System Administration tools                          WINBIND(1M)



NAME
     winbindd - Name Service Switch daemon for resolving names
     from NT servers

SYNOPSIS
     winbindd [-D] [-F] [-S] [-i] [-Y] [-d ]
      [-s ] [-n]

DESCRIPTION
     This program is part of the samba(7) suite.

     winbindd is a daemon that provides a number of services to
     the Name Service Switch capability found in most modern C
     libraries, to arbitrary applications via PAM and ntlm_auth
     and to Samba itself.

     Even if winbind is not used for nsswitch, it still provides
     a service to smbd, ntlm_auth and the pam_winbind.so PAM
     module, by managing connections to domain controllers. In
     this configuration the idmap uid and idmap gid parameters
     are not required. (This is known as `netlogon proxy only
     mode'.)

     The Name Service Switch allows user and system information
     to be obtained from different database services such as NIS
     or DNS. The exact behaviour can be configured through the
     /etc/nsswitch.conf file. Users and groups are allocated, as
     they are resolved, to a range of user and group ids specified
     by the administrator of the Samba system.

     The service provided by winbindd is called `winbind' and can
     be used to resolve user and group information from a Windows
     NT server. The service can also provide authentication
     services via an associated PAM module.

     The pam_winbind module supports the auth, account and
     password module-types. It should be noted that the account
     module simply performs a getpwnam() to verify that the
     system can obtain a uid for the user, as the domain
     controller has already performed access control. If the
     libnss_winbind library has been correctly installed, or an
     alternate source of names configured, this should always
     succeed.

     The following nsswitch databases are implemented by the
     winbindd service:

     hosts
         This feature is only available on IRIX. Host information
         traditionally stored in the hosts(4) file and used by
         gethostbyname(3) functions. Names are resolved through
         the WINS server or by broadcast.

     passwd
         User information traditionally stored in the passwd(4)
         file and used by getpwent(3) functions.

     group
         Group information traditionally stored in the group(4)
         file and used by getgrent(3) functions.

     For example, the following simple configuration in the
     /etc/nsswitch.conf file can be used to initially resolve
     user and group information from /etc/passwd and /etc/group
     and then from the Windows NT server.

         passwd:         files winbind
         group:          files winbind
         ## only available on IRIX: use winbind to resolve hosts:
         # hosts:        files dns winbind
         ## All other NSS-enabled systems should use libnss_wins.so like this:
         hosts:          files dns wins

     The following simple configuration in the /etc/nsswitch.conf
     file can be used to initially resolve hostnames from
     /etc/hosts and then from the WINS server.

         hosts:         files wins

Samba 3.2            Last change: 01/19/2009                    1

OPTIONS
     -D
         If specified, this parameter causes the server to
         operate as a daemon. That is, it detaches itself and
         runs in the background on the appropriate port. This
         switch is assumed if winbindd is executed on the command
         line of a shell.
     -F
         If specified, this parameter causes the main winbindd
         process to not daemonize, i.e. double-fork and
         disassociate with the terminal. Child processes are
         still created as normal to service each connection
         request, but the main process does not exit. This
         operation mode is suitable for running winbindd under
         process supervisors such as supervise and svscan from
         Daniel J. Bernstein's daemontools package, or the AIX
         process monitor.

     -S
         If specified, this parameter causes winbindd to log to
         standard output rather than a file.

     -d|--debuglevel=level
         level is an integer from 0 to 10. The default value if
         this parameter is not specified is 0.

         The higher this value, the more detail will be logged to
         the log files about the activities of the server. At
         level 0, only critical errors and serious warnings will
         be logged. Level 1 is a reasonable level for day-to-day
         running - it generates a small amount of information
         about operations carried out.

         Levels above 1 will generate considerable amounts of log
         data, and should only be used when investigating a
         problem. Levels above 3 are designed for use only by
         developers and generate HUGE amounts of log data, most
         of which is extremely cryptic.

         Note that specifying this parameter here will override
         the log level parameter in the smb.conf file.

     -V
         Prints the program version number.

     -s 
         The file specified contains the configuration details
         required by the server. The information in this file
         includes server-specific information such as what
         printcap file to use, as well as descriptions of all the
         services that the server is to provide. See smb.conf for
         more information. The default configuration file name is
         determined at compile time.

     -l|--log-basename=logdirectory
         Base directory name for log/debug files. The extension
         ".progname" will be appended (e.g. log.smbclient,
         log.smbd, etc...). The log file is never removed by the
         client.

     -h|--help
         Print a summary of command line options.

     -i
         Tells winbindd to not become a daemon and detach from
         the current terminal. This option is used by developers
         when interactive debugging of winbindd is required.
         winbindd also logs to standard output, as if the -S
         parameter had been given.

     -n
         Disable caching. This means winbindd will always have to
         wait for a response from the domain controller before it
         can respond to a client and this thus makes things
         slower. The results will however be more accurate, since
         results from the cache might not be up-to-date. This
         might also temporarily hang winbindd if the DC doesn't
         respond.

     -Y
         Single daemon mode. This means winbindd will run as a
         single process (the mode of operation in Samba 2.2).
         Winbindd's default behavior is to launch a child process
         that is responsible for updating expired cache entries.

NAME AND ID RESOLUTION
     Users and groups on a Windows NT server are assigned a
     security id (SID) which is globally unique when the user or
     group is created. To convert the Windows NT user or group
     into a unix user or group, a mapping between SIDs and unix
     user and group ids is required. This is one of the jobs that
     winbindd performs.

     As winbindd users and groups are resolved from a server,
     user and group ids are allocated from a specified range.
     This is done on a first come, first served basis, although
     all existing users and groups will be mapped as soon as a
     client performs a user or group enumeration command. The
     allocated unix ids are stored in a database and will be
     remembered.

     WARNING: The SID to unix id database is the only location
     where the user and group mappings are stored by winbindd. If
     this store is deleted or corrupted, there is no way for
     winbindd to determine which user and group ids correspond to
     Windows NT user and group rids.

     See the idmap domains or the old idmap backend parameters in
     smb.conf for options for sharing this database, such as via
     LDAP.

CONFIGURATION
     Configuration of the winbindd daemon is done through
     configuration parameters in the smb.conf(4) file. All
     parameters should be specified in the [global] section of
     smb.conf.

     o    winbind separator

     o    idmap uid

     o    idmap gid

     o    idmap backend

     o    winbind cache time

     o    winbind enum users

     o    winbind enum groups

     o    template homedir

     o    template shell

     o    winbind use default domain

     o    winbind: rpc only
          Setting this parameter forces winbindd to use RPC
          instead of LDAP to retrieve information from Domain
          Controllers.

EXAMPLE SETUP
     To set up winbindd for user and group lookups plus
     authentication from a domain controller, use something like
     the following setup. This was tested on an early Red Hat
     Linux box.

     In /etc/nsswitch.conf put the following:

         passwd: files winbind
         group:  files winbind

     In /etc/pam.d/* replace the auth lines with something like
     this:

         auth  required    /lib/security/pam_securetty.so
         auth  required    /lib/security/pam_nologin.so
         auth  sufficient  /lib/security/pam_winbind.so
         auth  required    /lib/security/pam_unix.so \
                           use_first_pass shadow nullok


     Note

     The PAM module pam_unix has recently replaced the module
     pam_pwdb. Some Linux systems use the module pam_unix2 in
     place of pam_unix.

     Note in particular the use of the sufficient keyword and the
     use_first_pass keyword.

     Now replace the account lines with this:

         account required /lib/security/pam_winbind.so

     The next step is to join the domain. To do that use the net
     program like this:

     net join -S PDC -U Administrator

     The username after the -U can be any Domain user that has
     administrator privileges on the machine. Substitute the name
     or IP of your PDC for "PDC".

     Next copy libnss_winbind.so to /lib and pam_winbind.so to
     /lib/security. A symbolic link needs to be made from
     /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you
     are using an older version of glibc then the target of the
     link should be /lib/libnss_winbind.so.1.

     Finally, set up a smb.conf(4) containing directives like the
     following:

         [global]
              winbind separator = +
              winbind cache time = 10
              template shell = /bin/bash
              template homedir = /home/%D/%U
              idmap uid = 10000-20000
              idmap gid = 10000-20000
              workgroup = DOMAIN
              security = domain
              password server = *

     Now start winbindd and you should find that your user and
     group database is expanded to include your NT users and
     groups, and that you can log in to your unix box as a domain
     user, using the DOMAIN+user syntax for the username. You may
     wish to use the commands getent passwd and getent group to
     confirm the correct operation of winbindd.
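     The NOTES below warn that PAM is easy to misconfigure to the
     point of locking yourself out. The following added example
     (not Samba's own code) lints a PAM file for the pattern the
     setup above relies on: pam_winbind marked sufficient, a local
     pam_unix/pam_unix2/pam_pwdb fallback after it carrying
     use_first_pass, and a pam_winbind account line. The sample
     file is constructed from the lines shown above.

```python
# Added example (not Samba code): lint a PAM file for the winbind stack pattern.
LOCAL_MODULES = ("pam_unix.so", "pam_unix2.so", "pam_pwdb.so")

# Constructed sample mirroring the auth and account lines from the man page.
SAMPLE_PAM = """\
auth  required    /lib/security/pam_securetty.so
auth  required    /lib/security/pam_nologin.so
auth  sufficient  /lib/security/pam_winbind.so
auth  required    /lib/security/pam_unix.so \\
                  use_first_pass shadow nullok
account required  /lib/security/pam_winbind.so
"""


def parse_pam(text):
    """Return (type, control, module basename, args) tuples; joins backslash continuations."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        module = fields[2].rsplit("/", 1)[-1]    # /lib/security/pam_unix.so -> pam_unix.so
        entries.append((fields[0], fields[1], module, fields[3:]))
    return entries


def check_winbind_stack(text):
    """Return a list of findings; an empty list means the stack matches the pattern."""
    findings = []
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    winbind = [i for i, e in enumerate(auth) if e[2] == "pam_winbind.so"]
    if not winbind:
        return ["no pam_winbind.so auth line: domain users cannot authenticate"]
    first = winbind[0]
    if auth[first][1] != "sufficient":
        findings.append("pam_winbind.so is not 'sufficient': a domain login will not end the stack")
    # A local fallback must follow winbind, or local accounts (root included) are locked out
    # whenever the domain controller is unreachable.
    fallback = [e for e in auth[first + 1:] if e[2] in LOCAL_MODULES]
    if not fallback:
        findings.append("no pam_unix/pam_unix2/pam_pwdb line after pam_winbind.so: local accounts locked out")
    elif "use_first_pass" not in fallback[0][3]:
        findings.append("fallback module lacks use_first_pass: users get a second password prompt")
    if not any(e[0] == "account" and e[2] == "pam_winbind.so" for e in entries):
        findings.append("no 'account' line for pam_winbind.so")
    return findings
```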

NOTES
     The following notes are useful when configuring and running
     winbindd:

     nmbd(1M) must be running on the local machine for winbindd
     to work.

     PAM is really easy to misconfigure. Make sure you know what
     you are doing when modifying PAM configuration files. It is
     possible to set up PAM such that you can no longer log into
     your system.

     If more than one UNIX machine is running winbindd, then in
     general the user and groups ids allocated by winbindd will
     not be the same. The user and group ids will only be valid
     for the local machine, unless a shared idmap backend is
     configured.

     If the Windows NT SID to UNIX user and group id mapping
     file is damaged or destroyed then the mappings will be lost.
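     The first-come, first-served allocation described under NAME
     AND ID RESOLUTION, and the consequence noted above that two
     machines allocate different ids unless the idmap store is
     shared, can be seen in the following added example (a model
     written for this page, not Samba's idmap code). The SIDs and
     the idmap range are constructed sample values.

```python
# Added example (not Samba code): a model of winbindd's first-come, first-served
# SID -> unix id allocation from the "idmap uid"/"idmap gid" range.

class IdmapStore:
    """Stands in for winbindd_idmap.tdb: the only record of SID <-> id mappings."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.sid_to_id = {}
        self.next_id = lo          # ids are handed out in the order SIDs are first seen

    def lookup(self, sid):
        """Return the unix id for sid, allocating the next free id on first sight."""
        if sid not in self.sid_to_id:
            if self.next_id > self.hi:
                raise RuntimeError(f"idmap range {self.lo}-{self.hi} exhausted")
            self.sid_to_id[sid] = self.next_id
            self.next_id += 1
        return self.sid_to_id[sid]

    def sid_for(self, unix_id):
        """Reverse lookup; nothing but this store can answer it, hence the WARNING above."""
        for sid, uid in self.sid_to_id.items():
            if uid == unix_id:
                return sid
        return None


def parse_idmap_range(value):
    """Parse the value of 'idmap uid = 10000-20000' (or idmap gid) from smb.conf."""
    lo, hi = (int(part) for part in value.strip().split("-"))
    if lo > hi:
        raise ValueError(f"invalid idmap range {value!r}")
    return lo, hi


def resolve_in_order(store, sids):
    """Resolve SIDs in the order a client presents them; returns the ids allocated."""
    return [store.lookup(sid) for sid in sids]


# Constructed SIDs (a domain SID plus per-account RIDs), as winbindd gets them from the DC.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
ALICE, BOB = DOMAIN_SID + "-1001", DOMAIN_SID + "-1002"

if __name__ == "__main__":
    lo, hi = parse_idmap_range("10000-20000")
    host_a, host_b = IdmapStore(lo, hi), IdmapStore(lo, hi)
    print(resolve_in_order(host_a, [ALICE, BOB]))        # host A sees Alice first
    print(resolve_in_order(host_b, [BOB, ALICE]))        # host B sees Bob first: ids swapped
    print(host_a.lookup(ALICE) == host_b.lookup(ALICE))  # False without a shared backend
```

     A single store used by both hosts, as a shared idmap backend
     (for example via LDAP) provides, gives the same answer
     whichever host resolves a SID first.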

SIGNALS
     The following signals can be used to manipulate the winbindd
     daemon.

     SIGHUP
         Reload the smb.conf(4) file and apply any parameter
         changes to the running version of winbindd. This signal
         also clears any cached user and group information. The
         list of other domains trusted by winbindd is also
         reloaded.

     SIGUSR2
         The SIGUSR2 signal will cause winbindd to write status
         information to the winbind log file.

         Log files are stored in the filename specified by the
         log file parameter.

FILES
     /etc/nsswitch.conf(4)
         Name service switch configuration file.

     /tmp/.winbindd/pipe
         The UNIX pipe over which clients communicate with the
         winbindd program. For security reasons, the winbind
         client will only attempt to connect to the winbindd
         daemon if both the /tmp/.winbindd directory and
         /tmp/.winbindd/pipe file are owned by root.

     $LOCKDIR/winbindd_privileged/pipe
         The UNIX pipe over which 'privileged' clients
         communicate with the winbindd program. For security
         reasons, access to some winbindd functions - like those
         needed by the ntlm_auth utility - is restricted. By
         default, only users in the 'root' group will get this
         access, however the administrator may change the group
         permissions on $LOCKDIR/winbindd_privileged to allow
         programs like 'squid' to use ntlm_auth. Note that the
         winbind client will only attempt to connect to the
         winbindd daemon if both the $LOCKDIR/winbindd_privileged
         directory and $LOCKDIR/winbindd_privileged/pipe file are
         owned by root.

     /lib/libnss_winbind.so.X
         Implementation of name service switch library.

     $LOCKDIR/winbindd_idmap.tdb
         Storage for the Windows NT rid to UNIX user/group id
         mapping. The lock directory is specified when Samba is
         initially compiled using the --with-lockdir option. This
         directory is by default /usr/local/samba/var/locks .

     $LOCKDIR/winbindd_cache.tdb
         Storage for cached user and group information.

VERSION
     This man page is correct for version 3 of the Samba suite.

SEE ALSO
     nsswitch.conf(4), samba(7), wbinfo(1), ntlm_auth(1M),
     smb.conf(4), pam_winbind(1M)

AUTHOR
     The original Samba software and related utilities were
     created by Andrew Tridgell. Samba is now developed by the
     Samba Team as an Open Source project similar to the way the
     Linux kernel is developed.

     wbinfo and winbindd were written by Tim Potter.

     The conversion to DocBook for Samba 2.2 was done by Gerald
     Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was
     done by Alexander Bokovoy.

ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ATTRIBUTE TYPE       ATTRIBUTE VALUE
     Availability         SUNWsmbar, SUNWsmbau
     Interface Stability  External

NOTES
     Source for Samba is available on http://opensolaris.org.

     Samba(7) delivers the set of four SMF(5) services as can be
     seen from the following example:

         $ svcs samba wins winbind swat
         STATE          STIME    FMRI
         disabled       Apr21   svc:/network/samba:default
         disabled       Apr21   svc:/network/winbind:default
         disabled       Apr21   svc:/network/wins:default
         disabled       Apr21   svc:/network/swat:default

     where the services are:

     "samba"
         runs the smbd daemon managing the CIFS sessions

     "wins"
         runs the nmbd daemon enabling the browsing (WINS)

     "winbind"
         runs the winbindd daemon making the domain idmap

     "swat"
         Samba Web Administration Tool is a service providing
         access to the browser-based Samba administration
         interface and on-line documentation. The service runs on
         the software loopback network interface on port 901/tcp,
         i.e. opening "http://localhost:901/" in a browser will
         access the SWAT service on the local machine.

     Please note: SWAT uses the HTTP Basic Authentication scheme,
     in which the user name and password are sent over the network
     in clear text. In the SWAT case the user name is root.
     Transferring such sensitive data is advisable only on the
     software loopback network interface or over secure networks.