1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>winbindd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.64.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="winbindd.8"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>winbindd — Name Service Switch daemon for resolving names
2
from NT servers</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">winbindd</tt> [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]</p></div></div><div class="refsect1" lang="en"><a name="id2478470"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><span><b class="command">winbindd</b></span> is a daemon that provides
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>winbindd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="winbindd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>winbindd — Name Service Switch daemon for resolving names
2
from NT servers</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">winbindd</tt> [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]</p></div></div><div class="refsect1" lang="en"><a name="id2497577"></a><h2>DESCRIPTION</h2><p>This program is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><span><b class="command">winbindd</b></span> is a daemon that provides
3
3
a number of services to the Name Service Switch capability found
4
4
in most modern C libraries, to arbitary applications via PAM
5
5
and <span><b class="command">ntlm_auth</b></span> and to Samba itself.</p><p>Even if winbind is not used for nsswitch, it still provides a
6
6
service to <span><b class="command">smbd</b></span>, <span><b class="command">ntlm_auth</b></span>
7
7
and the <span><b class="command">pam_winbind.so</b></span> PAM module, by managing connections to
8
8
domain controllers. In this configuraiton the
9
<a class="indexterm" name="id2478527"></a>idmap uid and
10
<a class="indexterm" name="id2478534"></a>idmap gid
9
<a class="indexterm" name="id2497634"></a>idmap uid and
10
<a class="indexterm" name="id2497641"></a>idmap gid
11
11
parameters are not required. (This is known as `netlogon proxy only mode'.)</p><p> The Name Service Switch allows user
12
12
and system information to be obtained from different databases
13
13
services such as NIS or DNS. The exact behaviour can be configured
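Review bot: nothing in lines 1 to 13 changes the page's text; the differences are the generator string (DocBook XSL Stylesheets V1.64.1 to V1.66.1), the emptied titlepage div, and regenerated anchor names (id2478470 to id2497577, id2478527 to id2497634, id2478534 to id2497641). If this HTML is build output, generate it at build time or configure stable anchor ids instead of committing it, so that real text changes are not buried in id churn and existing deep links to these anchors keep working.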
52
52
resolve hostnames from <tt class="filename">/etc/hosts</tt> and then from the
53
53
WINS server.</p><pre class="programlisting">
55
</pre></div><div class="refsect1" lang="en"><a name="id2430227"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes
55
</pre></div><div class="refsect1" lang="en"><a name="id2449262"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-F</span></dt><dd><p>If specified, this parameter causes
56
56
the main <span><b class="command">winbindd</b></span> process to not daemonize,
57
57
i.e. double-fork and disassociate with the terminal.
58
58
Child processes are still created as normal to service
84
84
investigating a problem. Levels above 3 are designed for
85
85
use only by developers and generate HUGE amounts of log
86
86
data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will
87
override the <a class="indexterm" name="id2429202"></a>log level parameter
87
override the <a class="indexterm" name="id2448336"></a> parameter
88
88
in the <tt class="filename">smb.conf</tt> file.</p></dd><dt><span class="term">-l|--logfile=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension
89
89
<tt class="constant">".progname"</tt> will be appended (e.g. log.smbclient,
90
90
log.smbd, etc...). The log file is never removed by the client.
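Review bot: new line 87 loses the parameter name. The old line read "override the ... log level parameter" and the new one reads "override the ... parameter" with an empty indexterm anchor, so this option's note no longer says which smb.conf setting it overrides. Restore the "log level" text; the generator version bump at the top of the diff is the likely cause, so check how the newer stylesheet renders parameter references before committing the regenerated page.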
105
105
as a single process (the mode of operation in Samba 2.2). Winbindd's
106
106
default behavior is to launch a child process that is responsible for
107
107
updating expired cache entries.
108
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2429319"></a><h2>NAME AND ID RESOLUTION</h2><p>Users and groups on a Windows NT server are assigned
108
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2448451"></a><h2>NAME AND ID RESOLUTION</h2><p>Users and groups on a Windows NT server are assigned
109
109
a security id (SID) which is globally unique when the
110
110
user or group is created. To convert the Windows NT user or group
111
111
into a unix user or group, a mapping between SIDs and unix user
120
120
where the user and group mappings are stored by winbindd. If this
121
121
file is deleted or corrupted, there is no way for winbindd to
122
122
determine which user and group ids correspond to Windows NT user
123
and group rids. </p><p>See the <a class="indexterm" name="id2429360"></a>idmap
123
and group rids. </p><p>See the <a class="indexterm" name="id2448492"></a> parameter in
125
124
<tt class="filename">smb.conf</tt> for options for sharing this
126
database, such as via LDAP.</p></div><div class="refsect1" lang="en"><a name="id2429377"></a><h2>CONFIGURATION</h2><p>Configuration of the <span><b class="command">winbindd</b></span> daemon
125
database, such as via LDAP.</p></div><div class="refsect1" lang="en"><a name="id2448507"></a><h2>CONFIGURATION</h2><p>Configuration of the <span><b class="command">winbindd</b></span> daemon
127
126
is done through configuration parameters in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file. All parameters should be specified in the
128
127
[global] section of smb.conf. </p><div class="itemizedlist"><ul type="disc"><li><p>
129
<a class="indexterm" name="id2429409"></a>winbind separator</p></li><li><p>
130
<a class="indexterm" name="id2429420"></a>idmap uid</p></li><li><p>
131
<a class="indexterm" name="id2429432"></a>idmap gid</p></li><li><p>
132
<a class="indexterm" name="id2429443"></a>idmap backend</p></li><li><p>
133
<a class="indexterm" name="id2429454"></a>winbind cache time</p></li><li><p>
134
<a class="indexterm" name="id2429466"></a>winbind enum users</p></li><li><p>
135
<a class="indexterm" name="id2429478"></a>winbind enum groups</p></li><li><p>
136
<a class="indexterm" name="id2429489"></a>template homedir</p></li><li><p>
137
<a class="indexterm" name="id2429501"></a>template shell</p></li><li><p>
138
<a class="indexterm" name="id2429512"></a>winbind use default domain</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id2429523"></a><h2>EXAMPLE SETUP</h2><p>To setup winbindd for user and group lookups plus
128
<a class="indexterm" name="id2448539"></a>winbind separator</p></li><li><p>
129
<a class="indexterm" name="id2448551"></a>idmap uid</p></li><li><p>
130
<a class="indexterm" name="id2448562"></a>idmap gid</p></li><li><p>
131
<a class="indexterm" name="id2448573"></a>idmap backend</p></li><li><p>
132
<a class="indexterm" name="id2448585"></a>winbind cache time</p></li><li><p>
133
<a class="indexterm" name="id2448596"></a>winbind enum users</p></li><li><p>
134
<a class="indexterm" name="id2448608"></a>winbind enum groups</p></li><li><p>
135
<a class="indexterm" name="id2448620"></a>template homedir</p></li><li><p>
136
<a class="indexterm" name="id2448631"></a>template shell</p></li><li><p>
137
<a class="indexterm" name="id2448643"></a>winbind use default domain</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id2448654"></a><h2>EXAMPLE SETUP</h2><p>To setup winbindd for user and group lookups plus
139
138
authentication from a domain controller use something like the
140
139
following setup. This was tested on a RedHat 6.2 Linux box. </p><p>In <tt class="filename">/etc/nsswitch.conf</tt> put the
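Review bot: new line 123 now reads "See the ... parameter in smb.conf for options for sharing this database" with an empty indexterm anchor where old line 123 had "idmap", so the reader is not told which parameter to look up. Restore the parameter name here. The CONFIGURATION list items in the same region kept their text (winbind separator, idmap uid, idmap gid, ...), so the loss appears limited to parameter references inside running sentences.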
178
177
and that you can login to your unix box as a domain user, using
179
178
the DOMAIN+user syntax for the username. You may wish to use the
180
179
commands <span><b class="command">getent passwd</b></span> and <span><b class="command">getent group
181
</b></span> to confirm the correct operation of winbindd.</p></div><div class="refsect1" lang="en"><a name="id2491126"></a><h2>NOTES</h2><p>The following notes are useful when configuring and
180
</b></span> to confirm the correct operation of winbindd.</p></div><div class="refsect1" lang="en"><a name="id2510231"></a><h2>NOTES</h2><p>The following notes are useful when configuring and
182
181
running <span><b class="command">winbindd</b></span>: </p><p><a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> must be running on the local machine
183
182
for <span><b class="command">winbindd</b></span> to work. </p><p>PAM is really easy to misconfigure. Make sure you know what
184
183
you are doing when modifying PAM configuration files. It is possible
185
184
to set up PAM such that you can no longer log into your system. </p><p>If more than one UNIX machine is running <span><b class="command">winbindd</b></span>,
186
185
then in general the user and groups ids allocated by winbindd will not
187
186
be the same. The user and group ids will only be valid for the local
188
machine, unless a shared <a class="indexterm" name="id2491176"></a>idmap
189
backend is configured.</p><p>If the the Windows NT SID to UNIX user and group id mapping
190
file is damaged or destroyed then the mappings will be lost. </p></div><div class="refsect1" lang="en"><a name="id2491192"></a><h2>SIGNALS</h2><p>The following signals can be used to manipulate the
187
machine, unless a shared <a class="indexterm" name="id2510282"></a> is configured.</p><p>If the the Windows NT SID to UNIX user and group id mapping
188
file is damaged or destroyed then the mappings will be lost. </p></div><div class="refsect1" lang="en"><a name="id2510295"></a><h2>SIGNALS</h2><p>The following signals can be used to manipulate the
191
189
<span><b class="command">winbindd</b></span> daemon. </p><div class="variablelist"><dl><dt><span class="term">SIGHUP</span></dt><dd><p>Reload the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and
192
190
apply any parameter changes to the running
193
191
version of winbindd. This signal also clears any cached
195
193
by winbindd is also reloaded. </p></dd><dt><span class="term">SIGUSR2</span></dt><dd><p>The SIGUSR2 signal will cause <span><b class="command">
196
194
winbindd</b></span> to write status information to the winbind
197
195
log file.</p><p>Log files are stored in the filename specified by the
198
log file parameter.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2491257"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><tt class="filename">/etc/nsswitch.conf(5)</tt></span></dt><dd><p>Name service switch configuration file.</p></dd><dt><span class="term">/tmp/.winbindd/pipe</span></dt><dd><p>The UNIX pipe over which clients communicate with
196
log file parameter.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2510361"></a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term"><tt class="filename">/etc/nsswitch.conf(5)</tt></span></dt><dd><p>Name service switch configuration file.</p></dd><dt><span class="term">/tmp/.winbindd/pipe</span></dt><dd><p>The UNIX pipe over which clients communicate with
199
197
the <span><b class="command">winbindd</b></span> program. For security reasons, the
200
198
winbind client will only attempt to connect to the winbindd daemon
201
199
if both the <tt class="filename">/tmp/.winbindd</tt> directory
202
200
and <tt class="filename">/tmp/.winbindd/pipe</tt> file are owned by
203
root. </p></dd><dt><span class="term">$LOCKDIR/winbindd_privilaged/pipe</span></dt><dd><p>The UNIX pipe over which 'privilaged' clients
201
root. </p></dd><dt><span class="term">$LOCKDIR/winbindd_privileged/pipe</span></dt><dd><p>The UNIX pipe over which 'privileged' clients
204
202
communicate with the <span><b class="command">winbindd</b></span> program. For security
205
203
reasons, access to some winbindd functions - like those needed by
206
204
the <span><b class="command">ntlm_auth</b></span> utility - is restricted. By default,
207
205
only users in the 'root' group will get this access, however the administrator
208
may change the group permissions on $LOCKDIR/winbindd_privilaged to allow
206
may change the group permissions on $LOCKDIR/winbindd_privileged to allow
209
207
programs like 'squid' to use ntlm_auth.
210
208
Note that the winbind client will only attempt to connect to the winbindd daemon
211
if both the <tt class="filename">$LOCKDIR/winbindd_privilaged</tt> directory
212
and <tt class="filename">$LOCKDIR/winbindd_privilaged/pipe</tt> file are owned by
209
if both the <tt class="filename">$LOCKDIR/winbindd_privileged</tt> directory
210
and <tt class="filename">$LOCKDIR/winbindd_privileged/pipe</tt> file are owned by
213
211
root. </p></dd><dt><span class="term">/lib/libnss_winbind.so.X</span></dt><dd><p>Implementation of name service switch library.
214
212
</p></dd><dt><span class="term">$LOCKDIR/winbindd_idmap.tdb</span></dt><dd><p>Storage for the Windows NT rid to UNIX user/group
215
213
id mapping. The lock directory is specified when Samba is initially
216
214
compiled using the <i class="parameter"><tt>--with-lockdir</tt></i> option.
217
215
This directory is by default <tt class="filename">/usr/local/samba/var/locks
218
216
</tt>. </p></dd><dt><span class="term">$LOCKDIR/winbindd_cache.tdb</span></dt><dd><p>Storage for cached user and group information.
219
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2491414"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of
220
the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id2491425"></a><h2>SEE ALSO</h2><p><tt class="filename">nsswitch.conf(5)</tt>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a href="ntlm_auth.8.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a></p></div><div class="refsect1" lang="en"><a name="id2491474"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
217
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2510517"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of
218
the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id2510528"></a><h2>SEE ALSO</h2><p><tt class="filename">nsswitch.conf(5)</tt>, <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="wbinfo.1.html"><span class="citerefentry"><span class="refentrytitle">wbinfo</span>(1)</span></a>, <a href="ntlm_auth.8.html"><span class="citerefentry"><span class="refentrytitle">ntlm_auth</span>(8)</span></a>, <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a>, <a href="pam_winbind.8.html"><span class="citerefentry"><span class="refentrytitle">pam_winbind</span>(8)</span></a></p></div><div class="refsect1" lang="en"><a name="id2510586"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
221
219
were created by Andrew Tridgell. Samba is now developed
222
220
by the Samba Team as an Open Source project similar
223
221
to the way the Linux kernel is developed.</p><p><span><b class="command">wbinfo</b></span> and <span><b class="command">winbindd</b></span> were
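Review bot: the FILES entries at new lines 201 to 210 change $LOCKDIR/winbindd_privilaged to $LOCKDIR/winbindd_privileged. This is a path the administrator is told to change group permissions on, and one the client checks for root ownership before connecting, so the spelling in the page must match the directory that the documented version (3.0, per the unchanged VERSION section) actually creates; confirm that against the code rather than correcting the spelling in the page alone, otherwise a reader following the page adjusts a directory the daemon does not use. Separately, new line 187 drops the name from "unless a shared idmap backend is configured", leaving "unless a shared ... is configured"; restore it.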