Timestamp:
Sep 24, 2009, 9:15:13 AM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.2 to 3.2.14 (final)

File:
1 edited

  • branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/winbind.html

    r272 r335  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="VFS.html" title="Chapter 23. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 24. 
Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="orgname">Samba Team</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="orgname">Samba Team</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span> <div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="orgname">SNAP</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" 
href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 15, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="winbind.html#id2653117">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2653461">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2653550">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2653704">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2653749">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2653875">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2653925">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654018">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654066">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654298">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654453">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654529">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2654586">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2654592">Introduction</a></span></dt><dt><span 
class="sect2"><a href="winbind.html#id2654706">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654858">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2657317">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2657366">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2657408">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2657444">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2653117"></a>Features and Benefits</h2></div></div></div><p>
    2 <a class="indexterm" name="id2653125"></a>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="VFS.html" title="Chapter 23. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 24. 
Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="orgname">Samba Team</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="orgname">Samba Team</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span> <div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="orgname">SNAP</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" 
href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 15, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="winbind.html#id2653118">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2653461">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2653551">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2653704">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2653749">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2653875">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2653925">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654018">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654066">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654298">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654453">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654529">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2654586">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2654592">Introduction</a></span></dt><dt><span 
class="sect2"><a href="winbind.html#id2654706">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2654858">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id2657317">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id2657366">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id2657408">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id2657444">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2653118"></a>Features and Benefits</h2></div></div></div><p>
     2<a class="indexterm" name="id2653126"></a>
    33<a class="indexterm" name="id2653132"></a>
    44        Integration of UNIX and Microsoft Windows NT through a unified logon has
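Review bot: The only differences in new lines 1 and 2 are auto-generated anchors (`id2653117` becomes `id2653118`, `id2653550` becomes `id2653551`, `id2653125` becomes `id2653126`), so this hunk records DocBook XSL generator churn rather than a documentation change, and the old anchor `winbind.html#id2653117` no longer exists for anything that linked to it. Consider giving these sections explicit ids in the DocBook source, as the stable `winbind` and `winbindcfg` anchors already have, or keeping the generated htmldocs out of version control so rebuilds do not produce diffs like this one.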
     
    1515        domain user and group ownerships with integrity.
    1616        </p><p>
    17 <a class="indexterm" name="id2653184"></a>
     17<a class="indexterm" name="id2653185"></a>
    1818<a class="indexterm" name="id2653194"></a>
    1919<a class="indexterm" name="id2653201"></a>
     
    3434                NT4 (including a Samba domain) or an Active Directory domain.
    3535                </p></li><li><p>
    36 <a class="indexterm" name="id2653256"></a>
    37 <a class="indexterm" name="id2653263"></a>
     36<a class="indexterm" name="id2653257"></a>
     37<a class="indexterm" name="id2653264"></a>
    3838                Identity resolution (via NSS). This is the default when winbind is not used.
    3939                </p></li><li><p>
     
    5353                from the LDAP database.
    5454                </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    55         <a class="indexterm" name="id2653345"></a>
     55        <a class="indexterm" name="id2653346"></a>
    5656        <a class="indexterm" name="id2653352"></a>
    5757<a class="indexterm" name="id2653362"></a>
     
    9090        groups on either system. The Winbind system provides a simple
    9191        and elegant solution to all three components of the unified logon
    92         problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2653550"></a>What Winbind Provides</h2></div></div></div><p>
    93 <a class="indexterm" name="id2653558"></a>
     92        problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2653551"></a>What Winbind Provides</h2></div></div></div><p>
     93<a class="indexterm" name="id2653559"></a>
    9494<a class="indexterm" name="id2653566"></a>
    9595<a class="indexterm" name="id2653572"></a>
     
    101101        to be used in much the same manner that NIS+ is used within
    102102        UNIX-only environments.</p><p>
    103 <a class="indexterm" name="id2653598"></a>
    104 <a class="indexterm" name="id2653605"></a>
     103<a class="indexterm" name="id2653599"></a>
     104<a class="indexterm" name="id2653606"></a>
    105105<a class="indexterm" name="id2653612"></a>
    106106<a class="indexterm" name="id2653619"></a>
     
    132132        passwords between systems, since all passwords are stored in a single
    133133        location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2653704"></a>Target Uses</h3></div></div></div><p>
    134 <a class="indexterm" name="id2653711"></a>
     134<a class="indexterm" name="id2653712"></a>
    135135                Winbind is targeted at organizations that have an
    136136                existing NT-based domain infrastructure into which they wish
     
    140140                simplifies the administrative overhead of deploying UNIX
    141141                workstations into an NT-based organization.</p><p>
    142 <a class="indexterm" name="id2653728"></a>
     142<a class="indexterm" name="id2653729"></a>
    143143<a class="indexterm" name="id2653735"></a>
    144144                Another interesting way in which we expect Winbind to
     
    164164<a class="indexterm" name="id2653804"></a>
    165165<a class="indexterm" name="id2653811"></a>
    166 <a class="indexterm" name="id2653817"></a>
     166<a class="indexterm" name="id2653818"></a>
    167167        If the Samba server will be accessed from a domain other than the local Samba domain, or
    168168        if there will be access from machines that are not local domain members, winbind will
     
    185185<a class="indexterm" name="id2653883"></a>
    186186<a class="indexterm" name="id2653890"></a>
    187 <a class="indexterm" name="id2653896"></a>
     187<a class="indexterm" name="id2653897"></a>
    188188<a class="indexterm" name="id2653903"></a>
    189189        The Winbind system is designed around a client/server
     
    193193        clients and are processed sequentially.</p><p>The technologies used to implement Winbind are described
    194194        in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2653925"></a>Microsoft Remote Procedure Calls</h3></div></div></div><p>
    195 <a class="indexterm" name="id2653933"></a>
     195<a class="indexterm" name="id2653934"></a>
    196196<a class="indexterm" name="id2653943"></a>
    197197<a class="indexterm" name="id2653950"></a>
    198 <a class="indexterm" name="id2653956"></a>
    199 <a class="indexterm" name="id2653963"></a>
     198<a class="indexterm" name="id2653957"></a>
     199<a class="indexterm" name="id2653964"></a>
    200200                Over the last few years, efforts have been underway by various Samba Team members to implement various aspects of
    201201                the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network-related operations
     
    204204                Samba, it has also yielded a body of code that can be used for other purposes.
    205205                </p><p>
    206 <a class="indexterm" name="id2653982"></a>
     206<a class="indexterm" name="id2653983"></a>
    207207<a class="indexterm" name="id2653989"></a>
    208208<a class="indexterm" name="id2653996"></a>
     
    212212                information onto UNIX user and group names.
    213213                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2654018"></a>Microsoft Active Directory Services</h3></div></div></div><p>
    214 <a class="indexterm" name="id2654026"></a>
     214<a class="indexterm" name="id2654027"></a>
    215215<a class="indexterm" name="id2654033"></a>
    216216<a class="indexterm" name="id2654040"></a>
     
    223223<a class="indexterm" name="id2654074"></a>
    224224<a class="indexterm" name="id2654080"></a>
    225 <a class="indexterm" name="id2654087"></a>
     225<a class="indexterm" name="id2654088"></a>
    226226<a class="indexterm" name="id2654094"></a>
    227227                The NSS is a feature that is present in many UNIX operating systems. It allows system
     
    335335                </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2654586"></a>Installation and Configuration</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2654592"></a>Introduction</h3></div></div></div><p>
    336336<a class="indexterm" name="id2654600"></a>
    337 <a class="indexterm" name="id2654606"></a>
     337<a class="indexterm" name="id2654607"></a>
    338338<a class="indexterm" name="id2654613"></a>
    339339This section describes the procedures used to get Winbind up and running. Winbind is capable of providing
     
    353353        <span class="emphasis"><em>Who should be reading this document?</em></span>
    354354        </p><p>
    355 <a class="indexterm" name="id2654684"></a>
     355<a class="indexterm" name="id2654685"></a>
    356356<a class="indexterm" name="id2654691"></a>
    357357This document is designed for system administrators. If you are implementing Samba on a file server and wish
     
    361361<a class="indexterm" name="id2654714"></a>
    362362<a class="indexterm" name="id2654721"></a>
    363 <a class="indexterm" name="id2654727"></a>
     363<a class="indexterm" name="id2654728"></a>
    364364If you have a Samba configuration file that you are currently using, <span class="emphasis"><em>BACK IT UP!</em></span>
    365365If your system already uses PAM, <span class="emphasis"><em>back up the <code class="filename">/etc/pam.d</code> directory
     
    391391<a class="indexterm" name="id2654873"></a>
    392392<a class="indexterm" name="id2654880"></a>
    393 <a class="indexterm" name="id2654886"></a>
     393<a class="indexterm" name="id2654887"></a>
    394394<a class="indexterm" name="id2654893"></a>
    395395Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
     
    438438group:      files winbind
    439439</pre><p>
    440 <a class="indexterm" name="id2655152"></a>
     440<a class="indexterm" name="id2655153"></a>
    441441<a class="indexterm" name="id2655159"></a>
    442442<a class="indexterm" name="id2655166"></a>
     
    455455</p><p>
    456456<a class="indexterm" name="id2655244"></a>
    457 <a class="indexterm" name="id2655250"></a>
     457<a class="indexterm" name="id2655251"></a>
    458458<a class="indexterm" name="id2655257"></a>
    459459<a class="indexterm" name="id2655264"></a>
     
    484484<a class="indexterm" name="id2655355"></a>
    485485<a class="indexterm" name="id2655362"></a>
    486 <a class="indexterm" name="id2655368"></a>
    487 <a class="indexterm" name="id2655375"></a>
    488 <a class="indexterm" name="id2655382"></a>
     486<a class="indexterm" name="id2655369"></a>
     487<a class="indexterm" name="id2655376"></a>
     488<a class="indexterm" name="id2655383"></a>
    489489<a class="indexterm" name="id2655390"></a>
    490490The Winbind AIX identification module gets built as <code class="filename">libnss_winbind.so</code> in the
     
    506506Management Guide: Operating System and Devices.</a>
    507507</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2655457"></a>Configure smb.conf</h4></div></div></div><p>
    508 <a class="indexterm" name="id2655464"></a>
     508<a class="indexterm" name="id2655465"></a>
    509509<a class="indexterm" name="id2655471"></a>
    510510<a class="indexterm" name="id2655478"></a>
    511511Several parameters are needed in the <code class="filename">smb.conf</code> file to control the behavior of <span class="application">winbindd</span>. These
    512512are described in more detail in the <a class="citerefentry" href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My <code class="filename">smb.conf</code> file, as shown in <a class="link" href="winbind.html#winbindcfg" title="Example 24.1. smb.conf for Winbind Setup">the smb.conf for Winbind Setup</a>, was modified to include the necessary entries in the [global] section.
    513 </p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example 24.1. smb.conf for Winbind Setup</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>#  separate domain and username with '\', like DOMAIN\username</td></tr><tr><td><a class="indexterm" name="id2655552"></a><em class="parameter"><code>winbind separator = \</code></em></td></tr><tr><td>#  use uids from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2655568"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td>#  use gids from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id2655583"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td>#  allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2655599"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2655611"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td>#  give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><a class="indexterm" name="id2655628"></a><em class="parameter"><code>template homedir = /home/winnt/%D/%U</code></em></td></tr><tr><td><a class="indexterm" name="id2655640"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2655654"></a>Join the Samba Server to the PDC Domain</h4></div></div></div><p>
     513</p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example 24.1. smb.conf for Winbind Setup</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>#  separate domain and username with '\', like DOMAIN\username</td></tr><tr><td><a class="indexterm" name="id2655552"></a><em class="parameter"><code>winbind separator = \</code></em></td></tr><tr><td>#  use uids from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2655568"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td>#  use gids from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id2655584"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td>#  allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2655599"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2655611"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td>#  give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><a class="indexterm" name="id2655628"></a><em class="parameter"><code>template homedir = /home/winnt/%D/%U</code></em></td></tr><tr><td><a class="indexterm" name="id2655640"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2655654"></a>Join the Samba Server to the PDC Domain</h4></div></div></div><p>
    514514<a class="indexterm" name="id2655662"></a>
    515515<a class="indexterm" name="id2655669"></a>
    516 <a class="indexterm" name="id2655675"></a>
     516<a class="indexterm" name="id2655676"></a>
    517517All machines that will participate in domain security should be members of
    518518the domain. This applies also to the PDC and all BDCs.
    519519</p><p>
    520 <a class="indexterm" name="id2655687"></a>
     520<a class="indexterm" name="id2655688"></a>
    521521<a class="indexterm" name="id2655694"></a>
    522522<a class="indexterm" name="id2655701"></a>
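Review bot: In Example 24.1 (line 513) the comment `#  give winbind users a real shell (only needed if they have telnet access)` sits above `template homedir = /home/winnt/%D/%U`, while `template shell = /bin/bash`, the setting it describes, follows with no comment. The line changes here only in one generated anchor (`id2655583` to `id2655584`), but since it is being regenerated anyway, move the comment directly above `template shell` in the source and give `template homedir` its own comment.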
     
    524524<a class="indexterm" name="id2655719"></a>
    525525<a class="indexterm" name="id2655726"></a>
    526 <a class="indexterm" name="id2655732"></a>
     526<a class="indexterm" name="id2655733"></a>
    527527<a class="indexterm" name="id2655739"></a>
    528528<a class="indexterm" name="id2655746"></a>
     
    534534</p><p>
    535535<a class="indexterm" name="id2655774"></a>
    536 <a class="indexterm" name="id2655780"></a>
     536<a class="indexterm" name="id2655781"></a>
    537537<a class="indexterm" name="id2655788"></a>
    538538Enter the following command to make the Samba server join the domain, where <em class="replaceable"><code>PDC</code></em> is
     
    548548137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx).
    549549</p></div><p>
    550 <a class="indexterm" name="id2655843"></a>
     550<a class="indexterm" name="id2655844"></a>
    551551The use of the <code class="literal">net rpc join</code> facility is shown here:
    552552</p><pre class="screen">
     
    556556<em class="replaceable"><code>DOMAIN</code></em></span>&#8221; where <em class="replaceable"><code>DOMAIN</code></em>
    557557is your domain name.
    558 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2655891"></a>Starting and Testing the <code class="literal">winbindd</code> Daemon</h4></div></div></div><p>
    559 <a class="indexterm" name="id2655905"></a>
     558</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2655892"></a>Starting and Testing the <code class="literal">winbindd</code> Daemon</h4></div></div></div><p>
     559<a class="indexterm" name="id2655906"></a>
    560560<a class="indexterm" name="id2655912"></a>
    561561<a class="indexterm" name="id2655919"></a>
     
    568568Use the appropriate path to the location of the <code class="literal">winbindd</code> executable file.
    569569</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    570 <a class="indexterm" name="id2655958"></a>
     570<a class="indexterm" name="id2655959"></a>
    571571<a class="indexterm" name="id2655965"></a>
    572572The command to start up Winbind services assumes that Samba has been installed in the
     
    581581</pre><p>
    582582</p><p>
    583 <a class="indexterm" name="id2656025"></a>
     583<a class="indexterm" name="id2656026"></a>
    584584This command should produce output like the following if the daemon is running.
    585585</p><pre class="screen">
     
    624624<a class="indexterm" name="id2656151"></a>
    625625<a class="indexterm" name="id2656158"></a>
    626 <a class="indexterm" name="id2656164"></a>
     626<a class="indexterm" name="id2656165"></a>
    627627<a class="indexterm" name="id2656171"></a>
    628628<a class="indexterm" name="id2656178"></a>
    629 <a class="indexterm" name="id2656184"></a>
     629<a class="indexterm" name="id2656185"></a>
    630630The function <code class="literal">getent</code> can now be used to get unified lists of both local and PDC users and
    631631groups. Try the following command:
     
    720720<a class="indexterm" name="id2656500"></a>
    721721<a class="indexterm" name="id2656507"></a>
    722 <a class="indexterm" name="id2656513"></a>
     722<a class="indexterm" name="id2656514"></a>
    723723On Solaris, you need to modify the <code class="filename">/etc/init.d/samba.server</code> startup script. It
    724724usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
     
    802802<a class="indexterm" name="id2656723"></a>
    803803<a class="indexterm" name="id2656730"></a>
    804 <a class="indexterm" name="id2656736"></a>
     804<a class="indexterm" name="id2656737"></a>
    805805You will need a PAM module to use winbindd with these other services. This module will be compiled in the
    806806<code class="filename">../source/nsswitch</code> directory by invoking the command:
     
    826826<a class="indexterm" name="id2656860"></a>
    827827<a class="indexterm" name="id2656867"></a>
    828 <a class="indexterm" name="id2656873"></a>
     828<a class="indexterm" name="id2656874"></a>
    829829<a class="indexterm" name="id2656880"></a>
    830830<a class="indexterm" name="id2656887"></a>
     
    845845</pre><p>
    846846<a class="indexterm" name="id2656954"></a>
    847 <a class="indexterm" name="id2656960"></a>
     847<a class="indexterm" name="id2656961"></a>
    848848<a class="indexterm" name="id2656968"></a>
    849849For ftp services to work properly, you will also need to either have individual directories for the domain
     
    851851domain users. These can be easily set using the <code class="filename">smb.conf</code> global entry <a class="link" href="smb.conf.5.html#TEMPLATEHOMEDIR" target="_top">template homedir</a>.
    852852</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    853 <a class="indexterm" name="id2657003"></a>
     853<a class="indexterm" name="id2657004"></a>
    854854The directory in <a class="link" href="smb.conf.5.html#TEMPLATEHOMEDIR" target="_top">template homedir</a> is not created automatically! Use pam_mkhomedir or
    855855pre-create the directories of users to make sure users can log in on UNIX with their own home directory.