para></listitem>
<listitem><para>
<smbconfoption name="winbind enum users"/></para></listitem>
<listitem><para>
<smbconfoption name="winbind enum groups"/></para></listitem>
<listitem><para>
<smbconfoption name="template homedir"/></para></listitem>
<listitem><para>
<smbconfoption name="template shell"/></para></listitem>
<listitem><para>
<smbconfoption name="winbind use default domain"/></para></listitem>
<listitem><para>
<smbconfoption name="winbind: rpc only"/>
Setting this parameter forces winbindd to use RPC
instead of LDAP to retrieve information from Domain
Controllers.
</para></listitem>
</itemizedlist>
</refsect1>


<refsect1>
<title>EXAMPLE SETUP</title>

<para>
To set up winbindd for user and group lookups plus
authentication from a domain controller, use something like the
following setup. This was tested on an early Red Hat Linux box.
</para>

<para>In <filename>/etc/nsswitch.conf</filename> put the
following:
<programlisting>
passwd: files winbind
group:  files winbind
</programlisting>
</para>

<para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
auth</parameter> lines with something like this:
<programlisting>
auth  required    /lib/security/pam_securetty.so
auth  required    /lib/security/pam_nologin.so
auth  sufficient  /lib/security/pam_winbind.so
auth  required    /lib/security/pam_unix.so \
use_first_pass shadow nullok
</programlisting>
</para>

<note><para>
The PAM module pam_unix has recently replaced the module pam_pwdb.
Some Linux systems use the module pam_unix2 in place of pam_unix.
</para></note>

<para>Note in particular the use of the <parameter>sufficient
</parameter> keyword and the <parameter>use_first_pass</parameter> keyword.</para>

<para>Now replace the account lines with this:
<programlisting>
account    required      /lib/security/pam_winbind.so
</programlisting>
</para>

<para>The next step is to join the domain. To do that use the
<command>net</command> program like this:</para>

<para><command>net join -S PDC -U Administrator</command></para>

<para>The username after the <parameter>-U</parameter> can be any
Domain user that has administrator privileges on the machine.
Substitute the name or IP of your PDC for "PDC".</para>

<para>Next copy <filename>libnss_winbind.so</filename> to
<filename>/lib</filename> and <filename>pam_winbind.so
</filename> to <filename>/lib/security</filename>.  A symbolic link needs to be
made from <filename>/lib/libnss_winbind.so</filename> to
<filename>/lib/libnss_winbind.so.2</filename>.  If you are using an
older version of glibc then the target of the link should be
<filename>/lib/libnss_winbind.so.1</filename>.</para>

<para>Finally, set up a <citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> containing directives like the
following:
<programlisting>
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
</programlisting></para>


<para>Now start winbindd and you should find that your user and
group database is expanded to include your NT users and groups,
and that you can log in to your unix box as a domain user, using
the DOMAIN+user syntax for the username. You may wish to use the
commands <command>getent passwd</command> and <command>getent group</command>
to confirm the correct operation of winbindd.</para>
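<para>Added example, not code from the Samba project or this man page: a small
simulation of what the smb.conf directives above make winbindd do, tying
together the [global] settings in EXAMPLE SETUP and the first-come,
first-served allocation described under NAME AND ID RESOLUTION. The SIDs and
the user names are constructed samples; the parser only handles the simple
"key = value" lines shown on this page.</para>

```python
import re

# Constructed smb.conf [global] fragment, copied from the man page example.
SMB_CONF = """
[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = DOMAIN
security = domain
password server = *
"""


def parse_global(text):
    """Return the key/value pairs of the [global] section as a dict."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            conf[" ".join(key.split()).lower()] = value.strip()
    return conf


def parse_range(spec):
    """'10000-20000' -> (10000, 20000); reject malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % spec)
    return int(m.group(1)), int(m.group(2))


class IdMap:
    """First-come, first-served SID -> unix id allocation from a fixed range,
    remembered for the object's lifetime (the job winbindd_idmap.tdb does on disk)."""

    def __init__(self, low, high):
        self.high = high
        self.next_id = low
        self.by_sid = {}

    def lookup_or_allocate(self, sid):
        if sid in self.by_sid:           # already mapped: same id every time
            return self.by_sid[sid]
        if self.next_id > self.high:     # range exhausted: refuse, never wrap
            raise RuntimeError("idmap range exhausted while mapping %s" % sid)
        self.by_sid[sid] = self.next_id
        self.next_id += 1
        return self.by_sid[sid]


def unix_account(conf, uidmap, qualified_name, user_sid):
    """Split DOMAIN<sep>user on the configured separator and expand the
    homedir/shell templates, as a winbind passwd entry would."""
    sep = conf.get("winbind separator", "\\")   # Samba's default is a backslash
    domain, found, user = qualified_name.partition(sep)
    if not found or not domain or not user:
        raise ValueError("expected DOMAIN%suser, got %r" % (sep, qualified_name))
    homedir = conf["template homedir"].replace("%D", domain).replace("%U", user)
    return {"name": qualified_name, "uid": uidmap.lookup_or_allocate(user_sid),
            "dir": homedir, "shell": conf["template shell"]}


def demo():
    """Map two constructed users, then look the first one up again."""
    conf = parse_global(SMB_CONF)
    uidmap = IdMap(*parse_range(conf["idmap uid"]))
    sids = {"DOMAIN+alice": "S-1-5-21-1-2-3-1104", "DOMAIN+bob": "S-1-5-21-1-2-3-1105"}
    return [unix_account(conf, uidmap, n, sids[n])
            for n in ("DOMAIN+alice", "DOMAIN+bob", "DOMAIN+alice")]
```

The second lookup of the same SID returns the id allocated the first time, which is exactly the state that is lost when the idmap database is deleted.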
</refsect1>


<refsect1>
<title>NOTES</title>

<para>The following notes are useful when configuring and
running <command>winbindd</command>:</para>

<para><citerefentry><refentrytitle>nmbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> must be running on the local machine
for <command>winbindd</command> to work.</para>

<para>PAM is really easy to misconfigure.  Make sure you know what
you are doing when modifying PAM configuration files.  It is possible
to set up PAM such that you can no longer log into your system.</para>

<para>If more than one UNIX machine is running <command>winbindd</command>,
then in general the user and group ids allocated by winbindd will not
be the same.  The user and group ids will only be valid for the local
machine, unless a shared <smbconfoption name="idmap backend"/> is configured.</para>

<para>If the Windows NT SID to UNIX user and group id mapping
file is damaged or destroyed then the mappings will be lost.</para>
</refsect1>


<refsect1>
<title>SIGNALS</title>

<para>The following signals can be used to manipulate the
<command>winbindd</command> daemon.</para>

<variablelist>
<varlistentry>
<term>SIGHUP</term>
<listitem><para>Reload the <citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file and
apply any parameter changes to the running
version of winbindd.  This signal also clears any cached
user and group information.  The list of other domains trusted
by winbindd is also reloaded.</para></listitem>
</varlistentry>

<varlistentry>
<term>SIGUSR2</term>
<listitem><para>The SIGUSR2 signal will cause
<command>winbindd</command> to write status information to the winbind
log file.</para>

<para>Log files are stored in the filename specified by the
log file parameter.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1>
<title>FILES</title>

<variablelist>
<varlistentry>
<term><filename>/etc/nsswitch.conf(5)</filename></term>
<listitem><para>Name service switch configuration file.</para>
</listitem>
</varlistentry>

<varlistentry>
<term>/tmp/.winbindd/pipe</term>
<listitem><para>The UNIX pipe over which clients communicate with
the <command>winbindd</command> program.  For security reasons, the
winbind client will only attempt to connect to the winbindd daemon
if both the <filename>/tmp/.winbindd</filename> directory
and <filename>/tmp/.winbindd/pipe</filename> file are owned by
root.</para></listitem>
</varlistentry>

<varlistentry>
<term>$LOCKDIR/winbindd_privileged/pipe</term>
<listitem><para>The UNIX pipe over which 'privileged' clients
communicate with the <command>winbindd</command> program.  For security
reasons, access to some winbindd functions, like those needed by
the <command>ntlm_auth</command> utility, is restricted.  By default,
only users in the 'root' group will get this access; however, the administrator
may change the group permissions on $LOCKDIR/winbindd_privileged to allow
programs like 'squid' to use ntlm_auth.
Note that the winbind client will only attempt to connect to the winbindd daemon
if both the <filename>$LOCKDIR/winbindd_privileged</filename> directory
and <filename>$LOCKDIR/winbindd_privileged/pipe</filename> file are owned by
root.</para></listitem>
</varlistentry>

<varlistentry>
<term>/lib/libnss_winbind.so.X</term>
<listitem><para>Implementation of name service switch library.
</para></listitem>
</varlistentry>

<varlistentry>
<term>$LOCKDIR/winbindd_idmap.tdb</term>
<listitem><para>Storage for the Windows NT rid to UNIX user/group
id mapping.  The lock directory is specified when Samba is initially
compiled using the <parameter>--with-lockdir</parameter> option.
This directory is by default <filename>/usr/local/samba/var/locks
</filename>.</para></listitem>
</varlistentry>

<varlistentry>
<term>$LOCKDIR/winbindd_cache.tdb</term>
<listitem><para>Storage for cached user and group information.
</para></listitem>
</varlistentry>
</variablelist>
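<para>Added example, not the Samba client's own code: the ownership test the two
pipe entries above describe (directory and pipe file both owned by root), written
as a stand-alone audit helper. The trusted uid and the paths are parameters so it
can be exercised without root on a scratch directory; refusing a symlink in place
of either path is an extra check beyond what the page states.</para>

```python
import os
import stat
import tempfile

# Paths named on this man page; $LOCKDIR varies per build, so it is not filled in.
DEFAULT_PIPE_DIR = "/tmp/.winbindd"
DEFAULT_PIPE = "/tmp/.winbindd/pipe"


def pipe_is_trusted(pipe_dir, pipe_path, trusted_uid=0):
    """Return (ok, reason).  Both the directory and the pipe file must be owned
    by trusted_uid (root on a real host).  lstat() is used so that a symlink
    planted at either path is rejected rather than followed (added check)."""
    try:
        dir_st = os.lstat(pipe_dir)
        pipe_st = os.lstat(pipe_path)
    except OSError as exc:
        return False, "cannot stat: %s" % exc
    if stat.S_ISLNK(dir_st.st_mode) or stat.S_ISLNK(pipe_st.st_mode):
        return False, "symlink in place of pipe directory or pipe"
    if not stat.S_ISDIR(dir_st.st_mode):
        return False, "%s is not a directory" % pipe_dir
    if dir_st.st_uid != trusted_uid:
        return False, "%s owned by uid %d, expected %d" % (pipe_dir, dir_st.st_uid, trusted_uid)
    if pipe_st.st_uid != trusted_uid:
        return False, "%s owned by uid %d, expected %d" % (pipe_path, pipe_st.st_uid, trusted_uid)
    return True, "ok"


def check_default_pipe():
    """The check as a client would apply it on a real host: root-owned paths."""
    return pipe_is_trusted(DEFAULT_PIPE_DIR, DEFAULT_PIPE, trusted_uid=0)


def selfcheck():
    """Exercise the check on a constructed scratch tree owned by the current
    user, standing in for /tmp/.winbindd.  Returns the verdict per scenario."""
    base = tempfile.mkdtemp()
    pipe_dir = os.path.join(base, ".winbindd")
    pipe = os.path.join(pipe_dir, "pipe")
    os.mkdir(pipe_dir, 0o755)
    open(pipe, "w").close()          # regular file is enough for an ownership test
    me = os.getuid()
    link = os.path.join(base, "planted-link")
    os.symlink(pipe_dir, link)       # an attacker-style substitution of the directory
    return {
        "owner_ok": pipe_is_trusted(pipe_dir, pipe, trusted_uid=me)[0],
        "owner_wrong": pipe_is_trusted(pipe_dir, pipe, trusted_uid=me + 1)[0],
        "missing": pipe_is_trusted(pipe_dir, pipe + ".missing", trusted_uid=me)[0],
        "symlink": pipe_is_trusted(link, os.path.join(link, "pipe"), trusted_uid=me)[0],
    }
```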
</refsect1>


<refsect1>
<title>VERSION</title>

<para>This man page is correct for version 3 of
the Samba suite.</para>
</refsect1>

<refsect1>
<title>SEE ALSO</title>

<para><filename>nsswitch.conf(5)</filename>, <citerefentry>
<refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>wbinfo</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>ntlm_auth</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>pam_winbind</refentrytitle>
<manvolnum>8</manvolnum></citerefentry></para>
</refsect1>

<refsect1>
<title>AUTHOR</title>

<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>

<para><command>wbinfo</command> and <command>winbindd</command> were
written by Tim Potter.</para>

<para>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter. The conversion to DocBook XML 4.2 for
Samba 3.0 was done by Alexander Bokovoy.</para>
</refsect1>

</refentry>