2
3
.\" Author: [see the "AUTHOR" section]
3
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
5
6
.\" Manual: System Administration tools
6
7
.\" Source: Samba 3.5
7
8
.\" Language: English
9
.TH "WINBINDD" "8" "06/18/2010" "Samba 3\&.5" "System Administration tools"
10
.\" -----------------------------------------------------------------
11
.\" * (re)Define some macros
12
.\" -----------------------------------------------------------------
13
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14
.\" toupper - uppercase a string (locale-aware)
15
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22
.\" SH-xref - format a cross-reference to an SH section
23
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
.\" SH - level-one heading that works better for non-TTY output
34
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36
.\" put an extra blank line of space above the head in non-TTY output
43
.nr an-prevailing-indent \\n[IN]
47
.HTML-TAG ".NH \\n[an-level]"
49
.nr an-no-space-flag 1
51
\." make the size of the head bigger
56
.\" if n (TTY output), use uppercase
61
.\" if not n (not TTY), use normal case (not uppercase)
65
.\" if not n (not TTY), put a border/line under subheading
70
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71
.\" SS - level-two heading that works better for non-TTY output
72
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77
.nr an-prevailing-indent \\n[IN]
82
.nr an-no-space-flag 1
85
\." make the size of the head bigger
91
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92
.\" BB/BE - put background/screen (filled box) around block of text
93
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
106
.if "\\$2"adjust-for-leading-newline" \{\
114
.nr BW \\n(.lu-\\n(.i
117
.ie "\\$2"adjust-for-leading-newline" \{\
118
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
121
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
132
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133
.\" BM/EM - put colored marker in margin next to block of text
134
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
10
.TH "WINBINDD" "8" "03/06/2011" "Samba 3\&.5" "System Administration tools"
159
11
.\" -----------------------------------------------------------------
160
12
.\" * set default formatting
161
13
.\" -----------------------------------------------------------------
166
18
.\" -----------------------------------------------------------------
167
19
.\" * MAIN CONTENT STARTS HERE *
168
20
.\" -----------------------------------------------------------------
170
22
winbindd \- Name Service Switch daemon for resolving names from NT servers
174
\FCwinbindd\F[] [\-D] [\-F] [\-S] [\-i] [\-Y] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n]
25
winbindd [\-D] [\-F] [\-S] [\-i] [\-Y] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n]
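Review bot: the command name in the new synopsis line carries no font markup at all, where the old line wrapped it in \FC...\F[]. The same loss shows further down on the "account required ..." and "net join ..." lines and on the /lib paths. If the aim is only to drop the groff-specific \F escape, have the stylesheet emit portable \fB...\fR for commands and file names so they stay distinguishable from the surrounding prose.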
178
28
This program is part of the
183
33
is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and
185
35
and to Samba itself\&.
187
37
Even if winbind is not used for nsswitch, it still provides a service to
191
\FCpam_winbind\&.so\F[]
192
42
PAM module, by managing connections to domain controllers\&. In this configuraiton the
193
43
\m[blue]\fBidmap uid\fR\m[]
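Review bot: "configuraiton" in the unchanged line "In this configuraiton the" is a typo for "configuration" and survives the regeneration. The header says this file is generated by DocBook XSL Stylesheets, so the fix belongs in the DocBook source, not in this output.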
223
73
This feature is only available on IRIX\&. User information traditionally stored in the
226
\FCgethostbyname(3)\F[]
227
77
functions\&. Names are resolved through the WINS server or by broadcast\&.
232
82
User information traditionally stored in the
241
91
Group information traditionally stored in the
248
98
For example, the following simple configuration in the
249
\FC/etc/nsswitch\&.conf\F[]
250
100
file can be used to initially resolve user and group information from
254
104
and then from the Windows NT server\&.
265
.BB lightgray adjust-for-leading-newline
268
110
passwd: files winbind
269
111
group: files winbind
270
112
## only available on IRIX: use winbind to resolve hosts:
272
114
## All other NSS enabled systems should use libnss_wins\&.so like this:
273
115
hosts: files dns wins
275
.EB lightgray adjust-for-leading-newline
286
122
The following simple configuration in the
287
\FC/etc/nsswitch\&.conf\F[]
288
124
file can be used to initially resolve hostnames from
290
126
and then from the WINS server\&.
301
.BB lightgray adjust-for-leading-newline
304
132
hosts: files wins
305
.EB lightgray adjust-for-leading-newline
319
141
If specified, this parameter causes the server to operate as a daemon\&. That is, it detaches itself and runs in the background on the appropriate port\&. This switch is assumed if
321
143
is executed on the command line of a shell\&.
326
148
If specified, this parameter causes the main
328
150
process to not daemonize, i\&.e\&. double\-fork and disassociate with the terminal\&. Child processes are still created as normal to service each connection request, but the main process does not exit\&. This operation mode is suitable for running
330
152
under process supervisors such as
334
156
from Daniel J\&. Bernstein\'s
336
158
package, or the AIX process monitor\&.
341
163
If specified, this parameter causes
343
165
to log to standard output rather than a file\&.
604
.BB lightgray adjust-for-leading-newline
607
407
auth required /lib/security/pam_securetty\&.so
608
408
auth required /lib/security/pam_nologin\&.so
609
409
auth sufficient /lib/security/pam_winbind\&.so
610
410
auth required /lib/security/pam_unix\&.so \e
611
411
use_first_pass shadow nullok
612
.EB lightgray adjust-for-leading-newline
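Review bot: the documented auth stack still ends in "pam_unix.so use_first_pass shadow nullok", and nullok makes pam_unix accept local accounts whose password is blank. Readers copy this block verbatim, so either drop nullok from the example or add a sentence saying it is only there to match a legacy default and should be removed unless blank passwords are intended.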
648
440
Now replace the account lines with this:
650
\FCaccount required /lib/security/pam_winbind\&.so \F[]
442
account required /lib/security/pam_winbind\&.so
652
444
The next step is to join the domain\&. To do that use the
654
446
program like this:
656
\FCnet join \-S PDC \-U Administrator\F[]
448
net join \-S PDC \-U Administrator
658
450
The username after the
660
452
can be any Domain user that has administrator privileges on the machine\&. Substitute the name or IP of your PDC for "PDC"\&.
663
\FClibnss_winbind\&.so\F[]
667
\FCpam_winbind\&.so \F[]
669
\FC/lib/security\F[]\&. A symbolic link needs to be made from
670
\FC/lib/libnss_winbind\&.so\F[]
672
\FC/lib/libnss_winbind\&.so\&.2\F[]\&. If you are using an older version of glibc then the target of the link should be
673
\FC/lib/libnss_winbind\&.so\&.1\F[]\&.
461
/lib/security\&. A symbolic link needs to be made from
462
/lib/libnss_winbind\&.so
464
/lib/libnss_winbind\&.so\&.2\&. If you are using an older version of glibc then the target of the link should be
465
/lib/libnss_winbind\&.so\&.1\&.
676
468
\fBsmb.conf\fR(5)
698
482
workgroup = DOMAIN
699
483
security = domain
700
484
password server = *
701
.EB lightgray adjust-for-leading-newline
712
490
Now start winbindd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username\&. You may wish to use the commands
716
494
to confirm the correct operation of winbindd\&.
719
497
The following notes are useful when configuring and running
723
501
must be running on the local machine for
727
505
PAM is really easy to misconfigure\&. Make sure you know what you are doing when modifying PAM configuration files\&. It is possible to set up PAM such that you can no longer log into your system\&.
729
507
If more than one UNIX machine is running
730
\FCwinbindd\F[], then in general the user and groups ids allocated by winbindd will not be the same\&. The user and group ids will only be valid for the local machine, unless a shared
508
winbindd, then in general the user and groups ids allocated by winbindd will not be the same\&. The user and group ids will only be valid for the local machine, unless a shared
731
509
\m[blue]\fBidmap backend\fR\m[]
763
541
/tmp/\&.winbindd/pipe
765
543
The UNIX pipe over which clients communicate with the
767
545
program\&. For security reasons, the winbind client will only attempt to connect to the winbindd daemon if both the
768
\FC/tmp/\&.winbindd\F[]
770
\FC/tmp/\&.winbindd/pipe\F[]
548
/tmp/\&.winbindd/pipe
771
549
file are owned by root\&.
774
552
$LOCKDIR/winbindd_privileged/pipe
776
554
The UNIX pipe over which \'privileged\' clients communicate with the
778
556
program\&. For security reasons, access to some winbindd functions \- like those needed by the
780
558
utility \- is restricted\&. By default, only users in the \'root\' group will get this access, however the administrator may change the group permissions on $LOCKDIR/winbindd_privileged to allow programs like \'squid\' to use ntlm_auth\&. Note that the winbind client will only attempt to connect to the winbindd daemon if both the
781
\FC$LOCKDIR/winbindd_privileged\F[]
559
$LOCKDIR/winbindd_privileged
783
\FC$LOCKDIR/winbindd_privileged/pipe\F[]
561
$LOCKDIR/winbindd_privileged/pipe
784
562
file are owned by root\&.
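Review bot: the privileged pipe paragraph tells the administrator to "change the group permissions on $LOCKDIR/winbindd_privileged" for programs like squid but does not say what the resulting ownership and mode should be. Spell out that the directory should stay owned by root, with its group set to the one the service runs under and no access for others, so the advice is not read as permission to open the directory more widely. The sentence "By default, only users in the 'root' group will get this access, however the administrator may ..." is also a comma splice and would read better split in two.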