1WINBINDD(8) System Administration tools WINBINDD(8)
2
3
4
6 winbindd - Name Service Switch daemon for resolving names from NT
7 servers
8
10 winbindd [-D|--daemon] [-i|--interactive] [-F|--foreground]
11 [--no-process-group] [-n|--no-caching] [-d <debug level>]
12 [--debug-stdout] [--configfile=<configuration file>]
13 [--option=<name>=<value>] [-l|--log-basename <log directory>]
14 [--leak-report] [--leak-report-full] [-V|--version]
15
17 This program is part of the samba(7) suite.
18
19 winbindd is a daemon that provides a number of services to the Name
20 Service Switch capability found in most modern C libraries, to
21 arbitrary applications via PAM and ntlm_auth and to Samba itself.
22
23 Even if winbind is not used for nsswitch, it still provides a service
24 to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
25 connections to domain controllers. In this configuration the idmap
26 config * : range parameter is not required. (This is known as `netlogon
27 proxy only mode'.)
28
29 The Name Service Switch allows user and system information to be
30 obtained from different databases services such as NIS or DNS. The
31 exact behaviour can be configured through the /etc/nsswitch.conf file.
32 Users and groups are allocated as they are resolved to a range of user
33 and group ids specified by the administrator of the Samba system.
34
35 The service provided by winbindd is called `winbind' and can be used to
36 resolve user and group information from a Windows NT server. The
37 service can also provide authentication services via an associated PAM
38 module.
39
40 The pam_winbind module supports the auth, account and password
41 module-types. It should be noted that the account module simply
42 performs a getpwnam() to verify that the system can obtain a uid for
43 the user, as the domain controller has already performed access
44 control. If the libnss_winbind library has been correctly installed, or
45 an alternate source of names configured, this should always succeed.
46
47 The following nsswitch databases are implemented by the winbindd
48 service:
49
50 hosts
51 This feature is only available on IRIX. User information
52 traditionally stored in the hosts(5) file and used by
53 gethostbyname(3) functions. Names are resolved through the WINS
54 server or by broadcast.
55
56 passwd
57 User information traditionally stored in the passwd(5) file and
58 used by getpwent(3) functions.
59
60 group
61 Group information traditionally stored in the group(5) file and
62 used by getgrent(3) functions.
63
64 For example, the following simple configuration in the
65 /etc/nsswitch.conf file can be used to initially resolve user and group
66 information from /etc/passwd and /etc/group and then from the Windows
67 NT server.
68
69 passwd: files winbind
70 group: files winbind
71 ## only available on IRIX: use winbind to resolve hosts:
72 # hosts: files dns winbind
73 ## All other NSS enabled systems should use libnss_wins.so like this:
74 hosts: files dns wins
75
76
77 The following simple configuration in the /etc/nsswitch.conf file can
78 be used to initially resolve hostnames from /etc/hosts and then from
79 the WINS server.
80
81 hosts: files wins
82
84 -D|--daemon
85 If specified, this parameter causes the server to operate as a
86 daemon. That is, it detaches itself and runs in the background on
87 the appropriate port. This switch is assumed if winbindd is
88 executed on the command line of a shell.
89
90 -i|--interactive
91 Tells winbindd to not become a daemon and detach from the current
92 terminal. This option is used by developers when interactive
93 debugging of winbindd is required. winbindd also logs to standard
94 output, as if the -S parameter had been given.
95
96 -F|--foreground
97 If specified, this parameter causes the main winbindd process to
98 not daemonize, i.e. double-fork and disassociate with the terminal.
99 Child processes are still created as normal to service each
100 connection request, but the main process does not exit. This
101 operation mode is suitable for running winbindd under process
102 supervisors such as supervise and svscan from Daniel J. Bernstein's
103 daemontools package, or the AIX process monitor.
104
105 --no-process-group
106 Do not create a new process group for winbindd.
107
108 -n|--no-caching
109 Disable some caching. This means winbindd will often have to wait
110 for a response from the domain controller before it can respond to
111 a client and this thus makes things slower. The results will
112 however be more accurate, since results from the cache might not be
113 up-to-date. This might also temporarily hang winbindd if the DC
114 doesn't respond. This does not disable the samlogon cache, which is
115 required for group membership tracking in trusted environments.
116
117 -d|--debuglevel=DEBUGLEVEL, --debug-stdout
118 level is an integer from 0 to 10. The default value if this
119 parameter is not specified is 0.
120
121 The higher this value, the more detail will be logged to the log
122 files about the activities of the server. At level 0, only critical
123 errors and serious warnings will be logged. Level 1 is a reasonable
124 level for day-to-day running - it generates a small amount of
125 information about operations carried out.
126
127 Levels above 1 will generate considerable amounts of log data, and
128 should only be used when investigating a problem. Levels above 3
129 are designed for use only by developers and generate HUGE amounts
130 of log data, most of which is extremely cryptic.
131
132 Note that specifying this parameter here will override the log
133 level parameter in the smb.conf file. This will redirect debug
134 output to STDOUT. By default server daemons are logging to a log
135 file.
136
137 --configfile=CONFIGFILE
138 The file specified contains the configuration details required by
139 the server. The information in this file includes server-specific
140 information such as what printcap file to use, as well as
141 descriptions of all the services that the server is to provide. See
142 smb.conf for more information. The default configuration file name
143 is determined at compile time.
144
145 --option=<name>=<value>
146 Set the smb.conf(5) option "<name>" to value "<value>" from the
147 command line. This overrides compiled-in defaults and options read
148 from the configuration file. If a name or a value includes a space,
149 wrap whole --option=name=value into quotes.
150
151 -l|--log-basename=logdirectory
152 Base directory name for log/debug files. The parent process uses
153 filename log.winbindd, the child process uses filename
154 log.wb-<name>. The log file is never removed by winbindd.
155
156 --leak-report
157 Enable talloc leak reporting on exit.
158
159 --leak-report-full
160 Enable full talloc leak reporting on exit.
161
162 -V|--version
163 Prints the program version number.
164
165 -?|--help
166 Print a summary of command line options.
167
168 --usage
169 Display brief usage message.
170
172 Users and groups on a Windows NT server are assigned a security id
173 (SID) which is globally unique when the user or group is created. To
174 convert the Windows NT user or group into a unix user or group, a
175 mapping between SIDs and unix user and group ids is required. This is
176 one of the jobs that winbindd performs.
177
178 As winbindd users and groups are resolved from a server, user and group
179 ids are allocated from a specified range. This is done on a first come,
180 first served basis, although all existing users and groups will be
181 mapped as soon as a client performs a user or group enumeration
182 command. The allocated unix ids are stored in a database and will be
183 remembered.
184
185 WARNING: The SID to unix id database is the only location where the
186 user and group mappings are stored by winbindd. If this store is
187 deleted or corrupted, there is no way for winbindd to determine which
188 user and group ids correspond to Windows NT user and group rids.
189
191 Configuration of the winbindd daemon is done through configuration
192 parameters in the smb.conf(5) file. All parameters should be specified
193 in the [global] section of smb.conf.
194
195 • winbind separator
196
197 • idmap config * : range
198
199 • idmap config * : backend
200
201 • winbind cache time
202
203 • winbind enum users
204
205 • winbind enum groups
206
207 • template homedir
208
209 • template shell
210
211 • winbind use default domain
212
213 • winbind: rpc only Setting this parameter forces winbindd to
214 use RPC instead of LDAP to retrieve information from Domain
215 Controllers.
216
218 To setup winbindd for user and group lookups plus authentication from a
219 domain controller use something like the following setup. This was
220 tested on an early Red Hat Linux box.
221
222 In /etc/nsswitch.conf put the following:
223
224 passwd: files winbind
225 group: files winbind
226
227 In /etc/pam.d/* replace the
228 auth lines with something like this:
229
230 auth required /lib/security/pam_securetty.so
231 auth required /lib/security/pam_nologin.so
232 auth sufficient /lib/security/pam_winbind.so
233 auth required /lib/security/pam_unix.so \
234 use_first_pass shadow nullok
235
236
237 Note
238 The PAM module pam_unix has recently replaced the module pam_pwdb.
239 Some Linux systems use the module pam_unix2 in place of pam_unix.
240
241 Note in particular the use of the sufficient keyword and the
242 use_first_pass keyword.
243
244 Now replace the account lines with this:
245
246 account required /lib/security/pam_winbind.so
247
248 The next step is to join the domain. To do that use the net program
249 like this:
250
251 net join -S PDC -U Administrator
252
253 The username after the -U can be any Domain user that has administrator
254 privileges on the machine. Substitute the name or IP of your PDC for
255 "PDC".
256
257 Next copy libnss_winbind.so to /lib and pam_winbind.so to
258 /lib/security. A symbolic link needs to be made from
259 /lib/libnss_winbind.so to /lib/libnss_winbind.so.2. If you are using an
260 older version of glibc then the target of the link should be
261 /lib/libnss_winbind.so.1.
262
263 Finally, setup a smb.conf(5) containing directives like the following:
264
265 [global]
266 winbind separator = +
267 winbind cache time = 10
268 template shell = /bin/bash
269 template homedir = /home/%D/%U
270 idmap config * : range = 10000-20000
271 workgroup = DOMAIN
272 security = domain
273 password server = *
274
275 Now start winbindd and you should find that your user and group
276 database is expanded to include your NT users and groups, and that you
277 can login to your unix box as a domain user, using the DOMAIN+user
278 syntax for the username. You may wish to use the commands getent passwd
279 and getent group to confirm the correct operation of winbindd.
280
282 The following notes are useful when configuring and running winbindd:
283
284 PAM is really easy to misconfigure. Make sure you know what you are
285 doing when modifying PAM configuration files. It is possible to set up
286 PAM such that you can no longer log into your system.
287
288 If more than one UNIX machine is running winbindd, then in general the
289 user and groups ids allocated by winbindd will not be the same. The
290 user and group ids will only be valid for the local machine, unless a
291 shared idmap config * : backend is configured.
292
293 If the Windows NT SID to UNIX user and group id mapping file is damaged
294 or destroyed then the mappings will be lost.
295
297 The following signals can be used to manipulate the winbindd daemon.
298
299 SIGHUP
300 Reload the smb.conf(5) file and apply any parameter changes to the
301 running version of winbindd. This signal also clears any cached
302 user and group information. The list of other domains trusted by
303 winbindd is also reloaded.
304
305 Instead of sending a SIGHUP signal, a request to reload
306 configuration file may be sent using smbcontrol(1) program.
307
308 SIGUSR2
309 The SIGUSR2 signal will cause winbindd to write status information
310 to the winbind log file.
311
312 Log files are stored in the filename specified by the log file
313 parameter.
314
316 /etc/nsswitch.conf(5)
317 Name service switch configuration file.
318
319 /tmp/.winbindd/pipe
320 The UNIX pipe over which clients communicate with the winbindd
321 program. For security reasons, the winbind client will only attempt
322 to connect to the winbindd daemon if both the /tmp/.winbindd
323 directory and /tmp/.winbindd/pipe file are owned by root.
324
325 $LOCKDIR/winbindd_privileged/pipe
326 The UNIX pipe over which 'privileged' clients communicate with the
327 winbindd program. For security reasons, access to some winbindd
328 functions - like those needed by the ntlm_auth utility - is
329 restricted. By default, only users in the 'root' group will get
330 this access, however the administrator may change the group
331 permissions on $LOCKDIR/winbindd_privileged to allow programs like
332 'squid' to use ntlm_auth. Note that the winbind client will only
333 attempt to connect to the winbindd daemon if both the
334 $LOCKDIR/winbindd_privileged directory and
335 $LOCKDIR/winbindd_privileged/pipe file are owned by root.
336
337 /lib/libnss_winbind.so.X
338 Implementation of name service switch library.
339
340 $LOCKDIR/winbindd_idmap.tdb
341 Storage for the Windows NT rid to UNIX user/group id mapping. The
342 lock directory is specified when Samba is initially compiled using
343 the --with-lockdir option. This directory is by default
344 /usr/local/samba/var/locks.
345
346 $LOCKDIR/winbindd_cache.tdb
347 Storage for cached user and group information.
348
350 This man page is part of version 4.15.2 of the Samba suite.
351
353 nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5),
354 pam_winbind(8)
355
357 The original Samba software and related utilities were created by
358 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
359 Source project similar to the way the Linux kernel is developed.
360
361 wbinfo and winbindd were written by Tim Potter.
362
363 The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
364 conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
365 Bokovoy.
366
367
368
369Samba 4.15.2 11/13/2021 WINBINDD(8)