WINBINDD(8) System Administration tools WINBINDD(8)

NAME
winbindd - Name Service Switch daemon for resolving names from NT
servers

SYNOPSIS
winbindd [-D] [-F] [-S] [-i] [-d <debug level>] [-s <smb config file>]
[-n]

DESCRIPTION
This program is part of the samba(7) suite.

winbindd is a daemon that provides a number of services to the Name
Service Switch capability found in most modern C libraries, to
arbitrary applications via PAM and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a service
to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
connections to domain controllers. In this configuration the idmap
config * : range parameter is not required. (This is known as `netlogon
proxy only mode'.)
The Name Service Switch allows user and system information to be
obtained from different database services such as NIS or DNS. The
exact behaviour can be configured through the /etc/nsswitch.conf file.
As users and groups are resolved, they are allocated ids from a range
of user and group ids specified by the administrator of the Samba
system.

The service provided by winbindd is called `winbind' and can be used to
resolve user and group information from a Windows NT server. The
service can also provide authentication services via an associated PAM
module.

The pam_winbind module supports the auth, account and password
module-types. It should be noted that the account module simply
performs a getpwnam() to verify that the system can obtain a uid for
the user, as the domain controller has already performed access
control. If the libnss_winbind library has been correctly installed, or
an alternate source of names configured, this should always succeed.

The following nsswitch databases are implemented by the winbindd
service:

hosts
This feature is only available on IRIX. User information
traditionally stored in the hosts(5) file and used by
gethostbyname(3) functions. Names are resolved through the WINS
server or by broadcast.

passwd
User information traditionally stored in the passwd(5) file and
used by getpwent(3) functions.

group
Group information traditionally stored in the group(5) file and
used by getgrent(3) functions.

For example, the following simple configuration in the
/etc/nsswitch.conf file can be used to initially resolve user and group
information from /etc/passwd and /etc/group and then from the Windows
NT server.

passwd: files winbind
group: files winbind
## only available on IRIX: use winbind to resolve hosts:
# hosts: files dns winbind
## All other NSS enabled systems should use libnss_wins.so like this:
hosts: files dns wins


The following simple configuration in the /etc/nsswitch.conf file can
be used to initially resolve hostnames from /etc/hosts and then from
the WINS server.

hosts: files wins

OPTIONS
-D
If specified, this parameter causes the server to operate as a
daemon. That is, it detaches itself and runs in the background on
the appropriate port. This switch is assumed if winbindd is
executed on the command line of a shell.

-F
If specified, this parameter causes the main winbindd process to
not daemonize, i.e. it does not double-fork and disassociate from the
terminal. Child processes are still created as normal to service each
connection request, but the main process does not exit. This
operation mode is suitable for running winbindd under process
supervisors such as supervise and svscan from Daniel J. Bernstein's
daemontools package, or the AIX process monitor.

-S
If specified, this parameter causes winbindd to log to standard
output rather than a file.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 0.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile <configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

-?|--help
Print a summary of command line options.

-i
Tells winbindd to not become a daemon and detach from the current
terminal. This option is used by developers when interactive
debugging of winbindd is required. winbindd also logs to standard
output, as if the -S parameter had been given.

-n
Disable caching. This means winbindd will always have to wait for a
response from the domain controller before it can respond to a
client, which makes things slower. The results will however
be more accurate, since results from the cache might not be
up-to-date. This might also temporarily hang winbindd if the DC
doesn't respond.

NAME AND ID RESOLUTION
Users and groups on a Windows NT server are assigned a security id
(SID) which is globally unique when the user or group is created. To
convert the Windows NT user or group into a unix user or group, a
mapping between SIDs and unix user and group ids is required. This is
one of the jobs that winbindd performs.

As winbindd users and groups are resolved from a server, user and group
ids are allocated from a specified range. This is done on a first come,
first served basis, although all existing users and groups will be
mapped as soon as a client performs a user or group enumeration
command. The allocated unix ids are stored in a database and will be
remembered.

WARNING: The SID to unix id database is the only location where the
user and group mappings are stored by winbindd. If this store is
deleted or corrupted, there is no way for winbindd to determine which
user and group ids correspond to Windows NT user and group rids.

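The allocation behaviour and the warning above can be seen in a small model. The following is an added example and is not Samba code: an in-memory stand-in for the idmap database that hands out unix ids from an "idmap config * : range" value on a first come, first served basis, plus a minimal reader for that parameter from smb.conf text. Re-running the allocation against an empty database, as happens after the real store is deleted, gives the same SIDs different ids, which is why files already owned by those ids on disk would then be attributed to the wrong domain users. The SIDs and smb.conf fragment used are constructed sample values.

```python
"""Model of winbindd's first-come, first-served SID-to-unix-id allocation.

Added example, not Samba code.  IdmapAllocator stands in for
$LOCKDIR/winbindd_idmap.tdb; all SIDs used below are constructed.
"""


class IdmapAllocator:
    """Allocate unix ids for SIDs from a configured range, remembering each mapping."""

    def __init__(self, id_range):
        # id_range is the smb.conf value as written, e.g. "10000-20000"
        low, high = (int(x) for x in id_range.split("-"))
        if low > high:
            raise ValueError("idmap range low bound exceeds high bound")
        self.low, self.high = low, high
        self.next_id = low
        self.sid_to_id = {}   # the persistent mapping database
        self.id_to_sid = {}

    def lookup_or_allocate(self, sid):
        """Return the unix id for sid, allocating the next free one if it is new."""
        if sid in self.sid_to_id:
            return self.sid_to_id[sid]
        if self.next_id > self.high:
            raise RuntimeError("idmap range exhausted; no id left for %s" % sid)
        unix_id = self.next_id
        self.next_id += 1
        self.sid_to_id[sid] = unix_id
        self.id_to_sid[unix_id] = sid
        return unix_id

    def sid_for_id(self, unix_id):
        """Reverse lookup, as needed when mapping file ownership back to a SID."""
        return self.id_to_sid.get(unix_id)

    def remaining(self):
        """Number of ids still free in the range."""
        return max(0, self.high - self.next_id + 1)


def parse_idmap_range(smb_conf_text):
    """Return the 'idmap config * : range' value from the [global] section, or None."""
    in_global = False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # parameter names are case-insensitive and ignore internal spacing
            if key.lower().replace(" ", "") == "idmapconfig*:range":
                return value
    return None


def demonstrate_db_loss(id_range, first_order, second_order):
    """Allocate SIDs in first_order, lose the database, re-allocate in second_order.

    Returns {sid: (id before loss, id after loss)} for every SID in first_order.
    """
    before = IdmapAllocator(id_range)
    for sid in first_order:
        before.lookup_or_allocate(sid)
    after = IdmapAllocator(id_range)   # fresh database: the old mapping is gone
    for sid in second_order:
        after.lookup_or_allocate(sid)
    return {sid: (before.sid_to_id[sid], after.sid_to_id[sid]) for sid in first_order}


if __name__ == "__main__":
    # constructed sample smb.conf fragment and SIDs
    conf = "[global]\n   workgroup = DOMAIN\n   idmap config * : range = 10000-20000\n"
    sids = ["S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002", "S-1-5-21-1-2-3-1003"]
    for sid, ids in demonstrate_db_loss(parse_idmap_range(conf), sids, sids[::-1]).items():
        print("%s: before loss uid %d, after loss uid %d" % (sid, ids[0], ids[1]))
```

The point the output makes is that resolution order, not the SID, decides which id a user gets; anything persisted on disk with those ids is only meaningful while the database that produced them survives.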
CONFIGURATION
Configuration of the winbindd daemon is done through configuration
parameters in the smb.conf(5) file. All parameters should be specified
in the [global] section of smb.conf.

· winbind separator

· idmap config * : range

· idmap config * : backend

· winbind cache time

· winbind enum users

· winbind enum groups

· template homedir

· template shell

· winbind use default domain

· winbind: rpc only
Setting this parameter forces winbindd to use RPC instead of LDAP to
retrieve information from Domain Controllers.

EXAMPLE SETUP
To set up winbindd for user and group lookups plus authentication from a
domain controller use something like the following setup. This was
tested on an early Red Hat Linux box.

In /etc/nsswitch.conf put the following:

passwd: files winbind
group: files winbind

In /etc/pam.d/* replace the auth lines with something like this:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so \
use_first_pass shadow nullok


Note
The PAM module pam_unix has recently replaced the module pam_pwdb.
Some Linux systems use the module pam_unix2 in place of pam_unix.

Note in particular the use of the sufficient keyword and the
use_first_pass keyword.
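Why the sufficient keyword matters is easiest to see by walking the stack by hand. The following is an added example, not part of the man page or of Samba or Linux-PAM: it models the control-flag semantics (required, requisite, sufficient, optional) for a list of (flag, module) pairs and evaluates the auth stack above under constructed module outcomes, alongside a variant in which pam_winbind is mistakenly made required. Password passing (use_first_pass) is not modelled; each module's result is simply supplied as True or False.

```python
"""Model of how a PAM-style auth stack with required/sufficient modules is evaluated.

Added example, not Samba or Linux-PAM code.  Module outcomes are supplied
as a constructed dict; no real PAM call is made.
"""

# The auth stack from the example setup, module paths shortened to names.
EXAMPLE_AUTH_STACK = [
    ("required", "pam_securetty"),
    ("required", "pam_nologin"),
    ("sufficient", "pam_winbind"),
    ("required", "pam_unix"),
]

# A common mistake: making the domain module 'required' instead of 'sufficient'.
LOCKOUT_PRONE_STACK = [
    ("required", "pam_securetty"),
    ("required", "pam_nologin"),
    ("required", "pam_winbind"),
    ("required", "pam_unix"),
]


def evaluate_stack(stack, results):
    """Return (authenticated, modules_consulted) for a stack of (flag, module).

    results maps module name -> True (success) or False (failure).
    Semantics follow the simple control keywords:
      required   - failure is remembered, but the stack keeps running
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack with success unless an earlier
                   'required' module already failed; failure is ignored
      optional   - only decides the result if it is the sole module
    """
    required_failed = False
    consulted = []
    for flag, module in stack:
        ok = results[module]
        consulted.append(module)
        if flag == "required":
            if not ok:
                required_failed = True
        elif flag == "requisite":
            if not ok:
                return False, consulted
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, consulted
        elif flag == "optional":
            if len(stack) == 1:
                return ok, consulted
        else:
            raise ValueError("unknown control flag %r" % flag)
    return not required_failed, consulted


def domain_user_with_dc_up(stack=EXAMPLE_AUTH_STACK):
    """Domain user, DC reachable: pam_winbind succeeds, no local passwd entry."""
    return evaluate_stack(stack, {
        "pam_securetty": True, "pam_nologin": True,
        "pam_winbind": True, "pam_unix": False,
    })


def local_root_with_dc_down(stack):
    """Local root login while the DC is unreachable: pam_winbind fails, pam_unix succeeds."""
    return evaluate_stack(stack, {
        "pam_securetty": True, "pam_nologin": True,
        "pam_winbind": False, "pam_unix": True,
    })


if __name__ == "__main__":
    print("domain user, example stack:", domain_user_with_dc_up())
    print("local root, DC down, example stack:", local_root_with_dc_down(EXAMPLE_AUTH_STACK))
    print("local root, DC down, winbind required:", local_root_with_dc_down(LOCKOUT_PRONE_STACK))
```

With the page's stack a domain user is accepted as soon as pam_winbind succeeds and pam_unix is never consulted, while a local account still works when the DC is down because a failed sufficient module is ignored. With pam_winbind marked required, the DC outage locks out local root as well, which is the misconfiguration the NOTES section warns about.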

Now replace the account lines with this:

account required /lib/security/pam_winbind.so

The next step is to join the domain. To do that use the net program
like this:

net join -S PDC -U Administrator

The username after the -U can be any Domain user that has administrator
privileges on the machine. Substitute the name or IP of your PDC for
"PDC".

Next copy libnss_winbind.so to /lib and pam_winbind.so to
/lib/security. A symbolic link needs to be made from
/lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an
older version of glibc then the target of the link should be
/lib/libnss_winbind.so.1.

Finally, set up an smb.conf(5) containing directives like the following:

[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap config * : range = 10000-20000
workgroup = DOMAIN
security = domain
password server = *

Now start winbindd and you should find that your user and group
database is expanded to include your NT users and groups, and that you
can log in to your unix box as a domain user, using the DOMAIN+user
syntax for the username. You may wish to use the commands getent passwd
and getent group to confirm the correct operation of winbindd.

NOTES
The following notes are useful when configuring and running winbindd:

nmbd(8) must be running on the local machine for winbindd to work.

PAM is really easy to misconfigure. Make sure you know what you are
doing when modifying PAM configuration files. It is possible to set up
PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, then in general the
user and group ids allocated by winbindd will not be the same. The
user and group ids will only be valid for the local machine, unless a
shared idmap config * : backend is configured.

If the Windows NT SID to UNIX user and group id mapping file is
damaged or destroyed then the mappings will be lost.

SIGNALS
The following signals can be used to manipulate the winbindd daemon.

SIGHUP
Reload the smb.conf(5) file and apply any parameter changes to the
running version of winbindd. This signal also clears any cached
user and group information. The list of other domains trusted by
winbindd is also reloaded.

SIGUSR2
The SIGUSR2 signal will cause winbindd to write status information
to the winbind log file.

Log files are stored in the filename specified by the log file
parameter.

FILES
/etc/nsswitch.conf(5)
Name service switch configuration file.

/tmp/.winbindd/pipe
The UNIX pipe over which clients communicate with the winbindd
program. For security reasons, the winbind client will only attempt
to connect to the winbindd daemon if both the /tmp/.winbindd
directory and /tmp/.winbindd/pipe file are owned by root.

$LOCKDIR/winbindd_privileged/pipe
The UNIX pipe over which 'privileged' clients communicate with the
winbindd program. For security reasons, access to some winbindd
functions - like those needed by the ntlm_auth utility - is
restricted. By default, only users in the 'root' group will get
this access, however the administrator may change the group
permissions on $LOCKDIR/winbindd_privileged to allow programs like
'squid' to use ntlm_auth. Note that the winbind client will only
attempt to connect to the winbindd daemon if both the
$LOCKDIR/winbindd_privileged directory and
$LOCKDIR/winbindd_privileged/pipe file are owned by root.

/lib/libnss_winbind.so.X
Implementation of name service switch library.

$LOCKDIR/winbindd_idmap.tdb
Storage for the Windows NT rid to UNIX user/group id mapping. The
lock directory is specified when Samba is initially compiled using
the --with-lockdir option. This directory is by default
/usr/local/samba/var/locks.

$LOCKDIR/winbindd_cache.tdb
Storage for cached user and group information.

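An administrator auditing a winbindd host will want to confirm the ownership rule stated for both pipes above, and to see which group the privileged directory actually admits after its permissions have been changed. The following is an added example and is not the Samba client's own code: it applies the root-ownership condition from the FILES entries to stat results for a pipe directory and its pipe, reports the group granted access to winbindd_privileged through the directory's group bits, and flags permissions an administrator would not expect there. The stat values in the demo are constructed with os.stat_result so the code runs without a live winbindd; check_path() is the variant that stats real paths.

```python
"""Ownership and permission checks for the winbindd pipe directories.

Added example, not Samba code.  Mirrors the rule given in FILES: the
client only connects if both the directory and the pipe are owned by root.
"""
import os
import stat


def pipe_is_trusted(dir_st, pipe_st):
    """Return (trusted, reasons) for a pipe directory and pipe stat pair."""
    reasons = []
    if not stat.S_ISDIR(dir_st.st_mode):
        reasons.append("pipe directory is not a directory")
    if dir_st.st_uid != 0:
        reasons.append("pipe directory not owned by root (uid %d)" % dir_st.st_uid)
    if pipe_st.st_uid != 0:
        reasons.append("pipe not owned by root (uid %d)" % pipe_st.st_uid)
    return (not reasons, reasons)


def privileged_access_group(dir_st):
    """Return the gid admitted to winbindd_privileged via group r-x, or None.

    A group member can only open the pipe inside if the directory is both
    readable and searchable by group.
    """
    needed = stat.S_IRGRP | stat.S_IXGRP
    if dir_st.st_mode & needed == needed:
        return dir_st.st_gid
    return None


def privileged_dir_concerns(dir_st):
    """Permission bits an administrator would want flagged on winbindd_privileged."""
    concerns = []
    if dir_st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
        concerns.append("world access to privileged pipe directory")
    if dir_st.st_mode & stat.S_IWGRP:
        concerns.append("group write on privileged pipe directory")
    return concerns


def fake_stat(mode, uid, gid):
    """Constructed os.stat_result carrying only the fields these checks read."""
    # field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def check_path(dir_path, pipe_path):
    """Live variant: e.g. check_path('/tmp/.winbindd', '/tmp/.winbindd/pipe')."""
    return pipe_is_trusted(os.stat(dir_path), os.stat(pipe_path))


if __name__ == "__main__":
    # constructed stat values: a root-owned public pipe directory and pipe
    public_dir = fake_stat(stat.S_IFDIR | 0o755, 0, 0)
    public_pipe = fake_stat(stat.S_IFSOCK | 0o666, 0, 0)
    print("public pipe:", pipe_is_trusted(public_dir, public_pipe))
    # constructed: privileged directory with group changed to gid 23 and mode 0750
    priv_dir = fake_stat(stat.S_IFDIR | 0o750, 0, 23)
    print("privileged access gid:", privileged_access_group(priv_dir))
    print("concerns:", privileged_dir_concerns(priv_dir))
```

Ownership alone is what the client checks; the group and world bits are the administrator's responsibility, which is why the example reports them separately rather than folding them into the trust decision.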
VERSION
This man page is correct for version 3 of the Samba suite.

SEE ALSO
nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5),
pam_winbind(8)

AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

wbinfo and winbindd were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
Bokovoy.

Samba 3.6 04/11/2016 WINBINDD(8)