2
3
.\" Author: [see the "AUTHOR" section]
3
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
5
6
.\" Manual: System Administration tools
6
7
.\" Source: Samba 3.4
7
8
.\" Language: English
9
.TH "WINBINDD" "8" "10/29/2009" "Samba 3\&.4" "System Administration tools"
10
.\" -----------------------------------------------------------------
11
.\" * (re)Define some macros
12
.\" -----------------------------------------------------------------
13
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14
.\" toupper - uppercase a string (locale-aware)
15
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22
.\" SH-xref - format a cross-reference to an SH section
23
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
.\" SH - level-one heading that works better for non-TTY output
34
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36
.\" put an extra blank line of space above the head in non-TTY output
43
.nr an-prevailing-indent \\n[IN]
47
.HTML-TAG ".NH \\n[an-level]"
49
.nr an-no-space-flag 1
51
\." make the size of the head bigger
56
.\" if n (TTY output), use uppercase
61
.\" if not n (not TTY), use normal case (not uppercase)
65
.\" if not n (not TTY), put a border/line under subheading
70
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71
.\" SS - level-two heading that works better for non-TTY output
72
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77
.nr an-prevailing-indent \\n[IN]
82
.nr an-no-space-flag 1
85
\." make the size of the head bigger
91
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92
.\" BB/BE - put background/screen (filled box) around block of text
93
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
106
.if "\\$2"adjust-for-leading-newline" \{\
114
.nr BW \\n(.lu-\\n(.i
117
.ie "\\$2"adjust-for-leading-newline" \{\
118
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
121
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
132
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133
.\" BM/EM - put colored marker in margin next to block of text
134
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
10
.TH "WINBINDD" "8" "01/18/2010" "Samba 3\&.4" "System Administration tools"
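Review bot: removing the locally defined macros (toupper, SH-xref, SH, SS, BB/BE, BM/EM) from the header is only safe if nothing further down still invokes them; in this diff the `.BB lightgray adjust-for-leading-newline` / `.EB` wrappers around the nsswitch.conf, PAM and smb.conf examples appear on the old side only, so the new output is consistent, but please confirm the same holds for the parts of the file this listing does not show. The other header changes are the generator bump from DocBook XSL 1.74.0 to 1.75.2 and the build date moving from 10/29/2009 to 01/18/2010, which is expected for a regenerated page.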
159
11
.\" -----------------------------------------------------------------
160
12
.\" * set default formatting
161
13
.\" -----------------------------------------------------------------
166
18
.\" -----------------------------------------------------------------
167
19
.\" * MAIN CONTENT STARTS HERE *
168
20
.\" -----------------------------------------------------------------
170
22
winbindd \- Name Service Switch daemon for resolving names from NT servers
174
\FCwinbindd\F[] [\-D] [\-F] [\-S] [\-i] [\-Y] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n]
25
winbindd [\-D] [\-F] [\-S] [\-i] [\-Y] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n]
178
28
This program is part of the
183
33
is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and
185
35
and to Samba itself\&.
187
37
Even if winbind is not used for nsswitch, it still provides a service to
191
\FCpam_winbind\&.so\F[]
192
42
PAM module, by managing connections to domain controllers\&. In this configuraiton the
193
43
\m[blue]\fBidmap uid\fR\m[]
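Review bot: the unchanged context line "PAM module, by managing connections to domain controllers. In this configuraiton the" carries a typo, "configuraiton" for "configuration"; since this man page is generated, fix it in the DocBook source the generator reads rather than in this output file, otherwise the next regeneration reintroduces it.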
223
73
If specified, this parameter causes the server to operate as a daemon\&. That is, it detaches itself and runs in the background on the appropriate port\&. This switch is assumed if
225
75
is executed on the command line of a shell\&.
230
80
This feature is only available on IRIX\&. User information traditionally stored in the
233
\FCgethostbyname(3)\F[]
234
84
functions\&. Names are resolved through the WINS server or by broadcast\&.
239
89
User information traditionally stored in the
248
98
Group information traditionally stored in the
255
105
For example, the following simple configuration in the
256
\FC/etc/nsswitch\&.conf\F[]
257
107
file can be used to initially resolve user and group information from
261
111
and then from the Windows NT server\&.
272
.BB lightgray adjust-for-leading-newline
275
117
passwd: files winbind
276
118
group: files winbind
277
119
## only available on IRIX: use winbind to resolve hosts:
279
121
## All other NSS enabled systems should use libnss_wins\&.so like this:
280
122
hosts: files dns wins
282
.EB lightgray adjust-for-leading-newline
293
129
The following simple configuration in the
294
\FC/etc/nsswitch\&.conf\F[]
295
131
file can be used to initially resolve hostnames from
297
133
and then from the WINS server\&.
308
.BB lightgray adjust-for-leading-newline
311
139
hosts: files wins
312
.EB lightgray adjust-for-leading-newline
326
148
If specified, this parameter causes the main
328
150
process to not daemonize, i\&.e\&. double\-fork and disassociate with the terminal\&. Child processes are still created as normal to service each connection request, but the main process does not exit\&. This operation mode is suitable for running
330
152
under process supervisors such as
334
156
from Daniel J\&. Bernstein\'s
336
158
package, or the AIX process monitor\&.
341
163
If specified, this parameter causes
343
165
to log to standard output rather than a file\&.
353
175
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
355
177
Note that specifying this parameter here will override the
356
\m[blue]\fBlog level\fR\m[]
178
\m[blue]\fB\%smb.conf.5.html#\fR\m[]
364
186
Prints the program version number\&.
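Review bot: the `-d <debug level>` description loses its cross-reference label in this hunk: the old line `\m[blue]\fBlog level\fR\m[]` becomes `\m[blue]\fB\%smb.conf.5.html#\fR\m[]`, so the rendered sentence now reads "will override the smb.conf.5.html# parameter" instead of naming the `log level` parameter, and the fragment after `#` is empty. This looks like the newer stylesheet emitting the link target where the link text belongs; restore the `log level` label (keeping the link if the output format supports it) before merging.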
367
\-s <configuration file>
189
\-s|\-\-configfile <configuration file>
369
191
The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
371
193
for more information\&. The default configuration file name is determined at compile time\&.
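Review bot: this hunk documents the option as `-s|--configfile <configuration file>`, but the synopsis at the top of the page still lists only `[-s <smb config file>]` on both sides of the diff; if the long form is now documented here, the synopsis line should carry `--configfile` as well so the two stay consistent.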
604
.BB lightgray adjust-for-leading-newline
607
407
auth required /lib/security/pam_securetty\&.so
608
408
auth required /lib/security/pam_nologin\&.so
609
409
auth sufficient /lib/security/pam_winbind\&.so
610
410
auth required /lib/security/pam_unix\&.so \e
611
411
use_first_pass shadow nullok
612
.EB lightgray adjust-for-leading-newline
648
440
Now replace the account lines with this:
650
\FCaccount required /lib/security/pam_winbind\&.so \F[]
442
account required /lib/security/pam_winbind\&.so
652
444
The next step is to join the domain\&. To do that use the
654
446
program like this:
656
\FCnet join \-S PDC \-U Administrator\F[]
448
net join \-S PDC \-U Administrator
658
450
The username after the
660
452
can be any Domain user that has administrator privileges on the machine\&. Substitute the name or IP of your PDC for "PDC"\&.
663
\FClibnss_winbind\&.so\F[]
667
\FCpam_winbind\&.so \F[]
669
\FC/lib/security\F[]\&. A symbolic link needs to be made from
670
\FC/lib/libnss_winbind\&.so\F[]
672
\FC/lib/libnss_winbind\&.so\&.2\F[]\&. If you are using an older version of glibc then the target of the link should be
673
\FC/lib/libnss_winbind\&.so\&.1\F[]\&.
461
/lib/security\&. A symbolic link needs to be made from
462
/lib/libnss_winbind\&.so
464
/lib/libnss_winbind\&.so\&.2\&. If you are using an older version of glibc then the target of the link should be
465
/lib/libnss_winbind\&.so\&.1\&.
676
468
\fBsmb.conf\fR(5)
698
482
workgroup = DOMAIN
699
483
security = domain
700
484
password server = *
701
.EB lightgray adjust-for-leading-newline
712
490
Now start winbindd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username\&. You may wish to use the commands
716
494
to confirm the correct operation of winbindd\&.
719
497
The following notes are useful when configuring and running
723
501
must be running on the local machine for
727
505
PAM is really easy to misconfigure\&. Make sure you know what you are doing when modifying PAM configuration files\&. It is possible to set up PAM such that you can no longer log into your system\&.
729
507
If more than one UNIX machine is running
730
\FCwinbindd\F[], then in general the user and groups ids allocated by winbindd will not be the same\&. The user and group ids will only be valid for the local machine, unless a shared
508
winbindd, then in general the user and groups ids allocated by winbindd will not be the same\&. The user and group ids will only be valid for the local machine, unless a shared
731
509
\m[blue]\fBidmap backend\fR\m[]
763
541
/tmp/\&.winbindd/pipe
765
543
The UNIX pipe over which clients communicate with the
767
545
program\&. For security reasons, the winbind client will only attempt to connect to the winbindd daemon if both the
768
\FC/tmp/\&.winbindd\F[]
770
\FC/tmp/\&.winbindd/pipe\F[]
548
/tmp/\&.winbindd/pipe
771
549
file are owned by root\&.
774
552
$LOCKDIR/winbindd_privileged/pipe
776
554
The UNIX pipe over which \'privileged\' clients communicate with the
778
556
program\&. For security reasons, access to some winbindd functions \- like those needed by the
780
558
utility \- is restricted\&. By default, only users in the \'root\' group will get this access, however the administrator may change the group permissions on $LOCKDIR/winbindd_privileged to allow programs like \'squid\' to use ntlm_auth\&. Note that the winbind client will only attempt to connect to the winbindd daemon if both the
781
\FC$LOCKDIR/winbindd_privileged\F[]
559
$LOCKDIR/winbindd_privileged
783
\FC$LOCKDIR/winbindd_privileged/pipe\F[]
561
$LOCKDIR/winbindd_privileged/pipe
784
562
file are owned by root\&.
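Review bot: dropping the `\FC...\F[]` wrappers around `/tmp/.winbindd`, `/tmp/.winbindd/pipe`, `$LOCKDIR/winbindd_privileged` and `$LOCKDIR/winbindd_privileged/pipe` means these paths render in the body font in the new output. If that is the intended effect of the stylesheet bump it is fine, but check the rendered page still sets the paths apart from the prose: the requirement that both the directory and the pipe file be owned by root, and the note that the administrator may relax the group permissions on `$LOCKDIR/winbindd_privileged` for programs such as squid, are the checks an administrator needs to be able to spot when auditing access to winbindd.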