WINBINDD(8)               System Administration tools              WINBINDD(8)


NAME

       winbindd - Name Service Switch daemon for resolving names from NT
       servers


SYNOPSIS

       winbindd [-D|--daemon] [-F|--foreground] [-S|--stdout]
        [-i|--interactive] [-d <debug level>] [-s <smb config file>]
        [-n|--no-caching] [--no-process-group]


DESCRIPTION

       This program is part of the samba(7) suite.

       winbindd is a daemon that provides a number of services to the Name
       Service Switch capability found in most modern C libraries, to
       arbitrary applications via PAM and ntlm_auth and to Samba itself.

       Even if winbind is not used for nsswitch, it still provides a service
       to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
       connections to domain controllers. In this configuration the idmap
       config * : range parameter is not required. (This is known as `netlogon
       proxy only mode'.)

       The Name Service Switch allows user and system information to be
       obtained from different database services such as NIS or DNS. The
       exact behaviour can be configured through the /etc/nsswitch.conf file.
       Users and groups are allocated, as they are resolved, to a range of
       user and group ids specified by the administrator of the Samba system.

       The service provided by winbindd is called `winbind' and can be used to
       resolve user and group information from a Windows NT server. The
       service can also provide authentication services via an associated PAM
       module.

       The pam_winbind module supports the auth, account and password
       module-types. It should be noted that the account module simply
       performs a getpwnam() to verify that the system can obtain a uid for
       the user, as the domain controller has already performed access
       control. If the libnss_winbind library has been correctly installed, or
       an alternate source of names configured, this should always succeed.

       The following nsswitch databases are implemented by the winbindd
       service:

       hosts
           This feature is only available on IRIX. Host information
           traditionally stored in the hosts(5) file and used by
           gethostbyname(3) functions. Names are resolved through the WINS
           server or by broadcast.

       passwd
           User information traditionally stored in the passwd(5) file and
           used by getpwent(3) functions.

       group
           Group information traditionally stored in the group(5) file and
           used by getgrent(3) functions.

       For example, the following simple configuration in the
       /etc/nsswitch.conf file can be used to initially resolve user and group
       information from /etc/passwd and /etc/group and then from the Windows
       NT server.

           passwd:         files winbind
           group:          files winbind
           ## only available on IRIX: use winbind to resolve hosts:
           # hosts:        files dns winbind
           ## All other NSS enabled systems should use libnss_wins.so like this:
           hosts:          files dns wins


       The following simple configuration in the /etc/nsswitch.conf file can
       be used to initially resolve hostnames from /etc/hosts and then from
       the WINS server.

           hosts:         files wins

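       The following shell script is an added example; it is not part of this
       man page or of the Samba sources. It parses an nsswitch.conf file and
       checks it against the layout described above: passwd and group must
       list winbind after files (so local accounts such as root are still
       resolved locally), and hosts must not use winbind on anything but IRIX.
       The two configuration files it reads are constructed samples written to
       a temporary directory.

```shell
#!/bin/sh
# Added example, not from the Samba project: sanity-check the winbind
# entries of an nsswitch.conf file.

# nss_sources FILE DB: print the sources configured for database DB
# (e.g. "files winbind"), ignoring full-line and trailing comments.
nss_sources() {
    sed -e 's/#.*//' "$1" |
        awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has_source SOURCES NAME: 0 if NAME appears in the space-separated SOURCES.
has_source() {
    for s in $1; do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# first_source SOURCES: print the first source in the list.
first_source() {
    set -- $1
    printf '%s\n' "$1"
}

# check_nsswitch FILE [PLATFORM]: 0 when FILE follows the layout above,
# 1 otherwise; one line is printed per problem found. PLATFORM defaults
# to "linux"; only "irix" permits winbind as a hosts source.
check_nsswitch() {
    file=$1; platform=${2:-linux}; rc=0
    for db in passwd group; do
        src=$(nss_sources "$file" "$db")
        if ! has_source "$src" winbind; then
            echo "$db: winbind is not listed (got: '$src')"; rc=1
        elif [ "$(first_source "$src")" != files ]; then
            echo "$db: local files should come before winbind (got: '$src')"; rc=1
        fi
    done
    hosts=$(nss_sources "$file" hosts)
    if has_source "$hosts" winbind && [ "$platform" != irix ]; then
        echo "hosts: winbind is only available on IRIX; use wins (got: '$hosts')"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
passwd:         files winbind
group:          files winbind
## only available on IRIX: use winbind to resolve hosts:
# hosts:        files dns winbind
hosts:          files dns wins
EOF
cat > "$tmp/bad.conf" <<'EOF'
passwd:         winbind files   # domain consulted before local files
group:          files
hosts:          files dns winbind
EOF

check_nsswitch "$tmp/good.conf" && echo "good.conf: OK"
check_nsswitch "$tmp/bad.conf" || echo "bad.conf: problems found"
```

       Run it against the real file with check_nsswitch /etc/nsswitch.conf;
       the second argument is only needed on IRIX.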

OPTIONS

       -D|--daemon
           If specified, this parameter causes the server to operate as a
           daemon. That is, it detaches itself and runs in the background on
           the appropriate port. This switch is assumed if winbindd is
           executed on the command line of a shell.

       -F|--foreground
           If specified, this parameter causes the main winbindd process to
           not daemonize, i.e. double-fork and disassociate with the terminal.
           Child processes are still created as normal to service each
           connection request, but the main process does not exit. This
           operation mode is suitable for running winbindd under process
           supervisors such as supervise and svscan from Daniel J. Bernstein's
           daemontools package, or the AIX process monitor.

       -S|--stdout
           If specified, this parameter causes winbindd to log to standard
           output rather than a file.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 0.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -i|--interactive
           Tells winbindd to not become a daemon and detach from the current
           terminal. This option is used by developers when interactive
           debugging of winbindd is required.  winbindd also logs to standard
           output, as if the -S parameter had been given.

       -n|--no-caching
           Disable some caching. This means winbindd will often have to wait
           for a response from the domain controller before it can respond to
           a client, which makes things slower. The results will however be
           more accurate, since results from the cache might not be
           up-to-date. This might also temporarily hang winbindd if the DC
           doesn't respond. This does not disable the samlogon cache, which is
           required for group membership tracking in trusted environments.

       --no-process-group
           Do not create a new process group for winbindd.


NAME AND ID RESOLUTION

       Users and groups on a Windows NT server are assigned a security id
       (SID) which is globally unique when the user or group is created. To
       convert the Windows NT user or group into a unix user or group, a
       mapping between SIDs and unix user and group ids is required. This is
       one of the jobs that winbindd performs.

       As winbindd users and groups are resolved from a server, user and group
       ids are allocated from a specified range. This is done on a first come,
       first served basis, although all existing users and groups will be
       mapped as soon as a client performs a user or group enumeration
       command. The allocated unix ids are stored in a database and will be
       remembered.

       WARNING: The SID to unix id database is the only location where the
       user and group mappings are stored by winbindd. If this store is
       deleted or corrupted, there is no way for winbindd to determine which
       user and group ids correspond to Windows NT user and group rids.


CONFIGURATION

       Configuration of the winbindd daemon is done through configuration
       parameters in the smb.conf(5) file. All parameters should be specified
       in the [global] section of smb.conf.

              ·   winbind separator

              ·   idmap config * : range

              ·   idmap config * : backend

              ·   winbind cache time

              ·   winbind enum users

              ·   winbind enum groups

              ·   template homedir

              ·   template shell

              ·   winbind use default domain

              ·   winbind: rpc only

                  Setting this parameter forces winbindd to use RPC instead
                  of LDAP to retrieve information from Domain Controllers.


EXAMPLE SETUP

       To set up winbindd for user and group lookups plus authentication from
       a domain controller use something like the following setup. This was
       tested on an early Red Hat Linux box.

       In /etc/nsswitch.conf put the following:

           passwd: files winbind
           group:  files winbind

       In /etc/pam.d/* replace the auth lines with something like this:

           auth  required    /lib/security/pam_securetty.so
           auth  required    /lib/security/pam_nologin.so
           auth  sufficient  /lib/security/pam_winbind.so
           auth  required    /lib/security/pam_unix.so \
                             use_first_pass shadow nullok


           Note
           The PAM module pam_unix has recently replaced the module pam_pwdb.
           Some Linux systems use the module pam_unix2 in place of pam_unix.

       Note in particular the use of the sufficient keyword and the
       use_first_pass keyword.

       Now replace the account lines with this:

           account required /lib/security/pam_winbind.so

       The next step is to join the domain. To do that use the net program
       like this:

           net join -S PDC -U Administrator

       The username after the -U can be any Domain user that has administrator
       privileges on the machine. Substitute the name or IP of your PDC for
       "PDC".

       Next copy libnss_winbind.so to /lib and pam_winbind.so to
       /lib/security. A symbolic link needs to be made from
       /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an
       older version of glibc then the target of the link should be
       /lib/libnss_winbind.so.1.

       Finally, set up an smb.conf(5) containing directives like the
       following:

           [global]
                winbind separator = +
                winbind cache time = 10
                template shell = /bin/bash
                template homedir = /home/%D/%U
                idmap config * : range = 10000-20000
                workgroup = DOMAIN
                security = domain
                password server = *

       Now start winbindd and you should find that your user and group
       database is expanded to include your NT users and groups, and that you
       can log in to your unix box as a domain user, using the DOMAIN+user
       syntax for the username. You may wish to use the commands getent passwd
       and getent group to confirm the correct operation of winbindd.
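       The following shell script is an added example and is not part of this
       man page or of Samba. It takes the getent passwd check suggested above
       one step further and also covers the NAME AND ID RESOLUTION section:
       given passwd-style lines, it picks out the winbind-resolved accounts
       (those whose name contains the winbind separator) and reports any
       whose uid or gid lies outside the idmap config * : range from smb.conf,
       which is what an administrator would see after the idmap database has
       been damaged or a second host allocates its own ids. The input it uses
       is a constructed sample of getent passwd output, not real data.

```shell
#!/bin/sh
# Added example, not from the Samba project: check that winbind-allocated
# ids stay inside the configured idmap range.
# Usage on a live system: getent passwd | check_idmap_range 10000-20000 '+'

# Constructed sample of "getent passwd" output: two local accounts and three
# DOMAIN+user entries, one of which (dave) has a uid outside 10000-20000.
SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
DOMAIN+bob:*:10001:10000:Bob:/home/DOMAIN/bob:/bin/bash
DOMAIN+carol:*:10002:10000:Carol:/home/DOMAIN/carol:/bin/bash
DOMAIN+dave:*:65534:10000:Dave:/home/DOMAIN/dave:/bin/bash'

# check_idmap_range RANGE SEP: read passwd lines on stdin; print one line
# per domain account (prefixed "ok" or "BAD"); return 0 if every domain
# uid and gid is inside RANGE (written LOW-HIGH), 1 otherwise.
check_idmap_range() {
    range=$1; sep=$2
    lo=${range%-*}; hi=${range#*-}
    awk -F: -v lo="$lo" -v hi="$hi" -v sep="$sep" '
        BEGIN { rc = 0 }
        index($1, sep) == 0 { next }          # local account: not winbind-allocated
        {
            bad = ""
            if ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) bad = bad " uid"
            if ($4 + 0 < lo + 0 || $4 + 0 > hi + 0) bad = bad " gid"
            if (bad == "") {
                print "ok   " $1 " uid=" $3 " gid=" $4
            } else {
                print "BAD  " $1 " uid=" $3 " gid=" $4 " (outside " lo "-" hi ":" bad ")"
                rc = 1
            }
        }
        END { exit rc }'
}

printf '%s\n' "$SAMPLE" | check_idmap_range 10000-20000 '+' ||
    echo "one or more domain accounts have ids outside the idmap range"
```

       A BAD line for an account that was working earlier is the symptom
       described under NAME AND ID RESOLUTION: the mapping database no longer
       holds the id that was originally allocated.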


NOTES

       The following notes are useful when configuring and running winbindd:

       nmbd(8) must be running on the local machine for winbindd to work.

       PAM is really easy to misconfigure. Make sure you know what you are
       doing when modifying PAM configuration files. It is possible to set up
       PAM such that you can no longer log into your system.

       If more than one UNIX machine is running winbindd, then in general the
       user and group ids allocated by winbindd will not be the same. The
       user and group ids will only be valid for the local machine, unless a
       shared idmap config * : backend is configured.

       If the Windows NT SID to UNIX user and group id mapping file is damaged
       or destroyed then the mappings will be lost.


SIGNALS

       The following signals can be used to manipulate the winbindd daemon.

       SIGHUP
           Reload the smb.conf(5) file and apply any parameter changes to the
           running version of winbindd. This signal also clears any cached
           user and group information. The list of other domains trusted by
           winbindd is also reloaded.

           Instead of sending a SIGHUP signal, a request to reload the
           configuration file may be sent using the smbcontrol(1) program.

       SIGUSR2
           The SIGUSR2 signal will cause winbindd to write status information
           to the winbind log file.

           Log files are stored in the filename specified by the log file
           parameter.


FILES

       /etc/nsswitch.conf(5)
           Name service switch configuration file.

       /tmp/.winbindd/pipe
           The UNIX pipe over which clients communicate with the winbindd
           program. For security reasons, the winbind client will only attempt
           to connect to the winbindd daemon if both the /tmp/.winbindd
           directory and /tmp/.winbindd/pipe file are owned by root.

       $LOCKDIR/winbindd_privileged/pipe
           The UNIX pipe over which 'privileged' clients communicate with the
           winbindd program. For security reasons, access to some winbindd
           functions - like those needed by the ntlm_auth utility - is
           restricted. By default, only users in the 'root' group will get
           this access, however the administrator may change the group
           permissions on $LOCKDIR/winbindd_privileged to allow programs like
           'squid' to use ntlm_auth. Note that the winbind client will only
           attempt to connect to the winbindd daemon if both the
           $LOCKDIR/winbindd_privileged directory and
           $LOCKDIR/winbindd_privileged/pipe file are owned by root.
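       The following shell script is an added example, not part of this man
       page or of the winbind client code. It applies the ownership rule
       described for the two pipes above from the outside: both the socket
       directory and the pipe inside it must be owned by root (uid 0), or
       winbind clients will refuse to connect. It is useful when wbinfo or
       pam_winbind silently fail on a host where the directory was created or
       chowned by something other than winbindd. The lock directory default
       is the one quoted for $LOCKDIR on this page; the paths checked are
       only examples.

```shell
#!/bin/sh
# Added example, not from the Samba project: verify that a winbindd socket
# directory and the pipe inside it are owned by the expected uid.

# owner_of PATH: print the numeric uid owning PATH (ls -n is POSIX, so this
# works on GNU and BSD userlands and on hosts where the uid has no name).
owner_of() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_pipe_owner DIR PIPENAME [UID]: return 0 if DIR and DIR/PIPENAME both
# exist and are owned by UID (default 0, i.e. root); otherwise print the
# reason and return 1. On success the directory mode is printed as well, so
# an administrator can review who else has been granted access.
check_pipe_owner() {
    dir=$1; pipe=$1/$2; want=${3:-0}
    for p in "$dir" "$pipe"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing (is winbindd running?)"
            return 1
        fi
        have=$(owner_of "$p")
        if [ "$have" != "$want" ]; then
            echo "$p: owned by uid $have, expected uid $want; winbind clients will not connect"
            return 1
        fi
    done
    echo "$dir: ownership ok, mode $(ls -ld "$dir" | awk '{ print $1 }')"
}

# Both sockets described above; $LOCKDIR falls back to the compile-time
# default quoted on this page. Failure is reported but not fatal here.
check_pipe_owner /tmp/.winbindd pipe || true
check_pipe_owner "${LOCKDIR:-/usr/local/samba/var/locks}/winbindd_privileged" pipe || true
```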

       /lib/libnss_winbind.so.X
           Implementation of name service switch library.

       $LOCKDIR/winbindd_idmap.tdb
           Storage for the Windows NT rid to UNIX user/group id mapping. The
           lock directory is specified when Samba is initially compiled using
           the --with-lockdir option. This directory is by default
           /usr/local/samba/var/locks.

       $LOCKDIR/winbindd_cache.tdb
           Storage for cached user and group information.


VERSION

       This man page is part of version 4.13.7 of the Samba suite.


SEE ALSO

       nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5),
       pam_winbind(8)


AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       wbinfo and winbindd were written by Tim Potter.

       The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
       conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
       Bokovoy.



Samba 4.13.7                      03/25/2021                       WINBINDD(8)