winbindd(8)

1WINBINDD(8)                                                        WINBINDD(8)
2
3
4

NAME

6       winbindd  -  Name  Service  Switch  daemon  for resolving names from NT
7       servers
8

SYNOPSIS

10       winbindd [-F] [-S] [-i] [-Y] [-d <debug level>]  [-s <smb config file>]
11        [-n]
12

DESCRIPTION

14       This program is part of the samba(7) suite.
15
16       winbindd  is  a  daemon  that provides a number of services to the Name
17       Service Switch capability found in most modern C libraries, to arbitary
18       applications via PAM and ntlm_auth and to Samba itself.
19
20       Even  if  winbind is not used for nsswitch, it still provides a service
21       to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing  con‐
22       nections to domain controllers. In this configuraiton the idmap uid and
23       idmap gid parameters are not required.  (This  is  known  as  `netlogon
24       proxy only mode'.)
25
26       The  Name  Service  Switch  allows  user  and  system information to be
27       obtained from different databases services such  as  NIS  or  DNS.  The
28       exact behaviour can be configured throught the /etc/nsswitch.conf file.
29       Users and groups are allocated as they are resolved to a range of  user
30       and group ids specified by the administrator of the Samba system.
31
32       The service provided by winbindd is called `winbind' and can be used to
33       resolve user and group information from a Windows NT server.  The  ser‐
34       vice  can  also  provide  authentication services via an associated PAM
35       module.
36
37       The pam_winbind module supports the auth, account and password  module-
38       types.  It  should  be  noted that the account module simply performs a
39       getpwnam() to verify that the system can obtain a uid for the user,  as
40       the domain controller has already performed access control. If the lib‐
41       nss_winbind library has  been  correctly  installed,  or  an  alternate
42       source of names configured, this should always succeed.
43
44       The  following  nsswitch databases are implemented by the winbindd ser‐
45       vice:
46
47       hosts
48          This feature is only available on IRIX. User information  tradition‐
49          ally  stored in the hosts(5) file and used by gethostbyname(3) func‐
50          tions. Names are resolved through the WINS server or by broadcast.
51
52       passwd
53          User information traditionally stored in the passwd(5) file and used
54          by getpwent(3) functions.
55
56       group
57          Group information traditionally stored in the group(5) file and used
58          by getgrent(3) functions.
59
60       For example,  the  following  simple  configuration  in  the  /etc/nss‐
61       witch.conf  file can be used to initially resolve user and group infor‐
62       mation from /etc/passwd and /etc/group and then  from  the  Windows  NT
63       server.
64
65
66
67
68       passwd:         files winbind
69       group:          files winbind
70       ## only available on IRIX; Linux users should us libnss_wins.so
71       hosts:          files dns winbind
72
73
74
75       The  following  simple configuration in the /etc/nsswitch.conf file can
76       be used to initially resolve hostnames from /etc/hosts  and  then  from
77       the WINS server.
78
79
80       hosts:         files wins
81
82

OPTIONS

84       -F
85          If specified, this parameter causes the main winbindd process to not
86          daemonize, i.e. double-fork  and  disassociate  with  the  terminal.
87          Child  processes are still created as normal to service each connec‐
88          tion request, but the main process does  not  exit.  This  operation
89          mode is suitable for running winbindd under process supervisors such
90          as supervise and svscan from Daniel J. Bernstein's daemontools pack‐
91          age, or the AIX process monitor.
92
93       -S
94          If specified, this parameter causes winbindd to log to standard out‐
95          put rather than a file.
96
97       -V
98          Prints the program version number.
99
100       -s <configuration file>
101          The file specified contains the configuration  details  required  by
102          the  server.  The  information in this file includes server-specific
103          information such as what printcap file to use, as well  as  descrip‐
104          tions  of  all  the  services  that  the  server  is to provide. See
105          smb.conf for more information. The default configuration  file  name
106          is determined at compile time.
107
108       -d|--debuglevel=level
109          level  is an integer from 0 to 10. The default value if this parame‐
110          ter is not specified is zero.
111
112          The higher this value, the more detail will be  logged  to  the  log
113          files  about the activities of the server. At level 0, only critical
114          errors and serious warnings will be logged. Level 1 is a  reasonable
115          level for day-to-day running - it generates a small amount of infor‐
116          mation about operations carried out.
117
118          Levels above 1 will generate considerable amounts of log  data,  and
119          should only be used when investigating a problem. Levels above 3 are
120          designed for use only by developers and generate HUGE amounts of log
121          data, most of which is extremely cryptic.
122
123          Note that specifying this parameter here will override the
124
125          parameter in the smb.conf file.
126
127       -l|--logfile=logdirectory
128          Base  directory  name for log/debug files. The extension ".progname"
129          will be appended (e.g. log.smbclient,  log.smbd,  etc...).  The  log
130          file is never removed by the client.
131
132       -h|--help
133          Print a summary of command line options.
134
135       -i
136          Tells  winbindd  to  not become a daemon and detach from the current
137          terminal. This option is used by developers when interactive  debug‐
138          ging  of  winbindd is required.  winbindd also logs to standard out‐
139          put, as if the -S parameter had been given.
140
141       -n
142          Disable caching. This means winbindd will always have to wait for  a
143          response  from  the  domain  controller  before  it can respond to a
144          client and this thus makes things slower. The results  will  however
145          be  more  accurate, since results from the cache might not be up-to-
146          date. This might also temporarily hang winbindd if  the  DC  doesn't
147          respond.
148
149       -Y
150          Single daemon mode. This means winbindd will run as a single process
151          (the mode of operation in Samba 2.2). Winbindd's default behavior is
152          to  launch  a child process that is responsible for updating expired
153          cache entries.
154

NAME AND ID RESOLUTION

156       Users and groups on a Windows NT server  are  assigned  a  security  id
157       (SID)  which  is  globally unique when the user or group is created. To
158       convert the Windows NT user or group into a unix user or group, a  map‐
159       ping  between SIDs and unix user and group ids is required. This is one
160       of the jobs that winbindd performs.
161
162       As winbindd users and groups are resolved from a server, user and group
163       ids are allocated from a specified range. This is done on a first come,
164       first served basis, although all existing  users  and  groups  will  be
165       mapped  as  soon  as a client performs a user or group enumeration com‐
166       mand. The allocated unix ids are stored  in  a  database  and  will  be
167       remembered.
168
169       WARNING:  The  SID  to  unix id database is the only location where the
170       user and group mappings are  stored  by  winbindd.  If  this  store  is
171       deleted  or  corrupted, there is no way for winbindd to determine which
172       user and group ids correspond to Windows NT user and group rids.
173
174       See the
175
176       or the old
177
178       parameters in smb.conf for options for sharing this database,  such  as
179       via LDAP.
180

CONFIGURATION

182       Configuration  of  the  winbindd  daemon  is done through configuration
183       parameters in the smb.conf(5) file. All parameters should be  specified
184       in the [global] section of smb.conf.
185
186       ·
187
188          winbind separator
189
190       ·
191
192          idmap uid
193
194       ·
195
196          idmap gid
197
198       ·
199
200          idmap backend
201
202       ·
203
204          winbind cache time
205
206       ·
207
208          winbind enum users
209
210       ·
211
212          winbind enum groups
213
214       ·
215
216          template homedir
217
218       ·
219
220          template shell
221
222       ·
223
224          winbind use default domain
225
226       ·
227
228          winbind:  rpc only Setting this parameter forces winbindd to use RPC
229          instead of LDAP to retrieve information from Domain Controllers.
230

EXAMPLE SETUP

232       To setup winbindd for user and group lookups plus authentication from a
233       domain  controller  use  something  like  the following setup. This was
234       tested on an early Red Hat Linux box.
235
236       In /etc/nsswitch.conf put the following:
237
238
239
240
241       passwd: files winbind
242       group:  files winbind
243
244
245
246       In /etc/pam.d/* replace the
247        auth lines with something like this:
248
249
250
251
252       auth  required    /lib/security/pam_securetty.so
253       auth  required   /lib/security/pam_nologin.so
254       auth  sufficient  /lib/security/pam_winbind.so
255       auth  required    /lib/security/pam_unix.so                   use_first_pass shadow nullok
256
257
258
259       Note
260       The PAM module pam_unix has recently replaced the module pam_pwdb. Some
261       Linux systems use the module pam_unix2 in place of pam_unix.
262
263       Note   in  particular  the  use  of  the  sufficient  keyword  and  the
264       use_first_pass keyword.
265
266       Now replace the account lines with this:
267
268       account required /lib/security/pam_winbind.so
269
270       The next step is to join the domain. To do that  use  the  net  program
271       like this:
272
273       net join -S PDC -U Administrator
274
275       The username after the -U can be any Domain user that has administrator
276       privileges on the machine. Substitute the name or IP of  your  PDC  for
277       "PDC".
278
279       Next  copy  libnss_winbind.so  to /lib and pam_winbind.so to /lib/secu‐
280       rity. A symbolic link needs to be made from  /lib/libnss_winbind.so  to
281       /lib/libnss_winbind.so.2.  If  you  are using an older version of glibc
282       then the target of the link should be /lib/libnss_winbind.so.1.
283
284       Finally, setup a smb.conf(5) containing directives like the following:
285
286
287
288
289       [global]
290            winbind separator = +
291               winbind cache time = 10
292               template shell = /bin/bash
293               template homedir = /home/%D/%U
294               idmap uid = 10000-20000
295               idmap gid = 10000-20000
296               workgroup = DOMAIN
297               security = domain
298               password server = *
299
300
301
302       Now start winbindd and you should find that your user and  group  data‐
303       base  is expanded to include your NT users and groups, and that you can
304       login to your unix box as a domain user, using the  DOMAIN+user  syntax
305       for  the  username.  You may wish to use the commands getent passwd and
306       getent group to confirm the correct operation of winbindd.
307

NOTES

309       The following notes are useful when configuring and running winbindd:
310
311       nmbd(8) must be running on the local machine for winbindd to work.
312
313       PAM is really easy to misconfigure. Make sure you  know  what  you  are
314       doing  when modifying PAM configuration files. It is possible to set up
315       PAM such that you can no longer log into your system.
316
317       If more than one UNIX machine is running winbindd, then in general  the
318       user  and  groups  ids  allocated by winbindd will not be the same. The
319       user and group ids will only be valid for the local machine,  unless  a
320       shared
321
322       is configured.
323
324       If  the  the  Windows  NT SID to UNIX user and group id mapping file is
325       damaged or destroyed then the mappings will be lost.
326

SIGNALS

328       The following signals can be used to manipulate the winbindd daemon.
329
330       SIGHUP
331          Reload the smb.conf(5) file and apply any parameter changes  to  the
332          running version of winbindd. This signal also clears any cached user
333          and group information. The list of other domains trusted by winbindd
334          is also reloaded.
335
336       SIGUSR2
337          The  SIGUSR2  signal will cause winbindd to write status information
338          to the winbind log file.
339
340          Log files are stored in the  filename  specified  by  the  log  file
341          parameter.
342

FILES

344       /etc/nsswitch.conf(5)
345          Name service switch configuration file.
346
347       /tmp/.winbindd/pipe
348          The  UNIX pipe over which clients communicate with the winbindd pro‐
349          gram. For security reasons, the winbind client will only attempt  to
350          connect  to the winbindd daemon if both the /tmp/.winbindd directory
351          and /tmp/.winbindd/pipe file are owned by root.
352
353       $LOCKDIR/winbindd_privileged/pipe
354          The UNIX pipe over which 'privileged' clients communicate  with  the
355          winbindd  program.  For  security  reasons,  access to some winbindd
356          functions -  like  those  needed  by  the  ntlm_auth  utility  -  is
357          restricted. By default, only users in the 'root' group will get this
358          access, however the administrator may change the  group  permissions
359          on  $LOCKDIR/winbindd_privileged  to  allow programs like 'squid' to
360          use ntlm_auth. Note that the winbind client  will  only  attempt  to
361          connect  to the winbindd daemon if both the $LOCKDIR/winbindd_privi‐
362          leged directory and $LOCKDIR/winbindd_privileged/pipe file are owned
363          by root.
364
365       /lib/libnss_winbind.so.X
366          Implementation of name service switch library.
367
368       $LOCKDIR/winbindd_idmap.tdb
369          Storage  for  the  Windows NT rid to UNIX user/group id mapping. The
370          lock directory is specified when Samba is initially  compiled  using
371          the   --with-lockdir   option.   This   directory   is   by  default
372          /usr/local/samba/var/locks .
373
374       $LOCKDIR/winbindd_cache.tdb
375          Storage for cached user and group information.
376

VERSION

378       This man page is correct for version 3.0 of the Samba suite.
379

AUTHOR

385       The  original  Samba  software  and  related  utilities were created by
386       Andrew Tridgell. Samba is now developed by the Samba Team  as  an  Open
387       Source project similar to the way the Linux kernel is developed.
388
389       wbinfo and winbindd were written by Tim Potter.
390
391       The  conversion to DocBook for Samba 2.2 was done by Gerald Carter. The
392       conversion to DocBook XML 4.2 for  Samba  3.0  was  done  by  Alexander
393       Bokovoy.
394
395
396
397
398                                                                   WINBINDD(8)