WINBINDD(8)                System Administration tools                WINBINDD(8)

NAME
winbindd - Name Service Switch daemon for resolving names from NT servers

SYNOPSIS
winbindd [-D|--daemon] [-F|--foreground] [-S|--stdout] [-i|--interactive]
[-d <debug level>] [-s <smb config file>] [-n|--no-caching] [--no-process-group]

DESCRIPTION
This program is part of the samba(7) suite.

winbindd is a daemon that provides a number of services to the Name
Service Switch capability found in most modern C libraries, to
arbitrary applications via PAM and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a service
to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
connections to domain controllers. In this configuration the idmap
config * : range parameter is not required. (This is known as `netlogon
proxy only mode'.)

The Name Service Switch allows user and system information to be
obtained from different database services such as NIS or DNS. The
exact behaviour can be configured through the /etc/nsswitch.conf file.
Users and groups are allocated, as they are resolved, to a range of user
and group ids specified by the administrator of the Samba system.

The service provided by winbindd is called `winbind' and can be used to
resolve user and group information from a Windows NT server. The
service can also provide authentication services via an associated PAM
module.

The pam_winbind module supports the auth, account and password
module-types. It should be noted that the account module simply
performs a getpwnam() to verify that the system can obtain a uid for
the user, as the domain controller has already performed access
control. If the libnss_winbind library has been correctly installed, or
an alternate source of names configured, this should always succeed.

The following nsswitch databases are implemented by the winbindd
service:

hosts
This feature is only available on IRIX. User information
traditionally stored in the hosts(5) file and used by
gethostbyname(3) functions. Names are resolved through the WINS
server or by broadcast.

passwd
User information traditionally stored in the passwd(5) file and
used by getpwent(3) functions.

group
Group information traditionally stored in the group(5) file and
used by getgrent(3) functions.

For example, the following simple configuration in the
/etc/nsswitch.conf file can be used to initially resolve user and group
information from /etc/passwd and /etc/group and then from the Windows
NT server.

passwd: files winbind
group: files winbind
## only available on IRIX: use winbind to resolve hosts:
# hosts: files dns winbind
## All other NSS enabled systems should use libnss_wins.so like this:
hosts: files dns wins

The following simple configuration in the /etc/nsswitch.conf file can
be used to initially resolve hostnames from /etc/hosts and then from
the WINS server.

hosts: files wins

OPTIONS
-D|--daemon
If specified, this parameter causes the server to operate as a
daemon. That is, it detaches itself and runs in the background on
the appropriate port. This switch is assumed if winbindd is
executed on the command line of a shell.

-F|--foreground
If specified, this parameter causes the main winbindd process to
not daemonize, i.e. double-fork and disassociate from the terminal.
Child processes are still created as normal to service each
connection request, but the main process does not exit. This
operation mode is suitable for running winbindd under process
supervisors such as supervise and svscan from Daniel J. Bernstein's
daemontools package, or the AIX process monitor.

-S|--stdout
If specified, this parameter causes winbindd to log to standard
output rather than a file.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 0.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile=<configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

--option=<name>=<value>
Set the smb.conf(5) option "<name>" to value "<value>" from the
command line. This overrides compiled-in defaults and options read
from the configuration file.

-?|--help
Print a summary of command line options.

--usage
Display brief usage message.

-i|--interactive
Tells winbindd to not become a daemon and detach from the current
terminal. This option is used by developers when interactive
debugging of winbindd is required. winbindd also logs to standard
output, as if the -S parameter had been given.

-n|--no-caching
Disable some caching. This means winbindd will often have to wait
for a response from the domain controller before it can respond to
a client, which makes things slower. The results will however be
more accurate, since results from the cache might not be
up-to-date. This might also temporarily hang winbindd if the DC
doesn't respond. This does not disable the samlogon cache, which is
required for group membership tracking in trusted environments.

--no-process-group
Do not create a new process group for winbindd.

NAME AND ID RESOLUTION
Users and groups on a Windows NT server are assigned a security id
(SID) which is globally unique when the user or group is created. To
convert the Windows NT user or group into a unix user or group, a
mapping between SIDs and unix user and group ids is required. This is
one of the jobs that winbindd performs.

As winbindd users and groups are resolved from a server, user and group
ids are allocated from a specified range. This is done on a first come,
first served basis, although all existing users and groups will be
mapped as soon as a client performs a user or group enumeration
command. The allocated unix ids are stored in a database and will be
remembered.

WARNING: The SID to unix id database is the only location where the
user and group mappings are stored by winbindd. If this store is
deleted or corrupted, there is no way for winbindd to determine which
user and group ids correspond to Windows NT user and group rids.

CONFIGURATION
Configuration of the winbindd daemon is done through configuration
parameters in the smb.conf(5) file. All parameters should be specified
in the [global] section of smb.conf.

· winbind separator

· idmap config * : range

· idmap config * : backend

· winbind cache time

· winbind enum users

· winbind enum groups

· template homedir

· template shell

· winbind use default domain

· winbind: rpc only
Setting this parameter forces winbindd to use RPC instead of LDAP to
retrieve information from Domain Controllers.

EXAMPLE SETUP
To setup winbindd for user and group lookups plus authentication from a
domain controller use something like the following setup. This was
tested on an early Red Hat Linux box.

In /etc/nsswitch.conf put the following:

passwd: files winbind
group: files winbind

In /etc/pam.d/* replace the auth lines with something like this:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so \
use_first_pass shadow nullok

Note
The PAM module pam_unix has recently replaced the module pam_pwdb.
Some Linux systems use the module pam_unix2 in place of pam_unix.

Note in particular the use of the sufficient keyword and the
use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so

The next step is to join the domain. To do that use the net program
like this:

net join -S PDC -U Administrator

The username after the -U can be any Domain user that has administrator
privileges on the machine. Substitute the name or IP of your PDC for
"PDC".

Next copy libnss_winbind.so to /lib and pam_winbind.so to
/lib/security. A symbolic link needs to be made from
/lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an
older version of glibc then the target of the link should be
/lib/libnss_winbind.so.1.

Finally, setup a smb.conf(5) containing directives like the following:

[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap config * : range = 10000-20000
workgroup = DOMAIN
security = domain
password server = *

Now start winbindd and you should find that your user and group
database is expanded to include your NT users and groups, and that you
can login to your unix box as a domain user, using the DOMAIN+user
syntax for the username. You may wish to use the commands getent passwd
and getent group to confirm the correct operation of winbindd.
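Because PAM is easy to misconfigure, it helps to check the three files from the setup above before restarting winbindd. The following POSIX shell functions are an added example and not part of Samba or this man page; they take file paths as arguments, so they can be run against copies, and only recognise the spellings used in the examples above (winbind in nsswitch.conf, `auth sufficient ... pam_winbind.so` before `pam_unix.so ... use_first_pass`, and `idmap config * : range = LOW-HIGH`).

```shell
# Added example; not part of the Samba man page. Checks copies of the
# nsswitch.conf, PAM and smb.conf fragments used in the setup above.

# nsswitch_has_winbind FILE DB: true if the "DB:" line in FILE lists the winbind source.
nsswitch_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# pam_auth_order_ok FILE: true if an "auth sufficient ... pam_winbind.so" line
# comes before an "auth ... pam_unix.so" line carrying use_first_pass, which is
# the ordering the example relies on (fall back to the local password without
# prompting twice). Backslash-continued lines are joined before matching.
pam_auth_order_ok() {
    awk 'sub(/\\$/, "") { buf = buf $0 " "; next }
        { $0 = buf $0; buf = "" }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_winbind\.so$/ { wb = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && /use_first_pass/ && wb { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# idmap_range_ok FILE: true if FILE has "idmap config * : range = LOW-HIGH"
# (spelled as in the man page) with numeric LOW < HIGH; prints the range.
idmap_range_ok() {
    range=$(awk -F= '/^[ \t]*idmap config \* : range[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$1")
    low=${range%-*}; high=${range#*-}
    case "$low$high" in ""|*[!0-9]*) return 1 ;; esac   # missing or non-numeric
    [ "$low" -lt "$high" ] && echo "idmap range: $low-$high"
}

# check_winbind_setup NSSWITCH PAM SMBCONF: run every check, report each
# failure, and return 0 only if all of them pass.
check_winbind_setup() {
    rc=0
    for db in passwd group; do
        nsswitch_has_winbind "$1" "$db" || { echo "nsswitch: '$db' does not list winbind"; rc=1; }
    done
    pam_auth_order_ok "$2" || { echo "pam: need 'auth sufficient pam_winbind.so' before pam_unix.so use_first_pass"; rc=1; }
    idmap_range_ok "$3" || { echo "smb.conf: missing or inverted 'idmap config * : range'"; rc=1; }
    return $rc
}
```

Run as `check_winbind_setup /etc/nsswitch.conf /etc/pam.d/login /etc/samba/smb.conf` (paths are an assumption for your distribution) before restarting winbindd.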

NOTES
The following notes are useful when configuring and running winbindd:

nmbd(8) must be running on the local machine for winbindd to work.

PAM is really easy to misconfigure. Make sure you know what you are
doing when modifying PAM configuration files. It is possible to set up
PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, then in general the
user and group ids allocated by winbindd will not be the same. The
user and group ids will only be valid for the local machine, unless a
shared idmap config * : backend is configured.

If the Windows NT SID to UNIX user and group id mapping file is damaged
or destroyed then the mappings will be lost.

SIGNALS
The following signals can be used to manipulate the winbindd daemon.

SIGHUP
Reload the smb.conf(5) file and apply any parameter changes to the
running version of winbindd. This signal also clears any cached
user and group information. The list of other domains trusted by
winbindd is also reloaded.

SIGUSR2
The SIGUSR2 signal will cause winbindd to write status information
to the winbind log file.

Log files are stored in the filename specified by the log file
parameter.

FILES
/etc/nsswitch.conf(5)
Name service switch configuration file.

/tmp/.winbindd/pipe
The UNIX pipe over which clients communicate with the winbindd
program. For security reasons, the winbind client will only attempt
to connect to the winbindd daemon if both the /tmp/.winbindd
directory and /tmp/.winbindd/pipe file are owned by root.

$LOCKDIR/winbindd_privileged/pipe
The UNIX pipe over which 'privileged' clients communicate with the
winbindd program. For security reasons, access to some winbindd
functions - like those needed by the ntlm_auth utility - is
restricted. By default, only users in the 'root' group will get
this access, however the administrator may change the group
permissions on $LOCKDIR/winbindd_privileged to allow programs like
'squid' to use ntlm_auth. Note that the winbind client will only
attempt to connect to the winbindd daemon if both the
$LOCKDIR/winbindd_privileged directory and
$LOCKDIR/winbindd_privileged/pipe file are owned by root.

/lib/libnss_winbind.so.X
Implementation of name service switch library.

$LOCKDIR/winbindd_idmap.tdb
Storage for the Windows NT rid to UNIX user/group id mapping. The
lock directory is specified when Samba is initially compiled using
the --with-lockdir option. This directory is by default
/usr/local/samba/var/locks.

$LOCKDIR/winbindd_cache.tdb
Storage for cached user and group information.

VERSION
This man page is part of version 4.12.2 of the Samba suite.

SEE ALSO
nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5),
pam_winbind(8)

AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

wbinfo and winbindd were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
Bokovoy.

Samba 4.12.2                      04/28/2020                          WINBINDD(8)